A few years ago, a laptop containing encrypted information was stolen from the apartment of an employee at Canandaigua National Bank & Trust, creating a potentially large breach of sensitive customer information.

When Canandaigua management heard about the theft, the company’s 14-member security team conducted a breach assessment and came up with a disaster recovery plan. But the company soon realized it didn’t have the in-house expertise to thwart a data security breach. “Frankly, we were a bit out of our league,” is how Steve Martin, senior vice president of corporate communications at Canandaigua, put it during a recent Webcast.

Canandaigua is hardly alone. Few companies are entrusted with as much sensitive personal information—or bear the risks associated with it—as banks and financial services firms. Add employees’ soaring use of mobile devices, and you have the perfect recipe for a data breach.


When a breach does occur, having a practical, useful response plan can mean all the difference to the size and severity of the compliance failure. “There is a difference between those organizations that go into a learn-while-doing game and those that are executing a plan that they have carefully written, analyzed, tested, and updated,” Alan Brill, senior managing director at Kroll, said during the Webcast.

In Canandaigua’s case, it asked Kroll to help in the preparation and response to the potential data breach. “We decided early on that we needed to get out in front of this issue,” Martin said.


Canandaigua’s plan took its cues from the mother of all emergency response plans: Johnson & Johnson’s famed handling of poisoned Tylenol capsules in 1982. Martin cited J&J’s immediate decision to pull millions of Tylenol bottles from store shelves, and to inform customers of its actions every step of the way. “We decided from the get-go that that’s what we were going to do, as well,” he said.

“Data is like an iceberg … The piece you see is not the entire thing.”

—Alan Brill, Senior Managing Director, Kroll

Canandaigua first trained those employees who would be in direct communication with customers and drilled them with sessions of frequently asked questions. “That was quite helpful and quite reassuring for them in terms of their confidence,” Martin said.

The company also sought extensive feedback to gain perspective on its response plan from customers, the media, and employees. “We really gained from that,” Martin said. “The outcome was exceptionally positive.”

In the end, none of the 5,000 customers caught up in Canandaigua’s breach suffered any direct harm or loss. That didn’t stop the company from taking further action; it also implemented a formal identity-theft program, broadened its data recovery plan to include more than a dozen new potential risk scenarios, and educated the community about data protection. In all, Martin said Canandaigua not only gained the trust and confidence of customers, but also received new business as a result of the company’s efforts.

Best Practices

While the steps Canandaigua took all seem sensible, “the reality is there is no one-size-fits-all answer,” Brill said. Whether a laptop gets stolen, sophisticated malware penetrates an IT system, or an angry employee commits theft, the key to surviving an incident is preparation, he said. He offered a few best practices companies can take to improve an incident-response plan.

DATA SECURITY FAST FACTS

The following fast facts on data security were compiled by Kroll from various sources:

Ponemon Institute (2005)

81 percent of companies surveyed have experienced the loss of one or more laptops containing sensitive data over the past 12 months.

64 percent of some 500 data-security pros surveyed admit that their companies have never performed an inventory to determine the location of customer or employee info.

CMO Council (2006)

76 percent of marketing executives surveyed believe security breaches negatively impact the company brand. Yet 60 percent said that security has not become a significant theme in their company’s messaging and marketing communications.

Only 29 percent said their company has a crisis containment plan for security breaches and failures. Another 27 percent don’t even know if such a plan exists.

Over a third of consumers say they would strongly consider taking their business elsewhere if their personal information was compromised.

CIO Insight.com Annual Security Survey (September 2006)

Nearly half of large companies have been targeted for online data thefts, by perpetrators ranging from organized crime mobs to disgruntled former employees.

One company in six has lost equipment containing company data in the past year.

Employee negligence and software vulnerabilities are considered the most significant IT-security risks.

Javelin Strategy & Research (2005)

Security breaches at businesses accounted for 30 percent of 2005 identity-fraud cases, while 30 percent were the result of consumers’ lost or stolen wallets and checkbooks; nefarious friends and family, 15 percent; stolen mail, 9 percent; and attacks and scams targeting home computers, 9 percent.

Visa/U.S. Chamber of Commerce (2006)

Nearly two-thirds (64 percent) of small businesses have made improvements to protect their customers’ personal information, including credit and debit card data, in the past 12 months, and nearly a third (29 percent) have done so in the last 3 months.

Small retailers spend more resources preventing the theft of products and cash from their store (34 percent) than securing customers’ personal data (20 percent).

Deloitte Touche Tohmatsu (2006)

The majority of technology, media and telecommunications (TMT) companies surveyed consider themselves reactive when it comes to investing in information security, and only 4 percent believe they are doing enough to address the problem.

Only 37 percent of the TMT companies provided security training to employees in the last 12 months.

While 74 percent of TMT companies said that they expect to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9 percent.

Only 63 percent of TMT companies have a dedicated, senior-level security officer; among technology companies the number is only 53 percent.

More than two-thirds of life sciences companies have already appointed a Chief Security Officer, a three-fold increase over the past decade.

Source: Kroll, Inc.

Be sure your team is prepared. Ensure that human resources, IT, public affairs, and legal departments all know their jobs, and are available to do them.

Have a backup plan. If someone goes on leave or is traveling on business, is a backup person ready to handle issues in his or her place?

Train, train, train. Refresh employee training twice a year—not just for people on the team, but for as wide an audience as possible.

Don’t forget the technology team. Most IT people don’t know that much about forensics, collecting evidence, or developing an affidavit. “It’s important to get them involved,” Brill said.

Lay a clear path for reporting a problem. Problems usually grow before they get noticed—and if people don’t know how to report a suspicious problem, they’re less likely to report it, noted Brill. In one instance, the IT team knew about an issue, but senior management didn’t hear about it until a local newspaper reporter called them. “This is not the way top management wants to get your organization into the paper,” Brill quipped. Encourage employees to report even the suspicion of a data breach as quickly as possible.

Plan before execution. Don’t jump into a response plan prior to knowing exactly what happened. In one example, a company believed it had lost 500,000 records thanks to a stolen laptop. The company held a press conference, notified regulators, and then discovered that the laptop was stolen before the data was ever loaded onto it. By then, the company had already publicly pledged to spend several million dollars on customer notifications and credit-monitoring services.

“So make sure that before you take action, you’re not relying on what you think happened, but what really did happen,” Brill said. Every data breach law allows time for an internal analysis to determine what happened and to ensure that the results are going to be sound and defensible.

Know your audience. Different types of breaches require companies to tell different audiences different things. If you have insurance to pay for a breach, for instance, the insurers will expect documentation of what went wrong, what you did, and why you did it. That means you will need to understand the breach, document what happened, and in the event of a criminal matter, capture the evidence in usable form.

Know where sensitive data is located. Consider all locations of data, including files at the department level, individual level, or in personal e-mails. “Data is like an iceberg,” said Brill. “The piece you see is not the entire thing.”
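As an added illustration of the “know where sensitive data is located” step above (example code written for this page, not Kroll’s or Canandaigua’s tooling), the following Python scan walks a set of file locations, including a sent e-mail and a user’s desktop, flags payment-card numbers that pass the Luhn checksum and SSN-formatted strings, and reports which locations hold them. The file paths and their contents are constructed samples; the card numbers are the industry’s published test numbers, not real accounts.

```python
"""Sensitive-data discovery scan (illustrative example, not from the article).

Inventories which locations hold card numbers or SSN-formatted strings so the
"iceberg" below the waterline (department shares, desktops, mailboxes) is
mapped before an incident, not discovered during one.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Loose candidate patterns; the Luhn check below removes most numeric noise
# (ticket ids, phone numbers) that merely looks like a card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit sequences found in text, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    """Return strings in the NNN-NN-NNNN format used for U.S. SSNs."""
    return SSN_RE.findall(text)


@dataclass
class Finding:
    location: str
    card_count: int
    ssn_count: int


def scan_corpus(corpus: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of location -> text; report only locations holding sensitive data."""
    findings = []
    for location, text in corpus.items():
        cards = find_card_numbers(text)
        ssns = find_ssns(text)
        if cards or ssns:
            findings.append(Finding(location, len(cards), len(ssns)))
    return sorted(findings, key=lambda f: f.location)


# Constructed sample "file system": a department share, a desktop export,
# a sent e-mail, and a notes file whose 13-digit ticket id fails Luhn.
SAMPLE_CORPUS = {
    "shared/finance/Q3_report.txt": "Revenue grew 4 percent. No account data in this file.",
    "users/jsmith/Desktop/customer_export.csv": (
        "name,card\n"
        "A. Customer,4111 1111 1111 1111\n"
        "B. Customer,5500-0000-0000-0004\n"
    ),
    "mail/jsmith/Sent/re_loan_app.eml": "Per our call, the applicant's SSN is 123-45-6789.",
    "users/jsmith/notes.txt": "Ticket 1234567890123 opened; call back tomorrow.",
}


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.location}: cards={f.card_count} ssns={f.ssn_count}")
```

Run against a real estate, the corpus would be built by walking file shares, home directories and mail stores; the inventory it produces is what lets a response team say which systems actually held customer data rather than guessing, as in the 500,000-record example Brill describes.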

Consider vendor partners. Sometimes contracted companies also use outside firms, so it’s important to know their vendors. Ensure that they, too, are following appropriate procedures and that a network of trust exists throughout that chain.


One reasonable step is to send information security personnel to vet those parties, advises Ted Claypoole, a technology lawyer with law firm Womble Carlyle Sandridge & Rice. “There is nothing that beats eyes on the ground,” he says.

Routinely test your plan. Because threats are constantly evolving, response plans should be tested at least annually, preferably twice a year. New technology services, merger activity, and a revolving door of new personnel are all good reasons for retesting.