Information Security: Gone in 60 Seconds

Similar documents
Identity Theft Security and Compliance: Issues for Business

YOUR CITY/MUNICIPALITY

Identity Theft Regulation. *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA. *Corresponding Author, 490 Piya Wiconi Road-Kyle, South Dakota

DSU Identity Theft Prevention Policy No. DSU

Cyber Liability. AlaHA Annual Meeting 2013

Red Flag Policy and Procedures for Alexander Orthopaedic Associates

PREVENTING IDENTITY THEFT AT The University of North Carolina at Greensboro. Presented By Roy Davenport Shred-it North Carolina

Why you MUST protect your customer data

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

Identity Theft and Medical Theft. *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Law & Ethics, Policies & Guidelines, and Security Awareness

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

ERM Symposium April Moderator Nancy Bennett

Cyber Liability. What School Districts Need to Know

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

Network Security & Privacy Landscape

Discussion on Network Security & Privacy Liability Exposures and Insurance

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Cyber-insurance: Understanding Your Risks

Guylyn Cummins, Esq. Elizabeth Balfour, Esq.

PII = Personally Identifiable Information

Anatomy of a Privacy and Data Breach

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

PROTECTING THE COMPANY S CROWN JEWELS WHEN EMPLOYEES DEPART

CSR Breach Reporting Service Frequently Asked Questions

Network Security & Privacy Landscape

A Proposal of Employee Benefits. Innovations in IDENTITY THEFT

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: Web:

Allianz Global Corporate & Specialty. Cyber Risks. Recent Trends. AIRMIC 15 th June 2015

SafeBiz. Identity Theft and Data Breach Program For Small & Medium Size Businesses (SMB)

IDENTITY THEFT PROCEDURES

Cybersecurity: Protecting Your Business. March 11, 2015

Protect your credit. Guard your identity. BENEFITS GUIDE

on Data and Identity Theft*

Data Breaches, Identity Theft, and Employees

IDENTITY THEFT FRAUD

Identity Theft Victim Guide

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

PII Personally Identifiable Information Training and Fraud Prevention

Violation Become a Privacy Breach? Agenda

S22 - Employee and Customer Awareness Turning Vulnerabilities Into Sentries John Sapp

Privacy / Network Security Liability Insurance Discussion. January 30, Kevin Violette RT ProExec

Aftermath of a Data Breach Study

Identity Theft Prevention Program (Approved by the Board of Trustees)

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS Data Breach : The Emerging Threat to Healthcare Industry

cyber invasions cyber risk insurance AFP Exchange

SIMMONS COLLEGE OFFICE OF THE GENERAL COUNSEL RED FLAG RULE POLICY. Background of the Federal Legislation Known as Red Flag Rule

How-To Guide: Cyber Security. Content Provided by

AN INFORMATION GOVERNANCE BEST

Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009

Vulnerability Management Policy

Data Loss Prevention and HIPAA. Kit Robinson Director

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage

Facts About FACTA Red Flag Identity Theft Prevention Program

Vulnerability Assessment & Compliance

UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE. University of Cincinnati Red Flags Rule Protecting Against Identity Fraud

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

Law Firm Cyber Security & Compliance Risks

Combating Identify Theft: A Theoretical Framework

The Data Breach: How to stay defensible before, during and after the incident. Alex Ricardo, CIPP/US Breach Response Services

Table of Contents. Table of Contents Chapter 1 Introduction Sample. Chapter 2 Monitoring and Quality Control... 8

Prepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014

Florida International University. Identity Theft Prevention Program. Effective beginning August 1, 2009

Privacy Legislation and Industry Security Standards

How to Prevent It What to Do If You Are a Victim

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

Information Security Policy

Common Data Breach Threats Facing Financial Institutions

National Cyber Security Month 2015: Daily Security Awareness Tips

Richard Swed. CEO- The Risk Management Group

Data Privacy and Security: A Primer for Law Firms

Responding to New Identity Theft Laws

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Computer Forensics US-CERT

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Federal Bureau of Investigation. Los Angeles Field Office Computer Crime Squad

