Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Presentation transcript:

Are Large Scale Data Breaches Inevitable? Douglas E. Salane, Center for Cybercrime Studies, John Jay College of Criminal Justice. Cyber Infrastructure Protection 09, City University of New York, City College (CCNY), June

Large Scale Breaches
- What is a large scale data breach?
- Why are they important?
- Where do these breaches occur?

Information on Data Breaches
- State breach notification laws
- Federal breach notification laws
- Role of State Attorneys General
- Breach notification letters
- Civil and criminal prosecutions
- Company press releases and announcements
- SEC filings

Organizations that track breaches
- Open Security Foundation: DataLossDB project
- Privacy Rights Clearinghouse
- Federal Trade Commission

Breach Incidents

Incidents By Breach Type

Incidents Business

Incidents by Data Type

Notable large scale breaches in the Data Aggregation Industry
- What is the data aggregation industry?
- Who buys information from a data aggregator?
- What types of information do these companies provide?

Breaches in the Data Aggregation Industry: methods, costs and consequences
- Acxiom breaches
- ChoicePoint breaches, 2004
- LexisNexis (Accurint) breaches, 2005, 2007

Breaches in the Retail and Card Payment Industry
- What is the card payment processing industry?
- Why is this industry targeted, and by whom?
- What do you do with 45 million credit card numbers?

Breaches in the Retail and Card Payment Processing Industries: methods, costs and consequences
- CardSystems Solutions: 45 million card numbers
- TJX Companies: 94 million cards
- RBS WorldPay: 1.5 million financial records
- Heartland Payment Systems: 100 million cards

Card Payment Industry

Monetizing the Crime
- Carding sites
- Cashing out on a world-wide basis
- Targeted attacks, e.g., scanners and cameras

Breaches and Fraud
- Percentage of revenue lost to on-line fraud: about 1.4% for the past six years, 3.6% in 2001
- Card-present fraud rate continues to decline
- ATM fraud is rising (?)
- "Identity fraud" is rising (?)
- Fraud in international card transactions is unacceptable (one in nine on-line purchases rejected)

Large scale breaches: the costs to businesses
- Breach notification costs
- Class action suits to recover costs
- Loss of confidence by business partners and clients

Remedies
- Industry-wide attempts at security: PCI DSS in the payment processing industry
- Enhanced roles of the chief information security and information privacy officers
- The increasing importance of information privacy policies

Challenges
- Breach details are seldom revealed, even long after the breach.
- Until recently, there were no industry-wide clearing houses for breach information. (Payments Processing Information Sharing Council)
- Risks of keeping breach information secret

A few IT Community Challenges
- Knowing where the data is
- Rapid system-wide updating and patching
- Integration of legacy systems
- Automated fraud detection tools at each level
- Implementing end-to-end encryption
- Better systems for authorization and auditing

Law Enforcement Challenges
- Immediate notification in the event of a breach
- Improved intelligence on carding sites and cashing techniques
- Critical need for international law enforcement and governmental cooperation

Information Security Policy Challenges
- Privacy policies based on need-to-know (limit data collection and retention)
- Commingling of systems on public and private networks
- Policies to protect large data repositories

Trends
- Breach costs will continue to grow
- National breach notification legislation is coming (health care now, other sectors soon)
- Breach notification will give the FTC and the HHS Dept. more authority to regulate the use of PII

Concluding Remarks
- Breach notification laws are changing the way organizations view information security and privacy.
- Breaches of PII such as SSNs, names and addresses are especially dangerous for individuals.
- More on privacy and data breaches at the Center for Cybercrime Studies