These are my notes from the NRS Fall Compliance Conference.
Ted Kobus, Baker Hostetler
Karen M. Aavik, First Niagara Financial Group
Tammy Eisenberg, CLS Bank International
In 2012 the average cost of a data breach was $5.4 million (IBM 2014 Cost of Data Breach Study).
More breaches happen from lost laptops and media than from third-party hackers. Malicious employees may steal information; ill-informed employees may leave systems open inadvertently. Also keep an eye on employee departures: make sure the departing employee's remote access is shut down.
Malware is hard to stop, and stopping it takes a concerted effort. Phishing and spear-phishing are now more common: the attacker tries to get you to open the breach yourself by handing over your account name and password.
Vendors cause a substantial share of breaches, and they may not be as careful as you are. At the end of a contract, make sure you get the data back and that the vendor deletes its copy.
Data Breach Decisions
- Is it a breach?
- Who are the key internal personnel that should be involved in the response?
- Do you involve law enforcement?
- Do you hire a forensics company?
- Do you retain outside counsel?
- Do you involve regulatory agencies?
- Is crisis management necessary?
- Do you offer credit monitoring?
- Can you rely on a "law enforcement delay" to defer notification?
One silver lining: you will be better prepared for the next breach.
What do regulators expect?
- Transparency
- Prompt and thorough investigation
- Corrective action
- Appropriate and prompt notification to regulators and customers
Best practices
- Prepare and practice a response plan
- Respond quickly
- Bring in the right team
- Preserve evidence
- Contain and remediate
- Let the forensics drive the decision-making
- Involve law enforcement
- Document the analysis
- Involve the C-suite
- Plan for the likely reaction of customers, employees, and key stakeholders
- Mitigate harm
FTC Recommended Internal Safeguards
Over 50% of data breaches originate from inside the company.
Train and retrain all employees to:
(1) Limit access to customer information to employees who have a business reason to view it;
(2) Secure deal jackets and information;
(3) Lock rooms and file cabinets;
(4) Use strong passwords on computers (and don’t share);
(5) Remove access for terminated employees;
(6) Securely dispose of customer information;
(7) Think about what data is provided to a vendor;
(8) Protect customer information.
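As an added example (not from the conference or the speakers) of the offboarding check behind item (5) and the remote-access point above: reconcile the HR termination list against directory accounts and remote-access group membership, and flag anything a departed employee can still use. The roster, the account records and the group names are constructed assumptions; in practice the inputs come from HR and from the directory or VPN concentrator.

```python
"""Offboarding reconciliation: terminated employees who still have access.

Added example, not code from the conference or the speakers. All data and
group names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed names of groups that grant remote access (VPN, Citrix, webmail).
REMOTE_ACCESS_GROUPS = {"vpn-users", "citrix-remote", "owa-access"}


@dataclass
class RosterEntry:
    user: str
    status: str                      # "active" or "terminated" (from HR)
    terminated_on: Optional[date] = None


@dataclass
class Account:
    user: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)
    last_login: Optional[date] = None


def reconcile(roster: List[RosterEntry], accounts: List[Account], today: date) -> List[Dict]:
    """Return one finding per access problem.

    Checks, per directory account:
      * no matching HR record at all (unknown or ghost account);
      * HR says terminated but the account is still enabled;
      * HR says terminated but the account is still in a remote-access group
        (flagged even if disabled: re-enabling the account would restore VPN);
      * a login recorded after the termination date.
    """
    findings: List[Dict] = []
    by_user = {r.user: r for r in roster}
    for acct in accounts:
        entry = by_user.get(acct.user)
        if entry is None:
            findings.append({"user": acct.user, "issue": "account not on HR roster"})
            continue
        if entry.status != "terminated":
            continue
        if acct.enabled:
            days = (today - entry.terminated_on).days if entry.terminated_on else None
            findings.append({"user": acct.user, "issue": "account still enabled",
                             "days_since_termination": days})
        remote = acct.groups & REMOTE_ACCESS_GROUPS
        if remote:
            findings.append({"user": acct.user,
                             "issue": "still in remote-access group(s): " + ", ".join(sorted(remote))})
        if acct.last_login and entry.terminated_on and acct.last_login > entry.terminated_on:
            findings.append({"user": acct.user, "issue": "login after termination",
                             "last_login": acct.last_login.isoformat()})
    return findings


def run_example() -> List[Dict]:
    """Run the check over constructed sample data and return the findings."""
    roster = [
        RosterEntry("alice", "active"),
        RosterEntry("bob", "terminated", date(2014, 10, 3)),
        RosterEntry("carol", "terminated", date(2014, 9, 15)),
        RosterEntry("dave", "active"),
    ]
    accounts = [
        Account("alice", True, {"vpn-users"}, date(2014, 10, 20)),
        Account("bob", True, {"vpn-users", "finance"}, date(2014, 10, 6)),   # never offboarded
        Account("carol", False, {"citrix-remote"}, date(2014, 9, 12)),       # disabled, group lingers
        Account("svc-backup", True, set(), None),                            # not in HR at all
        Account("dave", True, set(), date(2014, 10, 21)),
    ]
    return reconcile(roster, accounts, today=date(2014, 10, 21))


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

The point of the "login after termination" and "still in remote-access group" checks is that disabling the account is not the whole job: group memberships, VPN certificates and mailbox access outlive the account record unless they are removed explicitly, so the report should drive a ticket per finding rather than a single "disabled" flag.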
Identity Theft Red Flag Rules
The key is to determine whether you are a "financial institution" or "creditor" that maintains "covered accounts".
Policies/procedures must be based on a periodic identification of client accounts and a risk assessment of potential identity theft, including:
– account opening processes;
– account access processes; and
– previous experiences with identity theft.
The procedures must include the following four elements:
– identifying red flags;
– detecting red flags;
– responding to red flags; and
– periodically updating the program.