Compromised Identity Exchange: How to Contribute Compromised Data



Similar documents
MICHIGAN SECRETARY OF STATE ELECTRONIC INSURANCE VERIFICATION (EIV) TRANSMISSION OPTIONS AND FILE FORMAT GUIDELINES

Data Submission Guide

Virginia Department of Taxation Specifications for Web Upload Server to Server Processing for Virginia Department of Taxation Forms

Secure Data Transfer

Frequently Asked Questions (FAQ)

Data Validation Center. (DVC) Processing User Guide.

Online Payment FAQ s

Shipping Services Files (SSF) Secure File Transmission Account Setup

Online Utility Bill Payment FAQ s

State of Idaho Transportations Department Online Insurance Verification System User Guide For Insurance Companies (Version 1.0)

Regions Secure Webmail. Instructions

Clever SFTP Instructions

Online Presentment and Payment FAQ s

Online Presentment and Payment FAQ s

Paxton Light Online Presentment and Payment FAQ s

Online Presentment and Payment FAQ s

Online Presentment and Payment FAQ s

CROWNWeb Data Quality Improvement Report Distribution Process:

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

Online Presentment and Payment FAQ s

Online Presentment and Payment FAQ s

State of New Jersey DEPARTMENT OF THE TREASURY DIVISION OF TAXATION PO BOX 269 TRENTON NJ In reply respond to: (609)

Online Presentment and Payment FAQ s

Message Archiving User Guide

City of Toppenish Online Presentment and Payment Frequently Asked Questions

Bank of Kirksville Internet Banking Application

Is your data safe out there? -A white Paper on Online Security

ONLINE BANKING APLICATION

Welcome to the ODE Secure Web Portal User Guide

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

Secure Frequently Asked Questions

Protecting Regulated Information in Cloud Storage with DLP

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

Invoice Cloud Frequently Asked Questions

mywcb Online User Guide

HMRC Secure Electronic Transfer (SET)

1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established

ALERT: October 2011 TIN Reference Response File and Address Validation Information for Group Health Plan (GHP) Responsible Reporting Entities (RREs)

Titus and Cisco IronPort Integration Guide Improving Outbound and Inbound Security. Titus White Paper

Follow the trainer s instructions and explanations to complete the planned tasks.

Employer Portal User Guide Last Updated: October 2015

Network Security - ISA 656 Security

FF/EDM Intro Industry Goals/ Purpose Related GISB Standards (Common Codes, IETF) Definitions d 4 d 13 Principles p 6 p 13 p 14 Standards s 16 s 25

Kansas Insurance Reporting Guide

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

MTRS 2.0 Transaction Reporting Gateway Guide

Guidance on data security breach management

Using YSU Password Self-Service

Privacy Impact Assessment

New Employee Registry Program. Cover + 10 pages. DE 340 Rev. 4 (1-13) (INTERNET)

Online Banking for Business Secure FTP with SSH (Secure Shell) USER GUIDE

Privacy Rights Clearing House

Direct message exhange with Finnish Customs

Experian Secure Transport Service

Sample Report. Header Search. Search Information SSN: Found 27 records. Record # 1

Electronic Invoicing Overview. April, 2010

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

SART Data-Sharing Manual USAID Ed Strategy Goal 1

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

HTTPParameter Pollution. ChrysostomosDaniel

Guidance on data security breach management

Critical Data Guide. A guide to handling critical information at Indiana University

Revisions to Publication 199, Intelligent Mail Package Barcode. (IMpb) Implementation Guide for: Confirmation Services and

Establishment Registration SPL Technical Errors Training ebook

SLDS Program Race to the Top FLDOE Single Sign-on LEA Integration and User Provisioning Specification Version 1.0

Secure User Guide

Presented by: Mike Morris and Jim Rumph

Security Breaches. There are unscrupulous individuals, like identity thieves, who want your information to commit fraud.

Montezuma State Bank Internet Banking Agreement Online banking is not available to children under 18 years of age.

Electronic Data Transmission Guide For International Mailers

Online Banking for Business Secure FTP with SSL (Secure Socket Layer) USER GUIDE

Online Bill Presentment and Payment FAQ s

IRS Tax Return Transcript Request Process

PROCEDURES MANUAL FOR IMPLEMENTATION OF THE FLORIDA MOTOR VEHICLE NO-FAULT LAW AND FINANCIAL RESPONSIBILITY LAW INITIAL/RELOAD REQUIREMENTS

Canada Savings Bonds Program. FTP Server User Guide. Version 2.5

Identity Theft Prevention Program Compliance Model

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015

.ME. Web Admin Tool User Manual. for Registrars. Copyright 2011 Afilias Limited

Transcription:

Compromised Identity Exchange: How to Contribute Compromised Data The first step in protecting your customers from fraud following a data breach at your organization is to contribute your breached records to the Compromised Identity Exchange. In order to offer consumers the highest level of protection, X has outlined in this document the proper process and format to contribute this data to the exchange. X implements the highest level of security and encryption standards at every stage of development and implementation to ensure that the Compromised Identity Exchange does not create additional risk of breach or opportunities for fraudsters to access exchange data. Data received by X that does not meet the standards outlined here or that we feel creates consumer or business risk will not be accepted into the exchange, and will be deleted immediately. Additionally, X follows stringent data minimization principles, and information is deleted following its use in the exchange. This prevents your customers information from being used by any entity for marketing or other unintended purposes. If you feel your organization is not prepared to follow these procedures for contributing breached data, contact info@xor.exchange for assistance. Participation for compromised entities is free of charge and presents invaluable opportunity to protect your customers and limit the effects of your organization s data breach. We welcome your participation and commitment to protecting consumers. Implementation Process for Compromised Entities There are two options for compromised entities to share breach information through the exchange: 1. Provide X with the personally identifiable information (PII) of the breached consumers as well as other basic information about the compromise event.

