The Trust Catalyst Data Breach Prep Kit

Transcription

1 TrustCatalystDataBreachPrepKit Page1of21 The Trust Catalyst Data Breach Prep Kit Preparingyourorganization sresponsebefore navigatingadatabreach Copyright(c)2009TrustCatalyst AllRightsReserved

2 TrustCatalystDataBreachPrepKit Page2of ExecutiveSummary Thenumberofrecordsexposedindatabreachincidentsoverthelastdecadehasreachedepicproportionsputting customersinavulnerable,anxiousposition.accordingtothedatalossdatabasecreatedbytheopensecurity Foundation,overhalfabillionrecordshavebeenexposedinover1,990incidentssince2000andthisnumberisquickly growingasunreportedcasesareaddeddaily.and,whileaccidentaldisclosureshaveputcompaniesintheheadlines,a newenemyinthewarondatabreachisemerging cybercriminalswillingandabletoprofitfromidentityfraud.theu.s. DepartmentofJusticerecentlytestifiedtoCongressthatidentitytheftconvictionshaveincreased138%overthelastfour years.thefederaltradecommissionestimatedthatoverninemillionamericansarevictimsofidentitythefteachyear costingtheu.s.business$50billionindamagesannually. Increasingly,identitytheftcrimesaretargetedandorganizedbycriminalswhohaveacyberconnection.Perhapsnopieceofresearchhasputthe profitsofcybercriminalsmoreonthemapthantherecentverizondatabreachinvestigationreport,whichdocumentedthefindingsof258 compromisedrecordsstolenfromover600corporatenetworksinvestigatedbyverizon.unliketheopensecurityfoundation sdatabase,this reportfocusedonlyonthesubsetofcompromisedrecordsthatwereinvestigatedinconnectionwithidentityfraudcrimes.ninety eightpercent ofthesecasesinvolvedanoutsideintruderhackingintothecorporatenetworkthroughvulnerability,installingmalwareandcollectingdata. Ninety ninepercentofthetime,thetargetofthebreachwasaserver(asopposedtodatalossincidentswhichofteninvolvethelossofsensitive informationviaunencryptedbackuptapes,laptopsor dumpsterdiving ).Inover90percentofthecasesreportedbyVerizon,theattackerwas connectedtoaglobalcybercriminalringalreadyknowntolawenforcement.probablythemostdisturbingfindingwasthatforthemajorityof compromisedorganizations,theywereunawareofthebreach.mostoften,theseorganizationswerenotifiedbyeithertheircustomers,law enforcement,acreditcardcompanyorabusinesspartnerthatverifiedanidentityfraudcrimehadbeencommittedbeforeitwasdiscoveredby thevictimorganization. Inthisenvironment,ifyoustorecustomersensitivedata,youneedtobethinkingabouthowyourorganizationwillbepreparedtohandleadata breach.mostorganizationscollectingpersonaldataabouttheircustomerswillnotbeimmune.infact,webelieveorganizationsshouldprepare themselvesnowforbreachesthatmayhappeninthefuture.dependingontheseverityandsizeofthebreach,youwillfaceadifferentsetof managementchallenges.whenoutsidepressurefromcustomers,mediaandregulatorsmount,youwillnotwantthistobethefirsttimewhere yourdatabreachmanagementskillsaretested.inaddition,asmoreofourcustomersareactuallyvictimsinidentityfraudcrimes,wemuststep upourresponsesoasnottotallydestroycustomertrust.webelievethewaysuccessfulorganizationshandlebreacheventswillraisethestakes oftheytypicalresponseweareseeingtoday.organizationsinterestedinmaintainingarelationshipwiththeircustomerspost breachwillbe moreopenandtransparentandexchangemorecriticalinformationwithcustomersandlawenforcementagencies. Copyright(c)2009TrustCatalyst AllRightsReserved

