Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Similar presentations


Presentation on theme: "Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February."— Presentation transcript:

1 Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February 28, 2007 Claudia Volk, Principal CJVolk Associates & Carol Van Cleef, Partner Bryan Cave, PC

2 Agenda Background : Current Events Background : Current Events Disposal Rule of the Fair and Accurate Credit Transactions Act Disposal Rule of the Fair and Accurate Credit Transactions Act Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard

3 Scope of the Problem 10 million people each year are victims of identity theft 10 million people each year are victims of identity theft Mean fraud loss per victim in 2005 was $6,383. Mean fraud loss per victim in 2005 was $6,383. Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft. Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft. Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005 Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005 Javelin Strategy & Research

4 Pervasiveness Changing methods to pentrate data security Changing methods to pentrate data security The threat within The threat within MacAffee Analysis MacAffee Analysis Planted employees to engage in identity theft and money laundering Planted employees to engage in identity theft and money laundering Avoid assumptions about the trusted employee Avoid assumptions about the trusted employee

5 The Disposal Rule Protect the privacy of the consumer’s information Protect the privacy of the consumer’s information Reduce risk and fraud of identity theft Reduce risk and fraud of identity theft Applies to any business or individual using consumer reports for business purposes Applies to any business or individual using consumer reports for business purposes Federal Trade Commission Federal Trade Commission June 1, 2005 June 1, 2005 State Laws may apply State Laws may apply

6 The Disposal Rule The FACT Act requires that: The FACT Act requires that: Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose {, } properly dispose of any such information or compilation Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose {, } properly dispose of any such information or compilation The Federal Trade Commission Rule The Federal Trade Commission Rule Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of information in connection with its disposal. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of information in connection with its disposal.

7 The Disposal Rule Flexible Flexible Reasonable measures based on Reasonable measures based on Sensitivity of data Sensitivity of data Costs and benefits of different methods Costs and benefits of different methods Changes in technology Changes in technology Consumer reports and any personal and financial information Consumer reports and any personal and financial information No de minimus exception No de minimus exception Actual, statutory and punitive damages, plus attorney’s fees and civil money penalties Actual, statutory and punitive damages, plus attorney’s fees and civil money penalties

8 Key Terms Consumer Information Consumer Information Any record about an individual Any record about an individual Consumer report or derived from a consumer report Consumer report or derived from a consumer report Information obtained from a consumer reporting company Information obtained from a consumer reporting company Used or expected to be used in establishing eligibility for credit, insurance, and employment Used or expected to be used in establishing eligibility for credit, insurance, and employment Paper, electronic or other form Paper, electronic or other form Compilation of such records Compilation of such records Not included: aggregate information or blind data Not included: aggregate information or blind data

9 Key Terms Disposal / Dispose Disposal / Dispose Discarding or abandonment of consumer information Discarding or abandonment of consumer information Sale, donation or transfer of any medium on which consumer information is stored Sale, donation or transfer of any medium on which consumer information is stored

10 Reasonable Measures Non exclusive examples Non exclusive examples Burn, pulverize or shred papers – cannot practicably be read or reconstructed Burn, pulverize or shred papers – cannot practicably be read or reconstructed Destroy or erase electronic media – cannot practicably be read or reconstructed Destroy or erase electronic media – cannot practicably be read or reconstructed Contract with a third party after appropriate due diligence Contract with a third party after appropriate due diligence Review independent audit of operations or compliance with disposal rule Review independent audit of operations or compliance with disposal rule Obtain several references Obtain several references Require certification by recognized trade associations Require certification by recognized trade associations Review and evaluate information security polices or procedures Review and evaluate information security polices or procedures Take other appropriate measures to determine competency and integrity Take other appropriate measures to determine competency and integrity

11 Action Items Catalog your information Catalog your information Review where and how it is stored Review where and how it is stored Determine who can access it and how Determine who can access it and how Develop appropriate procedures and control to comply with the Disposal Rule Develop appropriate procedures and control to comply with the Disposal Rule Designate a responsible person Designate a responsible person Train employees Train employees Audit Audit

