Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Published byGodwin Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February."— Presentation transcript:

1 Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February 28, 2007 Claudia Volk, Principal CJVolk Associates & Carol Van Cleef, Partner Bryan Cave, PC

2 Agenda Background : Current Events Background : Current Events Disposal Rule of the Fair and Accurate Credit Transactions Act Disposal Rule of the Fair and Accurate Credit Transactions Act Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard

3 Scope of the Problem 10 million people each year are victims of identity theft 10 million people each year are victims of identity theft Mean fraud loss per victim in 2005 was $6,383. Mean fraud loss per victim in 2005 was $6,383. Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft. Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft. Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005 Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005 Javelin Strategy & Research

4 Pervasiveness Changing methods to pentrate data security Changing methods to pentrate data security The threat within The threat within MacAffee Analysis MacAffee Analysis Planted employees to engage in identity theft and money laundering Planted employees to engage in identity theft and money laundering Avoid assumptions about the trusted employee Avoid assumptions about the trusted employee

5 The Disposal Rule Protect the privacy of the consumer’s information Protect the privacy of the consumer’s information Reduce risk and fraud of identity theft Reduce risk and fraud of identity theft Applies to any business or individual using consumer reports for business purposes Applies to any business or individual using consumer reports for business purposes Federal Trade Commission Federal Trade Commission June 1, 2005 June 1, 2005 State Laws may apply State Laws may apply

6 The Disposal Rule The FACT Act requires that: The FACT Act requires that: Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose {, } properly dispose of any such information or compilation Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose {, } properly dispose of any such information or compilation The Federal Trade Commission Rule The Federal Trade Commission Rule Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of information in connection with its disposal. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of information in connection with its disposal.

7 The Disposal Rule Flexible Flexible Reasonable measures based on Reasonable measures based on Sensitivity of data Sensitivity of data Costs and benefits of different methods Costs and benefits of different methods Changes in technology Changes in technology Consumer reports and any personal and financial information Consumer reports and any personal and financial information No de minimus exception No de minimus exception Actual, statutory and punitive damages, plus attorney’s fees and civil money penalties Actual, statutory and punitive damages, plus attorney’s fees and civil money penalties

8 Key Terms Consumer Information Consumer Information Any record about an individual Any record about an individual Consumer report or derived from a consumer report Consumer report or derived from a consumer report Information obtained from a consumer reporting company Information obtained from a consumer reporting company Used or expected to be used in establishing eligibility for credit, insurance, and employment Used or expected to be used in establishing eligibility for credit, insurance, and employment Paper, electronic or other form Paper, electronic or other form Compilation of such records Compilation of such records Not included: aggregate information or blind data Not included: aggregate information or blind data

9 Key Terms Disposal / Dispose Disposal / Dispose Discarding or abandonment of consumer information Discarding or abandonment of consumer information Sale, donation or transfer of any medium on which consumer information is stored Sale, donation or transfer of any medium on which consumer information is stored

10 Reasonable Measures Non exclusive examples Non exclusive examples Burn, pulverize or shred papers – cannot practicably be read or reconstructed Burn, pulverize or shred papers – cannot practicably be read or reconstructed Destroy or erase electronic media – cannot practicably be read or reconstructed Destroy or erase electronic media – cannot practicably be read or reconstructed Contract with a third party after appropriate due diligence Contract with a third party after appropriate due diligence Review independent audit of operations or compliance with disposal rule Review independent audit of operations or compliance with disposal rule Obtain several references Obtain several references Require certification by recognized trade associations Require certification by recognized trade associations Review and evaluate information security polices or procedures Review and evaluate information security polices or procedures Take other appropriate measures to determine competency and integrity Take other appropriate measures to determine competency and integrity

11 Action Items Catalog your information Catalog your information Review where and how it is stored Review where and how it is stored Determine who can access it and how Determine who can access it and how Develop appropriate procedures and control to comply with the Disposal Rule Develop appropriate procedures and control to comply with the Disposal Rule Designate a responsible person Designate a responsible person Train employees Train employees Audit Audit

12 Some Suggested Policies and Procedures Conduct personal background checks Conduct personal background checks Permanent employees Permanent employees Temporary hires Temporary hires Sensitive data limits Sensitive data limits Access Access Use Use Distribution Distribution Secure records – physical and online Secure records – physical and online Collect and retain only essential information Collect and retain only essential information Make accessible disposal tools Make accessible disposal tools

13 General Data Safeguarding and Security Breach Tips Integrate into information safeguarding program Integrate into information safeguarding program Ensure information safeguarding program reflects other changes in law Ensure information safeguarding program reflects other changes in law Prepare ready response plan in the event of data security breach Prepare ready response plan in the event of data security breach Understand requirements of data security breach laws Understand requirements of data security breach laws

14 Data Security Breach Laws What businesses are covered? What businesses are covered? What information is covered? What information is covered? What triggers notification? What triggers notification? Who must be notified? Who must be notified? Who is responsible for the notice? Who is responsible for the notice? When must the notices be given? When must the notices be given?

