US House Energy and Commerce Committee. Commerce, Manufacturing, and Trade Subcommittee
US House Energy and Commerce Committee, Commerce, Manufacturing, and Trade Subcommittee
Protecting Consumer Information: Can Data Breaches Be Prevented?
February 5, 2014

Congressmen in Attendance: Rep. Lee Terry, Rep. Pete Olson, Rep. Leonard Lance, Rep. Jan Schakowsky, Rep. Fred Upton, Rep. Marsha Blackburn, Rep. Billy Long, Rep. Henry Waxman, Rep. Joe Barton, Rep. John Dingell, Rep. Peter Welch, Rep. Brett Guthrie, Rep. Mike Pompeo, Rep. Gregg Harper, Rep. Gus Bilirakis, Rep. David McKinley, Rep. John Yarmuth, and Rep. Bill Johnson

Witnesses:

Panel 1:
Edith Ramirez, Chairwoman, Federal Trade Commission
Lisa Madigan, Attorney General, State of Illinois
William Noonan, Deputy Special Agent in Charge, Criminal Investigations Division, Cyber Operations, US Secret Service
Lawrence Zelvin, Director of the National Cybersecurity and Communications Integration Center, Department of Homeland Security

Panel 2:
Michael Kingston, Senior Vice President and Chief Information Officer, The Neiman Marcus Group
John Mulligan, Executive Vice President and CFO, Target Brands Inc.
Bob Russo, General Manager, PCI Security Standards Council
Philip Smith, Senior Vice President, Trustwave Holdings

Begin Panel 1

Rep. Lee Terry introduces the panel and witnesses. He states that he believes more can be done, whether by government, the private sector or a combination of both. Rep. Pete Olson makes a similar statement. Rep. Leonard Lance states that data breach notification is where the attention should be focused. He also suggests that attention should be paid to prevention and to the industry standards put in place by the card brands. Rep. Jan Schakowsky takes the floor, recognizing that no regulation can 100% prevent data breaches, which happen every day. She makes it clear that a federal law regarding data breach notification and data security standards is needed. She is also open to the idea of a technology-neutral bill so that the FTC can work with the payments industry to keep up with new technology as it becomes available. Rep. Fred Upton states that the federal government and regulation are not the only layer of protection; the states and the private sector have important roles to play as well. On the other hand, Rep. Upton questioned whether self-regulation was the way to go.

In Rep. Marsha Blackburn's opening statement she explained that data breach notification is important, but the private sector must work with the federal government on these issues. Rep. Henry Waxman questioned whether the industry policing itself was the best course of action. He explained that the federal government definitely has a role in data breach notification and data security standards, and that the state laws should be used as models for minimum legislation implemented at the federal level.

Ms. Edith Ramirez stressed the importance of a data security standard and data breach notification legislation. She also encouraged the panel to consider increasing the FTC's power, giving it the authority to bring civil actions and impose civil liability, holding companies responsible for their data security systems. The FTC would also have the power to set security standards.

Ms. Lisa Madigan stated that action must be taken in the private sector and in the federal government. She explains that companies are not doing everything they can to prevent breaches and that the US in general is behind on its payments networks. This technological gap is the main reason the US is such a large criminal target, according to Madigan. She says that the government must put in place a notification requirement and give the FTC power to investigate, all while not undercutting state laws.

Mr. William Noonan made it clear that the Secret Service has the authority, and should keep the authority, to investigate data breaches. He also describes the five-step process criminals go through to gain access to consumer information: unauthorized access, deployment of malware, sale of the acquired data, fraud committed with the data, and laundering of the stolen money.

Mr. Lawrence Zelvin echoes many of the other representatives' and witnesses' statements, saying that everyone, the government and the private sector, must work together to combat data breaches.

Begin Questioning

Rep. Terry asks how this data security breach took place. Mr. Noonan explains that the Target and Neiman Marcus breaches are different in nature, including different malware. He also confirms that these companies were using major security systems at the time of the attacks. Noonan also explains the ISAC program to the committee. Mr. Zelvin states that it is up to businesses whether they want to participate in ISAC.

Rep. Schakowsky asks what the Illinois law considers reasonable security and notification. Madigan stated that it is investigated on a case-by-case basis and that no one has yet been fined for lacking security.

