The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
Your master data is essential to the smooth operation of your business. But it is also valuable to others. Master data is vulnerable to both internal and external attacks. As the future of business and data is increasingly cloud-based, we explore five fundamentals to ensure the security of your data.
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
NetIQ was a Platinum sponsor for “Plugging the Leaks: Finding and Fixing the IT Security Holes in Your Enterprise,” a virtual trade show (VTS) produced by Information Week Magazine and Dark Reading.
This was our presentation deck: "Proven Practices to Protect Critical Data" presented by Matt Mosley, Senior Product Manager, and Matt Ulery, Director of Product Management during a live presentation. They explored some of the most significant problems facing security teams tasked with protecting critical data. And, they will reveal some of the most effective approaches and technology that can be used to quickly identify real threats.
Threat Ready Data: Protect Data from the Inside and the OutsideDLT Solutions
Is your current state really threat ready?
Amit Walia, Senior Vice President, General Manager of Data Integration and Security at Informatica, shares how to protect data from the inside and the outside from the 2015 Informatica Government Summit.
Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson
Protecting the Crown Jewels – Enlist the Beefeaters
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity, it’s becoming an organization’s crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard’s reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization’s most valuable assets from even trusted insiders. Providing insights into his companies data identification, classification and security initiative, sharing best practices for creating consensus, and engaging and aligning multiple business units to better protect the organization's crown jewels.
To implement data-centric security, while simultaneously empowering your business to compete and win in today’s nano-second world, you need to understand your data flows and your business needs from your data. Begin by answering some important questions:
•
What does your organization need from your data in order to extract the maximum business value and gain a competitive advantage?
•
What opportunities might be leveraged by improving the security posture of the data?
•
What risks exist based upon your current security posture? What would the impact of a data breach be on the organization? Be specific!
•
Have you clearly defined which data (both structured and unstructured) residing across your extended enterprise is most important to your business? Where is it?
•
What people, processes and technology are currently employed to protect your business sensitive information?
•
Who in your organization requires access to data and for what specific purposes?
•
What time constraints exist upon the organization that might affect the technical infrastructure?
•
What must you do to comply with the myriad government and industry regulations relevant to your business?
Finally, ask yourself what a successful data-centric protection program should look like in your organization. What’s most appropriate for your organization?
The answers to these and other related questions would provide you with a clearer picture of your enterprise’s “data attack surface,” which in turn will provide you with a well-documented risk profile. By answering these questions and thinking holistically about where your data is, how it’s being used and by whom, you’ll be well positioned to design and implement a robust, business-enabling data-centric protection plan that is tailored to the unique requirements of your organization.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
Your master data is essential to the smooth operation of your business. But it is also valuable to others. Master data is vulnerable to both internal and external attacks. As the future of business and data is increasingly cloud-based, we explore five fundamentals to ensure the security of your data.
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
NetIQ was a Platinum sponsor for “Plugging the Leaks: Finding and Fixing the IT Security Holes in Your Enterprise,” a virtual trade show (VTS) produced by Information Week Magazine and Dark Reading.
This was our presentation deck: "Proven Practices to Protect Critical Data" presented by Matt Mosley, Senior Product Manager, and Matt Ulery, Director of Product Management during a live presentation. They explored some of the most significant problems facing security teams tasked with protecting critical data. And, they will reveal some of the most effective approaches and technology that can be used to quickly identify real threats.
Threat Ready Data: Protect Data from the Inside and the OutsideDLT Solutions
Is your current state really threat ready?
Amit Walia, Senior Vice President, General Manager of Data Integration and Security at Informatica, shares how to protect data from the inside and the outside from the 2015 Informatica Government Summit.
Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson
Protecting the Crown Jewels – Enlist the Beefeaters
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity, it’s becoming an organization’s crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard’s reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization’s most valuable assets from even trusted insiders. Providing insights into his companies data identification, classification and security initiative, sharing best practices for creating consensus, and engaging and aligning multiple business units to better protect the organization's crown jewels.
To implement data-centric security, while simultaneously empowering your business to compete and win in today’s nano-second world, you need to understand your data flows and your business needs from your data. Begin by answering some important questions:
•
What does your organization need from your data in order to extract the maximum business value and gain a competitive advantage?
•
What opportunities might be leveraged by improving the security posture of the data?
•
What risks exist based upon your current security posture? What would the impact of a data breach be on the organization? Be specific!
•
Have you clearly defined which data (both structured and unstructured) residing across your extended enterprise is most important to your business? Where is it?
•
What people, processes and technology are currently employed to protect your business sensitive information?
•
Who in your organization requires access to data and for what specific purposes?
•
What time constraints exist upon the organization that might affect the technical infrastructure?
•
What must you do to comply with the myriad government and industry regulations relevant to your business?
Finally, ask yourself what a successful data-centric protection program should look like in your organization. What’s most appropriate for your organization?
The answers to these and other related questions would provide you with a clearer picture of your enterprise’s “data attack surface,” which in turn will provide you with a well-documented risk profile. By answering these questions and thinking holistically about where your data is, how it’s being used and by whom, you’ll be well positioned to design and implement a robust, business-enabling data-centric protection plan that is tailored to the unique requirements of your organization.
Presented at ISACA Indonesia Monthly Technical Meeting, 11 Dec 2019 at Telkom Landmark.
Key takeaways from my presentation:
1. Cloud customers have to understand the share responsibilities between customer and cloud provider
2. Different cloud service model (IaaS, PaaS, SaaS) has different audit methodology
3. Customer’s IT Auditor have to be trained to have the skills needed to audit the cloud service
4. Understanding IAM in Cloud is very important. Each Cloud Service Provider has different IAM mechanism
5. Understanding different type of audit logs in cloud platform is important for IT Auditor
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
Discussion of if and how you can secure payments in the cloud. Covers the issue, compliance considerations, regulatory changes and their impact, and provides a rationale for using a cloud to decouple your payments processes from your legacy infrastructure.
Who is the next target proactive approaches to data securityUlf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Cyber Security Planning: Preparing for a Data BreachFletcher Media
Presented by Clark Insurance in Portland, Maine, this two hour seminar featured lead panelists in the privacy security business.
This presentation reviews all aspects of a data breach from preparation, discovery, plan implementation, cyber insurance, crisis communication and PR policies and protocols.
