How Good Privacy Practices can help prepare for a Data Breach from TRUSTe
Transcript of How Good Privacy Practices can help prepare for a Data Breach from TRUSTe
Slide 1 (Privacy Insight Series)
How Good Privacy Practices Can Help Prepare for a Data Breach
August 13, 2015
Slide 2
Today's Speakers
• Dr Larry Ponemon, Chairman & Founder, Ponemon Institute
• Joanne Furtsch, Director of Product Policy, TRUSTe
• Mary Westberg, Senior Compliance Paralegal, SanDisk Corporation
Slide 3
Is Your Company Ready for a Big Data Breach?
Dr Larry Ponemon, Chairman and Founder of the Ponemon Institute
Research study sponsored by Experian® Data Breach Resolution
Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness
Slide 5
About Ponemon Institute
The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO's Government & Public Affairs Committee of the Board.
The Institute has assembled more than 60 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
The majority of active participants are privacy or information security leaders.
August 13, 2015 Ponemon Institute© Private and Confidential 5
Slide 6
In this study we surveyed 14,639 executives located in the United States about how prepared they think their companies are to respond to a data breach. Screening and failed reliability checks removed 48 surveys. The final sample was 567 surveys (or a 3.9 percent response rate).

Sample response                Freq     Pct%
Sampling frame                 14,639   100.0%
Total returns                  615      4.2%
Rejected or screened surveys   48       0.3%
Final sample                   567      3.9%
Slide 7
Current trends in data breach preparedness
• More companies have data breach response plans and teams in place.
• Data breaches have increased in frequency.
• Most companies have privacy and data protection awareness programs.
• Data breach or cyber insurance policies are becoming a more important part of a company's preparedness plans.
• There was very little change in the training of customer service personnel.
Slide 8
Data breach and the current state of preparedness
Slide 9
Most respondents believe their companies are not able to deal with the consequences of a data breach
[Chart: Unsure, Disagree and Strongly disagree responses (0-80% axis) to each of the four statements below. The extracted values are 19%, 29%, 30%, 27%, 18%, 20%, 23%, 21%, 12%, 13%, 14% and 20%; which value belongs to which statement and response category cannot be recovered from the transcript.]
• My organization is prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators
• My organization is prepared to respond to a data breach involving business confidential information and intellectual property
• My organization understands what needs to be done following a material data breach to prevent the loss of customers' and business partners' trust and confidence
• My organization understands what needs to be done following a material data breach to prevent negative public opinion, blog posts and media reports
Slide 10
Barriers to effective data breach response
Slide 11
How effective is the development and execution of a data breach response plan?
Very effective        9%
Effective            21%
Somewhat effective   23%
Not effective        30%
Unsure               17%
Slide 12
How often does the company review and update the data breach response plan?
We have not reviewed or updated since the plan was put in place   37%
No set time period for reviewing and updating the plan            41%
Once each year                                                    14%
Twice per year                                                     5%
Each quarter                                                       3%
Slide 13
How are the board of directors, chairman and CEO involved? (More than one response permitted)
They approve funds and resources for data breach response efforts                                      50%
They participate in a high level review of the data breach response plan in place                      45%
They have requested to be notified ASAP if a material data breach occurs                               36%
They participate in a high level review of the organization's data protection and privacy practices    18%
Other                                                                                                   2%
Slide 14
Do you have training programs for employees handling sensitive personal information, and do you have training programs for customer service personnel?
Privacy/data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information: Yes 54%, No 43%, Unsure 3%
Customer service personnel trained on how to respond to questions about a data breach incident: Yes 34%, No 49%, Unsure 17%
Slide 15
The primary person/function to manage the data breach response team
No one person/department has been designated to manage data breach response   21%
Chief Information Security Officer                                             21%
Compliance Officer                                                             12%
Head of Business Continuity Management                                         10%
Chief Information Officer                                                       8%
Chief Risk Officer                                                              6%
Chief Security Officer                                                          6%
Head of PR and communications                                                   5%
General Counsel                                                                 5%
Chief Privacy Officer                                                           4%
Human Resources                                                                 2%
Slide 16
Technical security considerations
Slide 17
Barriers to improving the ability of IT security to respond to a data breach (Two responses permitted)
Lack of visibility into end-user access of sensitive and confidential information   56%
Proliferation of mobile devices and cloud services                                  43%
Third party access to or management of data                                         40%
Lack of expertise                                                                   23%
Lack of investment in much needed technologies                                      21%
Lack of C-suite support                                                             15%
None of the above                                                                    2%
Slide 18
Technologies in place to quickly detect a data breach (More than one response permitted)
Anti-virus                                    89%
Intrusion prevention systems                  54%
Mobile Device Management (MDM)                34%
Security Incident & Event Management          31%
Analysis of netflow or packet captures        25%
None of the above                              5%
Slide 19
Frequency for monitoring information systems for unusual or anomalous traffic
Continuous monitoring   20%
Daily                   21%
Weekly                   8%
Monthly                  4%
Quarterly                2%
Annually                 1%
Never                   28%
Unsure                  16%
Slide 20
How data breach preparedness can be improved
Slide 21
How could the data breach response plan become more effective? (More than one response permitted)
Conduct more fire drills to practice data breach response                                                   77%
More participation and oversight from senior executives                                                     70%
A budget dedicated to data breach preparedness                                                              69%
Individuals with a high level of expertise in security assigned to the team                                 63%
Individuals with a high level of expertise in compliance with privacy, data protection laws and regulations 45%
Other                                                                                                        2%
Slide 22
The best approach to keep customers and maintain reputation
Free identity theft protection and credit monitoring services                          45%
Access to a call center to respond to their concerns and provide information           17%
Gift cards                                                                             13%
Discounts on products or services                                                      13%
None of the above would make a difference                                               9%
A sincere and personal apology (not a generic notification)                             3%
Slide 23
Conclusion
• Incident response plans should undergo frequent reviews and reflect the current security risks facing the company.
• Risk assessments should be conducted to ensure the appropriate technologies are in place to prevent and detect a data breach.
• The board of directors, CEO and chairman should play an active role in helping their companies prepare for and respond to a data breach. This includes briefings on the security posture of the company and a review of the incident response plan.
• Employees should receive training on the importance of safeguarding sensitive data, especially customer information. Call center employees should become skilled at answering customers' questions about the privacy and security practices of the company as well as explaining what the company is doing in the aftermath of a data breach.
• Accountability and responsibility for data breach response should be clearly defined and not dispersed throughout the company. Cross-functional teams that include the expertise necessary to respond to a data breach should be part of the incident response planning process.
Slide 24
Privacy Best Practices to Mitigate Risk/Damage from Data Breach
Joanne Furtsch, Director of Product Policy, TRUSTe
Slide 25
Data breach prevention starts with strong data privacy management policies and processes
• Data Privacy Office
• Incident Response Plan
• Collection Limitation
• Policy Management
• Vendor Management
• Employee Training
Slide 26
Develop & practice incident response plan
It's not a matter of if, it's a matter of when
• Identify cross functional team members and clearly define roles
• Involve senior management
• Practice, practice, practice: practice increases response effectiveness
  – At least 1-2 times annually
  – When a new team member joins the response team
• Include public relations crisis management and a front line customer response plan
• Identify who needs to be notified and when
• Develop communication templates
  – Understand requirements before the breach happens
• Review and update your organization's plan at least annually
Slide 27
Collection Limitation
Limit information collection to what is necessary to fulfill business purposes
• Understand what information your organization has
  – Conduct a data inventory
  – Assess where the information goes, who has access to it, and how long the information is retained
• Data classification
  – Classify information based on level of sensitivity and business impact if that data is breached
• Assess whether the information is required in order to meet business goals
Slide 28
Collection Limitation
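The data inventory and classification steps on the Collection Limitation slides can be partly automated. The Python sketch below is an added example, not code from the webinar, TRUSTe or Ponemon; the field names, the detectors, the three-tier classification, the purpose-to-field mapping and the retention periods are all assumptions made for illustration. It scans constructed customer records, rates each field by the most sensitive value seen in it, and separates the three outcomes a collection-limitation review produces: keep, purge expired records, or stop collecting the field altogether.

```python
"""Data inventory and classification pass (added example; not code from the webinar,
TRUSTe or Ponemon). It walks constructed customer records, detects the personal-data
types it knows about, rates each field's sensitivity and breach impact, and flags
fields that the stated business purpose does not need or that are past retention.
Field names, detectors, tiers, purpose mapping and retention periods are all
assumptions made for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed detectors for a few personal-data types. Real inventories need more
# (names, addresses, free text) and usually sample columns rather than every row.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
US_SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")

# Assumed sensitivity tiers: a higher number means greater impact if breached.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = 0, 1, 2, 3
TIER_NAMES = {PUBLIC: "public", INTERNAL: "internal",
              CONFIDENTIAL: "confidential", RESTRICTED: "restricted"}

# Assumed purpose specification: the fields the business purpose actually needs
# and how many days each may be retained. Anything else is collected without a purpose.
PURPOSE_FIELDS = {"email": 730, "name": 730, "order_id": 2555}


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a payment card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> tuple[str, int]:
    """Return (data_type, tier) for one field value."""
    v = value.strip()
    if US_SSN_RE.match(v):
        return "national_id", RESTRICTED
    if CARD_RE.match(v) and luhn_ok(v):
        return "payment_card", RESTRICTED
    if EMAIL_RE.match(v):
        return "email", CONFIDENTIAL
    return "other", INTERNAL    # unrecognised values are still internal data


@dataclass
class FieldFinding:
    name: str
    data_type: str
    tier: int
    needed: bool    # required by the stated business purpose
    expired: bool   # at least one record is past the retention period


def inventory(records: list[dict], today: date) -> list[FieldFinding]:
    """Classify every field across the records; most sensitive fields first."""
    findings: dict[str, FieldFinding] = {}
    for rec in records:
        collected = date.fromisoformat(rec["collected_on"])
        for name, value in rec.items():
            if name == "collected_on":
                continue
            dtype, tier = classify_value(str(value))
            needed = name in PURPOSE_FIELDS
            expired = needed and today - collected > timedelta(days=PURPOSE_FIELDS[name])
            f = findings.get(name)
            if f is None:
                findings[name] = FieldFinding(name, dtype, tier, needed, expired)
                continue
            if tier > f.tier:            # one sensitive value raises the whole field
                f.tier, f.data_type = tier, dtype
            f.expired = f.expired or expired
    return sorted(findings.values(), key=lambda f: (-f.tier, f.name))


def fields_to_drop(findings: list[FieldFinding]) -> list[str]:
    """Fields with no business purpose: stop collecting them and purge what exists."""
    return [f.name for f in findings if not f.needed]


def report(findings: list[FieldFinding]) -> list[str]:
    """One line per field: name, detected type, tier and the recommended action."""
    lines = []
    for f in findings:
        if not f.needed:
            action = "no business purpose: stop collecting and purge"
        elif f.expired:
            action = "past retention: purge expired records"
        else:
            action = "keep"
        lines.append(f"{f.name:<10} {f.data_type:<13} {TIER_NAMES[f.tier]:<13} {action}")
    return lines


# Constructed sample records (not real data). Bob's record predates the 730-day
# retention period for name and email when measured from the webinar date.
SAMPLE_RECORDS = [
    {"collected_on": "2015-07-01", "name": "Alice Example", "email": "alice@example.com",
     "order_id": "A-1001", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"collected_on": "2012-01-15", "name": "Bob Example", "email": "bob@example.com",
     "order_id": "A-1002", "ssn": "987-65-4321", "card": "4242424242424242"},
]
TODAY = date(2015, 8, 13)

if __name__ == "__main__":
    for line in report(inventory(SAMPLE_RECORDS, TODAY)):
        print(line)
```

Running it prints one line per field with the recommended action, most sensitive fields first. The two findings that matter most for breach impact come out at the top: the national ID and card number fields serve no stated purpose, so a breach would expose them for no business benefit at all, which is exactly the data a collection-limitation review removes before an incident rather than after.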
Slide 29
Manage internal policies and procedures
Review, update, and communicate
• Internal policies, systems, and procedures need to be reviewed regularly to account for business or regulatory changes
• In addition to security, review policies, systems, and procedures around
  – Data collection, use, sharing, and retention
  – Employee access
  – BYOD
  – Vendor and third party risk management
  – Privacy and security related complaint escalation and resolution process
• Communicate policy changes and updates to affected employees
Slide 30
Manage vendors & third party partners
Know who your organization's vendors and third party partners are and what data they have access to
• Maintain an inventory of vendors and third party partners that have access to data
• Prioritize conducting risk assessments where there is high business and privacy impact
  – Ensure vendors and third party partners have policies in place providing equal or greater protections
• Review agreements or terms of service to determine whether what happens in the event of a breach is addressed
• Hold vendors and third parties accountable
Slide 31
Employee training
• Most breaches are caused by insiders
  – Building employee awareness is key to breach prevention
• Train employees, and then do it again
  – Training is an ongoing process
• Front line employees are key to effective data breach prevention and response
  – May be the first to recognize when a breach has happened
    o Train on escalation process and procedures
  – Face of your organization after a breach incident
    o Train customer support on how to respond to customer questions
Slide 32
Key Take-Aways
Mary Westberg, Senior Compliance Paralegal, SanDisk
Slide 33
Designing an Incident Response Plan
1. Identify Stakeholders
• Each organization is different!
• Consider likely data gatekeepers - often HR; Web; Mobile; Sales; Product Managers
• Get input from Information Security, Legal, Compliance, Internal Audit, Insurance, Public or Investor Relations
• Buy-in from key executives
2. Know Your Data and Systems
• You'll draft a better plan and mitigate risks if you know up-front the data types and quantities
• Classify data by type
• Consider systems, locations, accesses, vulnerabilities
• While evaluating data and systems for personal data, use this opportunity to also consider non-PI confidential information such as trade secrets and third party confidential information
3. Draft the Plan
• Be clear - this plan will bring needed structure during crisis time
• Be actionable - give instructions to persons reporting an incident; accountability and guidelines to responders
• Be flexible - incidents will vary and so must the response
• Be practical - leverage existing resources, if possible
• Publish the plan and be prepared to re-work it
Slide 34
Post-Publication; Work Continues
4. Evaluate and Improve
• Test the plan - conduct a trial run
• Review for effectiveness
• Make adjustments
• Take corrective actions
• Summarize and report
• Regularly revisit the plan
5. Communicate & Train
• Create awareness
• Layer approaches to reach those who need to know
• General audience training or instruction - integrate with other trainings
• Specialized training for responders and incident response team members
Slide 35
Manage & Mitigate Risks
Data Minimization
• You can't lose what you don't have!
• Legitimate business purpose for collections
• Mind data retention schedules - securely destroy
Vendor Management
• On-boarding processes, contractual terms
• Security assessment; audit; red flags
• Saying goodbye - termination procedures, including a certificate of destruction
Layered Internal Processes
• Published policies and procedures that support data security and permitted data uses; related trainings
• Phase gates for products, services and programs
• Self-help tools and resources
• Build awareness, such as a Privacy Committee
Slide 36
Questions?
Slide 37
Contacts
Dr Larry Ponemon [email protected]
Joanne Furtsch [email protected]
Mary Westberg [email protected]
Slide 38
Don't miss the next webinar in the Series: What Does the Proposed EU Regulation Mean for Business, on September 16th.
See http://www.truste.com/insightseries for details of future webinars and recordings.
Thank You!