12 Some Suggested Policies and Procedures Conduct personal background checks Conduct personal background checks Permanent employees Permanent employees Temporary hires Temporary hires Sensitive data limits Sensitive data limits Access Access Use Use Distribution Distribution Secure records – physical and online Secure records – physical and online Collect and retain only essential information Collect and retain only essential information Make accessible disposal tools Make accessible disposal tools

13 General Data Safeguarding and Security Breach Tips Integrate into information safeguarding program Integrate into information safeguarding program Ensure information safeguarding program reflects other changes in law Ensure information safeguarding program reflects other changes in law Prepare ready response plan in the event of data security breach Prepare ready response plan in the event of data security breach Understand requirements of data security breach laws Understand requirements of data security breach laws

14 Data Security Breach Laws What businesses are covered? What businesses are covered? What information is covered? What information is covered? What triggers notification? What triggers notification? Who must be notified? Who must be notified? Who is responsible for the notice? Who is responsible for the notice? When must the notices be given? When must the notices be given?

15 Data Breach Notification Best Practices Encrypt information Encrypt information Prepare consumer notification plan Prepare consumer notification plan Notify general counsel or outside counsel immediately Notify general counsel or outside counsel immediately Conduct an immediate internal investigation Conduct an immediate internal investigation Contact local law enforcement contact Contact local law enforcement contact Provide consumer and other notifications if necessary Provide consumer and other notifications if necessary

16 Industry Response Cardholder Information Security Program (CISP) American Express ®, Diners Club ®, Discover ®, JCB ®, MasterCard ® and Visa ® USA American Express ®, Diners Club ®, Discover ®, JCB ®, MasterCard ® and Visa ® USA Safekeeping of account information requirements: Safekeeping of account information requirements: Storage of Cardholder Information Storage of Cardholder Information Destruction of Cardholder Information Destruction of Cardholder Information Use of Third Parties Use of Third Parties Reporting a Security Incident Reporting a Security Incident

17 Payment Card Industry (PCI) Data Security Standard Build and Maintain a Secure Network Build and Maintain a Secure Network Protect Cardholder Data Protect Cardholder Data Maintain a Vulnerability Management Program Maintain a Vulnerability Management Program Implement Strong Access Control Measures Implement Strong Access Control Measures Regularly Monitor & Test Networks Regularly Monitor & Test Networks Maintain an Information Security Policy Maintain an Information Security Policy

18 VISA’s Cardholder Information Security Program (CISP) Classification defines merchant audit requirements Classification defines merchant audit requirements Level 1 merchants: Level 1 merchants: Process > 6 million transactions annually Process > 6 million transactions annually Have suffered a breach Have suffered a breach Are identified as Level 1 by another card issuer Are identified as Level 1 by another card issuer Risk is determined to warrant level 1 requirements Risk is determined to warrant level 1 requirements Level 2 process between 150,000 and 6 million e- commerce transactions annually Level 2 process between 150,000 and 6 million e- commerce transactions annually Level 3 process 20, ,000 e-commerce transactions annually Level 3 process 20, ,000 e-commerce transactions annually All other merchants are considered Level 4 All other merchants are considered Level 4

19 CISP Compliance Validation On Site Security Audit Self- Assessment Questionnaire Network Scan Merchants Required annually for Level 1 Required annually for Level 2 & 3 Recommended for Level 4 Required Quarterly for Level 1 & 2 Recommended for Level 4 Service Providers Required annually for Level 1 & 2 Required annually for Level 3 Required Quarterly

20 What YOU can do “Know thy data” “Know thy data” What you have collected What you have collected Where it is Where it is Who has access to it Who has access to it  Stay informed about Related laws and regulations Related laws and regulations Current breach incidents Current breach incidents Best practices Best practices

21 Questions and Comments? ? ? ?

22 Contact Information Bryan Cave LLP CJVolk Associates, Inc S. Arlington Mill Rd, Ste. 530 Arlington, VA Claudia Volk, Principal Phone Fax Thirteenth Street, NW Washington, DC Carol Van Cleef, Partner Carol Van Cleef, Partner Phone Fax


Download ppt "Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February."

Similar presentations


Ads by Google