2010 Data Breach Prevention Response

4301 Hacienda Drive, Pleasanton, CA 94588 USA ● +1 925 225 9100 t ● +1 925.225.9101 f ● www.javelinstrategy.com

2010 Data Breach Prevention and Response:

Causes, Consumer Consequences, and Tools for Layered Defense (DLP and SIEM) June 2010

© Copyright 2010 Javelin Strategy & Research. All rights reserved. This report is licensed for use by Javelin Subscribers only. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re‐transmit or otherwise provide access to the content of this report. 2

2010 Data Breach Prevention and Response: Causes, Consumer Consequences, and Tools for Layered Defense (DLP and SIEM)

Overview .......................................................................................................................................................................................... 5

Primary Questions ............................................................................................................................................................. 5

Key Findings ....................................................................................................................................................................... 5

Methodology ................................................................................................................................................................................... 7

Introduction: How Data Breaches Impact Financial Institutions and their Customers ................................................................... 8

Data Breach Notification Laws ........................................................................................................................................ 12

How Criminals Use Breached Data impacts Overall Fraud Rates .................................................................................... 15

Prevention: Have an Incident Response Plan Handy ................................................................................................................... 18

Limit Access to Sensitive Data ......................................................................................................................................... 18

Where the Data Lives ...................................................................................................................................................... 19

DLP Solutions Vendors .................................................................................................................................................... 21

Cisco IronPort .................................................................................................................................................... 21

CheckPoint ........................................................................................................................................................ 21

RSA .................................................................................................................................................................... 21

Trustwave.......................................................................................................................................................... 22

WebSense ......................................................................................................................................................... 22

McAfee Data Loss Prevention ........................................................................................................................... 22

Sophos ............................................................................................................................................................... 22

Symantec Data Loss Prevention ........................................................................................................................ 22

Trend Miro DLP ................................................................................................................................................. 22

Create a Data Breach Response Plan .............................................................................................................................. 23

Detection: Monitor for a Data Breach .......................................................................................................................................... 24

SIEM Vendors .................................................................................................................................................................. 26

ArcSight ............................................................................................................................................................. 26

Cisco .................................................................................................................................................................. 26

elQNetworks ..................................................................................................................................................... 26

IBM .................................................................................................................................................................... 26

McAfee ............................................................................................................................................................. 26

RSA .................................................................................................................................................................... 26

Splunk................................................................................................................................................................ 26

Symantec ........................................................................................................................................................... 26

Trustwave.......................................................................................................................................................... 27

Enact Your Incident Response Plan ................................................................................................................................. 27

Determine the Point of Compromise and Secure it ........................................................................................................ 28

Breach Assessment Vendors ........................................................................................................................................... 28

Resolution: Notification and Resolution ........................................................................................................................................ 29

Notification and Resolution Vendors .............................................................................................................................. 29

Affinion Data Breach ......................................................................................................................................... 29

Table of Contents



Experian ............................................................................................................................................................ 29

Equifax .............................................................................................................................................................. 30

ID Experts .......................................................................................................................................................... 30

Intersections ..................................................................................................................................................... 30

Identity Theft 911 ............................................................................................................................................. 30

Kroll ................................................................................................................................................................... 30

LifeLock ............................................................................................................................................................. 30

TrustedID........................................................................................................................................................... 30

Resolution: How Different Companies Handle Data Breaches ..................................................................................................... 31

The Blame Game: Who Customers Blame for a Data Breach ......................................................................................... 31

Disconnect Between Actual Fraud Caused By Data Breach and Consumer Understanding ........................................... 32

Case Studies .................................................................................................................................................................... 33

Recommendations ......................................................................................................................................................................... 34

Appendix ........................................................................................................................................................................................ 35

Related Research .......................................................................................................................................................................... 36

Companies Mentioned .................................................................................................................................................................. 37

Table of Contents



Figure 1: Data Breach Incidents vs. Records Breached ................................................................................................................ 8

Figure 2: Percentage of Consumers who had Cards Replaced Due to Security Concerns ........................................................... 9

Figure 3: Consumers with More than One Debit Card or Credit Card Replaced due to Security Issues .................................... 10

Figure 4: Number of U.S. Consumers Reporting Card Replacement Due to Security Concerns ................................................ 11

Figure 5: Consumers’ Likely Reaction toward Bank after Receiving a Data Breach Notification Letter ..................................... 12

Figure 6: How Consumers’ Use of Credit or Debit Cards Is Affected by Security Reissue .......................................................... 13

Figure 7: Victims’ Top Breached Personally Identifiable Information (PII) ................................................................................ 14

Figure 8: New Account Fraud Compared with Existing Non‐card and Card Account Frauds ..................................................... 15

Figure 9: Fraud Rate Past 12 Months for Consumers Who Received Breach Notification Letters vs. Did Not Receive Breach

Notification Letters vs. All Consumers ........................................................................................................................................ 16

Figure 10: Mean Consumer Costs and Fraud Amounts for Victims “Notified” vs. “Not Notified” ............................................ 17

Figure 11: How Data is Lost ........................................................................................................................................................ 20

Figure 12: Incidents (Cases) vs. Records Reported for Data Breaches ...................................................................................... 24

Figure 13: Comparison of Detection – Internal vs. External Sources ......................................................................................... 25

Figure 14: Layering Protection with SIEM and DLP .................................................................................................................... 27

Figure 15: Consumers’ Assignation of Fault in a Data Breach .................................................................................................... 31

Figure 16: Actual Fraud Rates Among Data Breach Victims Last 12 months vs. Fraud Attributed to the Data Breach by Those

Notified of Data Breach Last 12 Months .................................................................................................................................... 32

Figure 17: Breach Victims (Notified Last 12 Months) Fraud Rate vs. All Consumers Fraud Rate ............................................... 35

Table of Figures



Audience: Financial institutions, credit and debit card issuers, card networks, security vendors, DLP vendors, SIEM vendors, healthcare organizations, merchants.

Author: Robert Vamosi, Fraud and Security Analyst Contributors: Mary Monahan, Managing Partner and Research Director Tom Wills, Senior Analyst, Risk, Fraud and Compliance John Kenderski, Research Associate James Van Dyke, President and Founder

Editor: Levi Sumagaysay

Publication Date: June 2010

Overview

Data breaches have become commonplace – 26% of U.S. consumers have received data breach notifications. Global criminal networks

continue to evolve quickly to develop more sophisticated capabilities. Data loss and breach containment will be an ongoing challenge

for businesses. Layered defenses such as data loss prevention (DLP) and security incident and event management (SIEM), covered in

this report, can help. This report lists best practices for organizations before, during, and after a data breach. Should an incident

occur, the organization needs to take specific actions quickly to minimize losses and curtail the impact to customer relationship. Long

term, organizations need to provide not just notification but a complete resolution process.

Primary Questions

• How do customers react to data breaches?

• What increased risks of identity fraud do data breach victims have?

• How does a notification letter affect a consumer’s relationship with a financial institution?

• How are data breaches being perpetrated?

• How does a security reissue affect consumer use of a credit and/or a debit card?

• What steps should an organization take in advance of a data breach?

• Are there services for monitoring sensitive data?

• What steps should any breached company take first?

• Are there companies that provide data breach services?

Key Findings More than 1 in every 4 consumers had their debit or credit cards replaced in 2009 due to security issues Of those, One in five had

more than one credit or debit card replaced within the last 12 months. Of those consumers who had had their cards replaced, 37% ‐

40% say it adversely affects their card usage.



Previously, Javelin has reported that consumers who receive a data breach notification letter are more than four times likely than

average to become a victim of identity fraud. As of April 12, 2010, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin

Islands had data breach notification laws. Myriad state laws means multi‐state companies that suffer a breach must operate under

multiple different reporting rules and requirements. Effective January 1, 2008, California expanded the protections under its breach

notification law to cover medical/health information (AB 1298). In February 2009, the American Recovery and Reinvestment Act

created the first federal notification law for data breaches within the healthcare industry.

