This whitepaper goes over the facts about data breaches and identity theft, offers ways to prevent them from happening, and offers ways to do damage control after one does. http://www.nafcu.org/affinion
Has your credit union considered how member relations, legal compliance and brand reputation might be affected during a data breach? In this 2012 NAFCU Technology & Security Conference session recording you will learn about the risks of data breaches and how they could impact your credit union. http://www.nafcu.org/affinion
Lost laptops, misplaced paper records, cyber theft - breaches are a fact of life. But they don't have to be a disaster. Breach veterans know that the impact of a data loss event is substantially determined by what happens in the 48 hours after you find out about it. Get things right, and even a substantial and public breach can be weathered gracefully. Mess things up, and a small breach can turn into a nightmare.
This webinar will review critical steps organizations can take in the wake of a breach. Our featured speaker will be privacy and compliance expert, Deb Hampson who is an AVP & Assistant General Counsel at The Hartford. Don't miss this opportunity to learn best practices from a proven professional.
Breaches happen to the best of us. Occasionally they're large, headline grabbers with significant financial impact. For example, last week a payments processor revealed that it took an $84.4 million charge related to a breach it disclosed earlier this year. As a result of this charge, the firm's quarterly profit fell 90%. But even small breaches can be incredibly painful. Last year a local newsstand suffered a small breach. The resulting $22,000 in expenses cut profits in half.
Though we can't prevent breaches, we can certainly prepare for them to minimize the damage and stress. In fact, breach management pros are so good at this that a breach situation doesn't bring the organization to its knees - they take it in stride.
This webinar will reveal how you can do the same. Based on time in the trenches at a major retailer, our featured speaker will share with you a breach preparation process with specific tactics for its implementation. You'll learn what team members you'll need, how to recruit them, what data you'll need to collect, how to put together a communication plan, and more.
Our featured speaker for this timely Webinar is:
Bob Siegel, Privacy Strategist & Principal, Privacy Ref
formerly Sr. Mgr of WW Privacy & Compliance at Staples
CIPP/US, CIPP/IT
Blogs at: http://privacyref.com/
To ensure that electronic documentation and records are accessible only to those who are authorized, and restricted from everyone else.
Nevertheless, there is a necessity to balance this against the enterprise's need to use and share the information.
What Not-for-Profits Can Do To Prevent "Uninspired" Theft (CBIZ, Inc.)
This presentation showcases the reasoning for and the importance of cybersecurity in the not-for-profit sector. Case studies reinforce the importance of being ahead of the curve when managing cyber risk.
An exclusive presentation by Keith Swanson, Director, Financial Crimes, SAS South Asia, on Big Data, Big Analytics & Bad Behaviour - Fighting Financial Crime.
The purpose of this paper is to review the topic of data breach from two perspectives: first, an overview of the trends in data breach litigation, and second, a more granular perspective of practical data protection processes that may serve as a guidepost to help reduce the likelihood of a data breach. Taken together, these show the reader why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit (NationalUnderwriter)
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit by Lynda Bennett
2014 ended almost the same way that it began for most companies – having concerns about cyber security and hackers. At the beginning of the year, the news cycle was focused on breaches that took place in the consumer product space as Target, Michael’s, Neiman Marcus, and Home Depot worked fast and furious to address breaches that led to concerns about a massive amount of credit card information possibly being “in the open.” Later in the year, we learned that corporate giants like JPMorgan Chase and Apple were not immune from cyber security breaches as still more personally identifiable information and very personal photographs were released into the public domain. Finally, as 2014 drew to a close, the entertainment industry was further rocked by the cyber-attack on Sony Corp., which led to even broader concerns about national security and terrorist threats.
It’s important to establish the balance sheet for security leadership to measure, monitor and report. Insurance is an important component of protecting the balance sheet. Don’t believe all of the fake news about cyber-insurance. This session will take you from theory to practice and show how partnering with the insurance industry provides practical benefits to security leaders, if you let it.
Learning Objectives:
1: Learn how to map cyber-risks to financial impacts.
2: Learn how to determine if your insurance covers the impact from an incident.
3: Overcome common myths around cyber-insurance and claims.
(Source: RSA Conference USA 2018)
New York State Department of Financial Services Expands Its Cyber Focus to In... (NationalUnderwriter)
New York State Department of Financial Services Expands Its Cyber Focus to Insurers by Eric R. Dinallo, Jeremy Feigelson, David A. O’Neil, Jim Pastore, and Jordan R. Friedland
The New York State Department of Financial Services (“DFS”) recently announced a major expansion of its cybersecurity efforts: DFS will require insurers to respond to a special “comprehensive risk assessment” on cybersecurity, with those assessments to be followed by an enhanced focus on cybersecurity as part of DFS’s regular examinations of insurers. DFS’s announcement expands to insurance the increasingly rigorous approach it has recently applied to banks in the area of cyber security. More importantly, it offers critical guidance to all industries about what regulators will consider adequate precautions and preparation in this area.
Regulation raises the risk for global subsidiaries (Nair and Co.)
Reacting to the global debt crisis, the global economic slowdown and increasing financial corruption, foreign governments have revamped regulations to stop fraud and protect their market share of key industries.
The state of privacy and data security compliance (FindWhitePapers)
With new privacy and data security regulations increasing, organizations are asking questions. Do the new regulations help or hinder the ability to protect sensitive and confidential information? With these new regulations on the march, how can you remain competitive in the global marketplace? This report provides answers and examines how compliance efforts can impact a company's bottom line.
An exclusive presentation by Mr. Mazhar Leghari, Business Development Solution Manager, SAS Middle East FZ LLC, on ‘Building for Success: The Foundation for Achievable MDM’. The presentation was made at SAS Forum India 2013.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... (Don Grauel)
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Cyber Security Planning: Preparing for a Data Breach (Fletcher Media)
Presented by Clark Insurance in Portland, Maine, this two hour seminar featured lead panelists in the privacy security business.
This presentation reviews all aspects of a data breach, from preparation and discovery through plan implementation, cyber insurance, crisis communication, and PR policies and protocols.
Social Security benefits and how to claim them is becoming a prominent topic in the national discussion about baby boomers’ financial retirement readiness. It doesn’t take much searching to find articles that describe strategies for maximizing Social Security, perhaps because of the devastation of millions of boomer nest eggs during the Great Recession. Securian Financial Group wanted to find out if boomers now see Social Security as a strategic element of retirement income planning. For more info: www.nafcu.org/securian
Although Sony seemed to dominate the cyber-security headlines of 2014, it was just one of many corporations infiltrated by an increasingly sophisticated and driven pool of hackers. J.P. Morgan Chase, Home Depot, and Target also top the list of businesses struggling with data breaches.
The most recent major cyberattack, against Anthem Healthcare, shook the insurance industry. In a rare show of honesty, the insurer began alerting customers and the media to the potential of a data breach just eight days after it first noted suspicious activity on Jan. 27, 2015.
Immediately upon discovering it had been attacked, Anthem jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems, said president and CEO Joseph Swedish in a statement.
Noting the importance of protecting financial institutions, New York's Department of Financial Services responded to the Anthem breach by announcing its intent to integrate regular assessments of cyber-security preparedness at insurance companies as part of its examination process. It will also enforce "enhanced regulations" on insurers based in New York.
"Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses," said Benjamin M. Lawsky, New York State's superintendent of financial services, in a statement. He continued, "Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data."
Most people might expect that larger insurers, given the sensitive customer information they handle, would boast robust cyber-security programs. This is not necessarily true.
As part of its investigation, the Department found that 95% of insurers already think they have sufficient staff for information security, and that just 14% of CEOs receive monthly briefings on data security. Anthem, the nation's second-largest health insurer, had not even encrypted its database containing nonmedical data. It claims that HIPAA did not require it to do so.
While experts believe that Anthem was exclusively targeted in its attack, there is no doubt that all financial institutions are at risk. Here are eight things to know as the industry enters a year of increasingly heightened cyber-vulnerability.
Edelman Privacy Risk Index Powered by Ponemon (Edelman)
The Edelman Privacy Risk Index℠ is a global study that reveals many organizations lack the business behaviors and compliance practices necessary to adequately address growing consumer and regulatory concerns about data security and privacy.
The Edelman Privacy Risk Index℠ is a global study on the subject of data security and data privacy. For the study, the responses of 6,400 people responsible for data protection and data security at companies in 29 countries were evaluated by the independent research organization Ponemon Institute.
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets (Puneet Kukreja)
As organisations today connect digitally, the concept of a network is fast disappearing. Mobile and Cloud solutions are being enabled across the enterprise to aid digital agendas. Calls for agility by the business are driving CIOs and CISOs to look for effective trust-based service enablement models that can help cater to business demand.
Learn from the largest subservicer how best to evaluate and select the right subservicing partner for your credit union based on your portfolio, investor mix, product range and other key selection factors.
Nearly one-third of Americans surveyed by Securian Financial Group say they haven’t thought about what would happen to their debt if they – or their cosigners – were to pass away unexpectedly. Fewer than 13 percent say they have taken steps to protect themselves from the sudden loss of a borrower.
With the tsunami of new regulations from NCUA and the CFPB, getting good at compliance is becoming a key success factor for credit unions. In this podcast and presentation from the 2013 NAFCU Annual Conference, Toné Gibson explores how your credit union can develop a cost-effective approach to strike a better balance between compliance and operational efficiency. Through the utilization of three methodologies – strategic development, process excellence, and performance management – learn in detail how to reduce the cost of compliance.
Wolters Kluwer Financial Services is the NAFCU Services Preferred Partner for Consumer and Member Business Lending & Deposit Services. More educational resources and contact information are available at www.nafcu.org/wolterskluwer.
Consumers are willing to pay for services that they find either add convenience or deliver value. In this podcast and presentation from the 2013 NAFCU Annual Conference, Dave Schneider, Brent Dixon, and Paul Muse discuss how to expand your credit union's credit and debit opportunities and explore innovative products that can help guide your future credit union operations, including new approaches to increasing penetration, activation, and usage of the fundamental card. Also, learn to leverage new payment options that will appeal to Gen Y consumers, including Internet PIN debit, PINless at the point of sale, and payments and delivery of service through mobile.
Succession planning is the right people at the right time doing the right work. In this podcast and presentation from the 2013 NAFCU Annual Conference, Deedee and Peter discuss how you can develop a strategic organizational succession plan to ensure the successful transition of key leadership for your credit union. This session covers an overview and best practices, levels and types of planning, board evaluation, behind-the-scenes conversions, and the integration of board succession planning with CEO succession planning.
Rising Above Uncertainty: Opportunities and Challenges for Credit Unions in P... (NAFCU Services Corporation)
The retail financial services market is in a transformative period where new stakeholders and business models are reshaping the industry. Credit unions still have the opportunity for retention and growth, but must continue to compete. In this presentation, you will get an in-depth look at key market dynamics, including evolving financial services models and regulatory impact; learn about emerging strategies and their impact to credit unions, including EMV, prepaid, and mobile; and find out how to prepare for the future.
In this presentation from the 2013 NAFCU Annual Conference, Barrett Burns provides a comprehensive analysis of credit score models and discusses how your credit union can utilize them for member outreach and education.
Listen to the full podcast here: http://www.nafcu.org/NAFCU_Services_Corporation/Partner_Library/Credit_Scores__What_s_Behind_the_Number___Podcast_and_Presentation_/
2013 NAFCU BFB Survey of Executive Compensation and Benefits (Presentation Sl... (NAFCU Services Corporation)
First introduced in 2007, the NAFCU-BFB Survey of Federal Credit Union Executive Benefits and Compensation was created to better understand the compensation and benefits for the top five executives of Federal credit unions. For more info: www.nafcu.org/bfb
Study Confirms Debit Strength, Reveals Reward Trends (Payment Choice Study Re... (NAFCU Services Corporation)
TSYS partnered with Mercator Advisory Group to conduct the 2012 Consumer Debit Payment Choice Research Study. This unique study combines survey questions and focus groups, enabling researchers to have an interactive discussion with participants about payment choices and influences, technology awareness and overall user experiences. Learn more at: www.nafcu.org/discover
Before you embark on the critical path of defining (or redefining) your mortgage strategy, there are five basic truths you need to know and build into your planning. From expenses and technology to people and process, these truths are an essential part of any mortgage discussion. This webinar shares the research behind each tenet and how you can incorporate them into your strategy. Learn more at: www.nafcu.org/morgtagecadence
There is an unprecedented focus today around the future of retail branch networks. Credit union executives are seeking new ways to economically alter the scale, reach, and character of their branch assets to drive growth and enable expansion in profitable new territories and non-traditional locations. While the channel is universally acknowledged as best for both member acquisition and sales, the economics must change in order for this way of member-centric financial services to thrive and realize its potential in the new, consumer-driven, omnichannel environment. For more info: www.nafcu.org/ncr
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He has around 20 years of solution engineering experience in application security, software continuous delivery and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Data Breach Response Guide for Credit Unions
BreachShield(SM) Corporate Data Breach Solutions
Affinion Security Center | BreachShield
Data Breach Response Guide
Their information | Your reputation | Our experience.
100 Connecticut Avenue, Norwalk, CT 06850-3561
1-800-350-7209 | www.breachshield.com
Contents

