Learning Center
Plans & pricing Sign in
Sign Out

Data Breach


									Dealing with a Data Breach
  A Proactive Approach

 Muzaffar I. Chaudhary CISA, CISSP

I.    Background
II.   GA Data Breach Law
III. Regulatory Requirements
IV. A Data Breach Scenario
V.    Data Breach Response Strategy
            Hackers Landscape

• Today’s hackers are organized, motivated, and
  sophisticated. Data and identity theft is no longer for

• Hackers work on behalf of state sponsored or criminal
  organizations, have access to state-of-the-art tools, and know
  how to target specific organizations for information that can be
  used for financial gain.
Is your Organization Immune to
Data Breach ?
• 340 million records containing personal information have been
  breached in US since 2005 (Privacy Rights Clearing House)
• 85 % of businesses have experienced a data breach (2009
  Ponemon Institute data breach study)
• 50 % of large hospitals experienced at least one data breach in
  2009. ( Source: HIMSS)
Some Massive Data Breaches
       February 2007, information on possibly
       tens of millions of credit and debit cards.
        Credit card information for more than 250,000
        businesses in 2009 – 130 million records
   Contractor recycled Disks without erasing – leaving
   the personal information for millions of veterans
   accessible to whoever got the disc.

     In February 2008, Bank of New York Mellon sent
     10 unencrypted backup tapes to a storage facility and
      lost one tape during the transit.
Most Recent Breaches
• 08-19- 2010 University of Connecticut
   10,174 student applications with SSN, NAA stolen
• 08-19- 2010 University of Kentucky
  2,027 patient names, medical record numbers, date of birth,
  diagnosis, SSN breached
• 08-20- 2010 Cook County Health & Hospitals
  7,000 patient names, birth dates, and some SSN stolen

   Reported Incidents to date

PII Data Breach - 2010 yearly report
 Total Incidents: 470
 Total Records Affected: 13,996,783 ?

  Data Breach Readiness

When it comes to a data breach, the question is
not“ if” you will become a target, the question
is “when.” Operational pre-planning and readiness can
control costs, improve customer loyalty and preserve
your reputation and brand.
       Georgia Breach Law
The law requires that "Any information
broker that maintains computerized data that
includes personal information of individuals
shall give notice of any breach of the
security of the system following discovery or
notification of the breach in the security of
the data to any resident of this state whose
unencrypted personal information was, or is
reasonably believed to have been, acquired
by an unauthorized person."
Regulatory Requirements (PCI, HIPAA..)

1. Isolate the breach- for Forensics

2. Inform necessary parties – Law enforcement etc.

3. Notify your business partners (e.g. Bank)

4. Incident Response Report
PCI Incident Response Requirements

 Requirement 12.9:

 12.9.1: Create an incident response plan
 12.9.2: Test the plan at least annually
 12.9.3: Designate specific personnel to be available on a 24/7 basis to respond
 to incidents
 12.9.4: Provide appropriate training to staff with security breach response
 12.9.5: Include alerts from IDS, IPS and file integrity monitoring systems
 12.9.6: Develop processes to modify and evolve the IR plan according to lessons
A Data Breach Scenario (hypothetical)

Credit card data is compromised at the Airport. The DOA has
to notify the effected customers according to “GA Breach Law
Notification”. The Executive Management at DOA has asked
the Public Relations, Information Security Officer and DOA’s
Attorney to do the following:

   • A press release to the media for the incident
   • A posting on DOA Website for the incident
   • Letter to the effected customers whose
     credit card information have been compromised
       A Perfect Storm

This breach event may become ultimate
nightmare, a “perfect storm” if:

   • DOA Customers learned of the breach via
     sensationalized media reports.
   • DOA was obliged to make public statements in the
     absence of necessary facts.
   • Card Issuers had to act quickly, with little information,
     to notify customers and determine if cards should be
     closed and new cards be re-issued.
      Data Breach Response Strategy

• Inventory of data and information systems is essential to a
  successful security program.
• Data Steering Committee (An Event Response Team)
  consisting of key executives and personnel from areas of the
  business that would be affected by a data breach.
• A Risk Assessment and Response Matrix that guides your
  team in determining how harmful a particular breach event
  would be and how you should respond to it.
• A Communication Plan designed to control outbound
  messaging related to the event and to maintain public
Building Your Data Steering
Committee/ Event Response Team
 •   Audit and compliance
 •   Representatives from all customer-facing groups
 •   Human resources
 •   Key executives and senior decision-makers
 •   Legal
 •   Marketing and Public Relations
 •   Operations/information technology
 •   Risk management and Information security
Creating Your Risk Assessment and Response

            Source: First Data Corporation
A Solid Communication Plan

• When a breach is contained, announce what you know
when you know it.
• If there are things you do not yet know—perpetrator,
details of attack etc. Avoid spreading misinformation
that you will eventually have to correct or retract.
• Explain why you cannot reveal certain information.
• Describe, in specific detail if possible, what you are
doing and why you are doing it.
• Be honest, above all else. Your customers and partners
will appreciate it.
  Bad-News Management Plan

• Prepare for the worst by envisioning the best

• Go from start to finish in words and pictures

• Do a dry run

• Establish leadership contingencies

• Coach and train spokespeople

•Know where everybody is and how to contact him/her
         Notification Templates
• Outlines and content for
   –   Press Releases
   –   Notification Letters
   –   Incident Specific Website
   –   Incident Response FAQs
   –   Hotline (FAQs serve as a script for call-takers)
• Sample language from actual incidents
• Food for thought – one size does not fit all
    Press Release Components
• What are you doing?
    – Announcing a breach? A theft?
    – Announcing that the case has been resolved? That notification has
• Who is affected/not affected?
• What specific types of personal information are involved?
• What are the (brief) details of the incident?
• “No evidence to indicate data has been misused…” or what the
  evidence points to.
• Expression of regret and concrete steps the institution is taking
  to prevent this from happening again.
• For more information, …
      Sample Snippets – Who is
       Affected/Not Affected
• The server contained credit card information, including
  names and credit/ debit cards numbers, of parking
• The server contained personal information, including
  names and Social Security numbers, on current, former
  and employees.

• Laptop computers were not breached, and, at this time,
  company officials believe that [population] were not
  Notification Letter Components
• What happened and when?
• How was it detected?
• What specific types of personal information are involved
  and for whom?
• What steps are being taken?
• “No evidence to indicate data has been misused…” or
  what the evidence points to.
• What steps should individuals take?
• Expression of regret and/or commitment to security.
• Contact information.
• Signature.
Sample Snippets – Notification Letter
• Anticipated next steps, if any.
   e.g. intention to notify if any additional information becomes
   Example: The theft of this information raises a number of possible risks to
  you. One is theft of identity for financial gain. We will be sending you a
  package of materials outlining steps you can take to protect yourself from
  identity theft.
• Who to contact for additional information
   Contact/name, number, hours of availability, web site, hotline, email
  address, etc.
   Example: Should you have further questions about this matter, please
  contact [name of contact}, [title of contact], at [email address of contact] or
  [phone number].
• Signature
   Who makes most sense – CEO, COO, General Manager etc.
  Incident Web Site Components
• Most-Recent-Update section at top of page
• <Replicate Notification Letter Components modified
  for more generic audience >
• Link to Identity Theft website/credit agencies
• FAQs
• Press Releases
• Toll-free Hotline contact information
                                      Notifica-   Incident-    Data    Identity
                             Press      tion       specific   Breach    Theft
        Check list          Release    Letter      Website     FAQ     Website
Purpose of Announcement                         
Affected Parties and
Personal Information                                       
Incident Details                                
Conclusions of
Investigation                        
Actions Taken                                   
Sources for Further
Information                                     
Risk of Disclosure                                            
Discovering Fraud                                                     
Important Contacts                                                    
What is Identify Theft                                                 
Identity Theft Prevention                                              
Responding to data breach
notification                                                          
Responding to evidence of
identity theft                                                        

1. Form A Data Steering Committee/ An Event Response
2. Define a process to Investigate a Data Breach
3. Define a process to deploy Incident Management Team
4. A Risk Assessment and Response Matrix
5. Create / Implement Notification Plan/ Communication
6. Perform a Response Audit after the event
7. Conduct Tabletop Exercise at least once a year
Any Questions ?

To top