Organizations are more likely to discover they’ve become breached by a third party than through internal sources. Still, companies

need to assess their own sensitive data and monitor it with tools such as data loss prevention (DLP) and security incident and event

management (SIEM), both of which are part of the layered perimeter at the organization. In addition to data in motion (on the

network), there’s also data at rest and at the endpoint (USB drives, CDs, external drives). Part of the security solution needs to be

greater education; just as we educate employees about what is an appropriate joke to tell in the office, we should also educate

employees what is acceptable use of the desktop computer and data. Should a breach occur, an incident response plan/data breach

response plan needs to be enacted. A committee consisting of executives, legal staff, PR, IT, and risk and compliance should meet

immediately to gather information and begin executing a strategy. Such a strategy should seek to determine the cause of the data

breach and resolve, seek to preserve the data by establishing a clear chain of custody, and finally seek to go public with as much data

as possible.



Methodology This report is based on data collected online from a random‐sample panel of 3,294 online consumers collected in November 2009, with an

overall margin of sampling error of ±1.71 percentage points at the 95% confidence level.

Data from a September 2009 telephone survey with 5,000 U.S. adults, including 703 identity fraud victims, was also used in this report. For

questions answered by all 5,000 respondents, the maximum margin of sampling error is +/‐ 1.4% at the 95% confidence level. For

questions answered by all 703 identity fraud victims, the maximum margin of sampling error is +/‐ 3.7% at the 95% confidence level. For

questions answered by a proportion of all identity fraud victims, the maximum margin of sampling error varies and is greater than +/‐ 3.7%

at the 95% confidence level.

The surveys targeted respondents based on representative proportions of gender, age, ethnicity and income compared to the overall U.S.

online population. Rounding (in the underlying numbers) in the figures included in this report accounts for the slight differences in totals.

Secondary data from publicly available online sources have also been included in this report.



One thing is clear: Despite new laws, new standards, and new

technology, data breaches remain a problem year after year.

When looking at data breach numbers it is important to

distinguish between the numbers of incidents (data breaches) vs.

customer records (potential victims affected by the data

breach1). The two statistics can be very different. For example,

one data breach incident (a lost laptop) disclosed in 2009 at

Continental Airlines resulted in the loss of 230 records.2 Another

data breach incident (a web hack), was disclosed that same

month at Heartland Payment Systems that resulted in 130 million

records exposed.3 These two January incidents went on to

account for 58% of all records lost in 2009; clearly a single event

can skew the total number of customer records exposed. Thus

the total number of incidents for a given year may rise and fall

and be independent of the total number of records breached. It

is important to look at both the number of incidents and the

number of records breached to see the entire picture.

INTRODUCTION: HOW DATA BREACHES IMPACT FINANCIAL INSTITUTIONS AND THEIR CUSTOMERS

Data Breaches Continue to Increase

Figure 1: Data Breach Incidents vs. Records Breached

1 It is possible for one victim to have multiple accounts breached, so there is not a one‐to‐one correlation between numbers of records and numbers of victims, although it is a good estimator. 2 http://datalossdb.org/incidents/1485‐laptop‐stolen‐from‐office‐containing‐finger‐prints‐names‐social‐security‐numbers‐addresses‐dates‐of‐birth‐and‐other‐information 3 http://datalossdb.org/incidents/1518‐malicious‐software‐hack‐compromises‐unknown‐number‐of‐credit‐cards‐at‐fifth‐largest‐credit‐card‐processor

Category /Year 2009 2008 2007

Number of reported breaches 498 656 446

Records breached 222, 477,043 35,691,255 127,725,343

©2010 Javelin Strategy & Research

http://idtheftcenter.org/artman2/uploads/1/ITRC_Breach_Report_20100106.pdf Accessed May 25, 2010. Note: Adjusted Heartland from 30 million to 130 million as per alleged in Justice Dept. documentation.



Another metric is the frequency in which consumers report

having their card replaced. Cards tend to be re‐issued out of

cycle when there is a breach of data with a risk of fraud

associated with the card. Under a normal‐timed reissue the new

card will only have a new expiration data and security code;

under a high‐risk issue the card will have a new account number.

Among all consumers, at least 28% have had a credit or debit

card reissued in the past year due to security concerns. Within

that group, 1 in 20 report having both their debit and their credit

card replaced. The good news is that 65% of all consumers did

not have either their credit cards or debit cards replaced within

the past 12 months due to security. Of those who did have a card

replaced, 18% had debit cards replaced (33.2 million consumers)

and 15% had credit cards replaced (27.6 million consumers),

including the 5% of those who had both replaced. Seven percent

of consumers were unsure whether their cards had been

replaced due to security reasons (or did not apply).

More than 1 in Every 4 Consumers Had Debit or Credit Cards Replaced in 2009 Due to Security Issues

Figure 2: Percentage of Consumers who had Cards Replaced Due to Security Concerns

10%

13%

5%

65%

7%

Credit card(s)

Debit card(s)

Both my credit and debit card(s)

Neither my credit or debit card has been replacedDon't know

Q44: In the last 12 months, have your credit or debit cards been replaced with a new card due to security concerns? (select one only)

November 2009, n=3,294Base: All consumers.

© 2010 Javelin Strategy & Research



Of the 18% who had their debit cards replaced within the past 12

months, 21% had their debit card replaced more than once. Of

the 15% who had their credit cards replaced, 18% had their

credit card replaced more than once. This suggests that more

data breaches are impacting consumers, who typically have 3.2

credit cards on average.

A simple market sizing would indicate that at minimum 72.2

million replacement cards (debit and credit) with accompanying

letters were sent out to consumers in 2009, under the most

conservative assumption that consumers with more than one

reissue averaged just two cards. In one Heartland Payment

System lawsuit, one plaintiff said the costs of reissuing a credit

card included costs for “purchasing new plastic Payment Cards,

postage and other mailing expenses, time spent by employees

addressing the Data Breach, absorption of fraudulent charges

made on the compromised Payment Cards, and harm to

Plaintiffs’ reputations and goodwill.”4 In a TJX‐related lawsuit,

Among Consumers with Replacement Cards, Approx. 1 in 5 had their Card Reissued More than Once

Figure 3: Consumers with More than One Debit Card or Credit Card Replaced due to Security Issues

18%

21%

82%

79%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Credit card(s)

Debit card(s)

Only once More than once

Q45: Credit card(s)~You indicated that your credit or debit cards have been replaced in the past 12 months. Have any of these cards been replaced more than once?

November 2009, n=492, 579Base: Consumers who have replaced their credit or debit cards in the past 12 months.


4 http://chimicles.com/assets/Key%20Bank%20Complaint.pdf Accessed May 21, 2010.



the Massachusetts Bankers Association claimed that card

replacement costs could reach $25 per card.5 There’s a wide

range for reissuance fees. Using an arguably conservative

estimator of $3.5 per card replacement, security reissue costs for

the cards replaced in 2009 at a minimum would total $252

million.

At Minimum, $252 Million Spent Replacing Debit and Credit Cards in 2009

Figure 4: Number of U.S. Consumers Reporting Card Replacement Due to Security Concerns

Debit cards replaced Credit cards replaced

Only once 30,742,045 27,394,152

More than once 8,221,257 5,851,178

Total 38,963,302 33,245,330


5 http://www.computerworld.com/s/article/9017758/Massachusetts_banks_file_class_action_suit_against_TJX Accessed May 21, 2010.



Data Breach Notification Laws Two laws will impact data breaches in 2010: Nationally, the Red

Flags Rules, to be effective December 31, 2010 , requires firms

that hold customer accounts to implement programs that

identify and detect red flags that signal possible identity theft.

