Posts

Data Breach Notification Bill goes to the House

H.B. 224, a newly introduced data breach notification bill for New Mexico, would mandate that organizations notify breached individuals within 10 days of breach discovery (unencrypted credit card data); and within 10 business days notifying the state attorney general if more than 50 NM residents are affected.

4DThe bill allows for a shorter notification deadline and for card carriers to sue for recovery costs linked to the breach; and customers can sue for statutory damages.

Companies operating in NM will also have additional data security and data disposal requirements, due to the bill. Enacting H.B. 224 would make New Mexico join 46 states who have data breach alert laws.

Payment Card Breach

  • Within two business days: Time allowed for card issuers facing a breach to notify all the merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
  • H.B. 224 would also set a risk of harm threshold regarding when an alert is required for card breaches.
  • If the magnetic strip data or other information is revealed, yielding harm or risk of harm to the cardholder and compromise of access device data, the bill would require notification. The card issuer would not need to give approval or direction.
  • Card issuers can sue for recovery of administrative costs if a card reader is breached or if there’s a problem with strip data.

Data Security and Disposal

  • The bill would make companies “implement and maintain reasonable” security measures to ensure protection of personal identifying information from illegitimate access or other fraudulent action.
  • Businesses would also have to include these data security standards in contracts involving “non-affiliated third parties” that they share personal information with.
  • Personal data, however which way it’s contained, be disposed of such that personal identifying information would be impossible to read or decipher.

Enforcement

  • The bill would authorize the state attorney general to seek injunctive relief and recovery of damages via court.
  • Failure of a company to notify of the breach could result in harsh fines, if the bill is enacted.
  • Customers could sue for damages of $100 to $300, depending on circumstances.

Being accountable:

It may be just a matter of time before the Federal government steps in and decides PCI Standards might not fix client data protection problems. Businesses who see the writing on the wall are being proactive and making smarter investments in their customers security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Data Breaches happen and how to respond

Here’s four chief ways how data breaches happen:11D

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee is tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Prepare

Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines to which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion such as law enforcement, a forensics investigator, consumers, FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Keeping up to date and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Ways small businesses are preventing Breaches

How did that huge recent data breach of a major retailer occur in the first place? Well, valuables can’t be stolen if there aren’t any valuables to begin with. Large merchants will store customers’ credit/debit card data to facilitate faster transactions. But small retailers keep minimal or zero data—this will not attract thieves.

2DIf customers want increased security of their card data, they’re going to have to give up the speedy transactions and automatic debits, because currently, they can’t have it both ways.

A smaller outfit may keep only the last four numbers of a credit card on file; no SSN or anything else. This isn’t much for thieves to work with. Yet at the same time, every time a customer makes a purchase, they must give all the required information.

Some small retailers are completely technology-free, though this seems like an impossible undertaking in this modern e-age. For example, a small business that bills monthly for services may not honor automatic withdrawal of a member’s monthly fees. Members may pout, unaware that this inconvenience has a protective feature.

Banks also have a role in protecting customers and businesses. A good start would be to require a PIN from cardholders for every transaction.

Another maneuver would be for the U.S. to ditch the magnetic strip on cards and replace with a digital chip. This would prevent thieves from stealing data off the strip. Thanks to the magnetic strip, America is the hacking capital of the world.

Additional Tips

  • Hardware: firewall security appliances and routers.
  • Software: Think anti: virus, spyware, phishing. Also think full disk encryption and total protection suites.
  • E-mail security: It must be hammered into employees NEVER to click on any link in an e-mail from an unfamiliar sender.
  • Physical security: The building should be equipped with video surveillance (outside and indoors), alarm systems and solid core doors of commercial grade.
  • The test: Find someone, known as a “penetration tester” who knows all about hacking, but whom you can trust, to “hack” your network to see what needs to be done to protect it from a real villain.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Insecurity causes Customer Headaches

Imagine not being able to use cash for even the smallest purchases because your bank—still shaking from news of the recent retail data breach that affected at least 110 million accounts—has decided to block all customer transactions. This actually happened.

12DIn many recent interviews I have been asked the question numerous times “Is it time to go back to cash?” The answer is NO, but consumers should definitely have cash on hand. Not having cash will severely limit consumers in the event of a massive power outage and we are seeing that massive data breaches have big time negative effects too.

Large banks, in response to that 110-million-account breach, may be putting limits on card usage, and can have cards replaced relatively quickly. But smaller financial institutions do not have the means to replace cards quickly. They also lack budgets to cover potential breach incidents.

As a result, a customer may learn that their card is blocked from transactions that don’t involve a PIN. Many consumers got stung by this during the holidays. One customer reported he had to contact his bank first to confirm any online purchases. His card then gets unblocked for an hour, but then blocked again. Supposedly this ban has since been lifted.

In a litigious society, don’t bet against the possibility of consumers suing retailers for these kinds of consequences; it’s already begun happening. One woman filed a class-action lawsuit on Dec. 23, 2013, citing a giant retailer’s alleged failure to secure its data, leading to the massive breach.

