SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

Transcription

1 SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015

2 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory Updates Creating Your Data Breach Response Plan Questions and Answers

3 About Mark Pribish Vice President & ID Theft Practice Leader Certified Identity Theft Risk Management Specialist (CITRMS) and Arizona P&C License 25 years experience in helping consumers and enterprise organizations manage the risks associated with ID Theft and data breach events Served in senior sales positions for Aon and AIG Gannett / Arizona Republic guest columnist for cyber security, data breach, identity theft, and personal privacy Member of FBI Citizens Academy Class of 2012, FBI InfraGard Public Private Alliance, Guidepoint Global Advisors, and Risk Insurance Management Society Graduated from the University of Dayton in 1981

4 Information Governance What is Information Governance? Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset. "Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing risks and costs." Articles/T/The-IG-Initiative-Definition-of-Information-Governance.aspx#sthash.RxzcIMEl.dpuf Information governance is a set of established policies and procedures you and your employees implement and follow in order to manage sensitive and proprietary information. John G. Iannarelli, Assistant Special Agent in Charge of the FBI Phoenix Division

5 Information Governance Information Governance Program Checklist Implement an information governance policy Require annual information security training and education Understand what type of employee, customer and member data is being collected, stored, protected Constantly assess and test your organization s needs and requirements Know your organization s strengths and weaknesses Implement baseline safeguards and controls Vigilance including annual pre-employment screening Be aware of current and former employees, customers and vendors

6 Information Governance SMBs handle customer, employee and vendor information including social security numbers, bank/credit card/loan account information, drivers license numbers, birth dates, etc. SMBs use , computerized accounting, electronic procurement, and/or stores electronic employee and customer information SMBs rely on electronic networks including the information, data and the e- records within and outside these computer networks

7 Information Governance Size Doesn t Matter! Small to medium size businesses are now the target of cyber attacks and ID Theft criminals Why? Because of large business financial and IT resources, hackers and thieves are going after small to medium size businesses The Best Defense? Web filtering, security software and employee and customer education

8 The Threat Landscape of breaches are to businesses of 100 employees or fewer of SMBs have no formal cybersecurity plan of companies who experienced a data breach didn t know it Notified by 3 rd party

9 The Threat Landscape

10 The Threat Landscape Privacy Rights Clearinghouse Data Breach Timeline for Jan 19, 2015 Since January 2005 there have been 4,478 data breaches affecting nearly 1 billion records 30 percent of these data breaches were impacted by hackers and IT related events 70 percent of these data breaches were impacted by social engineering (the human element)

11 Data Breach Trends 320 breaches reported between July and September, 2014 November 19,

12 Data Breach Trends Websense Warns Doctors to be on High Alert for 2015 Cyber Blitz 19 Nov 2014 News Security experts have warned healthcare organizations to prepare for tidal wave of online attacks in % increase in attacks targeting healthcare data since the start of 2014 Security is often seen as an inhibitor leaving dangerous gaps for hackers to exploit Social media platforms would increasingly be used by cyber-criminals as covert C&C infrastructure

13 Data Breach Trends Ponemon Institute Study: Cost of a Data Breach March 2014 Total Costs averaged $201 per lost customer record Direct Incremental Costs including free/discounted services, notification letters, legal/accounting fees, etc. Lost Productivity Costs including lost time of employees and contractors diverted from other tasks Customer Opportunity Costs including cost of lost customers and cost of acquiring new customers

14 Legislative Changes/Updates Regulatory, Consumer and Data Security Laws HIPPA Data Breach Requirements (February 17, 2010) FACT Act Red Flags Rule (December 31, 2010) 47 State Security Breach Notification Laws

15 Creating a Breach Response Plan Data Breach Responsibility is on the SMB or Data Owner Whether the business data is accidentally lost or it is stolen with malicious intent Any business that experiences a data breach should work with legal counsel to determine regulatory requirements including but not limited to state breach notification laws: the FACT Act Red Flags Rule the HIPAA HITECH Data Breach Requirements the PCI Data Security Standards COPPA (Children s Online Privacy Protection Act) the 47 state breach notification laws

16 Creating a Breach Response Plan Small business data breach risk factors include people, processes and technologies: People the insider threat, whether accidental or malicious, can include current and former employees, customers, associates, vendors, and independent contractors. Processes including information technology, enterprise risk management, marketing/sales and human resources need to be aligned, defined, and documented. Technologies that are relied on to conduct and grow your business are also being used to identify vulnerabilities and cyber threats on your business.

17 Creating a Breach Response Plan What can a small business do? Complete a data assessment of the type of information that is being collected, used, stored and transmitted by asking the following questions: What type of data (e.g. current and former employee / customer / patient information) is in your electronic and hard copy files? What type of Personally Identifiable, non-public Information (PII) is included in your business data (e.g. name, address, social security number, driver s license, bank account information, credit/debit card, medical plan information)? What percentage of your data involves the collection, storage, usage, and transmittal of current and former PII? What aspects of your business products, services and technology are performed within and outside your business?

18 Creating a Breach Response Plan What can a small business do? Complete a data assessment (continued) What is the value of your data assets if they were stolen and made public? Is data that you store subject to civil fines and penalties if breached? What is your overall financial risk if data you control is breached? Which states does your business conduct business in and what states are your customers / employees / patients domiciled? Could a data breach damage your brand and if so what is the potential impact? Does your business insurance include cyber/network liability insurance?

19 Creating a Breach Response Plan Your Data breach response plan should include 5 components 1. Breach source - determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of breach you should engage a forensic investigation company. 2. Breach assessment - determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records in addition to the state of domicile. 3. Response plan - include internal employee education and talking points; public relations press releases, customer education, and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.

20 Creating a Breach Response Plan Your data breach response plan should include 5 components 4. Protection plan - include the small business or consumer protection services to be offered to the compromised record group and the confirmation of professional call center and recovery advocate support services. 5. Breach victim resolution plan - provide access to professional certified identity fraud recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by breach.

21 Creating a Breach Response Plan Cyber Insurance Becomes Small-Business Necessity Nov 18, 2014 Cyber liability insurance is now as important for small businesses as property and liability insurance A data breach can damage a small business far more than a big business because it can put you out of business Any firm that has a website, uses social media or stores customers' personal records in its computers is vulnerable to a cyber-attack Like other types of insurance, cyber insurance pays for a legal expenses to defend the business in a lawsuit and money to cover losses

22 Creating a Breach Response Plan Cyber Insurance Becomes Small-Business Necessity (continued) Cyber insurance can provide a dedicated call center so that customers can call a third party specializing in data breach response Cyber insurance can include identity restoration after a breach could tie up a business for weeks Cyber insurance can include social media liability where libel and slander on social media isn't covered by most standard business policies Cyber insurance can include data recovery where a virus could destroy the business's software and data and infect customers' computers. Cyber insurance pays for the cost of restoring the computers or buying new ones if necessary

23 Contact Information Mark Pribish VP & ID Theft Practice Leader Merchants Information Solutions, Inc

24