And effective May 1, 2010, Massachusetts General Law,

consistent with Red Flags rules, orders that all companies that

own, license, store or maintain personal information regarding a

Massachusetts resident must implement an identity theft

program, identifying red flags indicating possible identity theft,

emphasizing a “risk‐based” approach.

Thirty‐eight percent of all consumers say they view their financial

institution less favorably after receiving a notification letter. This

is not good news for banks and credit unions that are often put

into the position of being the messenger about data breaches,

although the institutions may have had nothing to do with the

breach itself, but instead are reacting to protect their

accountholders. Often the issuer is the only point of contact with

the customer after a retail data breach. Due to legal liability

issues, typically the financial institution’s notification letter can

only state that a breach occurred, but does not publicly identify

the actual breached entity.

Blame the Messenger: 38% of Consumers View Banks Less Favorably After Receiving Breach Notification

Figure 5: Consumers’ Likely Reaction Toward Bank after Receiving a Data Breach Notification Letter

21%

17%

36%

13%

13%

1 - Much less favorably2345 - Much more favorably

Q48: Assume you receive a letter from your bank. The letter states that they learned a data breach occurred and your account information may have been lost or stolen. Does receiving the letter cause you to view your bank more or less favorably? (select one only)

November 2009, n=2,978Base: All consumers with banking products.




For issuers that often must take steps to protect their customers

after a data breach at another institution, unfortunately, the bad

news continues: After a block and reissue, 1 in 10 consumers no

longer use their credit cards, and an additional 30% use them

less. Among debit cardholders with a security reissue, 7% stop

using the card, while 30% use them less. For little over half of

consumers, reissues have no effect. For certain group of

consumers, the reissue has a positive effect: 6% of credit

cardholders and 9% among debit cardholders use their cards

somewhat more or much more.

Issuers must take these statistics into account when deciding

whether to monitor or block and reissue after a data breach.

Security Reissues: 37% ‐ 40% of Consumers Claim It Adversely Affects Usage

Figure 6: How Consumers’ Use of Credit or Debit Cards Is Affected by Security Reissue

55%

2%

4%

16%

14%

10%

54%

3%

6%

17%

13%

7%

It's had no impact on my card usage

I use the card much more

I use the card somewhat more

I use the card somewhat less

I use the card much less

I no longer use the card

0% 10% 20% 30% 40% 50% 60%Percent of Consumers

DebitCredit

Q46: How has the fact that the bank replaced your credit card due to security concerns, affected your use of the credit card? (Select one only)

November 2009, n=494, 579Base: All consumers who replaced their credit card in the last 12 months, all consumers who replaced their debit card in the last 12 months.




Aside from existing credit and debit cards, breaches can also

affect other PII. When breach victims in 2009 were asked what

was taken, Social Security number (SSN) thefts remained the top

critical data reported breached after names and addresses. SSNs

permit new‐account creation, one of the most difficult types of

fraud to detect. Among the types of data typically stolen, stolen

checking accounts nearly doubled over 2008 (27% vs. 16%).

While theft of health insurance information (7%) and medical

records fraud (3%) were low, medical records fraud resulted in

the largest mean frauds ($18,480 vs. $4,841 for all consumers).

The American Recovery and Reinvestment Act (ARRA) signed into

law on Feb.17, 2009, establishes the first nationwide data breach

notification law for the health care industry, specifically

whenever protected health information (PHI) is released, via

paper or electronic means. Breaches of PHI that are under the

control of the patient are to be reported to the Federal Trade

Commission. Breaches of health information, specifically

electronic medical records (EMR), are to be reported to the

Department of Health and Human Services. Both the FTC and

HHS are required to prepare an annual report on the state of

healthcare data breaches.6

Breached Social Security Numbers Allow Criminals to Create Fraudulent New Accounts

Figure 7: Victims’ Top Breached Personally Identifiable Information (PII)

1%

3%

3%

7%

10%

18%

19%

22%

27%

32%

37%

63%

0% 20% 40% 60% 80%

Military ID card

Medical records

A passport

Health insurance information

Online banking username and password

ATM PIN on your debit card

PIN on your credit card

Driver's license number

Checking account number

Social Security number

Physical address

Full name

Percent of Consumers

Q12: Which documents or pieces of information were stolen?

November 2009, n= 393Base: All ID fraud victims who know how their

information was obtained.© 2010 Javelin Strategy & Research

6 New Federal Personal Health Information Breach Notification Law: HITECH Act— A Tsunami of Opportunity, Javelin Strategy & Research, April 2009.



How Criminals Use Breached Data impacts Overall Fraud Rates In 2009, new accounts fraud was the main driver of the overall

increase in total dollar fraud. New accounts fraud increased 38%

since 2007, with a 17% rise over the past year alone, accounting

for a total growth of $3 billion in losses per annum.7 In the same

two‐year period, overall identity fraud increased 20%, or $9

billion, from $45 billion in 2007 to $54 billion in 2009. Thus new

accounts fraud alone accounted for two‐thirds of the increase in

total identity fraud over the past two years (the only two years

that overall identity fraud has risen during the past seven years).

The number of different accounts opened by criminals rose in

2009. There were increases in percentages of fraud victims

reporting traditional accounts created by fraudsters such as new

credit card applications (39% vs. 33% in 2008) and new loans

opened (18% vs. 15%). However, there were also increases in

percentages of fraud victims reporting new fraudulent electronic

accounts, with five times as many e‐mail payment accounts such

as PayPal (15% vs. 3%) and more than twice as many Internet

accounts opened on eBay and Amazon (22% vs. 10%). New

mobile phone accounts, a new category in this report, accounted

for 29% of the fraudulent new accounts opened in 2009.

New Account Fraud—Most Difficult to Detect—Accounts for 2/3s of Growth in Total Fraud

Figure 8: New Account Fraud Compared with Existing Non‐card and Card Account Frauds

7 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All‐Time Low , Javelin Strategy & Research, February 2010.

$27

$19

$15

$18

$21

$13$12 $13

$9$11

$22 $22

$19

$22 $22

$0

$5

$10

$15

$20

$25

$30

2005 2006 2007 2008 2009

Tota

l Fra

ud A

mou

nts (

In B

illion

s)

Survey Year

New accounts fraudExisting non-card account fraudExisting card fraud

Q9: Did the perpetrator use your personal information to obtain new credit or debit cards, new bank accounts or loans in your name, or otherwise commit theft, fraud, or some other crime? Q8: Did the perpetrator use any of your existing accounts other than a credit or debit card account without your permission to run up charges or to take money from your accounts? Q5: Did the perpetrator misuse your existing credit, or debit card or account numbers to place charges on your account without your permission? Q3: Have you, yourself, ever been a victim of identity theft?

November 2009, 2008, 2007, 2006, 2005, 2004, n= 5,000,4,784, 5,075, 5,006, 5,000, 5,004

Base: All consumers.© 2010 Javelin Strategy & Research



There is also a direct relationship between those who received a

data‐breach notification letter and those who went on to

experience an identity fraud event. Not all the recipients of data‐

breach notification letters went on to experience fraud. Of the

26% of consumers that said they had been notified of a data

breach, 11.5% reported they had been victimized by identity

fraud within the past 12 months. Fraud victims who had been

notified of a data breach experienced fraud at nearly five times

the rate of fraud victims who had not been notified of a data

breach.

