WHAT IS SENSITIVE INFORMATION?

Transcription

1 Disclaimer: This material is designed and intended for general informational purposes only, and is not intended, nor shall it be construed or relied upon, as specific legal advice. Nearly all companies and organizations store some sort of personal information about their customers or employees. Names, Social Security numbers, credit card information and other data are often necessary to perform normal business functions such as filling orders or meeting payroll. If this information falls into the wrong hands, it could lead to fraud or identity theft. Your clients and staff trust you to safeguard their personal information. An incident of data compromise can mean negative media attention for your organization, which can harm your brand, or possibly lead to a lawsuit. It also can be a costly incident because many states have passed breach notification laws that require organizations to notify those affected by a data breach. These notifications can be expensive, running anywhere from $50 to $100 per record. Additionally, disheartened clients may decide to move their business elsewhere causing further financial damage to your organization. Don t believe that data compromise won t happen to your organization. Reduce the risk of it occurring in the first place by creating and implementing a plan to safeguard your organization s sensitive information. WHAT IS SENSITIVE INFORMATION? Before your organization takes any preventative actions, it s important that you understand what information needs to be protected. The Federal Trade Commission Act (FTCA) requires that companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable depends on the nature and size of your business, the type of information you have, the security tools available to you based on your resources and the risks you are likely to face. Sensitive information is any information that can be used to identify a person. Examples include: names, Social Security numbers, credit card information, addresses, employee ID numbers, financial and bank account numbers, medical information, mothers' maiden names and drivers' license numbers. Depending on the type and nature of your organization, you may be subject to additional legislative requirements such as the obligations under the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPPA) as well as other federal, state and local laws. TYPES OF DATA COMPROMISE Data can be compromised in a variety of ways depending on what type of sensitive information you collect and how your organization stores and secures the information. Understanding the types of threats your organization could experience should better equip you to defend against them. Types of threats include: Unintended disclosure: Sensitive information is posted publicly on a website, mishandled or sent to the wrong person via , fax or mail. Page 1 Rev

2 Hacking or malware: Information is compromised when an outside party gains access to your organization s computers, networks or other electronic devices. Malware is a type of computer software specifically designed to damage or disrupt a system. Hacking occurs when an unauthorized person breaks into computers or computer networks, often with the intent to steal information. Computer viruses: A computer virus is malicious code that infects a system s files. Viruses can get into a computer system in many different ways such as through an attachment or by downloading infected software. Viruses often lead to some sort of data loss and/or system failure. Worms: Although often confused with viruses, worms are different in that they spread an autonomous code over the entire network, targeting hard drive space and processors. Worms usually start by infecting files on one computer and eventually spread to others on the network. Worms are often used to corrupt files but can also steal data from a network. Credit or debit card fraud: This is fraud involving debit or credit cards that isn t related to hacking. Customer debit and credit card numbers can be stolen using skimming devices at the credit card terminal. Skimming devices look like they are part of the payment system, but they secretly store card numbers once a card is swiped. Employees: An employee or someone with access to sensitive information steals or leaks the information. Physical loss: Paper documents such as files or credit card receipts are lost, disposed of improperly or stolen. Portable devices: Laptops, personal digital assistants (PDAs), smart phones and portable memory devices (CDs, hard drives, USB flash drives or data tapes) are popular because they are easily portable. However this portability means they are also easily lost or stolen, putting sensitive information at risk, or employees may intentionally discard them while neglecting to remove the information. Stationary devices: Computers, servers or scanners containing sensitive information may be lost, discarded or stolen. WHERE TO START Conduct an Information Inventory Start by identifying what information you have and who has access to it. Inventory the locations where sensitive customer and employee information is stored, including file cabinets, computers, laptops, company and employee owned smart phones, CDs, copy machines, flash drives, disks, and home computers used for telecommuting. Your IT department, sales department and your HR office are all good places to start when conducting an inventory, because they often store or collect sensitive information. Once you have identified the physical locations containing sensitive information, you ll want to also consider how the information moves and is used within your organization. Sensitive information exists in many different contexts (in data stores, in motion through the network via or otherwise, in use on laptops, on mobile devices and on portable storage devices such Page 2 Rev

