Data Breaches Part II: Five Steps to Manage a Data Breach

October 22, 2007


After the Data Breach: Introduction

Though a smaller data breach than its predecessors at TJX and ChoicePoint, affecting only 250 private records, the musical instrument company Bananas.com (Bananas at Large) was the victim of a hacker who, according to published reports, stole an administrative password by accessing Bananas.com systems as a remote user.

What’s interesting about this case is not the small number of records compromised, but the way that bananas.com reacted to the data breach.

Not only did they wait over a month after the breach to contact the affected customers, but, according to the Associated Press (AP), Bananas.com admitted to the breach only after the AP inquired about it.

Allegedly, someone went to an Internet chat room and tried to sell the names, addresses, phone numbers and credit card numbers of 31 bananas.com customers, and that is when the company discovered that they had a breach.

Once the breach was known, Bananas.com’s 25-person staff raced to contact the affected customers through a blanket of standard mail and e-mail statements.

When it seemed too much to handle, the company referred customers to credit-reporting agencies for any financial fallout from the data breach.

Because there was no data breach containment plan in place before the breach, and because the company is a web-based mail-order business, Bananas scrambled to keep up with each state’s breach notification laws.

Subsequently, the company was hit with stiff fines from the major credit card companies. “They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” said Bananas President J.D. Sharp, in an article for ComputerWorld magazine. “They’ll fine the pants off you,” he added. Bananas was caught off-guard, with no real data breach plan in place before the intrusion.

If this happens to your organization, there are immediate steps you can take to contain the damage from a data breach, while complying with state and federal data breach notification laws.

New Changes to the PCI DSS Self-Assessment Questionnaire

Every organization should also fill out and follow the PCI DSS Self-Assessment Questionnaire (SAQ), both to spot breaches and to serve as a guideline and checklist of everything that should be covered before or after a data breach.

The PCI Security Council just released an updated questionnaire that splits the original requirements among the following organization types:

  • SAQ Validation Type 1 – Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  • SAQ Validation Type 2 – Imprint-only merchants with no electronic cardholder data storage.
  • SAQ Validation Type 3 – Stand-alone terminal merchants, no electronic cardholder data storage.
  • SAQ Validation Type 4 – Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
  • SAQ Validation Type 5 – All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

Here is a brief recap of the original PCI DSS Self-Assessment Questionnaire:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored data.
  • Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Maintain a policy that addresses information security

  • Requirement 12: Maintain a policy that addresses information security

After the data breach: PCI DSS and data breaches

If your organization processes payments by credit card, then the term PCI DSS is no stranger to you.

Following the 12 requirements is no longer considered merely a “best practice”; it is now mandatory, and an organization that fails to comply could spend millions in fines. Whether you are considered a Level 1, Level 2, Level 3 or Level 4 organization determines your deadline to become PCI compliant.

If you have been certified as PCI compliant, and a breach occurs, Visa and MasterCard require a forensic investigation into the breach, before fines are levied.

For a 2007 article written for SearchSecurity.com, entitled “PCI DSS auditors see lessons in TJX breach,” Senior News Writer Bill Brenner interviewed several PCI DSS auditors concerning the status of their clients.

He found out that most PCI DSS auditors report that their clients are achieving PCI compliance, but that there are big problems along the way to compliance.

The auditors he interviewed reported the following:

  • Unpredictable encryption – Data is encrypted and protected in some instances, but in others there is no encryption present.
  • Unnecessary data storage – Organizations store data that they don’t need to store and then allow this data to be available across unsecured parts of their network.
  • Failure to log activity – Some IT departments fail to keep a log of network activity, which makes finding a breach and who is attempting to access systems impossible.
  • Failure to scan software – Some organizations don’t conduct regular scans for software vulnerabilities and abnormal activity.
  • Controls are not PCI compliant – Many organizations thought that rules from regulatory acts like Sarbanes-Oxley and HIPAA also covered their controls, with or without PCI DSS. Organizations are quickly finding out that even with those controls in place, they are not PCI compliant.

By addressing the areas listed above, working in conjunction with a certified PCI auditor, and taking the following steps, the aftermath of a data breach may not be as devastating as it was in previously reported data breaches.

Step 1: Spot/Investigate the Breach

The PCI DSS Self-Assessment Questionnaire is an excellent way to spot or investigate a data breach, whether or not your organization is currently PCI compliant.

In the case of Bananas.com, it was months before they realized that a breach had taken place.

For TJX, it took several years after the breach for the company to realize that 45.7 million credit card numbers had been compromised. The company is still reeling from paying out settlements, upwards of 40 million dollars, for class-action suits against them.

If your organization is hit by a data breach, the first thing to do is to determine where the breach occurred, by reviewing every area of IT: network and systems, Internet activity, and whether a computer or computer hard drive has been physically stolen. In addition, deploying and monitoring intrusion detection systems (IDS) can provide vital information about a data breach.
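The kind of log review that finds a breach like the Bananas.com intrusion (an administrative password used from a remote location) can be shown in a few lines. The script below is an added example and is not code from the original article or from any vendor it names: it reads constructed sshd-style authentication lines and flags a successful login to a privileged account either from a source address that account has never used before, or following a burst of failed attempts from the same source. The log format, account names, baseline addresses and IP addresses are all constructed for the example.

```python
"""Review authentication log lines for suspicious privileged logins.

Added example, not code from the original article. It shows a review that
surfaces a remotely used administrative password in ordinary auth logs: a
successful login to a privileged account from a source address that account
has never used before, or a success that follows a burst of failed attempts
from the same source. Log format, account names and addresses are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, in a simplified sshd-style format.
SAMPLE_LOG = """\
2007-09-01T10:00:01 sshd: Accepted password for jsmith from 10.0.0.15
2007-09-01T10:05:12 sshd: Accepted password for admin from 10.0.0.20
2007-09-01T22:10:00 sshd: Failed password for admin from 203.0.113.45
2007-09-01T22:10:03 sshd: Failed password for admin from 203.0.113.45
2007-09-01T22:10:06 sshd: Failed password for admin from 203.0.113.45
2007-09-01T22:10:09 sshd: Failed password for admin from 203.0.113.45
2007-09-01T22:10:12 sshd: Failed password for admin from 203.0.113.45
2007-09-01T22:10:15 sshd: Accepted password for admin from 203.0.113.45
2007-09-02T09:00:00 sshd: Accepted password for jsmith from 10.0.0.15
2007-09-02T09:30:00 sshd: Accepted password for admin from 198.51.100.7
"""

# Constructed baseline: addresses each privileged account was already known
# to use before this log window (for example, from earlier, reviewed logs).
KNOWN_SOURCES = {"admin": {"10.0.0.20"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)
PRIVILEGED = {"admin", "root"}  # constructed list of privileged account names
FAIL_THRESHOLD = 3              # failures from one source before a success is suspect


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_auth_log(text, known_sources=None):
    """Return a Finding for each privileged login that merits investigation."""
    seen = defaultdict(set)           # user -> source addresses seen so far
    for user, ips in (known_sources or {}).items():
        seen[user].update(ips)
    failures = defaultdict(int)       # (user, src) -> failures since last success
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                  # unrelated or malformed line
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # A successful login: judge it before updating the baseline.
        reasons = []
        if ev["user"] in PRIVILEGED:
            if failures[key] >= FAIL_THRESHOLD:
                reasons.append(f"success after {failures[key]} failures")
            if ev["src"] not in seen[ev["user"]]:
                reasons.append("first login from this source")
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], "; ".join(reasons)))
        failures[key] = 0
        seen[ev["user"]].add(ev["src"])
    return findings


if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_LOG, KNOWN_SOURCES):
        print(f"{f.ts} {f.user}@{f.src}: {f.reason}")
```

On the constructed log this reports two events: the admin login from 203.0.113.45 after five failures from that address, and the later admin login from 198.51.100.7, an address never seen for that account. Neither check needs an IDS; both need the logs to exist and someone to read them, which is exactly the gap the auditors quoted above describe.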

Once your organization has determined the type of breach and what sector it affects, it’s time to determine the scope and size of the damage from the data breach.

This data breach assessment includes:

  • The number of customers affected.
  • Systems that are damaged or infected by malicious intrusions, if applicable.
  • The exact type of data compromised – was it credit card numbers? Social Security numbers? Vital statistics? Addresses and telephone numbers?
  • The projected cost of repairing the damage, from the organization’s perspective and, most importantly, the customer’s.
  • A complete list of compromised accounts.
  • Decisions as to whether to monitor, freeze or close affected accounts, if applicable.
  • Blocking and reissuing credit cards, if needed.
  • Monitoring and studying affected accounts.
  • Determining fraud patterns.
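Several items in the assessment above (the number of customers affected, the exact data elements exposed, the complete list of compromised accounts) can be answered mechanically once the recovered records are in hand, and the later section on state laws adds that the affected customers’ states decide which notification laws apply. The script below is an added example, not code from the original article: it takes constructed records of the kind an investigation might recover, classifies each field by its content (a Luhn-valid 13–19 digit string as a card number, an NNN-NN-NNNN string as a Social Security number) rather than trusting column names, de-duplicates people, and tallies exposure by data element and by state. Every record and value in it is invented.

```python
"""Scope a set of compromised records: what data was exposed, and for whom.

Added example, not code from the original article. Fields are classified by
content rather than by column name, duplicate rows for the same person are
collapsed, and exposure is tallied per data element and per state so the
notification work can be sized. All records and values are constructed.
"""
import re
from collections import Counter

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed records; the columns and values are invented for the example.
COMPROMISED_RECORDS = [
    {"name": "A. Customer", "state": "CA", "email": "a@example.com",
     "card": "4111 1111 1111 1111", "ssn": ""},
    {"name": "B. Customer", "state": "FL", "email": "b@example.com",
     "card": "5500 0000 0000 0004", "ssn": ""},
    {"name": "C. Customer", "state": "OH", "email": "c@example.com",
     "card": "", "ssn": "123-45-6789"},
    {"name": "A. Customer", "state": "CA", "email": "a@example.com",
     "card": "4111 1111 1111 1111", "ssn": ""},          # duplicate row
    {"name": "D. Customer", "state": "FL", "email": "d@example.com",
     "card": "1234 5678 9012 3456", "ssn": ""},          # not a well-formed PAN
]


def luhn_valid(digits):
    """Luhn check used by payment card numbers: True if the check digit matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_field(value):
    """Name the sensitive data element a field holds, or None if it is not one.

    A Luhn failure only means the field is not a well-formed card number; it
    does not make the field harmless, so unclassified fields still deserve a
    manual look during the assessment.
    """
    v = str(value).strip()
    if not v:
        return None
    digits = re.sub(r"[ -]", "", v)
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits):
        return "payment card number"
    if SSN_RE.match(v):
        return "social security number"
    if EMAIL_RE.match(v):
        return "email address"
    return None


def assess_scope(records):
    """Summarise a breach: distinct individuals, exposed elements, and states."""
    seen = set()
    elements = Counter()
    states = Counter()
    for r in records:
        ident = r.get("email") or r.get("name")   # de-duplicate on email, else name
        if ident in seen:
            continue
        seen.add(ident)
        states[r.get("state", "unknown")] += 1
        for key, val in r.items():
            if key == "state":
                continue
            kind = classify_field(val)
            if kind:
                elements[kind] += 1
    return {"individuals": len(seen), "elements": dict(elements), "states": dict(states)}


if __name__ == "__main__":
    summary = assess_scope(COMPROMISED_RECORDS)
    print(f"{summary['individuals']} individuals affected")
    for kind, n in sorted(summary["elements"].items()):
        print(f"  {n} x {kind}")
    for st, n in sorted(summary["states"].items()):
        print(f"  {n} resident(s) of {st}")
```

On the constructed input the summary is four individuals (the duplicate row is collapsed), two exposed card numbers, one Social Security number and four e-mail addresses, spread across California, Florida and Ohio; the fourth card field fails the Luhn check and is left for manual review rather than counted as a card number. The per-state counts are the starting point for the notification plan in Steps 3 and 4.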


Step 2: Circle the Wagons: Deploy the Rapid Response Team

Once your organization is hit by a data breach, it is time to take immediate action.

If your organization has not previously set up a rapid response team to handle all aspects and fallout of a data breach, it is time to do so quickly.

If a rapid response team is in place, make sure that the following areas are covered:

  • Human Resources
  • Information Technology (IT)
  • Public Relations
  • Legal Counsel
  • Risk Management
  • Financial Managers
  • Corporate Management
  • Branch Management (if applicable)
  • Digital investigators

Each organization’s response team will vary; however, each area should be covered, so your organization knows how to spin the fallout from a data breach.

Two of the most sensitive areas are Public Relations and IT. Most of the time, it’s the PR representative who must make a written and verbal statement concerning the breach.

In addition, IT personnel have a spotlight on them too, especially if the breach occurred within the IT environment. Documentation is key when it comes to an IT-based breach, and it is a best practice to train in-house IT personnel in how to respond to a suspected incident. Every time there is a change to the IT environment, the IT team should document it.

In addition, any organization should either have forensic specialists on the IT team who are educated and certified in digital forensics, or be able to hire third-party companies to handle forensics as well as other aspects of the response plan. Most forensics experts within an IT environment are typically certified to use the two primary tools for performing digital forensics: Guidance Software’s EnCase and Access Data’s Ultimate Forensics Toolkit (FTK).

“If you go to any IT person, this is a big concern,” says Chris Ramos, a compliance consultant with First Advantage/Security Incident Response Network (SIRN). “There is a blame game out there, there are liabilities and an aftermath.”

Under the umbrella of First Advantage, the nation’s largest reseller of credit card information to financial institutions, SIRN is a St. Petersburg, FL-based third-party fulfillment service that assists organizations after a data breach. It handles rapid consumer notification and helps to minimize the potential impact of a consumer data security breach.

“Most organizations we do business with, actually have experience in data breach material,” says Ramos. “They understand that they need policies, but they don’t know how to execute those policies…if a company has experienced a data breach, that doesn’t always mean that they will follow their procedures.”

Ramos emphasized that an organization should first get its response team organized, whether or not it uses a third-party vendor like SIRN.

“There are legal issues, PR issues, and SIRN is really there as an aid and to complement their current policies,” he continued. “We don’t go in and write the policies, and we have our own internal processes, so we can take over for them, but we like to work with the organization’s response team…we urge organizations to create their own response and notification plan, first.”

Step 3: Create a Notification Plan

Once your organization’s rapid response team assembles, it’s time to create a notification plan for all entities that require notification after a breach.

The following are the major groups that organizations should contact, in the event of a data breach:

  • Law Enforcement – Is this a physical theft? Is any person in danger as a result of the theft? In the event of a stolen computer hard drive, laptop or other device, or any identity theft issues, report the crime to the proper authorities: your local police department and, if needed, the Federal Bureau of Investigation (FBI) or the U.S. Secret Service. If mail theft is involved, contact the U.S. Postal Inspection Service.
  • Affected Businesses – Do you store and maintain credit card or bank account numbers, or store or collect personal information, for any third-party organization? Were credit card or bank account numbers stolen from you for accounts that are held with another organization? In the event of a data breach that includes bank, credit card or Social Security numbers, whether stored with your organization or with a third party, notification to those third-party organizations is mandatory. This may also involve notifying the major credit card bureaus, if needed.
  • Affected Individuals – Notify individuals in a timely manner, so that the affected parties can quickly take steps to rectify the situation. The Federal Trade Commission (FTC) publishes guidelines for notifying individuals. Allow the affected individuals to request police reports, contact law officials and contact credit bureaus, and urge the victims to contact the FTC, if needed.


Step 4: Implement the Notification/Communications Plan

Your organization has suffered a data breach, and now it’s time to put the teams and plans into action.

Once the rapid response team determines the type of breach, its scope and the customers affected, it’s time to determine when, or whether, your organization needs to disclose the breach to the affected individuals or businesses. When should an organization disclose a breach, or should an organization always send notification no matter the level of the breach?

Opinions vary; however, the FTC offers some specific guidelines, including that an organization does not have to provide notice if there is no realistic expectation that an actual crime occurred.

In an opinion piece for CSO.com, A. Bryan Sartin, vice president of investigative response at Cybertrust, wrote the following: “There are noble and valid reasons behind the proposed new laws. Addressing the ‘if’ – to inform people in a proactive fashion that their data has been stolen when they may already be a victim of compromised information or identity theft – is the right thing to do.” He continued, “In terms of addressing the ‘when,’ however – and it’s a big however – security breaches need to be qualified and should require an industry-established threshold standard before any disclosure takes place. Disclosing just for the sake of disclosing is not the answer.”

In the case of GE Capital and J.C. Penney (see the pre-data-breach article), the data breach in question involved a lost backup tape. If it were determined that the backup tape was actually stolen, GE Capital would have an obligation to notify those customers whose personal data may have been compromised because it was on the tape in question.

If the backup tape was just lost, and it was not determined that it was stolen, should the organization give notification to affected customers, business partners or third party vendors?

“Financial institutions, as well as other industries, commit a large amount of their budgets to ensure that security breaches are rapidly recognized and reacted to before they grow out of control,” wrote Sartin.

“In the payments industry, for example, there are formal processes requiring investigations to ensure containment and verify the full extent of the exposure. From PCI (Payment Card Industry Data Security Standard) compliance requirements and industry watchdog groups, to government accounting standards and Wall Street analysts, disclosure is often not up to the compromised organization.” Sometimes it is up to the law enforcement agencies involved with the response team. If a criminal investigation is ongoing, or there is a pending law enforcement action, authorities may not want you sending out public notices while the initial investigation is underway. This is where having representatives from the organization’s legal team on the response team comes in very handy.

Use the legal representatives on your rapid response team to help determine the following:

  • State and federal laws and regulations that are applicable
  • The probability that the information has been, or will be misused
  • Contractual obligations of the organization to disclose the data breach
  • Whether regulators and customers need to be informed about the data breach, and the content of those communications.

Disclosing the Breach

Thirty-nine states have passed laws about data breach practices and disclosure, and through the Federal Trade Commission and the Securities and Exchange Commission there are also guidelines for disclosure.

Unfortunately, there is no set standard for disclosure at the federal legislation level, though there are several bills up for consideration.

What this means for your organization is that you must determine what disclosure policies to follow, especially if your organization conducts business across many or all states, or around the world.

ChoicePoint, an Alpharetta, Ga.-based data aggregator and reseller of personal information, decided to send out notices to over 163,000 people affected by its much-publicized data breach two years ago. According to Vice President for Compliance Christopher Cwalina, the company followed the only legislation available at the time, California’s data breach notification laws, and sent the notices without any federal or state law requiring that it do so.

When considering how to respond to a data breach, remember the following tips:

  • Identify data breach disclosure – Depending on the applicable state or federal data breach notification laws, your organization must follow a data disclosure plan. The rapid response team, or an individual from it (legal counsel, the PR representative or a third party), must disclose the breach via letter, e-mail or any mandated communication method to customers, legal organizations, third-party partners, the SEC, the FTC, etc.
  • Manage data breach disclosures – Research your own state’s data breach notification laws first, then follow any applicable data breach laws at the state level and the guidelines of organizations such as the FTC, the SEC and the PCI DSS.
  • Understand the magnitude of disclosure – When deciding when or whether your organization should disclose the data breach, remember that the bad press, the negative exposure and the millions of dollars that could be lost in fines and class-action judgments far outweigh the fallout from notifying the affected parties about the breach. The quicker the notification, the easier damage control will be between the organization and the customer.


Step 5: Perform a Response Audit After the Event

Once the data breach is contained and letters are sent to the affected customers, businesses, law enforcement and any other third-party entity, it is time for all members of the rapid response team to document the data breach from beginning to end.

Each member of the team should maintain a log that contains the following information:

  • All information concerning the specific breach.
  • All procedures followed, from the beginning through the containment and aftermath of the data breach.
  • Any outsourcing to third-party companies that took place during the breach, along with any documentation from those third parties concerning the data breach.
  • Problem areas, if any, within your department.
  • A published list of any resources used during data breach notification, such as the FTC website, supplied to the rapid response team, customers and third-party vendors.

Test the rapid response plan

Periodically, your organization should practice utilizing the data breach plan from start to finish.

Since one of the most prevalent types of data breach involves unsecured workstations, laptops and desktops, instruct your employees to properly secure all computers and storage devices.

Pay attention to IT issues, including monitoring your IDS systems. When is the last time you checked your IDS systems? When did you view logs of your Active Directory servers? Are you deleting employee user information, once the employee leaves the organization? Are you using encryption across all of your systems?

Routinely check everything at your organization that relates to data transmission and storage, whether monthly, quarterly or yearly.

After a Data Breach: Navigating State Disclosure Laws

Following the lead of California, the first state to enact a data breach notification law, 39 states currently have a data breach notification law on the books.

Bananas.com was hit with fines for not complying with various state data breach laws; researching those laws while simultaneously notifying affected customers overwhelmed its small staff.

If your organization conducts business online, with customers from all over the U.S., or abroad, not only must you comply with your own state’s data breach notification laws, you must comply with the data breach notification laws from the states of the affected customers.

When to send a notification is tricky in some instances. Arizona, for instance, prohibits some local law enforcement and state agencies from disclosing a security system breach, but Illinois requires immediate notification of the breach.

In some states, data breach notification laws are based only on possible harm, injury, fraud or identity theft, and if there is no reasonable probability of any of these, data breach notification is not required. Other states require notification in almost all circumstances. Florida and Ohio are the only states to set a time period for a business to notify consumers.

After a Data Breach: Outsourcing Data Breach Response to a Third Party

Under PCI DSS, organizations are required to engage the services of an Approved Scanning Vendor (ASV) and/or a PCI auditor to make sure they are compliant with respect to credit card transactions, their systems and their data storage. Other organizations must follow HIPAA guidelines, the guidelines set forth by the Sarbanes-Oxley Act, etc. If a data breach occurs, even after an organization follows and is compliant with the above rules, it still has to follow all of the state laws concerning data breach notification.

With all of the guidelines and regulations, many organizations are turning to third-party vendors to handle data breach responses, as it takes so much effort and time on the behalf of the affected organization to make sure they are covering all legal and regulatory aspects when responding to a data breach.

As mentioned in a previous section, First Advantage’s subsidiary, SIRN, is a company that works in conjunction with an organization’s rapid response team, when a data breach occurs.

Developed in 2006, SIRN handles the research and notification duties for any organization that has suffered a data breach. Instead of the organization having to determine whether notification is needed, or which notification laws apply to it, third-party companies like SIRN control all responses after a data breach.

“We work with organizations in advance to prepare them for a data breach,” explained Chris Ramos.

“Most organizations we do business with, actually have experience in data breach material…they understand that they need policies, but they don’t know how to execute them.”

He continued, “If a company has experienced a data breach, that doesn’t mean that they will always follow their own procedures.”

SIRN offers organizations a turnkey solution to the confusion and red tape often experienced in the aftermath of a data breach. Once an organization is a SIRN member, it takes only a phone call to a toll-free number by a rapid response team member to get the ball rolling on putting out the fires of a data breach event.

Within a 48-hour period, SIRN begins the notification process, by researching the files that were compromised by the data breach. If it’s a database with customer information, including names, addresses, Social Security numbers and credit card information, SIRN handles the verification of the names and current addresses of all of the affected customers.

From helping to draft a notification letter to the customers affected, to drafting call center scripts, setting up call centers to handle questions about the data breach and handling disputes between customers and credit bureaus, SIRN takes the stress off of your organization, in the confusing aftermath of a data breach.

“You want as many of your consumers to know what happened, before the evening news…in terms of liability, you don’t want your clients leaving you,” Ramos explained.

“We have interruption agreements with three local call centers, who have agreed to stop what they are doing, if we ask them to step in on a data breach case, and we have the same agreements with other fulfillment companies like printing companies, who will also stop their activities to get the letters out to the individuals as soon as possible.”

SIRN can and will help draft a letter, or take over from your organization’s response team. In addition, it will navigate the web of state and federal laws and guidelines for notification, including applicable state laws and FTC or SEC guidelines. “Our services are very customizable. We are not trying to take over any organization, but work with them in any way that they need,” commented Ramos. “Our job is to help them to keep in compliance with state laws, help them with the consumers, and help them with identity theft.”