Consumers who have received breach notifications suffered an

increased rate of identity fraud, averaging 11.5% vs. only 2.4%

for those who have not been notified. The pattern of increased

fraud victimization among consumers notified of a breach within

the past 12 months remains consistent from 2006 to 2008,

indicating that this is not a one‐time anomaly in 2009. (Refer to

Figure 17, Appendix.) Many consumers have yet to fully

understand the concepts of identity theft and identity fraud, let

alone identity protection services such as credit monitoring,

fraud alerts, and credit freezes – which are primarily designed to

protect against new accounts fraud. Some consumers may be

confused or overwhelmed as vendors of identity protection

services continue to expand their product features in an effort to

be as comprehensive as possible.

Notified Data Breach Victims Are Nearly 5 Times More Likely to Experience Identity Fraud

Figure 9: Fraud Rate Past 12 Months for Consumers Who Received Breach Notification Letters vs. Did Not Receive Breach Notification Letters vs. All Consumers

4.8%

2.4%

11.5%

0% 2% 4% 6% 8% 10% 12% 14%

All consumers

Did not receive a data breach notification letter

Received a data breach notification letter


Q3. Have you, yourself, ever been a victim of identity fraud? In the last 12 months only. Q2. Have you ever been notified by a business or other institution that your personal or financial information has been lost, stolen or compromised in a data breach?

March 2010 n= 239, 4,010, 1,275, 5,000Base: All fraud victims in the last 12 months who have

received a data breach notification letter, all fraud victims in the past 12 months who have not received a data breach notification letter, all fraud victims in the past 12 months.




In 2009, 1 in 4 American adults reported being notified by a

business or other institution that their information had been

compromised in a data breach (26%). This group of consumers

detected their breaches sooner than the average fraud victim (57

vs. 63 days) and they also stopped the misuse faster (74 vs. 99

days). Nonetheless, their average frauds were higher ($4,543 vs.

$3,775) and they paid more in consumer costs ($415 vs. $308).

Normally, the sooner a breach is detected and stopped, the

lower the costs.

This report will look at prevention, detection and resolution with

regard to data breaches.

Mean Fraud Costs for Victims Notified of a Data Breach are 20% Higher

Figure 10: Mean Consumer Costs and Fraud Amounts for Victims “Notified” vs. “Not Notified”

Consumer Cost Fraud AmountYes $415 $4,543No $308 $3,775




Like it or not, data breaches can happen even to the best

companies, even to those that have been found to be in

compliance with PCI or other security standards. Therefore it is

important to have a data breach/incident response plan before a

data breach occurs. At its most basic, a data breach response

plan outlines the procedures a company needs to take

immediately after a data breach or other network compromise is

reported. But before such a plan can be crafted, an assessment

needs to be performed. A company needs to understand what it

has in terms of sensitive data.

Limit Access to Sensitive Data What is sensitive data? A simple answer might be anything that is

subject to regulatory action such as the Gramm‐Leach‐Bliley Act

(GLB), Sarbanes‐Oxley (SOX), the FTC’s Red Flags Rules, the

Payment Card Industry Data Security Standard (PCI DSS), Health

Information Technology for Economic and Clinical Health Act

(HITECH), Health Insurance Portability and Accountability Act

(HIPAA), or the European Union Data Protection Directive should

be considered highly sensitive information.

More generically, the State of Illinois says personally identifiable

information would include, but not be limited to: (a) a first and

last name or first initial and last name; (b) a home or other

physical address, which includes at least street name and name

of city or town; (c) an e‐mail address; (d) a telephone number; (e)

a Social Security number; (f) credit and/or debit card

information, including credit and/or debit card number with

expiration date; (g) date of birth; (h) a driver’s license number; or

(i) any other information from or about an individual customer

that is combined with (a) through (h) above.8 Illinois further

defines sensitive PII as combining a full name with any one or

more of the following data elements, when either the name or

PREVENTION: HAVE AN INCIDENT RESPONSE PLAN HANDY

8 http://www.wired.com/threatlevel/2010/04/nsa‐executive‐charged Accessed May 21, 2010.

Action Items

• Classify data as either non‐sensitive or highly sensitive. Examples include:

• Intellectual property

• Customer PII

• Segment sensitive data and protect it

• Restrict access to highly sensitive information by provisioning employees

• Wipe or shred physical media and paper securely

• Overwriting hard drive data with 1s and 0s

• Degauss (demagnetize) external media

• Shred paper

• Prepare a document, with names, of those who will comprise the data breach/incident response team.



data elements are not encrypted: (1) driver’s license or state

identification number; (2) Social Security number; or (3) account

numbers (such as bank, credit or debit card numbers) when

combined with any required security code, access code or

password that would permit access to an individual’s financial

account.

In addition, intellectual property should also be considered

sensitive. For example, the Uniform Trade Secrets Act includes

formulas, patterns, compilations, program devices, methods,

techniques, or processes. They also can be diagrams and flow

charts, supplier data, pricing data and strategies, source code,

marketing plans and customer information.

Sensitive data may lie outside its intended area of use. A

thorough assessment should scope out where such data resides,

no matter its relationship to the server hosting it. Every effort

should then be taken to secure and minimize access to the

designated sensitive data.

Once sensitive data has been mapped out, organizations should

further limit access data to a need‐to‐know basis. Access to

sensitive files and records should be set by HR and IT working

together to determine what access is necessary for an employee

to function within the organization. Carte‐blanche access to

sensitive information is both dangerous and unnecessary.

Where the Data Lives There are three states of data within the organization that need

to be assessed: Data that is in motion, data that is at rest, and

data that exists as an endpoint. A compromise can occur in each

of these.

• Data in motion: This category covers data moving into

or out of the network via the Internet. Avenues of

transit may include e‐mail, webmail, HTTP, instant

messaging (IM), peer‐to‐peer sites (P2P), and file

transfer protocol (FTP)

Protecting e‐mail is not as clear cut as filtering Outlook Exchange,

however. Employees may use webmail (which passes through

port 80, the Internet port) or e‐mail that is private. Hushmail is

an encrypted Java application that is used to share secure e‐mail

between two parties anonymously; the catch is that both have to

be using the service. Without access to the keys, the e‐mail is

unreadable to a third party. Here the U.S. government worked

with Hushmail to decipher the e‐mails critical to the case.

Instant messaging (IM), peer‐to‐peer (P2P), and file transfer

protocol (FTP) involve consumer desktop applications and are

sometimes blocked from installation by IT staffs. Some

businesses need the instant communications with remote

workers that IM provides, however P2P and FTP are often

unnecessary and dangerous because incorrect configurations can

open a desktop and internal network to remote third parties.

Data on the network and data on its way toward storage, if

unencrypted or “in the clear,” may be subject to a sniffer, a piece

of code that can detect and make a copy of 16‐digit credit card

data. In the case of Heartland Payment Systems, that is what

happened; copies of the card data sent in the clear across the

Heartland network were copied and stored in .tmp files for third‐

party retrieval. The actual malware was well‐hidden, and almost

missed by two independent teams of forensic investigators.

• Data at rest: This category typically covers data sitting

in file systems, databases and other storage methods.

Data, particularly sensitive data, should be encrypted when at

rest and, following PCI’s requirement, the keys used for the

encryption should be rotated at least once a year. Data at rest

used to be the target of hacker attacks a decade ago; recently

there has been a decided shift toward data‐in‐motion attacks.

Hushmail, in addition to providing e‐mail service, also provides

encrypted and anonymous file storage and domain service with

various servers located around the world.



• Data at the endpoint: This category covers data sitting

on laptops and within smartphones, USB devices,

external drives, MP3 players, laptops, and CDs.

A more straightforward form of data loss, perhaps, is data lost

through external devices such as the Apple iPod and iPhone,

which, when plugged into a desktop, are capable of storing

several gigabytes of data from the office network. Such devices

are common in the offices today, yet pose significant danger if

employees are allowed to copy sensitive files to an external

drive. 9

More dangerous than a missing laptop might be the ubiquitous

USB drive (an employee is more likely to remember leaving

behind an expensive laptop than a tiny USB). In a recent survey,

the UK security company Credant found that 4,500 USB drives

were left behind in clothing sent to the dry cleaners. This is down

significantly from the 9,000 reported the previous year.