3 as USB drives). Because of the wide range, the process of identifying the true level of sensitive information exposure becomes more complicated. Simplify the process by asking yourself, Who sends sensitive information to my organization and how do we receive it? You may get information from customers, banks or credit card companies. You may receive this information through an , website submission, or through regular U.S. mail. Once you know how you receive sensitive information, determine the kinds of information your organization is collecting and where it is being stored once collected. Find out who has access to these areas. What, if any, controls do you currently have in place to prevent unauthorized access? Assess Your Vulnerability Once you have completed an inventory, conduct a vulnerability assessment by asking the following questions: What type of information might be exposed? Who/what might expose it? How and where could it be exposed? What applications currently use the sensitive information? How would a data breach impact an individual or our organization? Evaluate Information Needs Decide if your organization actually needs to be collecting the sensitive information in the first place. Only keep what is essential for your organization s purposes. Keeping unneeded information, or keeping it longer than necessary, raises the risk that the information could be compromised and used to commit fraud or identity theft. For example, you can help protect your employees by choosing identification numbers other than Social Security numbers. The fewer places you record Social Security numbers, the lower the risk that they will be compromised. If you decide there is data that isn t needed, make sure you are destroying it properly. Papers or other data in hard copy form should not be simply thrown in the trash. Identity thieves have and will sift through an organization s trash to find sensitive information. Burn, shred or pulverize physical data. Data stored on electronic devices must be overwritten at least 3 times to erase it. The Department of Defense (DOD) requires data to be overwritten 7 times to remove it. Deleting data is not the same as overwriting it. A file deleted from a computer remains on the hard drive and can be retrieved. By overwriting the data, you are erasing it completely. Overwriting data requires a special program designed specifically to overwrite data, so that the specific disk sectors are erased. Page 3 Rev

4 INFORMATION SECURITY Once you have identified the sensitive information you need to keep, it s time to take measures to protect that information. The manner and level of protection is based on where the information is stored. Physical Security Store sensitive documents and files, CDs, floppy disks, zip drives and tapes with sensitive information in secured rooms or in locked file cabinets. Don't forget to secure backup files, too. Limit access to these areas to employees with a legitimate business need. If you use physical keys, maintain records of how many keys exist and to whom they have been issued. Each key should have a statement engraved on them telling locksmiths to not duplicate the key. Files containing sensitive information should be removed from their secured locations only when an employee is working on the file. Remind employees not to leave sensitive papers out in the open when they're out of the office or away from their desks, even if it s only for a short break. Train your employees to put files away, log off their computers and lock their file cabinets and office doors at the end of every day. Make sure all physical information is destroyed properly prior to disposal. Use a cross-cut shredder to dispose of paper files with private information. Place shredders or shredding boxes throughout your organization to encourage proper disposal. You can also hire a private shredding contractor to regularly pick up your discarded paper files and ensure they are disposed of in a secure manner. Computer and Electronic Security It is important for you to understand your organization s computer system and know what you need to do to keep the information safe. Determine which of your computers or servers store sensitive information, and then identify all connections to these computers and servers. Take the time to analyze each connection and decide how susceptible each one is to known or foreseeable attacks. Your security assessment may include running security software or, for larger organizations, hiring a professional to conduct a full-scale audit on your network. Network security requires constant attention. At a minimum, you should be running anti-virus and anti-spyware programs should be set to run continually on both individual computers and servers and updating these at least once a day, but more frequently, if possible. Antivirus software should be deployed at the network perimeter level (e.g., firewalls, servers and at the host level (e.g., workstations, file servers, client software). You should be performing regular backups of your system data. If a system or your entire network becomes compromised you can format the system to its pre-attack state. Encryption It is a best practice to electronically encrypt sensitive information regardless of what form it is in. Encryption is the process by which information is rendered unreadable to anyone who doesn t have appropriate authorization. You should encrypt sensitive information: Page 4 Rev

