How Good Privacy Practices can help prepare for a Data Breach from TRUSTe

Privacy Insight Series: How Good Privacy Practices Can Help Prepare for a Data Breach, August 13, 2015

Description

Webinar on data privacy guidelines and best practices that will go a long way to prepare your company for a data breach. Access the complete webinar from industry experts on how to be ready for a big data breach https://info.truste.com/On-Demand-Webinar-Reg-Page-V3.html?asset=IZC8I93X-553

Transcript of How Good Privacy Practices can help prepare for a Data Breach from TRUSTe

Page 1

Privacy Insight Series

How Good Privacy Practices Can Help Prepare for a Data Breach

August 13, 2015

Page 2

Today’s Speakers

• Dr Larry Ponemon, Chairman & Founder, Ponemon Institute

• Joanne Furtsch, Director of Product Policy, TRUSTe

• Mary Westberg, Senior Compliance Paralegal, SanDisk Corporation

Page 3

Is Your Company Ready for a Big Data Breach?

Dr Larry Ponemon, Chairman and Founder of the Ponemon Institute

Page 4

Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness

Research Study Sponsored by Experian® Data Breach Resolution

Page 5

About Ponemon Institute

The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.

The Institute has assembled more than 60 leading multinational corporations called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.

August 13, 2015 Ponemon Institute© Private and Confidential 5

Page 6

In this study we surveyed 14,639 executives located in the United States about how prepared they think their companies are to respond to a data breach. Screening and failed reliability checks removed 48 surveys. The final sample was 567 surveys (or a 3.9 percent response rate).

Sample response               Freq     Pct%
Sampling frame                14,639   100.0%
Total returns                 615      4.2%
Rejected or screened surveys  48       0.3%
Final sample                  567      3.9%

Page 7

Current trends in data breach preparedness

• More companies have data breach response plans and teams in place.

• Data breaches have increased in frequency.

• Most companies have privacy and data protection awareness programs.

• Data breach or cyber insurance policies are becoming a more important part of a company’s preparedness plans.

• There was very little change in the training of customer service personnel.

Page 8

Data breach and the current state of preparedness

Page 9

Most respondents believe their companies are not able to deal with the consequences of a data breach (unsure, disagree and strongly disagree responses)

Chart: stacked horizontal bars (axis 0% to 80%; legend: Unsure, Disagree, Strongly disagree) for the following statements:

• My organization is prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators

• My organization is prepared to respond to a data breach involving business confidential information and intellectual property

• My organization understands what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence

• My organization understands what needs to be done following a material data breach to prevent negative public opinion, blog posts and media reports

Page 10

Barriers to effective data breach response

Page 11

How effective is the development and execution of a data breach response plan?

Very effective: 9%
Effective: 21%
Somewhat effective: 23%
Not effective: 30%
Unsure: 17%

Page 12

How often does the company review & update the data breach response plan?

We have not reviewed or updated since the plan was put in place: 37%
No set time period for reviewing and updating the plan: 41%
Once each year: 14%
Twice per year: 5%
Each quarter: 3%

Page 13

How are the board of directors, chairman and CEO involved? (More than one response permitted)

They approve funds and resources for data breach response efforts: 50%
They participate in a high level review of the data breach response plan in place: 45%
They have requested to be notified ASAP if a material data breach occurs: 36%
They participate in a high level review of the organization’s data protection and privacy practices: 18%
Other: 2%

Page 14

Do you have training programs for employees handling sensitive personal information and do you have training programs for customer service personnel?

Privacy/data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information: Yes 54%, No 43%, Unsure 3%

Customer service personnel trained on how to respond to questions about a data breach incident: Yes 34%, No 49%, Unsure 17%

Page 15

The primary person/function to manage the data breach response team

Chief Information Security Officer: 21%
Compliance Officer: 12%
Head of Business Continuity Management: 10%
Chief Information Officer: 8%
Chief Risk Officer: 6%
Chief Security Officer: 6%
Head of PR and communications: 5%
General Counsel: 5%
Chief Privacy Officer: 4%
Human Resources: 2%
No one person/department has been designated to manage data breach response: 21%

Page 16

Technical security considerations

Page 17

Barriers to improving the ability of IT security to respond to a data breach (Two responses permitted)

Lack of visibility into end-user access of sensitive and confidential information: 56%
Proliferation of mobile devices and cloud services: 43%
Third party access to or management of data: 40%
Lack of expertise: 23%
Lack of investment in much needed technologies: 21%
Lack of C-suite support: 15%
None of the above: 2%

Page 18

Technologies in place to quickly detect a data breach (More than one response permitted)

Anti-virus: 89%
Intrusion prevention systems: 54%
Mobile Device Management (MDM): 34%
Security Incident & Event Management: 31%
Analysis of netflow or packet captures: 25%
None of the above: 5%

Page 19

Frequency for monitoring information systems for unusual or anomalous traffic

Continuous monitoring: 20%
Daily: 21%
Weekly: 8%
Monthly: 4%
Quarterly: 2%
Annually: 1%
Never: 28%
Unsure: 16%

Page 20

How data breach preparedness can be improved

Page 21

How could the data breach response plan become more effective? (More than one response permitted)

Conduct more fire drills to practice data breach response: 77%
More participation and oversight from senior executives: 70%
A budget dedicated to data breach preparedness: 69%
Individuals with a high level of expertise in security assigned to the team: 63%
Individuals with a high level of expertise in compliance with privacy, data protection laws and regulations: 45%
Other: 2%

Page 22

The best approach to keep customers and maintain reputation

Free identity theft protection and credit monitoring services: 45%
Access to a call center to respond to their concerns and provide information: 17%
Gift cards: 13%
Discounts on products or services: 13%
None of the above would make a difference: 9%
A sincere and personal apology (not a generic notification): 3%

Page 23

Conclusion

• The incident response plans should undergo frequent reviews and reflect the current security risks facing the company.