However, in the UK, the 4,500 lost USBs is still enough for

concern. Under a new Data Protection Act, a lost USB is

considered a data breach and the company whose data is on it is

subject to a fine of up to £500k.10

Thus, encrypting the data stored on hard drives of laptops, USBs,

and other external media makes sense, as does limiting access to

sensitive information through digital rights management (DRM).

DRM can specify whether a file is read‐only, not for printing, and

not for copying. Additionally, files can be marked as not for e‐

mail. Provisioning based on employee job descriptions and work

flow can further keep the temp out of the HR files.

9 http://datalossdb.org/statistics Accessed April 6, 2010. 10 http://www.credant.com/news‐a‐events/press‐releases/376‐dry‐cleaners.html Accessed May 21, 2010.

Physical Media Incidents Outnumber Virtual Media in Terms of Data Loss

Figure 11: How Data is Lost

Stolen/Lost Laptop21%

Hack16%

Web13%

Fraud SE8%

Stolen/Lost Computer

7%

Document for Disposal

5%

Snail Mail4%

Unknown4%

E-mail4%

Stolen/Lost Media4%

Stolen/Lost Document

5%

Stolen/Lost Tape3%

Stolen/Lost Drive3%

Virus1%

Source: DataLossDB© 2010 Javelin Strategy & Research



Sometimes common electronic media can disguise data theft.

Researchers have found a way to burn sensitive data onto an

otherwise ordinary CD.11 Steganography, the practice of hiding

something within plain sight, dates back several centuries to the

Roman era, and modern incarnations include storing text

documents within JPEG image files (thus, a picture can literally be

worth a thousand words). This new variation obscures the data

on a CD so that only CD players with tunable crystals can pull out

the sensitive information. When played on a standard drive, the

CD would not reveal the data; only by adjusting the crystal within

the CD player would the data be accessible. While it is unlikely

the typical employee would have access to a tunable crystal, such

technology might be possible in a high‐risk and very targeted

attack.

In addition to encrypting active files, secure destruction of older

files is also necessary. Simply deleting data from hard drives and

USB is not enough. The Windows operating system in particular

makes it easy to reconstruct “deleted” files later, what’s called

“data remanence.” IT staffs must therefore overwrite the

deleted data with 1s and 0s. Better yet is degaussing, a process

by which the magnetic field is removed — provided the media in

question can be reformatted later. Finally, physically destroying

the media is another option.

Not all data loss is electronic. The Identity Theft Research Center

(ITRC) reports that 25% of all data breaches in 2009 involved

paper documents.12 Often paper documents are not disposed of

properly. CVS, the pharmacy, was fined $2.25 million in 2009

after the Department of Health and Human Services alleged that

the company violated the Health Insurance Portability and

Accountability Act (HIPAA).13 HHS Investigators found

prescriptions and other personally identifiable information in the

dumpsters behind several CVS locations. In addition to the fine,

CVS will also be audited every two years for the next 20 years to

ensure that it is properly disposing of personal data.

DLP Solutions Vendors To mitigate the dangers of leakage with data at rest, data in

motion, and data at the endpoint, data loss prevention (DLP)

systems make the most sense. DLP systems classify, encrypt, and

monitor sensitive data. Some DLP systems also classify and

monitor endpoint data. Some DLP systems on the market today

include:

Cisco IronPort Cisco offers its DLP solutions based on an organization’s size, for

example the IronPort S160 is for systems up to 1,000 users, S360

from 1,000 to 10,000 users, S660 more than 10,000. One

interesting differentiator is that the Cisco IronPort solution can

work with existing DLP solutions by providing a security appliance

that sits between traditional perimeter defenses, offering an

additional layer of filtering and protection. http://

www.ironport.com/technology/ironport_dlp_overview.html

Check Point The Check Point DLP solution includes Innovative MultiSpect, a

data classification system that combines user, content and

process information to make accurate decisions around data

sensitivity. Another solution, UserCheck, allows organizations to

remediate incidents in real‐time. For more information see

http://www.checkpoint.com/products/dlp/index.html

RSA

According to RSA, its DLP Datacenter product identifies sensitive

data and then helps organizations enforce policies across file

shares, databases, storage systems such as Microsoft SharePoint

and other data repositories. Its DLP Network product identifies

sensitive data and then enforces policies across corporate e‐mail

systems, instant messaging, and web‐based protocols. Finally,

RSA’s DLP Endpoint product identifies sensitive data and then

11 http://www.credant.com/news‐a‐events/press‐releases/376‐dry‐cleaners.html Accessed May 21, 2010. 12 http://www.idtheftcenter.org/artman2/publish/m_press/Data_Breaches_Undeterred_by_Laws_or_Common_Sense.shtml Accessed May 21, 2010. 13 http://www.networkworld.com/community/node/38684 Accessed May 21, 2010.



enforces policies for such data whether it is stored or in use on

laptops and desktops. For more information see http://

www.rsa.com/node.aspx?id=3426

Trustwave

The three categories of data loss are covered by Trustwave’s DLP

products. Trustwave Discover handles data at rest. Trustwave

Monitor covers data in motion. And Trustwave Edge covers

endpoint. For more information see https://

www.trustwave.com/dlp‐overview.php

Websense

Designed for enterprise DLP deployments, Websense Data

Security Suite includes four integrated modules: Websense Data

Monitor (to see network traffic), Websense Data Protect (for

data at rest), Websense Data Endpoint (for external media), and

Websense Data Discover (for data classification). For more

information see http://www.websense.com/content/

DataSecurity.aspx

DLP suites are also available from major antivirus vendors. These

include:

McAfee Data Loss Prevention

The McAfee DLP products work through the McAfee ePolicy

Orchestrator, a system information and event manager (SIEM;

see page 26). McAfee Network DLP Discover classifies data by

crawling the network, including laptops, to find sensitive data.

McAfee Network DLP Prevent enforces policies in e‐mail,

webmail, instant messaging (IM), wikis, blogs, portals, and Web

2.0 technologies. The McAfee Network DLP Monitor appliance

handles real‐time scanning and analysis of network traffic. The

McAfee Network DLP Manager appliance integrates the DLP suite

with the ePolicy Orchestrator. For more information, see http://

mcafee.com/us/enterprise/products/data_protection/

data_loss_prevention/dlp_modules/

host_data_loss_prevention.html

Sophos

SafeGuard Enterprise is Sophos’ DLP product. It is heavy on AV,

and combines full disk encryption with system flags on content

deemed sensitive. It also works with third‐party security

defenses. For example, it can manage BitLocker encryption in

Windows Vista and Windows 7. For more information:

http://www.sophos.com/products/enterprise/encryption/

safeguard‐enterprise/

Symantec Data Loss Prevention

Symantec acquired and re‐branded the Vontu line of DLP

products. Symantec currently includes several distinct product

offerings: Symantec Data Loss Prevention Endpoint Discover,

Symantec Data Loss Prevention Endpoint Prevent, Symantec Data

Loss Prevention Network Discover, Symantec Data Loss

Prevention Network Monitor, Symantec Data Loss Prevention

Network Prevent. For more information see: .http://

www.symantec.com/business/theme.jsp?themeid=vontu

Trend Micro DLP

Award‐winning DLP protection comes from Trend Micro, which

provides specific solutions for endpoint, network and

management server monitoring. The hardware appliance

includes DataDNA™ fingerprinting to identify and secure

unstructured data. For more information see: http://

us.trendmicro.com/us/products/enterprise/data‐loss‐

prevention/



Create a Data Breach Response Plan Having assessed and identified the sensitive data in the

organization, the next step is to create a response plan.

