
Data Breach Response Planning 101

Don’t think in terms of “if” you’ll suffer a data breach, but rather, “when.” Once you establish this mindset, it’s time for you to develop a response plan. After all, a security system that’s impenetrable has yet to be invented.

What’s more, an amazing number of businesses don’t even have the best security system available. So again, a data breach is a “when,” not an “if.”

For starters, a response plan should include as much information about the incident as possible, remaining transparent (consult your legal team about the types of information that should and should not be disclosed) and being aggressive at managing the circumstances.

Another area to consider when developing a response plan is how the data breach will impact customers and clients—namely, their trust in the company. The Ponemon Institute states that much of the damage from a data breach stems from the loss of customer trust in the company.

Though the average number of customers who vanish following a data breach came in at 4 percent, says the study, there are enterprises that see an average “customer churn” rate of 7 percent. While it may seem small, it will undoubtedly be noticeable when it comes to the bottom line, and the healthcare and pharmaceutical industries are just the type to suffer this degree of loss.

So how can a company prepare to retain as many customers as possible following a data breach? Be prepared, and this preparation should include a way to stay level-headed.

One way to stay cool and collected is to avoid jumping the gun when the breach occurs, because if the business is too hasty at revealing the breach, the organization will have that much less time to respond in an efficient, optimal manner. Thus, take the time to consult with experts and gather all of the facts before reacting.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Being in Sync means your Data is safe

What is data synchronization? This technology synchronizes data between two or more computers and/or the cloud and automatically copies changes that are transacted between devices.

File synchronization is used for home or small business backups, for example when the user copies files to a flash drive or external hard drive. Synching prevents the creation of duplicate files.

For superior synching, take a look at GoodSync with its 30-day free trial. After that, for $30 (or 33% off with discount code “SICI1”), you can continue using its battleship of features. GoodSync provides remote service and also synchs with many online services.

Now let me tell you how well GoodSync works for me. Like most, my operating system resides on my C: drive. I keep my C: drive clear and free of all data so all it has to do is operate my system and contain updates, drivers and security patches. My D: drive is the DVD/CD-ROM drive, and my E: drive has all my data, taking up over 75 percent of the three-terabyte internal drive. My primary data is on drive E:, and this is backed up by a cloud service and then synched to my external three-terabyte F: drive.

Now, every two hours, GoodSync automatically synchs my external F: and internal E: drives. Even though all my data is in a cloud, what if my internal drive crashes? Downloading everything would be a pain. That’s where GoodSync comes in. Plus, though the cloud has its virtues, accessing data from it on a daily basis is surely not one of them.

You’ll be pleased with GoodSync’s efficient main window. Some of GoodSync’s offerings include file filtering, bidirectional/unidirectional synching, synching of deletions, and job scheduling.

Version 9 can include numerous sources and single files in one job. If you create files on your mobile, GoodSync will automatically download them. It supports SkyDrive, Windows Azure, Google Docs, Amazon Cloud Drive and Amazon S3.

Don’t let the lack of flamboyant design fool you; GoodSync is as good as they come, and for tech-savvy users it is a breeze. Not-so-tech-savvy users will be quite impressed with the many options but will need more time to catch on.

GoodSync stands out from other synching programs because it displays files from both destination and source on the right side of its main window, while the status shows on the left side. It’s best to use a dedicated destination folder for your synch.

As for connecting to online services, GoodSync supports SFTP, FTP and WebDAV.

Another point is that for every PC that you wish to remotely synch, you will need a license.

There really isn’t any reason why you shouldn’t download GoodSync and take advantage of its 30-day free trial.

You have nothing to lose (literally!) with GoodSync. Get going on it.

Robert Siciliano is a digital life expert to GoodSync discussing identity theft prevention on YouTube. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Recognize Your Willingness to give up your Privacy

If a stranger stopped you on the street and requested your e-mail address and birthdate, would you give it to that person? A rational person would never give up this information.

This is the same guard you should have when giving out your personal information to set up an online account, set up a social account or get some bargain or great deal on a product or service. Most people will give up all their data for 10% off at a shoe store.

Many people blindly give out personal information online or in person to get that bargain. Sometimes, these choices are made by people who claim to value their privacy.

Those same people may not know that every time they log into free unencrypted WiFi, they are most likely revealing everything they communicate on a PC, laptop or mobile. This is why an encrypted connection like the one provided by Hotspot Shield is very necessary.

A study from Carnegie Mellon University, conducted by Alessandro Acquisti, turned up some very interesting results.

He sent some graduate students to a shopping mall near Pittsburgh. The students were instructed to offer a $10 discount card, with an extra $2 discount to shoppers in exchange for their shopping information. Half turned down the extra offer. The $2 wasn’t enough to get them to reveal their shopping cart items.

Another group of shoppers was offered a $12 discount and the choice to exchange it for $10 if they desired to keep their shopping data private. Ninety percent decided to keep the $12 discount, which meant they were willing to reveal their shopping data.

What gives?

It looks as though if people already have ownership of private data from the get-go, they’re more likely to value it. If it’s yet to be acquired, however, the value placed on it is less.

So getting back to cyberspace, have you ever wondered whether the data that the online advertising industry collects on you is truly scrambled so that it’s not possible to identify individuals?

Acquisti conducted another experiment. With a webcam he took snapshots of about 100 campus students. It took only minutes for him to identify about 30 percent of these nameless students by using facial recognition software.

He then went a step further and gathered enough information on about a quarter of the identified students via Facebook to guess a portion of their Social Security numbers.

Acquisti showed how simple it is to identify people from scratch because they leave a data trail in cyber space—and this includes photos. This shows how easy it is for criminals to use Facebook to steal a person’s identity.

Though it would violate Facebook’s terms of service to register a fake birthdate, the user needs to be aware of the tradeoff: Identity thieves love to find birthdates.

Facebook says that the user can control who sees personal information. So you just have to weigh the pros and cons. Is receiving well wishes on your birthday worth the risk of a thief using your basic information to steal your identity?

And by the way, thieves can use your Facebook profile photo to help steal your identity. Maybe this is why some people use their baby’s or dog’s photo for their Facebook photo?

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Data Breaches Equal Job Loss

Is it a coincidence that Beth Jacob resigned from her job as chief information officer of Target Corporation? Or could this possibly be connected to the data breach that slammed Target in December of 2013, affecting as many as 70 million customers? Being a CIO is no easy task, especially when you have thousands of criminals trying to breach your networks every minute of every day.

Target also announced that its information security procedures and compliance division will be completely revamped. The retail giant will also be seeking an interim CIO.

That’s not all. Gregg Steinhafel, Target’s former chief executive, recently lost his job with the retailer due to the data breach. He had been with the company for 35 years.

Should weaknesses in computer safety be blamed on Chief Executive Officers? Yes, because ultimately, the CEO is responsible for protecting the customer’s sensitive data. For instance, Steinhafel was at the helm when thieves hacked customer data records, such as credit card information and home addresses, from the retailer’s computer system. Boards are also latching onto this issue and will be very influential in the before and after of a breach.

The company CEO isn’t just responsible for sales; this individual is responsible for security. Target’s data breach is a rude awakening for CEOs everywhere; data security breaches influence sales—very negatively—not to mention customer loyalty.

And then there’s the enormous expense of recovering from the breach and regaining customer trust. In Target’s case it rings in at $17 million thus far. And it is growing. Ultimately, the costs for everything related to the data breach are projected to soar into the billions.

The Secret Service, which is involved in the ongoing investigation, reports that it may take years to nail the hackers.

Law enforcement’s motto is “Serve and Protect,” and people gripe, “Where’s a cop when you need one?” suggesting law enforcement is supposed to be there to protect us at all times. This misconception has created an entire culture of “it’s not my job/responsibility/problem.” YES. IT. IS. As a company front-line employee, an officer or a CEO, security is your responsibility. Security is everyone’s responsibility.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Data Brokers: Walking the Tightrope

Never mind the government nosing in on your business; there’s a much bigger snooper out there that’s mining your personal data: thousands of companies whose names you may not even know.

These “data brokers” aren’t “bad”, although a few are irresponsible. They collect and analyze your very personal information, then package it up and sell it for profit to advertisers and the government. Though this rather benign consumer marketing is nothing new, the volume and type of data has changed, thanks to the Internet, making data broking a multibillion dollar venture.

Today’s technology allows data brokers to snatch and sell information about your closest friends, medical conditions, unsavory habits, even your literal footsteps—online and offline.

Data brokers today will classify people into groups such as those with genetic diseases or poverty. These are called vulnerable consumers, with classification names such as Ethnic Second-City Strugglers.

As for medical conditions, there are classifications for particular diseases, such as multiple sclerosis and cancer. There is no legislation that regulates any of this mining into our most private information.

Surprisingly, some of these companies are also in the business of offering identity protection services to consumers.

It’s not known just where the bigger data brokers even harvest their information or to whom they are selling it.

Maybe this is because they consider their client list to be proprietary. One broker even stated that it purchases lists of financially vulnerable people from government agencies so that ultimately, those who are eligible for assistance can be identified. These government clients are public record, said the broker.

The FTC consumer protection head believes that data brokers should be required to allow consumers access to the data that’s been scooped up about them. Meanwhile, data brokers’ records have become attractive to criminals. Ever since the ChoicePoint breach there have been multiple info/data brokers compromised.

When considering who you choose to do business with, relationships with data brokers, especially any who are also involved with protecting your customers’ identities, should be reassessed.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Your Customers’ High Cost of Privacy

This writer has said numerous times that privacy is waning and dying, partly because we have allowed it with our bazillion posts to social media and partly because of the shift from print advertising to digital. During that shift, lots of creative types figured out how to figure you out and get inside your digital head, all at a cost to your privacy.

Arwa Mahdawi in the Guardian brilliantly posed: “Privacy isn’t dead, but it’s getting very expensive.” So true.

Ask yourself: as a decision maker for your business or employer, when it comes to protecting your organization’s customers’ or clients’ personal data, how proactive are you? And even if you’re proactive, are you aware of just what is involved on the part of the customer/client to ensure that their personal information doesn’t get into the wrong hands?

Or perhaps you’re not very active in this realm at all, figuring that it’s “up to the customer” to figure out how to secure their data, or that it’s the responsibility of the banks and credit card companies.

I contend that businesses who collect valuable data from customers and profit from it – from email addresses, to credit cards to SSNs – have the responsibility to protect the data collected. Otherwise customers inclined to do so must pay a fee to have their personal information protected. That business is booming.

It’s fair to speculate that if businesses, such as retailers and healthcare organizations, had an excellent history of keeping customers’ data airtight, the protection of privacy wouldn’t have become something that people must pay for.

Of course, there are ways that consumers can protect their privacy without paying for it, such as giving up the use of credit and debit cards, always remembering to disconnect their mobile device in public when they don’t need to be online, never seeing doctors, disabling their cookies, etc.

But let’s face it, these free approaches are impractical or even impossible. How many Internet users even know how to disable their cookies, or even what a cyber cookie is? How many know what a VPN is?

Consumers should not have to be tech savvy or have a lot of money or make impractical lifestyle changes in order for their private information to be leak-proof.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches: How To Protect Your Business From Internal Threats

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

The NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.

Cracking The Code

We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The MeriTalk study found:

  • 66 percent of federal network users believe security is time-consuming and restrictive.
  • 69 percent say their work takes longer because of additional cyber security measures.
  • One in five users report an inability to complete work because of security measures.
  • 31 percent of users work around security measures at least once a week.

Forrester found:

  • 36 percent of breaches stem from inadvertent misuse of data by employees.
  • 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
  • 57 percent say they’re not even aware of their organization’s current security policies.
  • 25 percent say a breach occurred because of abuse by a malicious insider.

Guarding What’s Yours

The most important thing companies can do is to put the right security measures in place. Start by identifying the employees who access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management, as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.

The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.

Other procedures and tools you might want to consider implementing include:

  • System-wide encryption
  • Tools that report alerts and events
  • Inspection access controls
  • Password management
  • Multifactor authentication
  • Device recognition
  • Data disposal for e-data, paper data and discarded devices
  • Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.
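As an added illustration of the discovery, classification and least-privilege steps described above (example code written for this page, not a product or the author’s own tooling), the following Python scans constructed outbound-transfer events for card numbers, SSNs and email addresses, validates each hit to cut false positives, and checks every transfer against a hypothetical per-department authorisation policy. The rules, departments, domains, threshold and sample values are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Validators reject regex hits that cannot be real data; false positives are what get DLP alerts ignored.
def luhn_valid(digits: str) -> bool:
    """Luhn checksum that every issued payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(ssn: str) -> bool:
    """Drop SSN-shaped strings the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

# Classification rules (constructed): label, pattern, risk weight per hit, validator or None.
RULES = [   # card pattern simplified to 16-digit numbers with optional separators
    ("card_number", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), 5,
     lambda s: luhn_valid(re.sub(r"[ -]", "", s))),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5, ssn_plausible),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), 1, None),
]

# Hypothetical least-privilege policy: data classes each department may handle, and internal destinations.
AUTHORISED = {
    "accounting": {"card_number", "email"},
    "hr": {"ssn", "email"},
    "marketing": {"email"},
}
INTERNAL_DOMAINS = {"example-corp.internal"}
BLOCK_THRESHOLD = 5   # risk score at which a transfer leaving the network is stopped

@dataclass
class Event:
    user: str
    department: str
    channel: str        # "email", "https", "usb", ...
    destination: str    # mail domain, host name or "removable-media"
    content: str

@dataclass
class Finding:
    event: Event
    classes: dict = field(default_factory=dict)   # label -> validated hit count
    risk: int = 0
    reasons: list = field(default_factory=list)   # non-empty means the transfer is blocked

def classify(text: str) -> dict:
    """Data discovery: count validated occurrences of each sensitive class in a payload."""
    counts = {}
    for label, pattern, _weight, validator in RULES:
        hits = [m for m in pattern.findall(text) if validator is None or validator(m)]
        if hits:
            counts[label] = len(hits)
    return counts

def evaluate(event: Event) -> Finding:
    """Score one transfer and record every policy reason it should be stopped."""
    finding = Finding(event=event, classes=classify(event.content))
    weights = {label: w for label, _p, w, _v in RULES}
    finding.risk = sum(weights[label] * n for label, n in finding.classes.items())
    allowed = AUTHORISED.get(event.department, set())
    for label in finding.classes:
        if label not in allowed:          # the "who needs this data and why" check
            finding.reasons.append(f"{event.department} is not authorised to handle {label}")
    if event.destination not in INTERNAL_DOMAINS and finding.risk >= BLOCK_THRESHOLD:
        finding.reasons.append(f"risk {finding.risk} leaving the network via {event.channel}")
    return finding

# Constructed sample transfers; the card and SSN values are standard test numbers.
SAMPLE_EVENTS = [
    Event("alice", "accounting", "email", "example-corp.internal",
          "Refund for order: card 4111 1111 1111 1111, contact alice@example-corp.internal"),
    Event("bob", "marketing", "https", "files.example.net",
          "Export: 4111 1111 1111 1111, 5500 0000 0000 0004, bob@example.net"),
    Event("carol", "hr", "usb", "removable-media",
          "Onboarding SSN 123-45-6789; tracking 1234 5678 9012 3456; placeholder 000-12-3456"),
]

def run_monitor(events=SAMPLE_EVENTS) -> list:
    return [evaluate(e) for e in events]   # a real DLP hook would call evaluate() per event

if __name__ == "__main__":
    for f in run_monitor():
        verdict = "BLOCK" if f.reasons else "allow"
        print(f"{verdict:5} {f.event.user:6} risk={f.risk:2} {f.classes} {'; '.join(f.reasons)}")
```

Carol’s transfer shows the edge cases: the Luhn-invalid tracking number and the unissued SSN are discarded, so only the real SSN counts, and the transfer is stopped by the destination rule rather than by department authorisation.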

The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Courts side with Consumers in Data Breach

In general, courts don’t tend to side with consumers in data breach incidents. However, a federal court in Florida is the exception. It approved a $3 million settlement for victims whose personal health information was on a laptop stolen in December 2009.


The laptops belonged to AvMed, a health insurer, and the unencrypted data involved records of tens of thousands of the company’s customers.

Though the consumer-plaintiffs suffered no identity theft or other direct losses, they accused AvMed of breach of contract and fiduciary duty, negligence and unjust enrichment.

These claims were dismissed by the U.S. District Court for the Southern District of Florida, but the plaintiffs appealed. The U.S. Court of Appeals for the Eleventh Circuit remanded the case.

AvMed’s attempt for another dismissal went down the tubes, prompting the company to enter into settlement talks with the plaintiffs.

The agreement says that each victim will get up to $10 for every year they made an insurance payment to AvMed, with a cap at $30. This is money, say the victims, that AvMed could have spent on better data security. The agreement also requires AvMed to pay damages to anyone who gets stung with identity theft.

AvMed will also employ encryption and new password protocols, plus GPS technology for its laptops.

Apparently, this settlement is the first in which the awarded victims didn’t have to show tangible evidence of loss.

Traditionally, courts nationwide don’t take on such claims, holding that a claim lacks merit if it’s based on the possibility of future damages rather than concrete losses that have already occurred.

The ruling serves as a precedent for future data breach cases, supporting customers’ stance that a segment of their health insurance premiums should fund data security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Data Brokers: What Are They; How to Get Control of Your Name

Data brokers have lots of personal information about you; here’s what you can do about that.

Ever hear the term “data broker”? What do you think that is? Think about that for a moment. Yep, you got it: an entity that goes after your data and sells it to another entity.

The entity that gets the data, the broker, is called a consumer data company. They snatch huge amounts of data from individuals all over the planet and sell it. And who wants your personal information? Your information is of significant value to marketers, companies doing background checks and in some cases, your government.

They want to know what you like to buy, what you’re most likely to buy, if you want to lose weight, build muscle, what kind of cars you like, where you vacation, what you eat, where you shop for clothes, what kind of disease you have, whether or not you’ve been assaulted or if you have committed a crime…all so they can get a solid picture of who you are.

You now know about data brokers: a whole new industry that reflects our evolving technology. Lawmakers have taken notice of this flourishing industry, trying to get companies to give some control to consumers over what becomes of their data.

At least one data broker makes it possible for you to see how much data is out there about you and to possibly edit and update it. But that’s not enough.

Just how much do data broker companies even know about people?

They build you up from the inside out, starting with skeletal information (name, address, age, race) and padding the meat on from there: education level, medical conditions, income, life events (buying a home, getting divorced), driving record, lawsuits against you, credit scores and more. One credit reporting agency even sells lists of the names of people expecting babies and who has newborns. They even sell lists of people who make charitable donations and read romance novels. Data brokers can even get ahold of your income information.

This doesn’t mean that any one data broker knows everything about you. It’s just that a heck of a lot of personal information about you is potentially scattered all over the place. Data brokering is legal: a multi-billion dollar industry involving trillions of transactions every day. But this doesn’t mean the consumer is without rights or power. You can, indeed, do some reclaiming of your name from the data brokering industry.

How do you get control and manage your name?

  • Sit and wait: As mentioned, lawmakers are putting the heat on data companies to make it possible for consumers to have some control over all of this. The FTC recommended in a 2012 report that the data mining industry establish a website that reveals names of U.S. data brokers plus other relevant information.
  • Go to StopDatamine.me: Data brokers have not responded, so someone else did: a site that tells consumers who the data brokers are and their opt-out links.
  • Browse “Incognito”: With Google’s Chrome browser you can open a “New Incognito Window”; once opened, you’ve gone incognito. Pages you view in incognito tabs won’t stick around in your browser’s history, cookie store, or search history after you’ve closed all of your incognito tabs. Any files you download or bookmarks you create will be kept. However, you aren’t invisible. Going incognito doesn’t hide your browsing from your employer, your internet service provider, or the websites you visit.
  • Use a VPN: For the ultimate in masking your webcrumbs, use Hotspot Shield VPN, which acts as a proxy, covers up your IP address and protects your devices and data from WiFi hackers at the same time.
  • Plugins: The Chrome and Firefox browsers offer a plethora of add-ons to mask your browser. DoNotTrackMe is a good one.
  • Behave: Yes, just be good, don’t commit any crimes, because you can’t erase bad behavior from government records.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Data Security Legislation is inevitable

A law (or laws) on data breaches is around the corner. And the time is right, what with the scads of data breaches involving major retailers lately. Details of customers’ addresses, phone numbers, credit cards and other sensitive information have ended up in the hands of hackers. We’re talking many tens of millions of affected consumers.

Despite this mushrooming problem, no consensus has yet arrived regarding just what role the government should assume to protect peoples’ data. But a common thread to the many ideas is customer notification once a data breach occurs. Though 46 states do have notification laws, retailers gripe that this makes them spend precious time complying with this instead of on fighting data infiltrations and repairing the fallout.

“We’ve long said that action is needed and hopefully we can see passage of data breach notification legislation this year,” says Brian Dodge, a senior vice president at the Retail Industry Leaders Association.

Recently the Data Security Act was introduced. It would require companies and banks to have privacy protections and investigate breaches, plus alert customers about big risks of theft or fraud. Banks have complained about the costs of responding to data breaches and have insisted that retailers take more action on the fallout. The DSA could take some of this burden off banks.

“We think it’s important that essentially everybody up their game,” says Kenneth Clayton, an executive VP and chief counsel at the American Bankers Association. This needs to occur whether through law or industry action, Clayton adds.

The FTC may even get involved. But how much should the government get involved? “The idea that the government would do a better job than private industry is a horrible idea,” says John Kindervag, a principal analyst at Forrester Research, an advisory firm.

However, a 2014 priority for the FTC is to protect sensitive health and financial information. “The FTC has long been concerned that this type of sensitive data warrants special protections,” says Jessica Rich, head of the FTC’s consumer protection bureau. She adds that the FTC strongly supports the possibility of new laws that would protect consumers.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.