3 TrustCatalystDataBreachPrepKit Page3of TheDataBreachPrepKitwasdesignedtohelpyoustartthinkingabouthowyouwanttohandlebreaches.Itcanhelpyouprepareanincident responseplaninadvanceofabreach,helpyouthinkthroughhowtoeducatekeystakeholdersinyourcompanyandevenestimatepotentialcosts ofbreachessoyoucanbuildtherightplantoprotectyourcustomerstoday.unfortunately,thisprepkitalonecannotaccuratelypredicthowa databreachcrisiswillimpactyourspecificorganization,butitcanhelpyougetprepared,gatherthefactsandmakeimportanttrade offsrequired todeveloplong termstrategiestoprotectthevalueofyourcompany.ifyoufindyouneedmorehelpplanningyourresponseandweighingthe costs,contactusandwewillbehappytodevelopacustomizedplanforyourorganization. TheDataBreachPrepKitincludesanumberofhelpfulresourcesandisagreatforstepfor: Definingthethreetypesofdatabreaches Creatingadatabreachincidentresponseplan Managingthecrisis howtodefinestrategyforthreatlevel Databreachestimatedcostsworksheet Databreachincidentsresponsereportworksheets Databreachchecklist Referencesandhelpfulresourcesforfuturereading Wehopethisreferencehelpsyouuncoversomeofthequestionsyourbusinessneedstoaddressnowandhelpsyoucalculatetherisksandcosts tosellstrategiesthatwillhelpyouprotectyourcustomers. Bestregards, KimberlyGetgen FounderandPrincipal,TrustCatalyst direct: Copyright(c)2009TrustCatalyst AllRightsReserved

4 TrustCatalystDataBreachPrepKit Page4of DataBreachesDefined Therearethreedifferenttypesofdatabreachincidentsasillustratedintheillustrationandtablebelow.Eachtypeofbreachcanelicitadifferent typeofresponsefromtheorganization,whichiscriticalintheeducationofyourorganization,creationofyourresponseplananddetermining yourcosts. Copyright(c)2009TrustCatalyst AllRightsReserved

5 TrustCatalystDataBreachPrepKit Page5of DataBreachesDefined AShortSummary DataLoss DataTheft IdentityTheft/Fraud Definition Common examples HowcanI reduce therisk? Accidentallossordisclosureofunencryptedcustomer PIIorothersensitiveinformation particularlythat usedinidentitytheft/fraudcrimes. Lostlaptop Losttapeormedia accidents UseencryptionandDataLeakagePrevention(DLP): 1. EncryptPIIthatleavestheorganization especiallyonlaptops,backuptapesandin . 2. Discoverwheresensitivedataislocatedwithin theorganization 3. MonitorPIIinmotionoverthenetworkfordata leaksofpiigoingtopartnersorthirdparties. 4. MonitorPIIleavingtheorganizationormistakes inwebapplications. Impacts Estimatedthereareoverhalfabillionrecords currentlyexposedandover1,990reporteddata lossincidentssince2000. Costsorganizationsmillionsindatabreach notificationprocess. TheaveragecostperrecordinUSis$202 Losttrustfromcustomerscancauselost business dependingonhowtheorganization respondstotheircustomers,lostbusinesscan accountfor69%ofthecostsofabreach TheftofPIIorsensitivedatausedinidentity theft/fraudcrimes.oftentheresultofacomputer intrusion(hacker)ormaliciousinsider(employeeor businesspartner)withpermissionstothedatawho stealsandusesinacrime. Computer/networkintrusion Exploitmistaketogainaccesstonetwork/hack intonetwork,installmalwareandcollectdata SQLinjections Malwareinyourcustomer scomputer Businesspartners;supplychain,vendors Insidermaliciousthreat Regularsecurityassessmentsandvulnerabilityscans conductedbyanoutsideforensicsorsecurity professionalservicefirm.duetopcirequirements, yourorganizationmayberequiredtoconductthese byqualifiedqsaacertainnumberoftimesayear. EvenifyouarenotregulatedbyPCI,youcan dramaticallydecreaseyourrisksbyconductingthese typesofauditsregularly. Oneforensicfirmhasestimatedtheircaseloadto accountforover258millioncompromised accounts thereareover600individualcases. Costsorganizationsmillionsindatabreach notificationprocess TheaveragecostperrecordinUSis$202in2008 Lostbusiness dependingonhowthe organizationresponds,lostbusinesscanaccount for69%ofthecostsofabreach. Regulatoryfines Coststomakecustomers whole Lawsuitsfromdamagedcustomers Lostorstolendataisactuallyusedinfor identitytheftorfraud.now,the customer/consumerisdamagedandavictim. Newaccountcreation Accounttakeover ATMorPINcompromise Fraudulentcharges(i.e.cardnotpresent fraud) Opennewloansandapplications Ifyouacceptpaymentforservicesonlineor offeronlinebanking/paymentproductsyou willbeinapositiontoacceptorreject transactionsyouthinkarefraudwith: Riskprofiling/riskscoringalgorithms Backendautomatedandmanualfraud detectionprocesses Cross industryinformationsharing databases Estimatedthereare9MUSIDtheft victimsayear USIDtheftconvictionshaverisen138% lastfouryears IDtheftcoststheUSbusiness$50million in2008 Averagecosttotheconsumerwhoisa victimofidtheftis$5,720 OnlinefraudcostseCommerce merchantsanestimated$10billion annually Copyright(c)2009TrustCatalyst AllRightsReserved

6 TrustCatalystDataBreachPrepKit Page6of CreatingaDataBreachIncidentResponsePlan Ifyourorganizationexperiencesadatabreach,therearealotofmovingpartsandpeoplethatmustbemanagedeffectivelytoreducedamages fromdiminishedcustomertrust.youwillneedtogettherightinformationouttotherightpeopleveryquickly.businessleadersinyour organizationwhomayhaveneverworkedtogetherinacrisismayformyourincidentresponseteamand,asitoftenturnsout,different stakeholdershaveconflictingagendas.thisishardenoughtomanageundernormalconditionsbutamplifiedwhenmanagingacrisislikedata breach. Dependingontheseverityofthebreachandnumberofvictimsimpacted,youmayalsohavetobringinoutsiderstomanagedifferentaspectsof thecrisisincludinginvestigatorsandevenlawenforcement.and,asoutsidepressuresfromcustomers,mediaandauditorsorregulatorsmount, yourmanagementskillswillbetested.putsimply,theaftermathofdatabreachisnotthefirsttimewhereyouwillwanttobetested.putting togetheryourresponseplaninadvancecanbeinvaluablelearningexperience.inevitably,youwilluncoverquestionsintheplanningthatyour organizationmaynothaveconsidered.nowisthetimetouncovertheunknowns,getanswersfromkeystakeholdersandbuildingawarenessand recommendationsforhowdifferenttypesofbreachesshouldbehandledaswellasestimatetheircosttoyourbusiness. Gettingeveryoneonthesamepage Notalldatabreachesarethesame.Therearedifferentlevels,responsesandcostsbasedonthetypeofbreachyouencounter,numberof customersimpactedandtypeoffraud(ifany)found.and,ifyouareinthefortunatepositiontoactquickly,youcanbeginpreventingadataloss situationfromturningintoadatatheft/identityfraudcrisiswherecostsandstakesaredramaticallyincreased. Theworksheetbelowsimplifiesthetypesofbreachestofourdifferentscenariosthatrequiredifferentresponseplans.Thisworksheetwillhelp youworkthroughthetypeofresponseyouwillwanttoproducebasedonthestageofdatabreachencountered.itshouldhelpyoustartto identifythekeyresourcesyouwillneedtosuccessfullymanagethebreach.whilethisisnotacompleteresponseplan,wherepossiblewehave providedeitherrecommendationsorquestionsforyoutoconsidertobegintheprocessofbuildingyourown.werecommendusingthis worksheetasastartingpointtocreateachartinyourorganizationthatyoucanuseasaneducationaltooltopreparedifferentstakeholders abouttheactionthatwillberequiredandquestionsthatwillcomeupintheprocesstomanageadatabreach.trainyourorganizationonthe differencebetweenthedifferentlevelsofbreachesandhowissueswillbeescalatedandtreateddifferentlydependingonthestageofthebreach. Someorganizationsmayevenwanttoorganizemockbreachincidentslikeafiredrilltotesttheirteaminadvance.Also,becauseeach organizationisregulateddifferently,youmaywanttoaddwhatcompliancerequirementsyouwillspecificallyencounterateachstage. Copyright(c)2009TrustCatalyst AllRightsReserved

7 TrustCatalystDataBreachPrepKit Page7of DataBreachIncidentResponsePlanWorksheet Stage0 Data Loss Lostlaptop,PDA, backuptapeorstorage mediawithsensitive datawaslost. Thisdatawasencrypted andthereisanauditlog thatprovesdatais protected. Response/ActionRequired Nonotificationprocessrequiredbecausesensitivedatahasbeenadequatelyprotected. RecommendedActions: Haveaninternalteaminvestigatewhatwaslostandproduceareportthatshowsresponseprovingthedatawas protected.includethenumberofrecords/customersyouprotectedinthisincidenceandestimatethecosthaving theseprotectionsinplacesavetheorganization. Reportonthesetypesofbreachestothebusinessasappropriatetobuildacaseforthereturnoninvestment technologiesyou veputinplacetoprotecttheorganizationareproducing. Questionsforthebusiness: Whoistheinternalteamandkeystakeholders? Isthereeveracasewhereencryptedlostdatawouldneedtobereportedpublicly?Ifso,documenttheseexamples andincludethemintheappropriatestageinthisresponseplan. Ifyouarenotencryptinghigh riskdata,whatispreventingthisfromhappening?perhaps,goingthroughacostbasedriskassessmentofthecostsofpreventinganotificationeventisrequiredtogetinvestmentforthesetypesof solutionsinyourorganization(forexample,seethecostworksheetprovidedinthisdocument). Copyright(c)2009TrustCatalyst AllRightsReserved

8 TrustCatalystDataBreachPrepKit Page8of Data Loss Stage1 Lostlaptop,PDA, backuptapeorstorage mediawithsensitive datawaslost. Datalostwasnot encrypted. Response/ActionRequired Notificationprocessrequired.Customersatriskforidentitytheft. Recommendedactions: Securityteamproducesareportwithcriticalinformationforexample:customersaffected,numberaffected,where theyreside,dateinformationwaslost,typeofinformationthatwaslost(e.g.ssn,ccn ). Inyouropinion,whatriskexistsforthesecustomerstobecomevictimsofidentitytheft/fraud?Whatstepswould youtaketopreventcustomersfrombeingfinanciallydamagediftheybecomevictimsofidentitytheft(e.g.canyou workwithlawenforcement?shouldyouoffercreditmonitoringservicesoridentitytheftinsurance?whoshould receivetheseservices?) Createassessmentofsituationandoffertheorganizationarecommendedcourseofactiondependingonthetype ofinformationdisclosed/potentialrisk.howmuchwouldthiscost?arethecostsjustifiedbytheamountof businessyouwillsavefromnegativecustomerreactionanddiminishedtrust? Implementrecommendedcourseofaction Questionsforthebusiness: Whatwouldbetheimpactoflosingrevenuefrom30%ofyourcustomersfollowingthebreachnotification? Whoarethesecurityteamandkeystakeholders?Willyourequireoutsidesecurity,PRorlegalservices? Copyright(c)2009TrustCatalyst AllRightsReserved

9 TrustCatalystDataBreachPrepKit Page9of Data Theft Stage2 Datatheftoccurred knowtheorigin/how theftwascommitted Response/ActionRequired Notificationprocessrequired.Customersatelevatedriskforidentitytheft. Recommendedactions: Appointteamthatproducesareportwithcriticalinformationforexample:customersaffected,numberaffected, wheretheyreside,dateinformationwaslost,typeofinformationthatwaslost(e.g.ssn,ccn ),howthedatawas compromisedandwhatstepsarebeingtakentopreventthisfromhappeninginthefuture. Inyouropinion,whatriskexistsforthesecustomerstobecomevictimsofidentitytheft/fraud?Whatstepswould youtaketopreventcustomersfrombeingfinanciallydamagediftheybecomevictimsofidentitytheft(e.g.canyou workwithlawenforcement?shouldyouoffercreditmonitoringservicesoridentitytheftinsurance?whoshould receivetheseservices?) Createassessmentofsituationandoffertheorganizationarecommendedcourseofactiondependingonthetype ofinformationdisclosed/potentialrisk.howmuchwouldthiscost?arethecostsjustifiedbytheamountof businessyouwillsavefromnegativecustomerreactionanddiminishedtrust? Implementrecommendedcourseofaction Questionsforthebusiness: Whatwouldbetheimpactoflosingrevenuefrom30%ofyourcustomersfollowingthebreachnotification?What canyoudotomakediminishtheimpactsoflostcustomertrustandlostcompetitiveadvantage? Whoistheteaminvestigatingthebreach?Isitthesameasinalevelonebreachordoesitchange? Willyourequireoutsidesecurity,PRorlegalservices? Whattypeofcasecanyoupulltogetherforlawenforcementsothattheycanactquickly,beforetherearefinancial damages?wouldthisbethesamecourseofactioniftherewereaninsiderwhostoledataversusahacker? Copyright(c)2009TrustCatalyst AllRightsReserved