A simple data breach plan should include the following: 1. Determine whether a breach did in fact occur.

A majority of data breaches are reported by external sources (e.g. , card networks, law enforcement, etc.)

If breach is large, then proceed to step 2.

2. Contact the incident response team , whose members

should include:

Executives

Legal

Public and media relations

Compliance and risk management

3. Develop a communications strategy.

Choose one spokesperson.

Prepare scripts for call centers, FAQs, department heads, etc.

4. Determine the point of compromise and secure it.

Document date and time of discovery, date and time of breach

Method and extent of the breach

Can reduce compliance issues later

Can reduce civil liabilities going forward

5. Determine what notification laws come into play.

Have a notification strategy in place.

Notification laws not restricted to the U.S., other countries have them as well

6. Update this response plan.

Annually, if no breach events

During the breach, as new information becomes available

Having an incident response plan is not enough. The plan should

be tested periodically and refined as needed. Then, if the

organization does experience a data breach, it can be enacted

effortlessly.



0%

0%

2%

6%

2%

90%

94%

0%

67%

9%

12%

22%

38%

64%

0% 20% 40% 60% 80% 100%

Enviromental

Error

Physical

Deceit

Misuse

Malware

Hacking


% of Cases

% of Records

Source: Verizon Business RISK Team© 2010 Javelin Strategy & Research

For data loss attributed to hacking and malware, monitoring the

network through the use of security information and event

management (SIEM) security information managers (SIMs) or

other network monitoring systems can help. One important

distinction is that while your company may experience several

security “events” they are not all security “incidents.” An event

can be defined as an anomalous activity detected on the system.

For this, individual security tools, such as a firewall or an IDS, may

not be adequate. SIEMs monitor a variety of security tools,

collating events to create a real‐time picture of what is

happening on the network.

In looking at the information below, physical loss of data often

results in fewer records lost than the online loss of data. Misuse,

deceit (social engineering) and physical theft are categorized as

physical thefts that result in fewer records stolen. Hacking and

malware are online threats that result far greater numbers of

records lost, and thus are more profitable to thieves.

DETECTION: MONITOR FOR A DATA BREACH

Action Items

• Monitor logs and current activity in real‐time.

• Meet at least annually to review internal procedures in the event of data breach and discuss adding new team members

to reflect changes in the data landscape at the organization.

Hacking and Malware Account for Most of the Records Lost

Figure 12: Incidents (Cases) vs. Records Reported for Data Breaches



There is a perception that the major data breaches are

discovered by vigilant IT staffers. This romantic view was

perhaps made popular by Clifford Stoll tracking down a $0.75

discrepancy in his University of California‐ Berkeley account as

chronicled in the bestselling book Cuckoo’s Egg. While it does

happen, it does not happen nearly as often as one might think.

Verizon Business states that 75% of the data breach cases it has

investigated went undiscovered and uncontained for weeks or

months by the IT staff.14

Data collected by the Verizon Business RISK Team shows that

third parties, not IT staff, often discover a data breach.15 While

acknowledging that the potential existed for some of their clients

to discover the data breach with sufficient evidence available,

Verizon Business says this trend was seen in retrospect:

Companies are not diligent enough in analyzing the data in real‐

time. Rather, data breaches typically go unnoticed until a

significant number of frauds are detected by third parties — such

as card brands or law enforcement.

Third Parties Discover 7 out of 10 Data Breaches

Figure 13: Comparison of Detection – Internal vs. External Sources

Internal Active7%

Internal Passive24%

Third Party69%

Source: Verizon Business RISK Team© 2010 Javelin Strategy & Research

14 http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Accessed April 6, 2010. 15 Ibid.



SIEM Vendors There are ways to protect data in real‐time. In addition to DLP

services, which classify and block data release, real‐time

monitoring of all sensitive data on the internal networks can be

accomplished through security information management

systems (SIMS) or security information event management

systems (SIEM). These reconcile and create real‐time analysis of

what’s going on in your network from firewalls, intrusion

detection system (IDS) and other security tools. Vendors in this

space include:

ArcSight

ArcSight offers Enterprise Security Manager (ESM), software that

is designed for large organizations and requires some training.

For smaller organizations, ArcSight Express is an appliance‐based

version of ESM that comes with preconfigured reports and

monitoring. For more information see: http://

www.arcsight.com/products/

Cisco

For SIEM, Cisco offers its Cisco Security Monitoring, Analysis and

Response System (MARS), an appliance which combines SIM with

SEM and network behavior analysis. Designed for out‐of‐ the‐box

use, it is part of the Cisco Security Manager. For more

information see:

http://www.cisco.com/en/US/products/ps6241/index.html

elQNetworks

elQNetworks sells its SecureVue software and appliances that

combines SIM, SEM, network behavior analysis and security

compliance configuration policy. For more information see:

http://www.eiqnetworks.com/solutions/

SIEM_and_Log_Management.shtml

IBM

IBM has three different offerings in this space: Tivoli Compliance

Insight Manager (TCIM), IBM Tivoli Security Operations Manager

(TSOM), and IBM Tivoli Security Information and Event Manager

(TSIEM). The latter combines TCIM and TSOM for a

comprehensive view of the network. For more information see:

http://www‐01.ibm.com/software/tivoli/

McAfee

McAfee’s ePolicy Orchestrator, a system information and event

manager, integrates with its DLP solutions and other third‐party

perimeter defenses that an organization may have in place. For

more information see: http://www.mcafee.com/us/enterprise/

products/security_management_console/

epolicy_orchestrator.html

RSA

For monitoring the network, RSA offers two services: RSA

Security Information Management and RSA Security Event

Management. These two, when combined with log management,

provide RSA’s SIEM product. For more information see: http://

www.rsa.com/node.aspx?id=3207

Splunk

San Francisco‐based Splunk is an evolved SIEM that enables

organizations to search, report, monitor and analyze streaming

and historical data from any source on your network. For more

information see http://www.splunk.com/

Symantec

Symantec Security Information Manager (SSIM) combines SIM,

SEM, and log‐management capabilities, with Symantec

DeepSight, a global threat‐monitoring network. An appliance

collects data on site.



Trustwave

A standard package of Trustwave SIEM, Trustwave Managed

SIEM, and Trustwave SIEM Operations Edition monitor events on

the network in real time.

Enact Your Incident Response Plan Immediately after a breach has been identified and confirmed,

the incident response team representatives need to be

assembled. This team should have already been created and

include a member from each: the executive team, the legal staff,

public relations, and, of course, representatives of the IT and

compliance and risk‐management teams. The executive

representative acts as a liaison with management. The legal staff

is responsible for determining what laws may be triggered by the

breach and is to advise the company how best to respond. The

public relations representative serves to protect the brand by

crafting communications with the media. The IT and compliance

and risk management representatives are responsible for

determining what happened.

How Data Loss Protection and Monitoring Fit into the Organization

Figure 14: Layering Protection with SIEM and DLP




Determine the Point of Compromise and Secure it Documentation is important for law enforcement and

compliance. Once a breach has been identified, establish a chain

of custody of log files. Often this is as simple as having two

individuals sign for possession of the files, media, or other

potential evidence.

Final determination of the cause of the breach might not be

immediate, but it is very important to find out what happened.

In the case of Heartland Payment Systems, after being informed

by Visa that card accounts processed by Heartland were on the

Internet black market, two independent forensic examinations

failed to discover evidence of a breach. It was only at the

eleventh hour that one company found a cache file of .tmp files

with credit card numbers. This led to the discovery of a rootkit, a

file buried deep in the kernel of the payment server’s operating

system.

Heartland Payment Systems, for example, has since made its

rootkit available to other processors. For financial institutions,

there are opportunities to share information through the card

networks and programs such as Identity Theft Assistance Center

(ITAC), Early Warning Services, BITS Fraud Steering Committee

and Fraud Program, Financial Services Technology Consortium,

etc.