1 Introduction
  04 An Explanation of Affinion's Expertise
  05 The Facts About Data Breaches
     What Is a Data Breach?
  07 FAQ & Terminology
  10 Case Study 1.1 | Insurance Services Company
2 Explanation of Laws
  11 States That Require Disclosure
  11 Red Flag Rules
3 Breach Preparation & Response
  12 Preparation
  12 Assemble Team
  13 Documentation
  13 Response/Protection
  15 Case Study 3.1 | Large Healthcare Company
  16 Case Study 3.2 | Large Grocery Chain
4 Communication
  17 Crisis Communication
  20 Case Study 4.1 | The Largest Data Breach in History
  21 Case Study 4.2 | Federal Government Agency
  22 Case Study 4.3 | Financial Institution
5 Solutions
  23 Notification
  23 Enrollment Options
  23 Member Services
6 Breach Recovery Materials
  25 Sample Press Release
  26 Sample Letter to Employees
  28 Sample Letter to Customers
7 Resources
  29 Industry Experts, Contact Leads
ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 03
An Explanation of Affinion's Expertise

For over 35 years, Affinion Group has provided customer engagement solutions for more than 5,300 clients across multiple industries. In 1991, Affinion Group launched the first identity theft protection service available, PrivacyGuard®. With its development of IdentitySecure(SM), acquisition of CardCops(SM), and strong industry partnerships, Affinion has maintained its leadership by creating and delivering the most comprehensive, proactive and preventative solutions in the marketplace.

