The Growing Problem of Data Breaches in America

Transcription

1 Continuity Insights The Growing Problem of Data Breaches in America Today s Questions to Cover 1. What is a Data Breach? 2. How Significant is the Problem? 3. How Do Thieves Steal the Data? 4. How Does this Effect Individuals? 5. How Does this Effect Corporations? 6. What Can We Do About it?

2 What is a Data Breach? For purposes of this Agreement, the term Database Compromise not only encompasses a Database Compromise but also any Database Breach, Information Compromise and/or Information Breach. For the purposes of this Agreement, the term Database Compromise covers the following acts as hereafter defined: Accidental Communication or Accidental Release means the inadvertent disclosure of Non-Public Personal Information (NPPI) of one or more data subjects by the Company through , Fax, or other method of electronic or written/paper communication. Accidental Publication means the inadvertent disclosure of Non-Public Personal Information (NPPI) of one or more data subjects by the Company through disclosure over the Internet or through or other means of communication. DNS cache poisoning means the technique used to trick a DNS server into believing it has received authentic information when, in reality, it has not. DNS Redirection means redirecting the nameserver of an attacker's domain to the nameserver of the target domain, then assigning that nameserver an IP address specified by the attacker. Domain Name System or DNS means the system that stores information about hostnames and domain names in a type of distributed database on networks, such as the Internet. The DNS Server provides a physical location (IP address) for each domain name, and lists the mail exchange servers accepting for each domain. Internet Attack or Hacker Attack means a Network Intrusion or Database Compromise that is carried out using a remote computer over the Internet. Lost Data means the loss, dispersal, unauthorized release/communication or theft of data containing the Non-Public Personal Information (NPPI) and/or the Personal Health Information (PHI) of the company s Customers. This includes information stored in any digital or electronic format in addition to any information contained in any physical and tangible means of expression such as, but not limited to information that is typewritten, handwritten, photographed, photocopied, mimeographed, on microfiche, microfilm or other non-digitized manner. Lost Document means the physical loss of non-digitized information containing Non-Public Personal Information (NPPI) and/or the Personal Health Information (PHI) of Data Subjects and imprinted, typed, handwritten or recorded on a physical and tangible means of expression such as, but not limited to, paper, photograph, photocopy, mimeograph, microfiche, microfilm or other non-digitized manner of expression. Lost Hardware means the physical loss of one or more pieces of hardware such as servers, laptop computers, desktop computers, PDA s, Cell Phones or other electronic devices that contain in its memory, certain Non-Public Personal Information (NPPI) of one or more data subjects. Lost Media means the physical loss of one or more pieces of electronic media including but not limited to hard drives, zip disks, floppy disks, CD-ROMs, DVD-ROMs, magnetic tapes, USB storage devices, or any other forms of electronic media and storage that contain and/or store certain Non-Public Personal Information (NPPI) or Personal Health Information (PHI) of one or more data subjects. Malicious Code means a worm, virus, spyware, key logger or other piece of computer code that is used to collect, destroy, alter, retrieve or affect computer software and/or data on a computer system, network, storage device, PDA or other peripheral device. Network Intrusion means the unauthorized access and intrusion onto a computer network and may include but is not limited to denial of service attacks, port-scans, Man in the Middle attacks or even attempts to hack and/or crack into computers. Physical Security Breach means the unauthorized intrusion by a third party onto the physical premises of the Company s property or the property of a contractor that provides third party data processing services for the company. Stolen Document means the theft of digitized or non-digitized information containing Non-Public Personal Information (NPPI) and/or the Personal Health Information (PHI) of Data Subjects and imprinted, typed, handwritten or recorded on a physical and tangible means of expression such as, but not limited to, paper, photograph, photocopy, mimeograph, microfiche, microfilm or other non-digitized manner of expression. Stolen Hardware means the theft of one or more pieces of hardware such as servers, laptop computers, desktop computers, PDA s, Cell Phones or any other electronic device that contains in its memory, certain Non-Public Personal Information (NPPI) or Personal Health Information (PHI) of one or more data subjects. Stolen Media means the theft of one or more pieces of electronic media including but not limited to hard drives, zip disks, floppy disks, CD-ROMs, DVD- ROMs, magnetic tapes, USB storage devices, or any other forms of electronic media and storage that contain and/or store certain Non-Public Personal Information (NPPI) or Personal Health Information (PHI) of one or more data subjects. Unauthorized Employee Intrusion means access to the Company s information databases containing Non-Public April Personal 12-14, Information 2010(NPPI) or Personal Health Information (PHI) of one or more data subjects, by an employee of the company or a third Sheraton party contractor New for nefarious Orleans or other unauthorized purposes. What is a Data Breach? In simple terms: Theft of Non-Public Personal Information (NPPI) which can potentially be used to uniquely identify an individual and could be used to facilitate an Identity Theft or Identity Fraud. Name Date of Birth Medical ID Number Credit Card Typically: Address Social Security Number Bank Account info