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group Ext. 7029

$22k. Payment Card Data Breaches: What You Need to Know About Your Risk and Liability. First Data Market Insight

Ferris State University

An Introduction to Identity Theft. Letbighelptoday.com. Your Free Copy

The City of West Linn Identity Theft Prevention Program

OLYMPIC COLLEGE POLICY

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Aegis Padlock for business

HIPAA: Privacy/Info Security

Benefits of LifeLock Ultimate Plus. About LifeLock. 3 Layers of Protection DETECT ALERT RESTORE FACT SHEET LIFELOCK ULTIMATE PLUS

Cyber Exposure for Credit Unions

Managing data security and privacy risk of third-party vendors

AUTOMATED PENETRATION TESTING PRODUCTS

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

UNIVERSITY OF CALIFORNIA, MERCED Red Flag and Security Incident Reporting Policy

CITY OF MARQUETTE, MICHIGAN CITY COMMISSION POLICY

McLennan Community College

Boynton Beach Chamber Lunch. How to Deter, Defend, and Detect Identity Theft July 11, 2012

SECURITY FREEZE INFORMATION FOR KENTUCKY RESIDENTS

Transcription:

Information Security: Gone in 60 Seconds

Think Fast Identity Theft: The Next Corporate Liability Wave Corporate Counsel, March 30, 2005 Your phone rings. It s Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers. The nation s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.

The Facts

The Facts A Chronology of Data Breaches Over 223 million data records of U.S. residents have been exposed due to security breaches since January 2005. April 4, 2008 - University of California, Irvine (Irvine, CA)- 7,000 7,000 current or former graduate students could be at risk of identity thieves who already used stolen data to file fake tax returns for 93 students. Mar. 28, 2008 - Antioch University (Yellow Springs, OH) 70,000 A computer system that contained personal information on about 70,000 people was breached by an unauthorized intruder three times. The system contained the names, Social Security numbers, academic records and payroll documents for current and former students, applicants and employees. Mar. 20, 2008 - Lasell College (Newton, MA) 20,000 A hacker accessed data containing personal information on about current and former students, faculty, staff and alumni. Information included names and Social Security numbers. Mar. 17, 2008 - Binghamton University (Binghamton, NY) 300 A university employee mistakenly sent an e-mail attachment containing the names, grade point averages and Social Security numbers of junior and senior accounting students to another group of School of Management students. The Privacy Rights Clearing House http://www.privacyrights.org

The Facts

The Facts The Weakest Link From an organization s perspective, people include employees, customers, third parties, and business partners. All of these people are vital to the organization s survival and are privy to the organization s information in varying degrees through different means. As a result, all of these people represent risk. Well aware that infrastructures and perimeters have been fortified, today s sophisticated crooks no longer batter the fortress directly they take a subtler approach through its people. Deloitte 2007 Global Security Survey: The Shifting Security Paradigm

Definition of CSI Examples of Confidential and Sensitive Information Personal Information Social Security Number Social Insurance Number Birth Dates Driver s License Number Professional License Information Customer Identifiers* Financial Information Credit Card Number Card Expiration Dates Card CCV Numbers Account Numbers Credit Reports Billing Information* Business Information Federal Identification Numbers Proprietary Information Trade secrets Business Systems Pay Rates / Payroll Access Codes / Passwords* Medical Information Medical Records Doctor s Names and Claims Life, Health, Disability Insurance Policy Information * This Information may not always be classified as Sensitive Data but can be used for Social Engineering by a thief. It should still be secured.