Protecting Intellectual Property and Data Loss Prevention (DLP)Arpin Consulting
Protecting Intellectual Property and Data Loss Prevention (DLP) – what makes your business unique, different, valuable, and attracts clients and customers - presented at the Boston Business Alliance 9/23/09
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
Boards' Eye View of Digital Risk & GDPR v2Graham Mann
The presentation provides senior executives and board members with an overview of digital risk and GDPR. It describes the issues and seeks to provide answers, whilst highlighting the need for a joined-up strategy around digital risk management.
California Consumer Protection Act (CCPA) is
one such law that empowers the residents of
California, United States to have enhanced
privacy rights & consumer protection. It is the
most comprehensive US state privacy law to
date.
Why law firms are vulnerable to cyber attack
What are lawyer's ethical duties
The value of privilege & how to obtain it
The value of the security assessment
The value of continuous security monitoring
Mobile / Tablet Application Development - What are my options?DATA Inc.
Presentation on Mobile / Tablet Application Development as done to the Commerce and Industry Association of New Jersey on September 19, and to the New Jersey Technology Council on September 20.
Presented at ISACA Indonesia Monthly Technical Meeting, 11 Dec 2019 at Telkom Landmark.
Key takeaways from my presentation:
1. Cloud customers have to understand the share responsibilities between customer and cloud provider
2. Different cloud service model (IaaS, PaaS, SaaS) has different audit methodology
3. Customer’s IT Auditor have to be trained to have the skills needed to audit the cloud service
4. Understanding IAM in Cloud is very important. Each Cloud Service Provider has different IAM mechanism
5. Understanding different type of audit logs in cloud platform is important for IT Auditor
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
Discussion of if and how you can secure payments in the cloud. Covers the issue, compliance considerations, regulatory changes and their impact, and provides a rationale for using a cloud to decouple your payments processes from your legacy infrastructure.
Who is the next target proactive approaches to data securityUlf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Cyber Security Planning: Preparing for a Data BreachFletcher Media
Presented by Clark Insurance in Portland, Maine, this two hour seminar featured lead panelists in the privacy security business.
This presentation reviews all aspects of a data breach from preparation, discovery, plan implementation, cyber insurance, crisis communication and PR policies and protocols.
Protecting Intellectual Property and Data Loss Prevention (DLP)Arpin Consulting
Protecting Intellectual Property and Data Loss Prevention (DLP) – what makes your business unique, different, valuable, and attracts clients and customers - presented at the Boston Business Alliance 9/23/09
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
Boards' Eye View of Digital Risk & GDPR v2Graham Mann
The presentation provides senior executives and board members with an overview of digital risk and GDPR. It describes the issues and seeks to provide answers, whilst highlighting the need for a joined-up strategy around digital risk management.
California Consumer Protection Act (CCPA) is
one such law that empowers the residents of
California, United States to have enhanced
privacy rights & consumer protection. It is the
most comprehensive US state privacy law to
date.
Why law firms are vulnerable to cyber attack
What are lawyer's ethical duties
The value of privilege & how to obtain it
The value of the security assessment
The value of continuous security monitoring
Mobile / Tablet Application Development - What are my options?DATA Inc.
Presentation on Mobile / Tablet Application Development as done to the Commerce and Industry Association of New Jersey on September 19, and to the New Jersey Technology Council on September 20.
While Hadoop is the most well-known technology in big data, it’s not always the most approachable or appropriate solution for data storage and processing. In this session you’ll learn about enterprise NoSQL architectures, with examples drawn from real-world deployments, as well as how to apply big data regardless of the size of your own enterprise.
Where data security and value of data meet in the cloud ulf mattssonUlf Mattsson
Title: Where Data Security and Data Value Meet in the Cloud
Abstract:
The biggest challenge in this new paradigm of the cloud and an interconnected world, is merging data security with data value and productivity. What’s required is a seamless, boundless security framework to maximize data utility while minimizing risk. In this webinar, you’ll learn about value-preserving data-centric security methods, how to keep track of your data and monitor data access outside the enterprise, and best practices for protecting data and privacy in the perimeter-less enterprise.
BrightTALK webinar, January 14, 2014
I tend to describe the public cloud similar to a public parking garage in which the infrastructure and resources are made available to the general public over public roads. A public parking garage is owned by an organization selling services, and serves a diverse pool of clients. Your car is your liability. You pay per usage. Don’t leave any valuables in the car. You don’t know who is in the car next to you.
Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.
Although Sony seemed to dominate the cyber-security headlines of 2014, it was just one of many corporations infiltrated by an increasingly sophisticated and driven pool of hackers. J.P. Morgan Chase, Home Depot, and Target also top the list of businesses struggling with data breaches.
The most recent major cyberattack against Anthem Healthcare shook the insurance industry. In a rare show of honesty, the insurer began alerting customers and the media to the potential of a data break just eight days after it first noted suspicious activity on Jan. 27, 2015.
Immediately upon discovering it had been attacked, Anthem jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems, said president and CEO Joseph Swedish in a statement.
Noting the importance of protecting financial institutions, New York's Department of Financial Services responded to the Anthem breach by announcing its intent to integrate regular assessments of cyber-security preparedness at insurance companies as part of its examination process. It will also enforce "enhanced regulations" on insurers based in New York.
"Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses," said Benjamin M. Lawsky, New York State's superintendent of financial services, in a statement. He continued, "Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.“
Most people might expect that larger insurers, given the sensitive customer information they handle, would boast robust cyber-security programs. This is not necessarily true.
As part of its investigation, the Department found that 95% of insurers already think they have sufficient staff for information security, and just 14% of CEOs receive monthly briefings on data security. Anthem, the nation's second-largest health insurer, had not even encrypted its database containing nonmedical data. It claims that the HIPAA did not require it to do so.
While experts believe that Anthem was exclusively targeted in its attack, there is no doubt that all financial institutions are at risk. Here are eight things to know as the industry enters a year of increasingly heightened cyber-vulnerability.
For digital media companies, effective cybersecurity programs a mustGrant Thornton LLP
In digital media trust is everything, without it your business model doesn’t work. Cybersecurity can be a key component, ensuring the integrity of your services. Check out this brief guide to securing your data.
Cyber security is becoming increasingly relevant within the insurance industry to the degree, that the National Association of Insurance Commissioners (NAIC) named it as the key initiative for 2015.
This article examines cyber and information security as it relates to the legal industry and provides strategic considerations for law firms looking to deal with information security issues.
8242015 Combating cyber risk in the supply chain Print Art.docxevonnehoggarth79783
8/24/2015 Combating cyber risk in the supply chain Print Article SC Magazine
http://www.scmagazine.com/combatingcyberriskinthesupplychain/printarticle/381050/ 1/2
Daryk Rowland, director of risk
management, Guidance Software,
Inc.