2. Install and run X s distributed exchange software that allows breached data to be matched in real time without any PII leaving your systems. The remainder of this document focuses on the first option as it is the simplest and quickest way for a compromised entity to protect customers. If you would prefer not to send compromised PII outside of your organization, then please contact X for more information about how to install and run the distributed exchange software. X does not recommend this method unless your compromise involves more than 10,000 consumers. Below is a description of the steps required to directly provide X with breach data. A detailed description of each step is provided below. 1. Signup for a secure data transfer account with X 2. Prepare compromised PII for transfer to X 3. Transfer compromised data to X 4. Submit compromise metadata to X Signup for a Data Transfer Account X hosts an SFTP server which can be used to securely transfer breached data to X. To get started, go to https://xor.exchange/breached and fill out the signup form. nce the form has been submitted, we will provide you with the necessary information to be able to login to the system. X will not accept file transfers over insecure channels such as email. In the event that data is sent to X in such a manner, the data will be immediately deleted. Prepare Compromised PII for transfer to X In keeping with X s data minimization standards, consumer information is deconstructed to the maximum extent possible prior to matching in the Compromised Identity Exchange. This is accomplished using a process developed by X called ID Factoring, which involves deconstructing identities into prime factors which are not individually sensitive but can be meaningfully matched. The most sensitive part of consumer s identity is not any particular element such as the SSN or name, but the combination of these elements. Appendix A provides a detailed layout of the various ID Factored files that can be sent to X. It is not necessary to provide each of the different ID factors if, for example, you do not have emails or SSNs for all the affected

consumers; however, the more data that is provided the better the match will be. Appendix B provides the required layout if ID Factoring is not run. To make this process easier, X will provide a free program to manage this process that will run on a wide variety of systems. Compromised entities are also free to implement their own processes as long as the files ultimately sent to X match the specifications. If your organization is unable to complete the ID Factoring process, contact X and we will determine the best format for you to send your data. Transfer Compromised Data to X nce the compromised data has been prepared to these specifications, you can transfer the data to X using your data transfer account. nce your data has been received, X will send you a confirmation email providing you with a unique ID for your breach. This is the ID that you will use to provide X with further information about your breach. In the event that there is more than one compromise event, information about each breach should be submitted separately and you will receive separate IDs for each occurrence. Despite the fact that the transmission of data is already encrypted, X also prefers that all breached data sent to X be encrypted at a file level. This can be accomplished by using X s public PGP key which will be provided along with the account login information for your file transfer account. Submit Compromised Metadata to X After you have received your confirmation email from X you will need to provide information about the compromise event. This includes details such as the date the breach was detected and how the data was exposed (e.g., lost laptop, external hack, etc.). This information must be submitted to X before the data can be properly used by at-risk entities. In the email confirming receipt of your data, X will provide a link to a Web form which must be completed prior to your data being activated in the exchange. This information will be gathered at the individual compromise level, so in the event that you have experienced multiple compromises you will need to fill out the form one time for each compromise event. nce this form has been submitted, X will make your data available as part of the exchange. If you are interested in receiving additional reporting about how your data is being accessed and used to protect exposed consumers, please contact X.

Appendix A: ID Factored File Layouts All files should be Unicode encoded and pipe ( ) delimited. All files should contain a header and each field listed below should always exist for each file. If a field is optional and will not be provided, please fill with two quotation marks ( ). Name and DB Factor Layout Field Name ptional/equired Formatting Name ID First Name All capital letters Last Name All capital letters Middle Initial A single capital letter Name Suffix All capital letters Date of Birth YYYY-MM-DD SSN Factor Layout Field Name ptional/equired Formatting SSN ID SSN 9 digits (no dashes) Address Factor Layout Field Name ptional/equired Formatting Address ID

Address Line 1 Address Line 2 Numbers followed by capital letters or P.. Box Unit followed by a number City All capital letters State Two letter postal abbreviation Zip Code 5 or 9 digits (no dashes) Phone equest Field Name ptional/equired Formatting Phone ID Phone Number 10 digits (no dashes or parenthesis) Email equest Field Name ptional/equired Formatting Email ID Email user@domain

Appendix B: Non-ID Factored Layout All files should be Unicode encoded and pipe ( ) delimited. All files should contain a header and each field listed below should always exist for each file. If a field is optional and will not be provided, please fill with two quotation marks ( ). Field Name ptional/equired Formatting ecord ID record. First Name All capital letters Last Name All capital letters Middle Initial A single capital letter Name Suffix All capital letters Date of Birth YYYY-MM-DD SSN 9 digits (no dashes) Address Line 1 Address Line 2 Numbers followed by capital letters or P.. Box Unit followed by a number City All capital letters State Two letter postal abbreviation Zip Code 5 or 9 digits (no dashes) Phone Number 10 digits (no dashes or parenthesis) Email user@domain

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information