What lessons can we learn from other data breaches? Target, Sentry Insurance, Dynacare Laboratories


Slide 1 (Introduction): What lessons can we learn from other data breaches?
• Target
• Sentry Insurance
• Dynacare Laboratories

Slide 2 (Introduction): Why should we care?
• Certain kinds of data are very valuable to identity thieves
 ◦ Personal Financial Information (PFI)
 ◦ Personal Health Information (PHI)
 ◦ Personally Identifiable Information (PII)
 ◦ PII = PFI + PHI
• A breach of PII can be very costly
 ◦ Loss of reputation
 ◦ Expenses to remedy the breach
 ◦ Potential lawsuits
 ◦ Potential fines and penalties

Slide 3 (Introduction): What is PFI and PHI?
• Any government-issued ID number is PFI
 ◦ Social Security Number
 ◦ Driver's License Number
• Any bank-issued account number is PFI
 ◦ Checking/savings accounts
 ◦ Credit card numbers
• Most health information is PHI
 ◦ Diagnosis information
 ◦ Treatment information

Slide 4 (Introduction): Legal requirements
• 47 states have breach notification laws
• Laws vary widely from state to state
• The Wisconsin insurance commissioner must be notified of unauthorized access to insured information (December 4, 2006 bulletin)

Slide 5 (Target breach): All warnings ignored by Target
Events on the slide's timeline (only the first date label survives in the transcript):
• Unknown date: Target's HVAC vendor's computer systems were infected through a phishing attack
• Customer credit card information was transmitted out of Target's computer system
• Target acknowledges a data breach; 40,000,000 credit card records stolen
• Malicious software was detected on Target servers and Target's security team was notified
• Federal authorities notified Target of the data breach
• Target acknowledges 70,000,000 additional customer records were stolen

Slide 6 (Target breach lessons): Target's woes all started with phishing... (What in the world is "phishing"?)
• A thief sends an email with a fake link, hoping the user will click it
• The link could install malicious software (malware) on the user's computer
• The malware could transmit sensitive information back to the thief, such as passwords

Slide 7 (Target breach lessons): A sample phishing email (the sample email itself is an image not reproduced in the transcript)
• Never click on unknown links!

Slide 8 (Target breach lessons): Hackers quickly turn stolen credit card information into cash

Slide 9 (Target breach lessons): Target was subject to Payment Card Industry (PCI) standards
• The major credit card companies have developed uniform standards for information security practices
• Any person or company accepting credit cards must comply with some or all PCI standards or face contractual fines and penalties
• Requirements include:
 1. Build and maintain a secure network
 2. Protect cardholder data
 3. Maintain a vulnerability management program
 4. Implement strong access control measures
 5. Regularly monitor and test networks
 6. Maintain an information security policy

Slide 10 (Target breach lessons): Practice good password management
• Easy to remember, but hard to guess
• Change passwords regularly!
• Use a different password for each system
• Should be at least 8 characters long
• Should have upper case, lower case, and numbers
Figure: "Time to crack passwords?" (Source: Bloomberg BusinessWeek; the table is not reproduced in the transcript)
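To make the slide's rules concrete, here is an added example (not from the presentation) that checks a password against the stated rules and estimates how long an exhaustive search of passwords with the same length and character mix would take. The cracking rate, the list of common patterns and the sample passwords are all assumed/constructed values; the point it adds is that length dominates the search space and that a password can satisfy every rule and still be easy to guess.

```python
import string

# Password rules from the slide: at least 8 characters, with upper case,
# lower case and digits.  The cracking rate is an assumed value for an
# offline attack on a stolen hash database, not a figure from the slide.
MIN_LENGTH = 8
ASSUMED_GUESSES_PER_SECOND = 1e9

# Constructed list of patterns that satisfy the rules yet are easy to guess.
COMMON_PATTERNS = {"passw0rd", "password1", "welcome1", "qwerty123", "letmein1"}


def policy_violations(password: str) -> list:
    """Return the slide's rules that the password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password.lower() in COMMON_PATTERNS:
        problems.append("matches a common pattern")
    return problems


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
    ]
    return sum(size for test, size in classes if any(test(c) for c in password))


def exhaustive_search_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password of this length and character mix."""
    return charset_size(password) ** len(password) / rate


def report(password: str) -> str:
    """One-line summary: days of exhaustive search plus any rule violations."""
    days = exhaustive_search_seconds(password) / 86400
    issues = policy_violations(password) or ["compliant"]
    return "%-18s %14.3f days  %s" % (password, days, "; ".join(issues))


if __name__ == "__main__":
    for pw in ["password", "Passw0rd", "Tr4vel-Lamp-Rain"]:
        print(report(pw))
```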

Slide 11 (Target breach lessons): Recap of Target lessons
• Users have the biggest role in information security
 ◦ Don't click on unknown links in emails!
 ◦ Change passwords often, and make them hard to guess
• Your system may be safe, but what about others who have access to your system? (Vendors? Customers?)
• Don't ignore the warning signs of a breach
 ◦ Always conduct an investigation
• Be extremely careful if you keep sensitive data
 ◦ Delete unneeded data
 ◦ Take extra precautions if you store sensitive data

Slide 12 (Sentry breach): Sentry Insurance breach
• June of 2006
• "A lead programmer/consultant with a nationally recognized computer contractor"
• 112,198 total records stolen; records from 72 worker's compensation claimants were sold
• Sentry was notified by law enforcement
• The data sold over the Internet included people's names and Social Security numbers

Slide 13 (Sentry breach lessons): Grant the least privilege
• Users should have the least access necessary to do their job role
• Applies to everyone, including employees, not just consultants and vendors
• Excessive access is a recipe for disaster

Slide 14 (Sentry breach lessons): Use background checks
• Consider background and credit checks for employees and contractors. Look for:
 ◦ prior criminal history
 ◦ illegal drug use
 ◦ significant credit or financial issues

Slide 15 (Dynacare breach): Dynacare Laboratories and Froedtert Health breach
• October 22, 2013: An employee's car was stolen, containing a laptop and a purse with a USB drive
• The USB drive contained 9,414 PFI records
• All items were eventually recovered by police, with no evidence that the files had been accessed
• Lawsuits were filed by the City of Milwaukee and Milwaukee Professional Firefighters Local

Slide 16 (Dynacare breach lessons): Closely manage mobile devices and mobile storage
• Devices containing potentially sensitive information are getting smaller and smaller, and easier to lose
• These devices can store massive amounts of data
• It is hard to control these exposures
• Don't forget:
 ◦ Laptops
 ◦ Smart phones and tablets
 ◦ USB drives
 ◦ Backup tapes

Slide 17 (Dynacare breach lessons): Consider encryption
• Encryption scrambles a computer file. It can be read only by someone who has the right encryption key to unscramble it.
• In most statutes, encryption is a "get out of jail free card"
• Customers are beginning to expect encryption

Slide 18 (Summary): What can I do to prevent a breach?
• Do not retain sensitive information unless necessary; consider encrypting it if you need to keep it
• Protect that data from access by anyone who does not need it
 ◦ Password management
 ◦ Least privilege
 ◦ Encryption
• Monitor those who do need it to ensure they are using it properly

Slide 19 (Summary): What if a breach occurs?
• Investigate every suspected claim of a data breach right away
• Comply with the law
• Utilize outside help for
 ◦ Legal guidance
 ◦ Data forensics
• Notify in a timely manner


Slide 21 (Summary): What else can I do?
• Engage an information security contractor to help evaluate your security practices
• If you use other contractors or vendors to service your computer system, check the contract!
 ◦ Do they assume liability for a breach they cause?
• Consider a cyberliability insurance policy

Slide 22 (Extras): Cloud security
• Many strategic advantages to outsourcing IT services
• This comes with significant security risks
• Assess vendors for security controls and look for certifications:
 ◦ PCI certification
 ◦ ISO certification
 ◦ SOC2 certification

Slide 23 (Extras): Data Loss Prevention
• DLP technology allows you to see what information leaves your network perimeter
• Can check email and web traffic
• Can block or automatically encrypt sensitive data
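As an added illustration (not part of the presentation) of what the DLP check on slide 23 actually does with the PFI defined on slide 3, the example below scans constructed outbound messages for Social Security numbers and payment card numbers, uses the Luhn check digit to avoid flagging every 16-digit reference number, and redacts what it finds so the message can still be delivered. The messages, the SSN and the card number are made-up test data; real DLP products also match by keyword, document fingerprint and context, which this small example does not attempt.

```python
import re

# Constructed sample of outbound messages, as a DLP filter on the mail or
# web gateway would see them.  The card and SSN values are made-up test data.
SAMPLE_MESSAGES = {
    "msg1": "Claim 4471 approved. Claimant SSN 123-45-6789, please update the file.",
    "msg2": "Invoice total 4111 1111 1111 1111 is due Friday.",  # Luhn-valid test card number
    "msg3": "Order ref 1234-5678-9012-3456 shipped.",             # 16 digits, fails Luhn
    "msg4": "Lunch at noon? Bring the Q3 slides.",
}

# SSN format with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 14-19 digits, optionally separated by spaces or hyphens, as card numbers are typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pfi(text: str) -> list:
    """Return (kind, value) pairs for SSNs and Luhn-valid card numbers in text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(("card", m.group()))
    return hits


def redact(text: str) -> str:
    """Mask detected values so the message can still be delivered."""
    for _, value in find_pfi(text):
        text = text.replace(value, "[REDACTED]")
    return text


def scan_outbound(messages: dict) -> dict:
    """Map message id -> detections, keeping only the messages that were flagged."""
    flagged = {}
    for mid, body in messages.items():
        hits = find_pfi(body)
        if hits:
            flagged[mid] = hits
    return flagged
```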