Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International.

Published byKevon Purvis Modified over 10 years ago

Similar presentations

Presentation on theme: "Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International."— Presentation transcript:

1 Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures
Presentation to the Greater Washington, DC Chapter of ARMA International Wednesday, March 21, 2007 Bruce H. Nielson

2 Outline of Presentation
Data Privacy and Security Breaches, Problems and Risks Data Security Breach Incidents Additional Risks Overview of Applicable Laws and Regulations Federal International State Risk Mitigation Measures Human Resources-related Measures Vendor/Service Provider-related Measures Technological Measures Q & A

3 Data Privacy and Security Breaches, Problems and Risks
104,137,499 Total number of records containing sensitive personal information estimated to have been involved in security breaches since Jan 2005 – probably a significant underestimation Current and recent headlines

4 Data Privacy and Security Breaches, Problems and Risks (cont.)
TJX Says Data Breach Worse than Previously Believed Ongoing probe shows it happened almost a year earlier than first thought, as far back as July 2005 TJX still hasn't disclosed the number of shoppers that may have been affected by the breach; analysts believe the number to be in the tens of millions Comerica Bank is reissuing cards to its customers whose account information was compromised in the TJX breach

5 Data Privacy and Security Breaches, Problems and Risks (cont.)
Hack Attack Forces Texas A&M To Change 96,000 Passwords Texas A&M University is forcing 96,000 students, faculty, and staff to change their passwords after a hacker attempted a network break-in The university's computer users can get updated information about the break-in and the ongoing investigation at a University web site. University officials are directing people to the web site for information on how to safeguard personal information

6 Data Privacy and Security Breaches, Problems and Risks (cont.)
University of Idaho Put Staff Data on Web Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused A university data file was mistakenly included along with a report from the UI's internal research department that was posted at the department's Web site. It contained information including names, birthdates and Social Security numbers for about 2,700 university employees, but did not include any personal financial account numbers

7 Data Privacy and Security Breaches, Problems and Risks (cont.)
CD with Medical Data of 75,000 is Found A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers, said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January No way to track whether copies of the CD were made

8 Data Privacy and Security Breaches, Problems and Risks (cont.)
PC, Phone Home Several years ago, Bob installed on his wife's laptop, which was stolen from the couple's Minneapolis home on Jan. 1 Annoyed at the break-in – and alarmed that someone could delete the screenplays and novels that his wife, Sue, was writing – Bob monitored the database to see if the stolen laptop would “talk” to the Berkeley servers. The laptop checked in three times within a week, and Bob sent the IP addresses to the Minneapolis Police Department Officers subpoenaed Bob's Internet service provider, to determine the address where the stolen laptop logged onto the Internet. Within days, officers seized the computer and returned it to the rightful owners

9 Data Privacy and Security Breaches, Problems and Risks (cont.)
Former Fruit of the Loom Workers' Identities Compromised A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc. employees on edge Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of the former employees Fruit spokesman said Tuesday evening that every possible step was being taken to purge the information from the Internet. Sometime between Tuesday night and Wednesday morning, it could no longer be accessed

10 Data Privacy and Security Breaches, Problems and Risks (cont.)
Thief Stole Credit Card Numbers from Seed Site A cyber thief broke into the web site of Johnny's Selected Seeds and stole sensitive customer data, including credit card numbers; in all, 11,500 accounts were compromised. Approximately 20 of the stolen card numbers have been used fraudulently The site is now under 24-hour monitoring to prevent a recurrence; other security measures have also been implemented. Johnny's has notified all people whose account information was stolen. The initial intrusion occurred on February 4, A company official said "criminals gained access to our internal systems and gathered enough information to allow then to gain access to our web site." The FBI is investigating

11 Data Privacy and Security Breaches, Problems and Risks (cont.)
Downloading from the Internet A user downloaded photos of Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch programs The IT department determined she had downloaded a Trojan program along with the photo. Her downloaded photo had a malicious payload attached that used her computer to send out spam. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process

12 Data Privacy and Security Breaches, Problems and Risks (cont.)
Plugging in USB drives (or any other storage devices or media) that are find lying around People's natural curiosity and desire to help were exploited by a consultant who was hired to check security awareness at a credit union. He loaded malicious software on old thumbnail drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers

13 Data Privacy and Security Breaches, Problems and Risks (cont.)
Use of unauthorized software It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information

14 Data Privacy and Security Breaches, Problems and Risks (cont.)
Your new ID-theft worry? Photocopiers No known incidents yet, but potential is very real Most digital copiers manufactured in the past five years have disk drives to reproduce documents; copiers can retain the data being scanned If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, sensitive information from original documents could get into the wrong hands More than half of all Americans may unknowingly put their private financial information at risk this tax season when they copy their tax returns

15 Data Privacy and Security Breaches, Problems and Risks (cont.)
Instant Messaging Security Risks IM creates new avenues for the distribution of malware (viruses, worms, spyware, etc.), which can jeopardize the security of a computer network IM opens new “holes” through which information that is to be kept secure and confidential can be leaked IM may create “invisible” communications channels that operate below the radar of conventional information security measures

16 Data Privacy and Security Breaches, Problems and Risks (cont.)
Wireless and Voice Over the Internet Protocol (“VoIP”) Security Risks Interception or capture of transmissions or packets Modification of transmissions or packets ID theft and theft of services; hijacking a VoIP call and masquerading as the intended called party Denial of service attacks that disrupt all data streams

