Treat a Breach Like a Customer, Not a Compliance Issue

A Comprehensive Approach to Breach Resolution Treating a Breach as a Customer Not a Compliance Issue


After a breach occurs, thoughts turn to technical remediation and regulatory compliance, and affected customers have often been viewed only through the filter of breach notification laws. That thinking is changing: privacy and breach response is now as much a customer issue as a compliance issue. It's time to update core practices so that an organization is prepared for an incident and can mitigate its damage, rather than just checking the compliance box. Co3 and Experian are teaming up to provide clients with invaluable breach response techniques. This webinar reviews the best practices to leverage during breach response to ensure continued customer satisfaction. Attendees will also get a sneak peek at the new Co3 Systems / Experian Data Breach Resolution incident response management product integration. The featured speakers for this timely webinar are:

- Gant Redmon, Esq., CIPP/US, General Counsel & VP of Business Development, Co3 Systems
- Bob Krenek, Senior Director, Experian Data Breach Resolution
- Michael Bruemmer, Vice President, Experian Data Breach Resolution

Transcript of Treat a Breach Like a Customer, Not a Compliance Issue

Page 1: Treat a Breach Like a Customer, Not a Compliance Issue

A Comprehensive Approach to Breach Resolution

Treating a Breach as a Customer – Not a Compliance Issue

Page 2: Treat a Breach Like a Customer, Not a Compliance Issue

Page 2

Follow us on @Experian_DBR

Agenda

• Common Pitfalls to Avoid
• Consequences of Mishandling a Breach
• Why You Should Treat a Breach like a Customer – Not a Legal Requirement
• Co3 Systems + Experian = A Holistic Approach

Page 3: Treat a Breach Like a Customer, Not a Compliance Issue


Introductions: Today’s Speakers

Michael Bruemmer, Vice President, Data Breach Resolution

Bob Krenek, Senior Director, Data Breach Resolution

Gant Redmon, Vice President, Business Development

Page 4: Treat a Breach Like a Customer, Not a Compliance Issue


The complete process – based on E.R. standards

PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)

ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

Page 5: Treat a Breach Like a Customer, Not a Compliance Issue


Experian® Data Breach Resolution

We operate and thrive in the most regulated environment
• All of the regulations of the Bureau, Federal statutes and 46 State laws

We have serviced more breaches than all other providers combined
• Over 7,000 incidents in the last decade

We exceed the highest compliance standards
• PCI Level 1, SSAE 16, HIPAA-HITECH

We are a market innovator in Breach Resolution
• First entire family ‘in one’ product – 2006
• First mobile app – 2012
• First lifetime full restoration product – 2012

Page 6: Treat a Breach Like a Customer, Not a Compliance Issue


Common Pitfalls to Avoid

• IT security too lax to detect a breach
• Not hiring privacy counsel
• Sending poorly written “form letters/emails” that anger or confuse the breach population
• Not setting up a call center or having enough staff to handle calls
• Not providing identity protection, or providing inadequate identity protection

Page 7: Treat a Breach Like a Customer, Not a Compliance Issue


Many Breaches Go Undetected for Months

Time elapsed from initial compromise to discovery to containment (percentage of breaches in each time bucket):

                     Seconds  Minutes  Hours  Days  Weeks  Months  Years
Compromise (yellow)  60%      13%      11%    13%   2%     1%      0%
Discovery (green)    9%       1%       0%     11%   12%    62%     4%
Containment (blue)   18%      2%       2%     41%   14%    22%     0%

It can take months for an organization to realize that it has a breach, but once the breach is discovered, the majority of organizations contain it within days or weeks.

Source: 2013 Data Breach Investigations Report, Verizon

Page 8: Treat a Breach Like a Customer, Not a Compliance Issue


Bleak Report Card

Are Notifications Easy to Understand?

          No    Yes
FY 2005   52%   48%
FY 2012   61%   39%

Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012

Page 9: Treat a Breach Like a Customer, Not a Compliance Issue


Consequences of Mishandling a Breach

• Financial Devastation
• Loss of Reputation
• Loss of Customers and Business Partners
• Class Action Lawsuits

Page 10: Treat a Breach Like a Customer, Not a Compliance Issue


Financial Devastation

Average Cost of a Data Breach Per Country

United States   $5.4 million
Germany         $4.8 million
Australia       $4.1 million

Source: 2013 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2013

Page 11: Treat a Breach Like a Customer, Not a Compliance Issue


Harsher Fines for Healthcare Organizations

HIPAA Omnibus Rule Increases Penalties for Repeat Offenders

• First time violators still face fines of up to $50,000 per violation per year
• Repeat offenders, however, can face a devastating fine of up to $1.5 million

Source: U.S. Department of Health and Human Services, Federal Register, January 2013

Page 12: Treat a Breach Like a Customer, Not a Compliance Issue

POLL

Page 13: Treat a Breach Like a Customer, Not a Compliance Issue


Loss of Reputation

Negative Public Opinion Worrisome

• 75% of respondents had or expect to have a material data breach resulting in negative public opinion, blog posts and media reports