10 TrustCatalystDataBreachPrepKit Page10of Identity Theft or Fraud Stage3 Identitytheftoccurred becausenotifiedby outsidesource(e.g. consumer,customer) theyareseeing fraudulentactivitiesand youarethesourceof origin. Youdonotknowhow datawasstolen. ResponseActionRequired Notificationprocessrequired.Customershavebecomevictimsofidentitytheft. Recommendedactions: Bringinoutsideforensicsinvestigationteamtofindsourceoforiginanddetermine:customersaffected,number affected,wheretheyreside,dateinformationwaslost,typeofinformationthatwaslost(e.g.ssn,ccn ),howthe datawascompromisedandwhatstepsarebeingtakentofixtheproblemandpreventthisfromhappeninginthe future. Contactlawenforcementtodeterminewhatstepscanbetakentofindcriminalsandwhentonotifycustomers. Beginnotificationprocess.Whatstepscanyoutaketopreventmorecustomersfrombeingfinanciallydamagedas victimsofidentitytheft(e.g.offercreditmonitoringservicesand/oridentitytheftinsurance). Createassessmentofsituationandrecommendedcourseofactionthroughacostjustificationbytheamountof businessyouwillsavefrommorecustomersbecomingvictims,publicreactionanddiminishedtrust? Implementrecommendedcourseofaction. Questionsforthebusiness: Whatwouldbetheimpactoflosingrevenuefrom30%ofyourcustomersfollowingthebreachnotification?What canyoudotomakediminishtheimpactsoflostcustomertrustandlostcompetitiveadvantage? Whoistheoutsideforensicsteamyouwillcallintoinvestigate?Howoftenaretheyassessingyournetwork? Willyourequireoutsidesecurity,PRorlegalservices? Whatisyourrelationshipwithlawenforcement? Whattypeofcasecanyoupulltogetherforlawenforcementsothattheycanactquicklytocatchcriminals?Would thisbethesamecourseofactioniftherewereaninsiderwhostoledataversusahacker? Howmuchcashshouldbeputinreservefordamagesresultingfromlawsuits,settlementandfines? Copyright(c)2009TrustCatalyst AllRightsReserved

11 TrustCatalystDataBreachPrepKit Page11of DataBreachEstimatedCostsWorksheet Thespreadsheetbelowgivesabreakdownofthevariouscostsinvolvedwithcleaningupadatabreach.Costswillvarydependingontypeof breach,numberofcustomersinvolvedandseverityofbreach.youcancustomizethistoyourorganizationorestimatesfordifferenttypesof breaches. Typeofbreach(dataloss,datatheft): Numberofcustomerrecordsexposed: Whatwasdisclosed(e.g.Creditcard,debitcard,socialsecurity,address ): Numberofcustomersexposed: Howmanycustomershavebecomevictimsofidentitytheft: CustomerManagement Costs Notification(letters,website,pressreleases,costofcreation,printingandmailing) Creditmonitoringservice Identitytheftinsurance Customerretentionprogram Customersupporthelpdesk Coststocreatenewaccountsorreplacementcards Coststomakecustomers whole EmployeeManagement Employeetrainingprograms Lostemployeeproductivity OutsideServices Legal PR/CrisisManagement/Communication Marketing ForensicInvestigators SecurityExperts RegulatoryFines/Lawsuits Fines Lawsuits NetworkUpgrades Securityupgrades(encryption,dataleakagemonitoring,services,etc.) TotalEstimatedCosts Copyright(c)2009TrustCatalyst AllRightsReserved