Daryk Rowland, director of risk management, Guidance Software, Inc.
November 11, 2014
Combating cyber risk in the supply chain
Share this article:
facebook
twitter
linkedin
google
Comments
Email
Print
Security threats within the supply chain have been a concern of purchasing,
information security and risk and compliance teams for many years. What's
new is the rapid increase in targeted attacks on a less welldefended area for
most corporations the confidential data now commonly shared with
supply chain vendors and partners.
In research released in 2013, the Information Security Forum (ISF) found
that, “of all the supply chain risks, information risk is the least well
managed,” and that, “forty percent of the datasecurity breaches experienced
by organizations arise from attacks on their suppliers.” The Target breach
began with a simple login to its corporate network—a login seen as normal
by its security systems because the user name and password were valid. The
problem, of course, was that these login credentials were stolen—yet they
were also authorized for access, so they went unchallenged by Target's
authentication system.
Consider the fact that the recent Dragonfly/Energetic Bear hack of U.S. and
European energy companies began with a spearphishing campaign against
senior employees in energy sector companies. Those senior employees took
the bait and enabled the hackers to compromise legitimate software used by
industrial control system (ICS) manufacturers, inserting malware into
software updates sent from the ICS manufacturers to their clients.
Everyone involved with vendor management — from legal and risk/compliance teams to information security and
purchasing specialists — should now develop a common, collaborative security strategy (or program) that includes
layering new protections onto processes and policies to defend against information risk in the supply chain. Adding the
following practices to your existing security controls can help you collaborate productively for a targeted approach to
supply chain cybersecurity.
Map locations of sensitive data: Collaborate across all relevant teams to determine which data—intellectual property,
employee records, financial information, credit card data — is considered sensitive by your organization. Security
teams should audit for all locations of that sensitive data on your network, as well as for the locations of copies of that
data that may be accessible to members of your supply chain.
Evaluate risk by vendor: Assess and rank vendors and partners with access to your network—or any who retain
copies of your data—according to their risk to information security. Two helpful templates for this are the annotated
ICT Supply Chain Risk Manageme.
Business Security Check Reducing Risks Your Computer Systems- Mark - Fullbright
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Many executives are concerned about the security of their data and network infrastructure. Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
Similar to Responding to a Data Breach, Communications Guidelines for Merchants (20)
This report solely belongs to Symantec. Credit is due to all original authors and no financial gain was made from the report, Simply sharing for educational purposes,
The FBI is the lead federal agency for investigating malicious cyber activity by criminals, nation-state adversaries, and terrorists. To fulfill this mission, the FBI often develops resources to enhance operations and collaboration. One such resource is the FBI’s Internet Crime Complaint Center (IC3) which provides the public with a trustworthy and convenient mechanism for reporting information concerning suspected Internet-facilitated criminal activity. At the end of every year, the IC3 collates information collected into an annual report.
Credit is due to all original authors and no financial gain was made from the blog, Simply sharing an interesting story for educational purposes,
This guide aims to help journalists understand their rights at protests and avoid arrest when reporting on these events. It summarizes the legal landscape and provides strategies and tools to help journalists avoid incidents with police and navigate them successfully should they arise. Credit RCFP.Org
Credit is due to all original authors and no financial gain was made from the blog, Simply sharing an interesting story for educational purposes,
Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches. Verizon's 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations, and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). Credit:Verizon
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
A Resource Guide to theU.S. Foreign Corrupt Practices Act
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
The FTC takes in reports from consumers about problems they experience in the marketplace. The reportsare stored in the Consumer Sentinel Network (Sentinel), a secure online database available only to lawenforcement. While the FTC does not intervene in individual consumer disputes, its law enforcementpartners – whether they are down the street, across the nation, or around the world – can use informationin the database to spot trends, identify questionable business practices and targets, and enforce the law.
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
Below is a list of consumer reporting companies updated for 2019.1 Consumer reporting companies collect information and provide reports to other companies about you. These companies use these reports to inform decisions about providing you with credit, employment, residential rental housing, insurance, and in other decision making situations. The list below includes the three nationwide consumer reporting companies and several other reporting companies that focus on certain market areas and consumer segments. The list gives you tips so you can determine which of these companies may be important to you. It also makes it easier for you to take advantage of your legal rights to (1) obtain the information in your consumer reports, and (2) dispute suspected inaccuracies in your reports with companies as needed.
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...- Mark - Fullbright
Transnational criminal organizations (TCOs), foreign fentanyl suppliers, and Internet purchasers located in the United States engage in the trafficking of fentanyl, fentanyl analogues, and other synthetic opioids and the subsequent laundering of the proceeds from such illegal sales.
The mission of the IC3 is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners. Information is analyzed and disseminated for investigative and intelligence purposes, for law enforcement, and for public awareness.
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets also are provided.
The Federal Trade Commission (FTC or Commission) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission
to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.
