The Shock of a Data Loss Incident - Who are you going to call?
Craig Spiezle Executive Director Online Trust Alliance

2013 Lowlights
•
~2160 data loss incidents
•
89% of data loss incidents could have been prevented
•
822 million records exposed
•
31% of incidents were due to insider threats or mistakes
•
21% of the incidents were the result of physical loss
•
76% were the result of weak or stolen account credentials
•
29% of compromises were via social engineering
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 2
Sources: Publically disclosed incidents and data published by Microsoft, Open Security Foundation, Privacy Rights Clearinghouse, Risk Based Security, Verizon & Symantec

Day 1 – Panic & Denial

Day 2 – Confusion & Chaos

Day 3 – Communications

Laws of Data
•
Your company includes “covered information”
•
You have regulatory requirement(s)
•
You will have a data incident
•
If you are unprepared it will cost you
▫
Direct expenses
▫
Remediation
▫
Partners
▫
Brand
▫
Business Shock
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 6

Evolution as we become a data driven society
Data Classification & Personal Info
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 7

Data Collection Considerations
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 8

Self Assessment
1.
Do you understand regulatory requirements?
2.
What data attributes do you collect? How and where is it stored?
3.
Is the business purpose for collecting this data still valid?
4.
Are your encryption processes representative of best practices?
5.
Do you have a 24/7 incident response team in place?
6.
Are you prepared to communicate?
7.
Do you follow generally accepted security & privacy best practices?
8.
Does your privacy policy reflect your collection and sharing practices?
9.
Do you know who to contact in the event of a breach?
10.
Can you sign off on a plan affirming you have adopted best practices?
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 9

Being Unprepared for an Incident

Not just “consumer data”
•
Consumer & Employee Data
▫
Unencrypted computer, “stolen?
▫
Lapse in policy requiring encryption of all laptops
© 2014. All rights reserved. Online Trust Alliance (OTA) Slide 11

Credit Cards & Beyond

Requires a Holistic View
▫
Part of your DNA.
▫
Ongoing review - controls & polices
▫
Stewardship is everyone’s responsibility.
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 13

Security Best Practices (page 9)
1.
Email Authentication & DMARC
2.
Always On SSL
3.
User Access & Password Management
4.
Data & Disk Encryption
5.
Automatic Patch Management
6.
Router & Access Point encryption
7.
BYOD Management Plan
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 14

Forensics Mistakes (page 12)
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 15

•
Secure and protect the physical integrity of evidence and ensure any systems impacted by a breach are only accessible to investigators and law enforcement. Track the chain of custody of the evidence, who collects the evidence, who transfers it and where it is stored.
•
Preserve and store all critical log files in a secure location, including web client and server operating systems, application, mail, firewall, IDS,VPN and Netflow. Due to rotation schedules, the saving of critical logs need to happen as soon as possible.
•
Contact law enforcement and your attorney. It’s critical that forensics be performed by experts, and that your organization does not do anything to compromise the data or chain of custody.
•
Disk image capture/evidence preservation should strongly be considered before placing machines back online for law enforcement monitoring purposes.
•
Review internal remediation plans and policies.
•
Document everything that has been done on the impacted systems since the incident was detected.
Forensics Best Practices (Appendix E)
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 16

1.
Want to ensure you do not tip off the intruder. The attacker could become hostile, destroy logs and create additional back doors. You may be asked to limit your discussions. If so, take advantage of a law enforcement request to delay statutory data breach notifications.
2.
Preserve and collect evidence. Do not turn off your computers since that will result in the loss of volatile memory (disconnecting briefly from the Internet may be okay). They will ask for technical data, to include network- and host-based incident logs and up-to- date network topology maps.
3.
Will want to get a better sense of potential insider and external threats. They might ask you about disgruntled current/former employees, in addition to the ability of well- meaning, unsuspecting employees to have used infected thumb drives, clicked bad website links, or opened spoofed emails.
4.
May want your direct investigative assistance. This could include use of government tools and even be asked to engage in communications with the attacker.
Source: “What to Expect When Working With Cyber Cops” Security Magazine, Dec. 1, 2013
Working with Cyber Cops “CC”
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 17

Communications & Messaging (page 19)
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 18

Notification

Communications
•
Internal Communications
•
Partner Communications
•
Phone scripts
•
On-hold messages
•
Spokesperson Training
•
Email & Letter Templates
•
Web site FAQ
•
Multi-Lingual Support
•
Media Monitoring Services
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 20

Your Mailing Domain
© 2014. All rights reserved. Online Trust Alliance (OTA) Slide 21

KickStarter
•
Mailed from their top level domain
•
Within 72 hours of notification
•
Humble, reassuring
•
Complies with California notification requirements
•
Have adopted “some” email authentication best practices.
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system. No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account. While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one. As a precaution, we have reset your Facebook login credentials to secure your account. No further action is necessary on your part. We’re incredibly sorry that this happened.We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.

When announcing you’ve had a breach…
•
Target – “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.”
•Global Payments – “The Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost.”
•Adobe – “As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts.”
•Epsilon – “Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.”
•Gawker Media – “You may be angry and upset about what has happened. You have a right to be. We're upset, too, and deeply embarrassed about the breach…here's your chance to ask questions about your commenting accounts, vent, or just help each other with issues you have.”
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 23

International Considerations
Do you know where your users reside?
•
What is an incident?
•
What is required for notification?
•
When do you need to advise regulatory authorities
•
What is appropriate remediation?

Regulatory Considerations
•
Beyond FTC Section 5
•
Definition of Covered Information
•
Notification & Timing
▫
Regulators vs Users
•
Pre-emption of State Laws
•
Ability of State AG’s to Enforce
•
Perhaps modeled off of CAN-SPAM & COPPA
•
Safe Harbor for best practices

Management Considerations
1.
Regulatory Requirements
2.
Re-validate Business Requirements
3.
Data Inventory – Where & Who?
4.
Data collection activities
5.
Points of vulnerability & risk
6.
Status of incident response team
7.
Communication preparedness
8.
Internal Coordination
9.
Training - Employees & Vendors
10.
Status of documentation
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 26

Summary – Key Principles
•
Acknowledge the data you collect contains one or more forms of PII or sensitive data.
•
Accept you will experience a data loss incident or breach.
•
Understand your company falls under multiple government regulations requiring notice and remedies.
•
Being unprepared can significantly add to the direct and indirect costs including management resources and lost productivity.
•
A data incident can result in significant damage to your business’s brand reputation.
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 27

•
2014 Data Protection & Breach Incident Planning https://otalliance.org/breach
•
Email Integrity & Security https://otalliance.org/eauth
•
Public Policy - https://otalliance.org/initiatives/public-policy
•
2014 Online Trust Honor Roll - https://otalliance.org/HonorRoll
•
Ad & Content Publishing Integrity - https://otalliance.org/resources/advertising-integrity-fraud
•
admin@otalliance.org +1 425-455-7400
Resources - update
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 28