12 TrustCatalystDataBreachPrepKit Page12of DefinitionsofCosts Notifications:Ifthebreachrequiresnotification,theorganizationwillneedtocreatethenotificationanddecidehowtheyintendtonotifythose impacted.theorganizationwillneedtodecideiftheywillbehandlingthenotificationoroutsourcingthisactivitytoanoutsidefirm. CreditMonitoringServices:Toimprovecustomersatisfactionanddependingontheseverityandtypeofinformationdisclosed,organizations maychosetoenrollthevictimsinacreditmonitoringserviceasanadditionallayerofprotection. IdentityTheftInsurance:Toimprovecustomersatisfactionanddependingontheseverityandtypeofinformationdisclosed,organizationsmay chosetogivevictimsidentitytheftinsuranceasanadditionallayerofprotectionandcustomerservice. CustomerRetentionProgram:Someorganizations(especiallyorganizationswhoareserviceproviders)createcustomerretentionprogramsin theaftermathofdatabreachtoexplainoutcomestotheircustomersinface to facemeetings.forexample,thistypeofinteractionwas encouragedaftertheheartlandbreachandthecostswerereportedintheirquarterlyearningscallafterthebreach. CustomerSupportHelpDesk:Dependingonthenotificationstrategy,itmaybecomenecessarytotrain,assignoroutsourcecustomersupport personneltoanswerquestionscustomers. Coststocreatenewaccountsorreplacementcards:Dependingonwhatwasbreached,someorganizationsmayneedtocreatereplacement cardsorprovidenewaccountcredentialstocustomersinvolvedinthebreach. Coststomakecustomers whole :Forcustomerswhobecomevictimsofidentitytheftorfraudasaresultofthebreach,organizationswillfind thattheyincurcostsmakingcustomers whole forfraudulentchargesordamages. EmployeeTrainingPrograms:Someorganizationsrollouttrainingprogramsforemployeesintheaftermathofsignificantdatabreachestoarm employeeswiththerighttypesofinformationthatcanimprovecustomertrust. LostEmployeeProductivity:Organizationsfacelostemployeeproductivityastheyaretakenoffrevenue generatingactivitiestodealwiththe aftermathofdatabreach.whatwouldbethecosttoyourorganizationifyoulostfive,tenoreven20percentofemployeeproductivity? LegalServices:Toeffectivelymanagethedatabreachcrisis,someorganizationsfindtheyneedtopayoutsidelawfirmswhohavespecialized expertiseindatabreach.theseservicesoftenrequireretainersormoneypaidupfrontforlegalfees. Copyright(c)2009TrustCatalyst AllRightsReserved

13 TrustCatalystDataBreachPrepKit Page13of PR/CrisisManagement/CommunicationServices:Toeffectivelycommunicateandmanagethemediaandtheirbrand,someorganizationsturn tooutsideprfirmsthatspecializeincrisismanagementanddatabreach.anoutside,objectivepointofviewisoftenaninvaluableresourceto effectivelymanageadatabreachcrisisandimprovethehandlingofthebreachintheeyesofcustomersandvictims. MarketingServices:Tohelpplanthestrategytomanagethecustomersandbrandintheaftermathofdatabreach,someorganizationsturnto outsidemarketingandresearchfirmstoplanstrategyorhelpincreasecustomersatisfactionratingstodecreasethecostsinlostbusinessthat followdatabreach. ForensicInvestigationServices:Fororganizationsvictimofdatatheft,itisimperativethataforensicinvestigationfirmfindthesourceofthe breachandhelptheorganizationcaptureevidencethatcouldbeusedtocatchthecriminals. InformationSecurityProfessionalServices:DependingonthesourceofthebreachandinternalexpertiseoftheITorganization,some organizationsmayneedtoretainadditionalinformationsecurityprofessionalstohelpdeployorexecutemodificationsrequiredinthetechnology infrastructureintheaftermathofbreach. RegulatoryFines:Iftheorganizationhascomplianceorregulatoryrequirements,theycouldhavefinesassessedagainsttheorganizationfornot meetingtheserequirements. Lawsuits:Theorganizationmayfindtheyfaceanumberofdifferentlawsuitsfromclassactiononbehalfofcustomerstolawsuitsfromother businesspartnerswhoneedtoreclaimdamagesasaresultofthebreach. SecurityUpgrades:Manyorganizationsfindtheyneedtomakeupgradestotheirtechnologyinfrastructuretoprotectagainstfutureattacksor breaches.technologyinvestmentsoftenincludeencryptionprojectsanddataleakagemonitoringtechnology. Copyright(c)2009TrustCatalyst AllRightsReserved