Leading fraud experts, including Frank Abagnale, subject of the book and movie Catch Me if You Can, have endorsed Affinion Security Center's protection solutions.

As a natural extension to our world-class protection service suite, Affinion launched BreachShield(SM), a full-service, rapid-response program for data security breach response and delivery. National and multinational enterprises, including those in the financial, retail and travel industries, partner with Affinion Group for our BreachShield data breach solutions. Since 2007, Affinion's BreachShield services have been provided to over five million individuals whose identities have been compromised by a security breach.

For more information on how to implement your breach strategy and solution, please call a BreachShield security expert at 1-800-350-7209.
The Facts About Data Breaches

In the past 12 months, the number of identity fraud victims increased 22% to 9.9 million adults, for an annual incidence rate of 4.32%.[1] It is now more important than ever to remember your customer's experience during a breach incident. Customers and/or employees should be able to easily understand the breach solution you have put in place. Poor communication and execution could cause a significant customer service challenge and could lead to negative PR, heightened media scrutiny and increased cost.

The total average cost of a data breach grew to $202 per record compromised, an increase of 2.5% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).[2]

Increasing incidents where a third party is responsible; growing costs:
Since 2005, the percentage of incidents where a third party such as an outsourcer or consultant was responsible for a data breach has increased from 21% in 2005 to 29% in 2006, 40% in 2007 and 44% in 2008. After an initial large gap, the difference in per-record cost between breaches caused by third parties and those caused internally has become increasingly stable: in 2005 the difference was $12, in 2007 it grew to $67, and in 2008 it was $52. Third-party outsourcers or consultants often analyze or process large volumes of customer-related information.[2]

[1] 2009 Identity Fraud Survey Report - Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase
[2] 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009
The Facts About Data Breaches (cont.)

• As of Oct. 1, 2008, 44 states and the District of Columbia require companies to notify individuals (consumers or employees) regarding a potential or actual breach
• Social Security numbers (38%) and names and addresses (43%) were the data most frequently compromised. Although 15% of victims suffered ATM or debit PIN compromise, and 13% credit PIN compromise, only 9% of victims went on to experience ATM cash withdrawals. Both fraudulent online and in-person purchases increased in 2008[1]
• The total annual fraud amount in 2008 measured $48 billion, versus $45 billion in 2007[1]
• Increased availability of public information combined with easy Internet access has left consumers vulnerable to far more devastating types of identity theft
• Over 88% of all cases this year involved incidents resulting from negligence. Data breaches involving negligence cost $199 per record, versus $225 per person for those involving malicious acts[2]
• On average, consumers spent nearly $500 of their own money to clear up fraud[3]
• New account fraud cost the industry $18 billion and $579 per victim[3]
• Healthcare and financial services suffer the highest customer loss: healthcare and financial services companies have the highest average rates of churn, 6.5% and 5.5% respectively. High churn rates reflect the fact that these industries manage and collect consumers' most sensitive data. Additionally, the average cost of a healthcare breach ($282 per record) is more than twice that of an average retail breach ($131), another sign that consumers may have a higher expectation for the protection and privacy of their healthcare records[3]
• Trust may be intangible and hard to quantify, but the result of breaking that trust is clear: the cost of lost business represents 69% of the total cost of a data breach[3]
• The majority of breaches in 2008 occurred at merchants and businesses (37%), followed by the education sector (22%)[4]

The three main forms of identity theft and their frequency, as determined by the Federal Trade Commission through a survey of actual identity theft victims (Identity Theft Resource Center Report, January 8, 2008):
• New accounts and other fraud
• Misuse of existing non-credit card account or account number
• Misuse of existing credit card or credit card number

[1] Javelin 2009 Identity Fraud Survey Report - Identity Fraud on the Rise But Consumer Costs Plummet as Protections Increase
[2] 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009
[3] Javelin Strategy & Research 2009 Identity Fraud Survey Report
[4] Javelin Strategy & Research 2008 Data Breaches
FAQ & Terminology

What is a data security breach?
In simple terms, a data security breach occurs any time there is unauthorized access to company data.

How do data security breaches occur?
Lost laptops and system failures are the main causes of data breaches (35% and 33%, respectively). Within the classification of "systems glitch," respondents cited a number of different issues, including software application development that did not anonymize live customer data, merger/acquisition activities in which customer data was sent to an unrelated law firm by mistake, credit card processing systems infiltrated by malware, social engineering attacks and insecure wireless connectivity, among other IT-related glitches that caused a breach.[1]

What is the impact of a data security breach on an organization?
The impact of a data security breach can be far reaching and long lasting. This includes loss of data, compliance pressures, customer loss or attrition, diminished trust, reduction in brand equity, litigation and negative media coverage. Any and all of these issues have the potential to erode shareholder value and customer confidence. As such, the smooth execution of a comprehensive breach response is critical to managing and reinforcing the trust of your clientele. In fact, an effective response can actually transform the negative implications of a data security breach into a valuable brand-enhancing and loyalty-building opportunity.

How should I notify the impacted population that a data security breach has occurred?
It is important to alert the impacted population in a clear, concise and timely manner. However, merely informing your clientele that a data security breach occurred, with nothing more, could prove catastrophic. A more effective post-breach strategy is to brief clientele on the proactive measures you are implementing to protect them. Taking a responsive leadership role in your communication strategy can play a significant role in restoring, and even increasing, clientele loyalty after a data security breach occurs.

[1] 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC, February 2009
FAQ & Terminology (cont.)

What should I offer to the impacted population of a data security breach?
What you provide to your clientele will depend on the risks ascribed to the particular data security breach. However, general best practices include the provision of:
• Credit reports from the three major credit reporting agencies
• Credit monitoring alerts
• Fraud alerts
• Identity theft insurance
• Identity fraud resolution services
Your ASC BreachShield consultant will be able to determine the most effective benefits configuration based on the unique circumstances and characteristics of your data security breach.

If a data security breach occurs, what am I required to do by law?
Each state has differing regulations about the reporting of, and recompense for resolving, a data security breach. In addition, if your organization touches clientele across state lines, you may be subject to different compliance requirements based on the location of the affected parties. You should check with your legal department regarding your legal requirements.