3 How Significant is the Problem? Oops! Since 2005, over 247 Million records (NPPI) have been compromised or breached Most Notable Cases: TJ Maxx Choice Point Veterans Affairs Monster.com Countrywide State of Ohio UCLA Starbucks Harvard Law Heartland Payment January 20, 2009 "Largest Breach Ever" Reported The personal information of as many as 100 million may have been exposed in a breach at New Jersey-based credit-card processor Heartland Payment Systems Inc., reports the Wall Street Journal.

4 How Do Thieves Steal the Data? Internet Attack or Hacker Attack Malicious Code (worm, virus, spyware, key logger,etc) Physical Security Breach (stolen lap top, thumb drive) Unauthorized Employee Intrusion Domain Name System Redirect How Do Thieves Sell the Data? Internet Flea Markets Black Market Illegal Aliens ABC News2.flv

5 How Does this effect Individuals? Identity Theft Statistics 10 Million Americans had their identity stolen last year According to the IRS, there are 8 million Social Security Numbers being used by more than one person Black market trafficking of stolen identities is estimated to increase to $1.6 billion by 2010

6 What are the odds? Winning the Lottery? 1 in 135,145,920 Your Home Having a Fire? 1 in 1,200 Your Auto Being Totaled? 1 in 240 Becoming an ID Theft Victim?

7 What are the odds? Winning the Lottery? 1 in 135,145,920 Your Home Having a Fire? 1 in 1,200 Your Auto Being Totaled? 1 in 240 Becoming an ID Theft Victim? 1 in 30 How Does this Effect Corporations? Time Money Anxiety Frustration Reputation Lost Customers Lost Productivity from Employees

8 How Does this Effect Corporations? 85% of employees are Highly Concerned about having their identity stolen Identity Theft victims can spend 600 hours trying to restore their identity (most during work hours) 41% of victims do not recover their identity even after 14 months of work Security Breaches Cost $90 To $305 Per Lost Record After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," Two-thirds of the breaches in the study involved data that the organization did not know was present on the system.

9 What Can We Do about it? Nothing Can be Done to Prevent it. However, There are Steps to Decrease the Odds Create a Cyber Liability Program Remove NPPI from Computers Encrypt Sensitive Data Proactively Prepare for the Breach What Can We Do about it? We Choose to Be Proactive or Reactive Case Study Local Bank 20,000 Records Breached (Stolen) 1. Wrote Notification Letter Incorrectly 2. Provided Banks Phone Number for Questions 3. Provided Opt In Credit Monitoring for Victims 4. Cost - $49 per victim 5. Up to $1,000,000. Not to mention lost productivity, lost customers, legal, etc.

10 If Proactive What Can We Do about it? Case Study Local Bank 20,000 Records Breached (Stolen) 1. Write Notification Letter Correctly # Answered by Trained Paralegal 3. Fully Managed Recovery 4. Cost $3 per victim + $1,200 Retainer 5. $61,200 instead of potentially $1,000,000. What Can We Do about it? Protect Our Employees & Families with id guarantee

11 Identity Monitoring Monthly National Database screening of Name, Date of Birth & Social Security Number Identification of Fraudulent Name/Address Variations Expanded Data Searches within All 3 Credit Bureaus, Utilities, Public Records and More Immediate Notification of Suspected Identity Theft or Fraud Fully Managed Recovery Personal Recovery Specialist assigned to victim s case to determine severity of theft Victim spends 1-2 hours discussing case with trained Paralegal (Recovery Specialist) Victims receives all forms and documents ready for signatures and limited power of attorney Victim is finished with the work

12 Fully Managed Recovery id guarantee works directly with: Social Security Administration (SSA) Federal Trade Commission (FTC) US Postal Service (USPS) All 3 Credit Bureaus State Attorney General s Office Law Enforcement Officials All Creditors and Collection Agencies Thank you for your time For More Information Contact: Ken Stoll Principal ID Guarantee Corporation