Sentinel sorts consumer reports into 29 top categories. Appendices B1 – B3 describe the categories,providing details, and three year figures. To reflect marketplace changes, new categories or subcategories are created or deleted over time.The Consumer Sentinel Network Data Book excludes the National Do Not Call Registry. A separate report about these complaint statistics is available at: https://www.ftc.gov/reports/national-do-not-call-registry-data-book-fiscal-year-2018. The Sentinel Data Book also excludes reports about unsolicited commercial email.Consumers can report as much or as little detail as they wish when they file a report. For the Sentinel Data Book graphics, percentages are based on the total number of Sentinel fraud, identity theft, and other report types in 2018 in which consumers provided the information displayed on each chart.Reports to Sentinel sometimes indicate money was lost, and sometimes indicate no money was lost.Often, people make these reports after they experience something problematic in the marketplace,avoid losing any money, and wish to alert others. Except where otherwise stated, numbers are based on reports both from people who indicated a loss and people who did not.Calculations of dollar amounts lost are based on reports in which consumers indicated they lost between $1 and $999,999. Prior to 2017, reported “amount paid” included values of $0 to $999,999.States and Metropolitan Areas are ranked based on the number of reports per 100,000 population.State rankings are based on 2017 U.S. Census population estimates (Annual Estimates of the Resident Population: April 1, 2010 to July 1, 2017). Metropolitan Area rankings are based on 2016 U.S. Census population estimates (Annual Estimates of the Resident Population: April 1, 2010 to July 1, 2016).This Sentinel Data Book identifies Metropolitan Areas (Metropolitan and Micropolitan Statistical Areas)with a population of 100,000 or more except where otherwise noted. Metropolitan areas are defined by Office of Management and Budget Bulletin No. 15-01, “Revised Delineations of Metropolitan Statistical Areas, Micropolitan Statistical Areas, and Combined Statistical Areas, and Guidance on Uses of the Delineations of These Areas” (July 15, 2015). Numbers change over time. The Sentinel Data Book sorts consumer reports by year, based on the date of the consumer’s report. Some data contributors transfer their complaints to Sentinel after the end of the calendar year, and new data providers often contribute reports from prior years. As a result, the total number of reports for 2018 will likely change during the next few months, and totals from previous years may differ from prior Consumer Sentinel Network Data Books. The most up to date information can be found online at ftc.gov/data
A credit score is a three -digit number that predicts how likely you are to pay back a loan on time, based on information from your credit reports.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only. - Medical identity theft has existed in various forms for decades, but it was in 2006 that World Privacy Forum published the first major report about the crime. The report called for medical data breach notification laws and more research about medical identity theft and its impacts. Since that time, medical data breach notification laws have been enacted, and other progress has been made, particularly in the quality of consumer complaint datasets gathered around identity theft, including medical forms of the crime. This report uses new data arising from consumer medical identity theft complaint reporting and medical data breach reporting to analyze and document the geography of medical identity theft and its growth patterns. The report also discusses new aspects of consumer harm resulting from the crime that the data has brought to light
The FTC takes in reports from consumers about problems they experience in the marketplace. The reports are stored in the Consumer Sentinel Network (Sentinel), a secure online database available only to law enforcement. While the FTC does not intervene in individual consumer disputes, its law enforcement partners – whether they are down the street, across the nation, or around the world – can use information in the database to spot trends, identify questionable business practices and targets, and enforce the law.
Since 1997, Sentinel has collected tens of millions of reports from consumers about fraud, identity theft, and other consumer protection topics. During 2017, Sentinel received nearly 2.7 million consumer reports, which the FTC has sorted into 30 top categories. The 2017 Consumer Sentinel Network Data Book (Sentinel Data Book) has a vibrant new look, and a lot more information about what consumers told us last year. You'll know more about how much money people lost in the aggregate, the median amount they paid, and what frauds were most costly. And you'll know much more about complaints of identity theft, fraud, and other types of problems in each state, too. The Sentinel Data Book is based on unverified reports filed by consumers. The data is not based on a consumer survey. Sentinel has a five-year data retention policy, with reports older than five years purged biannually.
This guide addresses the steps to take once a
breach has occured. For advice on implementing a
plan to protect consumers’ personal information, to
prevent breaches and unauthorized access, check
out the FTC’s Protecting Personal Information: A
Guide for Business and Start with Security: A Guide
for Business.
*Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
Consumer Sentinel Network Data Book for January 2016 - December 2016- Mark - Fullbright
FTC Consumer Sentinel Network Law enforcement's source for consumer complaints.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Introduction to AI for Nonprofits with Tapp Network
Responding to a Data Breach, Communications Guidelines for Merchants
1. Responding to a Data Breach
Communications Guidelines for Merchants
2.
3. Responding to a Data Breach
Communications Guidelines for Merchants
It all comes down to one word: TRUST. How merchants respond to data
breaches can build or damage hard-earned trust and corporate reputation.
• A 2008 survey1 of U.S. consumers found that an average of 79 percent
cite loss of trust and confidence in any business they deal with as a
consequence of a security or privacy breach.
• An October 2008 consumer confidence survey2 found that 74 percent
of U.S. consumers would not shop where they feel their financial or
personal information may be at risk.
Because data compromises are often complex, it is challenging to make
the rapid communication decisions needed to mitigate the potential harm
of a breach. These situations are often further complicated by the reality
that every data breach is different and there may be no precedent within
your organization for responding. But the stakes for handling a breach effectively
couldn’t be higher, and the impact to your business — depending on a variety
of factors — can be huge. The impact of a poorly handled breach can reach
throughout your business in both the short and long term: bad press, lost sales,
mitigation and litigation, as well as the uphill battle to rebuild your reputation.
Although it is true that every data compromise has its own challenges and
extenuating circumstances, there are some good basic communications
principles that can be applied to most data breach situations. This booklet
is intended to provide some best-practice guidance for merchants on how
to think about, prepare for and respond to data breaches.
The best line of defense is a thorough and ongoing data security program.
This document presumes that your company has extensive prevention measures
in place but also recognizes the critical need for every company to be prepared
to communicate in the event of a data breach. These are not requirements from
Visa but are merely best practices for your consideration.
Following are five principles for effective data breach communications that can
be used to guide your internal strategy discussions.
1
The CA 2008 Security and Privacy Survey, by CA Inc.
2
Solidcore Systems, Inc. Survey
4. 1. Consider a Breach Likely — and Prepare Accordingly
“In today’s environment, it’s not a matter of if a data breach will occur, but when it will occur,
and how well you respond. Do everything you can to prevent data breaches, but also fully
plan out how you will respond if you are breached. Today’s media and business environment
demands that two-pronged approach.”
Brian Lapidus
coo, kroll fraud solutions
Data breach incidents exposing consumers’
personal information to misuse were at an
all-time high in the United States in 2008 —
a dubious distinction for which business
managers and communicators need to
be prepared.
The statistics are overwhelming. It seems that
you can’t pick up a newspaper without reading
coverage about another massive data breach,
and it appears no organization is immune —
government agencies, corporations, nonprofits.
Even the most sophisticated, best-protected
IT systems can be hacked or compromised,
and sometimes no amount of technology security
can account for human error or deception.
Therefore, the best approach is to assume
you will be breached and prepare accordingly.
It is easy to waste valuable days or weeks
establishing processes and relationships that
could have already been in place. Best practices
indicate that to be prepared, you should:
• Have an ongoing PCI DSS compliance
program and regular security assessments.
The PCI DSS is a security standard developed
by the electronic payment community to help
create and promote consistent data security
measures. The standard is designed to help
companies proactively protect customer
data and includes requirements for security
management, policies, procedures, software
design, network architecture and other
critical protective measures. For more
information, visit:
https://www.pcisecuritystandards.org/security_
standards/pci_dss.shtml.
2 | Responding to a Data Breach: Communications Guidelines for Merchants
• Designate and empower an internal breach
response team that includes experienced
communicators, key operations staff, legal
counsel, risk officer(s) and senior managers.
