Intro To Data Identity Theft Liability For Businesses
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Intro To Data Identity Theft Liability For Businesses



Data identity theft has surpassed illegal drug trafficking as the top criminal moneymaker. Most businesses do not understand the extent of their liability in both statutory fines and potential civil ...

Data identity theft has surpassed illegal drug trafficking as the top criminal moneymaker. Most businesses do not understand the extent of their liability in both statutory fines and potential civil liability to the victims. Businesses cannot entirely eliminate their risk of exposure, but they can institutionalize procedures that minimizes this risk. This is an introduction to the Texas law which is similar to laws in 40 other states.



Total Views
Views on SlideShare
Embed Views



4 Embeds 17 7 5 3 2



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Intro To Data Identity Theft Liability For Businesses Presentation Transcript

  • 1. Managing Risk: What Business Owners Must Know about Their Data Breach Liability
    Paula S. deWitte, J.D., Ph.D., P.E.
    Paula deWitte, P.L.L.C.
  • 2. Objective
    • Help business owners understand their liability to protect sensitive personal information (SPI) under the Texas Identity Theft Enforcement and Protection Act.
    • 3. Provide practical steps to safeguard your operations.
    What you don’t know can hurt you.
  • 4. Identity Theft Is Growing
    • U.S. Dept. of Veterans Affairs = 1,800,000 (11/07)
    • 5. Countrywide Home Loan == 2,000,000 (08/08)
    • 6. CO Div. of Motor Vehicles = 3,400,000 (7/08)
    • 7. Overall U.S. identities lost since Jan 2005 => 250,000,000
    • 8. Estimated $1 Trillion worth of data stolen (2008)
    • 9. Cybercrime up 53%
    • 10. Cost to repair average 2008 data = $6,600,000
    Statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.
  • 11. Who Are You?
    A business owner
    Who owns/licenses or maintains “sensitive personal information” (SPI).
    You may have security, both for the premises and for your computer/network.
    You may be liable to Texas and to the victim for security/data breaches – even if they do not result in identity theft.
  • 12. What is Sensitive Personal Information (SPI)?
    First initial and last name OR First name and last name
    Combined with any of:
    Social security number OR
    Drivers license number OR
    Account or credit card number in combination with any required security code, access code, or password that would permit access to that account.
  • 13. What Can Trigger Your Duties
    • Lost or stolen computer or laptop
    • 14. Improperly trashed or donated computers or computer parts without proper preparation
    • 15. Lost mobile devices, USBs, or CDs
    • 16. Weak, limited, or no data encryption
    • 17. Weak passwords
    • 18. E-mailing sensitive data to personal accounts
    • 19. Security or data breaches by someone who intentionally targets your organization
  • Texas Identity Theft Enforcement and Protection Act
    Runs almost eight pages
  • 20. Manage Your Risk
    Know the terms:
    Sensitive Personal Information
    Business duty
    Reasonable procedures
    Know what is required to comply with the law.
    You may be liable under the laws of another state!
    Currently, Massachusetts has the strictest law.
  • 21. Business Duty 1: Use “reasonable procedures”…
    • “..including appropriate corrective action to protect unlawful use or disclosure of any SPI collected or maintained by the business in the regular course of business.”
    • 22. Cannot be delegated.
    • 23. Liable for the actions of their employees, regardless.
  • What Is Reasonable?
    Reasonable to what standard?
    The business owner?
    The SPI owner (i.e., the potential victim)
    IT personnel?
    Information assurance (IA) experts?
    Prevailing public perception?
    Is there a standard?
  • 24. Reasonable Procedures
    • Must be in writing.
    • 25. Protect against anticipated threats or hazards.
    • 26. Consider administrative, technical, and physical.
    • 27. Consider all aspects of the SPI -- collection, storage, access, use, transmission, and protection.
    • 28. Institutionalize procedures.
    • 29. Audit.
  • Continuous Process
    Have a written information security program (WISP).
    Have a third party test your systems.
    Document the problems.
    Fix the problems.
    Conduct periodic reviews.
  • 30. Business Duty 2: Destroy or Arrange for the Destruction…
    “…of customer records by shredding, erasing, or “otherwise modifying the sensitive PI in the records to make the information unreadable or indecipherable through any means”
  • 31. How to Properly Destroy
    What works?
    What doesn’t work?
  • 32. Business Duty 3: Notify Potential Victims
    “… after discovering or receiving notification of that breach … as quickly as possible”
  • 33. Notification
    How do you discover a breach?
    What constitutes “receiving notification of that breach”?
    What does “quickly as possible” mean?
    How do I notify potential victims?
  • 34. What Does the Attorney General Tell an Identity Theft Victim To Do
    Create a written criminal report to protect themselves from being denied credit.
    File report with the Federal Trade Commission.
    Collect as much evidence as possible. This evidence can be used against you!
  • 35. Your Liability
    • Statutory fines to Texas
    • 36. To the SPI Owner:
    • 37. Lost income
    • 38. Expenses of fixing credit
    • 39. Attorney fees
    • 40. Possible treble damages under DPTA
    • 41. Your consequences:
    • 42. Loss of revenue and reputation
  • What SPI Do You Routinely Maintain?
    • Employee Records
    • 43. Every employee record has the employee’s name and social security number
    • 44. Customer Information
    • 45. Credit card numbers
    • 46. Discovery Documents
    • 47. Statutory exceptions:
    • 48. Statue excludes publicly available information available from federal, state, or local governments
    • 49. Excludes encrypted data
    • 50. No statutory definition for “encryption”
  • Do Not Rely on the Encryption Exception
    Encryption is not a yes/no category.
    Encryption is a continuum from weak to strong.
    True encryption requires encryption throughout system; one piece of your system that is not encrypted renders the entire system vulnerable.
  • 51. Your Biggest Hidden Security Threats
    Social engineering: Unintentional and by those you trust
    Insider threat: Intentional and by those internal to your enterprise
  • 52. What Do You Do?
    • Understand your risk.
    • 53. Understand what the law requires.
    • 54. Use industry best practices to protect SPI.
    • 55. Institute a continuous security process.
    • 56. Designate an in-house data security coordinator.
    • 57. Conduct periodic audits to review your systems.
    • 58. Have a written plan/process.
    • 59. Store only SPI that your business needs.
    • 60. Buy insurance.
  • Conclusions
    It is too big of a risk to businesses to ignore their potential liability
    The law is evolving while the problem with identity theft grows.
  • 61. Contact
    Paula deWitte, P.L.L.C.
    Office: 713.706.6248
    Cell: 512.633.3791