Why should I take action beyond my legal obligations?
There are many reasons to address a data security breach even if you are not required to do so by law. In a world where information can be shared instantaneously, you need to consider the possible repercussions should your clientele learn of your data security breach from another entity. Additionally, notifying and protecting the impacted population reflects the responsibility that your organization feels toward its customers, employees, suppliers and other valued partners. Lastly, a seemingly negative event, when handled well, can actually be leveraged as a relationship-building activity.

What are Credit Monitoring and Alerts?
This service monitors changes to an individual's credit records with one of the national credit reporting agencies (credit bureaus). Members will be notified of any changes to their records on file with that agency. Those changes could include events such as new accounts opened or a change in credit score.

What is Triple-Bureau Credit Report with Triple-Bureau Credit Score?
This service delivers credit reports and credit scores from all three major credit reporting agencies. Customers also receive a comprehensive analysis detailing which factors impact their rating.
FAQ & Terminology (cont.)

What is the difference between Identity Fraud Resolution and Identity Restoration?
Resolution services provide consumers with the tools they need to remedy the negative impact of identity theft. Additionally, consumers are provided with a dedicated caseworker who will work with the individual throughout the duration of his or her case until all issues are resolved.
Identity Restoration requires that an individual sign over power of attorney to a third party, who then becomes responsible for the case. Identity Restoration may be a source of concern to a victim because it requires consumers to hand over power of attorney at a moment of crisis. Also, the individual's active involvement in his or her case mitigates risk and ensures accuracy. With the help of ASC's Identity Fraud Resolution caseworkers, victims of identity theft will have all the tools they need to resolve their cases.

What is a Fraud Alert?
A fraud alert is a flag that the major credit bureaus attach to your credit report. When you, or someone else, try to open a credit account by getting a new credit card, car loan, cell phone, etc., the lender should contact you by phone to verify that you really want to open a new account. If you aren't reachable by phone, the credit account should not be opened.

Do Fraud Alerts always work?
Not necessarily. There are many forms of identity theft that do not pass through the credit bureaus, making a fraud alert alone insufficient. That's why ASC recommends a comprehensive solution that addresses all the forms of identity theft cited by the Federal Trade Commission.
Case Study 1.1: Insurance Services Company

Background
In Dec. 2007, a large provider of insurance products suffered a data breach that impacted more than 500,000 people. The breach exposed personal and financial information, including names, addresses, Social Security numbers, bank account numbers, employer information, salary information, medical insurance information and more.

Notification
The company alerted its partners, and began notifying customers in March 2008. It spent more than $700,000 to mail notification letters to the affected population. However, the letters left many end-customers confused, because they had no direct relationship with the parent company that experienced the breach.
Due to budgetary constraints at the time, the breached company chose not to offer any type of credit monitoring or identity theft protection to those customers whose information had been compromised.

Reaction
Negative media stories about the company began to circulate and, combined with legal pressures, caused the company to seek help from Affinion's breach response team. The company was interested in a low-cost breach solution, as it had only $500,000 of budget remaining to spend on breach resolution.
The breach response team immediately implemented a second mailing to all customers, advising them that their information had been stolen and offering them identity theft protection services. Significant time and money could have been saved had this company had a breach response plan in place and executed it immediately after discovering the breach.

Lessons Learned
Explain the relationship. Since the breached company was a B-to-B service provider to the companies that consumers dealt with, the consumers were confused by the notification letters.
Optimize call center communication. Call center agents should expect that customers will be angry and scared when they call for more information. Provide call center agents with facts, background information and remedies so they can explain what happened and offer the callers support.
Offer the solution to all customers. Offer identity theft protection services to all of your affected or potentially affected customers. This may lessen consumer anger and, in this case, may have made them less likely to file the class-action lawsuit.
Plan your communication. Save time, money and damage to your company's reputation by planning your response to a data breach in advance.
Explanation of Laws

States That Require Disclosure
As of Oct. 1, 2008, 44 states, in addition to Washington, DC and Puerto Rico, have breach notification laws. The only states that did not have these laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Who is requiring compliance?
Federal Deposit Insurance Corporation (FDIC)
Federal Reserve Board
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
National Credit Union Administration (NCUA)
Federal Trade Commission (FTC)

Red Flags
Final rule adopted under sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (the "FACT Act") regarding identity theft red flags for financial institutions, and procedures that users of consumer reports should follow in the event they receive notices from consumer reporting agencies ("CRAs") of address discrepancies.

Section 114 of the FACT Act requires the agencies to jointly issue regulations and guidelines identifying patterns, practices and specific forms of activity that indicate the possible existence of identity theft. Section 114 also directs the agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to identify possible risks to account holders or customers.

The rules went into effect on Jan. 1, 2008, and compliance is required by May 1, 2009.

What is required?
The new rule requires financial institutions to implement a written program designed to detect, prevent and mitigate identity theft in connection with a covered account.
The program must be tailored to the institution's size, complexity and the nature of its activities. The program must also contain reasonable policies and procedures that:
1) Identify relevant Red Flags for covered accounts and incorporate them into the program.
2) Detect Red Flags that have been incorporated into the program.
3) Respond appropriately to any Red Flags that are detected, to prevent and mitigate identity theft.
4) Ensure the program is updated periodically.
The program is to be approved by the institution's board of directors or an appropriate board committee.

Note: Information concerning legal aspects of security breaches may have changed since the publication of this booklet. Always consult your legal counsel regarding security breaches.
Breach Preparation & Response

Preparation
It is important to prepare and plan ahead by completing a Data Breach Incident Response Plan. Should a breach occur, you are then well positioned to move swiftly by following your completed plan. It is important to document all ongoing events, all people involved and all discoveries in a timeline for evidentiary use.

BreachShield's data security professionals are experts at developing effective data breach solutions for before, during and after a breach incident. Advance preparation can greatly reduce the time it takes to resolve a data breach, as well as minimize the inevitable panic and confusion that stems from such a critical event. Contacting BreachShield prior to an actual breach enables your organization to have an effective response strategy already in place and ready to implement at a moment's notice.

Another helpful tactic is to develop a set of breach scenarios that could affect your clientele, and to define the tasks that need to be accomplished to help resolve potential issues. In addition, designating the incident response teams and assigning specific tasks to each team member before a breach will familiarize the responsible parties with their duties, streamlining response times and reducing the chance of error during an actual breach.

Incident Response Action Plan
Once a breach is confirmed, it is essential to execute a timely incident response plan.

Assemble your incident response team
Designating the members of the incident response team, and providing the necessary training, prior to an actual data breach will provide quicker recovery and cost savings over the use of ad hoc teams. BreachShield recommends that your incident response team include at least one senior member from each of the following departments:
• Executive Management
• Legal
• Customer Service
• Public Relations
• IT
• Compliance
• Risk Management
Breach Preparation & Response (cont.)

Select an incident response project lead
In our experience, the best incident response project leads demonstrate an acute understanding of the organization's current customer relationships and are able to strategize effective ways to preserve brand equity.

