
Data Breaches Preparedness (Credit Union Conference Session)

Date post: 18-Nov-2014
Upload: nafcu-services-corporation
Description:
Has your credit union considered how member relations, legal compliance and brand reputation might be affected during a data breach? In this 2012 NAFCU Technology & Security Conference session recording you will learn about the risks of data breaches and how they could impact your credit union. http://www.nafcu.org/affinion
www.affinion.com Proprietary & Confidential Data Breaches Preparedness Practical Tips for Responding presented by Christine El Eris, Product Director, Affinion Group
Transcript
Page 1: Data Breaches Preparedness (Credit Union Conference Session)

www.affinion.com Proprietary & Confidential

Data Breaches Preparedness – Practical Tips for Responding

presented by Christine El Eris, Product Director, Affinion Group

Page 2: Data Breaches Preparedness (Credit Union Conference Session)

What is a Data Breach?

A breach is defined as an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.

Page 3: Data Breaches Preparedness (Credit Union Conference Session)

Data Breaches Occur Every Day

Breaches are a daily news item

Yet many organizations, their IT, data security and senior management teams still hope: “It won’t happen to us.”

No matter how secure your web sites or data networks are, it may just be a matter of time before

– an employee loses a laptop containing critical data
– a staffer clicks on a phishing link that launches malware or lets an attacker into the company network
– a third-party supplier improperly handles your members’ data
– a hacker takes advantage of a vulnerability or security weakness of a third-party vendor or supplier

Page 4: Data Breaches Preparedness (Credit Union Conference Session)

Organizational Risks

All Sectors Are Vulnerable
– Breached entities include Corporations, Healthcare, Government, Financial, Colleges & Universities

Breaches Exposed More Data in 2011 than 2010
– According to the Identity Theft Resource Center, there were 662 breaches in 2010 identified as of 12/29/2010 affecting over 16 million records
– 2011 saw 414 reported incidents with nearly 23 million records impacted
– Complexities of the crime continue to change

Legislative Environment Increasingly Complex
– Breach notification laws now in 46 states plus District of Columbia
– Federal Trade Commission’s Red Flag rules
– State AG expectations for post-breach response
– Specter of federal regulation in the future

Increased Consumer Expectations
– Your members expect MORE than just a notification and credit monitoring when their personal data has been exposed

Page 5: Data Breaches Preparedness (Credit Union Conference Session)

Consumer Risks

Trends: Identity Theft

Consumers whose data has been exposed as the result of a data breach are four times more likely to become victims of identity fraud

New account fraud has become significantly more complicated:
– It takes more than 140 days to be detected
– And requires more than 180 days to be resolved
– And consumers incur more than $1,200 of out-of-pocket expense

Source: 2011 Javelin Strategy & Research “Identity Fraud Survey Report”

Page 6: Data Breaches Preparedness (Credit Union Conference Session)

How to Respond to a Data Breach Incident

Page 7: Data Breaches Preparedness (Credit Union Conference Session)

What NOT to Do … a Lesson from Sony

Page 8: Data Breaches Preparedness (Credit Union Conference Session)

Immediate First Steps

• Assemble your response team
– Who should be involved? How will you manage resources?
• Conduct a risk assessment
– Who is affected? Do you need to notify customers/clients/patients whose data was impacted?
• Comply with federal and state regulations
– How can you avoid fines? Will there be an investigation?
– How can you prepare for inevitable lawsuits?
– 46 states and the District of Columbia mandate notifications to impacted individuals (based on residency of breached individuals, not the organization that lost the data or where the data resided)
– Become familiar with state AG opinions on notifying consumers and providing post-incident remediation services
– Pay attention to FTC’s guidelines
– Keep your attorney included in all discussions related to the incident to protect attorney-client privilege
• Set up a call center
– What resources are required? How will you serve non-English speakers if applicable?

Page 9: Data Breaches Preparedness (Credit Union Conference Session)

Utilize Experts As Needed

• Implement a public relations/brand management strategy to manage and repair your corporate reputation
• Consider a trusted third party to manage the state-mandated notifications and provide post-incident identity protection and credit monitoring services
• Consider a trusted third party to conduct forensic analysis – even if you know what occurred, it is best to outsource this function
• Employ outside counsel who are experts on data privacy law to assist your in-house counsel
• Consider pre-contracting for each of the above services
– Saves time when an event occurs
– Enables your organization to properly perform due diligence on each partner in advance and at your own pace

Page 10: Data Breaches Preparedness (Credit Union Conference Session)

How Can Affinion Security Center Help?