5 Found on laptops In transmission between wireless devices and computer networks Shipped using outside carriers or contractors Sent to third parties over the Internet or through Stored on your network Stored on disks or portable storage devices Sent through within your business Wireless Network Security If your organization uses wireless devices to transmit sensitive information, set up limitations on who can use wireless connections. Change your Service Set Identifier (SSID), or your network name, from the default before you actually connect the wireless router of the access point. Try to limit the amount of devices that are allowed to connect to your network. Encrypting transmissions from wireless devices to your computer network may prevent an intruder from gaining access through a process called "spoofing" -- impersonating one of your computers to get access to your network. Require strong passwords for access to your wireless connections. Take steps to ensure the secure transmission of sensitive information. Use a Secure Sockets Layer (SSL) or other secure connection to protect information in transit. When employees are using mobile devices that can access sensitive information, it s best if they do not use public wireless hot spots, especially if they are unsecured networks. Anyone can create a hot spot at public locations. A data hacker can put up an unsecured wireless access point in minutes, and because it s free people will use it. By utilizing certain devices, hackers can view everything the Wi-Fi user types, including user names and passwords, leaving the Wi-Fi user clueless to the breach that has just occurred. When choosing a network to connect to, pick one with some kind of network encryption, such as WPA2 and WPA. If your employees are required to travel and maintain access to your organization s network and software, consider using a mobile virtual private network (mvpn). A mvpn provides mobile devices with secure access to your organization s network resources and software when employees connect using an outside wireless or wired network. A mvpn requires strong protection using either a two-factor or multi-factor authentication system. It enforces encryption of the data traffic and gives your IT department visibility and control over electronic devices located away from corporate premises. Laptop Security If your employees use laptops for business, decide whether sensitive information needs to be stored on these devices. If not, overwrite any existing information using an overwrite program and avoid adding sensitive information in the future. For the most thorough removal, use a software program designed to permanently wipe the hard drive. Page 5 Rev

6 If you must allow employees to work with sensitive data on laptops, you don t have to store it on their machines. When possible, store sensitive information on a secure central computer that employees can access with their laptops. That way, the laptops function as terminals that display information from the central computer, not as storage sites. Add extra protection by requiring the use of a token, such as a "smart card," a thumb print, or some other biometric - - as well as a password -- for access to the central computer. If a laptop will contain sensitive data, configure the system so users can t download any software or make changes to security settings without approval from your IT staff. Also encrypt any data stored on the laptop. Consider adding an "auto-destroy" function to automatically wipe the information from the hard drive of a stolen or lost computer. Restrict the use of laptops to employees who need them to perform their jobs, and require those employees to store laptops in a secure place. Even when laptops are being used in the office, think about using cords and locks to secure them to employees' desks. Tell your employees to think of their laptops as they would their wallets or cash. Instruct them to never leave their laptops unattended. When they're on the road, they should never leave them visible in a car, sitting at a hotel luggage stand or packed in checked luggage, unless directed to do so by airport security. Smart Phones and Other Mobile Devices Mobile devices are now used both on and off the job, creating numerous threats to security. Sensitive information shouldn t be stored on smart phones or similar mobile devices because these devices are much more likely to be lost, stolen and are vulnerable to viruses and worms. However, given the high proliferation of mobile devices into the workplace, organizations may find banning the use of mobile devices for work purposes to be difficult. Instead of storing sensitive information directly on the device, consider storing the information on a central server and with mobile devices accessing the information remotely. If your organization must save or send data via mobile devices, develop and implement enhanced security on all devices. If an employee needs to have access to work from his or her mobile device (e.g., ), provide a work phone or require their personal phone have the same security features that a work phone would. Allow employees to access only the information they need on their mobile devices. For example, if an employee doesn t need access to network file locations, don t give him or her access. Stay up to date on the operating system the mobile device uses and make sure all devices have the latest versions. Install antivirus software on mobile devices to protect against viruses and malware. Educate mobile device users on unsolicited messages (SMS). If a user receives a text with a link from someone they do not know, they should not click on it. These links often lead to malicious websites that can infect the phone with malware or a virus. Set up all mobile devices to have strong passwords and have a way to automatically wipe or overwrite the information in case of a theft. Just like laptops, you should encourage your employees to never leave their mobile devices unattended. Digital Copiers Organizations often use digital copiers to copy, print, scan, fax and documents. These devices have hard drives that manage incoming jobs and workloads and also store the information from the documents. If your organization uses a digital copier, you should treat Page 6 Rev