14 TrustCatalystDataBreachPrepKit Page14of IncidentResponseReportInformation PartI:Informationaboutthetypeofcustomersensitivedatayoustoreandregulationswithwhichyoucomply Thisinformationcanbecompletedinadvancesoyouhaveapictureofthesensitivedataresidinginternallyandregulationsthathave requirementsforprotectingthistypeofinformation.youmayfindthatyouwanttotakestepstoprotectadditionaltypesofinformationevenif notrequiredbylaw. Whattypeoforganizationarewe: []DataOwner []ServiceProvider WestorethefollowingPIIaboutcustomers: [] addresses []CreditCardNumbers []DateofBirth []AccountInformation []Mother smaidenname []DebitAccountNumbers []EmployeeIDNumber []PINs []SocialSecurityNumber []CVVsorCardSecurityCodes []PassportNumber []CreditCardMagneticStripTrack1or2Data []Driver slicensenumber []Passwords,secretcodesoraccessnumbersforaccountinfo []Passwordsforonlineaccounts []BillingAddress []HealthData []ShippingAddress []Payrollinformation []PhoneNumber []Creditscores []Other: Wearerequiredtocomplywith: []StateDataNotificationLaws(U.S.) []PCIDSS []GLBA []HIPAA []UKDataProtectionAct []Other: Copyright(c)2009TrustCatalyst AllRightsReserved

15 TrustCatalystDataBreachPrepKit Page15of PartII:DataBreachIncidentResponseTeam InternalTeam Completetheinformationforthekeypersonnelthatwillmakeupyourinternalteam,theircontactinformationandwhoistheprojectlead. DataBreachIncidentResponseTeam ContactInformation;IndicateProjectLead []ChiefExecutiveOfficer []ChiefRiskOfficer []ChiefFinancialOfficer []ChiefPrivacyOfficer []ChiefInformationSecurityOfficer []ChiefInformationOfficer []ChiefComplianceOfficer []GeneralCounsel []Marketing []Sales []CustomerRelations/CustomerSupport []Other []Other Copyright(c)2009TrustCatalyst AllRightsReserved

16 TrustCatalystDataBreachPrepKit Page16of PartIII:LawEnforcementContacts Insertinformationaboutthelawenforcementcontactsthatyouwouldneedtocontactineventofacrimehasbeencommitted.Themore relationshipsyouhavewiththesepeoplepriortotheincident,theeasieritwillbetogetanappropriateresponse.attendindustrymeetingswith lawenforcementpresenceorestablishrelationshipswiththekeypersonnelwhenpossible. DataBreachIncidentResponseTeam ContactInformation Locallawenforcement: FBI U.S.SecretService U.S.PostalInspections InternationalLawEnforcement Agencies Copyright(c)2009TrustCatalyst AllRightsReserved

17 TrustCatalystDataBreachPrepKit Page17of PartIV:DataBreachIncidentResponseChecklist Thefollowingisachecklistoftheitemsthatyoumayormaynotneedtocompletedependingontheseverityandnumberofrecordsbreached. Thiswillallowyoutodecidewhichitemsfityourbusinessneedsandassignownershipofthetaskswithacompletiondate. ProjectLead: IncidentStage(0 3): Planning: []Willyouprovidecustomerswithacreditmonitoringservice? []Willyouprovidecustomerswithanidentitytheftprotectioninsurance? []Willyoucreationnewaccountsorplasticforcustomers? []Ifcustomerisdamagedwithidentityfraud,howcantheyreportthistoyou? Tasks Owner Completion []AssignwhowillmanagePRaboutthebreach(currentfirm,crisismanagementfirmorinternalresource) []Determinecorporatespokespersonforbreachquestionsfrommedia []Writewebsitecopyaboutbreachandstepstakentoprotectcustomersfromidentitytheft []Approvewebsitecopyaboutbreach []Posttowebsite []Draftcopyforpressrelease []Approvepressrelease []Postpressrelease []DraftFAQforcustomers []ApproveFAQforcustomers []PostFAQforcustomersonwebsite []Createdatabreachnotificationletterstobreachedcustomers(oreditsampleletter) []Approvedatabreachnotificationletters []Createde dupedcustomermailinglist []Printandmailletters []CreateFAQforemployees(toeducateallemployeesaboutthesituation []ApproveFAQforallemployees []Posttointernalcorporatewebsite []Write tonotifyemployeesaboutbreach []Approve tonotifyemployeesaboutbreach Copyright(c)2009TrustCatalyst AllRightsReserved