17 Data Privacy and Security Breaches, Problems and Risks (cont.)
Employees and Vendors Weak Points in Data Privacy and Security Strategy With news of another high-profile data security breach almost a daily occurrence, companies must ensure two crucial weak points — their employees and third-party vendors — are covered in their data privacy and security protocols Employers are responsible for employee theft of information, and may also liable if they don't ensure third-party vendors have sufficient controls in place

18 Data Privacy and Security Breaches, Problems and Risks (cont.)
Most Data Breaches Traced to Company Errors Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders Looked at 550 data breaches that received media coverage between 1980 and 2006 Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors Less than one-third of the breaches were the work of outside attackers

19 Data Privacy and Security Breaches, Problems and Risks (cont.)
Intel Fails to Keep Antitrust Intel said it has not properly preserved s related to its ongoing antitrust litigation with rival Advanced Micro Devices In a court filing, lawyers for Intel blamed human error for a number of "inadvertent mistakes" that it says resulted in certain employees failing to retain outgoing s as required as well as some employees not receiving timely instructions to save documents

20 Data Privacy and Security Breaches, Problems and Risks (cont.)
What’s the solution?

21 Overview of Applicable Laws and Regulations
Federal Data Privacy and Security Laws Gramm-Leach-Bliley Act (1999) Applies to “Financial institutions” Protects non-public personal financial information of consumers Regulations promulgated by the banking regulators, the SEC and the FTC Has data privacy and security requirements Notice and opt-out model

22 Overview of Applicable Laws and Regulations (cont.)
Federal Data Privacy and Security Laws (cont.) HIPAA – The Health Insurance Portability and Accountability Act of 1996 Applies to health care providers, health plans, and companies that receive and process health information from health care providers and health plans – so-called business associates Requires Business Associate Agreement Protects “individually identifiable health information” Does not apply to de-identified health information

23 Overview of Applicable Laws and Regulations (cont.)
Federal Data Privacy and Security Laws (cont.) Fair and Accurate Credit Transactions Act of 2003 Prohibits all persons and entities that accept credit cards and debit cards for business transactions from printing more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction

24 Overview of Applicable Laws and Regulations (cont.)
Federal Data Privacy and Security Laws (cont.) Proposed federal legislation for a data security breach notification law It's Round 2 in Congress' bid to craft federal law that would require businesses to notify U.S. consumers about computer data-security breaches. Some believe that legislation introduced in February soon could become law, given the cooperative tone of federal lawmakers. That would be a reversal from the previous few years, when members of the House and Senate could not agree on a national data-breach law, and dozens of states passed their own laws

25 Overview of Applicable Laws and Regulations (cont.)
Foreign Laws EU Data Directive – Directive 95/46/EC of the European Parliament and of the Council of October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Canadian Privacy Law – An Act to Support and Promote Electronic Commerce by Protecting Personal Information that is Collected, Used or Disclosed in Certain Circumstances . . . Notice and opt-in model

26 Overview of Applicable Laws and Regulations (cont.)
State Laws Non-disclosure of Social Security Numbers More than half of the states have laws that prohibit the disclosure of “whole” social security numbers without consent Data security breach notification laws Nearly three quarters of the states have laws that require notification of affected individuals in the case of a data security breach incident, along with certain remedial measures

27 Overview of Applicable Laws and Regulations (cont.)
Absence of Federal Data Breach Notification Law, and Passage of State Laws, Results in . . .

28 Risk Mitigation Measures
Human Resources-related Measures Employee background checks Employee training and education Acceptable use policies for s, IMs, downloads, and use of the Internet and company systems and equipment Disclaimer of privacy when using company assets Appropriate monitoring of usage Appropriate actions against violators

29 Risk Mitigation Measures (cont.)
Vendor/Service Provider-related Measures Background checks of vendor and service provider personnel Vendor and service provider agreements to comply, and to cause their employees to comply, with applicable laws and with vendee’s data privacy and security policies Indemnification from vendors and service providers against costs, losses and expenses from any data security breach or failure to comply with applicable law or vendee’s policies

30 Risk Mitigation Measures (cont.)
Technological Measures Password protection for computers, devices, networks, documents and databases Physical security for servers, equipment, devices and data and document storage and processing areas Data encryption Internet firewalls, filters, anti-virus software programs and meta data scrubbing programs Tracking of missing/stolen devices Data security breach response plan

31 Questions and Answers

Download ppt "Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
How to protect yourself, your computer, and others on the internet

How to protect yourself, your computer, and others on the internet
COMPLYING WITH PRIVACY AND SECURITY REGULATIONS Overview MHC Privacy and Security Committee Revised 1/17/11.

COMPLYING WITH PRIVACY AND SECURITY REGULATIONS Overview MHC Privacy and Security Committee Revised 1/17/11.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
Ethical and Social...J.M.Kizza 1 Module 5: Anonymity, Security, Privacy and Civil Liberties IntroductionAnonymitySecurityPrivacy Ethical and Social Issues.

Ethical and Social...J.M.Kizza 1 Module 5: Anonymity, Security, Privacy and Civil Liberties IntroductionAnonymitySecurityPrivacy Ethical and Social Issues.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.

Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Similar presentations

Ads by Google