Read an Excerpt

Managing Catastrophic Loss of Sensitive Data

Syngress Publishing, Inc.

Chapter One

Solutions in this chapter:

* What Is Sensitive Data?

* Data Security Breach

* Data Loss Consequences

* Prevention and Safeguards

* Response

* Notification

* Recovering from a Data Breach

* Organization of the Book

Overview

The loss of sensitive data continues to be a significant concern for both organizations as well as individuals whose information may be at risk of a breach. Organizations that experience a data breach can suffer reputational damage, loss of customer and constituent confidence, legal and regulatory scrutiny, and the direct costs of managing an incident and complying with the legal requirements to notify customers that their private information has been breached.

If a data breach involves internal business information, the competitive damage to the organization can be severe. In the case of leakage of private customer information, this damage will be compounded by eroded customer trust and brand equity.

Data breaches represent a major category of organizational failures in the eyes of many individuals. Customers, constituents, and employees demand to have their personal information well protected and, in the event that sensitive data may have been exposed, require that they be notified of such incidents. As a result, lawmakers and regulators have responded by passing laws to help identity theft victims and to require organizations to protect the security and confidentiality of their customers' and employees' personal information.

Both organizations and individuals are acutely aware of the risk from the loss of sensitive information. One of the most nefarious consequences of a data breach is identity theft, a rapidly growing crime with devastating consequences to its victims. It still poses a major risk to the public as well as to the organization that mishandles private information with which it has been entrusted.

Since the consequences of identity theft are severe, a real concern arises even if only a small percentage of parties whose information was breached end up becoming victims. Moreover, any notification of a data breach, even if it does not result in identity theft, will influence consumers' behavior and confidence and may lead to the termination of their relationship with the organization that mishandled their private and confidential information. The consequence may be damage to an organization's reputation as well as the opportunity cost of lost business. This loss of confidence can also arise within the organization itself, since the loss of confidence in the security of a particular system or data store can render it hesitant or unwilling to engage in new initiatives or ventures.

Since organizations collect and store vast amounts of personal information about their customers, constituents, and employees, they must play an important role in protecting privacy and curbing the growth of identity theft through the implementation of effective safeguards and controls and through a response plan that will provide the ability to make informed decisions during an incident in order to protect the organization and its customers. This requires the development and implementation of response mechanisms for such a crisis before one occurs.

What Is Sensitive Data?

On a general level, sensitive data can be defined as information concerning the organization's or an affiliate's prospective, current, or former customers, clients, vendors, employees, or any other nonpublic business information. Sensitive data is information whose disclosure is protected by law or regulation as well as that protected by organizational policy. This includes confidential information and Personally Identifiable Information (PII), which is an individual's name in conjunction with an identifier or account number and whose compromise could lead to identity theft or fraud.

Sensitive data can be organized into the following general categories:

* Legislatively protected data subject to legal or regulatory oversight. This includes data such as medical records and financial records. * Personally Identifiable Information, which can reasonably identify individuals and which, if disclosed, could violate the privacy of individuals and lead to identity theft or fraud. * Any data whose unauthorized disclosure could lead to a financial or reputational loss. This includes nonpublic intellectual property and trade secrets as well as business related data such as payroll and benefits information, work history, and budget information. * Any combination of components of customer information that could allow unauthorized access to the customer's account, such as username and password or password and account number. * Data whose unauthorized release would constitute a violation of confidentiality agreed to as a condition of possessing the data. * System or user credentials whose unauthorized release could provide access to sensitive systems or resources. * Any data protected by organizational policy.

Personally Identifiable Information

An important class of sensitive information is notice-triggering Personally Identifiable Information (PII). This type of data is tightly associated with identity theft or fraud and is subject to legislation requiring both reporting and notification of unauthorized access.

Personally Identifiable Information is any information that permits the identity of an individual to be directly or indirectly inferred, including the first name or first initial and last name, address, or telephone number, in conjunction with any one or more of the following elements, when either the name or the data element is not encrypted:

* A social security number or national identification number. * A driver's license number or other officially recognized form of identification. * A credit card number, debit card number, financial account number, or any required security code, access code, or password that would permit access to financial information relating to that party. * Any additional, specific factor that adds to the personally identifying profile of a specific individual, such as a relationship with a specific financial institution or membership in a club. * Medical information.

This general definition of PII can apply is most cases unless local jurisdiction law or regulatory guidance is stricter, in which case the organization must abide by the local jurisdiction laws or regulations.