Rep. Barton asks if it is at all possible to legislatively eliminate data theft. Ramirez states that Congress needs to act regardless. The entire panel is in agreement that there needs to be government action on data security standards and breach notification.

During Rep. Dingell's questioning he makes it clear that there must be legislation and imposed regulation on the industry. There must also be an increase in FTC power and a requirement for companies to provide credit monitoring after a data breach.

Rep. Welch was the first to bring up chip-and-PIN technology in his questioning. In Ms. Ramirez's answer, she made it clear that the FTC does not support specifying technology in legislation. Issuers need to keep up with emerging technology trends, according to Ramirez. She also states that this technology will not eliminate data breaches but would still help, and she encourages the industry not to abandon PIN technology. Mr. Noonan supports the new technology but also recognizes that no single technology can 100% prevent data breaches. Finally, Rep. Welch agrees that technology perhaps should not be written into any data security legislation.

During Rep. Lance's questioning, Noonan explained that in 2007 criminals started focusing on data processing companies rather than POS systems. That has since changed.

Rep. Pompeo questioned why consumers could not choose whether to patronize Target and Neiman Marcus if their systems were not secure. Ramirez explains that consumers inevitably bear the cost, including if the industry switches to chip-and-PIN technology. Rep. Pompeo then argues that Europe is perfectly comfortable using the US's payments system and that the situation is not as dire as it may seem.

Rep. Harper inquired how this breach could have been prevented. Noonan responds that this was a highly skilled group of criminals, but the incident could have been handled better if the companies had a response plan that included notifying authorities and victims. Rep. Harper went further, asking if a government standard would set the companies up to fail. Ramirez emphasized that each case would be handled on a case-by-case basis. She also explained that companies still make simple security mistakes that can be prevented.

Rep. Bilirakis asked how seniors or people without internet access could be notified about a breach. Ramirez responded that the FTC would be willing to use paper mail and to work with the committee to come up with better options.

Rep. McKinley asked about the Affordable Care Act and data breach notification associated with it. Noonan and Zelvin both agreed that people should be notified if such a breach occurred.

Begin Panel 2

Mr. Mulligan started the panel by explaining that Target had malware in its systems that led to the data breach. He also stated that Target moved as quickly as possible to notify law enforcement and breach victims. Target also took several steps after discovering the breach. According to Mulligan, these included security enhancements, fraud protection, reissuing cards to those who requested it, one year of free credit monitoring, zero-liability fraud protection, and accelerating Target's chip technology integration in its stores and Target credit cards.

Mr. Kingston explained that the Neiman Marcus data breach is still under investigation and that the company acted swiftly and responsibly once the breach was discovered. He also stated that the malware found within its systems had a zero percent detection rate. Neiman Marcus learned of the breach on January 2, disabled the malware on January 10, and notified its customers once the malware had been eliminated. Neiman Marcus is also offering identity theft insurance and credit monitoring to its customers.

Mr. Russo states that the private sector is qualified to secure itself and does not need outside legislation. There are currently PCI standards for the industry. These standards include removing unneeded information from servers, software and POS device standards, tokenization and point-to-point encryption goals, and EMV technology goals. According to Russo, EMV will reduce face-to-face fraud, but it is only a piece of the puzzle. There needs to be more than just standards; there also needs to be a raised level of awareness. The best way for the government to help would be increased law enforcement and the facilitation of a data sharing network among companies.

Mr. Smith stated that companies must go beyond PCI standards, although the standards are an excellent guideline for companies to follow. He also states that chip-and-PIN technology is a good step, but a multilayered approach is needed: incident response plans, web application security, and anti-malware gateways allowing for real-time protection.

Rep. Terry asks if the US is actually being attacked more or if the media is just playing it up to look that way. Smith says that the US is being attacked more because its data is so valuable. Rep. Terry also asks if the unencrypted information involved in the Target breach was a shortcoming. Mulligan blames the magnetic stripes on current credit cards as the problem and notes that Target fully supports the move towards EMV technology. Rep. Terry also asks what the point of access was. Mulligan said it was false vendor credentials; Kingston did not know. Rep. Terry also inquired about the timeliness of notification after the breach occurred. Both men stated that notification is very important to their respective companies and that it took four days after the breach to notify the victims and the public.

