2008 International Conference Golden Opportunities or Fool’s Gold? • November 5-7, 2008 • San Francisco Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses


Page 1: Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses

2008 International Conference
Golden Opportunities or Fool’s Gold? • November 5-7, 2008 • San Francisco

Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses

Page 2

Preventing the Unpreventable

Moderator:
• Toby Merrill, Assistant Vice President, ACE USA

Panel:
• Tanya Forsheit, Esq., Partner, Proskauer Rose LLP
• Mark Greisiger, MS, President, NetDiligence
• Stephen Haase, MS, CEO, INSUREtrust.Com, LLC
• Roxanne Westfall, Vice President, Axis Reinsurance

Page 3

Overview

• Brief Introduction

• Best Practices for Data Security

• Responding to the Eventual Data Breach

• Evaluating Legal Liability Exposures

• Q&A

Page 4

Best Practices for Data Security

Page 5

Best Practices for Data Security

Why the Problem… the Internet’s Open Network

• Many companies have a transactional website
• Businesses collect and store customer private data
  – More data often collected than needed
  – Data often stored for too long
• Business servers (websites) are very porous and need constant care (hardening & patching). 4 out of 5 fail our scan test
• IDS is very weak (many businesses learn of a breach months/years too late)
• Bad guys rely on the prevalence of human error
  – Unchanged default settings
  – No applied patches
  – Customer private records (paper) improperly disposed of (dumpster)

“95% of all network intrusions could be avoided by keeping systems up-to-date” (CERT)

Page 6

Best Practices for Data Security

Computer Crime Studies
• Deloitte (2007 Global Security Survey of Large FIs) (169 ct):
  – 70% reported repeated external breaches
• E&Y (1300 companies) 2007 Global survey on ‘Top privacy drivers’
  – 64% compliance with regulations
• PWC The global state of information security 2007 (7200 respondents)
  – Cause of event: employee/contractor 84%, vs. hacker 40% (conflicts with Verizon study)
• Identity Theft Resource Center
  – Total breach reports for 08 is 69% greater than 07
• Kroll Fraud Solutions Study 2008 (263 healthcare sector companies)
  – 56% of companies DO NOT report a breach of private data. Regulatory ‘loopholes’ are partly to blame (or failure of IDS process is my thought)
• UK Breach Study 2008
  – Average cost per breach -- $2.7 million
• FDIC Technology Incident Report
  – Average bank loss per incident = $30,000
• University of Toronto's business school (300 Canadian-based companies)
  – Average public corporation = $637k per yr

CEOs seem to think their enterprises are a lot more secure than CIOs and security leaders do… (PWC report)

Page 7

Best Practices for Data Security

Verizon Business Forensics Study

• Threat Source
  – 73% resulted from external sources
  – 39% implicated business partners
• Causes of Loss
  – 62% significant error
  – 59% hacking/intrusions
• Unknown Unknowns: 9 out of 10 data breaches involved one of the following:
  – A system impacted that was unknown to the org
  – Stored data which the business did not even know existed on their system
• The Aftermath
  – 75% of breaches not discovered by the business (discovered by 3rd party)
  – 87% of breaches were avoidable through reasonable controls (patch was available)

Page 8

Best Practices for Data Security

Common Weak Spots – Intrusion Detection System
• IDS - security software used to detect malicious activities against a computer system. It is an ‘early warning system’. An IDS works by collecting/logging and analyzing network data and audit logs to detect signs of attack and anomaly.
• Problems:
  – FTC and plaintiff lawyers (class action suits) often cite ‘failure to detect’
  – Studies show that 75% of KNOWN breach events are NOT detected by the company, but by 3rd parties
  – Bigger issue: many more go undetected completely, because of a lack of IDS policy & technology.
• Why a problem:
  – Some companies’ IDS can log millions/billions of events against their network each month.
  – How does an IT security manager reasonably review & respond to the ‘serious’ incidents?
  – Need the capability to filter, correlate & prioritize key events. Need manpower.
• False positives: events that appear to be harmful, but are actually quite harmless. An IDS can alert to more than 70% false positives. Tuning an IDS to reduce false positives takes time (months).
  – Outcome: InfoSec managers can often dismiss a real attack as another false alarm.
• False negatives: events that go undetected by the IDS because the IDS "did not see any match".
• Vast data: an IDS outputs a large amount of audit data that often must be analyzed and examined by human operators to detect intrusions and misuse.

Page 9

Best Practices for Data Security

Common Weak Spots – Patch Management

Patch Management - Challenges:
• Complexity of networking environments: Network professionals are responsible for a wide variety of hardware, OS and applications.
• Lack of time: Gartner Group estimates that: “IT Mgrs spend an avg of 2 Hrs per day managing patches.”
• Frequency: The vast number of patches that are released can be daunting.
  – CERT determined that patches are being released on avg. about every 5.5 days.
  – Problem: Time to research what vulnerabilities exist, what patches (if any) are available
  – According to Intel, “researching each of the 4,200 vulnerabilities published by CERT for only 10 minutes would have required 17.5 weeks, or 700 hours of a researcher's time.”

Source: SANS

Good Method
• Inventory of all hardware, operating systems and applications that exist in the network
• A daily process to identify vulnerabilities in hardware, operating systems and applications.
• A procedure for testing patches prior to deployment (many fail or break apps).
• A process for timely deployment of patches and service packs, as well as a process for verification of deployment.
• Automate via open source or commercial tool

“My company has 45 (Windows 2000) servers and I was spending roughly 2 hours per day keeping them updated. And that was for Critical updates only…”
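The "Good Method" list above is a loop: inventory, identify what is below the fixed version, test on a canary before deploying fleet-wide, then verify by re-running identification. The following is an added Python example of that loop, not code from the presentation or from any panelist. The inventory, advisory feed, version numbers, hostnames and per-severity SLA days are constructed assumptions, and the advisory ids are placeholders rather than real advisory numbers.

```python
"""Added example (not from the presentation): the inventory -> identify ->
test -> deploy -> verify patch cycle, with a per-severity SLA check. Inventory,
advisories, versions, hostnames and SLA days are constructed assumptions."""
import copy
from dataclasses import dataclass
from datetime import date

TODAY = date(2008, 11, 5)  # assumed "today" for age/SLA arithmetic

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "web-01": {"httpd": "2.0.58", "ssl-lib": "1.0.3"},
    "web-02": {"httpd": "2.0.63", "ssl-lib": "1.0.3"},
    "db-01":  {"db": "5.0.45", "ssl-lib": "1.0.4"},
}


@dataclass(frozen=True)
class Advisory:
    id: str          # placeholder id, not a real advisory number
    product: str
    fixed: str       # first version that is no longer affected
    severity: str    # "critical" | "high" | "medium"
    published: date


# Constructed advisory feed (the "daily process to identify vulnerabilities").
ADVISORIES = [
    Advisory("ADV-0001", "httpd", "2.0.63", "high", date(2008, 10, 1)),
    Advisory("ADV-0002", "ssl-lib", "1.0.4", "critical", date(2008, 10, 20)),
    Advisory("ADV-0003", "db", "5.0.67", "medium", date(2008, 9, 1)),
]

# Assumed policy: days allowed between publication and fleet-wide deployment.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def version_tuple(v: str) -> tuple:
    """Numeric dotted versions only (an assumption for this example)."""
    return tuple(int(p) for p in v.split("."))


def fresh_inventory() -> dict:
    """A private copy of the constructed inventory, so rollouts can mutate it."""
    return copy.deepcopy(INVENTORY)


def is_affected(products: dict, adv: Advisory) -> bool:
    installed = products.get(adv.product)
    return installed is not None and version_tuple(installed) < version_tuple(adv.fixed)


def outstanding(inventory: dict, advisories: list, today: date = TODAY) -> list:
    """Identify: every (host, advisory) pair still below the fixed version,
    overdue items first, then by severity, then oldest first."""
    rows = []
    for host, products in inventory.items():
        for adv in advisories:
            if not is_affected(products, adv):
                continue
            age = (today - adv.published).days
            rows.append({
                "host": host, "advisory": adv.id, "product": adv.product,
                "installed": products[adv.product], "fixed": adv.fixed,
                "severity": adv.severity, "age_days": age,
                "overdue": age > SLA_DAYS[adv.severity],
            })
    rows.sort(key=lambda r: (not r["overdue"], SEVERITY_RANK[r["severity"]], -r["age_days"]))
    return rows


def rollout(inventory: dict, adv: Advisory, health_check, canary: str) -> dict:
    """Test, then deploy: patch one canary host, run the health check, and only
    touch the rest of the affected fleet if the canary still works. A failed
    check rolls the canary back and aborts (the "many fail or break apps" case)."""
    affected = [h for h, p in inventory.items() if is_affected(p, adv)]
    if canary not in affected:
        return {"patched": [], "aborted": True, "reason": "canary not affected"}
    before = inventory[canary][adv.product]
    inventory[canary][adv.product] = adv.fixed
    if not health_check(canary):
        inventory[canary][adv.product] = before
        return {"patched": [], "aborted": True, "reason": f"health check failed on {canary}"}
    for host in affected:
        inventory[host][adv.product] = adv.fixed
    return {"patched": affected, "aborted": False, "reason": ""}


def verify(inventory: dict, advisories: list, today: date = TODAY) -> list:
    """Verify deployment by re-running identification; an empty list means clean."""
    return outstanding(inventory, advisories, today)


if __name__ == "__main__":
    inv = fresh_inventory()
    for r in outstanding(inv, ADVISORIES):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f"{flag:8} {r['host']:7} {r['advisory']} {r['product']} "
              f"{r['installed']} -> {r['fixed']} ({r['severity']}, {r['age_days']}d)")
    print(rollout(inv, ADVISORIES[1], lambda host: True, canary="web-01"))
    print("still outstanding:", [(r["host"], r["advisory"]) for r in verify(inv, ADVISORIES)])
```

The verification step is deliberately the same function as identification: a patch counts as deployed only when the inventory, re-read after the rollout, no longer reports the host as affected. The health check is a callable so a real run can plug in a service probe; in the example it is a stand-in.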

Page 10

Best Practices for Data Security

Key Regulations

• Older:
  – SOX
  – GLBA 501b (1999)
  – HIPAA Security Rule (1996)
  – Federal Trade Commission Act
• State-level ‘breach notice’ laws
  – 45 states require notice to customers after unauthorized access to NPI
• Payment Card Industry Data Security Standard
• Fair And Accurate Transaction Act of 2003 (FACTA)
  – Truncation
  – Disposal
  – Identity Theft ‘Red Flags’ Program
• (NEW/PROPOSED) Identity Theft Enforcement and Restitution Act
  – Approved in a unanimous vote by the U.S. Senate (August 08)
  – Bill would allow identity theft victims to seek restitution in federal court for the loss of time and money spent in restoring their credit.

Page 11

Best Practices for Data Security

Year   Records Lost/Stolen   Records Per Second   Incidents Reported   Incidents Per Week   State Laws (Notice of Breach)
2008   15,121,627            1.08                 132                  5.7                  45
2007   162,563,703           5.15                 324                  6.23                 38
2006   49,679,260            1.57                 346                  6.65                 30
2005   55,986,942            1.77                 138                  2.65                 11
2004   31,895,900            1.01                 21                   0.40                 1
2003   6,405,000             0.20                 11                   0.21                 1
2002   4,960                 0.00                 3                    0.06                 0

Page 12

Best Practices for Data Security

Loss Prevention Approach

Proactively Assess Safeguard Controls Surrounding:
• People: dedicated info sec personnel; background checked; proper security budget and vigilant about their job!
• Processes: enterprise ISO 27002, GLBA/HIPAA ready; policies enforced daily; employee education/training; change management processes, etc.
• Technology: managed firewall with proven IDS/IPS, hardened & patched servers (tested), event logging, ‘data at rest’ is encrypted, redundancy/hot-site.

Page 13

Best Practices for Data Security

Where to Begin... A Wide-Angle Assessment

Self-Assess Key Areas of Impact
• e-records management programs
• compliance (GLBA; SB 1386; PCI)
• disaster recovery planning
• privacy breaches (PR, communications, response)
• information security: ensuring the organization is investing in baseline or vital safeguards (encryption of laptops with NPI etc.).

Lesson - not just IT's responsibility

Risk Profile

Page 14

Best Practices for Data Security

No Longer a Function of IT… Risk Manager a Key Stakeholder

• Corporate culture
• Information (paper & data) management
• Integration of physical and technical security
• Regulatory compliance (GLBA, HIPAA, SOX, PCI, FACTA)
• Service provider & partner compliance with your requirements

Risk Mgr Mitigation Efforts

• Assess & test
• Inventory of assets: data, systems, applications
• Effective privacy policy
• Employee training
• Quarterly pen testing (know the hacker’s view)
• Encrypt & detect
• Review of your ASPs’ & partners’ own safeguards

Page 15

Best Practices for Data Security

(Discussion)

Page 16

Responding to the Eventual Data Breach

Page 17

Responding to the Eventual Data Breach

• Obtaining qualified expertise
• Investigating the event
• Securing the network
• Identifying and notifying affected individuals
• Providing necessary services
• Developing a formal Data Breach Response Plan

Page 18

Responding to the Eventual Data Breach

• Unlikely your firm will avoid security breaches
• Preplanning is essential
  – choose resources familiar with your business and that have proven expertise with security breaches
  – prenegotiate rates and fees
• Consider insurance
  – may pay for most of these services (balance sheet protection)
  – may offer access to experts in the field
• Test the plan
  – similar to a fire drill.

Page 19

Responding to the Eventual Data Breach

• Determine scope of the breach.
  – How reliable is the information?
  – DSW and TJ Maxx kept increasing their estimates of how many customers were affected.
• Can the IT department mitigate the loss?
  – Can they identify the access point?
  – Did it occur at your facility or a hosted site?
• Notify affected parties and provide meaningful resources to resolve future problems.

Page 20

Responding to the Eventual Data Breach

• Determine when or if your organization needs to disclose the breach to the affected individuals or businesses.
  – Should an organization always send notification? If so, when?
  – Opinions vary; however, the FTC offers some specific guidelines.
• Use the legal representatives on your data breach response team to determine the following:
  – State and federal laws and regulations that are applicable
  – The probability that the information has been, or will be, misused
  – Whether regulators and customers need to be informed about the data breach, and developing the content of those communications
  – Contractual obligations of the organization to disclose the data breach

Page 21

Responding to the Eventual Data Breach

Disclosing the Breach

• Unfortunately, there is no set standard for disclosure at the federal legislation level, though there are several bills up for consideration.
• What this means for your organization is that you must determine what disclosure policies to follow, especially if your organization conducts business across multiple states or around the world.
• ChoicePoint, an Alpharetta, GA based data aggregator and reseller of personal information, decided to send notices to over 163,000 people affected by their much-publicized data breach two years ago. According to Vice President for Compliance Christopher Cwalina, the company followed the only legislation available at the time.

Page 22

Responding to the Eventual Data Breach

Key considerations when responding to a data breach:

• Identify the applicable data breach disclosure law(s) and requirements
  – Depending on the applicable data breach notification laws, your organization may be required to follow a data disclosure plan.
  – The response team (legal, PR, or third party) may be required to disclose the breach via letter, email, or other mandated communication method to customers, legal organizations, third-party partners, State AG, FTC, etc.
• Manage data breach disclosures
  – Research your organization's state data breach notification laws first.
  – Follow guidelines of organizations like the FTC, SEC, FDIC, PCI DSS, etc.
• Understand magnitude of disclosure
  – When making the decision as to when/if your organization should disclose the data breach, remember that the bad press, negative exposure and millions of dollars that could be lost in fines and judgments in class action lawsuits far outweigh the fallout from notifying the affected parties about the breach.
  – The quicker the notification, the easier damage control will be between the organization and the customer.

Page 23

Responding to the Eventual Data Breach

Perform an audit after the event
• Once the data breach is contained and letters sent to the affected customers, businesses, law enforcement and any other third-party entity, this is the time for all members of the rapid response team to document the data breach from beginning to end.
• Each member of the team should maintain a log that contains the following information:
  – All information concerning the specific breach
  – All procedures followed, from the beginning to the containment and aftermath of the data breach.
  – Document any outsourcing to third-party companies which took place during the breach, and add any documentation from said third party concerning the data breach.
  – Document problem areas, if any, within your department.
  – Publish a list of any resources used during data breach notification, such as the FTC website, or other information, and supply it to the rapid response team, customers and third-party vendors.

Page 24

Responding to the Eventual Data Breach

Harvard Business Review Case Study: “Boss, I Think Someone Stole Our Customer Data”

• Data breach suspected when a bank discovered that the company was a common point of purchase for fraudulent credit card accounts.
• Executives are prepared to deal with stolen property, but in this case the allegation is that data had possibly been obtained from Flaxton’s network – no actual crime seen to confirm it.
• Flaxton would not have caught this unless a third party reported it, as the fraudulent purchases were being made elsewhere.
• It could take months before anyone detects the breach.

Harvard Business Review, September 2007 – “Boss, I Think Someone Stole Our Customer Data” by Eric McNulty
http://harvardbusinessonline.hbsp.harvard.edu/b01/en/common/item_detail.jhtml?id=R0709X&referral=2342

Page 25

Responding to the Eventual Data Breach

Harvard Business Review Case Study:

• The company is now challenged with answering the following questions (all at the SAME TIME):
  – Did the breach happen at our company?
  – How extensive was it?
  – Who do we have to notify?
  – How do we prevent further damage?
  – Where do we go for help?
  – Authorities want them to continue to operate so they can possibly catch the perpetrators. If they do, does this put them at more risk?

Page 26

Responding to the Eventual Data Breach

Harvard Business Review Case Study:

• How does the company defend itself?
  – Are they PCI compliant? Since testing a network is like a shower - unless you take one every day IT WEARS OFF
  – Now that the press is aware of this, how do they rebuild the loss of trust with third parties?
  – They struggle with the possible causes of the breach:
    • A firewall was turned off
    • There were some disgruntled former employees
  – Without a definitive cause, proof of a breach, or definitive size of the breach – are they obligated to notify third parties?
  – If not obligated to notify, should they do it anyway?
  – If they don’t report it – the press will leak it anyway.

Page 27

Responding to the Eventual Data Breach

Harvard Business Review Case Study – The Experts:

• “How you react to a breach is much more important than what actually happened.”
  James E. Lee, Chief Public and Consumer Affairs Officer of ChoicePoint
• “Businesses that are serious about protecting their data and preserving the data’s value should have a high-level official, such as a director or a vice president of information protection, who serves not merely as a manager but as a senior champion in this area.”
  Bill Boni, Corporate Information Security Officer of Motorola
• “Making data security a priority for the future – and communicating the specific policy changes that flow from that - may allow the company to become recognized as a leader in this area.”
  former President and CEO of Visa USA
• “The companies that are sued are not those that quickly disclose a breach but, rather, those that do so poorly.”
  Executive Director of the Identity Theft Resource Center

Page 28

Responding to the Eventual Data Breach

(Discussion)

Page 29

Evaluating Legal Liability Exposures

Page 30

Evaluating Legal Liability Exposures

• State data breach requirements have spawned a number of private suits, including class actions.

• Suits can arise from consumers, employees, business partners, financial institutions, shareholders, regulatory agencies, and more.

• Courts frequently, but not always, find injury too speculative and damages not sufficiently demonstrated.

Page 31

Evaluating Legal Liability Exposures

Why Privacy Class Actions are Tempting to Plaintiffs’ Bar:

• No clear uniform standard of care

• They see a natural “class” of all those who got a notice

• Breach notification letter viewed as an admission of negligence

• Playing on public anxiety about identity theft

• For consumers, remedy sought is credit monitoring

• Most common complaints include:
  – Negligence

– Invasion of privacy

– Breach of contract

– Breach of fiduciary duty

Page 32

Evaluating Legal Liability Exposures

Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007)

• Plaintiffs sought damages for potential economic losses and emotional distress/anxiety caused by potential misuse of personal information by third parties. No allegation of existing loss or identity theft.
• Alternatively, plaintiffs sought cost of credit monitoring
  – Court concluded: “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at 637.

Page 33

Evaluating Legal Liability Exposures

Pisciotta v. Old Nat. Bancorp

• Pisciotta conclusion regarding damages and injury consistent with other decisions in various district courts:
  – Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn.2006);
  – Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 712-13 (S.D.Ohio 2007) (entering summary judgment for the defendant because the plaintiff had failed to demonstrate an injury);
  – Guin v. Brazos Higher Educ. Serv. Corp., Inc., 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished) (same);
  – Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775, 783 (W.D.Mich.2006) (dismissing an action where “[t]here is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss”).

Page 34

Evaluating Legal Liability Exposures

Pisciotta decision departs from other district courts that held data breach plaintiffs lacked Article III standing for failure to allege injury in fact:

• Held that alleging “threat of future harm or . . . act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced” sufficient to allege injury in fact.

• Drew upon cases considering toxic torts and medical monitoring, not data breaches.

• Some courts considering data breaches have reached the opposite conclusion. See examples:

– Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 10 (D.D.C.2007);

– Bell v. Acxiom Corp., 2006 WL 2850042, at *2 (E.D.Ark. Oct.3, 2006) (unpublished);

– Giordano v. Wachovia Sec., LLC., 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (unpublished);

– Key v. DSW, Inc., 454 F.Supp.2d 684, 690 (S.D.Ohio 2006).

Page 35

Evaluating Legal Liability Exposures

Shafran v. Harley-Davidson, Inc., No. 07 Civ. 01365, 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008)

• Dismissed the plaintiff’s lost laptop lawsuit because it found that the alleged claimed injury – credit monitoring costs sought to protect against speculative identity theft that might occur because of the data loss – was not actual, legally cognizable injury.

• "Courts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff has not presented any case law or statute, from any jurisdiction, indicating otherwise. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur. Plaintiff has failed to show an actual resulting injury that might support a claim for damages. As damages are an essential element of each of plaintiff’s claims, plaintiff’s claims fail as a matter of law."

Page 36

Evaluating Legal Liability Exposures

Stollenwerk v. Tri-West Healthcare Alliance, Case No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007) (unpublished)

• Affirming summary judgment for defendants with respect to plaintiffs who failed to provide evidence of injury, but reversing summary judgment with respect to the plaintiff who produced evidence from which a jury could infer a causal relationship between the theft of the hard drives and the incidents of identity fraud the plaintiff suffered following the Tri-West burglary.

• “Brandt need not show [under Arizona law] that the Tri-West burglary was the sole cause of the identity fraud incidents, only that it was, more likely than not, a ‘substantial factor in bringing about the result,’ . . . and a factor ‘without which the injury would not have occurred.’”

Page 37

Evaluating Legal Liability Exposures

Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008)

• Holding that plaintiff’s allegation that the defendant's loss of his social security number placed him "at an increased risk of identity theft” sufficiently pled "injury in fact" to establish standing and survive a motion to dismiss his negligence claim.

Page 38

Evaluating Legal Liability Exposures

Data Breach Settlements

• TJX Settlement
  – On January 17, 2007, hackers stole personal and financial data of approximately 45.7 million consumers.
  – Breach possibly result of unsecured wireless network in store.
  – Proposed settlement would provide credit monitoring for some consumers, worth approximately $177 million. Monitoring package worth $389.95, according to company official.
  – Would provide cash and/or store vouchers
  – November 30, 2007 News: TJX to pay up to $40.9 million to fund
• CS Stars LLC Settlement with New York AG
  – On May 9, 2006, a CS Stars employee noticed a computer was missing. Company waited until June 29, 2006 to notify NY Special Funds Conservation Committee, who owned the data, or the FBI.

Page 39

Evaluating Legal Liability Exposures

Data Breach Settlements

• CS Stars LLC Settlement (cont’d)
  – The NY AG determined that the data was not improperly accessed.
  – However, CS Stars was subject to action by the NY Attorney General because it failed to notify Special Funds, the owner of the data.
  – CS Stars and the AG settled the case on April 26, 2007.
    • $60,000 to the AG’s office for costs of investigation
    • Implementation of precautionary measures
    • Injunction requiring compliance with NY’s breach notification laws.
• BJ’s Wholesale Club, Inc. Settlement
  – Counterfeiters obtained the credit and debit card information of thousands of BJ’s Club members and used magnetic strip information to make millions of dollars of fraudulent purchases.
  – Settlement required BJ’s to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

Page 40

Evaluating Legal Liability Exposures

(Discussion)

Page 41

Takeaways

• Preventing the unpreventable
• Most data breaches are easily avoidable
• Keep sensitive information secure (KISS)
• Develop the proper controls (organizational, administrative and electronic)
• Best response comes from proper planning
• Response will most likely drive legal liability

Page 42

Q & A

Page 43

Many Thanks to

• Toby Merrill

• Tanya Forsheit

• Mark Greisiger

• Stephen Haase

• Roxanne Westfall