Dealing with a Data Breach: A Proactive Approach
Muzaffar I. Chaudhary, CISA, CISSP
05/04/11

Agenda
I. Background
II. GA Data Breach Law
III. Regulatory Requirements
IV. A Data Breach Scenario
V. Data Breach Response Strategy
VI. Q&A

Hacker Landscape
• Today's hackers are organized, motivated, and sophisticated. Data and identity theft is no longer for amateurs.
• Hackers work on behalf of state-sponsored or criminal organizations, have access to state-of-the-art tools, and know how to target specific organizations for information that can be used for financial gain.

Is Your Organization Immune to a Data Breach?
• 340 million records containing personal information have been breached in the US since 2005 (Privacy Rights Clearinghouse)
• 85% of businesses have experienced a data breach (2009 Ponemon Institute data breach study)
• 50% of large hospitals experienced at least one data breach in 2009 (Source: HIMSS)

Some Massive Data Breaches
• February 2007: information on possibly tens of millions of credit and debit cards.
• 2009: credit card information for more than 250,000 businesses, 130 million records.
• A contractor recycled disks without erasing them, leaving the personal information of millions of veterans accessible to whoever got the disks.
• February 2008: Bank of New York Mellon sent 10 unencrypted backup tapes to a storage facility and lost one tape in transit.

Most Recent Breaches
• 08-19-2010, University of Connecticut: 10,174 student applications with SSN, NAA stolen
• 08-19-2010, University of Kentucky: 2,027 patient names, medical record numbers, dates of birth, diagnoses, SSN breached
• 08-20-2010, Cook County Health & Hospitals System: 7,000 patient names, birth dates, and some SSN stolen
Source: datalossdb.org

Reported Incidents to Date
[Chart: reported incidents over time. Source: datalossdb.org]

PII Data Breach: 2010 Yearly Report
Total Incidents: 470
Total Records Affected: 13,996,783
Source: datalossdb.org

Data Breach Readiness
When it comes to a data breach, the question is not "if" you will become a target; the question is "when." Operational pre-planning and readiness can control costs, improve customer loyalty, and preserve your reputation and brand.

Georgia Breach Law
The law requires that "Any information broker that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Regulatory Requirements (PCI, HIPAA, ...)
1. Isolate the breach for forensics
2. Inform necessary parties (law enforcement, etc.)
3. Notify your business partners (e.g. bank)
4. Incident response report

PCI Incident Response Requirements
Requirement 12.9:
12.9.1: Create an incident response plan
12.9.2: Test the plan at least annually
12.9.3: Designate specific personnel to be available on a 24/7 basis to respond to incidents
12.9.4: Provide appropriate training to staff with security breach response responsibilities
12.9.5: Include alerts from IDS, IPS and file integrity monitoring systems
12.9.6: Develop processes to modify and evolve the IR plan according to lessons learned

A Data Breach Scenario (hypothetical)
Credit card data is compromised at the airport. The DOA has to notify the affected customers according to the "GA Breach Law Notification" requirement.
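The following is an added example, not part of the deck: it encodes the notification trigger from the Georgia law quoted above as a decision function and combines it with an assumed three-tier harm rating standing in for the risk assessment and response matrix the deck describes later, then runs it against the hypothetical airport scenario. The `BreachEvent` fields, the `PERSONAL_INFO` set, the scoring thresholds and the tier-to-action mapping are all assumptions of this example.

```python
from dataclasses import dataclass
# Hypothetical breach-event record; the field names are this example's own.
@dataclass
class BreachEvent:
    description: str
    records: int            # individuals affected
    data_types: frozenset   # e.g. {"name", "card", "ssn"}
    encrypted: bool         # was the compromised data encrypted?
    acquired: bool          # acquisition by an unauthorized person confirmed
    reasonably_believed: bool = False   # ... or reasonably believed
    ga_residents: bool = True

# The quoted statute does not enumerate "personal information"; assumed set.
PERSONAL_INFO = frozenset({"ssn", "card", "drivers_license", "account"})

def ga_notification_required(ev: BreachEvent) -> bool:
    """GA law trigger: unencrypted personal information of a state resident
    acquired, or reasonably believed acquired, by an unauthorized person."""
    if ev.encrypted or not ev.ga_residents:
        return False
    if not (ev.data_types & PERSONAL_INFO):
        return False
    return ev.acquired or ev.reasonably_believed

def harm_tier(ev: BreachEvent) -> str:
    """Assumed three-tier harm rating (the deck's First Data matrix is not on the page)."""
    score = len(ev.data_types & PERSONAL_INFO)
    score += 2 if ev.records >= 10_000 else 1 if ev.records >= 1_000 else 0
    score += 0 if ev.encrypted else 1
    return "high" if score >= 4 else "medium" if score >= 2 else "low"

# Assumed mapping from harm tier to the outbound artifacts the deck lists.
RESPONSE = {
    "high": ["press release", "website posting", "notification letter", "hotline"],
    "medium": ["website posting", "notification letter"],
    "low": ["internal incident report"],
}

def plan_response(ev: BreachEvent) -> dict:
    """The statute can force a notification letter even when the tier alone would not."""
    notify = ga_notification_required(ev)
    actions = list(RESPONSE[harm_tier(ev)])
    if notify and "notification letter" not in actions:
        actions.append("notification letter")
    return {"tier": harm_tier(ev), "notify": notify, "actions": actions}

# Constructed input for the deck's airport scenario: unencrypted card data, acquisition confirmed.
AIRPORT = BreachEvent("card data compromised at the airport", 25_000,
                      frozenset({"name", "card"}), encrypted=False, acquired=True)
```

Note that an encrypted backup tape that goes missing scores as a real harm event for the matrix but does not trip the statutory trigger as quoted, which is exactly the kind of distinction the response team needs to make explicitly.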
The executive management at DOA has asked Public Relations, the Information Security Officer and DOA's Attorney to do the following:
• A press release to the media for the incident
• A posting on the DOA website for the incident
• A letter to the affected customers whose credit card information has been compromised

A Perfect Storm
This breach event may become the ultimate nightmare, a "perfect storm," if:
• DOA customers learned of the breach via sensationalized media reports.
• DOA was obliged to make public statements in the absence of necessary facts.
• Card issuers had to act quickly, with little information, to notify customers and determine whether cards should be closed and new cards re-issued.

Data Breach Response Strategy
• An inventory of data and information systems is essential to a successful security program.
• A Data Steering Committee (an Event Response Team) consisting of key executives and personnel from areas of the business that would be affected by a data breach.
• A Risk Assessment and Response Matrix that guides your team in determining how harmful a particular breach event would be and how you should respond to it.
• A Communication Plan designed to control outbound messaging related to the event and to maintain public confidence.

Building Your Data Steering Committee / Event Response Team
• Audit and compliance
• Representatives from all customer-facing groups
• Human resources
• Key executives and senior decision-makers
• Legal
• Marketing and public relations
• Operations / information technology
• Risk management and information security

Creating Your Risk Assessment and Response Matrix
[Matrix figure; its contents did not survive extraction. Source: First Data Corporation]

A Solid Communication Plan
• When a breach is contained, announce what you know when you know it.
• If there are things you do not yet know (perpetrator, details of the attack, etc.), avoid spreading misinformation that you will eventually have to correct or retract.
• Explain why you cannot reveal certain information.
• Describe, in specific detail if possible, what you are doing and why you are doing it.
• Be honest, above all else. Your customers and partners will appreciate it.

Bad-News Management Plan
• Prepare for the worst by envisioning the best
• Go from start to finish in words and pictures
• Do a dry run
• Establish leadership contingencies
• Coach and train spokespeople
• Know where everybody is and how to contact him/her

Notification Templates
• Outlines and content for
  – Press releases
  – Notification letters
  – Incident-specific website
  – Incident response FAQs
  – Hotline (FAQs serve as a script for call-takers)
• Sample language from actual incidents
• Food for thought: one size does not fit all

Press Release Components
• What are you doing?
  – Announcing a breach? A theft?
  – Announcing that the case has been resolved? That notification has occurred?
• Who is affected / not affected?
• What specific types of personal information are involved?
• What are the (brief) details of the incident?
• "No evidence to indicate data has been misused..." or what the evidence points to.
• Expression of regret and concrete steps the institution is taking to prevent this from happening again.
• For more information, ...

Sample Snippets: Who is Affected / Not Affected
• The server contained credit card information, including names and credit/debit card numbers, of parking customers.
• The server contained personal information, including names and Social Security numbers, on current, former and employees.
• Laptop computers were not breached, and, at this time, company officials believe that [population] were not affected.

Notification Letter Components
• What happened and when?
• How was it detected?
• What specific types of personal information are involved and for whom?
• What steps are being taken?
• "No evidence to indicate data has been misused..." or what the evidence points to.
• What steps should individuals take?
• Expression of regret and/or commitment to security.
• Contact information.
• Signature.

Sample Snippets: Notification Letter
• Anticipated next steps, if any, e.g. intention to notify if any additional information becomes available.
  Example: The theft of this information raises a number of possible risks to you. One is theft of identity for financial gain. We will be sending you a package of materials outlining steps you can take to protect yourself from identity theft.
• Who to contact for additional information: contact name, number, hours of availability, web site, hotline, email address, etc.
  Example: Should you have further questions about this matter, please contact [name of contact], [title of contact], at [email address of contact] or [phone number].
• Signature: whoever makes most sense (CEO, COO, General Manager, etc.)

Incident Web Site Components
• Most-Recent-Update section at top of page
• <Replicate notification letter components, modified for a more generic audience>
• Link to identity theft website / credit agencies
• FAQs
• Press releases
• Toll-free hotline contact information

Generic Checklist
A matrix of content components (rows) against notification documents (columns): Press Release, Notification Letter, Incident-specific Website, Data Breach FAQ, Identity Theft Website. The cell marks showing which component belongs in which document did not survive extraction.
Components:
• Purpose of announcement
• Affected parties and personal information
• Incident details
• Conclusions of investigation
• Actions taken
• Sources for further information
• Risk of disclosure
• Discovering fraud
• Important contacts
• What is identity theft
• Identity theft prevention
• Responding to data breach notification
• Responding to evidence of identity theft

Conclusion
1. Form a Data Steering Committee / Event Response Team
2. Define a process to investigate a data breach
3. Define a process to deploy the Incident Management Team
4. Create a Risk Assessment and Response Matrix
5. Create / implement a Notification Plan / Communication Plan
6. Perform a response audit after the event
7. Conduct a tabletop exercise at least once a year

Any Questions?