Document all relevant information
Accurate documentation of the events leading up to, during and after the data breach will aid the incident response team's investigation and help prevent future occurrences. BreachShield suggests compiling the following information while preserving all evidence in its original form:
• Date and time of the data breach
• Method of the data breach
• Extent of the data breach
• Quantity and identifying factors of the impacted population

Restore and reinforce the breached data
The measures taken by the incident response team depend on the type and scope of the specific data breach incident. Some standard protocols include determining the point of compromise and securing it, managing the affected systems and enacting preventative measures.

Protect the affected population
BreachShield recommends taking a proactive and thorough approach toward protecting the affected population. This can help the impacted organization meet compliance standards, reduce potential liabilities and position itself as a responsible leader. It also helps preserve brand equity by maintaining control of the notification process, as opposed to risking awareness through other sources.
Breach Preparation & Response (cont.)

Please remember that every situation is different, and some situations may not require you to notify your customers. Depending on the type of data that was breached, a letter may or may not be required. Always consult your legal counsel. If your counsel deems it necessary to contact your customers and/or employees, please consider the following:
The sooner you notify anyone involved, the sooner they can take action to protect themselves.
It is crucial that all notification be clear and concise. Customers should understand that the company is aware of the problem and that it is taking steps to help with a resolution.
Communication of this sort requires great care, as improper notification could actually lead to more financial loss. BreachShield helps organizations of all sizes carefully tailor their incident response notification strategy to minimize potential disruptions while simultaneously placing the affected population at ease.

BreachShield's security experts are available 24/7 to develop timely, effective data breach solutions that address the needs of your specific incident and organization. We can help with list management services, notification letter development, printing and mailing services, and call center support (pre- and post-enrollment).
Case Study 3.1: Large Healthcare Company

Background
On Mar. 26, 2007, the names and Social Security numbers of 17,000 current and former employees of a major healthcare corporation were compromised when the spouse of an employee downloaded peer-to-peer file sharing software onto a company-issued laptop.

Notification
Nine weeks after the company confirmed the exposure, it notified the affected employees in a well-written letter outlining how the data was exposed and what steps the company was taking to help protect those affected. In addition, the company provided one year of free credit monitoring services and a $25,000 insurance policy to each individual affected. The company's notification letter also provided information and resources for those affected, including a phone number people could call for further information about the breach and instructions for how to sign up for the free identity theft protection services being offered.
The company reinforced its response by dedicating a portion of its website to the breach, providing information and an extensive Q&A section to help victims understand what happened and how they could get help.

Reaction
This company was highly scrutinized by the media as a result of the breach, especially because it took nine weeks to alert the affected employees. After the breach, data security experts questioned whether the company had taken adequate precautions to prevent breaches related to the use of laptops, saying that encryption and other security measures could have prevented the loss of data. The breach spurred an investigation, and a subsequent civil lawsuit by the Connecticut Attorney General, where at least 300 victims of the breach resided.

Lessons Learned
State laws can complicate the response. Creating a response that is compliant with the laws of each state where the victims live can be a big challenge.
Offer help in the notification letter. Relevant phone numbers, websites and information on the remedies offered and precautions to take are valuable and reassuring to the individuals affected.
Post information on the website. Consumers, employees, investors and the media look to the Internet for information, so it is important for all pertinent information to be available on the company website.
Case Study 3.2: Large Grocery Chain

Background
On Feb. 27, 2008, a large grocery store chain became aware that it had been exposing customer data for several months via malware installed on 300 of its computers. It was determined that 4.2 million unique credit and debit card numbers with expiration dates were compromised during the store's authorization process. The breach occurred despite the fact that the grocery store received PCI certification in 2007, underwent periodic vulnerability scans, and was re-certified in 2008.
There were approximately 1,800 cases of reported credit and debit card fraud stemming from the breach in the months that followed.

Notification
On March 17, 2008, the company notified customers of the breach via a letter on its website from the CEO, who stated: "No personal information, such as names or addresses, was accessed."
The media speculated that the company was lying about how much information was exposed, reasoning that the 1,800 victims who reported fraud stemming from this breach must have had their names associated with the stolen card numbers and expiration dates.

Reaction
Days after the CEO's note was posted, the company found itself defending a class-action lawsuit, filed on behalf of customers whose credit or debit card data was stolen.
The suit maintained that because of the company's inadequate data security, its customers had their personal financial information compromised, were exposed to the risk of fraud, have incurred and will continue to incur time to monitor their accounts and dispute fraudulent charges, and have otherwise suffered damages.

