When your assets have been exposed
By Vawn Himmelsbach
Identity theft has become a major concern, causing billions of dollars in losses. At the IAPP Privacy Conference in Toronto Oct. 18, security experts outlined tips on how to handle a breach notification, should a breach occur.
In many cases of identity theft – some 50 to 70 per cent – the
culprit is an employee or contractor, said Jim Koenig, practice
co-leader of privacy strategy and compliance with
PricewaterhouseCoopers. But thieves only have a one in 700 chance of
Still, most data is compromised offline – so
breaches are not necessarily computer breaches. Data management is also
a big issue, ranging from lost or stolen laptops and backup tape mishaps
to breaches of hotel business centre computers.
“Notifications have increased and received front-page media coverage of
failures by high-profile organizations,” said Koenig.
breach and disclosure law was developed three years ago in California
(SB 1386), but its failure is in its definition. “Lots of things can
get swept into the definition,” said Koenig. In 2005 and 2006, 33
states in the U.S. passed similar legislation.
As a result, some
companies are removing sensitive data from business and HR processes.
Others are reviewing and implementing key identity theft safeguards
such as encryption, access control and identity management. And others
are enhancing administrative safeguards such as training and employee
The way to handle a breach, once it’s
occurred, involves preparation, investigation and notice. “The first
step is to make sure they’re covering all aspects of the business,”
said Julie Fergerson, vice-president of emerging technologies with
Debix. A common mistake is to secure the data online, but not take into
account who has access to the data offline.
Then, look at common
vulnerabilities, such as third-party vendor handling, paper handling,
dumpster diving, phishing and social engineering. “Make sure you
understand how to document diligence in a way that will be
understandable by regulators,” said Koenig. There’s a lot of focus on
security framework convergence or mapping, but they don’t necessarily
Next is proactive planning. “We lost a backup tape one year ago,”
said Chris Zoladz, vice-president of information protection with
Marriott International and former president of IAPP. “I know how
painful it can be – I sure wish we had done some of this before
December ’05.” While you can’t predict every scenario from A-Z, you can
approach the situation from a crisis management perspective. Know who
the key stakeholders are. “The devils are in the details, and there are
a lot of them,” he said.
Also, know your vendor. Vendors have been at the heart of many
recent breaches and incidents, such as credit card theft and lost or
stolen tapes, said Zoladz. Your vendor privacy or security policy must
be in sync with that of contracting companies. Include a penalty in the
contract if a breach does occur.
If a breach occurs, bring in the forensics team immediately. A
common mistake is for internal IT staff to claim they have the skill
set to deal with a breach when they don’t. “Data gets screwed up by
folks without proper training and it makes it harder for forensics
teams to track what happened,” said Fergerson. But make sure forensics
is a disinterested third party, she added.
Proceed with a sense of urgency because the first 48 hours are
critical, said Zoladz. Isolate what happened and whether data is
recoverable. “Don’t let denial or shock result in a waste of precious
time,” he said. “If you have to make [a plan] up on the fly, it’s a
tough way to go.”
Know your compliance obligations and the law, said Koenig. Tailor
the investigation to look at limiting your liability and obligations,
and use tools that help you respond quickly.
Also, make sure you’re readily accessible in order to reassure
clients. Have toll-free numbers and properly trained staff with a
consistent message, said Zoladz. Pre-empt media coverage based on
misinformation or assumption.
Also at the IAPP Privacy Conference, Ann Cavoukian, information and
privacy commissioner of Ontario, announced her support for a global
online identity system framework by outlining seven “privacy-embedded”
laws that would help consumers verify the identity of legitimate
organizations before making online transactions. The laws are based on
Microsoft’s Seven Laws of Identity.
These laws will offer more direct user control over personal
information when online, as well as an enhanced ability to minimize the
amount of identifying data revealed online and the linkage between
different identities and actions. They also offer an enhanced ability
to detect fraudulent messages and websites to help prevent phishing and