In addition to PII, other high risk personal information includes health information, student records, employee salary and benefits data, financial information, or other personal information the disclosure of which would violate the privacy of individuals.

Confidential Business Information

In addition to customer, constituent, and employee information, sensitive data encompasses business and operational information whose disclosure would violate a legal agreement or would either deny the organization a competitive advantage or provide an advantage to its competitors. This includes trade secrets and intellectual property, operational details, organizational strategies, certain client relationships, and sensitive third-party information subject to a nondisclosure agreement.

Legally protected business information includes pending mergers and acquisitions. The premature disclosure of this information to or its use by certain parties can result in regulatory and legal penalties since it can provide the potential for insider gains in security trading.

Data Categories

Not all sensitive information requires the same level of safeguards or poses the same risk of harm in case of a breach. Categorization or classification schemes are used to identify various levels of data sensitivity. The most common schemes generally classify data into three or four categories, such as Confidential, Internal, and Public. Guidelines used to classify data include:

* Monetary, reputational, contractual, or regulatory impact if the data is compromised. * Statutes, regulations, or policies requiring certain information types to receive special consideration with respect to unauthorized disclosure or dissemination. * Confidentiality and accuracy of the data with respect to business functions and needs.

Data Security Breach

Despite efforts at identifying and correcting security vulnerabilities, weaknesses will remain given the difficulty in sustaining a fully secured posture. The intentional or accidental exploitation of such weaknesses to obtain unauthorized access to information can result in a data security incident or breach. More specifically, a breach can be defined as any known or suspected circumstance that results in an actual or possible unauthorized release of information deemed sensitive by the organization or subject to regulation or legislation. This can include the unauthorized acquisition, use, alteration, disclosure, retention, and destruction of data that compromises the confidentiality, integrity, or availability of sensitive information maintained by the organization or by a third-party provider under contract to the organization.

An incident can include events that do not constitute an actual compromise or breach but nonetheless pose a security risk to the organization, such as the violation of an explicit or implicit information security policy that can increase the risk of a compromise, or any adverse event whereby the confidentiality, integrity, or availability of organizational information could be threatened accidentally or intentionally.

Specific regulations and laws can also have very specific definitions of incidents, particularly of breaches that warrant notification and reporting to regulators and the affected parties.

An incident can be the result of accidental or intentional actions, by internal or external parties. However, good faith acquisition of sensitive information by an employee for business purposes is not a breach provided that the information is not used or subject to further unauthorized disclosure.

Incidents can have one or more root causes, including negligent employees, negligent third parties, malicious internal or external parties, and unaddressed process or technical vulnerabilities.

There are several ways in which data breach incidents can lead to the compromise of sensitive information. Some common ways include:

* Lost or stolen laptops or storage devices. * Theft of intellectual property. * Attempted or actual unauthorized access to systems or information. * Unauthorized sharing of data. * Improper handling or disposal of data. * Compromised user accounts. * Inappropriate use or sharing of passwords. * Intentional or unintentional noncompliance with organizational security policies and processes. * Noncompliance by a party with contractual obligations regarding the safeguard of sensitive information.

Data Loss Consequences

The consequences of a loss of sensitive information can affect both the organization and any external party whose information was compromised. The principal issue is the threat of misuse of the breached information, especially if this misuse leads to identity theft or fraud.

Impact

For the organization, a loss of sensitive information at a minimum will entail the cost of responding to and managing the incident along with the associated productivity loss. Beyond that, it can include one or more of the following:

* Regulatory or legal impact if the incident will likely result in regulatory attention, legal penalties, civil action, or governmental prosecution. * Customer impact if the incident resulted in a disruption of customer service or in a loss of customer accounts. * Reputational impact if the incident resulted in negative publicity and/or negatively impacted the reputation of the organization. * Financial impact if the incident resulted in or is likely to result in a financial loss or expense.

Identity Theft

Identity theft and identity fraud refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. A baseline definition can be found in the US Identity Theft and Assumption Deterrence Act of 1998, in which identity theft is described as a range of illegal activities that use a person's personal information to perpetrate a crime. The act identifies offenders as anyone who "... knowingly transfers or uses, without lawful authority, any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual with the intent to commit, or to aid or abet, any unlawful activity ...".

(Continues...)

---

Excerpted from Managing Catastrophic Loss of Sensitive Data by Constantine Photopoulos Copyright © 2008 by Elsevier, Inc.. Excerpted by permission of Syngress Publishing, Inc.. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---