• Risk assessments should be conducted to ensure the appropriate technologies are in place to prevent and detect a data breach.

• The board of directors, CEO and chairman should play an active role in helping their companies prepare for and respond to a data breach. These include briefings on the security posture of the company and a review of the incident response plan.

• Employees should receive training on the importance of safeguarding sensitive data—especially customer information. Call center employees should become skilled at answering customers’ questions about the privacy and security practices of the company as well as explaining what the company is doing in the aftermath of a data breach.

• Accountability and responsibility for data breach response should be clearly defined and not dispersed throughout the company. Cross-functional teams that include the expertise necessary to respond to a data breach should be part of the incident response planning process.


Page 24

Privacy Best Practices to Mitigate Risk/Damage from Data Breach

Joanne Furtsch, Director of Product Policy, TRUSTe

Page 25

Data breach prevention starts with strong data privacy management policies and processes

• Data Privacy Office

• Incident Response Plan

• Collection Limitation

• Policy Management

• Vendor Management

• Employee Training

Page 26

Develop & practice incident response plan

It’s not a matter of if, it’s a matter of when

• Identify cross functional team members and clearly define roles

• Involve senior management

• Practice, practice, practice: rehearsal increases response effectiveness

– At least 1-2 times annually

– When a new team member joins the response team

• Include public relations crisis management & front line customer response plan

• Identify who needs to be notified and when

• Develop communication templates

– Understand requirements before the breach happens

• Review and update your organization’s plan at least annually

Page 27

Collection Limitation

Limit information collection to what is necessary to fulfill business purposes

• Understand what information your organization has

– Conduct a data inventory

– Assess where the information goes, who has access to it, and how long the information is retained

• Data classification

– Classify information based on level of sensitivity and business impact if that data is breached

• Assess whether the information is required in order to meet business goals

Page 28

Collection Limitation

Page 29

Manage internal policies and procedures

Review, update, and communicate

• Internal policies, systems, and procedures need to be reviewed regularly to account for business or regulatory changes

• In addition to security, review policies, systems, and procedures around

– Data Collection, Use, Sharing, & Retention

– Employee access

– BYOD

– Vendor and third party risk management

– Privacy and security related complaint escalation and resolution process

• Communicate policy changes and updates to affected employees

Page 30

Manage vendors & third party partners

Know who your organization’s vendors and third party partners are & what data they have access to

• Maintain an inventory of vendors and third party partners that have access to data

• Prioritize conducting risk assessments where there is high business and privacy impact

– Ensure vendors and third party partners have policies in place providing equal or greater protections

• Review agreements or terms of service to determine whether what happens in the event of a breach is addressed

• Hold vendors and third parties accountable

Page 31

Employee training

• Most breaches caused by insiders

– Building employee awareness is key to breach prevention

• Train employees, and then do it again

– Training is an ongoing process

• Front line employees are key to effective data breach prevention and response

– May be first to recognize when a breach has happened

o Train on escalation process and procedures

– Face of your organization after a breach incident

o Train customer support on how to respond to customer questions

Page 32

Key Take-Aways

Mary Westberg, Senior Compliance Paralegal, SanDisk

Page 33

Designing an Incident Response Plan

1. Identify Stakeholders

• Each organization is different!

• Consider likely data gatekeepers - often HR; Web; Mobile; Sales; Product Managers

• Get input from Information Security, Legal, Compliance, Internal Audit, Insurance, Public or Investor Relations

• Buy-ins from key executives

2. Know Your Data and Systems

• You’ll draft a better plan and mitigate risks if you know up-front the data types and quantities

• Classify data by type

• Consider systems, locations, accesses, vulnerabilities

• While evaluating data and systems for personal data, use this opportunity to also consider non-PI confidential information such as trade secrets; third party confidential information

3. Draft the Plan

• Be clear – this plan will bring needed structure during crisis time

• Be actionable - give instructions to persons reporting an incident; accountability and guidelines to responders

• Be flexible – incidents will vary and so must the response

• Be practical - leverage existing resources, if possible

• Publish the plan and be prepared to re-work

Page 34

Post-Publication; Work Continues

4. Evaluate and Improve

• Test the plan – conduct a trial run

• Review for effectiveness

• Make adjustments

• Take corrective actions

• Summarize and report

• Regularly revisit plan

5. Communicate & Train

• Create awareness

• Layer approaches to reach those who need to know

• General audience training or instruction – integrate with other trainings

• Specialized training for responders, incident response team members

Page 35

Manage & Mitigate Risks

Data Minimization

• you can’t lose what you don’t have!

• legitimate business purpose for collections

• mind data retention schedules – securely destroy

Vendor Management

• on-boarding processes, contractual terms

• security assessment; audit; red flags

• saying goodbye - termination procedures, including a certificate of destruction

Layered Internal Processes

• published policies and procedures that support data security and permitted data uses; related trainings

• phase gates for product, services and programs

• self-help tools and resources

• build awareness such as a Privacy Committee

Page 36

Questions?

Page 37

Contacts

Dr Larry Ponemon [email protected]

Joanne Furtsch [email protected]

Mary Westberg [email protected]

Page 38

Don’t miss the next webinar in the Series: What Does the Proposed EU Regulation Mean for Business, on September 16th

See http://www.truste.com/insightseries for details of future webinars and recordings.

Thank You!