2011 Data Breach Guide
Developing and advocating best practices and public policies which mitigate
emerging privacy, identity and security threats to online services, government
agencies, organizations and consumers, thereby enhancing online trust and
confidence.
Executive Summary
OTA advocates that businesses create an incident response plan and be prepared for the
likelihood that they will experience a breach or data loss. Breaches happen, and often at the
worst of times. Rather than being lulled into the belief that it will not happen to your business,
recognize that a well-designed plan is emerging as an essential part of regulatory compliance,
demonstrating that a firm or organization is willing to take reasonable steps to protect data from
abuse. Doing so is good business. Developing a plan can help to minimize risk to consumers,
business partners and stockholders, while increasing brand protection and the long-term
viability of a business.
This document outlines key questions and recommendations for businesses to consider
integrating in their baseline framework. Depending on your industry, size and data collected,
your requirements may vary and you should consult with professionals to aid you in your plans.

2010 Incident Highlights
407 breaches
26 million records
98% server exploits
96% avoidable
$204 cost per record
$5.3 billion impact to U.S. businesses

Few events can damage a company's reputation and consumer trust more than the loss, misuse
or breach of personal and sensitive data. In the past 5 years, it is estimated that over 525 million
records containing sensitive personal information have been compromised due to breaches.[1]
These high profile data breaches and cyber security incidents, caused by human error or malice,
confirm that all businesses and government agencies are at risk. In 2010, according to the
Open Security Foundation's Data Loss Database, 407 incidents were reported impacting over
26 million records. Equally alarming are the threats that impact every sector of the economy.
Education (schools and colleges) represented 19% of the incidents, government agencies 16%,
health care providers 26% and business 40%.[2] Compared to 2009, the share of breaches in
healthcare increased dramatically, up 11%, while the number of business incidents decreased 13%.
This data is the tip of the iceberg, as a great majority of breaches continue to occur undetected
or unreported. Of the data from the Identity Theft Resource Center (ITRC), less than 30% of
the incidents were provided via mandatory reporting and 38% did not identify the manner in
which the breach was exposed.[3] While OTA encourages self-regulation and reporting, these
trends suggest the need for broader transparency and reporting requirements.
Scope of a DIP
Consumer & Partner Data
Intellectual Property
Brand Reputation & Protection
Regulatory Compliance
Stockholder & Investment Community
Business Continuity

Combined with the increased sophistication of international Internet crime syndicates, economic
uncertainty and the proliferation of new technologies and devices, we expect the trends and
severity of breaches and resulting identity theft will continue to grow this year. Efforts by OTA
members and collaborating organizations, including the Identity Theft Council and the Identity
Theft Assistance Centers, are 'north stars' for businesses to follow as an aid in consumer
protection.
[1] Source: Privacy Rights Clearing House & DataLossDB.org
[2] http://datalossdb.org/yearly_reports/dataloss-2010.pdf
[3] http://www.idtheftcenter.org/ITRC%20Breach%20Report%202010.pdf
services and evolving definition of privacy. Today, businesses need to validate and monitor not
only their own policies and practices, but also those of their vendors. As the definition of
Personally Identifiable Information (PII) and covered information is rapidly evolving, businesses
need to take a broader view of the data they retain. Historically, PII refers to information that can
be used to uniquely identify, contact, or locate a single person, or that can be used with other
sources to uniquely identify a user; it can apply to all data collected, including email addresses.
Independent of the point of collection (online or offline), all data is at risk and should be
incorporated in a business's data loss plan.
Business Dynamics
Trends & Business Impact

Technical Landscape
On and Off Line Data Collection
Evolving Definition of Covered Information, beyond PII
Complex Regulatory Framework
Increased Reliance on Outsourcing & Cloud Services
Multiple Devices & Platforms
Portability of Storage & Devices
Increased Sophistication & Resiliency of Cybercrime

According to the Verizon 2010 Data Breach Investigations Report, 98% of all data breaches were
through server exploits and hacking. Most alarming is that 96% were avoidable through simple
steps and internal controls.[4] This report provides further insight into where to focus
countermeasures, revealing that while hacking constituted only 40% of the breaches, these
incidents represented 94% of the records. Not surprisingly, social engineering exploits including
deceptive email and phishing accounted for 28% of the breaches but only 3% of the records,
reflecting the fact that these exploits are typically focused on an individual PC or device.
Data breaches and incidents run the spectrum from targeted exploits to accidental losses of USB
memory sticks and notebook computers. In the last weeks of 2010, hackers used an SQL injection
attack targeting a New York tour company and stole over 110,000 bank card numbers.[5] More
alarming was the attack on a popular gossip website, with the hack exposing account information
on as many as 1.4 million people. While the site may not have collected sensitive data, many of
the usernames and passwords were the same as credentials to more valuable accounts including
email and banking sites.[6] Analysis of the data stolen revealed the continued use of weak and
common passwords, including the user's name or a combination of sequential numbers or letters
on a keyboard.[7] With a potentially larger impact, a leading email service provider's data store
was compromised, impacting over 100 clients, including one of the largest fast food chains in the
world. At the same time, a site with sensitive lifestyle and cultural information was exploited,
potentially impacting over 16 million users by disclosing their email addresses and birth dates.[8]
These examples illustrate the range of data incidents a business may experience.
[4] http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
[5] www.computerworld.com/s/article/9201822/Hackers_hit_New_York_tour_firm_access_110_00_bank_cards
[6] http://www.huffingtonpost.com/2010/12/12/gawker-hack-hacked-databa_n_795613.html
[7] http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/
[8] http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/
[9] Ponemon Institute 2009, published January 2010. http://www.encryptionreports.com/costofdatabreach.html (registration required).
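The weak-password findings from the gossip-site dump can be reproduced against any credential store you are authorized to test. The following is an added example, not code from the guide or from the cited analyses: a Python audit that flags the three patterns the text describes (a password containing the user name, a run of sequential characters, and a keyboard walk) plus a short common-password list. The wordlist, the rules and the sample dump are the example's own assumptions; a production audit would use a full wordlist and run offline against recovered plaintexts or cracked hashes.

```python
# Constructed list of a few of the most common passwords (a real audit would use a
# full wordlist); the checks below are the example's own, not OTA's.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def sequential_run(password, length=4):
    """Return the first run of `length` consecutive ascending or descending
    alphanumerics (e.g. 'abcd', '4321'), or None."""
    s = password.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if not chunk.isalnum():
            continue
        steps = [ord(chunk[j + 1]) - ord(chunk[j]) for j in range(length - 1)]
        if all(st == 1 for st in steps) or all(st == -1 for st in steps):
            return chunk
    return None


def keyboard_walk(password, length=4):
    """Return the first `length`-key walk along a keyboard row (either direction), or None."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in s:
                    return seq[i:i + length]
    return None


def weaknesses(username, password):
    """List the reasons one credential would have stood out in the dump analysis."""
    reasons = []
    pw, user = password.lower(), username.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if pw in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if len(user) >= 3 and (user in pw or user[::-1] in pw):
        reasons.append("contains user name")
    run = sequential_run(password)
    if run:
        reasons.append(f"sequential run '{run}'")
    walk = keyboard_walk(password)
    if walk:
        reasons.append(f"keyboard walk '{walk}'")
    return reasons


def audit(dump):
    """Summarise a (username, password) dump: how many accounts are weak and why."""
    report = {"accounts": len(dump), "weak": 0, "reasons": {}}
    for user, pw in dump:
        found = weaknesses(user, pw)
        if found:
            report["weak"] += 1
        for reason in found:
            key = reason.split(" '")[0]          # drop the matched fragment for counting
            report["reasons"][key] = report["reasons"].get(key, 0) + 1
    return report


# Constructed sample dump (invented accounts, not data from any real breach).
SAMPLE_DUMP = [
    ("alice", "alice2010"),
    ("bob", "123456"),
    ("carol", "qwerty99"),
    ("dave", "Tr0ub4dor&3"),
    ("erin", "zyxw-pass"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

The checks are deliberately structural rather than entropy-based: the point of the post-breach analyses cited above was that users pick predictable shapes, and those shapes are what a reset policy should reject.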
Directly related to data security breaches is the impact on key operations, which may result from
criminals changing passwords, deleting key files, or the loss of physical property, all of which
affect business continuity. Planning for incidents and physical disasters helps to identify exposure
from internal and external threats. Inventorying your hard and soft assets can help provide
effective prevention, recovery and system integrity. In addition to cyber-attacks, employee theft
and accidents, related incidents such as fires, earthquakes and power outages are proving to be
critical scenario planning requirements.
Incident planning incorporates both data breaches and disaster planning as part of an
organization's learning effort that helps reduce operational risks and improve information
security and corporate reputation risk management practices. Not unlike training first responders
for a physical incident, data managers and cyber responders must be trained, equipped and
empowered. Planning is the key to maintaining online trust and the vitality of the Internet, while
helping to ensure the continuity of business.
Risk Assessment
To aid in the development of a DIP and help maximize business continuity, organizations are
encouraged to self-audit their level of preparedness by surveying key management leaders and
a representative sample of employees with the following questions:
1. Do you know what sensitive information is maintained by your company, where it is
stored and how it is kept secure? Do you have an accounting of all information stored
including backups and archived data?
2. Do you have an incident response team in place ready to respond 24/7?
3. Are management teams aware of security, privacy and regulatory requirements related
specifically to your business?
4. Have you completed a privacy and security audit of all data collection activities
including cloud and outsourced services?
5. Are you prepared to communicate to customers, partners and stockholders?
6. Do you have readily available access codes and credentials to critical systems in the
event key staff are not available or are incapacitated? (Such emergency credentials should
themselves be stored securely and their use logged.)
7. Are employees trained and prepared to notify management in the case of accidental
data loss or a malicious attack? Are employees reluctant to report such incidents for
fear of disciplinary action or termination?
8. Have you coordinated with all necessary departments with respect to breach
readiness? (For example information technology, corporate security, marketing,
governance, fraud prevention, privacy compliance, HR and regulatory teams).
9. Do you have a privacy review and audit system in place for all data collection activities
including that of third-party service providers? Have you taken necessary or reasonable
steps to protect users' confidential data?
10. Do you review the plan on a regular basis to reflect key changes? Do key staff
members have hard copies of the plan readily accessible in their offices and homes?
1. Data Classification

Data Classification
Data In Use
Data In Motion
Data At Rest

A preventative and mitigating first step is identifying and classifying data which is 1) in use,
2) in motion (being transmitted or transferred) and 3) at rest (archived or stored). Organizations
should determine the useful life, level of sensitivity and the applicable regulatory requirements
of all data and apply a value to such data in creating its data classification policies. It is
advisable to have legal counsel review your data classification policies.
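The classification step above is usually automated as a data-discovery pass over file shares, databases and backups. The following is an added example, not code from the OTA guide: a small Python classifier that detects the data elements this page names (email addresses, dates of birth, Social Security numbers and payment card numbers, the last validated with a Luhn check so that ticket numbers and other digit runs are not miscounted), assigns each record a tier, and maps it to the regimes named later on this page (PCI DSS, state breach-notification laws). The tier names, the patterns, the regime mapping and the sample records are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Patterns for the data elements this guide treats as sensitive. The tiers, the
# patterns and the regulatory mapping are assumptions for this example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Which regime each element drags a record into (both are named on this page).
REGIMES = {"card": "PCI DSS", "ssn": "state breach-notification laws"}


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_elements(text):
    """Return the set of sensitive element types present in one record."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if EMAIL_RE.search(text):
        found.add("email")
    if DOB_RE.search(text):
        found.add("dob")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card")
            break
    return found


@dataclass
class Classification:
    tier: str        # restricted / confidential / internal
    elements: set
    regimes: list


def classify(text):
    """Tier follows the most sensitive element found; regimes follow the elements."""
    elements = find_elements(text)
    if elements & {"card", "ssn"}:
        tier = "restricted"
    elif elements:
        tier = "confidential"
    else:
        tier = "internal"
    regimes = sorted({REGIMES[e] for e in elements if e in REGIMES})
    return Classification(tier, elements, regimes)


def inventory(records):
    """Classify every (location -> content) pair: the 'accounting' the checklist asks for."""
    return {path: classify(text) for path, text in records.items()}


# Constructed sample records (not real data) standing in for files found on a share.
SAMPLE_RECORDS = {
    "crm/customers.csv": "jane@example.com, 1978-04-12, 4111 1111 1111 1111",
    "hr/payroll.txt": "J. Doe, SSN 123-45-6789, salary band 3",
    "marketing/newsletter.csv": "bob@example.org opted in 2010",
    "ops/runbook.txt": "Restart the batch job at 02:00; ticket 1234567890123456",
}

if __name__ == "__main__":
    for path, c in inventory(SAMPLE_RECORDS).items():
        print(f"{path}: {c.tier} {sorted(c.elements)} {c.regimes}")
```

Run over a real tree, the inventory is the list of locations that the "Data At Rest" logging and destruction policies below have to cover; anything that lands in the restricted tier without a documented owner is the first gap to close.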
Typically “Data in Use” is highly exposed and vulnerable as it is being used on client
desktops or mobile devices often susceptible to vulnerable applications, viruses and
malware. In addition, it can often be copied to unprotected external devices and memory
storage. By limiting data access, timing out inactive sessions, and forcing password resets,
risk and exposure can be minimized.
"Data in Motion" is at high risk for accidental loss or unauthorized access. Examples
include customer lists, suppression files, and other data that might be uploaded to cloud
applications, available from remote locations, or transmitted to third-party service providers.
Virtual Private Networks (VPNs) and the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols provide cryptographic protection for data in transit and should be adopted
where feasible or required.[10]
"Data At Rest" is equally challenging since a great deal of data is often stored or archived
on servers in multiple geographic locations, at times without documentation of its existence.
Logs need to be maintained, including check-in/out of data, legal requirements and
destruction policies.
[10] See OTA Principles 1 and 7. https://otalliance.org/resources/principles.html
Employee & Vendor Access
Management & Oversight
Safeguarding
Deter, Detect & Defend
Education & Training
Personnel & Physical Security

Limiting data access helps to minimize the scope of potential losses and can provide
increased accountability and auditing capabilities. Equally important is the deployment of
policies addressing appropriate use and access. Policies should consider a device
management plan which addresses all removable drives, mobile devices, media and USB
keys, notebooks and respective encryption requirements.[11] All data shared with third parties
containing sensitive data and all wireless connections should be encrypted using industry best
practices and standards. Policies concerning uploading documents containing sensitive data to
the "cloud" or external storage sites should be balanced for business need and convenience
versus risk and exposure.

Companies doing business with governmental bodies should review specific requirements. In
the recent wake of WikiLeaks, the Executive Office of the President, Office of Management
and Budget (OMB), published a Self-Assessment program for user access. While developed
for agencies and government contractors, this document reinforces the importance of
detection, deterrents and defense from unauthorized employee and contractor disclosure.[12]
A critical step in developing policies is to review all Web applications and third-party content
being served on internal and external facing sites. More and more frequently, applications,
add-ons, and third party scripts are becoming intrusion opportunities and aid in the
distribution of malware. Penetration testing, application vulnerability scanning and
preventative web application scans for injected iframes, cross-site scripting (XSS)
vulnerabilities, clickjacking, and other threats including trojans, key loggers, and sniffers need
to be part of an organization's arsenal to combat online threats.
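The preventative scan the paragraph calls for can be started with a response-level check. This is an added example, not OTA's code: it inspects one HTTP response using Python's standard library and reports a page that can be framed (no X-Frame-Options header and no CSP frame-ancestors directive, the clickjacking precondition), zero-size or CSS-hidden iframes of the kind drive-by malware injections add, and script tags loading from hosts outside an allowlist. The sample headers, pages, host names and the allowlist are constructed for the example; a real scan would fetch each page and feed the response through the same function.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TagCollector(HTMLParser):
    """Collect iframe tags and external script sources from a page body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def _is_hidden(attrs):
    """Zero-size or CSS-hidden frames are the classic drive-by injection shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def audit_page(headers, html, trusted_script_hosts):
    """Return a list of findings for one HTTP response (headers plus body)."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    collector = _TagCollector()
    collector.feed(html)
    for a in collector.iframes:
        if _is_hidden(a):
            findings.append(f"hidden iframe: {a.get('src', '')}")
    for src in collector.scripts:
        host = urlparse(src).hostname        # None for same-origin relative paths
        if host and host not in trusted_script_hosts:
            findings.append(f"untrusted third-party script: {src}")
    return findings


# Constructed responses for invented hosts (not from any real site): the weak
# configuration and the hardened one side by side.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'; script-src 'self' cdn.example-partner.com",
}
TRUSTED_SCRIPT_HOSTS = {"cdn.example-partner.com"}
INJECTED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-partner.com/widget.js"></script>
<script src="http://stats.tracker-example.net/x.js"></script>
</head><body><h1>Checkout</h1>
<iframe src="http://drop.attacker-example.net/" width="0" height="0"></iframe>
<iframe src="https://maps.example-partner.com/embed" width="400" height="300"></iframe>
</body></html>"""
CLEAN_PAGE = INJECTED_PAGE.replace(
    '<script src="http://stats.tracker-example.net/x.js"></script>\n', "").replace(
    '<iframe src="http://drop.attacker-example.net/" width="0" height="0"></iframe>\n', "")

if __name__ == "__main__":
    print(audit_page(WEAK_HEADERS, INJECTED_PAGE, TRUSTED_SCRIPT_HOSTS))
    print(audit_page(HARDENED_HEADERS, CLEAN_PAGE, TRUSTED_SCRIPT_HOSTS))
```

The allowlist is the important input: the third-party scripts and add-ons the paragraph warns about are only detectable if someone has first written down which external hosts are supposed to be there.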
Logs are a fundamental requirement enabling forensic analysis to determine the scope and
customer impact. You will need to isolate and review logs from the compromised
machine(s), including network devices, routers and access control systems. A business
may have a number of log types--transaction, server access, application server, and the
client operating system. They can all provide valuable information to retrace what occurred.
[11] For an overview on Full-Disk Encryption (FDE) see http://en.wikipedia.org/wiki/Full_disk_encryption. Windows
BitLocker drive encryption helps to protect from threats of data theft and accidental disclosure from lost, stolen or
inappropriately decommissioned PC hardware. BitLocker helps to prevent a thief who boots another operating
system or runs a software hacking tool from breaking into a system or performing offline viewing of the files
stored on the protected drive. http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx. Similar
solutions are available for Apple users from PGP, CheckPoint and other third parties.
[12] https://otalliance.org/docs/OMB_Self-Assessment.pdf
A primary goal is to understand what data has been compromised. As you review logs, look for
queries that match the data known to have been exported. If you don't have any evidence to
match against, the database administrator, application developer, and other key IT staff should
be able to describe "normal" application and database activity, so that anomalies, such as
unusual queries that applications or administrators wouldn't normally make, stand out. The
attacker may have compromised the server before going after the database, or may have gone
through an application. Look for authentication attempts that appear out of place, both
successful and failed. If file-level auditing was enabled by the system administrator for the
server OS, check whether files were created in any unusual directory. This could be evidence
of a database dump or copy.
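The log review the two paragraphs above describe can be scripted once the logs have been consolidated. The following is an added example, not part of the guide: it assumes one normalised line format with three record kinds (an assumption for the example, standing in for the database query log, the authentication log and file-creation auditing) and applies the checks the text names: statements whose shape is not in the DBA's list of normal queries, bulk reads, exports to a file, statements touching the columns known to have been taken, successful logins outside business hours or from outside the administrative network, repeated failed logins, and files owned by the database account appearing under the web root or /tmp. The log lines, networks, thresholds and column names are constructed.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime

# One consolidated line format is assumed for the example (not a real product's
# format): "<date> <time> <query|auth|file> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kind>query|auth|file) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "kind": m["kind"]}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    return rec


def shape(sql):
    """Reduce a statement to its shape so the DBA's 'normal' list matches
    regardless of the literal values in any one query."""
    s = re.sub(r"'[^']*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def review(lines, normal_queries, exported_columns, admin_nets, business_hours=(8, 18)):
    """Return (timestamp, finding, detail) tuples for the anomalies the text describes."""
    baseline = {shape(q) for q in normal_queries}
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    failures = Counter()
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        ts = rec["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if rec["kind"] == "query":
            sql, sh = rec["sql"], shape(rec["sql"])
            if sh not in baseline:
                findings.append((ts, "unusual query", sql))
            if int(rec.get("rows", 0)) > 10000:                      # threshold is an assumption
                findings.append((ts, "bulk read", sql))
            if re.search(r"\binto\s+(out|dump)file\b", sql, re.I):
                findings.append((ts, "export to file", sql))
            hit = [c for c in exported_columns if re.search(rf"\b{c}\b", sql, re.I)]
            if hit and sh not in baseline:
                findings.append((ts, "touches exported columns", ",".join(hit)))
        elif rec["kind"] == "auth":
            who = f"{rec['user']} from {rec['src']}"
            if rec["result"] == "success":
                src = ipaddress.ip_address(rec["src"])
                from_admin_net = any(src in n for n in nets)
                in_hours = business_hours[0] <= rec["ts"].hour < business_hours[1]
                if not from_admin_net or not in_hours:
                    findings.append((ts, "out-of-place login", who))
            else:
                failures[who] += 1
                if failures[who] == 3:                               # report once per source/user
                    findings.append((ts, "repeated failed logins", who))
        elif rec["kind"] == "file":
            if rec.get("owner") == "mysql" and rec["path"].startswith(("/var/www/", "/tmp/")):
                findings.append((ts, "possible dump in unusual directory", rec["path"]))
    return findings


# Constructed inputs: what the DBA says is normal, what is known to have leaked,
# the admin network, and an invented log excerpt around an intrusion.
NORMAL_QUERIES = [
    "SELECT email FROM customers WHERE id = ?",
    "SELECT id, total FROM orders WHERE customer_id = ?",
]
EXPORTED_COLUMNS = ["email", "card_no"]
ADMIN_NETS = ["10.0.0.0/8"]
SAMPLE_LOG = """\
2010-12-17 10:02:11 query user=webapp src=10.0.5.21 rows=1 sql="SELECT email FROM customers WHERE id = 4821"
2010-12-17 10:02:12 query user=webapp src=10.0.5.21 rows=3 sql="SELECT id, total FROM orders WHERE customer_id = 4821"
2010-12-18 02:14:03 auth result=success user=www-data src=198.51.100.23 service=ssh
2010-12-18 02:14:40 query user=webapp src=10.0.5.22 rows=148231 sql="SELECT email, card_no FROM customers"
2010-12-18 02:15:02 query user=webapp src=10.0.5.22 rows=0 sql="SELECT * FROM customers INTO OUTFILE '/var/www/html/img/c.txt'"
2010-12-18 02:15:05 file path=/var/www/html/img/c.txt size=22811093 owner=mysql
2010-12-18 02:16:30 auth result=failed user=root src=198.51.100.23 service=ssh
2010-12-18 02:16:33 auth result=failed user=root src=198.51.100.23 service=ssh
2010-12-18 02:16:35 auth result=failed user=root src=198.51.100.23 service=ssh
2010-12-18 02:16:37 auth result=failed user=root src=198.51.100.23 service=ssh
2010-12-18 09:30:00 query user=webapp src=10.0.5.21 rows=1 sql="SELECT email FROM customers WHERE id = 77"
"""

if __name__ == "__main__":
    for ts, kind, detail in review(SAMPLE_LOG.splitlines(), NORMAL_QUERIES, EXPORTED_COLUMNS, ADMIN_NETS):
        print(ts, kind, detail)
```

The baseline of normal query shapes is what turns this from a grep into a review: with it, the two ordinary lookups on the first and last lines produce nothing, and the export sequence (bulk read, INTO OUTFILE, a mysql-owned file under the web root) stands out on its own timestamps, which is exactly the scope evidence the notification decisions later in this guide depend on.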
[13] See Gartner Magic Quadrant for Content-Aware Data Loss Prevention
* Extended Validation SSL Certificates - https://otalliance.org/resources/authentication/index.html
** Email Authentication - https://otalliance.org/resources/authentication/index.html
6. Implement Steps to Help Curb Misuse of Your Brand, Name, Domain & Email
Data loss and identity theft occur not only from accidental physical loss, but also from an
ever increasing level of deceptive practices. Forged email, malvertising, phishing,
deceptive acquisition of domains, and creation of bogus web sites to capture consumer
personal data are all on the rise. Such exploits may result in the installation of malware and
keystroke loggers via trojans and deceptive downloads. Steps should be taken to mitigate
these exploits. For example, a company should authenticate all outbound email with
declarative policies to help receivers detect email spoofing; lock all domains against
transfer; monitor domain registrations; and implement Extended Validation Secure Socket
Layer (EV SSL) certificates. Combined with other key practices such as DNSSEC, these help to
establish reasonable security measures which are critical in fostering consumer trust.
Conversely, the absence of such practices may be viewed as an organization's failure to
adequately protect its customers.[14, 15]
[14] Email Authentication including (SPF/SenderID and DKIM) as well as EV SSL Certificates may be found at
http://otalliance.org/resources/index.html. Many OTA Members who provide such services may be found at
http://otalliance.org/about/Members.htm
[15] See OTA Online Principles and Business Guidelines https://otalliance.org/resources/principles.html
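Of the practices listed above, outbound email authentication is the one a receiving server evaluates mechanically, so it is worth seeing the evaluation itself. The following is an added example, not OTA's code: it implements the core of an SPF check (the SPF/Sender ID half of footnote 14) against a constructed set of DNS answers so that it runs offline, walking the v=spf1 terms (ip4/ip6, a, mx, include and all, with their qualifiers) and returning the result a receiver would act on. It also shows why the text says "declarative" policies: a record ending in ~all only soft-fails a spoofed sender, while -all lets the receiver reject outright. The domains, addresses and records are invented for the example; DKIM signing is not shown, and the redirect= and exp= modifiers are treated as unsupported.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns, depth=0):
    """Evaluate the v=spf1 record of `domain` for a connection from `client_ip`.
    `dns` maps record type -> name -> list of values; it is a constructed,
    offline stand-in for real DNS lookups."""
    if depth > 10:                      # RFC 7208 caps lookups; stop runaway include chains
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in dns.get("TXT", {}).get(domain, []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a mismatched address family never matches (ipaddress returns False for it)
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns.get("A", {}).get(arg or domain, [])
        elif name == "mx":
            hosts = dns.get("MX", {}).get(arg or domain, [])
            matched = any(str(ip) in dns.get("A", {}).get(h, []) for h in hosts)
        elif name == "include":
            # only a 'pass' from the included domain counts as a match
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # redirect=/exp= modifiers and exotic mechanisms not handled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no 'all' term behaves like '?all'


def hard_fail_policy(domain, dns):
    """True when the record ends in '-all': the declarative form that lets a
    receiver reject, rather than merely flag, mail from unlisted sources."""
    recs = [t for t in dns.get("TXT", {}).get(domain, []) if t.startswith("v=spf1")]
    return bool(recs) and recs[0].split()[-1] == "-all"


# Constructed DNS answers for invented domains (not real records). example.com has
# the hardened policy; weak.example has the same sources but only soft-fails.
DNS = {
    "TXT": {
        "example.com": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.esp.example -all"],
        "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
        "weak.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": ["192.0.2.25"]},
}

if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"), ("198.51.100.9", "example.com"),
                    ("198.51.100.200", "example.com"), ("198.51.100.200", "weak.example"),
                    ("203.0.113.5", "nospf.example")]:
        print(f"{dom} from {ip}: {check_spf(ip, dom, DNS)} (hard fail: {hard_fail_policy(dom, DNS)})")
```

The include term is how the email service provider case on this page fits in: the brand's own record delegates to the ESP's record, so a compromise or misconfiguration at the ESP changes what can be sent in the brand's name, which is one more reason the vendor-oversight section treats outbound mail as in scope.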
If you have existing insurance coverage, check with your carrier to see whether they have
recommended providers to estimate your potential exposures, define an acceptable level for
your risk tolerance and provide preferred rates.
[16] For email authentication resources visit https://otalliance.org/resources/authentication/index.html
[17] Brand and domain management resources may be found at https://otalliance.org/about/Members.htm
Vendor agreements should include standard security risk management language and a risk
assessment of the vendor's access to or storage of your data. Audit validation processes and
performance benchmarks are an essential part of any agreement. In addition, clauses
should be included in the agreement addressing responsibility in the event of a security breach.
Provisions should include allocation of costs and responsibility for notification.
Since many state, federal and foreign regulators require prompt notification, it is important
to determine in advance how impacted individuals need to be contacted. Knowing this in
advance will significantly improve your ability to mitigate consumer angst and increase
compliance. Considerations include the numbers of individuals impacted; the specific data
elements exposed, risk to the affected constituents from such exposure, regulatory
requirements and law enforcement jurisdiction. Speed and accuracy are equally important.
Consumers increasingly expect timely and clear notification delivered in a manner
appropriate to their needs.
As stated above, data breach notification regulations vary widely. They vary not only by state,
but also by country, industry and type of breach. This requires businesses to be familiar with a
broad set of regulations. At last count in the United States there are forty-five states which
govern disclosure of PII or health-related information. The regulatory landscape is rapidly
expanding, with comprehensive draft federal proposals introduced in May 2010 by
Representatives Boucher and Stearns and draft proposals released by the FTC and the
Commerce Department in December 2010. While currently in draft, the proposed bills would
cover both online and offline data collection, expand the definition of sensitive data, demand
broader data notice requirements and increase the regulatory and enforcement powers of the
Federal Trade Commission.[18]
Those responsible for a data loss plan should be familiar with, and the plan should address,
applicable requirements including but not limited to the following:
Individual State Laws Where a Business has Nexus or Customers
Payment Card Industry Data Security Standards (PCI DSS)
Sarbanes-Oxley Act
HITECH Act of 2009[19]
[18] http://www.boucher.house.gov/index.php?option=com_content&view=article&id=1957:boucher-stearns-release-discussion-draft-of-privacy-legislation-may-4-2010&catid=33:2010-press-releases&Itemid=41
[19] http://hitechanswers.net/about
[20] 'Red Flag' Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
The communications component of the DIP should have a set of pre-approved web pages
and templates staged, phone scripts prepared and frequently asked questions (FAQs)
drafted and ready for posting. Staffing needs to anticipate call volumes and steps to
minimize hold times, and to consider the need for multi-lingual support. Should phishing be
a cause of or contributor to the incident, it is suggested that the organization create a phishing
warning page and FAQ in advance, to be posted in place of the deceptive site as a teachable
moment for users.[21] An effective response including a FAQ was initiated by McDonald's
Corporation in December 2010 in response to a breach of millions of email names and
addresses from their email service provider (ESP).[22]
Most organizations realize too late or in the heat of notification that there are subsets of the
population that require specific communication. It may be appropriate to consider separate
messages and methods of delivery for the company's most important relationships, such as
highest-value customers or most-senior employees, or for categories of individuals that may
be particularly sensitive, such as the elderly, the disabled and minors. But remember to
consider all applicable laws before determining how to notify. Tailored communications
may be appropriate by geographic region and unique characteristics of the population,
including ethnicity and age of the audience.
[21] For examples of teachable moments visit APWG
http://www.apwg.org/reports/APWG_CMU_Landing_Pages_Project.pdf or OTA's sample phishing page
https://otalliance.org/resources/samplephishgpage.html
[22] http://www.aboutmcdonalds.com/mcd/our_company/mcd_faq/databasefaq.html
It is recommended that the design of such plans include trusted mechanisms, on and off line, for
a customer to accept and enroll, since their level of online trust may have been tarnished and
negatively impacted by the incident.
[23] See the Department of Homeland Security program Stop, Think, Connect: http://www.dhs.gov/files/events/stop-think-connect.shtm
Information Compromise and the Risk of Identity Theft: Guidance for Your Business
http://business.ftc.gov/documents/bus59-information-compromise-and-risk-id-theft-guidance-your-business
Return Path – www.returnpath.net provides email marketing services that increase the reach,
performance and overall success of permission-based email programs. We make sure that
email relationships are sustained by ensuring email deliverability and list quality. By eliminating
your email delivery issues and lost revenue, we improve the way that you use email to connect
to your customers.
Truedomain – www.truedomain.net delivers the technology framework, the network and the
feedback loop to connect email senders and receivers to root out and stop phishing
attacks. The Truedomain Antiphishing Network combines a standards-based authentication
technology platform with a robust services layer and feedback loop to deliver the highest level of
antiphishing effectiveness for email. We've partnered with the largest ISPs, email providers and
domain owners in the world, and are adding more partners every day to provide maximum
protection for our customers and their users.
Dasient - www.dasient.com is an Internet security company that protects businesses from web-
based malware attacks. It was the first to develop a complete cloud-based Web Anti-Malware
Service (WAM) and Anti-Malvertising Solution (AMS) that can monitor, automatically identify,
and contain malware on websites before it can infect visitors and cause losses of traffic,
reputation, and revenue.
RiskIQ - www.riskiq.com provides early warning against online threats most likely to impact
your customers, your employees and your brand. From zero-day malware hosts to
malvertisements to sophisticated affiliate fraud, RiskIQ™ discovers the latest in fraud
techniques and distribution tactics by analyzing real-world web content – constantly.
VeriSign Inc. - http://verisigninc.com is the trusted provider of Internet infrastructure services for
the networked world. Billions of times each day, VeriSign helps companies and consumers all
over the world to engage in trusted communications and commerce.
GlobalSign – www.globalsign.com is a true global CA with offices in the US, UK, Belgium and
throughout Asia. As a publicly trusted Digital Certificate provider, GlobalSign issues Certificates
for SSL, Code Signing, S/MIME, Adobe Certified Document Services and other X.509 & PKI
deployment solutions. GlobalSign was founded in 1996 and has been WebTrust certified since
2002. GlobalSign works with companies of all sizes – from startup ecommerce sites to Fortune
1000 companies deploying complex PKI solutions.
GoDaddy - www.godaddy.com is the world's largest domain name registrar and the flagship
company of The Go Daddy Group, Inc. The Go Daddy Group includes Wild West Domains, Inc.,
a reseller of domains and domain-related products and services; Domains by Proxy, a private
registration service; Starfield Technologies, a research and development affiliate; and Blue
Razor Domains, a membership-based discount registrar.
Appendix C
SAMPLE LETTER TEMPLATE
I am writing to you with important information about a recent breach of your personal information from
[Name of Organization]. We became aware of this breach on [Insert Date] which occurred on or about
[Insert Date]. The breach occurred as follows:
Optional Considerations:
To help ensure that this information is not used inappropriately, [Name of Organization] will cover the cost
for one year for you to receive credit monitoring. To take advantage of this offer, [Need to document the
process for how this would work]. We also advise you to immediately take the following steps:
Call the toll-free number of any one of the three major credit bureaus (below) to place a fraud alert on
your credit report. This can help prevent an identity thief from opening additional accounts in your
name. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will
automatically be notified to place alerts on your credit report, and all three reports will be sent to you
free of charge.
Order your credit reports. By establishing a fraud alert, you will receive a follow-up letter that will
explain how you can receive a free copy of your credit report. When you receive your credit report,
examine it closely and look for signs of fraud, such as credit accounts that are not yours.
Continue to monitor your credit reports. Even though a fraud alert has been placed on your account,
you should continue to monitor your credit reports to ensure an imposter has not opened an account
with your personal information.
We take very seriously our role of safeguarding your personal information and using it in an appropriate
manner. [Name of Organization] apologizes for the stress and worry this situation has caused you and is
doing everything it can to rectify the situation.
We have established a toll-free number to call us with questions and concerns about the loss of your
personal information. You may call [Insert Toll Free Number] during normal business hours with any
questions you have.
We have also established a section on our Web site with updated information and links to Web sites that
offer information on what to do if your personal information has been compromised.
Sincerely,
APPENDIX D
CYBER SECURITY LIABILITY AND INSURANCE CONSIDERATIONS
The following is a partial list of criteria a company may wish to consider when reviewing cyber
security liability policies and coverage including both first and third party protection. For your
specific needs contact your legal and insurance professionals.
1. Coverage for Loss resulting from Administrative or Operational Mistakes – extends to acts
of the Employee, Business Process Outsourcing (BPO) or outsourced IT provider
2. Cyber Extortion reimbursement costs for a range of perils including a credible threat to
introduce malicious code, pharm and phish customer systems or to corrupt, damage or
destroy the Insured's computer system
3. Electronic Media peril broadly defined to include infringement of domain name, copyright,
trade names, logo, service mark on internet or intranet site
4. Interruption expenses include additional costs associated with rented/leased equipment,
use of third party services, additional staff expenses or labor costs directly resulting from a
covered Loss of Digital Assets claim
5. Personally identifiable information (PII) broadly defined to include an individual's name in
combination with social security number, driver's license number, account number, credit or
debit card or any non-personal information as defined in any privacy regulation
6. Knowledge provision includes Board of Directors, President, Executive Officer, Chairman,
Chief Information Officer, Chief Technology Officer, Risk Manager or General Counsel
7. Broad coverage for Damages to third parties caused by a breach of network security.
8. Breach of Privacy coverage – includes Damages resulting from alleged violations of HIPAA,
state and federal privacy protection laws and regulations.
9. Regulatory Expense coverage to comply with an alleged breach notice order issued by a
regulatory agency against the Insured.
10. Coverage for expenses resulting from a breach of consumer protection laws including, but
not limited to, the Fair Credit Reporting Act (FCRA), the California Consumer Credit
Reporting Agencies Act (CCCRAA) and the EU Data Protection Act.
11. Public Relations Expenses coverage available to repair your reputation as a result of a data
breach
12. Customer Breach Notice Expense Coverage (via sub-limit) – reimburses for costs to notify
and remediation costs including but not limited to credit monitoring.
13. Coverage for acts of a rogue employee causing intentional damage to the Insured's
Computer Network.
14. Customer Notification Expenses include legal expenses, credit monitoring expenses,
postage and advertising costs.
15. Privacy Breach definition extends to acts of the Insured and acts of a Service Provider
acting on behalf of the Insured.
16. Punitive and exemplary damages coverage provided on a most favorable venue basis.
Updates
As best practices and resources evolve, this document will be updated. If you have comments
or suggestions, please email OTA at staff@otalliance.org. Updates will be posted at
https://otalliance.org/resources/Incident.html.
Acknowledgements
This document has been made possible with input and advice from numerous individuals and
organizations committed to self-regulation on online trust.