18 TrustCatalystDataBreachPrepKit Page18of Tasks Owner Completion []Send toemployees []Determineifadditionalemployee/salestrainingrequired(concall,webcastormeeting??) []Scheduletraining []Sendinvitationstoemployeesrequiredfortraining []Writecustomersupport/helpdesktrainingFAQ []ApprovehelpdesktrainingFAQ []Trainhelpdeskpersonnelonhowtohandlecustomercallsaboutbreach Notes: Copyright(c)2009TrustCatalyst AllRightsReserved

19 TrustCatalystDataBreachPrepKit Page19of PartV:IncidentResponseForm FrequentlyAskedQuestions Thequestionsbelowarefrequentlyaskedintheprocesstocreatenotificationletters,writeFAQsforcustomersandmanagethebreach. Marketing,PRandcustomer facingemployeeswillneedtoknowhowtoanswerthesequestions. Whatstageisthebreach(0 3) Whenwasitreported? Whendiditoccur? Howwasitdiscovered? Whowasimpacted? Hasitbeenremediated? Howwasitremediated? Howmanycustomersimpacted? Wherearecustomerslocated? Areyouworkingwithlaw enforcement? Havearrestsbeenmade? Copyright(c)2009TrustCatalyst AllRightsReserved

20 TrustCatalystDataBreachPrepKit Page20of Conclusion WhilethepreventionofdatabreachismostlyanITfunction,managingtheaftermathofabreachturnsouttobealessofanITfunctionandmore ofamarketing/customerrelationsprogram.organizationsfindtheseeventschallengingbecausetheyareacrisisthatteststheleadershipof differentbusinessunitswithintheorganization.wehopethisdatabreachprepkitcanhelpyouplantheappropriateactionplanfordealingwith abreachbeforeoneaffectsyourorganization.wealsohopeyouareabletostarttoassembletherightinter departmentalteaminadvanceto helpprotectcustomers,theirtrustinyourorganizationtomanagetheirsensitiveinformationandyourbrand. WewillbeupdatingthisDataBreachPrepKitoverthecourseofthenextyear,aswereceivemorefeedbackfromtheorganizationsthatputitto forupdatedversionsandnewresourcestomanagedatabreaches.weverymuchwouldliketohearfromyou.youcanalsojoinusatthe LinkedinGroup PreventDataBreaches toexchangeupdatesandquestionswithcolleaguesandpeersaboutthesubjectofdatabreachanddata protection. ResourcesMentionedinThisDocument: OpenSecurityProjectDataLossDatabaseat: 2009VerizonDataBreachInvestigationReport: 2009OnlineFraudBenchmarkSurveyReport: EncryptionandKeyManagementBenchmarkSurvey: ConsumerSurveyonDataBreachNotification,JavelinStrategyandResearch2008 AboutTrustCatalyst TrustCatalysthelpscompaniesmakecriticaldecisionsabouthowtoprotecttheirmostvaluableresource theircustomer strust.weunderstand thattheadoptionofasuccessfuldataprotectionorsecurityprogramisaboutsellingastrategytoalargeraudience.wespeakthelanguage businessexecutivesunderstandandquantifytheneedforsecuritybyhelpingestablishthecostsoflostcustomertrustandthedisruptionto businesswhenthattrustisbroken.asmoreinsidiousattacksfromcybercriminalsspecificallytargetingorganizationswithcustomer ssensitive datagrows,wehelpbusinessesunderstandthethreats,thecostsofthethreatsandhowtomaintaintrustedrelationshipswiththeircustomers. Learnmoreanddownloadhelpfultoolsthatcanhelpyouprepareforthesetypesofattacksatwww.trustcatalyst.com Copyright(c)2009TrustCatalyst AllRightsReserved

21 TrustCatalystDataBreachPrepKit Page21of NoticeAboutThisDocument Thisdocumentisnotintendedaslegaladvice.Thisdocumentisintendedtoassistcompaniesgetajump startonpreparingtheirresponsetodata breachincidents.eachorganizationisdifferentandweencourageyoutocustomizetheseworksheetstoyourparticularsituation.ifyouhave feedbackoradvicetomakethisabetterguide,pleasecontactussowecanupdatethisguide.ifyouwouldliketoshareanyfeedback,please Copyright(c)2009TrustCatalyst AllRightsReserved