7 the information stored on the copier the same as information stored on a computer. Encrypt the data stored on the device so it cannot be retrieved from the machine. Once you are finished using the information, overwrite all the information on the hard drive. If your copier allows you to overwrite after every job run, enable that setting. Many organizations lease their digital copiers from a supplier. If your organization does this, be sure to overwrite the data prior to returning the device. Contractors and Service Providers Before subcontracting any of your organization s operations, research the contractor company and their security practices and make sure they are in line with your own. Talk with the service provider or contracting service and agree that they will notify you of any security incidents they experience. You should get all data compromise procedures and obligations in writing. You should monitor incoming and outgoing to ensure that any mail sent or received complies with your organization s policies. Require the use of authentication such as Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). These forms of authentication verify that the domain used is under the control of the sender, protecting users from scams and spammers. Your system should have spam filters and virus scanners. Regular is not a safe way to send sensitive data. Any with information that could be used by fraudsters or identity thieves should be encrypted. ACCESS CONTROL Control access to all of your offices and storage sites, either with good key control practices or through electronic access control systems which include photo access badges or proximity cards. Your employees are often your best defense against thieves. Make sure employees know what to do or who to contact if they see someone on the premises they don t recognize. Passwords You should require all employees to have a strong password that is changed at least every 90 days. Employees should not be allowed to use the same password over and over. Take a look at your password policy settings. Your password protection will be strongest if employees are required to cycle through several different passwords before they are allowed to reuse a past one. The strongest passwords contain a mix of letters, numbers, symbols and both uppercase and lowercase characters. Longer passwords and complexity requirements also create stronger passwords. Employees should avoid using passwords with the company name or other easy to guess words. Use password-protected screen savers to lock employee computers after a period of inactivity and require passwords for applications that use or store sensitive information. These programs should time out after a period of inactivity and force regular password resets. Lock out users who don't enter the correct password within a certain number of log-on attempts. Instruct your employees to never give away password information or any other sensitive information via or phone. Page 7 Rev

8 Firewall Every organization should install a firewall. A firewall is software or hardware designed to block hackers from getting into your computer or network. A "border" firewall separates your network from the Internet and could prevent an attacker from getting to where you store sensitive information. It's important to allow only trusted employees with a legitimate business need to access the network remotely. Determine what level of permissions each employee should have and ensure the access control settings reflect that. The protection a firewall provides is only as effective as its access controls. Updating Access Controls You should be regularly updating the access controls of your organization. If an employee leaves, make sure he or she no longer has access to your network. Terminate all of their passwords and collect keys and identification cards. If an employee is reassigned to a different area within your business, reevaluate their permissions and curtail their access to sensitive information if there is no longer a legitimate business need. EMPLOYEE TRAINING A well-trained workforce may be your best defense against data compromise. Train your employees on the potential security threats your organization may face and take time to explain your organization s rules. Educate employees on the various ways data could be compromised. Make sure they know the definition of sensitive information and what types they may run across during their work. Make it clear to your staff your expectations and what their responsibilities are. Have all employees sign an agreement to follow your organization s policy regarding confidentiality and sensitive information security, and establish consequences for security policy violations. Make sure your employees know to never release sensitive information over the phone to unknown or suspicious callers. Require employees to inform a supervisor immediately if they suspect a security issue. Prior to hiring new employees that will have access to sensitive data, conduct a background check. Do not allow temporary employees access to your staff or customer sensitive information. INFORMATION RETENTION POLICY It is important for your organization to retain sensitive information only as long as it is needed. An information retention policy can help your organization consistently dispose of unneeded information, reducing your exposure to data compromise incidents. The policy should dictate how long certain types of information need to be kept and the best way to destroy data when it no longer is needed. Paper records should be cross-cut shredded, burned or pulverized. If you use consumer credit reports for business purposes, you may be required to follow the FTC s Disposal Rule which requires businesses to make reasonable and appropriate efforts to prevent unauthorized access to the information on a consumer report. When deleting information from a computer or portable device, use a wipe utility program to overwrite everything. If you establish an information retention policy, it s a good idea to conduct regular checks to ensure it is being implemented effectively. Make sure telecommuting employees also follow your procedures for disposal of sensitive information in both paper and electronic form. Page 8 Rev

