Posted: 06-Aug-2015 | Category: Technology | Uploaded by: resilient-systems
A Comprehensive Approach to Breach Resolution
Treating a Breach as a Customer – Not a Compliance Issue
Page 2
Follow us on @Experian_DBR
Agenda
• Common Pitfalls to Avoid
• Consequences of Mishandling a Breach
• Why You Should Treat a Breach like a Customer – Not a Legal Requirement
• Co3 Systems + Experian = A Holistic Approach
Page 3
Introductions: Today’s Speakers
• Michael Bruemmer, Vice President, Data Breach Resolution
• Bob Krenek, Senior Director, Data Breach Resolution
• Gant Redmon, Vice President, Business Development
Page 4
The complete process – based on E.R. standards

PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)

ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Page 5
Experian® Data Breach Resolution
• We operate and thrive in the most regulated environment: all of the regulations of the Bureau, Federal statutes and 46 State laws
• We have serviced more breaches than all other providers combined: over 7,000 incidents in the last decade
• We exceed the highest compliance standards: PCI Level 1, SSAE 16, HIPAA-HITECH
• We are a market innovator in Breach Resolution:
  – First entire family ‘in one’ product – 2006
  – First mobile app – 2012
  – First lifetime full restoration product – 2012
Page 6
Common Pitfalls to Avoid
• IT security too lax to detect a breach
• Not hiring privacy counsel
• Sending poorly written “form letters/emails” that anger or confuse the breach population
• Not setting up a call center, or not having enough staff to handle calls
• Not providing identity protection, or not providing adequate identity protection
Page 7
Many Breaches Go Undetected for Months

Timespan of each phase, as a percentage of breaches (chart legend: Compromise = yellow, Discovery = green, Containment = blue):

Phase         Seconds  Minutes  Hours  Days  Weeks  Months  Years
Compromise      60%      13%     11%   13%    2%     1%     0%
Discovery        9%       1%      0%   11%   12%    62%     4%
Containment     18%       2%      2%   41%   14%    22%     0%

It can take months for an organization to realize that it has a breach, but once the breach is discovered, the majority of organizations contain it within days or weeks.
Source: 2013 Data Breach Investigations Report, Verizon
Page 8
Bleak Report Card
Are Notifications Easy to Understand?
• FY 2005: Yes 48%, No 52%
• FY 2012: Yes 39%, No 61%
Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012
Page 9
Consequences of Mishandling a Breach
• Financial Devastation
• Loss of Reputation
• Loss of Customers and Business Partners
• Class Action Lawsuits
Page 10
Financial Devastation
Average Cost of a Data Breach Per Country
• United States: $5.4 million
• Germany: $4.8 million
• Australia: $4.1 million
Source: 2013 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2013
Page 11
Harsher Fines for Healthcare Organizations
HIPAA Omnibus Rule Increases Penalties for Repeat Offenders
• Even first-time violators face fines of up to $50,000 per violation
• Repeated violations of the same provision are capped at $1.5 million per calendar year, a devastating fine for repeat offenders
Source: U.S. Department of Health and Human Services, Federal Register, January 2013
Page 13
Loss of Reputation
Negative Public Opinion Worrisome
• 75% of respondents had or expect to have a material data breach resulting in negative public opinion, blog posts and media reports
Source: Is Your Company Ready for a Big Data Breach?, Ponemon Institute, April 2013
Page 14
Loss of Business
Number 1 Concern: Loss of Customers and Business Partners
• 76% of respondents had or expect to have a material data breach that results in the loss of customers and business associates
Source: Is Your Company Ready for a Big Data Breach?, Ponemon Institute, April 2013
Page 15
Class Action Lawsuits
• Surge in class action lawsuits expected next year
  – Judges continue to side with plaintiffs that file class action suits
• Handle a breach correctly and take care of your consumers
  – Avoid getting sued
Source: 2014 Data Breach Forecast, Experian Data Breach Resolution, December 2013
Page 16
Treat Your Breach Like a Customer – Not a Legal Requirement
• Putting your customers first pays off in the end
• Detailed breach notices
• Identity protection and credit monitoring for all
• Reassure customers, patients, employees
Page 17
New Normal for Breach Response
Plan Ahead, Organization, Execution: questions to answer before the breach
• Who will handle notifications?
• Need a call center?
• Have adequate identity protection lined up?
• Have a response plan?
• Have software to track tasks and responsibilities?
• Have you tested your plan?
• Have a resolution provider?
• What about privacy attorneys and forensic consultants: who will you call?
Put Yourself in Your Consumers’ Shoes
Page 18
Breach Notices
Are organizations doing a good job with notifications? NO
• 72% of consumers in a recent study were disappointed in the way their notification was handled.
• Only 28% of respondents believe their organization did a good job in communicating and handling the breach.
Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012
Page 19
Breach Notices
Reason for disappointment with notifications
• The main reason boils down to what is stated, or not stated, in the notification
• Notifications don’t say what happened
• 37% of respondents had no idea what the breach was about, despite receiving a notification
Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012
Page 20
Identity Protection & Credit Monitoring
You must protect your consumers… Besides, they expect it.
• 58% of respondents believe an organization should provide identity protection solutions
• 55% of respondents believe an organization should provide credit monitoring services
Following a data breach: 1 in 4 (25%) data breach letter recipients became a victim of identity theft last year
Sources: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012; 2013 Identity Fraud Report, Javelin Strategy & Research, February 2013
Page 21
Identity Protection & Credit Monitoring
Cover every demographic
• Many identity theft and credit monitoring services can only monitor adults with a credit history
• Yet breached companies often have customers with small children or young adults with no credit history
• Children have a 51% higher chance of becoming a victim of identity theft than adults
Source: Child Identity Theft, Carnegie Mellon CyLab, 2013
Page 22
Reassure Your Consumers
Be PROACTIVE. Reach out to customers, patients & employees.
• In addition to notifications and identity protection/credit monitoring, take it one step further:
  – Establish a call center
  – Set up a website to answer FAQs and to keep consumers informed
  – Hold a press conference
Page 24
Co3 Systems + Experian = Holistic Approach
• Co3 Systems & Experian form partnership
• Co3 helps organizations automate their response
• Experian helps organizations with execution
• Consumer-centric approach
Page 25
The Co3 Systems & Experian Partnership
Co3 Systems:
• Provides software to help automate the steps needed to respond to a breach
• Helps track tasks, assign responsibilities and generate analytical reports
Experian Data Breach Resolution:
• Provides identity protection & credit monitoring
• Sends notifications to the breach population
• Establishes U.S.-based call centers & provides Certified Fraud Resolution Agents to help victims of identity theft
• Scrubs addresses from the world’s largest credit bureau*
* Source: IBIS World Industry Report 56145, Credit Bureaus & Rating Agencies in US, March 2013
Page 26
The Co3 Systems & Experian Partnership
Our partnership will benefit your customers
Cater to your customers, patients, or employees
• Less likely to call the media
• Avoid litigation
• Competitors
Co3 Systems
One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.” GARTNER
“Platform is comprehensive, user friendly, and very well designed.” PONEMON INSTITUTE
“One of the hottest products at RSA…” NETWORK WORLD, FEBRUARY 2013

Experian Data Breach Resolution contacts
Michael Bruemmer, Vice President, Data Breach Resolution, (949) 294-8886
Bob Krenek, Senior Director, Data Breach Resolution, (678) 965-8857