Page 11: Data Breaches Preparedness (Credit Union Conference Session)

Affinion Security Center History

[Infographic with four panels: “Identity theft market leader”, “Financially strong”, “Comprehensive solutions” and “The largest multi-channel reach”. The statistics shown in each panel are not recoverable in order from the extracted text.]

Page 12: Data Breaches Preparedness (Credit Union Conference Session)

Affinion’s Product Road Map – Identity Theft Solutions

Ability to Combat a Full-Spectrum of ID Fraud Issues

• Peer-to-Peer File Exchange Networks
• Credit Monitoring with the 3 bureaus
• Internet Directories & Web
• Black Market Web and Underground Chat-Rooms
• Credit Header, Proprietary Databases
• Public Records
• Children SSN Monitoring
• Real time activity alerts; credit & non-credit
• Social Media

Evaluate ID Fraud Risks

“Deputize the Consumer” by providing him or her meaningful, actionable alerts to evaluate if fraud is occurring to stop it fast.

Concept coined by:

Page 13: Data Breaches Preparedness (Credit Union Conference Session)

ASC’s End-to-End Solution

Service areas: Incident Response Consulting; List Services; Notification Drafting & Printing; Customer Support; ID Theft Protection Services; Enrollment Options; Ongoing Support & Reporting

Service Description

• Proactive preparation
• List hygiene; De-duping; NCOA services; USPS compliance
• Drafting; Printing; Mailing
• Pre-enrollment breach FAQ support; Enrollment support; Post-enrollment remediation
• Prevention; Detection; Resolution Services*
• Full File Enrollment; VRU/Call Center; Online; USPS
• Standard or ‘a la carte’ requests

The Affinion Difference

• Established best practices leveraging experience from hundreds of breaches
• 20 individuals dedicated to limiting notification costs
• Highly scalable services to support 700 million pieces of mail annually
• Proven scale to support 40 million calls annually across 20 call centers
• Dedicated fraud resolution specialists averaging 5 years tenure per case worker
• More than 15 million consumers enrolled in ID theft protection today
• Over 1 Billion unique contacts annually through multiple channels, including dedicated VRU enrollment
• Breach team dedicated to your account offering completely customizable reporting at no additional charge

Average timeline for all enrollment options being functional is 21 days from when ASC learns of a breach

Page 14: Data Breaches Preparedness (Credit Union Conference Session)

Case Study: Top 10 FI

Positive results for the client:

• Notification process was expedited
• Proper list management and use of VRU saved the client over $1 million

Impacted Population: 4.5 Million

List Services

After a major consulting and auditing firm hired to do 'forensics' on the 60+ impacted databases had already spent weeks working on record cleansing, BreachShield stepped in.

Our team of database experts was able to scrub the files within 72 hours.

Using our NCOA and de-duping capabilities, we reduced the mailing cost to 1/4 of the amount initially expected.

Contact Center

To ensure an optimal customer experience and preserve SLA levels while managing increased call center volumes, Affinion Security Center (ASC) utilized both VRU and live agent options.

40% of callers opted for the VRU, minimizing the financial impact to the client.

Page 15: Data Breaches Preparedness (Credit Union Conference Session)

Case Study: Insurance Carrier

Impacted Population: 500,000

The Client Declined our Services

Instead, they simply mailed notification letters to the impacted population.

Facing increasing media and legal pressures, the client later offered a referral to an optional ID theft protection service on their website and via their contact center.

Less than a year later, the client faced a class-action lawsuit. A major settlement component was offering two years of ID theft protection service to the impacted population, with costs that were much greater than Affinion Security Center’s initial price quote.

A proactive and thorough response plan would have:

1) Protected their brand from negative PR

2) Significantly reduced costs

3) Provided a robust solution to the affected population

Page 16: Data Breaches Preparedness (Credit Union Conference Session)

Case Study: Entertainment Company

Flexibility to Meet Diverse Needs

An entertainment company had a breach that affected more than 50 million individual customers. While the company was pre-contracted within the US with another provider, they found that provider inadequate for international needs.

Starting from scratch, Affinion Security Center was able to create a solution for 10 million impacted users in less than 30 days.

Positive Result for the Client:

Media scrutiny was significantly lessened overseas.

Impacted Population: 50 Million

Page 17: Data Breaches Preparedness (Credit Union Conference Session)

A Trusted Resource

This publication includes:

• Data breach facts and terms
• Explanations of breach notification laws
• Suggested incident response action plan
• Sample customer notifications

www.nafcu.org/affinion

