When your assets have been exposed
Written by Vawn Himmelsbach October 29, 2006
Identity theft has become a major concern, causing billions of dollars in losses. At the IAPP Privacy Conference in Toronto Oct. 18, security experts outlined tips on how to handle a breach notification, should a breach occur.
In many cases of identity theft (some 50 to 70 per cent) the culprit is an employee or contractor, said Jim Koenig, practice co-leader of privacy strategy and compliance with PricewaterhouseCoopers. But thieves only have a one in 700 chance of being caught.
Still, most data is compromised offline, so breaches are not necessarily computer breaches. Data management is also a big issue: from lost or stolen laptops, backup tape issues or even hotel business centre computer breaches.
The impact? “Notifications have increased and received front-page media coverage of failures by high-profile organizations,” said Koenig.
The first breach and disclosure law was developed three years ago in California (SB 1386), but its weakness lies in its definition. “Lots of things can get swept into the definition,” said Koenig. In 2005 and 2006, 33 states in the U.S. passed similar legislation.
As a result, some companies are removing sensitive data from business and HR processes. Others are reviewing and implementing key identity theft safeguards such as encryption, access control and identity management. And others are enhancing administrative safeguards such as training and employee background checks.
The way to handle a breach, once it’s occurred, involves preparation, investigation and notice. “The first step is to make sure they’re covering all aspects of the business,” said Julie Fergerson, vice-president of emerging technologies with Debix. A common mistake is to secure the data online, but not take into account who has access to the data offline.
Then, look at common vulnerabilities, such as third-party vendor handling, paper handling, dumpster diving, phishing and social engineering. “Make sure you understand how to document diligence in a way that will be understandable by regulators,” said Koenig. There’s a lot of focus on security framework convergence or mapping, but such frameworks don’t necessarily cover compliance.
Next is proactive planning. “We lost a backup tape one year ago,” said Chris Zoladz, vice-president of information protection with Marriott International and former president of IAPP. “I know how painful it can be; I sure wish we had done some of this before December ’05.” While you can’t predict every scenario from A-Z, you can approach the situation from a crisis management perspective. Know who the key stakeholders are. “The devils are in the details, and there are a lot of them,” he said.
Also, know your vendor. Vendors have been at the heart of many recent breaches and incidents, such as credit card theft and lost or stolen tapes, said Zoladz. Your vendor privacy or security policy must be in sync with that of contracting companies. Include a penalty in the contract if a breach does occur.
If a breach occurs, bring in the forensics team immediately. A common mistake is for internal IT staff to claim they have the skill set to deal with a breach when they don’t. “Data gets screwed up by folks without proper training and it makes it harder for forensics teams to track what happened,” said Fergerson. But make sure forensics is a disinterested third party, she added.
Proceed with a sense of urgency because the first 48 hours are critical, said Zoladz. Isolate what happened and if data is recoverable. “Don’t let denial or shock result in a waste of precious time,” he said. “If you have to make [a plan] up on the fly, it’s a tough way to go.”
Know your compliance obligations and the law, said Koenig. Tailor the investigation to look at limiting your liability and obligations, and use tools that help you respond quickly.
Also, make sure you’re readily accessible in order to reassure clients. Have toll-free numbers and properly trained staff with a consistent message, said Zoladz. Pre-empt media coverage based on misinformation or assumption.
Also at the IAPP Privacy Conference, Ann Cavoukian, information and privacy commissioner of Ontario, announced her support for a global online identity system framework by outlining seven “privacy-embedded” laws that would help consumers verify the identity of legitimate organizations before making online transactions. The laws are based on Microsoft’s Seven Laws of Identity.
These laws will offer more direct user control over personal information when online, as well as an enhanced ability to minimize the amount of identifying data revealed online and the linkage between different identities and actions. They also offer an enhanced ability to detect fraudulent messages and websites to help prevent phishing and identity theft.