Rep. Schakowsky asks straightforwardly whether the committee should act at all. Russo says that the best way for the government to act in this situation is to better equip law enforcement against the criminals involved and to encourage data sharing. Rep. Schakowsky asks who discovered the breaches. According to the witnesses, the Neiman Marcus breach was discovered by a forensic investigator hired by the company, and Target's breach was discovered by the Justice Department. Mulligan also explained that Target notified the victims of the marketing information breach as well, through public exposure and notification. Rep. Schakowsky goes on to question whether credit monitoring really does anything for the victims. Mulligan states that he cannot comment on the effectiveness of the program, but that consumers will have zero liability for any fraudulent charges.

Rep. Lance inquired how business was conducted at Neiman Marcus between the dates of discovery and notification. Kingston said that business was conducted normally but with increased security measures. Rep. Lance also asked about the difference between chip-and-PIN and chip-and-signature cards. Russo stated that both are great security advancements. Russo also had no preference as to whether the government should require a chip-and-PIN or chip-and-signature implementation. Smith, however, explained the importance of leaving room for the industry to innovate new technologies beyond EMV to boost security.

Rep. Yarmuth asked about communication within the industry about attacks. Mulligan said that Target has a good relationship with law enforcement and security technology companies, and that it is now working to communicate directly with other companies as well.

Rep. Blackburn asked if law enforcement had ever seen this malware prior to these breaches. Kingston stated that the malware had a zero percent detection rate and had never been seen before. Rep. Blackburn also asked what the panel's guidance for lawmakers was in this situation. Russo emphasized the effectiveness and importance of the PCI standards and that most companies are compliant. He did, however, agree that the standards may need some updating. Rep. Blackburn also asked how much the companies were spending on data security. Both Mulligan and Kingston replied that millions of dollars are spent on security.

Rep. Guthrie asked if Neiman Marcus and Target were PCI compliant, whether the breaches were basic, and what the breaches cost. The answers to these questions were all still under investigation.

Rep. Johnson asked why Target had not joined ISAC. Mulligan stated that he did not know much about it, but that Target shares information with law enforcement and would consider joining a data sharing group. Rep. Johnson also asked about the current systems the companies have in place and why they failed. Kingston stated that Neiman Marcus uses a multilayered security system consisting of firewalls, intrusion detection, encryption and tokenization. The malware, according to Kingston, was extremely sophisticated and unique and was able to delete itself from the system after doing the damage.

Rep. Bilirakis asked if Target had notified the payment processors first and if there was a notification standard for that. Mulligan stated that Target notified the processors and they, in turn, activated their fraud detection systems. Rep. Bilirakis also asked if it was hard to follow all the different state laws. Mulligan said that with broad public exposure and s, all state laws were followed. Rep. Bilirakis also asked if there should be a federal law on notification. Mulligan said yes; Kingston did not have an opinion on the law but noted the need for flexibility and case-by-case examination. Rep. Bilirakis also brought up the 2015 shift of liability to retailers and asked if EMV technology will save retailers money. Mulligan expressed Target's advocacy of EMV and its further investment in the technology. Kingston stated that Neiman Marcus is still evaluating chip-and-PIN technology but will be ready to support the technology by. Smith stated that any technological advancement, including EMV, is good for security. Russo also agreed that EMV will be a good additional layer of data security.

Rep. Terry asked when security audits last took place at each company. Mulligan explained that there are annual security checks and PCI standards checks, but he did not know when the last audit was done. Target was, however, PCI compliant as recently as September. Kingston shared that Neiman Marcus also does periodic security checks and PCI compliance checks.

