Webinar on data privacy guidelines and best practices that will go a long way to prepare your company for a data breach.
Access the complete webinar from industry experts on how to be ready for a big data breach: https://info.truste.com/On-Demand-Webinar-Reg-Page-V3.html?asset=IZC8I93X-553
How Good Privacy Practices Can Help Prepare for a Data Breach
August 13, 2015
Privacy Insight Series
Today’s Speakers
Dr Larry Ponemon, Chairman & Founder, Ponemon Institute
Joanne Furtsch, Director of Product Policy, TRUSTe
Mary Westberg, Senior Compliance Paralegal, SanDisk Corporation
Is Your Company Ready for a Big Data Breach?
Dr Larry Ponemon, Chairman and Founder of the Ponemon Institute
Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness
Research study sponsored by Experian® Data Breach Resolution
About Ponemon Institute
The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government. The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
The Institute has assembled more than 60 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households. The majority of active participants are privacy or information security leaders.
August 13, 2015 Ponemon Institute© Private and Confidential
In this study we surveyed 14,639 executives located in the United States about how prepared they think their companies are to respond to a data breach. Screening and failed reliability checks removed 48 surveys. The final sample was 567 surveys (or a 3.9 percent response rate).

Sample response               Freq     Pct%
Sampling frame                14,639   100.0%
Total returns                 615      4.2%
Rejected or screened surveys  48       0.3%
Final sample                  567      3.9%
Current trends in data breach preparedness
• More companies have data breach response plans and teams in place.
• Data breaches have increased in frequency.
• Most companies have privacy and data protection awareness programs.
• Data breach or cyber insurance policies are becoming a more important part of a company’s preparedness plans.
• There was very little change in the training of customer service personnel.
Data breach and the current state of preparedness
Most respondents believe their companies are not able to deal with the consequences of a data breach
Unsure, disagree and strongly disagree responses (Unsure / Disagree / Strongly disagree):
• My organization understands what needs to be done following a material data breach to prevent negative public opinion, blog posts and media reports: 27% / 21% / 20%
• My organization understands what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence: 30% / 23% / 14%
• My organization is prepared to respond to a data breach involving business confidential information and intellectual property: 29% / 20% / 13%
• My organization is prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators: 19% / 18% / 12%
Barriers to effective data breach response
How effective is the development and execution of a data breach response plan?
Response options: Very effective, Effective, Somewhat effective, Not effective, Unsure
[Bar chart; values shown: 30%, 23%, 21%, 17%, 9%]
How often does the company review & update the data breach response plan?
• Each quarter: 3%
• Twice per year: 5%
• Once each year: 14%
• No set time period for reviewing and updating the plan: 41%
• We have not reviewed or updated since the plan was put in place: 37%
How are the board of directors, chairman and CEO involved? (More than one response permitted)
• They approve funds and resources for data breach response efforts: 50%
• They participate in a high level review of the data breach response plan in place: 45%
• They have requested to be notified ASAP if a material data breach occurs: 36%
• They participate in a high level review of the organization’s data protection and privacy practices: 18%
• Other: 2%
Do you have training programs for employees handling sensitive personal information and do you have training programs for customer service personnel?
Response options (Yes / No / Unsure) for two programs:
• Privacy/data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information
• Customer service personnel trained on how to respond to questions about a data breach incident
[Bar chart; values shown: 54%, 49%, 43%, 34%, 17%, 3%]
The primary person/function to manage the data breach response team
• Chief Information Security Officer: 21%
• Compliance Officer: 12%
• Head of Business Continuity Management: 10%
• Chief Information Officer: 8%
• Chief Risk Officer: 6%
• Chief Security Officer: 6%
• Head of PR and communications: 5%
• General Counsel: 5%
• Chief Privacy Officer: 4%
• Human Resources: 2%
• No one person/department has been designated to manage data breach response: 21%
Technical security considerations
Barriers to improving the ability of IT security to respond to a data breach (Two responses permitted)
• Lack of visibility into end-user access of sensitive and confidential information: 56%
• Proliferation of mobile devices and cloud services: 43%
• Third party access to or management of data: 40%
• Lack of expertise: 23%
• Lack of investment in much needed technologies: 21%
• Lack of C-suite support: 15%
• None of the above: 2%
Technologies in place to quickly detect a data breach (More than one response permitted)
• Anti-virus: 89%
• Intrusion prevention systems: 54%
• Mobile Device Management (MDM): 34%
• Security Incident & Event Management: 31%
• Analysis of netflow or packet captures: 25%
• None of the above: 5%
Frequency for monitoring information systems for unusual or anomalous traffic
Response options: Continuous monitoring, Daily, Weekly, Monthly, Quarterly, Annually, Never, Unsure
[Bar chart; values shown: 28%, 21%, 20%, 16%, 8%, 4%, 2%, 1%]
How data breach preparedness can be improved
How could the data breach response plan become more effective? (More than one response permitted)
• Conduct more fire drills to practice data breach response: 77%
• More participation and oversight from senior executives: 70%
• A budget dedicated to data breach preparedness: 69%
• Individuals with a high level of expertise in security assigned to the team: 63%
• Individuals with a high level of expertise in compliance with privacy, data protection laws and regulations: 45%
• Other: 2%
The best approach to keep customers and maintain reputation
• Free identity theft protection and credit monitoring services: 45%
• Access to a call center to respond to their concerns and provide information: 17%
• Gift cards: 13%
• Discounts on products or services: 13%
• None of the above would make a difference: 9%
• A sincere and personal apology (not a generic notification): 3%
Conclusion
• Incident response plans should undergo frequent reviews and reflect the current security risks facing the company.
• Risk assessments should be conducted to ensure the appropriate technologies are in place to prevent and detect a data breach.
• The board of directors, CEO and chairman should play an active role in helping their companies prepare for and respond to a data breach. This includes briefings on the security posture of the company and a review of the incident response plan.
• Employees should receive training on the importance of safeguarding sensitive data, especially customer information. Call center employees should become skilled at answering customers’ questions about the privacy and security practices of the company as well as explaining what the company is doing in the aftermath of a data breach.
• Accountability and responsibility for data breach response should be clearly defined and not dispersed throughout the company. Cross-functional teams that include the expertise necessary to respond to a data breach should be part of the incident response planning process.
Privacy Best Practices to Mitigate Risk/Damage from Data Breach
Joanne Furtsch, Director of Product Policy, TRUSTe
Data breach prevention starts with strong data privacy management policies and processes:
• Incident Response Plan
• Employee Training
• Collection Limitation
• Data Privacy Office
• Vendor Management
• Policy Management
Develop & practice incident response plan
It’s not a matter of if, it’s a matter of when
• Identify cross functional team members and clearly define roles
• Involve senior management
• Practice, practice, practice: rehearsal increases response effectiveness
  – At least 1-2 times annually
  – When a new team member joins the response team
• Include public relations crisis management & front line customer response plan
• Identify who needs to be notified and when
• Develop communication templates
  – Understand requirements before the breach happens
• Review and update your organization’s plan at least annually
Collection Limitation
Limit information collection to what is necessary to fulfill business purposes
• Understand what information your organization has
  – Conduct a data inventory
  – Assess where the information goes, who has access to it, and how long the information is retained
• Data classification
  – Classify information based on level of sensitivity and business impact if that data is breached
• Assess whether the information is required in order to meet business goals
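As an added illustration of the data inventory and classification steps above (this is example code written for this page, not code from the webinar, TRUSTe or Ponemon Institute), the following Python script walks a constructed dataset, infers which columns carry personal or sensitive data from the shape of their values, assigns a sensitivity tier to each column and to the dataset as a whole, and lists columns that have no documented business purpose, which are the candidates for not collecting at all. The field names, records, purpose register, tier names and detector patterns are all constructed assumptions; the patterns are tuned to the sample and are not production-grade discovery rules.

```python
"""Minimal data-inventory and classification pass (added example; all
field names, records, tiers and the purpose register are constructed)."""
import re
from collections import Counter

# Value-shape detectors. Assumption: illustrative regexes tuned to the
# sample below, not exhaustive discovery rules.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PHONE_RE = re.compile(r"^\+?[\d(][\d\s().-]{7,}\d$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Sensitivity tiers, highest first (constructed names).
TIERS = ["restricted", "confidential", "internal", "public"]

# (data type, matcher, tier). Card numbers and SSNs carry regulatory
# notification exposure, so they sit in the top tier.
DETECTORS = [
    ("card_number", lambda v: bool(CARD_RE.match(v)) and luhn_ok(v), "restricted"),
    ("ssn", lambda v: bool(SSN_RE.match(v)), "restricted"),
    ("email", lambda v: bool(EMAIL_RE.match(v)), "confidential"),
    ("phone", lambda v: bool(PHONE_RE.match(v)), "confidential"),
]


def classify_field(values):
    """Return (data_type, tier) for one column, decided by a clear majority
    of matching values so one stray email in a free-text column does not
    relabel the whole column."""
    hits = Counter()
    for v in values:
        v = str(v).strip()
        for name, test, tier in DETECTORS:
            if test(v):
                hits[(name, tier)] += 1
                break
    if not hits:
        return ("other", "internal")
    (name, tier), count = hits.most_common(1)[0]
    if count * 2 <= len(values):
        return ("other", "internal")
    return (name, tier)


def inventory(dataset, purpose_register):
    """Per-column type and tier, the dataset's overall tier (its most
    sensitive column), and columns with no documented purpose."""
    if not dataset:
        return {"fields": {}, "dataset_tier": "public", "no_purpose": []}
    columns = {k: [r.get(k, "") for r in dataset] for k in dataset[0]}
    fields = {}
    for name, values in columns.items():
        dtype, tier = classify_field(values)
        fields[name] = {"type": dtype, "tier": tier, "purpose": purpose_register.get(name)}
    dataset_tier = min((f["tier"] for f in fields.values()), key=TIERS.index)
    no_purpose = sorted(n for n, f in fields.items() if f["purpose"] is None)
    return {"fields": fields, "dataset_tier": dataset_tier, "no_purpose": no_purpose}


# Constructed sample: a support-ticket export that also captured payment data.
SAMPLE = [
    {"ticket_id": "T-1001", "email": "ana@example.com", "phone": "+1 415 555 0100",
     "card": "4111111111111111", "notes": "Cannot log in"},
    {"ticket_id": "T-1002", "email": "bo@example.org", "phone": "+1 415 555 0199",
     "card": "5500000000000004", "notes": "Refund request"},
    {"ticket_id": "T-1003", "email": "cy@example.net", "phone": "(415) 555-0123",
     "card": "", "notes": "cy@example.net"},
]

# Constructed purpose register: columns with a documented business reason.
PURPOSES = {"ticket_id": "case tracking", "email": "reply to customer", "notes": "case details"}

if __name__ == "__main__":
    report = inventory(SAMPLE, PURPOSES)
    for name, f in report["fields"].items():
        print(f"{name:10} {f['type']:12} {f['tier']:13} purpose={f['purpose']}")
    print("dataset tier:", report["dataset_tier"])
    print("collected without documented purpose:", report["no_purpose"])
```

Running it labels the card column "restricted" and the whole export with that tier, and reports that "card" and "phone" are collected with no documented purpose; the single pasted address in "notes" is not enough to reclassify that column, which is the majority rule at work.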
Manage internal policies and procedures
Review, update, and communicate
• Internal policies, systems, and procedures need to be reviewed regularly to account for business or regulatory changes
• In addition to security, review policies, systems, and procedures around
  – Data collection, use, sharing, & retention
  – Employee access
  – BYOD
  – Vendor and third party risk management
  – Privacy and security related complaint escalation and resolution process
• Communicate policy changes and updates to affected employees
Manage vendors & third party partners
Know who your organization’s vendors and third party partners are & what data they have access to
• Maintain an inventory of vendors and third party partners that have access to data
• Prioritize conducting risk assessments where there is high business and privacy impact
  – Ensure vendors and third party partners have policies in place providing equal or greater protections
• Review agreements or terms of service to determine whether what happens in the event of a breach is addressed
• Hold vendors and third parties accountable
Employee training
• Most breaches caused by insiders
• Front line employees are key to effective data breach prevention and response
  – Building employee awareness is key to breach prevention
  – May be first to recognize when a breach has happened
    o Train on escalation process and procedures
  – Face of your organization after a breach incident
    o Train customer support on how to respond to customer questions
• Train employees, and then do it again
  – Training is an ongoing process
Key Take-Aways
Mary Westberg, Senior Compliance Paralegal, SanDisk
Designing an Incident Response Plan

1. Identify Stakeholders
• Each organization is different!
• Consider likely data gatekeepers - often HR; Web; Mobile; Sales; Product Managers
• Get input from Information Security, Legal, Compliance, Internal Audit, Insurance, Public or Investor Relations
• Buy-ins from key executives

2. Know Your Data and Systems
• You’ll draft a better plan and mitigate risks if you know up-front the data types and quantities
• Classify data by type
• Consider systems, locations, accesses, vulnerabilities
• While evaluating data and systems for personal data, use this opportunity to also consider non-PI confidential information such as trade secrets; third party confidential information

3. Draft the Plan
• Be clear – this plan will bring needed structure during crisis time
• Be actionable - give instructions to persons reporting an incident; accountability and guidelines to responders
• Be flexible – incidents will vary and so must the response
• Be practical - leverage existing resources, if possible
• Publish the plan and be prepared to re-work
Post-Publication; Work Continues

4. Communicate & Train
• Create awareness
• Layer approaches to reach those who need to know
• General audience training or instruction – integrate with other trainings
• Specialized training for responders, incident response team members

5. Evaluate and Improve
• Test the plan – conduct a trial run
• Review for effectiveness
• Make adjustments
• Take corrective actions
• Summarize and report
• Regularly revisit plan
Manage & Mitigate Risks

Data Minimization
• You can’t lose what you don’t have!
• Legitimate business purpose for collections
• Mind data retention schedules – securely destroy

Vendor Management
• On-boarding processes, contractual terms
• Security assessment; audit; red flags
• Saying goodbye - termination procedures, including a certificate of destruction

Layered Internal Processes
• Published policies and procedures that support data security and permitted data uses; related trainings
• Phase gates for product, services and programs
• Self-help tools and resources
• Build awareness such as a Privacy Committee
Questions?
Contacts
Dr Larry Ponemon: research@ponemon.org
Joanne Furtsch: jfurtsch@truste.com
Mary Westberg: Mary.Westberg@sandisk.com
Thank You!
Don’t miss the next webinar in the Series: What Does the Proposed EU Regulation Mean for Business, on September 16th.
See http://www.truste.com/insightseries for details of future webinars and recordings.