Tips for Businesses

  • Always update. Your software should always be up to date. Thieves can easily overcome old software and invade your sensitive data.
  • Control access. Who has access to your servers? Do you know? Make sure that only trusted users/administrators have access.
  • App testing. If a custom application code is running on your servers, it should be tested for the top 10 security issues regarding web applications.
  • Be alert. Keep a tight rein on your server, and your cloud provider’s bill. A traffic surge that you don’t expect can signal a spam attack.

Don’t pass the buck. Business owners, and consumers as well, have been playing key roles in cyber crimes—though not with malicious intentions, but rather, being uninformed as well as not wanting to step up to the plate.

Stepping up to the plate is the only option retailers have in order to survive. The time to show your customers you are serious about preventing credit card fraud and the lengths you’ll go to protect their identities is right now.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Been Breached? A Response Plan

Should victims of a data breach be notified? This situation can be confusing due to various state laws. Certain issues must be considered, including differences among state laws. Differences include what exactly defines personally identifiable information; which agency (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification letter should say.

4DLegal counsel can tell you what level of notification you’re entitled to. Not every data breach case requires that consumers or businesses be alerted. But not alerting has its own set of negative consequences.

When an incident does require notification, the information that follows must be considered: (these are general guidelines – review any and all steps with your attorney)

  • Treat all victims equally; all get notified, even if this means out of state. Not doing so can yield legal consequences or the media might pounce.
  • Though there aren’t really any notification laws regarding overseas victims, they too should be notified.

Notification

The sooner victims are alerted, the better. Under what circumstances, though, should victims be notified? The nature of the breach should be considered, along with type of information stolen and whether or not it may be misused, and the possible fallout of this misuse.

Damage from misuse can be significant, such as with stolen SSNs and names.

When in doubt, consult with legal counsel. Don’t be surprised if you’re informed that breached consumers must be notified; most states require this. And within 30 days. Some states mandate that the Attorney General’s office also be notified.

FTC Recommendations for Notification

  • Inform law enforcement when notification takes place so they don’t cross lines with it.
  • Also find out from them precisely what information the consumer notification should contain.
  • Select someone from your organization to manage release of information.
  • This contact individual should be given updated information concerning the breach, plus your official response, as well as guidelines for how victims should respond.
  • To aid victims’ communication options, consider providing a toll-free number, posting a website or mailing letters.
  • Explain clearly to victims just what you know of the breach. How did it happen? What information was stolen or compromised? How might the thieves misuse it? What actions have the organization taken for mitigation? What reactions are appropriate?
  • Make sure victims know how to reach the contact person.
  • Make sure the law enforcement official who’s working your case has contact information for victims to use.The officer should also know that you’re sharing this contact information.
  • Victims should ask for a copy of the police report, then make copies to give to credit card companies that have honored unauthorized charges.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Business Data Breaches Key in Rise of ID Theft

The 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier report released by Javelin Strategy & Research Data Breaches increasing and more damaging – “One likely contributing factor to the fraud increase was the 67 percent increase in the number of Americans impacted by data breaches compared to 2010. Javelin Strategy & Research found victims of data breaches are 9.5 times more likely to be a victim of identity fraud than consumers who did not receive such a data breach letter. The survey found 15 percent of Americans, or about 36 million people, were notified of a data breach in 2011.”

Over the past five years, criminal hackers from all over the world have been targeting huge databases of Social Security and credit card numbers. The endgame for criminal hackers is identity theft. Once they obtain stolen data, their objective is to turn it into cash as quickly as possible. This either entails selling the data to identity thieves on black market forums, or using the information to create new accounts or to take over existing credit card accounts.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of data theft incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

The fundamentals of ID theft protection include:

Software: Antivirus, antiphishing, antispyware. Total protection “all access” suites of protection and full disk encryption

Hardware: Routers, firewall security appliances

Physical security: Commercial grade solid core doors, business security systems, security cameras.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

Is Email Encryption Right for Your Business?

The Privacy Rights Clearing house currently tallies 542,608,451 records breached in the past 5 years. Unsecure email certainly contributes to the problem. Small business email (or any email) starts off on a secure or unsecure wired or wireless network then travels over numerous networks through secure or unsecure email servers often vulnerable to people who are in control of those servers.

There is also plenty of hacking and cracking tools bad guys (and good guys) use to sniff out that data in plain text.

With criminal hackers, government funded hackers and the various other snoops, email encryption today is essential.

In a recent study by Ponemon Institute, the latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

If your business operates under some form of regulation whether it is finance, healthcare, or any other regulation where fines are imposed in the event of a data breach, then email security should be a fundamental layer of your company’s information security protection plan.  Plain and simple if you are concerned about compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws look to email encryption.

At its basic level PGP encryption is one way to provide email encryption. More on that in the next post.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures