Date post: 18-Nov-2014
Category: Economy & Finance
Upload: nafcu-services-corporation
www.affinion.com Proprietary & Confidential
Data Breaches Preparedness – Practical Tips for Responding
presented by Christine El Eris, Product Director, Affinion Group
2 www.affinion.com
Presentation
Prepared
For
What is a Data Breach?
A breach is defined as an event in which an individual name plus
Social Security Number (SSN), driver’s license number, medical
record or a financial record/credit/debit card is potentially put at
risk – either in electronic or paper format.
Data Breaches Occur Every Day
Breaches are a daily news item
Yet many organizations, their IT, data security and senior management teams still hope:
“It won’t happen to us.”
No matter how secure your web sites or data networks are, it may just be a matter of time before
– an employee loses a laptop containing critical data
– a staffer clicks on a phishing link that launches malware or lets an attacker into the company network
– a third-party supplier improperly handles your members’ data
– a hacker takes advantage of a vulnerability or security weakness of a third-party vendor or supplier
Organizational Risks
All Sectors Are Vulnerable
Breached entities include Corporations, Healthcare, Government, Financial, Colleges & Universities
Breaches Exposed More Data in 2011 than 2010
According to the Identity Theft Resource Center, there were 662 breaches in 2010 identified as of 12/29/2010 affecting over 16 million records
2011 saw 414 reported incidents with nearly 23 million records impacted
Complexities of the crime continue to change
Legislative Environment Increasingly Complex
Breach notification laws now in 46 states plus District of Columbia
Federal Trade Commission’s Red Flag rules
State AG expectations for post-breach response
Specter of federal regulation in the future
Increased Consumer Expectations
Your members expect MORE than just a notification and credit monitoring when their personal data has been exposed
Trends: Identity Theft
Consumers whose data has been exposed as the result of a data breach are
four times more likely to become victims of identity fraud
New account fraud has become significantly more complicated:
It takes more than 140 days to be detected
And requires more than 180 days to be resolved
And consumers incur more than $1,200 of out-of-pocket expense
Source: 2011 Javelin Strategy & Research “Identity Fraud Survey Report”
Consumer Risks
How to Respond to a Data Breach Incident
What NOT to Do … a Lesson from Sony
Immediate First Steps
• Assemble your response team
– Who should be involved? How will you manage resources?
• Conduct a risk assessment
– Who is affected? Do you need to notify customers/clients/patients whose data was impacted?
• Comply with federal and state regulations
– How can you avoid fines? Will there be an investigation?
– How can you prepare for inevitable lawsuits?
– 46 states and the District of Columbia mandate notifications to impacted individuals (based on residency of breached individuals, not the organization who lost the data or where the data resided)
– Become familiar with state AG opinions on notifying consumers and providing post-incident remediation services
– Pay attention to FTC’s guidelines
– Keep your attorney included in all discussions related to the incident to protect attorney-client privilege
• Set up a call center
– What resources are required? How will you serve non-English speakers if applicable?
Utilize Experts As Needed
• Implement a public relations/brand management strategy to manage and repair your corporate reputation
• Consider a trusted third-party to manage the state-mandated notifications and provide post-incident identity protection and credit monitoring services
• Consider a trusted third-party to conduct forensic analysis – even if you know what occurred, it is best to out-source this function
• Employ outside counsel who are experts on data privacy law to assist your in-house counsel
• Consider pre-contracting for each of the above services
– Saves time when an event occurs
– Enables your organization to properly perform due diligence on each partner in advance and at your own pace
How Can Affinion Security Center Help?
Affinion Security Center History
[Infographic. Panel titles: Identity theft market leader; Financially strong; Comprehensive solutions; The largest multi-channel reach. Text recovered from the panels:]
• #1 provider of identity theft services
• 15 million identities protected
• FCRA- and MAGIC-certified staff using well-defined policies and fraud resolution procedures
• 5 years average tenure of our caseworkers
• 15 years average tenure for team leaders
• Siebel CRM with automated workflow used for case management and reporting
• 200 configurations of benefits supported
• $25+ million invested in product development, servicing and testing of benefits in the last year alone
• Next Gen solutions empowering consumers to prevent, detect and resolve fraud
• Cited by Inc. Magazine as one of the fastest growing private companies
• Scalable platform to accommodate future growth
• 24% increase in profitability over the last 5 years
• $164+ million in cash at year-end
• $1.4 billion in 2010 revenue
• 1 billion unique contacts made annually
• 16 countries around the world
• True multi-channel through direct mail, in-branch, online, telephony
[Fragments whose pairing is not recoverable: “35+ years”; “More than”; “Marketing in”; “reach”; “18+ Million”; “customers offered breach remediation solutions”]
Affinion’s Product Road Map – Identity Theft Solutions
Ability to Combat a Full-Spectrum of ID Fraud Issues
• Peer-to-Peer File Exchange Networks
• Credit Monitoring with the 3 bureaus
• Internet Directories & Web
• Black Market Web and Underground Chat-Rooms
• Credit Header, Proprietary Databases
• Public Records
• Children SSN Monitoring
• Real time activity alerts; credit & non-credit
• Social Media
Evaluate ID Fraud Risks
“Deputize the Consumer” by providing him or her meaningful, actionable alerts to evaluate if fraud is occurring to stop it fast.
Concept coined by:
ASC’s End-to-End Solution
Service Description
• Incident Response Consulting
– Proactive preparation
• List Services
– List hygiene
– De-duping
– NCOA services
– USPS compliance
• Notification Drafting & Printing
– Drafting
– Printing
– Mailing
• Customer Support
– Pre-enrollment breach FAQ support
– Enrollment support
– Post-enrollment remediation
• ID Theft Protection Services
– Prevention
– Detection
– Resolution Services*
• Enrollment Options
– Full File Enrollment
– VRU/Call Center
– Online
– USPS
• Ongoing Support & Reporting
– Standard or ‘a la carte’ requests
The Affinion Difference
• Established best practices leveraging experience from hundreds of breaches
• 20 individuals dedicated to limiting notification costs
• Highly scalable services to support 700 million pieces of mail annually
• Proven scale to support 40 million calls annually across 20 call centers
• Dedicated fraud resolution specialists averaging 5 years tenure per case worker
• More than 15 million consumers enrolled in ID theft protection today
• Over 1 Billion unique contacts annually through multiple channels, including dedicated VRU enrollment
• Breach team dedicated to your account offering completely customizable reporting at no additional charge
Average timeline for all enrollment options being functional is 21 days from when ASC learns of a breach
Case Study: Top 10 FI
Positive results for the client:
• Notification process was expedited
• Proper list management and use of VRU saved the client over $1 million
Impacted Population: 4.5 Million
List Services
After a major consulting and auditing firm hired to do 'forensics' on the 60+ impacted databases had already spent weeks working on record cleansing, BreachShield stepped in.
Our team of database experts was able to scrub the files within 72 hours.
Using our NCOA and de-duping capabilities, we reduced the mailing cost to 1/4 of the amount initially expected.
Contact Center
To ensure an optimal customer experience and preserve SLA levels while managing increased call center volumes, Affinion Security Center (ASC) utilized both VRU and live agent options.
40% of callers opted for the VRU, minimizing the financial impact to the client.
Case Study: Insurance Carrier
Impacted Population: 500,000
The Client Declined our Services
Instead, they simply mailed notification letters to the impacted population.
Facing increasing media and legal pressures, the client later offered a referral to an optional ID theft protection service on their website and via their contact center.
Less than a year later, the client faced a class-action lawsuit. A major settlement component was offering two years of ID theft protection service to the impacted population, with costs that were much greater than Affinion Security Center’s initial price quote.
A proactive and thorough response plan would have:
1) Protected their brand from negative PR
2) Significantly reduced costs
3) Provided a robust solution to the affected population
Case Study: Entertainment Company
Flexibility to Meet Diverse Needs
An entertainment company had a breach that affected more than 50 million individual customers. While the company was pre-contracted within the US with another provider, they found that provider inadequate for international needs.
Starting from scratch, Affinion Security Center was able to create a solution for 10 million impacted users in less than 30 days.
Positive Result for the Client:
Media scrutiny was significantly lessened overseas.
Impacted Population: 50 Million
A Trusted Resource
This publication includes:
• Data breach facts and terms
• Explanations of breach notification laws
• Suggested incident response action plan
• Sample customer notifications
www.nafcu.org/affinion