Data identity theft has surpassed illegal drug trafficking as the top criminal moneymaker. Most businesses do not understand the extent of their liability in both statutory fines and potential civil liability to the victims. Businesses cannot entirely eliminate their risk of exposure, but they can institutionalize procedures that minimize this risk. This is an introduction to the Texas law, which is similar to laws in 40 other states.
10. Cost to repair average 2008 data = $6,600,000. Statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.
11. Who Are You? A business owner who owns/licenses or maintains “sensitive personal information” (SPI). You may have security, both for the premises and for your computer/network. You may be liable to Texas and to the victim for security/data breaches – even if they do not result in identity theft.
12. What is Sensitive Personal Information (SPI)? First initial and last name OR first name and last name, combined with any of: Social Security number OR driver's license number OR account or credit card number in combination with any required security code, access code, or password that would permit access to that account.
14. Improperly trashed or donated computers or computer parts without proper preparation.
20. Manage Your Risk. Know the terms: Sensitive Personal Information; Encryption; Business duty; Reasonable procedures. Know what is required to comply with the law. You may be liable under the laws of another state! Currently, Massachusetts has the strictest law.
30. Business Duty 2: Destroy or Arrange for the Destruction… “…of customer records by shredding, erasing, or otherwise modifying the sensitive PI in the records to make the information unreadable or indecipherable through any means”
32. Business Duty 3: Notify Potential Victims “… after discovering or receiving notification of that breach … as quickly as possible”
33. Notification How do you discover a breach? What constitutes “receiving notification of that breach”? What does “quickly as possible” mean? How do I notify potential victims?
34. What Does the Attorney General Tell an Identity Theft Victim To Do? (http://www.texasfightsidtheft.gov/) Create a written criminal report to protect themselves from being denied credit. File report with the Federal Trade Commission. Collect as much evidence as possible. This evidence can be used against you!
51. Your Biggest Hidden Security Threats Social engineering: Unintentional and by those you trust OR Insider threat: Intentional and by those internal to your enterprise