Data Breach What kind of target are you?
Agenda The Problem Legal Landscape Risk Mitigation
The Problem
There’s an app for that! Our Reality
Is there anyone in the U.S. who has NOT received a notification that their data has been compromised?
– Malicious – seeking to steal/expose/ embarrass – Insidious – trying to gain foothold in organization and monitor – Accidental – lost equipment, accidents, systems crash etc. Threat Characteristics Source: Corporate Executive Board
How can you cripple a major news organization’s website?
How can you cause the Dow Jones Industrial Average to drop 150 points in 7 minutes?
How can you cause the U.S. to lose billions in exports?
Entry point: Then what happens?
Economics Of A Security Breach Forensics Notification Call centers Credit protection Legal Fees Fines Public relations Lost business Lost productivity Increased security Mandated audits Other…
Simulated Incident Based on the results of the event analysis, the assessment has established the following list of minimum recommended actions: – Under jurisdictional regulatory requirements – Notify 11 state attorneys general – Notify 94,000 consumers in 47 jurisdictions – Notify credit agency of 54,000 exposures in 27 jurisdictions – Notify local media in 2 jurisdictions – Provide other general notifications – Notify 7 special offices in 5 jurisdictions – Also advised: 8 optional tasks Estimated fine liability: $7,700,000
Data Risk 1 – TMI! Companies tend to over-collect/retain in the interest of customer service – “We might need that”… More records = more expense
Data Risk 2 – TMI! Companies try to track and monitor too much, or the wrong things – Have you ever seen what is generated by an intrusion detection system? Narrow down to the truly important Risk based approach Secure vs. compliant
Data Risk 3 – TMI! Do you need to keep processing in-house? Tokenization – Some ROI available What risk goes away, what stays
Laws and Standards
U.S. and privacy/security Fair information practices approach – Notice and choice (opt in or out) By Sector – Education – Financial – Health – Marketing – Other Data breach
Education Family Education Rights and Privacy Act – Right for only certain parties to view records – Right to inspect and correct records
Financial Gramm Leach Bliley Fair Credit Reporting Act Red Flags Rule Others…
Health Health Insurance Portability and Accountability Act – Health records – Privacy and Security HITECH/GINA
Marketing CAN SPAM Do not call Others…
California SB 1386 Passed to prevent identity theft Defined personal information Landmark law that affected the rest of the country Influenced other states
Massachusetts Data Security Law Set data security standards for records Specific rules for data protection
Other U.S. Payment Card Industry standard FTC Act – Unfair and deceptive trade practices FCC regulations COPPA Pending federal legislation Others…
Global perspective Different focus and expectations Many new and pending global developments
PCI Data Security Standard (PCI DSS) Actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents Regularly evolving as threats and technologies change
Retail Breaches U.S. heavily targeted for credit card theft Target, Home Depot, Neiman Marcus, Michaels, etc….. Stolen magnetic stripe data can be used create a fake credit card with an encoding device Over $11 billion in losses in 2014
Fraud Statistics in the U.S. The United States accounted for 47% of total global payment-card fraud losses according to the Nilson Report A survey released in 2012 by the Aite Group and ACI Worldwide, a research and a payment-software firm respectively, found that 42% of Americans had experienced some form of payment-card fraud in the preceding five years Source:
Does fraud live near you? Source:
EMV and PCI DSS EMV chip: – Authentication technology for the point of sale part of the transaction when the physical card is actually present PCI DSS: – Security controls to protect the cardholder's confidential information on payment cards, not just at the moment the card is swiped or dipped, but all the way through the transaction process – Controls also apply when payments are made online or via telephone, where the card is not present Source: _with_emv_chip_and_pci.php
Vulnerabilities Not Address by EMV Transmission and storage of card data – Ex: thieves siphoning card data as it is transmitted to merchant’s central server in the clear Card not present (CNP) transactions – Rollouts of EMV in other countries have initially shown an increase in CNP fraud Led to more stringent fraud measures for CNP
Risk Mitigation
What challenges do you face? !Prioritize Crown Jewels !Understand/Address Risk !Reduce Targets Protection/Retention Priorities
Controls Framework ISO, NIST, etc. 4 controls have a big impact Layer on controls depending on your risk profile
Incident Response-Are You Ready? All companies will experience a security incident Planning ahead is important – many security and legal issues involved All companies should go through incident simulations 36
Legacy SystemsNew Systems Sensitive data visibleData masking enabled Limited monitoringEnhanced monitoring Legacy contract languageIncreased contractual liability for vendors SSN as identifierNew identifiers used PasswordsMulti-factor 37
Reducing the Target Don’t forget non-production and “shadow IT” Data on mobile devices Retired applications Unstructured data Data held by third parties Data on backup media or offsite storage
Encryption and Tokenization Encrypt all clear transmission of cardholder data for additional security Tokens replace legacy data in storage – Can reduce PCI scope and maintenance costs – Takes sensitive data out of cardholder data environment (CDE) – Keep in mind a lot of tokenization is “go forward” only
3 rd Parties and Insurance Many breaches start with a compromised 3 rd party – Vetting vendors – Contractual obligations – Regular audits – Entry into and out of company Cyber liability insurance coverage Your security “credit score”
Questions?