15 Data Breach Notification Best Practices Encrypt information Encrypt information Prepare consumer notification plan Prepare consumer notification plan Notify general counsel or outside counsel immediately Notify general counsel or outside counsel immediately Conduct an immediate internal investigation Conduct an immediate internal investigation Contact local law enforcement contact Contact local law enforcement contact Provide consumer and other notifications if necessary Provide consumer and other notifications if necessary

16 Industry Response Cardholder Information Security Program (CISP) American Express ®, Diners Club ®, Discover ®, JCB ®, MasterCard ® and Visa ® USA American Express ®, Diners Club ®, Discover ®, JCB ®, MasterCard ® and Visa ® USA Safekeeping of account information requirements: Safekeeping of account information requirements: Storage of Cardholder Information Storage of Cardholder Information Destruction of Cardholder Information Destruction of Cardholder Information Use of Third Parties Use of Third Parties Reporting a Security Incident Reporting a Security Incident

17 Payment Card Industry (PCI) Data Security Standard Build and Maintain a Secure Network Build and Maintain a Secure Network Protect Cardholder Data Protect Cardholder Data Maintain a Vulnerability Management Program Maintain a Vulnerability Management Program Implement Strong Access Control Measures Implement Strong Access Control Measures Regularly Monitor & Test Networks Regularly Monitor & Test Networks Maintain an Information Security Policy Maintain an Information Security Policy

18 VISA’s Cardholder Information Security Program (CISP) Classification defines merchant audit requirements Classification defines merchant audit requirements Level 1 merchants: Level 1 merchants: Process > 6 million transactions annually Process > 6 million transactions annually Have suffered a breach Have suffered a breach Are identified as Level 1 by another card issuer Are identified as Level 1 by another card issuer Risk is determined to warrant level 1 requirements Risk is determined to warrant level 1 requirements Level 2 process between 150,000 and 6 million e- commerce transactions annually Level 2 process between 150,000 and 6 million e- commerce transactions annually Level 3 process 20,000-150,000 e-commerce transactions annually Level 3 process 20,000-150,000 e-commerce transactions annually All other merchants are considered Level 4 All other merchants are considered Level 4

19 CISP Compliance Validation On Site Security Audit Self- Assessment Questionnaire Network Scan Merchants Required annually for Level 1 Required annually for Level 2 & 3 Recommended for Level 4 Required Quarterly for Level 1 & 2 Recommended for Level 4 Service Providers Required annually for Level 1 & 2 Required annually for Level 3 Required Quarterly

20 What YOU can do “Know thy data” “Know thy data” What you have collected What you have collected Where it is Where it is Who has access to it Who has access to it  Stay informed about Related laws and regulations Related laws and regulations Current breach incidents Current breach incidents Best practices Best practices http://usa.visa.com/business/accepting_visa/ops_risk_management/ http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html

21 Questions and Comments? ? ? ?

22 Contact Information Bryan Cave LLP CJVolk Associates, Inc. 2776 S. Arlington Mill Rd, Ste. 530 Arlington, VA 22206 www.cjvolk.com Claudia Volk, Principal 703-405-4404 Phone 703-405-4404 703-940-2510 Fax 703-940-2510 Claudia.Volk@cjvolk.com 700 Thirteenth Street, NW Washington, DC 20005 www.bryancave.com Carol Van Cleef, Partner Carol Van Cleef, Partner 202-508-6112 Phone 202-508-6112 202-508-6200 Fax 202-508-6200 Carol.VanCleef@bryancave.com

Download ppt "Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February."

Similar presentations

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.

Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
The New Rules of F&I with Peter Jones The New Rules of F&I What are the Rules? Red Flag Rule Graham / Leach / Bliley Act Privacy Notice Safeguard Rule.

The New Rules of F&I with Peter Jones The New Rules of F&I What are the Rules? Red Flag Rule Graham / Leach / Bliley Act Privacy Notice Safeguard Rule.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Red Flags Rule & Municipal Utilities

Red Flags Rule & Municipal Utilities
1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.

1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

Similar presentations

Ads by Google