Lessons Learned
"Compliance" does not mean "security." Prepare for the worst. Although PCI compliance is widely regarded as a strong baseline, it is not a shield against data breach. Even when technical standards are met, it is important for every company to prepare for a potential breach.
Use a multichannel approach to reach affected parties. When responding to a breach, it is important to contact as many affected customers as possible. This company did not send notification letters via mail, and opted instead to post a statement to its website. Only customers who visited the site were notified directly of the breach.
State the facts. The CEO's statements were called into question by the media and the public as 1,800 cases of card fraud were reportedly linked to the data exposure.
17. Communication
The nature of crisis communication
Data breaches, because they pose a significant threat to the business,
financial, operational and “reputational” health of a company, are
considered crisis events.
Crisis events occur within all organizations and, depending on how they are
handled, can either reinforce a positive reputation or irreparably damage a
brand. That is because a crisis focuses the attention of customers, partners,
employees, investors and the general public on an organization, and causes
every action to be closely observed, with each action taking on far greater
significance. In other words, the stakes are high, and the world is watching.
Beyond any legal concerns that the company must consider in the event of a
breach, the purpose of communication is to protect the brand and reinforce
customer relationships.
Clear, controlled communication of what happened, when it occurred, who
was affected and what is being done to rectify the situation is important for
navigating a breach crisis and minimizing brand damage.
Time is of the essence
The most valuable commodity in a crisis situation is time. As soon as the
breach is discovered, it is important to gather information and quickly
determine the appropriate action steps. Although there is some danger in
overreacting to a given situation or prematurely sounding an alarm, the vast
majority of mistakes are made in assuming something is not a problem or
that it will just “go away.” A data breach will not go away if it is ignored,
and the outcomes always get worse over time.
Sidebar: ICR is a strategic communications and investor relations firm with a
crisis communications practice devoted to helping companies minimize
reputational damage from crisis situations. The firm has guided several large
institutions through data breach crises by helping them to define, develop and
deliver the communications that meet the needs of clients, partners, investors
and the media.
The guidelines and case studies here provide some information on how to react
in the event of a data breach. If your company needs additional crisis
communication support, please visit www.icrinc.com or call (203) 682-8218.
Breach communication principles
In response to a breach, it is important to incorporate the following core
principles in all internal and external communication:
1) Honesty – Always the best policy, and never more important than in a
data breach situation where trust and corporate credibility may already be
strained. Being forthright and open with information will win points and
actually give management more room to operate.
2) Speed – Success or failure in handling a breach is often a function of
time. It is critical to move quickly and make the best decisions possible.
Having a breach plan in place greatly facilitates quick decision making.
3) Control – Update stakeholders with the latest information, as you get it.
Anticipate questions and be there first with information and answers.
4) Facts – Nothing is more important than ensuring the most accurate
portrayal of events possible. In all cases, correct the record where necessary
and do not allow unsubstantiated or erroneous information to go
unchallenged. Do not speculate, always deal with the facts and never guess.
ASC BREACHSHIELD Data Breach Response Guide 1-800-350-7209 | www.breachshield.com 17
18. Communication (cont.)
Breach communication goals
The goal in responding to a data breach is to act and behave at every point
during the process in a way that is consistent with the company’s values
and culture, and at all times place the highest priority on the safety and
satisfaction of customers, employees, partners and other stakeholders.
All communications should be designed to best achieve the following:
Internal Communication:
• To ensure accurate, consistent and timely communication
• To eliminate or minimize confusion and rumors
• To provide guidance and channels for sound internal decision making
External Communication:
• To maintain the trust, confidence and respect of customers,
employees, shareholders, analysts, business partners, public officials
and the community
• To maintain credible and productive relations with the media
• To minimize the impact on the company’s brand equity,
operations and sales
Media communications
During the course of the breach, and its disclosure, the company may get
requests from the media for interviews. It is absolutely essential that
communication with the media be highly measured and controlled.
Discussion should focus on the facts of the breach, and what is being
done proactively by the company to control the situation and protect those
affected. If possible, the company should always offer a comment, even if it
is limited in substance or information. “No comment” should be avoided,
and every effort should be made to avoid “the company was unavailable
for comment.”
Communication should also be tightly controlled. Only an authorized
spokesperson should respond to media requests and the number of executives
allowed to comment to the media should be limited. In order to underscore
how serious the company considers the breach, it is best if a senior executive
is designated as the spokesperson.
19. Communication (cont.)
General media communication guidelines
The following five steps provide a helpful framework for response to
the media. Every communication should seek to include these elements.
Five steps to prevent F.E.A.A.R
1) Facts – Communicate what you know and don’t know.
Correct inaccuracies. Never speculate.
2) Empathy – Always express concern for affected parties. Be human.
3) Accountability – Demonstrate that you will do everything to assist
(even if it’s not your fault!).
4) Action – Be explicit about what you are doing.
5) Remediation – Apologize. Fix what is broken and ensure it won’t
happen again. Discuss plans to prevent similar incidents from
occurring in the future.
Answers may not be available for all questions pertaining to the
breach. When information is unavailable or inappropriate for public
dissemination, the company should state that it is working to gather
relevant information and will make it available as soon as possible.
Case Studies
Over the past few years, data breach incidents have greatly increased.
And because the number of identity theft victims has also increased, data
breaches continue to capture more attention from the mainstream media
and the public at large.
In creating a Data Breach Response Plan, it is important to look at how
other companies have responded, and what outcomes resulted from their
actions. There are unique lessons that can be learned from each response.
The case studies in this book provide an overview of different types of
companies and how they responded to different types of breaches.
While the specific actions each company took were different, there are
two lessons that applied in every situation:
• Timing is Critical: In almost all of the cases below, the companies involved
were slow to alert customers to the breach, which led to panic among
customers and negative perceptions from the media and the public. Keep
in mind that promptly alerting customers and the media demonstrates a
proactive interest in keeping customers safe and in finding a solution to
the situation.
• Develop a Plan in Advance: No matter what unique circumstances a breach
presents, companies with a Data Breach Response Plan in place are able to
react more quickly and professionally. Being prepared is the key to a
successful response.
20. Case Study 4.1: The Largest Data Breach in History
Background
This data hack went undetected for five years, involved several national
retailers, and exposed the credit card data of 41 million people. The method
used to access the data was not particularly sophisticated. The thieves were
“wardriving,” or driving around in a car testing wireless local area networks
(WLANs) and exploiting security holes to gain access to customer data,
including credit card numbers, expiration dates and security codes.
Notification
Without the proper tracking systems in place, it was exceedingly difficult to
establish how long the fraud had been occurring or how many customers
were affected. The retailer then came under heavy criticism for what many
considered a slow and sloppy response. The company was also criticized for
not disclosing the breach until a month after it was first discovered.
The company was eventually forced to offer credit monitoring to a small
subset of affected customers, as a result of a lawsuit settlement. It also held
a special sale for its victimized customers and gave them a $30 voucher to be
used in its retail locations, provided that the customers provided written
documentation of the time or money lost as result of the incident.
Reaction
A few months following the disclosure, the company received 11 subpoenas
from different state attorneys general. There were many lawsuits filed
against the company in federal and state courts, brought forth from banks,
credit card issuers, state government officials and groups of affected North
American customers. The company suffered more than $200 million in
losses related to the theft. The negative publicity surrounding this incident
continues, years after the breach was discovered, and almost nine years after
the breach first began.
Lessons Learned
Investigate the breach. The company’s lack of an appropriate data tracking
system led to consumer confusion and speculation, which resulted in fear.
Offer the solution to all customers. The company was criticized for offering
credit monitoring to only a small subset of affected customers, and for the
fact that the monitoring was only offered as a result of a lawsuit settlement.