Minimizing the team and the bureaucracy
can expedite approvals and response.
Because there may be significant liability
issues involved, it is strongly recommended
that legal counsel be involved in any breachrelated response planning and communication.
5. • Identify and establish relationships and/or
agreements with key vendors, including:
>> utside IT security forensics experts who
O
can investigate if, when and how a breach
occurred, and how to close and repair
your system. Visa requires its partners
to use external experts for this function,
and doing so is critical to establishing
credibility with the media, customers,
investors and other key audiences. Also,
consider using a different vendor from the
one that may have done previous security
assessments — they may be defensive or
too concerned with the “how” rather than
the “what,” “when,” and “where.” A list of
Visa-approved CISP Incident Response
Assessors (QIRA) can be found at:
http://usa.visa.com/download/merchants/cisp_
qualified_cisp_incident_response_assessors_list.pdf
upport services vendors that can handle
S
large mailings to your customer database,
provide credit reports, set up toll-free
hotlines and offer counselors and advisors.
There is a wide range of providers of
breach support services. Do your research
in advance and consider factors such
as relevant experience, security expertise
and cost.
utside communications/PR support
O
with experience handling breaches and
crisis communications if you believe your
internal staff may lack the capacity or
experience to respond. Also, internal staff
may often have a difficult time advocating
tough advice to senior managers who may
need convincing of a particular approach.
• Have a breach response communications
plan in place. Most effective breach response
communication plans include personnel and
processes with the lists and channels needed
to execute all communications that might
be needed.
Lesson Learned:
One of the nation’s major grocery chains announced in March
2008 that a data breach at checkout lanes in its stores had exposed
4.2 million payment cards to fraudulent misuse — the largest breach
to hit a U.S. grocery chain. Apparently, the problem was not that the
grocery store chain ignored IT security but that the company’s security
did not evolve as fast as data theft practices. Supermarket News, in
an analysis of lessons learned from cybercrime in its industry, said:
“The breach exposed a weakness in [the company’s] card processing
procedure that it has since addressed. The chain discovered that
malware installed on its store servers was able to gather credit card
numbers as the data was being transmitted from the card-swipe PIN
pad across its private network to its centralized payment switch.
“ ‘Our customer card information is now encrypted from the
[PIN pad] in the lane and remains encrypted the entire time it is
on our network,’ said [the company’s] vice president of marketing. …
‘In the past, the data was encrypted during “part of the trip” through
[the company’s] private processing network,’ she noted. ‘PCI standards
require encryption for data in transit on public networks but not on
private ones.’ ”
As a result of its experience, the company is currently installing
new PIN pads, installing the MX830 terminal from VeriFone and
implementing PIN TDES, or triple data encryption, which a company
senior executive termed the “highest possible level of PIN encryption.”
This major grocery store chain is taking numerous other steps
to strengthen its security, including “borrowing from the military
and industry for the retail environment,” the vice president of
marketing told Supermarket News. “The security bar gets raised
all the time. Security is not a point in time or a single event.
It’s an ever-escalating threshold and a continuous process.”
Responding to a Data Breach: Communications Guidelines for Merchants | 3
6. 2. Be Accurate And Be Fast
“More than 55 percent of respondents said the notification about the data breach occurred
more than one month after the incident, and more than 50 percent of respondents
rated the timeliness, clarity, and quality of the notification as either fair or poor.”
ponemon institute for id experts, the consumer’s report card on data
breach notification, survey of 1,795 u.s. adults, april 2008
Find the facts and tell them fast. This is the most
fundamental of crisis communications principles.
However, most often, in the case of data
breaches, the desire to be certain about all facts
hinders the ability to provide information quickly.
Everyone wants to know all the facts before
communicating, but the reality of data breaches
today is that security forensics takes time —
often more time than applicable state laws allow
prior to disclosure and a lot longer than the
“court of public opinion” considers appropriate.
Most companies experiencing data breaches
end up having to announce the news well before
they feel ready, and certainly well before they
have determined the facts to the degree of
confidence they would like. There are situations
when companies are obligated to withhold
disclosure of a suspected or detected breach
upon direction from law enforcement officials
concerned about compromising their criminal
investigation. In these cases, you may have
no choice but to remain silent. Even then, best
practices recommend preparing to communicate
at the earliest appropriate opportunity.
Once a breach is discovered, it is important
that corporate executives hear a subconscious
clock ticking. Why? To avoid consumer
discomfort — or worse, outrage — because
they feel they were left at risk for too long
before being notified. Also, in the worst
situations, someone other than you breaks
your news first. The following are some
proven suggestions for “beating the clock”:
4 | Responding to a Data Breach: Communications Guidelines for Merchants
• Put yourself in your customers’ shoes.
If you discovered that a company you do
business with notified you that your payment
card or personal information was exposed
(or may have been exposed) months after
they identified a breach, or many weeks
after they knew your information was
involved, how would you feel? Fortunately,
given the prevalence and high profile of
data breaches, many in the news media
now understand that a discovery period
is necessary and that even a few weeks
may be needed to get the facts and avoid
unnecessary alarm. But even enlightened
media won’t accept too long a delay.
Remember that consumers are unlikely to
respond sympathetically when the company
announces itself a “victim” of a data breach.
• Give yourself permission to notify before
you know everything, or before you know
it with confidence. IT forensics investigations
can be time-consuming and tricky. Because
the breadth and depth of a breach can
change dramatically with one new discovery,
investigators are understandably hesitant to
provide any premature information or even
put a timetable on their work. However, if
you are three-quarters of the way through
your investigation and 90 percent sure of
some key facts, that’s probably enough to
go forward with, even if you have to caveat
heavily. However, if obtaining 100 percent of
the facts seems reasonably only a week or
less away, it probably makes sense to hold
off until you have all of the information.
7. • Offer timetables. State laws often will drive
your consumer notification schedule, thus
forcing you to disclose to customers — and,
by default, the media — well before you are
ready. If this is the case, and you do not have
all of the basic information that reporters will
demand (such as when, how, how many), then
inform them of what you know and when you
expect to know more. Commit to updating
them as more facts become available.
Consider the dynamic on an airplane late for
takeoff — the longer the passengers sit on
the runway with no information, the angrier
they get. However, if the captain announces
that there is a problem, what’s being done
and when they will provide an update, the
passengers may not be happy about it, but
they are far less likely to be outraged.
• Acknowledge that the situation may change.