The Facts Common Causes of Information Loss or Breach Internal Threats Poorly trained personnel Inadequate security measures Insufficient support from management Unsupervised third party providers Dishonest insiders Inadequate IT systems External Threats Hackers Organized Crime Social Engineers Customers Competitors

The Facts Six Common Forms of Identity Theft Financial Criminal Medical DMV Social Security Terrorist

Legislation, Loss, and Social Responsibility

Legislation Loss Social Responsibility Three Reasons Why Businesses Need to Safeguard Confidential and Sensitive Information. 1. Current State and Federal Legislation Requirements 2. To Limit Financial Loss and Loss of Trust 3. Social Responsibility

Legislation Loss Social Responsibility Important Federal Legislation Identity Theft Assumption and Deterrence Act Family Education Rights and Privacy Act Health Insurance Portability and Accountability Act (HIPAA): Security Rule Gramm- Leach- Bliley Act: Safeguard Rule Fair and Accurate Credit Transactions Act (FACTA) Identity Theft Red Flags Rule (Sections 114 and 315) Social Security Number Privacy Act

Legislation Loss Social Responsibility Common Law State Legislation As a fundamental principle, even before reaching theories applicable to information security, parties are generally responsible under the common law of torts to use due care in handling the information regarding gothers. 2 Businesses that do not take reasonable steps to protect information could be held civilly liable for criminal acts committed by others with the stolen information. This was the outcome of Bell v. Michigan Council 25 of the AFSCME, 2005 Mich. App. LEXUS 353(Mich. Ct. App. Feb. 15, 5005). June 2005 Electronic Banking Law and Commerce Report State Identity Theft Notification Laws To date, 39 states t have victim notification laws in place. In Illinois, i a business must notify potential victims within a reasonable period of time.

Legislation Loss Social Responsibility Financial Loss and Loss of Trust If confidential and sensitive information is lost or stolen damages go beyond government fines, penalties, and potential imprisonment. Perhaps the greatest impact to business is negative publicity and loss of trust tamong consumers. If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers! CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006

Legislation Loss Social Responsibility Calculate the Cost of a Breach By taking the time to properly prepare your business, you may calculate your savings with the following formula: Business Assets + Revenue - Liabilities - Expenses - Class Action Lawsuits - Notification fines - Monitoring Services - Crisis Management - Forensics - Federal and State Fines (depending on the law) - Attorney Fees - Bad Publicity - Jail Time = Pt Potential tilloss

Legislation Loss Social Responsibility Social Responsibility Any organization that t collects and / or retains personal, financial, medical, and business information has an ethical and a social responsibility to safeguard that information.

Workplace Requirements

Workplace Requirements Compliance Standards for the Protection of Confidential and Sensitive Information There can be safe harbor for businesses that make a reasonable effort to safeguard confidential and sensitive information. This includes: 1. The designation of an Information Security Officer. 2. A risk assessment of material internal and external risks to the security of confidential and sensitive information. 3. The design and implementation of a written Information Security Policy. 4. Employees must be trained on security policies. 5. The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program. 6. A plan for security incidents.

The information Compliance and Awareness Process

information Compliance and Awareness Process The Eight Stage - information Compliance and Awareness Process Stage One: Investigate Identity Theft, Fraud, and Information Security Risks Stage Two: Designate an Information Security Officer Stage Three: Define CSI and Information Systems Stage Four: Take Inventory of Information Assets Stage Five: Assess Risks to Information Systems Stage Six: Design an Information Security Policy Stage Seven: Implement Security Measures Stage Eight: Monitor and Evaluate Security Program

information Compliance and Awareness Process Disclaimer This information Compliance and Awareness Program (icap) does not guarantee compliance with any Federal or State t Government requirements. There is no guarantee against security incidents. This program is intended to help businesses to make a reasonable effort to reduce the likelihood of identity theft and fraud.

Thank You! Safeguarding personal, business, financial, medical information is everyone s responsibility! We are here to help. Identity Theft LOSS Prevention, LLC 7330 Turk Road Ottawa Lake, Michigan 49267 888 LOST MY ID www.idtlp.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information