Identity Theft & Data Security Concerns
Are You Meeting Your Obligations to Protect Customer Information?
Finance & Administration Roundtable, February 28, 2007
Claudia Volk, Principal, CJVolk Associates & Carol Van Cleef, Partner, Bryan Cave, PC
Agenda
• Background: Current Events
• Disposal Rule of the Fair and Accurate Credit Transactions Act
• Payment Card Industry Data Security Standard
Scope of the Problem
• 10 million people each year are victims of identity theft
• Mean fraud loss per victim in 2005 was $6,383
• Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft
• Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005
Source: Javelin Strategy & Research
Pervasiveness
• Changing methods to penetrate data security
• The threat within
  • McAfee analysis
  • Planted employees to engage in identity theft and money laundering
  • Avoid assumptions about the trusted employee
The Disposal Rule
• Protect the privacy of the consumer's information
• Reduce the risk of fraud and identity theft
• Applies to any business or individual using consumer reports for business purposes
• Federal Trade Commission rule, June 1, 2005
• State laws may apply
The Disposal Rule
• The FACT Act requires that any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose properly dispose of any such information or compilation
• The Federal Trade Commission Rule: any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal
The Disposal Rule
• Flexible: reasonable measures based on
  • Sensitivity of data
  • Costs and benefits of different methods
  • Changes in technology
• Covers consumer reports and any personal and financial information
• No de minimis exception
• Actual, statutory and punitive damages, plus attorney's fees and civil money penalties
Key Terms
• Consumer Information
  • Any record about an individual
  • Consumer report or derived from a consumer report
  • Information obtained from a consumer reporting company
  • Used or expected to be used in establishing eligibility for credit, insurance, and employment
  • Paper, electronic or other form
  • Compilation of such records
  • Not included: aggregate information or blind data
Key Terms
• Disposal / Dispose
  • Discarding or abandonment of consumer information
  • Sale, donation or transfer of any medium on which consumer information is stored
Reasonable Measures
• Non-exclusive examples
  • Burn, pulverize or shred papers so they cannot practicably be read or reconstructed
  • Destroy or erase electronic media so they cannot practicably be read or reconstructed
  • Contract with a third party after appropriate due diligence:
    • Review an independent audit of its operations or compliance with the Disposal Rule
    • Obtain several references
    • Require certification by recognized trade associations
    • Review and evaluate its information security policies or procedures
    • Take other appropriate measures to determine competency and integrity
Action Items
• Catalog your information
• Review where and how it is stored
• Determine who can access it and how
• Develop appropriate procedures and controls to comply with the Disposal Rule
• Designate a responsible person
• Train employees
• Audit
Some Suggested Policies and Procedures
• Conduct personal background checks
  • Permanent employees
  • Temporary hires
• Sensitive data limits
  • Access
  • Use
  • Distribution
• Secure records, both physical and online
• Collect and retain only essential information
• Make disposal tools accessible
General Data Safeguarding and Security Breach Tips
• Integrate into your information safeguarding program
• Ensure the information safeguarding program reflects other changes in law
• Prepare a ready response plan in the event of a data security breach
• Understand the requirements of data security breach laws
Data Security Breach Laws
• What businesses are covered?
• What information is covered?
• What triggers notification?
• Who must be notified?
• Who is responsible for the notice?
• When must the notices be given?
Data Breach Notification Best Practices
• Encrypt information
• Prepare a consumer notification plan
• Notify general counsel or outside counsel immediately
• Conduct an immediate internal investigation
• Contact your local law enforcement contact
• Provide consumer and other notifications if necessary
Industry Response: Cardholder Information Security Program (CISP)
• American Express®, Diners Club®, Discover®, JCB®, MasterCard® and Visa® USA
• Safekeeping of account information requirements:
  • Storage of Cardholder Information
  • Destruction of Cardholder Information
  • Use of Third Parties
  • Reporting a Security Incident
Payment Card Industry (PCI) Data Security Standard
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor & Test Networks
• Maintain an Information Security Policy
VISA's Cardholder Information Security Program (CISP)
• Classification defines merchant audit requirements
• Level 1 merchants:
  • Process > 6 million transactions annually
  • Have suffered a breach
  • Are identified as Level 1 by another card issuer
  • Risk is determined to warrant Level 1 requirements
• Level 2: process between 150,000 and 6 million e-commerce transactions annually
• Level 3: process 20,000-150,000 e-commerce transactions annually
• All other merchants are considered Level 4
What YOU can do
• "Know thy data"
  • What you have collected
  • Where it is
  • Who has access to it
• Stay informed about
  • Related laws and regulations
  • Current breach incidents
  • Best practices
http://usa.visa.com/business/accepting_visa/ops_risk_management/
http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
Questions and Comments?
Contact Information

Bryan Cave LLP
700 Thirteenth Street, NW, Washington, DC 20005
www.bryancave.com
Carol Van Cleef, Partner
Phone 202-508-6112, Fax 202-508-6200
Carol.VanCleef@bryancave.com

CJVolk Associates, Inc.
2776 S. Arlington Mill Rd, Ste. 530, Arlington, VA 22206
www.cjvolk.com
Claudia Volk, Principal
Phone 703-405-4404, Fax 703-940-2510
Claudia.Volk@cjvolk.com