The remedy should fit the offense. Consider that victims who spent time and
money trying to reclaim their stolen identities and recoup their losses may
see a token (such as a $30 coupon) as an insult.
Provide updates. Demonstrate a concern for customers and a concern about
the outcome of the case by providing customers and media with needed
periodic updates of new findings and case status.
21. Case Study 4.2: Federal Government Agency
Background
On May 22, 2006, a large federal government agency announced that
26.5 million Social Security numbers were compromised as the result
of a stolen laptop that contained unencrypted personally identifiable
information. It was later revealed that the incident had actually occurred on
May 3, 2006, but that the agency’s top official was not notified until May 16,
2006. This delayed notification of the FBI until two weeks after the burglary.
Less than a month later, the agency warned that an additional 2.2 million
citizens also had their data compromised, for a total of 28.7 million
breached records.
Notification
On Aug. 10, 2006, the agency mailed notification letters to the individuals
whose information was found on the missing computer, which was
recovered by the FBI.
The House Government Reform Committee also held a hearing to discuss
the incident and the Government Accountability Office (GAO) issued a
report the following year.
To support the potential victims, the agency devoted the home page
of its website to notifying affected citizens. It posted an extensive Q&A
section on the site which provided information about how the breach
occurred, what steps people could take to monitor their personal
information and who to contact if they suspected fraud. The agency also
created a hotline staffed by call center employees to answer questions.
Reaction
There was a significant amount of media coverage when the incident was
announced. The media stories emphasized that the agency had waited two
weeks to disclose the incident, putting the citizens whose data had been
exposed at risk and denying them the opportunity to protect themselves.
As a result of the incident, at least three class-action lawsuits have been filed
against the agency and its secretary.
Lessons Learned
It can happen to you. Each year data breaches become more common.
Be prepared, and have contracts in place. It is important to develop a breach
response plan, and an internal process for rapid response. This can help
companies react to a breach more quickly.
Promote a culture of awareness and reporting. In order for companies to
detect and react to a breach, each person in the organization must know what
to look for and who to tell, so top executives can then put a plan in place.
Educate all staff. It is important to circulate information on data breaches
to employees, and make sure everyone knows what to look for, and how
they should react to a potential breach.
22. Case Study 4.3: Financial Institution
Background
In 2008, a major financial institution’s backup data storage tapes
(containing customer data that included Social Security numbers
and bank account information) went missing – twice. During the first
incident, the unencrypted tapes were lost while in transit to a storage
facility by the company’s courier. The second incident occurred again while
unencrypted data storage tapes were being moved by a commercial carrier.
Notification
The company was criticized for not disclosing the loss of customer data in a
timely manner. While the first incident occurred on Feb. 27, 2008, it appears
that the financial institution did not notify its affected partner institution
that it had lost the data until May 2008. The partner financial institution
then informed the Connecticut attorney general, who made a public
announcement about the incident and called for an investigation. The
attorney general and the media were highly critical of the financial
institution and questioned the long delay in notification. The financial
institution sent letters to all of the affected customers, an ongoing process
that took several months, as the institution uncovered an additional four
million affected customers.
Reaction
Because of the delay in notification and because the company did not
actually announce the loss of customer data, the media and public reaction
was highly negative. The company’s initial response to the incident was an
offer for one year of credit monitoring for the affected customers. However,
as a result of the attorney general’s investigation, it later extended that offer
to include two years of monitoring, increased the amount of identity theft
insurance coverage from $10,000 to $25,000 and said that it would
reimburse for the cost for placing a security freeze on a credit file.
Lessons Learned
Take control of the disclosure. Allowing an outside entity to announce
a breach – in this case, the Connecticut Attorney General – puts your
company on the defensive, battling legal forces and negative public
perception. Disclosing as soon as possible helps mitigate the inevitably
negative reaction.
Indicate empathy for those affected. Customers see the bank as a
trustworthy entity – and after a breach, they may feel a tremendous lack
of that trust and confidence. Ensuring that customer-centric messaging is
included in the disclosure of a breach helps shape a perception among
customers that the company has their best interest in mind.
Post the customer letter on your website. However, even though the number
of affected customers may number in the millions, timely notification of
customers through a mailing is still important.
23. Solutions
Notification
Affinion Group recommends using Affinion Security Center to handle all
aspects of notification to the impacted population. At a very cost-effective
rate, given our unique experience and scale, not only can we draft the
notification letter, we will consult on PR strategy and ensure that the
impacted population is contacted quickly and efficiently.
Enrollment
We provide the greatest number of options available in the industry to
ensure that your customers can enroll quickly, easily and via the means
most convenient. We offer the following enrollment options:
Full File Enrollment allows your company to quickly protect all impacted
members. The partner will supply a full file of names via a secure method
to Affinion for enrollment.
Voice Response Unit (VRU) allows customers to enroll via telephone by
simply entering the unique encrypted activation code provided in the
notification letter.
Online allows customers to enroll via a dedicated URL by simply entering
the unique encrypted activation code provided in the notification letter.
USPS enrollment allows customers to enroll by filling out an enrollment
form and returning it via USPS.
Protection Benefits
To help keep the customer’s identity safe, Affinion’s data breach products
offer comprehensive identity theft protection including: credit monitoring,
the credit information hotline, credit reports and the credit card registry
service, ID theft insurance, dedicated fraud resolution specialists, automated
fraud alerts, and Internet monitoring. Affinion’s specialists will help your
company choose the best options based on the severity of the breach and
the type of data lost.
Resolution
As part of your company’s BreachShield solution, all customers enrolled
in credit monitoring will have access to Affinion’s Identity Fraud Support
Services (IFSS). Our Identity Fraud Support includes all aspects of helping
our members resolve identity fraud or theft. Members will receive the following:
• A dedicated FCRA-certified caseworker who will provide direct contact
information to the member and follow the case through to resolution
• Victims of identity fraud will receive a six-month complimentary
term extension of the PrivacyGuard credit monitoring service ensuring
continued protection during resolution
• Advice on placing fraud alerts at each of the three major credit bureaus
• Assistance requesting a current credit report from the three credit bureaus
• Analysis of areas that could be impacted by the fraud
• In certain instances, the resolution specialist will assist members
by attending conference calls and drafting letters and forms
24. Solutions (cont.)
• Information on contacting law enforcement officials and the FBI
• Assistance with any travel arrangements necessary for fraud resolution
• Victims receive a personalized Fraud Resolution Kit via overnight mail
which includes:
– Educational information and resource contact information for relevant
government agencies and financial institutions
– Personalized dispute letters to send to credit bureaus and financial
institutions as well as extra copies for reference
– Instructions on how to file a police report, request a personal Social
Security statement, and a worksheet for victims to track activities and
time spent resolving identity fraud issues
Credit Monitoring and Alerts
This service monitors changes to an individual’s credit records with one
of the national credit reporting agencies (credit bureaus). Members will
be notified of any changes to their records, including any new accounts
opened or a change in credit score.
Internet Fraud Monitoring
A sophisticated, real-time, early warning technology monitors various
underground chat rooms where thieves sell and trade stolen information.
Members are notified via e-mail if their personal information is discovered
as compromised – often before the financial institution is notified.
Automated Fraud Alerts
When an application for credit is made in the member’s name, either by the
member or someone else, the member receives a confirmation phone call
allowing them to approve or deny the new credit request.
Triple-Bureau Credit Reports & Scores
Members receive current credit reports and credit scores from all three
major credit reporting agencies, including a comprehensive credit analysis.
Identity Theft Insurance
ID Theft coverage is available at various levels.
Credit Information Hotline
Members can call the Credit Information Hotline toll free to speak to
an FCRA-trained representative. These highly trained representatives walk
members through their credit reports and answer questions about credit
records or alerts received.
Credit Card Registry Service (Lost/Stolen Service)
This service gives members the chance to centralize and store information
from credit, bank, department store and oil company cards in a single, secure
location. Should these items ever get lost or be stolen, members can cancel