Source: Is Your Company Ready for a Big Data Breach?, Ponemon Institute, April 2013

Page 14: Treat a Breach Like a Customer, Not a Compliance Issue


Loss of Business

Number 1 Concern: Loss of Customers and Business Partners

• 76% of respondents had or expect to have a material data breach that results in the loss of customers and business associates

Source: Is Your Company Ready for a Big Data Breach?, Ponemon Institute, April 2013

Page 15: Treat a Breach Like a Customer, Not a Compliance Issue


Class Action Lawsuits

• Surge in class action lawsuits expected next year
  – Judges continue to side with plaintiffs that file class action suits
• Handle a breach correctly and take care of your consumers
  – Avoid getting sued

Source: 2014 Data Breach Forecast, Experian Data Breach Resolution, December 2013

Page 16: Treat a Breach Like a Customer, Not a Compliance Issue


Treat Your Breach Like a Customer – Not a Legal Requirement

• Putting your customers first pays off in the end
• Detailed breach notices
• Identity protection and credit monitoring for all
• Reassure customers, patients, employees

Page 17: Treat a Breach Like a Customer, Not a Compliance Issue


New Normal for Breach Response

Plan Ahead / Organization / Execution

• Who will handle notifications?
• Need a call center?
• Have adequate identity protection lined up?
• Have a response plan?
• Have software to track tasks, responsibilities?
• Have you tested your plan?
• Have a resolution provider?
• What about privacy attorneys, forensic consultants – who will you call?

Put Yourself in Your Consumers’ Shoes

Page 18: Treat a Breach Like a Customer, Not a Compliance Issue


Breach Notices

Are organizations doing a good job with notifications? NO

72% of consumers in a recent study were disappointed in the way their notification was handled.

Only 28% of respondents believe their organization did a good job in communicating and handling the breach.

Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012

Page 19: Treat a Breach Like a Customer, Not a Compliance Issue


Breach Notices

Reason for disappointment with notifications

• Main reason boils down to what is stated – or not stated – in the notification
• Notifications don’t say what happened
• 37% of respondents had no idea what the breach was about, despite receiving a notification

Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012

Page 20: Treat a Breach Like a Customer, Not a Compliance Issue


Identity Protection & Credit Monitoring

You must protect your consumers… Besides, they expect it.

Following a data breach:

• 58% of respondents believe an organization should provide identity protection solutions
• 55% of respondents believe an organization should provide credit monitoring services
• 1 in 4 (25%) of data breach letter recipients became a victim of identity theft last year

Source: 2012 Consumer Study on Data Breach Notification, Ponemon Institute, June 2012

Source: 2013 Identity Fraud Report, Javelin Strategy & Research, February 2013

Page 21: Treat a Breach Like a Customer, Not a Compliance Issue


Identity Protection & Credit Monitoring

Cover every demographic

• Many identity theft and credit monitoring services can only monitor adults with a credit history
• Yet breached companies often have customers with small children or young adults with no credit history
• Children have a 51% higher chance of becoming a victim of identity theft than adults

Source: Child Identity Theft, Carnegie Mellon CyLab, 2013

Page 22: Treat a Breach Like a Customer, Not a Compliance Issue


Reassure Your Consumers

Be PROACTIVE. Reach out to customers, patients & employees.

• In addition to notifications and identity protection/credit monitoring, take it one step further
  – Establish a call center
  – Set up a website to answer FAQs and to keep consumers informed
  – Hold a press conference

Page 23: Treat a Breach Like a Customer, Not a Compliance Issue

POLL

Page 24: Treat a Breach Like a Customer, Not a Compliance Issue


Co3 Systems + Experian = Holistic Approach

Co3 Systems & Experian form partnership

• Co3 helps organizations automate their response
• Experian helps organizations with execution
• Consumer-centric approach

Page 25: Treat a Breach Like a Customer, Not a Compliance Issue


The Co3 Systems & Experian Partnership

Co3 Systems:
• Provides software to help automate the steps needed to respond to a breach
• Helps track tasks, assign responsibilities and generate analytical reports

Experian Data Breach Resolution:
• Provides identity protection & credit monitoring
• Sends notifications to the breach population
• Establishes U.S.-based call centers & provides Certified Fraud Resolution Agents to help victims of identity theft
• Scrubs addresses from the world’s largest credit bureau*

* Source: IBIS World Industry Report 56145, Credit Bureaus & Rating Agencies in US, March 2013

Page 26: Treat a Breach Like a Customer, Not a Compliance Issue


The Co3 Systems & Experian Partnership

Our partnership will benefit your customers

Cater to your customers, patients, or employees
• Less likely to call the media
• Avoid litigation
• Competitors


Page 30: Treat a Breach Like a Customer, Not a Compliance Issue

QUESTIONS

Page 31: Treat a Breach Like a Customer, Not a Compliance Issue

One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013

Michael Bruemmer
Vice President, Data Breach Resolution
[email protected]
(949) 294-8886

Bob Krenek
Senior Director, Data Breach Resolution
[email protected]
(678) 965-8857