It’s always a good idea to preface any
statements describing a breach with qualifiers
such as “at this time” and “according to
the independent forensics investigation,
we currently believe.” The news media is full
of accounts where companies announce the
size of a breach and then have to dramatically
increase or decrease their estimates. This is
uncomfortable and embarrassing, but is
exacerbated if you have previously stated
your facts with certainty. Know this: Even
cases researched by premier investigators
that appeared to be well understood and
resolved have later been reopened and revised
based on undiscovered or new data.
• Make it a one-day story. By communicating
early and delivering on promised updates,
the company reduces the chances the media
may make more of the story than it might
deserve. The harder a journalist has to work
to dig up the information about your breach,
the more value the reporter and his/her
editors will place on the story — and this will
be reflected in where it is played and how
long it is considered newsworthy.
Lesson Learned:
In mid-June 2008, a specialty retail chain learned it might have
a problem when two of its employees reported unauthorized
transactions on their payment card accounts. The company
communicated proactively, and the visibility of the incident was
minimal. Only one story about this breach could be found.
It turns out The Company had issued a press release in July, less
than a month after the initial discovery, alerting consumers that
PIN pads at eight of its Southern California stores had been breached
and providing store locations, dates, and helpful information and
hotlines. It accepted responsibility, apologized and reiterated that
the “privacy of our customers and their personal information is a
matter of the highest concern to the company, and every effort
is made to ensure that all personal information and financial
data maintained by [the company] is secure and safe.”
The release detailed the changes the company had begun enacting
to strengthen security technology and protocols, and it assured
consumers it was working closely with “the financial institutions
and law enforcement officials to ensure that any of its customers
impacted by this incident are identified. [The company] is also
working with its merchant bank and the payment card issuers
to ensure that any affected cards are blocked and reissued.”
Responding to a Data Breach: Communications Guidelines for Merchants | 5
8. 3. Be Open, Honest and Transparent
“In the past two years, the cost of a data breach to organizations rose an estimated
43 percent with an average cost of $197 per compromised record.”
ponemon institute, 2007 annual study: u.s. cost of a data breach, november 2007
The initial questions
retailers should
consider asking
themselves are:
1. hy am I disclosing
W
this breach?
2. When will I disclose?
3. ow will I go about it?
H
Often, the nature of legal disclosure compliance
puts many companies in a defensive posture
when in fact a company could potentially benefit
more by taking the stance that the best reason
for disclosing openly and quickly is because
it’s the right thing to do for your customers
and your company.
Also, to reiterate principle No. 1, be prepared
by assuming it is likely you will be breached
again. The way you handle your first breach
will become the reference point (for the media,
consumers, investors, analysts, partners —
everyone) for analyzing your response to
future breaches.
Too often, companies take the approach of
determining the minimum amount of disclosure
required and then working to keep their breach as
quiet and hidden as possible. From one
standpoint this may seem appropriately
conservative, but in today’s world, it is no
longer realistic.
Simply put, companies need to protect their
ability to communicate in the future about this
issue. The following are some best practices
for doing so:
Notification letters sent to even a few thousand
consumers and communications issued to
investors and others often find their way
into the public domain. Business reporters
have become quite adept at investigating
data breaches and then breaking the news
that corporations could have delivered and
framed themselves. As a result, the company
may come off looking arrogant, deceptive
or downright deceitful instead of careful.
Although it may be uncomfortable, putting out
your information quickly and with sufficient
detail may be the best way to make your news
a one-day story. On the other hand, stalling,
limiting information and appearing guarded can
be an invitation for reporters to press, probe
and eventually leak out details of your story in
multiple reports or publish critiques of how your
company handled (or mishandled) the situation.
6 | Responding to a Data Breach: Communications Guidelines for Merchants
• Be transparent in your activity and
demonstrate that you are getting the word
out. State your news plainly and publicize
how you are notifying consumers. Let your
actions speak for themselves and realize
that your actions will be analyzed. For
example, putting out an ambiguous and
thin press release at 5 p.m. on a Friday may
not indicate a good faith effort to notify.
• Follow your normal media routine. If you
typically put your press releases on a certain
wire distribution circuit, use that same
process. If you have relationships with beat
reporters that you regularly update, then
include the breach news in your updates.
If they follow your company, they’ll find
out anyway. Better to hear it from you.
• Avoid absolutes. Again, information about
the breadth and depth of breaches can
change quickly and dramatically. Since
you can never be absolutely certain of the
facts, try to avoid speaking in absolutes.
9. Some companies have tried to minimize
the perception of their problem and
maximize the impression of their control by
expressing high confidence in their findings
(“we are very confident that this incident
only involved x consumers”), only to later
appear either foolish or untrustworthy
when they had to change their story.
• Avoid misleading statements. It can be
tempting to selectively provide information
or carefully construct statements to increase
confidence or decrease concern. For example,
“We know of no breach” may be a convenient
statement, but it is unacceptable if you have
reason to suspect a breach and are investigating,
or if prosecutors and other government
authorities have indicated they are investigating
a possible breach involving your company.
• Don’t attempt to withhold key details.
It looks bad, and it won’t work. Some
companies initially refuse to provide the
number of transactions or accounts that
are involved. But one of the very first things
reporters want to understand is scope. If the
information is not provided, the media will
inevitably ask. But best practices recommend
that you should not make them have to ask.
It’s OK to admit that you don’t have the exact
numbers or are still investigating. However,
do provide as much info as you can to limit
the scope. For example, “our current research
indicates the breach was likely limited to
less than 5,000 cardholders in Southern
California” is a far superior answer to “I can’t
comment on that now.” It’s worth noting
that a breach involving fewer than 1 million
payment cards is unlikely to garner much
media attention in today’s environment.
• Stay focused and concise. Determine the
important information to deliver, provide
it directly and efficiently, and then stop
talking. Avoid excessive communication
that might prolong the life of the story.
Lesson Learned:
When a major global hotel chain suffered a data breach in Europe in
August 2008, its public comments about the breach began to receive
more scrutiny than the breach itself. “Most companies experiencing
data breaches quietly apologize and hope the story goes away, but [the
company] is doing everything it can to keep this story in the spotlight,”
wrote Ben Worthen in The Wall Street Journal’s Biz Technology blog.
It turns out that a Scottish newspaper notified the hotel chain that
a cybercriminal had obtained illegal access to about 8 million customer
records in its computer reservation system, and when it contacted the
company for comment, it was thanked for the alert and told that the
breach had been closed, according to an article later that month in
The Times of London by Bernhard Warner, under the headline: “Online
security breaches are getting increasingly common, so we may as well
settle on the right kind of response.”