these cards and request replacements – all with one toll-free phone call.
25. Breach Recovery: Sample Press Release
[Company Name] Victimized by [Data Breach/Computer Intrusion]
Provides Helpful Information to Protect Customers
City, State– [Company Name] announced today that it suffered [Describe
Breach Incident: an unauthorized intrusion into its computer systems; loss of
data from a stolen computer] which contained information related to customer
transactions. [Describe the number of customers affected: Company is
launching a full investigation to determine the full extent of the theft and
number of affected customers; Company believes that XX customers may have
had their personal information compromised]. [Give more details on which
systems, brands and locations were affected] The data breach involved
[Company’s] payment processing system that handles credit card, debit card
and check transactions for its [stores/customers] throughout [the United States,
Europe, Texas]. Company immediately alerted law enforcement authorities of
the crime and is working closely with them to help identify those responsible.
Company is also cooperating with credit and debit card issuers and providing
them with information about the incident.
Company [is launching/has launched] a full investigation of the breach with the
assistance of leading computer security and data analysis firms to determine
what customer information may have been compromised. [Company] expects
to provide its customers with more information as it becomes available. Since
the intrusion, [Company] has taken steps to secure its computer network and
systems to prevent this type of incident from occurring in the future.
“We are extremely concerned about this event and the difficulties it may cause
our customers. Since discovering this crime, we have implemented the highest
security measures to ensure the safety of our customers, and will work with
them to help restore any compromised information. Our customers remain the
first priority for [Company], and we will continue to inform them as we
uncover additional details about the incident,” says [Name, CEO of Company].
Information For Customers
[Outline actions customers can take and resources available]
To help protect its customers, [Company] has notified the three major credit
bureaus in the U.S. of this incident, as well as the attorneys general in the
affected states. [Company] has also retained [Identity Theft Protection
Company], a specialist in identity theft protection, to provide customers with
[X] years of identity theft protection and restoration services, free of charge.
Customers who have questions about the incident or who wish to enroll in the
identity theft protection program can do so by calling [Company’s] dedicated
helpline toll free at: XXX-XXXX in the United States and (XXX) XXX-XXXX
in Canada or by visiting [Company’s website address].
26. Breach Recovery: Sample Letter to Employees
[Date]
Dear Customer/Employee:
We are writing to let you know that we have become aware of a data privacy
breach affecting an estimated XX [customers, colleagues, individuals]. It appears
that the breach developed when [briefly state how the breach occurred].
[Company] has been working with outside consultants to review the exposed
data quickly and thoroughly. At this point our review is not complete, but we
believe that some of the following information may have been exposed: your
name; Social Security number and/or Taxpayer Identification number; home
address; home and/or cellular phone number(s); fax number; e-mail address;
credit card number; bank account number; passport number; driver’s license
number; military identification number; birth date and signature.
So far there is no indication that any unauthorized person has used or is
misusing the information that was [stolen, accessed, compromised].
Nonetheless, we want you to know now, and to have tools and information to
help you prevent and detect any misuse. [Company] has notified law
enforcement and, to help protect you, has retained [Identity Theft Protection
Company], a specialist in identity theft protection, to provide you with [X]
years of protection and restoration services, free of charge.
You can enroll in the program by following the directions below. Please keep
this letter; you will need the personal access code it contains in order to register
for services.
The [Identity Theft Protection service] package that [Company] has arranged
provides these protections for you:
• Credit Monitoring: unlimited access to your credit report and score, and
notification via email of key changes in your credit report that may indicate
fraudulent activity.
• Fraud Resolution Representatives: Expert guidance if you suspect that your
personal information is being misused.
• Insurance Reimbursement: [$XX] of Identity Theft insurance [describe details]
[Company] has advised the three major U.S. credit bureaus about this incident.
We gave a general report, alerting them to the fact that the incident occurred;
[Company] has not notified them about the presence of your specific information
in the removed data. [Company] has also notified the attorney general’s office in
your state of residence about this incident, as well as other officials where
required by law.
27. Breach Recovery: Sample Letter to Employees (cont.)
Additional Ways to Help Protect Yourself
Besides registering for the free protection services that [Company] has arranged,
there are other things that you can do to help protect yourself from fraud or
identity theft.
We advise you to remain vigilant against the possibility of fraud and/or
identity theft by monitoring your account statements and credit reports for
unusual activity.
When you receive your credit reports, review them carefully. If you see anything
you do not understand, call the credit reporting agency. If you do find suspicious
activity on your credit reports, call your local police or sheriff’s office and file a
police report of identity theft. Make sure to obtain a copy of the police report
because you may need to provide the report to creditors to clear your record.
You also should file a complaint with the Federal Trade Commission (FTC) at
www.ftc.gov/idtheft or at 1-877-ID-THEFT (1-877-438-4338). Your complaint
will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be
accessible to law enforcers for their investigations.
Even if you do not find suspicious activity on your initial credit reports, the FTC
suggests that you keep checking your credit reports periodically. Identity thieves
sometimes hold on to personal information for a period of time before using it.
Checking your credit reports periodically can help you spot potential problems
and address them quickly.
We encourage you to consider all options to help protect your privacy and
security, and in particular, we encourage you to take advantage of the credit
protection services we have arranged for you with [Identity Theft Protection
Company], at no charge to you.
How to Sign Up for the Identity Theft Protection Services
You may sign up for the protection services free of charge by calling
a special toll-free number [1-800-XXX-XXXX].
You may also enroll online by visiting [website]. To sign up, just enter
the access code provided below and disregard any pricing information.
Your Access Code: [insert access code]
We encourage you to enroll and activate your credit monitoring quickly.
Please note that the deadline for enrolling in this service is XXX.
[Company] takes your privacy very seriously and will continue to monitor this
situation. We have modified the computer system where this information was
stored and enhanced security for other computer systems as well. Should there
be any significant developments, we will notify you.
If you have questions or wish to request more information from [Company],
please send us an email at [email address] or call us at [phone number].
[Company] understands how important it is to maintain the security and
confidentiality of personal information. Again, we regret any inconvenience
that may result from this incident and encourage you to take full advantage
of all resources to help protect your personal information.
Sincerely,
[CEO or Privacy Officer]
28. Breach Recovery: Sample Letter to Customers
Dear [Name]:
We are writing to inform you about possible fraudulent activity involving your
personal information. We take these matters very seriously and this incident is
being investigated. As a result of unauthorized access to our computer system,
information such as your name, address, telephone number, Social Security
number, card account number, and PIN may have been accessed by
unauthorized parties. You will not be responsible for unauthorized fraudulent
activity resulting from this situation.
We are working with law enforcement authorities to investigate the situation,
and to ensure that this does not happen again. At this point, our investigation is
still ongoing, however we would like to make sure that your personal
information is protected.
What we are doing to protect your personal information:
We are offering you a complimentary one-year membership in PrivacyGuard®.
PrivacyGuard is a national subscription credit monitoring service that provides
you with access to your credit reports and daily monitoring of your credit files
from all three national consumer reporting agencies. To take advantage of this
service, you must sign up by [date].
You may enroll for your free one-year membership in PrivacyGuard® in one of
three ways:
1) Sign up online at [Insert URL] and enter the requested information.
2) Sign up by telephone using the automated system by dialing
1-800-XXX-XXXX.
3) To sign up via postal mail, please complete, sign and mail the enclosed
enrollment form.
What you can do to protect your information:
Attached to this letter is a list of steps you can take to help prevent identity theft.
If we can assist you further, please call our toll-free number at 1-800-XXX-XXXX
from 8 a.m. EST to 8 p.m. EST, Monday through Saturday. You may also visit
[company website] for more information.
Sincerely,
[Name]
Chief Operating Officer
29. Breach Recovery: Resources
Security Industry Experts
Affinion Security Center | BreachShield
www.affinionsecuritycenter.com
www.breachshield.com
Public Relations, Investor Relations & Crisis Communications
ICR, Inc.
www.icrinc.com
Federal Trade Commission
www.ftc.gov/bcp/edu/microsites/idtheft
Consumer Protection Groups
Identity Theft Resource Center
www.idtheftcenter.org