Rep. Schakowsky asked if the companies agree that the FTC lacks authority. Mulligan said that Target would be open to engaging in talks. Kingston stated that he was not familiar with the FTC's powers but supports data security standards.
More informationPCI Risks and Compliance Considerations
PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction
More informationDATA SECURITY, FRAUD PREVENTION AND COMPLIANCE
DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE December 2015 English_General This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client or potential client to
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationInformation Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
More informationEMV and Small Merchants:
September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationFebruary 2015. Introduction
February 2015 ISSUE EDITORS: Stuart P. Ingis singis@venable.com Michael A. Signorelli masignorelli@venable.com Ariel S. Wolf awolf@venable.com ADDITIONAL CONTRIBUTORS: Emilio W. Cividanes ecividanes@venable.com
More informationPROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS
PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry,
More informationPrivacy / Network Security Liability Insurance Discussion. January 30, 2013. Kevin Violette RT ProExec
Privacy / Network Security Liability Insurance Discussion January 30, 2013 Kevin Violette RT ProExec 1 Irrefutable Laws of Information Security 1) Information wants to be free People want to talk, post,
More informationPCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH
PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH How do I -know if I m compliant? -what do I do to become compliant? -how do I know if the fee(s) I
More informationPCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett
PCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett Dr. Svenson thought he was doing both his patients and his practice a big favor when he started setting up monthly payment arrangements
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationCREDIT CARD PROCESSING POLICY AND PROCEDURES
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
More informationCybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048
Cybersecurity Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048 Setting expectations Are you susceptible to a data breach? October 7, 2014 Setting expectations Victim Perpetrator
More informationINFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION
INFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationAnatomy of a Hotel Breach
Page 1 of 6 Anatomy of a Hotel Breach Written by Sandy B. Garfinkel Monday, 09 June 2014 15:22 Like 0 Tweet 0 0 Data breach incidents have dominated the news in 2014, and they are only becoming more frequent
More informationPAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL
PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL Session 1 Payment Card Industry (PCI) Security Standards Slide 1 Top 3 Largest Security Incidents Reported Worldwide = CREDIT CARDS Related *Source:
More informationSTATEMENT OF DELARA DERAKHSHANI CONSUMERS UNION BEFORE THE UNITED STATES SENATE COMMITTEE ON THE JUDICIARY
STATEMENT OF DELARA DERAKHSHANI CONSUMERS UNION BEFORE THE UNITED STATES SENATE COMMITTEE ON THE JUDICIARY ON PRIVACY IN THE DIGITAL AGE: PREVENTING DATA BREACHES AND COMBATING CYBERCRIME FEBRUARY 4, 2013
More informationWe are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information.
EQUIFAX AUTHORIZATION CODE July, 2012 Dear [insert name]: We are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information. On or
More informationHow To Comply With The New Credit Card Chip And Pin Card Standards
My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business
More informationFighting Today s Cybercrime
SECURELY ENABLING BUSINESS Fighting Today s Cybercrime Ongoing PCI Compliance Using Data-Centric Security Technologies HOUSEKEEPING ITEMS All phone lines have been muted for the duration of the webinar.
More informationHow Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495
How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda! Rise in Data Breaches! Effects of Increase in Cybersecurity Threats! Cybersecurity
More informationWritten Testimony of. Jason Oxman, CEO The Electronic Transactions Association
**Embargoed until 10am on May 14** Written Testimony of Jason Oxman, CEO The Electronic Transactions Association House Financial Services Committee Hearing on Protecting Consumers: Financial Data Security
More informationFailure to follow the following procedures may subject the state to significant losses, including:
SUBJECT: Policy and Procedures PAGE: 1 of 5 INTRODUCTION During fiscal year 2014, State of Wisconsin agencies accepted approximately 6 million credit/debit card payments through the following payment channels:
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationPresented By: Corporate Security Information Security Treasury Management
Presented By: Corporate Security Information Security Treasury Management Is Your Business Prepared for a Cyber Incident? It s not a matter of if, it s a matter of when Cyber Attacks are on the Rise; Physical
More informationImportant Info for Youth Sports Associations
Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over
More informationAIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009
AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application
More informationData Security, Fraud Prevention, and Cost Control. Mike Dorland, CPP Regional Marketing Representative Michigan Retailers Association
Data Security, Fraud Prevention, and Cost Control Mike Dorland, CPP Regional Marketing Representative Michigan Retailers Association Michigan Retailers Association Incorporated in 1940 Represent retail
More informationMatthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com
WHITE PAPER Global Digital Security: The Human Element March 2014 Written by: Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com TABLE
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationThe Home Depot Provides Update on Breach Investigation
The Home Depot Provides Update on Breach Investigation Breach confirmed Investigation focused on April forward No evidence of debit PIN numbers compromised No customers liable for fraudulent charges Customers
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationData Security Basics for Small Merchants
Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided
More informationCYBERSECURITY IN HEALTHCARE: A TIME TO ACT
share: TM CYBERSECURITY IN HEALTHCARE: A TIME TO ACT Why healthcare is especially vulnerable to cyberattacks, and how it can protect data and mitigate risk At a time of well-publicized incidents of cybersecurity
More informationA Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
More informationIt is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,
More information