Moore’s Law (1965; revised to a 24-month doubling in 1975): “The number of transistors incorporated in a chip will approximately double every 24 months.” Gordon Moore, Intel co-founder
Moore’s Law in practice: decoding the human genome originally took 10 years; now it can be done in one week.
Kryder’s Law, 2005: “Storage capacity doubles every twelve months.” Mark Kryder, SVP Research/CTO, Seagate Corp
Graphic source: http://en.wikipedia.org/wiki/File:Hard_drive_capacity_over_time.svg

How far have we come? Osborne 1 vs. iPhone 4/5

Osborne 1
• 4 MHz CPU (Zilog Z80)
• 64 KB of memory (the ‘Executive’ model had 124 KB)
• Screen: 5-inch, 52 character x 24 line monochrome CRT
• Optional 300 baud modem, i.e. 300 bit/s or about 0.0003 Mbps (average Wi-Fi today is 24-36 Mbps)
• 11 software options
• Weighs 100X more and is 500X larger than the iPhone

iPhone 4/5
• 412 MHz CPU (ARM11), roughly 100X the Osborne’s clock speed
• 64 GB of storage, i.e. 68,719,476,736 bytes, about a million times the Osborne’s 64 KB
• Costs 10X less (inflation adjusted)
• Screen: 4-inch, 640 x 1136 pixel, 326 ppi, 16,777,216-color touch screen
• Wi-Fi, Bluetooth, 4G LTE
• 700,000 apps as of 9/12
• Also includes camera (still/video), audio play/record, integrated GPS, etc.
[Chart: Reported Data Breach Incidents per year, 2004-2012, rising from 43 in 2004 to 1,620 in 2012 (2009: 728; 2010: 828; 2011: 1,091). Source: Open Security Foundation/DataLossDB.org]

Essential Elements of a WISP (Component: Description)
Purpose/Scope/Policy: Describe the business; why sensitive information is required to perform operations; and who and what falls within the scope of the WISP
Program Owner & Responsibility: Designated owner of the WISP; process to monitor effectiveness; and what will be covered in the annual review of the policy
Risk Management: Identify and assess internal and external risks
Exceptions: Document how exceptions will be handled
Information Protection: Policies for storage, access and transportation of records; access to records limited to those who need it to perform their job; encryption of transmitted records; encryption on laptops and other portable devices
Access Control: Policies for terminated employees; vendor management and control; user authentication (password management, unique ID plus password, etc.); access restricted to active users with a need to know
Change Control: Policies for change control and configuration management
Training: Personnel training and compliance; periodic staff awareness and management support communications
Physical Security: Policies for ensuring physical security (e.g., building, desk, PC, monitors, files, laptops, mobile devices, etc.)
Systems Security: Policies for maintaining and updating protection: patching, antivirus definitions, firewall and malware defenses, regular data backup, etc.
Incident Reporting & Response Planning: Data security breach response plan; detecting and preventing security system failures; monitoring for unauthorized use or access
Recovery Planning & Enforcement: Plan for recovery; discipline for failure to follow security program rules

Payment Card Industry Data Security Standard (PCI DSS)
• Set of security requirements and standards promulgated by the payment card brands regarding the storage and security of payment card related data

Card-specific data security breach requirements
• Making things very complicated is the fact that there are NOT uniform reporting and response requirements and timelines across all card brands participating in PCI DSS

CISERO’S, INC. and THEODORA MCCOMB vs. ELAVON, INC. (Civil No. 1000500480) [Filed in Summit County District Court, Utah, August 8th, 2011]
GENESCO INC. vs. VISA U.S.A., INC.; VISA, INC.; and VISA INTERNATIONAL SERVICE ASSOCIATION [Filed in U.S. District Court, Middle District of Tennessee, March 7th, 2013]

Key Point: Cyber Insurance MAY include Data Breach Insurance, but Data Breach Insurance is NOT Cyber Insurance.

Cyber Risk and Data Breach Insurance
• The term “Cyber Insurance” covers a wide swath of risks and can be as broad or narrow as necessary
• Language in many policies dates back to the late 1990s/early 2000s
• Meant to cover more traditional “dot com” risks
• Many were not meant to cover the evolving area of privacy-related risks that have emerged in the last decade
• Covers older/traditional concepts of privacy/right to privacy/right to publicity

Cyber Risk and Data Breach Insurance
• The term “Cyber Insurance” covers a wide swath of risks and can be as broad or narrow as necessary; depending on the policy it may include:
– Data Loss/Restoration Coverage for Business Critical Data
– Business Interruption Coverage
– Network/Website Liability Coverage
– Violations of Rights to Privacy (different from Privacy Breach)
– Loss of Use
– Resulting Business Interruption
– Copyright Infringement
– Trade or Service Mark Infringement
– Patent Infringement
– Errors & Omissions
– Data Losses/Data Restoration
– Unauthorized Access
– Security Breaches
– Personal Injury
– Advertising Injury

Cyber Risk and Data Breach Insurance
• The term “Privacy/Data Breach Coverage” covers a more specific set of risks but can also be tailored to fit specific business needs.
• It initially came out in the U.S. as the result of increased market need driven by the data security breach notification laws passed by the states:
– California’s SB 1386 became law in 2003
– 8 years later, 46 states required notification, as did the federal health privacy breach notification rule under HIPAA

Data Breaches on the Rise
• Over 608 million records breached in 3,765 data breaches made public since 2005
[Chart: Reported Data Breach Incidents. 2009: 728; 2010: 828 (+14%); 2011: 1,091 (+32%); 2012: 1,615 (+48%). Top 4 data breach types in 2012: Hack 57%, Fraud 9%, Stolen Laptop/Computer/Drive 8%, Web 5%. Source: Open Security Foundation’s DataLossDB, June 18, 2013]

Insurance Coverage Trends
• Data Breach Coverage: continued growth
• Identity Recovery Coverage inclusion
• 3rd Party Liability Coverage inclusion
• Reinsurance vs. Self-Insured path options
• Business Interruption Coverage
[Chart: Cyber Coverage Filings. 2010: 35; 2011: 101 (+189%); 2012: 213 (+111%). Source: Perr&Knight, keyword search using the following terms: cyber, data breach, data compromise, data protection, data security, ecommerce, information protection, information security, internet liability, network protection, and security breach]

Empirical Analysis of Data Breach Litigation
Temple University Beasley School of Law, Legal Studies Research Paper No. 2012-29. Electronic copy available at: http://ssrn.com/abstract=1986461

Two Key Questions
• Which data breaches are being litigated in federal court?
• Which data breach lawsuits settle?

Federally Litigated Data Breaches
Average probability of a lawsuit: 8%. Change in that probability:
• A 10-fold increase in the number of compromised records: increase of 2.5%
• The presence of actual (financial) loss: increase of 3.7%
• The presence of credit monitoring: decrease of 5.1%
• The compromise of financial data: increase

Liability in Terms of Odds Ratios
The odds of a firm being sued are…
• 3.5X greater when individuals suffer actual (financial) harm
• 6X lower when the firm provides free credit monitoring to those affected by the breach
The odds of a firm being sued over improperly disposed data are…
• 3X greater than for breaches caused by lost/stolen data
• 6X greater when the data breach involved loss of financial information

Probability of Data Breach Settlement
• Plaintiff allegations of financial harm: probability of settlement increases by 30%
• Certification of the case as a “class action”: probability of settlement increases by 30%
• Surprisingly, causes of action asserting a violation of a federal statute with statutory damages were not positively correlated with settlement.

Which Data Breach Lawsuits Settle?
• Only breaches caused by cyber attacks were found to be positively and significantly correlated with settlement (29%), relative to lost/stolen hardware
• The odds of settling a litigated breach caused by a cyber attack are almost 10 times greater than for a litigated breach caused by lost or stolen hardware
• Breaches relating to financial and credit card information were found to be negatively correlated with settlement
• Losses or thefts of medical information are most strongly correlated with settlement (31%)
• Cases with merit were much more likely to settle; yet cases without merit still settle about 50% of the time
Source: Empirical Analysis of Data Breach Litigation. Copyright © 2013 by Risk and Insurance Management Society, Inc. All rights reserved.

Case 3:13-cv-00202, Document 1, Filed 03/07/13, Page 1 of 49, PageID #: 1
ERM Best Practices in the Cyber World
RIMS Executive Report: The Risk Perspective
RIMS executive report | erm best practices in the cyber world

Contributors
Carol Fox, Director of Strategic and Enterprise Risk Practice, RIMS
Brian McGinley, Senior Vice President of Data Risk Management, Identity Theft 911
USLAW NETWORK: Carla J. Hartley, Dillingham & Murphy, LLP; Paul D. Ivey Jr., Hall Booth Smith & Slover, P.C.; Richard P. Magrath, Global Director, USLAW NETWORK, Inc.; Charles G. Meyer, III, LeClairRyan; James E. O’Connor, Baird Holm, LLP; Richard K. Traub, Traub Lieberman Straus & Shrewsberry, LLP
The contributing organizations would like to thank Frank Russo, Managing Director, Aon Global Risk Consulting, for his contributions to this paper.
Morgan O’Rourke, Editor; Karen Arbasetti, Designer

About the contributing organizations
RIMS is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Dedicated to advancing risk management for organizational success, RIMS brings networking, professional development and education opportunities to its membership of more than 10,000 risk management professionals who operate in more than 120 countries. For more information, visit www.rims.org
Founded in 2003, Identity Theft 911 is the nation’s premier consultative provider of identity and data risk management, resolution and education services. The company serves 13 million households across the country and provides fraud solutions for a range of organizations, including Fortune 500 companies, the country’s largest insurance companies, corporate benefit providers, banks and credit unions and membership organizations. Since 2005, the company has helped more than 150,000 businesses manage data breaches.
For more information, visit www.idt911.com
USLAW NETWORK is an international organization composed of over 100 independent, defense-based law firms with nearly 6,000 attorneys covering the United States, Canada, Latin America, Europe and Africa. Within the U.S.-based firms, there are over 150 offices in 47 states. An alliance with the Trans-European Law Firm Alliance (TELFA) gives clients access to 25 European law firms, each representing its own jurisdiction, and a similar relationship with ALN Limited enables USLAW to partner with 10 firms in East and Central Africa. The NETWORK is composed of highly rated law firms that join by invitation only. Member firms undergo a rigorous review process to ensure outstanding quality of lawyers throughout the NETWORK. USLAW NETWORK firms are experienced in commercial and business law, employment and labor law, litigation and other business-related areas of law. All firms have substantial trial experience. USLAW member firms provide legal representation to major corporations, captive insurance companies, and large and small businesses across the United States.
For more information, visit www.uslaw.org

Table of Contents
EXECUTIVE SUMMARY
PART 1: DATA RISK AND ENTERPRISE RISK MANAGEMENT
  The Data Risk Environment
  Incorporating ERM into Cybersecurity
  Defining the Data
  Integrated Data Risk Management
PART 2: THE DATA RISK ASSESSMENT ISSUE
  Why Conduct a Cybersecurity Risk Assessment
  Data Protection Regulations
  Due Diligence Concerns
  Privileged Information
  Performing an Attorney-Directed Data Risk Assessment
PART 3: PRACTICAL SOLUTIONS FOR PROTECTING YOUR DATA
  Developing a Written Information Security Plan
  Understanding the Data
  The Data Breach Plan
  When a Breach Occurs
  Breach Response Priorities
  Building a Breach Response Team
  Executing the Breach Response Plan
BEST PRACTICES FOR DATA BREACHES
BEST PRACTICES FOR EFFECTIVE DATA RISK MANAGEMENT
IMMEDIATE POST-BREACH STEPS TO QUANTIFY A CYBER CLAIM
CONCLUSION
APPENDIX A: STATE SPECIFIC DATA SECURITY BREACH NOTIFICATION LAWS
APPENDIX B: SELECTED REFERENCES

EXECUTIVE SUMMARY
All organizations accept a certain amount of data risk in conducting daily operations, but as cyberattacks and data breaches become all too common, the importance of protecting this data has increased dramatically. In order to avoid the potentially devastating costs of a data breach and to meet privacy and security requirements and stakeholder expectations surrounding the collection, storage, use and dissemination of confidential information that is entrusted to them, organizations have had to take a closer look at their cyber risk management practices. Part 1 of this report considers data risk fundamentals and the environment, explains how data risk is best managed through an enterprise risk management (ERM) approach, explores data risk management concepts and practices, and describes the challenges an integrated data risk management approach can hold.
As a discipline, ERM prepares organizations to deal dynamically with uncertainties that can either improve or worsen their positions. Since nothing is more abundant than data in our cyber world, nor more uncertain than the security of that data, organizations will want to consider the following reasons to tap into ERM to improve their positions with respect to the digital explosion:
• Data risks may hold unrecognized implications for the organization’s strategy.
• Unifying the organization’s internal functions in a comprehensive data risk and controls gap assessment creates efficiencies and protects the findings.
• Managing data risk well delivers an advantage over competitors who do not and protects the organization’s standing within its market.
One of the first steps in the data risk management process is to conduct a data risk assessment, which is designed to identify and remedy an organization’s potential cybersecurity weaknesses. But while a focused data risk assessment helps an organization’s management fulfill its fiduciary duty of care, the assessment itself can involve risk. The written reports generated at the culmination of such a risk assessment, whether conducted internally or by an external party, may provide a roadmap for an adversary, an advantage for a competitor, or be produced as evidence of negligence or willful disregard in a tort action. It is important for organizations to protect such reports from unwanted discovery, so they can be used constructively within the organization with fewer misgivings about potential misuse. There are a few privileges that potentially could protect the written assessment reports from unwanted discovery. Part 2 of this report details the issue, the need for data risk assessments, the substantive areas to be addressed, due diligence concerns, potentially available privileges and undertaking an attorney-directed data risk assessment project.
Just knowing that the organization is at risk with respect to safeguarding data is only the beginning. Part 3 offers practical solutions for weathering the cyber storm. From creating a written information security plan, putting the plan into practice, detailing best practices for dealing with data breaches and maintaining effective data risk management practices to additional technology considerations, this section of the report offers a comprehensive overview of how organizations can become more resilient to data risk through people, process and technology solutions. Finally, organizations should not overlook possible coverage under existing or newly available insurance policies. To address the risk of cyberattacks, a number of insurers are offering standalone cyber insurance products and policies that cover cyber, privacy and social media related risks. Many of these new cyber risk policies include coverage for e-business interruption or loss of income and extra expenses associated with a breach, which typically make up some of the more significant costs.

PART 1: DATA RISK AND ENTERPRISE RISK MANAGEMENT
The Data Risk Environment
Today, data is being created, transmitted, shared and stored in unprecedented volumes. It is estimated that 1.8 zettabytes of information will be created and stored in 2011 (a zettabyte equals one billion terabytes, or one followed by 21 zeroes), a number that is expected to double every two years. Because this data has become a key commodity for commerce, it is important to understand what data needs to be protected, where it resides, what it is being protected from, and why. A data breach is an incident (or series of incidents) in which sensitive, protected or confidential information has potentially been viewed, stolen or used by an individual or entity unauthorized to do so.
Data breaches may involve personally identifiable information (PII), personal health information (PHI), payment card industry data (PCI) or sensitive internal business information such as sales and marketing lists, trade secrets or other intellectual property. According to the 2010 U.S. Cost of a Data Breach study sponsored by Symantec Corporation and presented by the Ponemon Institute, the average organizational cost of a data breach was $7.2 million, or $214 per compromised record. Add to that the cost of detection, escalation, notification and response. Then consider the legal, investigative, administrative and reparation expenses. These are then compounded by potential customer defections, opportunity loss, reputation management and reduction in shareholder value. So when it comes to protecting sensitive data, the risk environment has never been more hostile and the need for attention more important. Sensitive consumer and business information has become a valuable criminal target that can enable lucrative fraud and identity theft schemes. As a result, this data is under attack by individuals, entities and organized crime. Cybercriminals can gain access to personal, biographic, demographic, financial and business information by methods that are both low- and high-tech. Simple schemes include activities like the theft of exposed information from the office or the trash, use of available internet public records, data broker and social network information, social engineering of targeted individuals and companies and the corruption of employees of organizations with access to sensitive information. More complex schemes involve attacks that utilize electronic hacking techniques to identify, compromise and exploit system vulnerabilities within a personal computer or company network. 
In addition to outright theft, data, along with the computers and networks that it resides on, is also vulnerable to unplanned or malicious destruction, alteration or misdirection, directory manipulation, blocked access and denial of service or other similarly destructive actions. Cyberattacks are occurring with significantly more frequency and severity. Businesses of every type and size have been targeted and many current security measures and countermeasures have been successfully circumvented by criminals. Data breach events that used to be the exception have now become the rule. For many individuals and organizations, the sheer volume of data breach incident reports has led to “breach fatigue” and complacency. With this hostile environment in mind, it is imperative for organizations to plan and prepare not only for the protection of their information but also for the response and recovery of their data in the event of a breach. A comprehensive assessment and plan should take an end-to-end view of the organization and its data with special attention to bridging the “silos” between internal operations, systems and people. It is important that the organization and the individuals entrusted with the data clearly understand the expectations and their responsibilities for the protection of this data. This also includes third party vendors and others who may come in contact with the data. An organization needs to proactively manage third parties with whom they entrust sensitive data as an extension of their business. Incorporating ERM into Cybersecurity RIMS defines enterprise risk management (ERM) as a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. Simply put, ERM is a disciplined approach for anticipating and handling variations from expected outcomes. 
ERM prepares organizations to deal dynamically with uncertainties that can either improve or worsen their positions. In the cyber world, while nothing is more abundant than data, nothing is more uncertain than the security of that data. As a result, developing an effective data protection program has become a business necessity for every organization. And there are good reasons to incorporate ERM into this process:
1. Data Risk May Hold Unrecognized Implications for Strategy. Data risks are typically viewed within organizations as an operational, compliance or regulatory risk consigned to the IT function. In reality, data risk can also become a strategic risk when it has the potential to compromise an organization’s strategies and/or the implementation of those strategies. An inappropriate posting on YouTube could cost hundreds of millions of dollars in defense and damages that otherwise could have been used for strategy execution.
2. A Common Risk and Controls Gap Assessment Creates Efficiencies While Protecting the Findings. Redundancies can be reduced by utilizing a single assessment approach, defining risk impact and probability in common ways, and creating one “source of truth” in the form of standardized risk analyses and reports. When these reports are developed, made accessible and shared across different divisions, departments and locations, a common infrastructure can be leveraged across the enterprise. Establishing data risk assessments in a unified approach protects the findings from potential misuse.
3. Managing Data Risk Is a Competitive Advantage. While managing data risk may seem an insurmountable task, those organizations that are taking an active stance find that it gives them an edge. Customers and businesses that share personal information and business plans to enable commerce all seek a certain standard of care when it comes to protecting their data.
Organizations that demonstrate a sophisticated understanding and ability in this regard not only make the cut, they improve their market standing.

A core component of the ERM discipline and process is the risk assessment, which involves the identification, analysis and evaluation of risk. The evaluation considers what responses are appropriate: avoid, accept, transfer, mitigate, exploit or a combination thereof, all in light of the organization’s willingness to bear risk. Once that evaluation is completed, risk responses then can be implemented and monitored for expected outcomes. Before risk assessments begin, however, the assessor must first establish the external and internal context of the risk. Data risk management presents unique challenges from both perspectives. Since digital media use is so pervasive, it is difficult to pinpoint a specific external context for the risks involved. Likewise, from an internal perspective, since this risk affects multiple parts of the organization and arises from multiple sources, it may be challenging to find a “natural owner” for the identification, assessment, planning, threshold alerts and monitoring required to effectively manage the risk.

Organizations typically have various control functions that oversee specific risks, such as business continuity planning, physical security, compliance, IT and financial risk management. Given the common risk management policies, risk authorities, risk assessment methodologies and root cause analyses, a unified enterprise approach can improve both data risk assessments and control execution (Figure 1). Enterprise risk management, because of its pervasive reach, is a natural for encompassing the legal, security, data management and protection, information security, privacy, compliance and audit functions needed for a comprehensive data risk approach (Figure 2).
Specifically focused within an ERM framework, data risk management assesses a company’s internal and external vulnerabilities and protection posture to identify potential risk exposures that could result in the compromise of critical data. It then identifies, develops and implements policies, procedures, practices and systems to mitigate the exposures and minimize the risks.

Figure 1: ERM unifies established practices/controls
[Figure: common risks (business disruption, environmental, execution failure, theft/geopolitical, data breach, regulatory, IT infrastructure, financial risks) set against established management practices (business continuity management, environmental management, quality assurance/project management, physical security management, privacy/information security management, compliance program management, IT risk management, financial risk management). Management control options: accept, avoid, transfer, mitigate and/or exploit. Supporting elements: adhering to risk management policies on risk tolerance, risk authorities, etc.; root cause analyses; measuring uncertainties/deviations from plan; controls assessment (audits).]

Figure 2: ERM unifies risk silos
[Figure: Enterprise Risk Management (ERM) encompassing cyber, cloud, legal, human resources, operations, privacy/compliance, information security, technology/physical infrastructure and physical security.]

Data can be thought of as a living “organism” that is composed of various components and life support systems that need to be engineered and maintained appropriately so that the entity thrives and survives. Similar to a medical doctor, the goal of a data risk practitioner is to help keep the organism healthy as it moves through its various life stages. To achieve this, one must understand the anatomy and how the systems work and interact with each other to sustain life and promote viability. One must also consider the need for a safe and healthy environment coupled with a supportive lifestyle, good hygiene and preventative health care to ward off internal and external threats to the organism and keep data healthy and safe.
Unfortunately, there is not a “one size fits all” approach to data risk management. There are many variables that impact an organization’s needs based on the size, type, attributes and complexity of the individual entity. The one thing that is common is that all organizations need to examine their respective data and how it is used along with the attendant risks and governance requirements. They then need to put appropriate plans and protection measures in place to address these risks. That said, there are some commonalities, lessons and best practices that can be shared by different types and sizes of organizations including those in private industry and government. Many start with sharing common perspectives and basic tenets of data risk.

Defining the Data

It is critical to understand what kind of data each organization maintains. The volumes of data can be immense and it is important to develop some ways to classify it. This classification can then be used to establish appropriate access, use, handling and security requirements around sensitive data. Data exists in three basic forms—paper, electronic and human memory. Data also has a lifecycle—it is received or created; it is used, maintained and stored; and it is archived or destroyed. While data is in an organization’s possession, it has three basic states of existence—in use, in motion and at rest. While this sounds fundamental, recognizing where data is in its lifecycle and addressing the security needs and threats to the data in each of its forms and in each of its states is critical to the success of any data risk management plan. Like hazardous materials, sensitive data may be essential to your business but it can be toxic and must be handled with care and properly disposed of when it is no longer needed. Fundamental data protection rules dictate that organizations be stingy with sensitive data both internally and externally.
Companies should only provide access to specific data on a demonstrated “need to know” basis and be deliberate in how data is handled, used and shared. Basically, when it comes to data:

1. If the organization does not need it, do not collect it.
2. If data must be collected, collect only what is needed.
3. If data is needed, control it and encrypt it.
4. When data is no longer needed, get rid of it – securely.

Integrated Data Risk Management

Fundamentally, successful data risk management is about awareness, recognition, planning, resourcing, action and response. Sensitive data must be considered and treated as the lifeblood of the organization. The responsibility for stewardship and protection of the organization’s sensitive data must be inculcated from the top of the organization to the bottom. Data protection must be considered through its entire lifecycle, from the creation or intake of the material to its final disposition and disposal. Layered security that provides multiple rings or “perimeters” of protection, early detection of unauthorized access and preferably no single point of failure has become the goal and best practice for data security. Realistically, even in the best of organizations, data security by its nature is continuously evolving. In many organizations, it can be an aspirational goal but often key portions are works in progress and have not been fully implemented. In some businesses, it is not even on executive management’s radar as a priority. This is a mistake. Data risk and protection can be an insidious topic and a tricky management issue. Like electricity, it often runs in the background and is taken for granted until there is a problem—the lights do not go on, the equipment does not work and you are left in the dark. Another challenge with data risk management is that organizations cannot confidently look to the past to make assumptions and predict the future.
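The classification scheme above (three forms, a lifecycle, three states of existence) and the four data-handling tenets can be turned into a repeatable check over a data inventory. The following is an added example written for this page; it is not code from the RIMS report. The record fields, role names, system names and dates in the sample inventory are all constructed, and the rule that only electronic data in motion or at rest is expected to be encrypted is an assumption made here (paper and human memory need physical and administrative controls that the check does not model).

```python
"""Data-handling policy check over a data inventory.

Added example (not code from the RIMS report). It encodes the report's
classification ideas (form, lifecycle stage, state of existence) and checks
each record against its four tenets: do not collect what is not needed,
control and encrypt what is kept, and securely dispose of data once it is no
longer needed. All record names, role names and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Form(Enum):
    PAPER = "paper"
    ELECTRONIC = "electronic"
    HUMAN_MEMORY = "human memory"


class Stage(Enum):
    RECEIVED = "received or created"
    IN_SERVICE = "used, maintained and stored"
    RETIRED = "archived or destroyed"


class State(Enum):
    IN_USE = "in use"
    IN_MOTION = "in motion"
    AT_REST = "at rest"


@dataclass
class DataRecord:
    name: str
    sensitive: bool                 # classified as sensitive (PHI, NPI, employee data, ...)
    form: Form
    stage: Stage
    state: State
    business_purpose: str           # empty string means no documented need for the data
    encrypted: bool                 # encryption applied in the record's current state
    retention_ends: date            # last date on which the data is still needed
    authorized_roles: set[str] = field(default_factory=set)  # roles with a need to know
    granted_roles: set[str] = field(default_factory=set)     # roles that can actually access it


def check_record(rec: DataRecord, today: date) -> list[str]:
    """Return one finding per violated tenet; an empty list means the record is compliant."""
    findings: list[str] = []

    # Tenets 1 and 2: no documented business need means it should not be collected or kept.
    if not rec.business_purpose.strip():
        findings.append(f"{rec.name}: no documented business need; do not collect or retain")

    if not rec.sensitive:
        return findings  # the remaining tenets apply to sensitive data only

    # Tenet 3, "control it": access beyond the need-to-know set is a control gap.
    excess = rec.granted_roles - rec.authorized_roles
    if excess:
        findings.append(f"{rec.name}: access granted beyond need to know: {sorted(excess)}")

    # Tenet 3, "encrypt it": electronic sensitive data in motion or at rest must be
    # encrypted (assumption made for this example). Paper and human memory cannot be
    # encrypted; they need physical and administrative controls not modelled here.
    if (rec.form is Form.ELECTRONIC
            and rec.state in (State.IN_MOTION, State.AT_REST)
            and not rec.encrypted):
        findings.append(f"{rec.name}: sensitive electronic data {rec.state.value} without encryption")

    # Tenet 4: once the retention period has ended, the data must be securely disposed of.
    if today > rec.retention_ends and rec.stage is not Stage.RETIRED:
        findings.append(f"{rec.name}: retention ended {rec.retention_ends}; securely dispose")

    return findings


def check_inventory(records: list[DataRecord], today: date) -> dict[str, list[str]]:
    """Map each record name to its findings."""
    return {rec.name: check_record(rec, today) for rec in records}


# Constructed sample inventory (hypothetical systems, roles and dates).
SAMPLE_INVENTORY = [
    DataRecord("patient-intake-db", True, Form.ELECTRONIC, Stage.IN_SERVICE, State.AT_REST,
               "claims processing", True, date(2030, 12, 31), {"billing"}, {"billing"}),
    DataRecord("ssn-export.csv", True, Form.ELECTRONIC, Stage.IN_SERVICE, State.IN_MOTION,
               "vendor reconciliation", False, date(2030, 12, 31), {"finance"}, {"finance", "marketing"}),
    DataRecord("2009-customer-survey", True, Form.PAPER, Stage.IN_SERVICE, State.AT_REST,
               "", False, date(2011, 1, 1), {"research"}, {"research"}),
    DataRecord("cafeteria-menu", False, Form.ELECTRONIC, Stage.IN_SERVICE, State.AT_REST,
               "facilities notices", False, date(2030, 12, 31)),
]


def run_sample_check() -> dict[str, list[str]]:
    """Evaluate the constructed inventory as of a fixed, constructed review date."""
    return check_inventory(SAMPLE_INVENTORY, date(2013, 1, 1))


if __name__ == "__main__":
    for name, findings in run_sample_check().items():
        print(name, "->", findings or "compliant")
```

Run as a script it prints one line per record; the compliant encrypted database and the non-sensitive notice produce no findings, the unencrypted export in motion with an over-broad access grant produces two, and the undocumented paper survey whose retention ended in 2011 produces two. In practice the inventory rows would come from a data-classification register rather than being hard-coded, but the shape of the checks (purpose, need-to-know, encryption by state, retention) is what makes the four tenets auditable.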
It is not a matter of past loss experience; it is a matter of proactively correcting exposures that have not yet been exploited. For individuals tasked with the responsibility for data risk management and information security, there is the ever-present issue of funding and prioritization of programs within an organization. In the best of times, managers are constrained by finite resources and competition for these resources. This often results in a security investment model of “too little, too late.” Chasing data and preventing cybercrime are not easy tasks. Remediating and upgrading an organization’s systems and protection protocols are most often cumbersome processes. It can be a long time between solution identification, vetting, selection, approval, funding, procurement and implementation. Often by the time a security measure is deployed, hackers have devised new ways to circumvent the new solution.

Regardless of the challenges, however, the financial, operational, regulatory and reputational consequences of ignoring data security are too severe to be considered a reasonable business risk. Many companies have lost millions of dollars as well as their clients’ trust and hard-earned business. Their struggles have become media fodder and have landed them in court and in some cases in front of Congress to explain just how such breaches occurred. Given what is at stake, data risk management cannot be overlooked. Managers whose responsibilities include risk or who are, in fact, the designated risk managers for the organization need to embrace a leadership role when it comes to data security. These individuals need strong analytical skills, with enough technical understanding to be able to articulate the detail and complexities underlying the various organizational systems operations.
The role requires the ability to influence, educate, persuade and convince management to provide an environment and supporting infrastructure conducive to data protection relative to the risk. Individuals tasked with data risk responsibility will benefit from clear and visible management support coupled with access to resources, funding and business prioritization. These risk practitioners should be viewed as business enablers, prepared with solutions and options—not just messengers relaying issues, concerns and problems. With this foundation in place, organizations and their risk managers will be better equipped to understand and develop an effective data risk management program. It should be noted that not all ERM programs are at the same maturity level so not everyone will be able to integrate ERM with their data risk management goals right away. For those organizations that are just starting out, the frequency and severity of data breaches may provide the necessary impetus to improve an ERM program. In order to accomplish this goal, tools like the RIMS Risk Maturity Model (www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx) can be useful guides to determining the next steps to take along the maturity continuum in order to provide the most value possible to the organization and to more effectively combat the digital threat.

PART 2

THE DATA RISK ASSESSMENT ISSUE

One of the first steps to creating a data risk management program is to conduct a risk assessment. The increased adoption of ERM programs coupled with higher stakeholder expectations has made internal risk assessments more common today than ever. Conducted in a coordinated and standardized way through an ERM discipline, internal risk assessments can provide relevant analysis of an organization’s full risk spectrum, enabling it to prioritize and manage risks in accordance with the organization’s willingness to assume risk. Regrettably, this spectrum approach is the exception rather than the rule.
Too often, risk assessments are conducted in silos by different parts of the organization (internal audit, compliance, information technology, corporate security, business continuity and risk management, etc.) without full appreciation of the potential interconnectedness among seemingly unrelated risks. Not only does this shotgun approach to risk assessments reinforce inherent inefficiencies due to non-standardization, it can create unintended consequences for any organization striving to create, capture and protect its enterprise value. These unintended consequences are of particular concern in the area of information security or, more broadly, cybersecurity risk assessments.

Why Conduct a Cybersecurity Risk Assessment?

Any information that is collected, stored, transmitted, processed or otherwise manipulated in digital form is susceptible to intentional or accidental misuse, loss and abuse. As the volume of digital data that is created and stored each year increases exponentially, so does the potential for a costly data breach, which can lead to devastating financial and reputational losses for customers, management and shareholders alike. The importance of cybersecurity is also driven by the fact that many kinds of sensitive data are protected by regulation. Information that relates to the past, present or future medical condition of individuals is protected under HIPAA as protected health information (PHI). In the financial services arena, non-public personal information is protected under the Gramm-Leach-Bliley Act. These and other regulations require organizations that collect, process, transmit or store such information to establish effective security programs. In addition to the regulatory and business requirements, organizations understand that the value of their reputation is a critical asset.
At the World Affairs Council breakfast on April 21, 2011 in Atlanta, Larry Summers (former Secretary of the Treasury) and Neville Isdell (former chairman and CEO of the Coca-Cola Company) in their presentation on “Connected Capitalism” estimated that 60% of an organization’s value is reputation. To protect their reputations and to avoid loss of market capitalization and shareholder lawsuits, it is critical for organizations to take the necessary steps to identify and mitigate cyber risks that could lead to reputational loss. Data risk assessments may also be driven by requests for information/assurance from outside parties, such as insurance underwriters, customers, shareholders or other key stakeholders. More typically, the board and executive management, in consideration of their respective risk oversight and management roles, require a cyber-focused risk assessment in order to evaluate the organization’s resilience to potential data breach incidents. By conducting a risk assessment as a first step toward more broadly managing cyber risks, an organization can increase the likelihood that it will fulfill its goals and objectives. A cyber-focused data risk assessment allows an organization to better assess risks associated with changes in the digital environment. The organization will also be able to better describe to customers, clients and other stakeholders what mission-critical personnel are doing to manage these potential risks. A data risk assessment generally starts by identifying an organization’s cybersecurity weaknesses. But while a focused data risk assessment helps an organization’s management fulfill its fiduciary duty of care, the assessment itself can introduce new vulnerabilities. 
The written reports generated at the culmination of such a risk assessment, whether conducted internally or by an external party, may provide a roadmap for an adversary, an advantage for a competitor or be produced as evidence of negligence or willful disregard in a tort action. It is important for organizations to protect such reports from unwanted discovery, so they can be used constructively within the organization with fewer misgivings about potential misuse.

DATA PROTECTION REGULATIONS

Digital information is valuable to an organization. However, regulations and other legal protections dictate how this data is stored. If these requirements are not followed, it can have significant financial and reputational repercussions that, in some cases, could be disproportionate to the information’s inherent value. These protections cover a wide range of data, including:

• Health information
• Financial information
• Employment-related information
• Consumer information
• Proprietary information and intellectual property
• Contractually restricted information
• Privacy laws
• E-discovery issues

U.S. Health Information

Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Security Rule establishes standards that must be maintained by organizations that store protected health information (PHI). All PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. This rule requires organizations to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of PHI. Risk analysis is the first mandatory step in that process.
In addition to being a requirement of the Security Rule, risk analysis is considered a necessary tool for reaching substantial compliance with many other standards and implementation specifications. For example, the rule contains several implementation specifications that are labeled “addressable” rather than “required.” An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it feels that is the case and adopt an equivalent measure if it is reasonable and appropriate to do so. The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. Guidance from the Office for Civil Rights, which is responsible for issuing annual guidance on the Security Rule, indicates that organizations should use the information gleaned from their risk analyses to:

• Design appropriate personnel screening processes
• Identify what data to back up and how
• Decide whether and how to use encryption
• Address what data must be authenticated in particular situations to protect data integrity
• Determine the appropriate manner of protecting health information transmissions

U.S. Financial Information

Gramm-Leach-Bliley Act. Section 501 of the Gramm-Leach-Bliley Act requires financial institutions to develop and implement an information security program. Such a program must be in writing; must be approved by the board of directors; and must include administrative, technical and physical safeguards appropriate to the size and complexity of the financial institution. While all parts of a financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated across the organization.
The information security program must identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of a customer’s financial information. Such measures may include:

• Access controls on customer information systems
• Access restrictions at physical locations containing customer information
• Encryption of electronic customer information
• Procedures to restrict modifications to customer information
• Dual control procedures, segregation of duties and employee background checks
• Monitoring systems and procedures to detect actual and attempted cyber attacks
• Response programs that specify actions to be taken when the bank suspects or detects that unauthorized access to customer information systems has occurred
• Measures to protect against the destruction, loss or damage of customer information

Sarbanes-Oxley Act. Section 404 of the Sarbanes-Oxley Act requires public companies to annually report internal controls over financial reporting. To facilitate compliance, organizations must understand the financial reporting process and the role technology plays in developing appropriate internal controls. For example, information technology controls that affect how transactions are processed and recorded are critical to certifying the accuracy of financial statements.

U.S. Employment-Related Information

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Businesses frequently use consumer report information in connection with employee hiring decisions or other employment actions. The FACT Act requires individuals and businesses that possess or maintain consumer report information for a business purpose to dispose of it properly. Financial institutions are required to establish policies and procedures for the proper disposal of consumer information by “taking reasonable measures to protect against unauthorized access” to it.
In addition, employers regularly obtain other types of financial or healthcare information about employees that is subject to various privacy obligations. Employers’ policies also may create contractual obligations with regard to retention and safeguarding of employee information.

U.S. Consumer Information

Identity theft rules. The “Red Flags Rule” enforced by the banking regulators and the Federal Trade Commission (FTC) requires many businesses and organizations to implement a written identity theft prevention program designed to detect the warning signs—or “red flags”—of identity theft in their day-to-day operations. The obligation to maintain and evaluate the organization’s identity theft prevention program is ongoing. The rule covers banks and creditors who regularly:

• Obtain or use consumer reports in connection with a credit transaction
• Furnish information to consumer reporting agencies in connection with a credit transaction
• Advance funds to someone, except for funds for expenses incidental to a service provided by the creditor to that person

FTC enforcement actions. Most companies have adopted privacy policies that may be accessed on their websites. The FTC treats these policies as quasi-contractual standards by which the companies must abide. Companies that fail to employ security measures to protect customer information that are consistent with their privacy policies may be prosecuted for violation of Section 5(a) of the FTC Act, even though they may not otherwise be subject to any particular privacy or data security laws.

Changing regulatory landscape. As of this writing, the FTC and federal and state legislatures are considering sweeping changes to the rules governing how consumer data may be obtained, stored and used. Consequently, a risk assessment in light of these changing standards will be essential to ensure an organization is taking appropriate compliance measures.

Proprietary Information and Intellectual Property

Trade secrets. State law in the United States establishes the standards for determining whether information qualifies as a trade secret. Trade secret status is generally afforded to any process that derives actual or potential economic value from being kept secret. Consequently, trade secrets may include processes, formulas, patterns, plans, procedures, knowledge or customer lists. Protection of such information frequently is crucial to maintain an organization’s competitive advantages and enterprise value.

Other proprietary information. Much of an organization’s information is not legally protected by patent, copyright or trade secret status but is essential to the functioning of the business or mission. Such information may include, for example, pricing information, financial information, development stage projects, information related to disputes and other information that may not qualify for legal protection. The secrecy of such information is important to maintain the organization’s competitive advantages and to protect its goodwill and reputation.

Contractually Restricted Information

Licenses. Software and information subject to licensure restrictions may restrict the means by which an organization can use, share or transfer information. Measures that restrict access to an organization’s information systems, in addition to effective contract and vendor management solutions, are essential to maintain compliance with such license provisions.

Confidential information. Information not otherwise protected by statute or regulation nevertheless may be subject to obligations to maintain confidentiality imposed through contract. Both vendor and customer agreements frequently contain confidentiality provisions, and even in the absence of specific contractual obligations, an organization’s privacy policy establishes standards for protecting and sharing information entrusted to the organization.

USA PATRIOT Act

The USA PATRIOT Act implicates data stored on the cloud.
The act allows the FBI to apply for a court order to produce data or other information that may assist an investigation to protect against international terrorism or clandestine operations. The FBI need not provide a reason for requesting the court order, and it need not inform the person or entity whose data is being accessed. Consequently, the act allows the U.S. government to access cloud data located on servers located inside the United States. Further, cloud data stored outside the United States may be procured by the government if that data is processed or otherwise accessible by a cloud services provider located inside the United States or wholly owned by a U.S. company. For instance, Microsoft recently admitted that data from the E.U., even though stored on servers located in the E.U., may be subject to access by the U.S. government under the PATRIOT Act, because Microsoft is located in the United States and is subject to local laws.

Export Controls

U.S. export controls restrict the export of certain data and technologies without a license from the U.S. government. Thus, if “controlled” data or technology is stored in the cloud with servers located outside the United States, or otherwise accessible by non-U.S. citizens or permanent residents, that data or technology may be deemed to have been exported in violation of U.S. law. Both civil fines and criminal penalties may result.

Privacy Laws

U.S. state-specific data breach notification laws. As of this writing, every state, except Alabama, Kentucky, New Mexico and South Dakota, has enacted data security breach notification laws that require data owners to notify individuals whose computerized personal information has been subject to unauthorized access (see Appendix A). For example:

• California’s statute requires organizations to adopt “reasonable safeguards” to ensure the security of personal information (such as social security numbers, identification numbers and account numbers) and to require contractually that third-party vendors do the same.
• Any person who owns or licenses personal information about a resident of the Commonwealth of Massachusetts is required by law to implement a comprehensive information security program. The minimum requirements for such security programs include practical, legal and technical safeguards for the protection of customers’ personal information.

Information-specific legislation. Like the federal statutes that impose security standards for specific types of information, many states have enacted laws that impose parallel obligations or even greater protections than those afforded under the federal laws. Medical information, financial information and identifying information are among the types of data for which many states have enacted such laws.

Canadian Privacy Laws

In Canada, the collection, use and disclosure of personal information by the federal government is primarily regulated by the Privacy Act. As a general matter, the Privacy Act prohibits the government from collecting personal information unless directly related to a governmental program or activity. Even then, personal information may only be used for the purpose for which it was originally obtained or in a manner consistent with that purpose. The government generally must inform the individual of the purpose for which the information was collected, and that individual has a right to access any personal information that is reasonably retrievable. With few exceptions, the government may not disclose personal information to third parties without consent.

The collection, use, and disclosure of personal information by private companies is primarily regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires companies to obtain consent from individuals whose personal information is being collected, and it also prohibits companies from refusing service to customers who do not consent to the collection of their personal information. Only fair and lawful means may be used to collect personal information. Finally, the law requires that companies maintain understandable policies concerning the collection and use of personal information.

Both the Privacy Act and PIPEDA rely on the Privacy Commissioner of Canada to investigate alleged privacy violations. The Office of the Privacy Commissioner may not award damages or impose fines, but it may produce a report containing recommendations at the conclusion of its investigation. While these recommendations are non-binding, the report may serve to bolster complainants’ cases should they further pursue a remedy in federal court.

International data security laws. The United States and Canada are not the only countries that have enacted security standards. The European Union also heavily regulates the processing of personal data under the Data Protection Directive, which was adopted in 1995 and has been transposed into internal law in each of the 27 E.U. member states. The Data Protection Directive defines personal data broadly and imposes a number of requirements on controllers that process personal data. These requirements rest on principles of transparency, legitimacy and proportionality, and generally mandate that a controller:

• Disclose his or her identity and the purpose and recipients of any data processing upon request by any data subject
• Process data only under certain enumerated circumstances
• Process data only for a legitimate purpose and not in a way that is incompatible with or disproportionate to this purpose
• Maintain the integrity and accuracy of personal data while processing
• Only transfer personal data to countries outside the European Economic Area (includes the 27 E.U. member states plus Norway, Liechtenstein, and Iceland) if those countries have enacted substantively similar data protection laws
• Provide a designated governmental supervisory authority with the following information before data processing begins:
  »» The purpose of the processing
  »» A description of the data to be processed
  »» Any recipients to whom the data might be disclosed
  »» Any proposed transfers to countries outside the E.U.
  »» A description of any data security measures to be undertaken

Passage of the Data Protection Directive presented a watershed moment in international data privacy law. In response to the Data Protection Directive, the United States implemented a safe harbor in which U.S. companies can certify that they meet seven principles that comply with the substantive requirements of the Data Protection Directive and may thus transfer data to and from the European Union. Re-certification for the safe harbor must occur annually and is overseen by the Federal Trade Commission. Several other countries have adopted comprehensive data protection laws with the goal of meeting the E.U.’s “adequacy” standard for international transfers of personal data. Countries meeting the E.U.’s standard include Argentina, Australia, Canada, Hungary, Israel and Switzerland, among others. In addition, many other countries have either guidelines in place or proposed regulations concerning data security. Importantly, a number of major industrial countries offer either minimal regulation on the transfer of personal data or regularly fail to enforce what data protection laws they have already enacted. Examples of these countries include China, Mexico, Russia and Singapore.

E-Discovery in the United States

In the event of litigation, an organization is required to maintain and preserve records relevant to the proceedings.
This obligation extends to electronically stored information, including documents, email and other electronic records. The ability to quickly implement a litigation hold on all such records is crucial to enable an organization to conduct a robust defense and to avoid allegations of spoliation and sanctions.

DUE DILIGENCE CONCERNS

A data risk assessment is designed to accomplish several objectives. Specifically, it is designed to:
1. Expose vulnerabilities in the organization. A vulnerability is defined in the National Institute for Standards and Technology’s (NIST) Risk Management Guide for Information Technology Systems as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
2. Identify threats to the organization. A threat is defined by NIST as “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Threats can be natural (such as floods, earthquakes, tornados, etc.) or human (unintentional acts such as inadvertent data entry or intentional acts such as network-based attacks).
3. Document control gaps within the organization.

Data risk assessments typically culminate in a written report that documents the vulnerabilities, threats and lack of controls. In addition, the reports make recommendations for addressing the threats, vulnerabilities and control deficiencies. These reports often contain critical analyses and are prone to misinterpretation. As noted earlier, a significant concern of organizations undertaking data risk assessments is that the written reports may provide a roadmap for an adversary, an advantage for a competitor or be produced as evidence of negligence or willful disregard in a tort action. It is important for organizations to seek to protect such reports from unwanted discovery.
One common misconception is that risk assessment documents are automatically protected if they are marked “Proprietary and/or Confidential” or “Classified – for Internal Use Only.” Simply marking documents with such notations does not, in and of itself, preserve privilege. So what does constitute privilege?

Privileged Information

The most common type of privileged information in an organizational setting, apart from business secrets, is information protected by attorney-client privilege. The bedrock of such privilege is confidentiality. Organizations must establish effective controls from the start of the process to ensure confidentiality is maintained whenever information is shared with attorneys in order for privileged status to attach. These controls begin with a clearly worded formal engagement of counsel with a clear outline of the purpose of the engagement. Only in this fashion can an informed decision be made later to use one’s risk assessment program as an affirmative defense to any claim of negligence or to object to the production of the assessment citing the attorney-client privilege. If the risk assessment is used as an affirmative defense, the privilege is waived.

The primary purpose of the communication sought to be protected must be legal in nature as opposed to regular business evaluation/audit advice. It is very difficult for an organization to claim the privilege where only in-house counsel was used. In-house counsel are typically considered to hold dual roles in the organization, providing both legal and day-to-day business advice. Often the line between the two roles is difficult to discern. For example, Merck & Co. asserted privilege over approximately 30,000 documents during the course of discovery, the majority of which were electronic communications, in In re Vioxx Products Liability Litigation.
Merck claimed that extensive regulation of corporations created potential legal issues in virtually all of its communications with legal and nonlegal departments, requiring a collaborative effort protected under the attorney-client privilege. The court disagreed. It recognized that some tasks that do not appear to be legal can be legal in nature; however, a corporation must establish a “primary legal purpose” for each communication to obtain the benefits of the privilege. The court defined certain parameters for the “primary purpose” test. The number of lawyers or non-lawyers included in a communication is not dispositive—if the primary purpose is mixed, it does not become magically unmixed with an increase in counsel as recipients. Additionally, counsel’s recommendation of, or involvement in, a business transaction does not necessarily place the transaction under the cloak of privilege. The court noted that “this [rule] cannot be gotten around by the simple expedient of putting a lawyer in the shoes of the executive or ... giving the legal department the power of the corporate executive.”

11 RIMS executive report | erm best practices in the cyber world

Vioxx was followed by the Middle District of Florida in In re Seroquel Products Liability Litigation. In Seroquel, plaintiffs sought a motion to compel the defendant corporation to produce documents “improperly designated as privileged and documents for which privilege should be deemed waived.” The court relied on Vioxx and held that simultaneous communication to both lawyers and non-lawyers often waives privilege. The court noted that the defendant “chose, as part of its business organization, to mix legal consultation with many other sources for creating final documents. This choice makes it difficult to determine the primary purpose in creating the communication and to determine whether the attorney’s roles were providing legal (rather than business) advice.” (emphasis added).
The court held that most of the claims of privilege by the defendant were not sustainable. Therefore, retaining outside counsel at the start of a data risk assessment is key to the organization’s ability to protect the results of the assessment from discovery or disclosure to anyone outside of the organization. Additionally, a clearly worded engagement letter will greatly aid in the protection of the information under the attorney-client privilege.

Once litigation can be shown to be anticipated, the work product doctrine can be utilized to protect the attorney’s (and often the client’s) mental impressions, opinions, conclusions and legal theories. Courts have been reluctant to grant work product protection where only in-house counsel is involved. Further, documents created solely for a business purpose and not in anticipation of litigation are not protected.

Protecting Assessments through Privilege

There are a few privileges that potentially could protect written assessment reports from unwanted discovery. The first is the self-critical analysis privilege, which is recognized in a few states and under limited conditions. This privilege applies to documents that are created as a result of a voluntary self-analysis, such as a risk assessment. The states that have limited self-critical analysis privileges are Hawaii, Illinois, Kansas, Michigan, New Jersey, North Dakota and Oregon. In addition to those states, there are a few courts that have recognized this privilege under limited circumstances. Each state addressing the self-critical analysis privilege has applied the privilege inconsistently, and therefore it is not a privilege that can be uniformly relied upon.

The more universally available privilege is the attorney-client privilege, potentially including its corresponding work product doctrine. The attorney-client privilege protects certain confidential communications between organizations and their attorneys. The Supreme Court has recognized in Upjohn Co. v.
United States that the attorney-client privilege enjoys a special position as “the oldest of the privileges for confidential communications known to the common law.” It is designed to “encourage full and frank communication between attorneys and their clients and thereby promote broader interests in the observance of law and the administration of justice.”

Courts are very reluctant to grant the privilege to in-house counsel as a result of the dual roles in-house counsel often have. For example, in-house counsel often is called upon to provide what would be considered quasi-business/legal advice, and as such it would not fall under the privilege. Additionally, courts will look to see if something different or out of the ordinary was done when deciding whether to grant the privilege. The most effective way to pass this test is through the retention of outside counsel with a clearly worded engagement letter.

The essential elements of the attorney-client privilege are:
1. The person asserting the privilege is or seeks to become a client.
2. The person to whom the communication was made is an attorney or his subordinate acting in his capacity as attorney with respect to the communication.
3. The communication relates to a fact of which the attorney was informed by the client in confidence.
4. The communication relates to the seeking of legal advice or assistance and is not for the purpose of committing a crime or tort.
5. The privilege has been claimed and not waived.

An attorney-directed data risk assessment should be designed to conduct such assessments in a manner that will allow an organization to claim attorney-client privilege. Further, if there is a significant threat or anticipation of potential litigation, then the work product doctrine may apply to the results of such a risk assessment. The work product doctrine protects writings and mental impressions created as part of the discovery process.
It should be noted that there is no guarantee that either the attorney-client privilege or work product doctrine will attach to the results of an internal risk assessment. Communications for non-legal advice purposes are not covered by these privileges. However, in the context of a risk assessment, the attorney’s participation must be primarily as a provider of legal advice to the organization. This will put counsel on a much stronger footing in asserting privilege as to communications and other investigative material which, although factual and nonlegal in body, has as its main purpose the rendering of legal advice.

Performing an Attorney-Directed Data Risk Assessment

An attorney-directed data risk assessment should be designed to meet the following goals:
1. Provide legal guidance to an organization regarding the cyber-related risks and vulnerabilities specific to the organization.
2. Analyze potential legal exposures.
3. Review risk management strategies, including corporate policies and controls regarding data security and privacy responsibilities.
4. Provide the legal basis for establishing or revising employee training.
5. Develop a benchmark for ongoing risk assessment and measurement of the effectiveness of corporate and operational controls.

In order to meet these goals, counsel may also engage independent data security experts, preferably through outside counsel in order to utilize the available attorney-client and work product privileges, who may be engaged to:
1. Conduct a controls gap analysis of the organization’s practices for assessing what data needs to be secured and securing data that may need to be secured, as well as its ability to prevent and/or manage cyber-related risks.
2. Examine industry risk profile information, as well as historical incident reports.
3. Recommend possible improvements that the organization may consider to close identified gaps.
Any experts engaged by internal counsel or by an outside party (such as outside counsel or an insurance carrier) must be given—typically through an engagement letter—specific instructions designed to maintain attorney-client privilege concerning the assessment and findings. The experts should agree in writing to maintain the confidentiality of all interviews, questionnaires and their respective requests for information, reports and other communications. Further, the experts must be required to maintain the confidentiality of all information assembled, derived or created during the engagement under counsel-provided instructions for maintaining the working papers and interim analysis.

All deliverables from the experts’ analysis—whether interim reports or final—should be delivered to designated outside counsel for review prior to release to anyone internal or external to the organization. The designated outside counsel would then review the experts’ findings prior to release. The purpose of this review should be multi-fold:
1. To identify any areas in the findings which could be misinterpreted or which require additional analysis. Often, such findings can be misinterpreted if they are written by individuals not accustomed to creating reports to be produced for regulators or courts.
2. So that the designated outside counsel can form legal opinions regarding the potential legal risks and exposure to the organization. This opinion will take into account the experts’ recommendations and will provide guidance to the organization pertaining to legal risks, exposures and responses.
3. To make certain that the findings and conclusions are set out in a fashion that, while identifying all exposures and risks, will not form the basis of an admission of liability should a problem later occur.
PART 3
PRACTICAL SOLUTIONS FOR PROTECTING YOUR DATA

Prudent organizations need to protect both the information that has been entrusted to them and any other sensitive data that represents a material asset. There are many things that an organization can and should do to manage its data risk that are not excessively burdensome, costly or complex. These actions can significantly reduce vulnerabilities and provide an effective and efficient path to recovery in the event of a data breach. In this section, we will examine some of these practices.

Developing a Written Information Security Plan

Often the first step in identifying and developing the right action plan to assess and address the organization’s data risks involves drafting a high-level written information security plan (WISP). Depending on the size and complexity of the organization, participation by a number of different business units, support areas and subject matter experts may be required, including security, information technology, operations, risk management, privacy, compliance, legal, human resources and others. In the absence of the right internal skill sets, the organization may engage an outside firm with the experience and appropriate expertise to assist with the assessment and development of the plan. Many companies also engage external firms to provide the necessary expertise, skilled resources and bandwidth to focus on getting the initial program up and running. An external firm can also be of additional benefit by providing an objective and independent view of the organization’s processes, operations and systems, coupled with previous experience and knowledge of solution options and best practices.

The WISP may be a high-level document that is supported by reference to other business materials or more granular documents created by other departments and specialty areas.
These materials may include but are not limited to technical information, security manuals, business continuity plans, and privacy, risk and compliance policies. If this is the case, it is important that the information and requirements within the WISP and the referenced materials are directionally consistent and do not conflict with each other.

Organizations may be tempted to create large, complicated plans, but many times those will only end up relegated to the shelf. Longer does not necessarily equal better. Instead, take a simple, straightforward approach that is realistic and achievable. The key actions and requirements should be defined in understandable terms and flow in a logical manner. Start small and build on the foundation as the plan matures. Often graphic tools like simple drawings, process flows and matrices (see Figure 3) can be used to think through and illustrate key concepts that need to be addressed.

There are a number of excellent references for developing the components that should be included in the organization’s WISP. A number of industry, professional and trade associations have provided solid guidance and examples of what should be covered in the document. Definitive and prescriptive publications on data risk management and information security that contain excellent resources and frameworks have been published by distinguished organizations including the U.S. National Institute for Standards and Technology (NIST), the International Organization for Standardization (ISO) and ISACA (formerly known as the Information Systems Audit and Control Association). Appendix B includes some of the organizations, publications and information resources that may be helpful in developing a WISP and supporting enterprise and data risk management programs.

One key set of references that must be considered within an organization’s WISP is the provisions of the various federal, state and provincial statutes to which the organization is subject.
As the risk practitioner reviews the various references, including the statutory mandates, a common pattern of requirements will emerge to help guide the organization’s efforts. These common themes typically will provide for the following:
• Businesses entrusted with consumer information are required to protect that information and take preventative steps to avoid a data breach.
• The organization must designate at least one employee to be in charge of data security.
• Sensitive data that is created, stored or transmitted electronically should be encrypted.
• The organization needs to create a WISP that spells out the organization’s commitment to data security and its approach to addressing the following areas of concern:
»» Identification, inventory and destruction of information
»» Threat assessment
»» Internal and external security and access control
»» Employee training
»» Supplier/third party provider data risk management
»» Security assessment and audit
»» Data incident and breach response

Figure 3: Documenting Data, Data Flow and Related Processes

What is the sensitive data (SD)?
• PII
• PHI
• PCI
• Confidential business information
• Intellectual property

What laws & regulations govern this data?
• State laws where we operate (12)
• EU privacy
• HIPAA/HITECH
• PCI-DSS
• VISA/MC/AMEX
• Internal policies
• Other special considerations?
• Use of off-shored resources (India) for customer service and routine client file maintenance
• Exchange of SD information for M&A due diligence

In what form is the SD?
• Client account applications
• Credit bureau info
• Employee records
• Health & insurance
• Attorney litigation files
• Client list & pricing
• Company bank records

Who provides sensitive data?
• Customers/clients
• Employees
• Vendors
• Contractors
• Banks/financial institutions
• Credit bureaus
• Other businesses

Ways SD comes into business:
• Person
• Computers/mobile
• Website
• Email
• FTP/SFTP
• Mail
• FAX
• Phone
• Cash registers

Where SD is:
• Computers & laptops
• Mainframe/servers
• Disk/tapes/CDs
• Flash drives and portable storage
• Office/home files
• Databases
• Branch offices

Who can access SD:
• Employees
• Customers
• Credit card companies
• Others

What are the internal threats to the data?
• Misplaced or lost data
• Data sent in error
• Malicious data destruction, manipulation, or alteration
• Employee theft of data
• Authorized access - unintentional disclosure

What are the external threats to data?
• Theft of trash
• Theft from premises
• Computer hacking
• Spyware & malware
• Vendor theft of data
• Unauthorized access
• Malicious data destruction, manipulation, or alteration

Security controls internal access:
• Building/office security
• Document destruction
• System access & role based entitlement control
• Admin rights controls
• System audit trail
• Locked down USB port
• Employee screening
• Employee training

Security controls external access:
• Firewalls
• Updated anti-virus
• Encryption
• Intrusion detection sys.
• Patch management
• Secure wireless
• Penetration testing
• VPN remote access

Employee SD training:
• Signed confidentiality statement by employee
• “Protecting company confidential information training program”
• New employee orientation includes SD
• Annual training & test
• Quarterly awareness communications

Third party vendor management:
• Internal company vendor management program
• Contracts - appropriate SD considerations
• Due diligence program
• Audit & certifications

Security assessment & audit:
• Policies & procedures
• Penetration testing
• Employee training

Data breach:
• Responsibility & ownership assigned
• DB team identified & trained
• Policies & procedures defined & published
• Resources in place
• DB program integrated into the DR/COB program

Operations & execution:
• Stand-alone technical SA program covers all key areas
• Change management
• Artifact & log review

Simply formalizing the above bullet points as headers and filling in the specific organizational approach, requirements and practices under the respective bullet is a solid starting point for the development of a WISP. Keep in mind that this document is intended to describe the organization’s approach to handling data risk, rather than detailing any potential findings within each point.

Understanding the Data

Utilizing the WISP outline as a guide, an organization can take the next steps to assessing data risk management requirements. First, the organization needs to inventory and classify the data maintained by the organization. This can include personally identifiable information (PII), personal health information (PHI), payment card industry (PCI) data, confidential business and marketing data, intellectual property and trade secrets, classified government data, etc. After initially defining and classifying the data, it can be very useful to simply draw the flow of the data as it enters, resides and moves through the organization to start the assessment process. The organization can then detail the protection protocols, catalogue the known internal and external threats against the data at the various points in the process where the data is being collected, transmitted and stored, and determine what data protection statutes, regulations or operating guidelines may apply. It is often helpful to think in terms of different internal and external threat “scenarios” and how the organization could most effectively respond to and address the needs posed by the scenario.
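As an added illustration of the inventory-and-classify step described above, together with the common statutory theme that sensitive data at rest should be encrypted, the following Python script tags a constructed set of records as PII, PHI or PCI data and flags any storage location where classified data sits unencrypted. This is example code written for this edit, not code from the RIMS report; the record layout (a storage location, an "encrypted" flag for that location and a dict of field values), the field-name hints used for PHI and all sample values are assumptions made for the example.

```python
import re

# Constructed sample records (not real data). The layout -- a storage location, an
# "encrypted" flag for that location and a dict of field values -- is an assumption
# made for this example, standing in for an organization's real data inventory.
SAMPLE_RECORDS = [
    {"location": "crm-db", "encrypted": True,
     "fields": {"name": "A. Example", "email": "a.example@example.com", "phone": "555-0100"}},
    {"location": "laptop-export.csv", "encrypted": False,
     "fields": {"card": "4111 1111 1111 1111", "expiry": "12/29"}},
    {"location": "hr-share", "encrypted": False,
     "fields": {"ssn": "123-45-6789", "diagnosis": "seasonal allergies"}},
    {"location": "marketing-sheet", "encrypted": False,
     "fields": {"note": "order ref 4111-1111-1111-1112"}},  # card-like, but fails Luhn
]

# 13-19 digits with optional single spaces or dashes between them, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# U.S. Social Security number in the common dashed form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Field names that signal health information; an assumed, deliberately small hint list.
PHI_FIELD_NAMES = {"diagnosis", "treatment", "medication", "condition"}


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn check used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(field_name: str, value: str) -> set:
    """Return the set of data classes ({'PII', 'PHI', 'PCI'}) detected in one field."""
    labels = set()
    # A digit run counts as PCI data only if it is also Luhn-valid; this is what keeps
    # the order reference in the fourth sample record from being flagged.
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(value)):
        labels.add("PCI")
    if SSN_RE.search(value) or EMAIL_RE.search(value):
        labels.add("PII")
    if field_name.lower() in PHI_FIELD_NAMES:
        labels.add("PHI")
    return labels


def mask(value: str) -> str:
    """Keep only the last four digits of any digit run so findings can be reported safely."""
    return re.sub(r"\d(?=(?:[ -]?\d){4})", "*", value)


def build_inventory(records):
    """Classify each record and flag a control gap where classified data is stored unencrypted."""
    rows = []
    for rec in records:
        classes = set()
        evidence = []
        for name, value in rec["fields"].items():
            found = classify_value(name, str(value))
            if found:
                classes |= found
                evidence.append(f"{name}={mask(str(value))}")
        rows.append({
            "location": rec["location"],
            "classes": classes,
            # The WISP themes above call for encrypting sensitive data; an unencrypted
            # location holding classified data is therefore recorded as a control gap.
            "control_gap": bool(classes) and not rec["encrypted"],
            "evidence": evidence,
        })
    return rows


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RECORDS):
        flag = "GAP" if row["control_gap"] else "ok "
        print(f"{flag} {row['location']:<20} {sorted(row['classes'])} {row['evidence']}")
```

Run as a script, it prints one line per location with the detected classes and masked evidence; only locations that hold classified data without encryption are marked GAP. The name field is deliberately not pattern-matched, which is a reminder that pattern-based discovery complements, rather than replaces, the interviews and data-flow drawing the section describes.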
Figure 3 is an example of how a simple graphic approach can be used to begin fleshing out the areas that will need to be considered and addressed as the organization moves through the data risk management assessment process. This example is not intended to be an all-inclusive summary of the various attributes that may need to be examined in each of the data risk areas. It does, however, provide a directional sense of the types of questions as well as the prevention, mitigation and recovery issues to consider.

While identifying sensitive data, mapping data flow and determining potential control gaps are important steps in a successful data risk assessment, preparing for the worst-case scenario is equally vital. Planning a response to a data breach can make a significant difference in the damage such an intrusion causes.

The Data Breach Plan

An important component of the WISP will be the data breach plan, either by inclusion or reference. The data breach plan is a guideline and resource that has dependencies on the facts and circumstances surrounding a specific event. In today’s environment, there is a high likelihood that any organization will be impacted by a breach. Organizations that fail to plan in advance often find themselves scrambling to identify appropriate response options as well as the right resources needed for response, mitigation and recovery from the event. The unprepared organization often pays a steep price when it comes to addressing the event successfully. The first time management starts thinking about the considerations, details and nuances attendant to a breach event should not be when the organization is in the midst of a crisis.

The construction and key principles of the data breach plan should be adaptable to all or most breach scenarios. It is important to recognize that not every contingency or nuance of a breach event can be reasonably contemplated or covered. For that reason, the plan needs to be flexible.
The facts and circumstances of each event need to be reviewed carefully and the response tailored to the event-driven needs. It is also highly recommended that the organization engage outside legal counsel for advice before and during the investigation, assessment and management of the event.

A typical breach planning and response flow takes the following steps:
1. Pre-Planning for Breach
2. Execution of Plan
3. Breach Team Briefing
4. Investigation and Damage Assessment
5. Remediation and Resolution
6. Computer Forensic Assistance
7. Media Relations
8. Mandatory Breach Notification
9. Monitor Activities and Environment

The circumstances of each breach will vary, and adjustments to the process and flow can be made to reflect the situation and needs.

When a Breach Occurs

There is a wide range of circumstances that may place sensitive data at risk, from simple errors or negligence up to complex, global hacking events. It may involve a relative handful of records or hundreds of thousands and even millions of records. Regardless, each of these situations requires an intelligent, informed and timely management response. Some common events in which sensitive information can be compromised include:
• Loss or theft of physical documents
• Lost or stolen laptops or other mobile devices
• Errors resulting in communication or misdirection of sensitive data via U.S. Mail, email or fax to the wrong parties
• Loss of backup data tapes or related media
• Improper disposal and destruction of memory devices or documents
• Computer, application, website or network compromised via malware and hacking

Breach Response Priorities

Once the breach is recognized, management must address the issue with an appropriate sense of urgency. While it may seem obvious, it is important to understand and articulate breach response action priorities.
1. Identify the resources needed for addressing and resolving the event and launch a response effort as soon as possible.
2. Determine what the organization already knows.
3. Identify and stop the immediate source of the data leak/loss.
4. Attempt to recover the information.
5. Contain the damage, if any.
6. Do what is required by law, regulation or contract.
7. Assist those individuals or entities impacted by the situation.
8. Remediate the environment and exposures that caused or contributed to the data loss.

One important factor that an organization needs to recognize from the beginning is that a proper breach response can be very resource intensive. An organization needs to be realistic about its limitations as well as the resources and expertise it can bring to the table and still manage its core day-to-day business. Many data loss events will demand additional hands, competencies and expertise that an organization may not have readily available. These resources may have to be obtained externally. This again speaks to the necessity and prudence of pre-planning.

If there is not a breach plan already in place, the impacted organization will need to quickly put one together to address the specific event. If the organization has a business continuity plan or WISP in place, these can be excellent resources to draw from. It will be necessary to assemble a team of management and functional subject matter experts that can help formulate the appropriate actions to take. There will need to be a “command and control” structure set up to manage the event, assign responsibilities, track progress and make appropriate adjustments to the plan when necessary.

Building a Breach Response Team

The organization will need to put a breach response team in place. The structure will be determined based on the size and complexity of the organization.
This team should be a multi-functional core team that includes individuals representing legal counsel, risk management, privacy and compliance, information security, information technology, physical security, audit, public relations and line of business management. Where the appropriate internal resources or experience sets are not available, the organization should seek external resources to fill these roles. Other functions, such as procurement and commercial insurance management, may be part of the team or brought in as necessary.

The breach response team will provide their respective expertise to address the response, remediation and recovery needs of the organization. They will also assist in the formulation and/or adjustment of the breach plan based on the nature, facts and circumstances of the event.

Executive management should also assign a breach response owner with the appropriate expertise, analytical judgment and management authority to draw and command resources as well as make most decisions associated with a data event. This position will hold responsibility for the plan itself and adopt an appropriate communication structure to support the on-going breach communication needs of the organization. The entire team should be supported by a breach executive management committee composed of the “top of the house” leaders who are responsible for approving the breach response plan and to whom all issues, decisions or resource needs that could not be resolved by the breach response owner are referred for direction or action.

Executing the Breach Response Plan

Once the plan has been formulated, reviewed, adjusted and validated for the specific event, it is time to put it into action. The priorities and actions taken in the breach response plan are not always performed sequentially. Often, there may be multiple activities going on in a simultaneous, but well-coordinated, manner.
Breach Team Briefing: The breach team will need to be briefed on the known facts and circumstances surrounding the data loss event. The breach plan will need to be reviewed with the breach team and validated or adjusted for the facts and circumstances surrounding the data loss event. The command and control structure for the event and the respective responsibilities of the team members will be communicated and confirmed. The briefing is an important time to foster a dialogue with the team to discuss not only what is known about the event but also to articulate what is not known and what needs to be known about the event. It is a time to collect any additional perspective or details from the participants that may further the response effort. It is also important to make sure that all the appropriate parties are represented in the room and that an initial identification of necessary resources, subject matter experts and actions has been addressed.

Investigation and Damage Assessment: The breach team and other designated internal and external resources will proceed to investigate the event. These efforts can take many forms. They will collect information that will assist in formulating an assessment of the event in order to develop or refine the appropriate strategies and tactics to address the situation. This is typically a multi-disciplinary effort that attempts to answer the primary investigative questions of the “what,” “when,” “where,” “how,” “who” and “why” of the event. It is important to note that the assessment will likely be an ongoing, dynamic effort as more information is collected, details identified and various hypotheses tested. Strong communication and timely feedback are essential elements of this process. The breach response team must be kept informed of developments in any one area as it may impact other areas and assignment priorities.
Mandatory Breach Notification: If the situation warrants mandatory notification to the individuals and/or entities whose information was compromised, the organization will want to make sure that all legal, compliance and regulatory requirements are met. The notification should be appropriately vetted by the respective subject matter experts. This will include a consideration of the content of the notice, the timeliness with which it must be sent out, and the various recovery options that must be made available to the impacted individuals. In addition, the organization will want to make sure that the tone of the communication is consistent with their desired brand and customer service messaging. An organization’s response to a sensitive situation like losing the personal data that has been entrusted to them can be a “moment of truth” for the organization’s customer relationship. A caring, contrite and transparent notification in conjunction with a solid offering to assist the customer in remedying the situation can go a long way in forging a lasting customer relationship.

The next area to be addressed is how the organization is going to conduct the breach notification and who is going to handle the associated tasks, requirements and follow-ups. Many organizations choose to use a third party supplier to provide what is often called “breach response services,” including:

• Breach response consulting and advisory services
• Public relations and media assistance
• Customer notification preparation, mailings and phone support
• Credit report review and placement of fraud alerts or credit freezes where warranted
• Credit, public record and cyber-monitoring
• Fraud and identity theft resolution services

Pre-planning in this area can pay off in terms of having contracts and pricing in place with a vetted and trusted supplier of breach response services.
In addition, the organization may want to look for suppliers who have experienced subject matter experts who can assist in developing the breach plan, are familiar with your organization and can participate in the breach response when called upon.

Public Relations: Bad news travels fast. Often a data breach results in some type of immediate media coverage. The media may have been tipped off by a customer who received the notification, by a law enforcement report or by someone in the impacted organization. The organization needs to consider what it will say to the media and who will say it when they come knocking at the door for information and comment. Some organizations will want to consider making a proactive notification to the media via a press release to get in front of the situation. The organization will want to appoint a specific spokesperson to whom all media inquiries will be referred. This person would benefit from previous media training and exposure as the face of the organization in these sensitive matters. The organization will also want to be guided in their media interactions in consultation with their legal counsel and preferably an experienced media relations person. When working with the media during these sensitive interactions:

• Be as transparent as possible—typically following the messaging and tone conveyed in the customer notification is appropriate
• Tell the truth on whatever you are prepared to share with them
• Indicate that the assessment and investigation is still ongoing and things are subject to change as more information becomes known
• Do not speculate on facts or information that you do not know for sure

Computer Forensic Assistance: A breach may involve information technology networks, systems, applications or portable devices, so it is often prudent and necessary to obtain the services of experienced computer forensic experts to assist with the investigation, assessment and remediation of technical issues. This is a specialized area that often falls outside of the skill sets of the traditional information technology team. If the organization does not have the internal forensic competencies and tools necessary, they should seek the services of a trusted external firm that can provide them. The typical duties of the computer forensic team include:

• Investigation of technical compromises involving IT systems and memory devices
• Examination of the network, systems and devices to identify and/or confirm the source or sources of the data compromise
• Identification of compromised systems and assistance with dimensioning the extent, duration and scope of the breach, including impacted systems and data
• Recommended actions to close and contain the exposure
• Preservation of evidence and chain of custody for electronically stored information

Computer forensics is another example of an area that should be addressed and contracted during the pre-planning for a breach. Many progressive organizations do proactive technical vulnerability assessments through the use of penetration testing and other technical assessment tools.

Remediation, Recovery and Resolution: As the investigation and assessment activities are being conducted, a key priority is to identify and contain the threat(s) to stop the data leaks and safeguard the environment and/or systems from further deterioration. Once that has been accomplished, the next focus is to begin the process of repair and recovery. The repair activity to the organization’s internal environment will include the remediation of system, data, legal, regulatory and customer issues. Dependent on the event, there can be a long list of “to do’s” in each of these categories. The organization’s goal here is not just to return to the state of existence just before the data event, but to make the improvements necessary to address the risk exposures and prevent a repeat situation.
If the lost data can be traced and recovered, the appropriate actions should be taken to recover it. Alternatively, if there are options to reduce risk and render the data less valuable, that course of action should be pursued as well. It may be as simple as instructing impacted customers to change their passwords and issuing new access credentials. Other remedies like the geo-location or remote disabling of laptops and mobile devices may need to be undertaken. It will also be important to provide the impacted customers with the support, resources and tools to help mitigate the risk to their identities and assets. This can include providing the credit, public record and cyber-monitoring coupled with fraud and identity theft resolution services previously mentioned. There is no “one size fits all” customer solution. Different customers may be impacted in different ways dependent on the type of data that has been compromised (e.g. PII, PHI and PCI) as well as how that data may be exploited in criminal hands. The organization will need to make sure that whoever is assigned to work with the customer has the appropriate skill-set and experience to help resolve a multitude of potential issues.

Damage related to compromised data can often go on for months and sometimes years after the initial event. This issue of data compromise is not an area that the organization should leave half-done after the immediate crisis has passed. It will be important to continue to work in earnest to bring all the issues to a satisfactory resolution. Organizations that try to take shortcuts at this juncture often find themselves back in the same or worse position in the wake of the first event. Smart organizations use the experience as a learning tool to improve their process, practices and systems.

Monitor Activities and Environment: Data compromise situations can have a “long tail.” In today’s hostile data security environment, an organization should never assume a singular threat.
Similar to a police officer who frisks a criminal suspect and finds a gun early in the pat down process but fails to continue and complete the pat down to locate the second or third concealed weapon, an organization cannot become complacent once it believes it has found the vulnerability. There may be other issues that have not yet been detected. Continued vigilance is therefore critical. This vigilance should include continued surveillance of the environment and activities that were impacted by the breach. This may include both the internal systems and the criminal activities targeted at the customer. The organization will want to create the appropriate mechanisms to facilitate follow-up actions and early warning should additional threats emerge.

BEST PRACTICES FOR DATA BREACHES

• The absolute best practice for data breach response is to try to prevent it altogether by making data protection a high business priority and making the right investments to protect the data and minimize your exposures.
• Be proactive in assessing administrative, operational and systemic vulnerabilities through the use of technical assessment tools and penetration testing.
• Practice good systems hygiene by utilizing preventive, detective and audit tools for web sites, networks, systems and applications.
• Back up data on a frequent basis. Safeguard the back-up media. These back-ups can be critical to the timely restoration of systems and your ability to do business. They are also critical for investigating the cause, scope and duration of a breach event.
• Ensure that any third parties who have access to your data or are in possession of your data maintain appropriate security and control over the data that meets or exceeds your internal standards. Also ensure that third party contracts provide for:
  »» Notification to the organization in event of a breach or systems compromise that impacts the organization’s data
  »» Appropriate liability, insurance and reimbursement for expenses and losses incurred by affected parties as a result of a breach
  »» Appropriate response, recovery and remediation actions that are consistent with the organization’s own standards
• Pre-plan for a breach. Make the necessary investment of time and resources to develop and maintain a solid breach plan that includes:
  »» Identification of the sensitive data and its location
  »» Designation of executive management, individual(s) and breach teams responsible for responding to a breach
  »» Identification of the actions to be taken and the assignment of responsibility for these actions
  »» Identification of internal and external competency and resource needs for the organization
• Secure the competencies and resources that your organization will need to respond to a breach, including:
  »» Outside legal counsel
  »» Breach services suppliers:
    • Breach response and advisory services
    • Media relations assistance
    • Customer notification with mailing and call center support
    • Credit report access for customer review
    • Credit, public records and cyber monitoring
    • Fraud and identity theft resolution
  »» Forensic services supplier:
    • Proactive vulnerability assessment
    • Post breach assessment, investigation and remediation support
    • Evidence preservation
• Conduct a planned, periodic review and mock testing of the breach plan so that inconsistencies and gaps can be identified and corrected before the plan is needed.

BEST PRACTICES FOR EFFECTIVE DATA RISK MANAGEMENT

Beyond the administrative and analytical logistics of developing good written plans, the success of data risk management is reliant on the effectiveness and execution of the requirements in the daily activities of the organization. Administrative, operational, systemic and human considerations are critical.
Data risk management success is achieved through the strength and effectiveness of employees, operational practices and technology. Here are some examples of the basic best practices that organizations may want to consider for incorporation into daily practices:

Employees and employment practices:

• Screen and orient employees. Check references and do background checks before hiring employees who have access to sensitive data. Have each employee sign an agreement to follow the organization’s “code of conduct,” confidentiality and security requirements.
• Keep access to sensitive data and other sensitive information on a “need to know” basis in your operational and system protocols.
• Keep only the information needed to conduct business. If there is no legitimate reason for PII, do not collect it and, even then, only keep it for as long as there is a purpose for having it. For example, only use social security numbers for required and lawful purposes—such as reporting taxes—not for an employee or customer identification number.
• Have a written information security plan (WISP) that addresses and documents approved security policies, operations, standards, guidelines and recommended practices.
• Back up needed data regularly and securely.
• Develop a good business continuity/disaster recovery plan. Keep it current and test it.
• Train employees. Periodic education and training that emphasizes the importance of data security practices can prevent loss. A well-trained workforce is the best defense against data loss and breaches.
• Re-train employees. Once is not enough. Employees should take a periodic refresher training class to keep up to date on the latest trends for PII and other sensitive data risks.
• Institute good internal business practices. Make sure employees who leave or transfer to another part of the organization no longer have access to sensitive data. Terminate passwords, collect keys and ID cards as part of the check-out process. Instruct employees to be “gatekeepers” and keep eyes and ears open. Watch for intruders or anyone that does not look like they belong. Verify all work-orders, authorization and identification for individuals seeking access to your space or systems.

Processes:

• Know what data the organization has. Make it a continuing practice to identify and assess what sensitive information the organization has and determine who has access to it. Inventory computers, laptops, flash drives, disks, home computers, files, smart phones, cell phones, printers, copy machines and fax machines – remember all are capable of storing sensitive data.
• Know who sends sensitive data to the organization. Is it from customers, credit card companies, banks, others?
• Know who has access to sensitive data and why. Limit access to sensitive data, including customer and employee information, on a “need to know” basis. Regularly enforce password changes.

Physical security:

• Secure premises, file containers, data center, servers and server rooms.
• Install physical security devices appropriate to the risk. Consider keycard access to premises, video monitoring, alarms, etc.
• Store sensitive data in a locked room or file cabinet. Keep paper documents as well as CDs, zip drives, tapes and backups in a locked room or file cabinet. Control who has a key and who has access. Limit access to those with a legitimate business need, even for offsite storage facilities.
• Require employees to log off and lock up. Employees should not leave sensitive papers on desks when they leave workstations. At the end of the day, they should log off computers and lock file cabinets and office doors. Automate log-offs where feasible.
• Secure computer work stations and lock up laptops when not in use.
• Whenever shipping material that contains sensitive information, keep an inventory of shipments and only use carriers and processes that allow you to track deliveries end-to-end.

Technology security:

General systems and network security

• Identify computers or servers where sensitive data is stored.
• Identify connections to those computers and any vulnerabilities (these can include the internet, printers/copiers, cash registers, computers at branch offices and service providers, and wireless devices like scanners, cell phones and smart phones). Network scanning and penetration testing are useful tools in this regard.
• Encrypt, encrypt, encrypt. This includes data in motion and at rest. If you need to store it, encrypt it—file-level encryption comes built-in to most standard office software (including Microsoft Excel and Word, and with Adobe PDF), and be sure to document the encryption for evidence purposes.
• Do not store sensitive data on any computer with an internet connection, unless it is essential to business.
• Encrypt sensitive data sent to third parties over public networks (i.e. the internet). Never send any unencrypted sensitive data via regular email, even to branch offices or “just this one time.”
• Practice “good systems hygiene” by using strong anti-virus, firewall and patching programs that are automatically updated, and prohibit access to the network by non-updated devices.
• Regularly check for software vulnerabilities and promptly install vendor-approved patches.
• Use secure socket layer (SSL) or another secure connection such as secure shell file transfer protocol (SFTP) when PII, credit/debit card information or other sensitive data is received or transmitted.
• Provide adequate security for web applications that may be particularly vulnerable to hacking.

Password management

• Require employees to use “strong” passwords of at least 8 characters, with a mix of letters, numbers and symbols (not common dictionary words that can be easily guessed and not your organization name), and require that they change passwords often.
• Employees should never share passwords. Make it an organizational policy and practice.
• Use password-activated screen savers to lock employee computers after a period of inactivity.
• Lock out users who do not enter the correct password within a specific number of attempted log-ins (typically five or fewer attempts).
• Warn employees about potential calls from criminals attempting to trick them into giving out passwords by pretending to be on your IT staff (calls like that are always fraudulent—no one should ever ask them to reveal passwords).
• Immediately change vendor-supplied passwords and/or default passwords to more secure ones after installing new software or hardware.
• Cancel all passwords, system access and VPN access and recover computers, flash drives, smart phones, cell phones, tokens and other access devices when an employee, contractor or vendor leaves or changes roles.

Laptop and mobile security

• Restrict the use of laptops, tablets and other mobile devices only to employees who need them to do their jobs. These devices, whether personally owned or organization owned, need to be controlled and managed at the enterprise level from an administrative and technical perspective. Be sure these devices have up-to-date security installed before allowing access to the network.
• Do not allow the use of personally owned computers or smart phones and related devices to send, receive or store PII and other sensitive organization information unless enterprise managed and equipped with appropriate security protocols.
• If sensitive information does not need to be stored on a laptop or mobile device, delete it with an appropriate “wiping” program that overwrites data or otherwise removes it (simply deleting files using standard keyboard commands does not truly delete the data; it remains on the device’s hard drive or memory and can be retrieved with a common software utility).
• Make sure employees store laptops in a secure place (even when in use, consider using locking workstations or cables and locks to secure laptops to employees’ desks).
• Do not store large quantities of sensitive information on laptops or mobile devices. If access is needed, store the sensitive data on a secure central computer where users can remotely access it as needed through a secure device and connection.
• If laptops contain PII, encrypt it and configure the laptop so users cannot download any software or change security settings without approval from IT or management.
• Purge sensitive data from mobile devices as soon as it is no longer needed. Do not maintain large databases on mobile devices containing large volumes of customer information, PII, PHI, PCI and other sensitive data.
• Consider an “auto-destroy” function so data on a computer that is reported stolen will be destroyed when a thief uses it to try to get to the internet.
• Set wireless networks to “no broadcast” and power the laptop and the network connectivity down when not in use.
• Train employees to pay attention to security when they are on the road. Employees should never leave a laptop visible in a car, on a hotel luggage stand or packed in luggage (and keep an eye on laptops going through airport security on the screening conveyor belt).

Firewalls and anti-virus software

• Use properly configured firewalls to protect all networks and computers from hackers while they are connected to the Internet. Where appropriate and technically feasible, use enhanced firewall protection on the computers and networks with the most sensitive information. Determine if you need a “border firewall” to separate your network from the internet. Set access control settings to only allow trusted employees with an immediate need to access the network.
• Use a strong, validated anti-virus software solution and keep it updated.
• Regularly change passwords on firewalls.

Advanced technology solutions

• Intrusion detection systems provide identification and monitoring of suspicious activity occurring on portals to and within organization networks. These systems utilize a combination of pattern recognition and signature-based detection of threats. The functionality typically provides both prevention and detection features that can be helpful in both stopping an intrusion as well as investigating and remediating the network if a successful intrusion has occurred.
• Data loss prevention systems are designed to detect unauthorized data leakage from a business. These systems use various “intelligent approaches” to look for suspicious activities related to an organization’s data in storage, in motion and in use. Many of the newer cyber-attack schemes are designed not only to get into a system but also to remove significant amounts of sensitive data from it. This stolen data is often encrypted by thieves utilizing their own encryption protocols to make it more difficult, if not impossible, for the victim business to identify what is actually leaving the control of the organization.

Service provider security:

Contractor and service provider security

• Before outsourcing a sensitive business function (e.g. payroll, web hosting, customer call center operations, data processing, accounting, etc.), conduct due diligence with respect to data security. Examine the provider’s background, hiring practices, data security practices and information security protections. Compare their standards to the organization’s requirements and conduct an on-site review of the facilities where the data will be used and stored.
• Address security requirements in the contract for the type of data that they will be handling.
• Insist that the contractor notify you of any security incidents they experience, even if the incidents may not lead to a data compromise.
• Periodically audit for contractor compliance, at least annually and upon contract renewal.

Proper destruction of information:

Ensure that the data cannot be read or reconstructed:

• Prevent unauthorized use or access to PII. Shred, burn or pulverize paper records (make shredders available throughout the workplace, especially near copiers or printers). Prior to destroying any documents or data, verify that the destruction is within the organization’s retention policy and guidelines.
• A document/data retention policy should be developed with legal counsel to reduce risks associated with storage of any unnecessary PII/sensitive data.
• Use a “wipe” utility program when disposing of old computers or portable storage devices (deleting files with keyboard or mouse commands is not sufficient because files can be retrieved).
• Make sure employees that work from home follow the same disposal procedures for computers and mobile storage devices.
• Use “degaussing” equipment (available from electronics stores and online) that uses electromagnetism to scramble digital storage on all hardware before destruction of computers, copiers, printers, scanners, faxes and phones.
• When leasing equipment with digital storage (computers, copiers, printers, scanners, faxes, phones), verify within the agreement that the leasing organization erases all digital storage upon return of equipment (even if you plan on degaussing before equipment return).
• Completely destroy hardware with digital storage with a hammer or drill, or use a service that totally destroys hardware (remember to destroy cell phones and smart phones).
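The password management practices above state concrete rules (at least 8 characters; a mix of letters, numbers and symbols; no common dictionary word; not the organization name; lock the account after five or fewer failed log-ins). The following Python is an added example, not part of the RIMS report, that encodes those rules as a policy check and a per-account lock-out counter; the short dictionary word list and the organization name “Acme” are constructed for the example.

```python
"""Password policy check and log-in lock-out counter (added example).

Encodes the rules stated in the report's password management section:
at least 8 characters, a mix of letters, numbers and symbols, not a common
dictionary word, not the organization's name, and lock-out after a fixed
number of failed log-in attempts (five here).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set
import string

# Constructed sample word list; a deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}

MIN_LENGTH = 8            # report: "at least 8 characters"
MAX_FAILED_ATTEMPTS = 5   # report: "typically five or less attempts"


def check_password_policy(password: str, org_name: str) -> List[str]:
    """Return the policy rules the password violates (empty list if compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    lowered = password.lower()
    # Keep only the letters so "Password1!" is still caught as a dictionary word.
    core = "".join(c for c in lowered if c.isalpha())
    if core in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    if org_name.lower() in lowered:
        problems.append("contains the organization name")
    return problems


@dataclass
class LoginGuard:
    """Per-account failed-attempt counter implementing the lock-out rule."""
    max_failed: int = MAX_FAILED_ATTEMPTS
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def record_attempt(self, account: str, success: bool) -> str:
        """Record one log-in attempt and return 'ok', 'denied' or 'locked'."""
        if account in self.locked:
            return "locked"                    # nothing accepted until an admin reset
        if success:
            self.failures.pop(account, None)   # a successful log-in clears the count
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failed:
            self.locked.add(account)           # fifth consecutive failure locks the account
            return "locked"
        return "denied"

    def reset(self, account: str) -> None:
        """Administrative unlock after the user has been verified out of band."""
        self.locked.discard(account)
        self.failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("Acme2012!", "Password1!", "T7#kq9!mZ2"):
        print(pw, "->", check_password_policy(pw, "Acme") or "compliant")
    guard = LoginGuard()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.record_attempt("jdoe", success=False))
```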
Immediate Post-Breach Steps to Quantify a Cyber Claim

Sometimes all the prevention in the world will not be enough to prevent a data breach. As a result, more and more insurers are offering standalone cyber insurance products and policies that cover cyber, privacy and social media related risks. Most of these new cyber risk policies include coverage for e-business interruption or loss of income and extra expenses associated with a breach, which typically can make up some of the more significant costs. Other post-breach expenses that are typically covered can include the cost of notifying affected customers (including the cost of credit-monitoring services for those affected customers for a predetermined period of time), lost productivity costs of employees, crisis management expenses, rapid response security professionals, forensic investigators and accountants, online or electronic vandalism costs caused by an employee, etc.

Quality documentation and forensic analysis are the cornerstone of a positive result on a cyber claim. In the event of a breach, a risk manager should consider the following items for loss tracking purposes and to help quantify a cyber risk claim:

• Immediately review all insurance policies (cyber, property, liability, etc.).
• Identify the timeline of events and determine (as exactly as possible) the time of the breach for each of the affected systems, locations, etc.
• Identify/confirm whether the breach has ended, been stabilized or is still ongoing for each of the affected systems, locations, etc.
• Establish a separate account number or charge code in your cost accounting system for each of the affected systems, locations, etc. under which all cyber breach related costs will be captured.
• Determine the stage at which the breach occurred and the corresponding loss in production/sales/access began.
• Secure production/sales budgets/forecasts that can be used to project production/sales had there not been a breach.
• Identify any seasonality effect on production/sales or similar periodic fluctuations.
• Identify costs that will stop/discontinue during the total and/or partial breach period.
• Consider potential loss to reputation/brand and loss of trust by customers or business partners.
• Track all of the expenses incurred in preparing the cyber claim (including possible attorneys’ fees and the amount of time employees work on investigating and documenting the possible claim).

It is essential that risk managers understand their organization’s cyber risk financial, contractual and reputational exposures pre-breach, work with brokers and underwriters to explain the organization’s cyber liability exposures and associated controls, carefully review coverage options in all policies, and properly manage the post-breach claims documentation process to facilitate an expedited insurance recovery.

CONCLUSION

There has never been a more important time to assess and update your data risk management practices. The volume and value of sensitive data has never been higher and the sophistication of those who want to steal it continues to increase in lockstep with the newest technological innovations. All the while, the potential cost of a data breach grows ever more catastrophic in terms of financial, legal and reputational damage. Failure to act is not an option. Data risk management must be addressed in a holistic sense, encompassing the activities of many silos at once. To safely protect sensitive data, especially in the context of the ever expanding world of cloud computing, engaging outside legal counsel and conducting an attorney-guided data risk management assessment is a must. The umbrella of attorney-client privilege will help protect the findings of your assessment so that they cannot be used against you. The expertise of legal professionals will help create a plan that conforms to all relevant regulations.
Creating a written information security plan as a standard to work against is a great start. Conducting the data risk assessment is another necessary component before one begins the implementation, mitigation and breach prevention process. Finally, implementing information security best practices in a practical way will protect your data on a day to day basis.

APPENDIX A
STATE SPECIFIC DATA SECURITY BREACH NOTIFICATION LAWS

Alaska: Alaska Stat. § 45.48.010 et seq.
Arizona: Ariz. Rev. Stat. § 44-7501
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. 36a-701(b)
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. § 817.5681
Georgia: Ga. Code §§ 10-1-910, -911
Hawaii: Haw. Rev. Stat. § 487N-2
Idaho: Idaho Stat. §§ 28-51-104 to 28-51-107
Illinois: 815 ILCS 530/1 et seq.
Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
Iowa: Iowa Code § 715C.1
Kansas: Kan. Stat. 50-7a01, 50-7a02
Louisiana: La. Rev. Stat. § 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Maryland: Md. Code, Com. Law § 14-3501 et seq.
Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
Michigan: Mich. Comp. Laws § 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Mississippi: Miss. Code Ann. § 75-24-29
Missouri: Mo. Rev. Stat. § 407.1500
Montana: Mont. Code §§ 30-14-1704, 2-6-504
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. 603A.010 et seq.
New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey: N.J. Stat. 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa
North Carolina: N.C. Gen. Stat. § 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. § 74-3113.1 and § 24-161 to -166
Oregon: Oregon Rev. Stat. § 646A.600 et seq.
Pennsylvania: 73 Pa. Stat. § 2303
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: S.C. Code § 39-1-90
Tennessee: Tenn. Code § 47-18-2107, 2010 S.B. 2793
Texas: Tex. Bus. & Com. Code § 521.03
Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont: Vt. Stat. tit. 9 § 2430 et seq.
Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05
Washington: Wash. Rev. Code § 19.255.010, 42.56.590
West Virginia: W.V. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98 et seq.
Wyoming: Wyo. Stat. § 40-12-501 to -502

States with no security breach law: Alabama, Kentucky, New Mexico and South Dakota

OTHER UNITED STATES AREAS/TERRITORIES

District of Columbia: D.C. Code § 28-3851 et seq.
Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands: V.I. Code § 2208

Source: National Conference of State Legislatures, www.ncsl.org

APPENDIX B
SELECTED REFERENCES

Below is a selected list of references that the authors have found helpful in their research and for the management of issues for their own companies and clients. It may provide a useful starting point as you begin to develop your own cybersecurity program.

Information Security Forum: “The Standard of Good Practice for Information Security” www.isfsecuritystandard.com
ISACA/IT Governance Institute: “Control Objectives for Information and Related Technology (COBIT)” www.isaca.org
PCI Security Standards Council (SSC): PCI Data Security Standard (PCI-DSS) www.pcisecuritystandards.org
Shared Assessments: “BITS Framework for Managing Technology Risk for Service Provider Relationships” www.sharedassessments.org, www.bitsinfo.org
The SANS Institute: “Top Cyber-Security Risks” www.sans.org
The SANS Institute: “Glossary of Information Security Terms” www.sans.org/security-resources/glossary-of-terms
CERT: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) www.cert.org/octave/

The National Institute of Standards and Technology (www.nist.gov): an agency of the U.S. Department of Commerce, NIST has a number of excellent resources in the information security space.

NIST IR 7621, Small Business Information Security: “The Fundamentals”
NIST Special Publication 800-12: “An Introduction to Computer Security: The NIST Handbook”
NIST Special Publication 800-14: “Generally Accepted Principles and Practices for Securing Information Technology Systems”
NIST Special Publication 800-27 Rev A: “Engineering Principles for Information Technology Security (A Baseline for Achieving Security)”
NIST Special Publication 800-30: “Risk Management Guide for Information Technology Systems”
NIST Special Publication 800-31 Rev. 1: “Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach”
NIST Special Publication 800-64 Rev 2: “Security Considerations in the System Development Lifecycle”
NIST Special Publication 800-100: “Information Security Handbook: A Guide for Managers”
NIST Special Publication 800-111: “Guide to Storage Encryption Technology for End-User Devices”
NIST Special Publication 800-122: “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”

Contributing organizations

Risk and Insurance Management Society (RIMS): www.rims.org
Identity Theft 911: www.idt911.com
USLAW NETWORK: www.uslaw.org

© Copyright 2012 USLAW Network, Inc., Risk and Insurance Management Society, Inc. and Identity Theft 911, LLC. All rights reserved.