9 RESPONDING TO DATA COMPROMISE Detecting Data Compromise One of the most challenging aspects of data security is accurately detecting incidents of data compromise. Signs of a data compromise incident may include: A Web server crash The antivirus software detects a worm Users complain of slow Internet The system administrator sees a filename with unusual characters An application logs multiple failed login attempts from an unfamiliar remote system An unusual change in network traffic flow Make sure the person(s) in charge of monitoring your network, system and applications has a solid understanding of expected activity in your organization so abnormal activity can be recognized quickly. Use an intrusion detection system that monitors networks and systems for malicious activities or organization policy violations, and make sure it is updated frequently. Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If an attack occurs on your network, the log will help you identify which computers are compromised. Monitor network traffic using a network intrusion detection system (NIDS) for signs that someone is trying to acquire unauthorized access. Keep an eye out for activity from new users, multiple log-in attempts from unknown users, and higher-than-average traffic at unusual times of day (like non-business hours). An effective intrusion detection system will also look at outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user. Investigate to make sure the transmission is authorized. Most importantly, have a breach response plan in place. Establishing an Incident Response Plan It s important for your organization to develop a plan for responding to a data security breach. If possible, establish a data breach incident response team with representatives from necessary departments (information technology, human resources, risk management, security, and legal) with the necessary skills (system administration, network administration, programming, technical support and/or intrusion detection). There is no one size fits all approach to a contingency plan. What s right for your organization is dependent on the size and the nature of your organization. Most plans should include instructions for the following actions: Determine the nature and scope of the data loss incident Take immediate steps to stop the unauthorized access Page 9 Rev

10 Notify appropriate regulatory bodies and law enforcement (e.g., the Federal Bureau of Investigations [FBI], the U.S. Secret Service, district attorney offices and state and local police) Notify those affected (staff and/or customers) Notify affected external parties, such as the vendor of vulnerable software or your organization s Internet service provider A plan for communicating with the media Many states have laws regarding data compromise. Check your local and state regulations prior to implementing a plan. Depending on your business, you might also fall under federal regulations such as the Federal Trade Commission s Red Flags Rule. Review your plan on a regular basis and make changes that correspond with technological advances. Make certain key staff members such as information technology, legal, corporate security, etc. have easily accessible hard copies of your plan. If a data compromise incident does occur, immediately start recording all the facts regarding the incident. Document all system events, telephone conversations, observed changes and every step your organization took from the time the incident was detected to the final resolution. Having this in writing will assist investigations. When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. If an individual server or a system is affected do not shut it down as this may delete the system log, which is important for any investigations. If an entire network is compromised or if you believe a system is infected with a worm that is sending itself out from your computer, shut it down and disconnect it immediately from the Internet to prevent further damage. When a data compromise could result in harm to a person or business, you should call your local law enforcement immediately. Ask them about when and how you should notify the individuals or businesses involved in the breach. When notifying those affected, make sure to describe clearly to them what you know about the compromise. Let them know how it happened, what information was taken, how the information has been used and what actions your organization has taken. If credit card information was stolen, encourage the victims to immediately put a fraud alert on their credit reports. They can do so by calling one of the three major credit bureaus. Equifax Experian TransUnionCorp Provide contact information for both your organization and the law enforcement officer working on the case. When constructing a breach notification to send to customers, take into consideration their communication needs. Elderly customers may have hearing or sight issues that require accommodations. If your customer s first language is not English, you should be able to provide translated information. Page 10 Rev

11 Under the Fair Credit Reporting Act (FCRA), organizations are required upon request to provide identity theft victims a copy of all transaction records relating to the theft of their identity. If you receive a request for transaction records you may ask for proof of identity, a police report and an affidavit before giving the victim the records. Recovering from a Data Breach Incident The most damaging effect of a data breach is the loss of your customer s trust and business. Following a data breach, customers will most likely question your organization s commitment to information security. Regain their trust and your organization s credibility by providing personal services that go beyond the legally required notifications. If possible, or where required by law, provide your affected customers with a credit monitoring service for a year after the breach. Set up a call center for affected customers. Make sure call center staff is knowledgeable about the latest information in regards to the breach, able to answer questions, address concerns and provide resolutions, such as advice on how to use credit monitoring. Consider providing a recovery service to those customers that do experience fraudulent activities related to your breach. These services will assess and document the impact of the identity theft and help indemnify the individual. FOR ADDITIONAL INFORMATION Federal Trade Commission: Fighting Back Against Identity Theft Red Flag Rule On Guard Online: National Conference of State Legislatures: State Data Breach Notification Laws National Institutes of Standards and Technology NIST Computer Security Incident Handling Guide APPENDIX A Sample Data Breach Notification Letter Dear : Page 11 Rev

12 We are contacting you about a potential problem involving identity theft. [Describe the information compromise and how you are responding to it.] Data Compromise We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. Equifax Experian TransUnionCorp Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at or at ID-THEFT( ). Your complaint will be added to the FTC s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. [Provide your organization s contact information.] [Insert closing] Your Name Page 12 Rev