
Privacy and Information Security



Presentation Transcript

  1. Privacy and Information Security

  2. Privacy and Information Security: Laws and Regulations • Susan Freund, Managing Director, Larrimer Associates, Inc.

  3. Laws Governing Data Breach • Consumer Financial Privacy and Regulation S-P • The FACT Act Consumer Report Disposal Rule • State Data Breach Notification Laws

  4. Regulation S-P • Safeguard Rules • Written Policies and Procedures • Ensure the security of customer information • Protect against threats • Protect against unauthorized access

  5. The FACT Act • Consumer Report Disposal Rule • Proper disposal of customer information must be done in a way that protects against unauthorized access

  6. State Data Breach Notification Laws • Who must comply? • What is Personal Information? • What Constitutes a Breach? • What Data is Covered? • When should Notice be Made? • Other Requirements

  7. Who Must Comply? • “any person or company that acquires, maintains, handles, collects, disseminates, owns, licenses, sells, or otherwise deals with nonpublic information.”

  8. What is Personal Information? • Name in combination with at least one other data element, such as social security number, medical information, credit card number, password, etc.

  9. What Constitutes a Breach? • Unlawful and unauthorized acquisition of personal information

  10. What Data is Covered? • Computerized and electronic data • Trend is to include notification obligation to non-electronic documents as well

  11. When should notice be made? • “the most expedient time possible and without unreasonable delay”

  12. Encryption Safe Harbor • Law Enforcement Delay: delay if notification would impede a criminal investigation • Substitute Notice: substitute notice permitted when costs exceed $250,000 or more than 500,000 people are affected

  13. Cases Involving Security Breaches • Stephen Bauman • LPL Financial • Commonwealth Financial Network

  14. Privacy and Information Security: Internal Risks and Best Practices • Nick Nichols, Executive Vice President, Venio LLC

  15. Security Management Challenges • Hyper-Extended/Borderless Environments • Combination of Human/Business/Technical Factors • Escalating threats • Who/How and What of Data Breaches

  16. Hyper-Extended Enterprises* • Extreme levels of connectivity and info exchange • Shareholders, brokers, banks, lawyers… • Digital information growth to increase 5-fold (IDC, May 09) • Powered by new web and communication strategies • Nearly 75% of the workforce will be mobile by 2011 (BNET, Feb 09) • Social networks? Facebook to exceed 300m users by Y/E (All Facebook, Feb 09) * Source: RSA/EMC

  17. Hyper-Extended Enterprises* • Integrates a vast array of third-party technology • Cloud Computing (e.g., virtual servers and web-based applications) to capture 25% of IT spending growth by 2012 (IDC, Feb 09) • Companies to virtualize 34% of servers (Network World, Feb 09) • 25%+ of Global 1,000 IT jobs to move offshore by 2010 (CIO, Dec 08) • Anybody know Vasyl Smyrnov? * Source: RSA/EMC

  18. Human/Business/Technical Factors • Human • Lack of security culture and training • Different Perceptions of Risk • Business • Risk-versus-reward; Security is expenses driven • Need to compete in an open complex environment • Technical • Need to balance ‘enabling’ and securing an organization

  19. Escalating threats • Cyber attacks have surged 322%* • 40% of all data lost in a security breach is private consumer information ** • A 585% spike in malicious anti-malware*** • Compromised PCs rose 66% to over 12 million** * McAfee 2009 ** Anti-Phishing Working Group 1H 2009 *** Websense Q1-Q2 2009

  20. Escalating threats (cont.) • Banking Trojan/password-stealing crimeware detected rose 186%* • 95% of comments in chat rooms are spam/malicious** • 87.7% of email messages were spam** * Anti-Phishing Working Group 1H 2009 ** Websense Q1-Q2 2009

  21. Who is behind data breaches? • 74% resulted from external sources • 20% were caused by insiders • 32% implicated business partners • 39% involved multiple parties * Verizon 2009 DBIR report

  22. How do breaches occur? • 67% were aided by significant errors in security • 64% resulted from hacking • 38% utilized malware • 22% involved privilege misuse • 9% occurred via physical attacks * Verizon 2009 DBIR report

  23. What needs to be done? • Encrypt EVERYTHING • Incorporate security into business strategy decisions • Ensure essential controls are met • Collect and monitor event logs • Audit user accounts and credentials • Test and review web applications
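Two of the items on the slide above, collecting and monitoring event logs and auditing user accounts and credentials, are easy to state and easy to do badly. The block below is an added editorial example, not material from the presentation or from any of the speakers' firms: it runs a minimal account audit and a minimal log review over constructed data. The account inventory, the HR "employed" flag, the log line format, and the thresholds (90 idle days, 5 failures in 60 seconds) are all assumptions chosen for illustration; a real audit would pull these from the directory, the HR system and the authentication logs.

```python
"""Account and event-log audit over constructed sample data.

Added example (not from the presentation): one concrete shape the
'collect and monitor event logs' and 'audit user accounts and credentials'
items can take. Inventory fields, log format and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed directory export plus an HR flag for whether the person still works here.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "employed": True,
     "last_login": "2009-09-10", "pw_expires": True},
    {"user": "mjones", "enabled": True, "employed": False,   # left the firm, never disabled
     "last_login": "2009-03-01", "pw_expires": True},
    {"user": "svc_backup", "enabled": True, "employed": True,
     "last_login": "2009-09-12", "pw_expires": False},      # service account, static password
    {"user": "tlee", "enabled": True, "employed": True,
     "last_login": "2008-11-20", "pw_expires": True},       # dormant
    {"user": "contractor1", "enabled": False, "employed": False,
     "last_login": "2009-01-05", "pw_expires": True},       # correctly disabled
]

# Constructed authentication log, one event per line (the format is an assumption).
AUTH_LOG = """\
2009-09-14T08:01:12 AUTH_FAIL user=jsmith src=10.0.0.5
2009-09-14T08:01:15 AUTH_FAIL user=jsmith src=10.0.0.5
2009-09-14T08:01:19 AUTH_FAIL user=jsmith src=10.0.0.5
2009-09-14T08:01:22 AUTH_FAIL user=jsmith src=10.0.0.5
2009-09-14T08:01:25 AUTH_FAIL user=jsmith src=10.0.0.5
2009-09-14T08:01:40 AUTH_OK user=jsmith src=10.0.0.5
2009-09-14T09:15:03 AUTH_OK user=mjones src=203.0.113.7
2009-09-14T10:02:44 AUTH_OK user=svc_backup src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def audit_accounts(accounts, as_of, dormant_days=90):
    """Return (user, finding) pairs for enabled accounts that belong to departed
    staff, have not logged in for dormant_days, or never rotate their password.
    as_of is a YYYY-MM-DD string so the audit is reproducible on a fixed date."""
    as_of = datetime.strptime(as_of, "%Y-%m-%d")
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled is the desired end state; nothing to flag
        if not acct["employed"]:
            findings.append((acct["user"], "enabled account for departed user"))
        idle = (as_of - datetime.strptime(acct["last_login"], "%Y-%m-%d")).days
        if idle > dormant_days:
            findings.append((acct["user"], f"dormant: no login in {idle} days"))
        if not acct["pw_expires"]:
            findings.append((acct["user"], "password never expires"))
    return findings


def review_log(log_text, accounts, threshold=5, window=timedelta(seconds=60)):
    """Return (user, src, alert) triples: a failure burst per (user, source),
    a success right after such a burst, and any success by an account that
    the inventory says should not be able to log in at all."""
    inventory = {a["user"]: a for a in accounts}
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real collector would count these too
        ts = datetime.fromisoformat(m["ts"])
        recent = failures[(m["user"], m["src"])]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the sliding window
        if m["event"] == "AUTH_FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the burst forms
                alerts.append((m["user"], m["src"],
                               f"{threshold} failures within {int(window.total_seconds())}s"))
        else:
            acct = inventory.get(m["user"])
            if acct is None or not acct["enabled"] or not acct["employed"]:
                alerts.append((m["user"], m["src"],
                               "successful login by unknown, disabled or departed account"))
            if len(recent) >= threshold:
                alerts.append((m["user"], m["src"], "success after failure burst"))
    return alerts


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, "2009-09-14"):
        print(f"ACCOUNT {user}: {finding}")
    for user, src, alert in review_log(AUTH_LOG, ACCOUNTS):
        print(f"LOG {user}@{src}: {alert}")
```

The two halves deliberately share the inventory: the log review only knows that mjones should not be logging in because the account audit's HR flag is joined against the log, which is the point of doing both rather than either alone. Thresholds are illustrative; tune them to the environment's own baseline rather than copying these values.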

  24. Oh…one more thing! INVEST • 71% of IT directors believe there is some chance of a serious security breach* • 70% had to freeze or cut their security budgets this year* * McAfee 2009 SMB survey

  25. Privacy and Information Security: Vendor Due Diligence • Joe Kardek, Chief Technology Officer, Dodge and Cox

  26. Vendor Expectations for Protection of NPI • The cost of a data breach rose to $202 for each compromised record last year, an increase of 2.5% over 2007. • Average expense to an organization was $6.6M in direct and indirect costs, which includes the cost of notifying victims and maintaining information hot lines as well as legal, investigative and administrative expenses. • The vast majority of data breaches were caused by negligence. • Portable storage devices, including laptops, are responsible for the growing number of breaches. • Many data breaches are caused by third party providers, including contractors, consultants and business partners – approximately 44% up from 40% in 2007. • **Source: Ponemon Institute Annual Survey

  27. What should you know about your Vendors? • What are our vendors’ data breach procedures? • Have we protected our organization and our shareholders in contracts with vendors? • Data transportation, storage and handling • Workspace requirements • Insurance considerations

  28. Vendor data breach procedures • Do they have a documented procedure? • Does it have timeframes and escalation steps, and do they meet State timeframes? • Does it include Vendor “C” level executives?

  29. Data Transportation, Storage and Handling • Ensure secured methods of file transfer are leveraged between: • You and your Vendors • Your Vendors and THEIR Vendors • Internally on your Vendor’s network (multiple offices? Remote employees?) • How is data stored/protected on your Vendor’s network? • Encryption “at rest” (Servers/Laptops/PCs) and “in motion” (data traveling across the network) • Established security solutions in place (e.g. RSA, McAfee, Symantec, etc) • Firewalls, Intrusion Prevention, etc.

  30. Data Transportation, Storage and Handling • Safe data handling processes that extend beyond the “techies” • Employee training for safe handling of data • Limitations of what can be printed, scan/shred processes where possible • Surveillance in “paper intensive” areas • Third party attestations: • Are they comprehensive (e.g. SAS 70 Type II, ISO certification) and done by accredited firm? • What services do they cover? • What locations do they cover?

  31. Workspace Requirements • If it’s required of you, consider it for your vendors • Secured offices • Building access • Office access • Server room (limited access) • Monitoring of entry points • Use of external storage drives and handheld devices • Lock down USB ports (“thumb drives”) • Ensure confidential data cannot be accessed by PDAs • Limited access to external messaging • External POP email access (Yahoo, Gmail, etc.) • Instant Messaging (AOL, Trillian, etc.)

  32. Insurance Considerations – The gaps • Commercial General Liability Insurance: Typically covers bodily injury and damage to “tangible” property. Data and software are considered to be “intangible.” • Fidelity/Crime Insurance: Typically provides coverage to the organization for losses resulting from the theft of money, securities and “other tangible property.” Information theft is not covered under a standard fidelity bond. “Other property” does not include proprietary information, confidential information or copyrights, trademarks, etc. • Professional E&O: Typically only covers financial loss arising out of professional services to others. Computer attacks do not fall within “professional services,” and some E&O policies exclude coverage caused by “unauthorized access.” • Technology E&O: Covers only financial loss arising out of technology services performed for others. If negligence leads to a breach, coverage would apply. However, if an employee commits an intentional act or an outside hacker causes a financial loss, no coverage would apply under a typical technology E&O policy. * Most Technology E&O policies can be extended to cover network security and privacy related exposures.

  33. Insurance Considerations – What should I Require? • Request E&O to include network security/privacy coverage • Be specific! Some Technology E&O policies have security/privacy exclusions • Cyber Liability – what you need, what your vendor needs: • Policies must cover THIRD PARTY data! • Non-network Privacy Breaches: What happens if a breach does not arise out of a failure of security of your computer system? e.g. paper, PDAs, lost data tapes. • Regulatory Defense Expenses: Defense costs involved with a regulatory proceeding, a request for information, suit or civil investigation by or on behalf of a government agency arising from allegations of violation of a privacy regulation. • Notification Expenses: Costs to notify your clients of privacy breaches. • Credit Monitoring Expenses: Costs to provide your clients with credit monitoring services as a result of a privacy violation, if you have the duty to provide it. • Crisis Management Expenses: Reasonable and necessary expenses incurred by you in retaining a public relations firm or law firm for advertising/communications to assist with mitigating harm to your reputation.

  34. Summary • Ask questions! • Get documentation/proof of coverage, policies, audits, etc • Make site visits!