According to The Times, within two days of thanking the Scottish
newspaper, hotel chain officials issued an irate denial, dismissing the
paper’s “grossly unsubstantiated” article and saying the company had
found “no evidence” to support the story.
“For the next 36 hours, confusion reigned,” The Times said. “A Google
News search pulled up over 200 articles debating whether [the company]
had or had not been hacked.” The following day, the hotel chain “was back
again with a third statement, this one contradicting its second statement.
In fact, there was a data breach, the company now informed the public.
But just 10 customers were affected, not 8 million.”
Still, “in changing its story so many times, it left the public baffled about
the extent of the damage and who, if anybody, is at risk,” the article said.
Responding to a Data Breach: Communications Guidelines for Merchants | 7
10. 4. Be Accountable — Always
The risk is real. Data is streaming out of companies at an alarming rate, with at least
one new breach reported daily. Businesses, nonprofits, and government agencies face
a host of regulations making it clear that they have a responsibility to protect data. …
The consequences of noncompliance can be severe, potentially resulting in financial
penalties, reduced stock value, loss of customer confidence, and lost sales revenue.”
Brian Lapidus,
coo, kroll fraud solutions
By now, the vast majority of consumers and
media understand that data compromises
happen. They can and will forgive companies for
security lapses, bad luck or both. However, the
public is very unforgiving of companies who do
not accept responsibility for the security of their
data. From a consumer’s perspective, the issue is
relatively simple: “I gave my information to you,
you exposed/lost it, and it’s your fault. Period.”
A good practice is to immediately and
consistently accept responsibility for the issue
and to demonstrate ownership of the problem.
Following are some recommended best practices
for doing so:
• Take ownership. Immediately acknowledge
responsibility for the breach and express
regret for its impact. Once you’ve done
so, you can quickly move to talking
about the solution (what you are doing),
rather than the problem. Avoid the blame
game, which might include placing
responsibility on an employee or vendor.
• Don’t play the victim. Ten years ago,
when announcing a data breach, it may
have been possible for companies to
successfully portray themselves simply as
fellow victims. Today, this is a flawed and
dangerous strategy. Although you may have
had a crime committed against you, the
public and business press will still hold you
accountable and will not consider you a covictim. Best practices recommend that rather
than announce that your company was the
“victim of a criminal computer hacker,” you
should announce that you became “aware
of unauthorized access to our computer
system,” or some alternate phrase.
• Express regret. Apologizing is a critical
step in taking ownership. Avoid qualified
or conditional apologies. For example,
“We don’t think anyone was affected but
regret if anyone is inconvenienced” might
be worse than not apologizing at all.
8 | Responding to a Data Breach: Communications Guidelines for Merchants
11. • Put an executive face on the issue.
Visibly involve a senior executive in your
communications. Issuing press quotes
or public comment from an IT employee,
customer service representative or lowlevel manager does not signal commitment.
Neither does sending a generic, unsigned
notice as a notification letter. However,
sending a personalized notification letter
signed by the president or CEO demonstrates
how seriously a company is taking the issue.
• Be careful how you portray PCI compliance.
Some companies will cite PCI compliance
as a defensive measure. However, data
security experts point out that just because
a company passed an assessment in the
past and was deemed PCI compliant doesn’t
mean it is still compliant today. In fact, the
experts say that if your company has had an
unauthorized system intrusion, it is highly
likely you were not PCI compliant at that
time. You can discuss your PCI compliance
program as evidence of your commitment
to security, but be careful about appearing
to use it to deflect accountability.
Lesson Learned:
A major clothing retailer and a shoe discount chain both waited more
than a month after federal indictments were announced in early
August 2008 in the largest single recorded data breach to release
any information about their roles, according to The Wall Street Journal
and other news accounts. ComputerWorld on Sept. 16, 2008, reported
that the clothing retailer only said in a statement that nearly 99,000
payment cards were compromised from 2004 to 2007 but offered no
explanation for the delay. Instead, it “stressed that it has complied with
the requirements of the credit card industry’s Payment Card Industry
Data Security Standards (PCI DSS) since they went into effect. And
it noted it has been certified as being PCI-compliant since 2007.”
The article noted that officials from the clothing retailer did not
return a phone call seeking comment and that a toll-free number to
answer consumer questions carried a recording that “invited callers
to leave their names and phone numbers with the promise that
someone from the company would get back to them. A message
seeking comment left at that number was not returned either.”
Several other major retailers targeted in the massive data breach
refused to tell The Wall Street Journal if they had made any consumer
disclosures. “Computer searches of their Securities and Exchange
Commission filings, Web sites, press releases and news archives
turned up no evidence of such disclosures,” the newspaper reported
on August 11, shortly after the indictments were announced.
“If I were these companies, I would be issuing public disclosures five
nanoseconds after the indictments were announced,”Evan Stewart,
a Fordham University School of Law adjunct professor and data breach
expert, said in the article.
Responding to a Data Breach: Communications Guidelines for Merchants | 9
12. 5. Get the Word Out – Be Thorough
“Sixty-three percent of respondents said notification letters they received offered no
direction on the steps the consumer should take to protect their personal information.
As a result, 31 percent said they terminated their relationship with the organization.
Fifty-seven percent said they lost trust and confidence in the organization.”
ponemon institute for id experts, the consumer’s report card
on data breach notification, survey of 1,795 u.s. adults, april 2008
Audiences
to Consider
• Cardholders
• Employees
• Customer service
• Shareholders
• Analysts
• Media
• Partners
• Regulators
• Legislators
The notification letter to customers is
important, but do not become so fixated on
that one task that you delay or ignore other
communications. You have multiple audiences
and channels to consider, and therefore it is
important to be systematic in your approach.
The following are recommended practices
from experts in data breach communications:
• Consider all audiences. No audience or
stakeholder wants to feel like they are the
last to be informed. Having lists and systems
in place to send out notifications quickly
can ensure that no one feels slighted.
10 | Responding to a Data Breach: Communications Guidelines for Merchants
• Don’t forget the front lines. Although it
would be nice to control all interaction with
consumers regarding a breach, it is neither
possible nor practical. No matter how thorough
your mailings and media statements are, there
is a high likelihood that curious or concerned
customers will approach company personnel
in your stores with questions. Rather than
expecting store personnel to address individual
inquires, and to avoid having them appear
uncooperative, consider providing handouts
or “take ones” that can be available at the
point of purchase and other key locations.