Breach Assessment Vendors Not all organizations are capable of conducting their own

internal breach investigation. There are two organizations that

can investigate and work with law enforcement. PCI maintains an

updated list of PCI‐qualified assessors here: https://

www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf



In 46 states and three U.S. territories there are specific laws

regarding when breached companies must contact potential

victims. As part of the incident response plan, the company

should have a notification service to help with the notification of

all potential consumers affected by the data breach.

Notification companies offer services beyond mere boilerplates

for the text sent out to customers or the press. Several

companies told Javelin they provide the ability to clean up

customer databases, providing updates to addresses or

completing incomplete addresses. These companies also remove

duplicate entries, a process that sometimes lowers the number

of actual customers affected by a given breach (for example,

several records breached at a company may belong to one

customer). Companies that do not provide customer list services

said they could enlist third parties.

After notification is resolution. All of the companies below offer

resolution assistance including the creation of a website and a

customer call center, although only Kroll offered the dedicated

service of one investigator assigned to a customer’s case —

whether the case takes three months or three years to resolve. A

few companies told Javelin they take limited power of attorney

as a means of helping victims recover.

Notification and Resolution Vendors

Affinion Data Breach

Affinion helps breached organizations with the execution of the

notification process. Unique to Affinion is its new contract

service, allowing organizations to contract with Affinion for

unspecified service. When a breach occurs, they can choose

what specific service they want Affinion to provide, including

normalizing the customer database to eliminate duplicates and

update addresses with full zip codes and other United States

Postal Service standards, credit monitoring, online data sweeps

for personal information, and dedicated fraud resolution

caseworkers for the duration of the incident. Furthermore,

enrollment options can include multiple service channels

including US mail, website, IVR, and call center support. Affinion

also provides resolution services, including automatic registration

of breach victims in credit monitoring. For more information see:

http://www.breachshield.com/

Experian

Experian contracts with companies to produce the notification

letters as well as guidance on the notification process and overall

communication with victims. They also provide consumer fraud

protection options (e.g., credit monitoring) and a National Fraud

Data Base, which provides single‐point direct access to

RESOLUTION: NOTIFICATION AND RESOLUTION

Action Items

• Notify affected customers per state laws.

• Notification letters can be handled by a third party.

• Customer data base and completion can be handled by a third party.

• Consider sharing detailed breach information with industry ISAC or FBI Infoguard.



nationwide consumer and commercial fraud records. For more

information see: http://www.experian.com/business‐services/

data‐breach‐protection.html

Equifax

For the organization Equifax provides its Data Breach Response

Team, a service that provides pre‐breach planning and services

customer care in the event of a data breach including notification

(mail only) and call center support. In addition the company

provides a variety of consumer fraud protection services such as

credit monitoring, credit freeze, fraud restoration. For more

information see: http://www.equifax.com/business/en_us

ID Experts ID Experts offers organizations a full‐service notification and

support service with multiple channels for breach victims (letters,

Web site, call center). This includes composition, delivery and

tracking of notification letters/outreach. Breach assessment

Consumer protection (credit monitoring and remediation if fraud

occurs) Call center and Web site “Total recovery” approach to

data breach response (breach assessment, response, consumer

protection, and recovery) Experience working with financial

institutions (comprises one‐third of its client base) For more

information see: http://www.idexpertscorp.com/newsstories/?

articleid=254

Intersections

The data breach response plan from Intersections includes

flexible service configuration options for consumer fraud

protection and enrollment methods (online and offline

fulfillment; credit‐focused and/ or full‐spectrum identity

protection services). Intersections also offers integration with the

Identity Theft Assistance Center (ITAC) Breach response program

development Full spectrum of services for breach notification,

effective customer protection, and identity theft recovery. For

more information see: http://www.intersections.com/

Breach.html

Identity Theft 911

Identity Theft 911 primarily works with the insurance industry,

providing data breach resolution services for some of the largest

insurance companies in the United States. Through partnerships

with Identity Guard, TransUnion and TrueLink Notification

Identity Theft 911 handles the response for credit and financial

services, law enforcement and consumer advocacy organizations.

For more information see: http://www.identitytheft911.com/

whatwedo/databreach.htm

Kroll Kroll offers a full‐service victim notification and support service in

addition to its comprehensive investigation and restoration

services for fraud victims. Kroll has a strong reputation in the

breach recovery space, and is considered an industry leader in

fraud investigation and identity restoration. For more

information see: http://www.krollfraudsolutions.com/breach‐

products‐and‐services/defenses.aspx

LifeLock In addition to providing consumer prevention, LifeLock offers a

resolution package that includes notification and response via

letters, call center, and website support. The company also

provides, if desired, public relations support (including PR

guidelines and sample press releases) as well as tracking and

reporting of outreach operations and victim response. For more

information see: http://www.lifelock.com

TrustedID TrustedID provides a multitier response focused on resolution.

This includes a communication package that recommends

language and correspondence for notifying victims and other

stakeholders. The company makes sure that state‐by‐state

breach notification requirements are met. Additionally,

TrustedID offers consumer protection services to monitor for

signs of identity fraud. For more information see: https://

www.trustedid.com/products.php?databreach



There are two primary victims in a data breach: the organization

that is breached and the customers who have their personal data

exposed. There are also plenty of candidates for collateral

damage —organizations that, in doing their jobs, get caught in

the crossfire and sometimes blamed.

The Blame Game: Who Do Customers Blame for a Data Breach? Financial institutions often become the face of a data breach to

their cardholders and can be viewed in a less favorable light as a

result. An FI is often the party that first contacts the consumer or

mails out a new card after a data breach event, sometimes based

on a fraud event. However, nearly three times as many

consumers blame the merchant or retailer as the party most

likely to be responsible for any data breach.

RESOLUTION: WHO SUFFERS MOST?

Consumers Blame Merchants More than Issuers or Financial Institutions

Figure 15: Consumers’ Assignation of Fault in a Data Breach

21%

61%

7%

4%

7%

Financial institution or card issuer

Merchant or retailer I have purchased fromAn employer

A government agency

Other, please specify

Q52: In the event a data breach occurs, which of the following do you believe is most likely at fault? (Select one only)

November 2009, n=3,294Base: All consumers.




Customers Don’t Connect Breach Notifications with Fraud Among consumers who received a data breach notification in the

past 12 months, 19% suffered fraud, yet only 2% attributed their

fraud to a data breach. It seems as if consumers are not

connecting the dots on data breach notifications to fraud events.

They are aware, in the abstract, that their personal records have

been compromised, but when they become a victim of fraud

they do not make the connection to the earlier breach

notification.

The implications of this finding, if true, are shocking. While the

idea of notification is to provide an opportunity for consumers to

take action to protect themselves, apparently they do not. This

suggests that notification is not working. Consumers apparently

do not understand that the data breach puts them at increased

risk for other types of fraud. It also suggests that consumers who

are explicitly notified are at increased need for identity

protection services such as fraud alerts, security freezes, credit

monitoring, and identity monitoring. Identity protection services

vendors need to assist in fully educating consumers about the

potential consequences of receiving a data breach notification

letter.

A Disconnect Exists Between Actual Fraud Caused By Data Breach and Consumer Understanding

Figure 16: Actual Fraud Rates Among Data Breach Victims Last 12 months vs. Fraud Attributed to the Data Breach by Those Notified of Data Breach Last 12 Months

19.5%20.4%

15.8%

1.9%0.6% 0.4%

0.0%

5.0%

10.0%

15.0%

20.0%

25.0%

2008 2007 2006

Data breach victims (notified in the last 12 months) who experienced any fraud in the last 12 months

Fraud victims who received a data breach notification (within past 12 months) who self-identified that their information was obtained through a data breach

October 2008, 2007, 2006, n= 105,109, 97Base: Data breach victims in the last 12 months.




