
Data Breach What kind of target are you?. Agenda The Problem Legal Landscape Risk Mitigation.

Presentation transcript:

1 Data Breach What kind of target are you?

2 Agenda The Problem Legal Landscape Risk Mitigation

3 The Problem

4 There’s an app for that! Our Reality

5 Is there anyone in the U.S. who has NOT received a notification that their data has been compromised?

6 Threat Characteristics
– Malicious – seeking to steal/expose/embarrass
– Insidious – trying to gain a foothold in the organization and monitor
– Accidental – lost equipment, email accidents, system crashes, etc.
Source: Corporate Executive Board

7 How can you cripple a major news organization’s website?

8 How can you cause the Dow Jones Industrial Average to drop 150 points in 7 minutes?

9 How can you cause the U.S. to lose billions in exports? http://ipcommission.org/report/IP_Commission_Report_052213.pdf

10 Entry point: Then what happens?

11 http://www.hassonybeenhackedthisweek.com

12 Economics Of A Security Breach Forensics Notification Call centers Credit protection Legal Fees Fines Public relations Lost business Lost productivity Increased security Mandated audits Other…

13 Simulated Incident Based on the results of the event analysis, the assessment has established the following list of minimum recommended actions:
– Under jurisdictional regulatory requirements
  – Notify 11 state attorneys general
  – Notify 94,000 consumers in 47 jurisdictions
  – Notify credit agency of 54,000 exposures in 27 jurisdictions
  – Notify local media in 2 jurisdictions
– Provide other general notifications
  – Notify 7 special offices in 5 jurisdictions
– Also advised: 8 optional tasks
Estimated fine liability: $7,700,000

14 Data Risk 1 – TMI! Companies tend to over-collect/retain in the interest of customer service – “We might need that”… More records = more expense

15 Data Risk 2 – TMI! Companies try to track and monitor too much, or the wrong things – Have you ever seen what is generated by an intrusion detection system? Narrow down to the truly important Risk based approach Secure vs. compliant

16 Data Risk 3 – TMI! Do you need to keep processing in-house? Tokenization – Some ROI available What risk goes away, what stays

17 Laws and Standards

18 U.S. and privacy/security Fair information practices approach – Notice and choice (opt in or out) By Sector – Education – Financial – Health – Marketing – Other Data breach

19 Education Family Education Rights and Privacy Act – Right for only certain parties to view records – Right to inspect and correct records

20 Financial Gramm Leach Bliley Fair Credit Reporting Act Red Flags Rule Others…

21 Health Health Insurance Portability and Accountability Act – Health records – Privacy and Security HITECH/GINA

22 Marketing CAN SPAM Do not call Others…

23 California SB 1386 Passed to prevent identity theft Defined personal information Landmark law that affected the rest of the country Influenced other states

24 Massachusetts Data Security Law Set data security standards for records Specific rules for data protection

25 Other U.S. Payment Card Industry standard FTC Act – Unfair and deceptive trade practices FCC regulations COPPA Pending federal legislation Others…

26 Global perspective Different focus and expectations Many new and pending global developments

27 PCI Data Security Standard (PCI DSS) Actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents Regularly evolving as threats and technologies change

28 Retail Breaches U.S. heavily targeted for credit card theft Target, Home Depot, Neiman Marcus, Michaels, etc. Stolen magnetic stripe data can be used to create a fake credit card with an encoding device Over $11 billion in losses in 2014

29 Fraud Statistics in the U.S. The United States accounted for 47% of total global payment-card fraud losses according to the Nilson Report A survey released in 2012 by the Aite Group and ACI Worldwide, a research and a payment-software firm respectively, found that 42% of Americans had experienced some form of payment-card fraud in the preceding five years Source: http://www.economist.com/news/finance-and-economics/21596547-why-america-has-such-high-rate-payment-card-fraud-skimming-top

30 Does fraud live near you? Source: http://learn.equifax.com/identity-theft/fraud-index

31 EMV and PCI DSS EMV chip: – Authentication technology for the point of sale part of the transaction when the physical card is actually present PCI DSS: – Security controls to protect the cardholder's confidential information on payment cards, not just at the moment the card is swiped or dipped, but all the way through the transaction process – Controls also apply when payments are made online or via telephone, where the card is not present Source: https://www.pcisecuritystandards.org/news_events/quick_resources/increasing_security_with_emv_chip_and_pci.php

32 Vulnerabilities Not Addressed by EMV Transmission and storage of card data – Ex: thieves siphoning card data as it is transmitted to the merchant’s central server in the clear Card not present (CNP) transactions – Rollouts of EMV in other countries have initially shown an increase in CNP fraud Led to more stringent fraud measures for CNP

33 Risk Mitigation

34 What challenges do you face? – Prioritize Crown Jewels – Understand/Address Risk – Reduce Targets – Protection/Retention Priorities

35 Controls Framework ISO, NIST, etc. 4 controls have a big impact Layer on controls depending on your risk profile

36 Incident Response – Are You Ready? All companies will experience a security incident Planning ahead is important – many security and legal issues involved All companies should go through incident simulations

37 Legacy Systems vs. New Systems
Legacy Systems           | New Systems
Sensitive data visible   | Data masking enabled
Limited monitoring       | Enhanced monitoring
Legacy contract language | Increased contractual liability for vendors
SSN as identifier        | New identifiers used
Passwords                | Multi-factor

38 Reducing the Target Don’t forget non-production and “shadow IT” Data on mobile devices Retired applications Unstructured data Data held by third parties Data on backup media or offsite storage

39 Encryption and Tokenization Encrypt all clear transmission of cardholder data for additional security Tokens replace legacy data in storage – Can reduce PCI scope and maintenance costs – Takes sensitive data out of cardholder data environment (CDE) – Keep in mind a lot of tokenization is “go forward” only
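The two points above (slide 37's "data masking enabled" and slide 39's tokens replacing stored card data, with the caveat that tokenization is often "go forward" only) are easier to reason about with a concrete model. The following Python is an added illustration, not code from the presentation or from any vendor product: a minimal in-process token vault (TokenVault, mask_pan, luhn_valid, pan_exposure_report and backfill are all hypothetical names) that hands the application a random token, keeps the token-to-PAN mapping only inside the vault, masks the PAN for display, and counts how many legacy rows still hold a raw PAN after new records start arriving tokenized. The sample records and lookup key are constructed; a real vault would be a separately secured, encrypted service rather than a dictionary.

```python
"""Token vault, display masking and a 'go-forward' exposure check.

Added example (hypothetical names, constructed data). Shows why tokens
take stored card data out of the cardholder data environment (CDE) and
why rows written before tokenization stay in scope until backfilled.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test; useful for spotting raw PANs in legacy fields."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of token -> PAN. Lives inside the CDE."""

    def __init__(self, lookup_key: bytes):
        self._by_token: dict[str, str] = {}
        self._by_pan_mac: dict[str, str] = {}
        self._key = lookup_key  # constructed key for the keyed lookup index

    def _index(self, pan: str) -> str:
        # keyed hash so the reverse index does not hold a second raw PAN copy
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._by_pan_mac:          # same card -> same token (joins still work)
            return self._by_pan_mac[idx]
        token = "tok_" + secrets.token_hex(16)   # random; carries no information about the PAN
        self._by_token[token] = pan
        self._by_pan_mac[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]         # only the vault can reverse a token


def mask_pan(pan: str) -> str:
    """Display masking: show the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def is_tokenized(value: str) -> bool:
    return value.startswith("tok_")


def store_new_record(vault: TokenVault, record_id: int, customer: str, pan: str) -> dict:
    """Go-forward path: new rows never hold a raw PAN."""
    return {"id": record_id, "customer": customer, "card": vault.tokenize(pan)}


def pan_exposure_report(records: list[dict]) -> int:
    """Rows still holding a raw PAN: these keep the table inside PCI scope."""
    return sum(1 for r in records if not is_tokenized(r["card"]))


def backfill(vault: TokenVault, records: list[dict]) -> list[dict]:
    """One-off migration that tokenizes legacy rows in place."""
    for r in records:
        if not is_tokenized(r["card"]):
            r["card"] = vault.tokenize(r["card"])
    return records


# Constructed sample rows written before tokenization was introduced.
LEGACY_RECORDS = [
    {"id": 1, "customer": "A", "card": "4111111111111111"},
    {"id": 2, "customer": "B", "card": "5500000000000004"},
]

if __name__ == "__main__":
    vault = TokenVault(b"constructed-lookup-key")
    table = [dict(r) for r in LEGACY_RECORDS]
    table.append(store_new_record(vault, 3, "C", "5500000000000004"))
    print("raw PANs before backfill:", pan_exposure_report(table))
    backfill(vault, table)
    print("raw PANs after backfill:", pan_exposure_report(table))
    print("display form:", mask_pan(vault.detokenize(table[0]["card"])))
```

The exposure count is the practical takeaway: turning on tokenization for new transactions leaves every pre-existing row, backup and extract exactly as sensitive as before, so scope reduction only materialises once a backfill (and a matching cleanup of copies) has run.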

40 3rd Parties and Insurance Many breaches start with a compromised 3rd party – Vetting vendors – Contractual obligations – Regular audits – Entry into and out of company Cyber liability insurance coverage Your security “credit score”

41 Questions?