13. • Leverage the power of zero liability.
Often, the fastest way to reduce consumer
concern or panic is to remind consumer
cardholders that they will not be held
liable for any fraudulent purchase made
using their payment card. Best practices
recommend this message be present and
prominent in all of your communications.
• Take credit for what you are doing.
Explain how you have addressed the
problem (cooperation with law enforcement,
internal review, third-party forensics
investigation, etc.) and what you are doing
to support customers. Demonstrating
activity will advance your objective of
reducing customers’ security concerns.
• If law enforcement is involved, say the
company is cooperating, and if illegal
usage of card data is suspected or even
possible, work with Visa to monitor
for fraud and say this publicly.
Lesson Learned:
Two high-profile data breaches illustrate the range of impact an
organization’s breach response can have on its corporate reputation.
The Department of Justice announced 11 indictments in August 2008
in the largest U.S. data intrusion, which was committed against a major
retail corporation overseeing multiple brands. Associated Press
business writer Mark Jewell wrote in April 2007 that “for at least 17
months, someone had free rein inside [the company’s] computers.”
The total impact of the data breach is believed to have involved at
least nine retail companies and more than 40 million payment cards.
The trail of fraud, and the suspects in the case, crisscrossed the U.S.,
Canada, U.K. and several Eastern European countries.
In 2008, the U.S. Federal Trade Commission reached
a settlement with the retailer in which the company agreed to
upgrade and implement comprehensive security procedures and
submit to audits by third parties every other year for 20 years.
The company issued its first press release alerting consumers to
the massive breach a month after it was discovered (the delay was
at the request of the U.S. Secret Service, subsequent regulatory filings
showed) and has provided extensive information for consumers online
and via hotlines since January 2007. The breach has been costly to the
company — reports indicate more than $200 million has been reserved
— and the retailer has taken a reputational hit as well. Deepak Taneja,
chief executive of Aveksa, a security software company, told the AP:
“Unfortunately for [the company], I suspect they are going to become
the poster child for poor data security.”
However, redemption can follow a even record-breaking data breach.
“In a remarkable turnaround, [a large data services company] excoriated
two years ago for its lack of precautions as it went about gathering and
selling personal data, has recast itself as a model corporate citizen,”
was the lead in a USA Today story in April 2007. (The data services
company revealed in February 2005 that it had sold the personal
information of at least 166,000 people to a Nigerian con artist posing
as a debt collector. The widely publicized incident led the FTC to issue
a record $10 million fine against the company and order it to set aside
$45 million to aid victims of the data breach.)
“The once-obscure data broker … embraced extensive reforms,”
USA Today reported. “The result: [The company] is regarded by
a dozen leading privacy advocates interviewed by USA Today as the
most responsible company among dozens in the lightly regulated,
fast-growing field of aggregating and selling sensitive information.
“ ‘[The company] transformed itself from a poster child of data
breaches to a role model for data security and privacy practices,’
says Gartner analyst Avivah Litan.”
Responding to a Data Breach: Communications Guidelines for Merchants | 11
14. • Provide real, customer-focused support.
There is no better way to restore trust and
credibility than to demonstrate to consumers
what you are doing on their behalf and what
support you are offering.
Toll-free information lines. Call centers and
hotlines are commonly offered to customers
whose data were or may have been exposed
and are used as proof points of corporate
support. However, these services can
present some challenges. If the call center
is understaffed or if consumers can’t get
any information beyond a regurgitation of
the notification letter they received, then
avoid a live operator, as that can increase
frustration or outrage. One option is an
automated menu with preprogrammed
QA information that extends beyond
what was in the notification letter.
Credit monitoring. Although you may
not feel it is needed or warranted, credit
monitoring can provide comfort to
consumers. Many customers are familiar
with the service because they read in the
media about other breached companies
offering it or because they have received
offers themselves following other breaches.
While only a small percentage of consumers
sign up for monitoring, the offer is generally
appreciated. If personal identifier information
was included in the breach or is suspected
of being included, then it would be wise
to strongly consider credit monitoring.
Investigators or identity restoration
services. When customers become
a victim of fraud related to your exposure
of their personally identifiable information
(such as Social Security numbers), you
may want to consider providing access
to case investigators or identity
restoration services.
12 | Responding to a Data Breach: Communications Guidelines for Merchants
• Use the Internet to inform. In addition to
putting statements and QA documents on
your corporate website where customers will
be able to find them, consider other options,
such as conducting a live web chat on the
subject with a top executive, which could
be archived on your website. Also, consider
purchasing Google search keywords (such
as the name of your company in conjunction
with “breach” or “hack”) to help ensure that
any consumers or media searching online for
information about your breach will find a link
directly to your best information.
• Monitor all information sources. Most
companies will monitor news coverage as
standard procedure, and many include online
and blog searches as part of that monitoring.
Monitoring can help you understand how
your situation is being portrayed and reveal
opportunities to react and respond. If
reporters get some facts wrong, be very
careful what you try to correct. Your pursuit
of an error could pump additional life into the
story. Also, don’t assume no news coverage
means that consumers won’t notice. There
still may be concerns based on word of mouth
and what’s being said on the front lines within
your company. If you have a particularly large
breach, consider doing consumer polling to
better understand its impact on attitudes and
corporate reputation.
15. Conclusion
“The key lesson of the [major retailer] security breach, may be that it is impossible to prevent
data crimes against the card system. The ease of access to valuable consumer information,
the considerable rewards for stealing it, the failure of law enforcement to prevent it, and
the increasingly prohibitive cost of protecting it all militate against any easy solution.”
Duncan McDonald
former general counsel to citigroup inc.’s europe and north america card businesses
in “viewpoints,” american banker, april 20, 2007
Organizations that do business with payment
cards recognize the realities cited in the American
Banker column — including the rising odds of
experiencing a data breach in the future — and
have taken most, if not all, of the steps suggested
here in this booklet. The most important of them
is the need for advance preparation and internal
structures and protocols to monitor, assess and
upgrade security.
Although no formula can account for the
many variations and circumstances that may
be involved in individual data breaches, the
five principles outlined in this booklet will help
you navigate most situations. Following these
recommended best practices from experts
in data security and communications should
allow you to prepare, react and respond with
confidence — and then look back with no regrets.
Then, when the alarm goes off, your organization
will be able to respond rapidly to assemble the
correct information; be honest, open and
accountable; communicate with consumers and
other important audiences as quickly as possible.
Responding to a Data Breach: Communications Guidelines for Merchants | 13