Case Studies How companies chose to handle the public face of the data breach – and the response is very different. Three case studies are BNY

Mellon, TJX and Heartland Payment Systems.

TJX: This retail chain is perhaps the poster boy for all data‐breached companies. The company remains in business, and one could

argue it has successfully navigated a potentially disastrous period. TJX will be monitored for the next 20 years and, like Heartland, it

has paid and will continue to pay millions of dollars in settlements and fines for years to come. TJX settled with Visa for $41 million

and MasterCard for $24 million.

Heartland Payment Systems: The payment processing company Heartland Payment Systems was presented with evidence by the

card brands that credit cards seen sold on the Internet in fall 2008 were suspected to have been processed through Heartland. After

several months of independent analysis, Heartland confirmed the breach and went public on Jan. 20, 2009. Immediately following,

Heartland’s stock plummeted from $15 before the disclosure to $3.43 a few weeks later when the processor was delisted from the

list of PCI‐compliant companies (Heartland was relisted in May 2009). Additionally, the company has since paid $129 million in

consumer losses, $60 million to Visa, $41 million to MasterCard, and currently pays about $2 million a month in legal bills.

BNY Mellon: In 2007, the bank found that a backup tape being transported by a third‐party vendor (Archive Systems) was missing.

The tapes included shareholder and plan participant account information for 4.5 million people, including such sensitive data as

name, mailing address, Social Security number, and transaction activity.16 The bank was criticized for delaying in notifying the public

and the other banks (People’s United Bank) that were affected by the loss.17 In response, BNY Mellon disclosed the data breach, and

provided affected customers with a web page that not only disclosed the details of the data breach, but also provided a link to ID

protection services available to those who received a letter.18

16 http://www.bnymellon.com/tapequery/shareownerservices.html Accessed May 21, 2010. 17 http://www.reuters.com/article/idUSN2320877320080523 Accessed May 21, 2010. 18 http://www.bnymellon.com/tapequery/shareownerservices.html Accessed May 21, 2010.



One key to surviving a data breach is knowledge. Knowing in

advance what sensitive information your organization has and

where it resides is a major step toward protecting and

monitoring that data. Another is having an incident response

plan ready, and this includes not only the names and contact

information for all the critical parities, but also a strategy for

notifying affected customers and providing them with identity

fraud protection and resolution.

• Assess all data and secure the most sensitive data.

Before a data breach, create a baseline assessment of

how much sensitive data your organization has and

where it lives.

• Provision employees to limit access to sensitive data.

In concert with HR and IT, limit the access employees

have to what they need to get their jobs done.

• Provide employees with data breach sensitivity

training. One company, Identity Theft 911, suggested

that just as HR requires employees to take a sexual

harassment sensitivity training, employees should have

a data breach sensitivity training as well. Such an

interactive video or lecture could identify common

online behaviors that would not be acceptable in the

office. Review annually.

• Determine how a data breach occurred. Perform

enough forensic analysis to determine the true cause,

not just the symptom of data leakage. If one piece of

malware is hiding on your system, others could be

there as well.

• Immediately assemble the data breach response

team. Notify department heads and prepare messaging

around the event. Develop a comprehensive response

strategy. Prepare scripts for customer service reps,

FAQs for online use, and vet all of these through legal.

Determine notification requirements, response, and

mail notifications.

• Establish a chain of custody for all evidence. Have

more than one person sign off on all log files,

hardware, and data collected during the breach

investigation — this will make it easier to hand over to

law enforcement.

• Designate a single spokesperson for media. Train staff

to direct public inquiries to designated website/800

numbers. Public disclosure can help bring awareness to

the overall problem of data breaches — and more

resources to mitigate and stop future attacks.

• Assess response. Throughout the breach response,

assess the response and make changes based on

feedback if necessary.

• Share details of the breach experience with other

organizations in your space. Bad guys share data; good

guys typically do not. Associations such as FS‐ISAC,

NACHA, and others have begun facilitating sharing

among members. Newer organizations such as Secure

POS Vendor Alliance have formed to share details of

attacks in partnership with the Secret Service and other

law enforcement agencies.

RECOMMENDATIONS



APPENDIX

Four Times Higher Fraud Victimization Rate Among Data Breach Victims

Figure 17: Breach Victims (Notified Last 12 Months) Fraud Rate vs. All Consumers Fraud Rate

19.5%20.4%

15.8%

4.32%3.62% 3.74%

0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

2008 2007 2006

Data breach victims (notified in the last 12 months) who experienced any fraud in the last 12 months

All fraud victims

October 2008, 2007, 2006 n= 539, 535, 552/ n= 4874, 5075, 5000

Base: Data breach victims, all U.S. adults.© 2009 Javelin Strategy & Research



New Federal Personal Health Information Breach Notification Law: HITECH Act— A Tsunami of Opportunity

April 2009

New federal legislation designed to improve the nation's quality and coordination of medical care has created a perfect storm at the

intersection of the health care and financial industries. Physicians and hospitals will be rushing to go online to take advantage of temporary

monetary incentives. Handled well, prospects for enhanced medical care are considerable. But if the online transfers aren't handled

properly, the opportunities generated will benefit data thieves, rather than health care. And with a new national data breach notification

requirement in place for personal health information, the impact of the Health Information Technology for Economic and Clinical Health Act

(HITECH) could be staggering. This report explains the new federal requirements extending HIPAA security and privacy and addresses the

impact of this bill to the financial and health care industry.

2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All‐Time Low

February 2010

ID Fraud continued to rise in 2009, with Javelin finding there are more victims than in any period since the survey began in 2003. Driving that

increase was new accounts fraud, which showed longer periods of misuse and detection and therefore more dollar losses associated with it

than any other type of fraud. Meanwhile the consumer costs, the dollar amounts the victim pays on average out‐of‐pocket, reached an all‐

time low. The Javelin 2010 Identity Fraud Survey Report provides a detailed, comprehensive analysis of identity fraud in the United States to

help consumers and businesses better understand the effectiveness of methods used for its prevention, detection and resolution. A

nationally representative sample of 5,000 U.S. adults, including 703 fraud victims, was surveyed via a 50‐question phone interview to gain

insight into this crime and the effects on its victims. This report, supported by the Better Business Bureau, is issued as a longitudinal update

to the Javelin 2005, 2006, 2007, 2008, and 2009 I.D. Fraud Survey reports and the FTC’s 2003 report.

Data Breach Notifications: Victims Face Four Times the Risk of Fraud

October 2009

If a consumer gets a data breach notification letter, he is four times more likely to suffer identity fraud within the next year. Data breach

notifications were intended to help consumers take protective action when their private data is exposed. But there seems to be a disconnect

between data breach notifications and consumer understanding of possible outcomes of data breaches. New data shows that consumers

who have received data breach notifications within the past year are at a much greater risk for fraud than the typical consumer. Yet, these

same consumers rarely attribute the fraud to their data breach exposure. This report also contains an update of data breaches for 2009,

implications of changes to the legislative landscape, and the technical means by which data breaches occur. Finally, a timeline of several of

the recent, most egregious data breaches in U.S. history (including who, how, where and when) is included.

RELATED RESEARCH



Affinion Kroll

ArcSight Lifelock

BNY Mellon McAfee

Check Point RSA

Cisco Sophos

CVS/ Pharmacy Splunk

Early Warning Services Symantec

eIQNetworks TJX

Equifax Trend Micro

Experian TrustedID

Heartland Payment Solutions Trustwave

IBM USPS

ID Experts Verizon

Identity Theft 911 Websense

Intersections Windows

Companies Mentioned

Documents

2010 Data Breach Prevention Response