Data Breaches: The Cost of Being Unprepared A Thought Leadership Panel Discussion May 28, 2009


Page 1

Data Breaches: The Cost of Being Unprepared
A Thought Leadership Panel Discussion
May 28, 2009

Page 2

Getting the most from today’s webcast

• Turn off pop-up blockers

• Submit questions to the panelists and access additional supporting information through the “Additional Information Tab” in your webcast viewer

• Agenda:
  – Panelist overviews
  – General panel discussion
  – Response solutions
  – Open Q&A with the listening audience

Page 3

Introductions

Moderator: Bob Bragdon – Publisher, CSO magazine

Panelists:

Lisa Sotto – Partner, Hunton & Williams LLP

Chris Pierson – CPO & SVP, Citizens Financial Group, Inc.

Michael Fox – Senior Managing Director, ICR Inc.

Tom Rusin – CEO, Affinion Security Center

The content and opinions shared by the panelists do not necessarily reflect those of their employers, Affinion Security Center, or CSO magazine, and should not be considered legal advice. This content is not offered as legal advice or any other advice on any particular matter.

Page 4

A Legal Perspective

Lisa J. Sotto, Partner, Hunton & Williams LLP

Lisa J. Sotto, a partner in the New York office of Hunton & Williams LLP, heads the firm’s Privacy and Information Management Practice. She was voted the world’s leading privacy advisor in Computerworld’s 2007 and 2008 surveys and was ranked "Band 1" by Chambers USA in the category of Privacy & Data Security.

Ms. Sotto assists clients in identifying and managing risks associated with privacy and information security issues, and advises clients on GLB, HIPAA, COPPA, CAN-SPAM and other U.S. state and federal information privacy and security requirements (including state breach notification laws), as well as international data protection laws. She has advised clients in over 500 data breaches.

Ms. Sotto has testified before Congress and Executive Branch agencies on privacy and data security issues and is a routinely quoted source regarding privacy and data security.

Page 5

A Legal Perspective

Overview of Data Breach Landscape

• Data security incidents are ubiquitous
  – Any company that has not experienced one isn’t looking in the right places

• There have been over 1,100 security breaches reported to date
  – This number represents just the tip of the iceberg

• Over 250 million reported records have been impacted to date

• Breaches are not one-size-fits-all
  – They can differ dramatically
  – They range from laptop losses to network intrusions

• Breaches can occur through:
  – Authorized access (e.g., an employee or contractor)
  – Unauthorized access (e.g., a hacker or phisher)
  – Small incidents that are unlikely to cause harm
  – Massive, organized attacks that cause significant harm

Page 6

A Legal Perspective

State Security Breach Notification Laws

• There are over 40 state data breach laws, including D.C. and Puerto Rico

• The laws are not harmonized

• Generally, the duty to notify arises when unencrypted computerized “personal information” was acquired or accessed by an unauthorized person

• “Personal information” typically is an individual’s name, combined with:
  – SSN
  – driver’s license or state ID card number
  – account, credit or debit card number, along with password or access code

Differences Among State Breach Laws

• Definition of “Personal Information”
  – Many states use the standard definition, but other states add data elements such as health data, DOB, mother’s maiden name, employee ID number, passport number or user name

• Most laws apply to computerized data
  – But a few affect information in hard-copy format as well

• A number of states require direct notification to state agencies
  – This is essentially self-reporting

• Most states require notification to credit reporting agencies

Page 7

A Legal Perspective

New Federal Regulations

• For the first time, there is now a federal breach notification requirement that applies to the private sector

• ARRA requires HIPAA covered entities to notify individuals whose “unsecured protected health information” in any format has been, or is reasonably believed to have been, “accessed, acquired or disclosed” as a result of a breach

• BAs (business associates) are responsible for notifying covered entities if the BA has a breach

• Notice must be provided within 60 calendar days after “discovery”

• Law enforcement delay

• Notification to HHS and media
  – Posted on HHS website

• When should you involve law enforcement?
  – Local law enforcement
  – Federal agents
  – Foreign law enforcement

Page 8

A Legal Perspective

Immediate Steps to Take Following a Breach

• Conduct an investigation to determine the facts
  – What happened? Who was affected? What data? What systems?

• Consider whether the investigation should be conducted by internal or external parties

• Does the event trigger notification to individuals under the state breach notification laws?
  – Was the PI “acquired” or “accessed” by an “unauthorized” person?

• Consider your obligations
  – Are you the data owner or licensee?
  – Are you a service provider?
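As an added illustration (not code from the panel or any firm represented on it) of the state-law trigger described on the preceding slides, the Python helper below applies the standard “personal information” definition, the unencrypted and computerized conditions, and state-specific extra data elements to a constructed set of exposed records. The field names, the element sets and the sample incident are assumptions for illustration; the helper does not encode the exact text of any state’s statute.

```python
"""Breach-notification triage helper (added illustration; constructed data).

Applies the state-law trigger from the legal slides: notification is generally
owed when UNENCRYPTED, COMPUTERIZED "personal information" is acquired or
accessed by an unauthorized person. "Personal information" is a name combined
with an SSN, a driver's license or state ID number, or an account/credit/debit
card number together with its password or access code. States that add data
elements (DOB, health data, ...) are modelled as an extra set. Field names and
the sample incident are assumed for illustration, not any statute's exact text.
"""
from dataclasses import dataclass, field

# Elements that, combined with a name, form "personal information" on their own.
STANDARD_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# Account-type elements count only when paired with a password or access code.
ACCOUNT_ELEMENTS = {"account_number", "credit_card", "debit_card"}
ACCESS_CODES = {"password", "access_code", "pin"}


@dataclass
class ExposedRecord:
    """One record from the affected dataset; `fields` lists the populated columns."""
    fields: set
    encrypted: bool = False    # encrypted data generally falls outside the trigger
    computerized: bool = True  # most state laws reach computerized data only


@dataclass
class Incident:
    records: list
    unauthorized_access: bool  # acquired/accessed by an unauthorized person?
    extra_elements: set = field(default_factory=set)  # state-specific additions


def is_personal_information(fields, extra_elements=frozenset()):
    """True if the field set meets the name + sensitive-element definition."""
    if "name" not in fields:
        return False
    if fields & (STANDARD_ELEMENTS | set(extra_elements)):
        return True
    # Account and card numbers qualify only together with a password/access code.
    return bool(fields & ACCOUNT_ELEMENTS) and bool(fields & ACCESS_CODES)


def triage(incident):
    """Return (notification_likely, affected_record_count, reasons_against)."""
    reasons = []
    if not incident.unauthorized_access:
        reasons.append("no unauthorized acquisition/access established")
    affected = [
        r for r in incident.records
        if r.computerized and not r.encrypted
        and is_personal_information(r.fields, incident.extra_elements)
    ]
    if not affected:
        reasons.append("no unencrypted computerized personal information exposed")
    return incident.unauthorized_access and bool(affected), len(affected), reasons


# Constructed sample: a lost laptop holding a customer export.
SAMPLE = Incident(
    records=[
        ExposedRecord({"name", "ssn"}),                         # triggers
        ExposedRecord({"name", "email"}),                       # not PI
        ExposedRecord({"name", "credit_card"}),                 # no access code
        ExposedRecord({"name", "credit_card", "access_code"}),  # triggers
        ExposedRecord({"name", "ssn"}, encrypted=True),         # encrypted
        ExposedRecord({"name", "dob"}),                         # only where DOB is added
    ],
    unauthorized_access=True,
)

if __name__ == "__main__":
    print(triage(SAMPLE))                                                  # (True, 2, [])
    print(triage(Incident(SAMPLE.records, True, extra_elements={"dob"})))  # (True, 3, [])
```

The same records yield a different affected count once a state’s added elements are supplied, which is the practical consequence of the “laws are not harmonized” point.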

Page 9

More Information on Data Breach and Privacy Laws

Page 10

A Chief Privacy Officer’s Perspective

Christopher T. Pierson, Ph.D., J.D., CPO & SVP, Citizens Financial Group, Inc.

Dr. Chris Pierson is the Chief Privacy Officer and Senior VP for Citizens Financial Group. In this role he is responsible for developing and implementing the company’s privacy compliance program across all business lines, including Citizens and Charter One banks.

Prior to joining Citizens, Chris worked as an attorney for a large US corporate law firm, where he established their Cybersecurity and Privacy Practice Area. While in practice he assisted his clients on numerous privacy compliance matters and data loss incidents, and handled the first data breach in the US.

Chris has also been involved in other aspects of cybersecurity, including serving on homeland security committees, briefing DHS, the FBI, the Director of National Intelligence and the Secret Service on cybercrime matters and critical infrastructure threats, and serving as President of the FBI’s Phoenix InfraGard.

Dr. Pierson is a frequent speaker at national and international cybersecurity and privacy conferences and is regularly interviewed by the media on these topics and homeland security matters.

Page 11

A Chief Privacy Officer’s Perspective

Preparedness and Response: Five High-Level Themes

I. Preplanning – Not if, but when . . . plan accordingly

II. Awareness and Exercise – Practice, practice, practice!

III. Collaboration – Team efforts are critical to success

IV. Communication – Clarity, consistency, and single voice

V. Avoiding Pitfalls – Understand and predict all possible future outcomes

Page 12

A Chief Privacy Officer’s Perspective – Preparedness and Response

I. Preplanning – Not If, But When . . . Plan Accordingly

• Do not stick your head in the sand
  – “Loss of Control” of information incidents can happen

• Know what data you own or possess and where it is
  – Data inventories, data flow diagrams, audits
  – Out-sourcing/off-shoring

• Relationships can be made ahead of time

• Create critical documents ahead of time
  – Letters, communications, website and media statements

II. Awareness and Exercise – Practice, Practice, Practice

• Design the plan, test it, socialize it, and revise
  – Table top exercises prevent panic

Page 13

A Chief Privacy Officer’s Perspective – Preparedness and Response

III. Collaboration – Team Efforts are Critical to Success

• Ensure roles are clearly delineated
  – Pre-planned roles keep people on-track

• Receive buy-in to the process during calm
  – Assemble the core team to walk through critical elements of response ahead of time

• Make sure everyone can succeed by joining the team
  – Partners who can claim success are more willing to join the team

• Do not forget outside relationships
  – Credit Monitoring, Help Centers, Printing, Mailing, Counsel, etc.
  – Law Enforcement and/or Regulators (insurance, financial, healthcare, government sectors)

IV. Communication – Clarity, Consistency and Single Voice

• One Voice, One Message
  – Be consistent
  – Time-line event scenarios

V. Avoiding Pitfalls – Understand and Predict Future Hazards

• Do not react to only what is in front of you
  – Where uncertainty exists, examine options and react accordingly

Page 14

A Public Relations Perspective

Michael Fox, Senior Managing Director, ICR Inc.

Michael is a senior managing director of ICR, Inc., a leading financial communications consulting firm. He heads the corporate communications team, providing strategic financial communications services to a broad spectrum of clients, including energy, defense and financial services companies.

Michael’s clients turn to him for counsel on a wide variety of issues, ranging from activist shareholder actions to corporate data breaches. His work has included crisis communications counsel for both retailers and payment processors victimized in recent high-profile data breaches.

Michael previously served as the Group Director of the U.S. Corporate Communications Practice for Ogilvy Public Relations Worldwide, where he provided strategic communications counsel, internal relations, and crisis and issues management services to several Fortune 500 companies. Prior to his work in communications, he served as a legislative director to Congressman Chris Shays (CT-4).

Page 15

A Public Relations Perspective

Crisis Management = Reputation & Relationship Management

• Business success is based on strong relationships – customers, partners, employees, investors, regulators, etc.

• Crisis undermines trust and strains relationships

• Crisis communication is the art of managing relationships in the aftermath of a negative event

• Effective crisis response can actually strengthen relationships

Characteristics of a Crisis

• Unplanned: Sudden and unexpected

• Negative: Will adversely impact the company

• Public: Is or is likely to become publicly known

• Serious: Impact could be significant/lasting

Page 16

A Public Relations Perspective

Data Security and Breach Incidents

• Specific negative personal impact on key stakeholders

• Directly undermine trust

• Raise questions of competence and care

• Easy for unaffected parties to relate… “could have been me”

• Have lasting impact

Unique Challenges

• Confusion over responsibility and accountability
  – Whose fault? Whose customer?

• Challenges of identifying who might have been harmed

• Difficult to accurately predict the potential negative impact

• Conflicting rules around notification

• Conflict between prompt disclosure and first fixing the problem

Page 17

A Public Relations Perspective

Conflicting Perspectives in a Crisis

Company

• Let’s make sure

• It’s not that bad

• It will blow over

• It’s not entirely our fault

• Talking about it will just make it worse

• We can’t say anything until we know everything

Stakeholders

• What happened?

• Why did it happen?

• How will it affect me?

• When will it end?

• Will it happen again?

• I want to know now!

Disconnect

Page 18

A Public Relations Perspective

The Media Will be Ruthless

The public can forgive error and mistakes, but it can be ruthless in the face of:

• Indifference, Arrogance, Obfuscation, Deflection, Insensitivity, Cover-up

“Retailer Wards Failed To Notify Customers Of Data Breach”

“TJX Breach Skewers Customers, Bank”

“Heartland Has No Heart for Violated Customers”

“Democrats Question Handling of Data Breach”

Page 19

A Public Relations Perspective

Crisis Response Imperatives

• Preparation – develop a crisis plan and conduct simulations
  – Crisis plan: Team, contact information, core principles, draft materials, scenarios

• Leadership – a senior executive must lead the process

• Speed – decisive action is critical

• Thoroughness – cover all bases, anticipate all contingencies

• Control – take the initiative and stay one step ahead

• Accuracy – get the facts, correct errors, never speculate

• Closure – tie all loose ends before you can move on

Page 20

A Public Relations Perspective

What to Say in the Midst of a Crisis: 5 Steps to Eliminate “Fear”

• Facts – Communicate what you know/don’t know, correct inaccuracies, never speculate. In the absence of facts, talk “process.”

• Empathy – Always express concern for affected parties.

• Accountability – Demonstrate you will do everything necessary to assist (even if it’s not your fault!)

• Action – Be explicit about what you are doing, how and when.

• Remediation – Take specific steps to eliminate and compensate for any negative impact in the future. Don’t skimp.

Page 21

A Public Relations Perspective

Data Breach PR Response Best Practices

• Effective planning and preparation

• Timely disclosure and notification

• Responsibility and empathy

• Direct and redundant communication

• Good use of website (FAQs to simplify process)

• Tangible and commensurate remediation
  – Err on the side of inclusiveness

• Active online monitoring

Page 22

Tom Rusin, CEO, Affinion Security Center

Tom Rusin is the President and C.E.O. of Affinion Group’s North American division, which generated over $1.1 billion in revenue and a quarter of a billion dollars in operating income in 2008. He also serves as C.E.O. of the Affinion Security Center, a division of Affinion Group and a leading provider of identity theft protection solutions to consumers.

Tom has extensive experience in product development, customer service and direct marketing in the Identity Protection, Insurance, Travel, and Loyalty industries. Tom is a seasoned and engaging speaker on multiple subjects, including the criticality of media diversity, using consumer attitudes to better target direct marketing, turning customers into fans, and the continuing evolution of identity theft and how consumers can really protect themselves. As an expert on the growing crime of identity theft, Tom has been featured in a wide variety of leading media, including Network World, C/Net, and BusinessWeek TV, and has also moderated forum discussions with industry and global leaders, including former US Secretary of State Gen (r) Colin Powell.

Page 23

Panel Discussion

How big are the actual issues stemming from data breaches, and should only large businesses be concerned?

Page 24

Panel Discussion

What are the challenges that any business faces when dealing with a data breach?

Page 25

Panel Discussion

What role does regulation play in driving breach response, and how important is it for businesses to be prepared to respond to a breach in advance?

Page 26

Panel Discussion

Are most businesses adequately prepared?

Page 27

Panel Discussion

What needs to be considered when proactively preparing for a data breach, and how is that different from simply reacting to a breach?

Page 28

Panel Discussion

What advantages are there in being proactive vs. reactive from both legal and reputational perspectives?

Page 29

Panel Discussion

Are typical businesses capable of responding to breaches with their own internal resources?

Page 30

Affinion Security Center’s Expertise

A leading provider of identity theft solutions worldwide

• Currently serving 10 million+ individuals

• Over 100 custom or branded programs managed for many of the world’s leading financial institutions

• Dedicated research & development team committed to staying ahead of the identity theft curve

• Hot-Line first offered in 1969

• One of the first to market with credit monitoring services (PrivacyGuard – 1992)

• Card Cops acquired in 2007

• Recent innovations include launch of IdentitySecure and BreachShield

• ID theft and privacy expert Frank Abagnale serves as product advisor and spokesman

Committed to the highest security and operational standards

• Process over 150 million transactions/year through a variety of payment processors and direct relationships

• ISO 27001 certified (one of only 85 US companies to earn this credential)

• PCI Level 1 compliant

• Six Sigma trained experts

Addressing the growing threat of data breaches by leveraging ASC’s infrastructure

• Strategic solutions for personal data security

Page 31

Data Breaches – A Complex, High-Stakes Environment

Breaches Continue To Rise

• According to the Identity Theft Resource Center, breaches increased by 47% in 2008

• Complexities of the crime continue to change

Legislative Environment Increasingly Complex

• Breach notification laws now in 44 states

• Emerging trend of state laws requiring that all businesses encrypt personally identifiable information

• Additional Federal legislation proposed

• Federal Trade Commission’s Red Flag rules

Customers Expect More Than Just Notification and Credit Monitoring

[Chart: survey responses to “If a company or institution that experienced a data breach of your personal information offered you an identity protection service, would you most prefer a service that…”*]

* Javelin Strategy & Research on Data Breach Notification – June 2008

Page 32

BreachShield – Comprehensive Solutions & Advanced Protection

We provide turn-key, end-to-end solutions by leveraging the expertise and infrastructure of a $1.4 billion organization.

• Incident Response Consulting – Pre-contract and proactively prepare response plans

• List Services – Our database services include address hygiene and NCOA services, ensuring USPS compliance, optimizing mailing and postal costs and minimizing undeliverable mail

• Notification Drafting & Print Services – Leverage our capabilities as one of the nation’s largest direct mailers

• Customer Support – Pre-enrollment: VRU minimizes costs and mitigates poor customer experience from increased call volumes; includes FAQ support. Post-enrollment: tenured, FCRA-certified Identity Fraud Support Specialists dedicated to each case until resolved

• ID Theft Protection Solutions – Our data breach solutions utilize the latest ID theft protection technologies available through ASC

• Multi-Channel Enrollment Options – Ensure the affected population can enroll quickly, easily and conveniently
  – Full File Enrollment: Simply provide an encrypted file of all records
  – Online: Allows instant enrollment through a dedicated URL
  – USPS: Customers fill out and return the supplied enrollment form
  – Telephone (VRU with Live Agent Option): Customers enroll with the numeric activation code provided in the Notification Letter

• Ongoing Support & Reporting – Our team is always available to assist with your needs and can support standard or ‘a la carte’ requests


Page 33

ID Theft – Complicated Crimes Demanding a Complete Solution

• New account fraud makes up only 28% of ID theft instances*

• Need a solution that addresses all aspects of ID theft

• BreachShield is committed to providing the most robust and comprehensive solutions

PREVENTION – Best-in-class technology, proactively combating emerging identity theft threats
  – Card Cops Internet Surveillance
  – Credit Card Registry Service
  – Fraud Alerts with Automated Reminders

DETECTION – Solutions to quickly identify instances where identity theft has occurred
  – Credit Monitoring and Alerts
  – Credit Reports and Scores
  – Credit Information Hotline

RESOLUTION – The right resources to help customers restore their good name
  – Identity Fraud Support Services
  – ID Theft Insurance

* Javelin Strategy & Research – 2008 Identity Fraud Survey Report

Page 34

Why Partner with ASC BreachShield?

• Proven History & Expertise: ASC provides its solutions to over 10 million individuals today, and services major financial institutions and top corporations.

• Comprehensive End-to-End Solution: We can help with all aspects of data breach response, leveraging the back-end capabilities of a $1.4 billion organization

• Advanced ID Theft Protection: Our services utilize proprietary technologies and offer the most complete protection available, with tools for preventing, detecting and resolving ID theft

• Highest Security Standards: Ongoing commitment to data security – ISO 27001 & PCI Level 1 compliance

• 24/7 Availability: Available to take your call about a breach within your organization anytime, day or night

• Speed to Launch: ASC BreachShield solutions can be deployed as quickly as 24 hours from time of request, demonstrating to your customers that you take the security of their personal data seriously

• Customer Service: Exceptional call center expertise from over 35 years of experience

• Notification & Fulfillment Services: We can consult on or draft the Notification Letter. Our state-of-the-art production center allows us to print and mail Notification Letters

• Trusted Provider: BreachShield solutions are powered by PrivacyGuard, the nation’s leading ID theft solution, and the only service endorsed by leading ID theft expert, Frank Abagnale

The only provider to offer comprehensive, turn-key solutions combined with advanced ID theft protection and world class customer service

Page 35

Contact Us

For 24/7 assistance in the event of a breach, call ASC toll-free: 1-800-350-7209

For general inquiry, call or email:

Chris [email protected]

Helen Boyian, 203-956-8926, [email protected]

Mike [email protected]

Page 36

Questions and Answers

For more information on Affinion Security Center please visit: www.affinionsecuritycenter.com

For more information on data breach response planning and ASC’s BreachShield solutions please visit: www.breachshield.com

BreachShield’s latest resource, the Data Breach Response Guide, is available for download at no cost.