
At the IAPP Practical Privacy Series in Silicon Valley, Joanne McNabb, CIPP/G, of the California Office of Privacy Protection and Julie Fergerson of Debix ran participants through live, interactive data breach scenarios. Here are their thoughts on the exercise and their reactions to participants’ responses.
Running through breach scenarios is a good way to verify that your incident response plan is actually ready: it forces your team to think through common, realistic incidents before one happens.

During a session at the IAPP Practical Privacy Series in June, participants used Turning Point’s voting technology to register responses to a series of questions designed to measure their preparedness for handling a breach incident. Approximately 80 individuals actively participated in each scenario. As you read through the results, you will see some of the responses were quite a surprise to us.

Scenario 1:  Lost Tape
A back-up tape containing unencrypted names and SSNs of customers is lost in delivery. The customers reside in all 50 states.

Q:  Which individuals do you notify?

   1. Individuals in strict liability states (“unauthorized acquisition”)
   2. Individuals in states with harm-based trigger
   3. All individuals regardless of state laws
   4. No one and hope that the problem goes away

From the responses, most companies notify all affected individuals regardless of state law. Still, it was disappointing to see that five percent of respondents would choose not to notify at all, and that others would notify only where the law requires it.

SCENARIO 1 CHART HERE:

Scenario 2:  Hacking
Many companies face this scenario. A hacker penetrates a server with a database containing employee names and Social Security numbers. It is not clear if the hacker accessed any of the data. Fifty-nine days have passed and forensics still needs more time to determine if any information was accessed. Some entities are subject to a federal law requiring notification within 60 days from the date of discovery, and on the horizon are new laws that will go into effect with 30-day notification requirements from the date of discovery.

Q:  Do you notify without verification that the individuals’ information was viewed by the hacker?

   1. No, wait for forensics to complete its audit, regardless of state laws and notification deadlines.
   2. Yes, notify all individuals immediately because so much time has passed.

SCENARIO 2a CHART HERE:

Q:  Which individuals would you notify?

   1. Individuals in strict liability states (“unauthorized acquisition”)
   2. Individuals in states with harm-based trigger
   3. All individuals regardless of state law

SCENARIO 2b CHART HERE:

Scenario 3:  Employee Access
Employee A receives an e-mail from Employee B that contains a list of customer names and credit card numbers. Employee A, who is not authorized to have access to this information, prints out the list and, on realizing what it is, tells his supervisor. The e-mail was sent by accident.

Q: Which of the following would you do?

   1. Tell the supervisor not to worry about it, since the employee reported it.
   2. Treat it as a possible breach:
          * Have someone from IT scan the employee’s computer
          * Interview the receiving and sending employees
          * Thoroughly document the incident
          * Determine if notification is required (to credit card issuers, individuals, government agencies, etc.)

SCENARIO 3 CHART HERE:

Scenario 4: Stolen Briefcase
A manager’s briefcase containing job applications with applicants’ Social Security numbers is stolen at an airport.

Q: Would you notify the job applicants?

   1. Yes
   2. No

SCENARIO 4 CHART HERE:

Final Question. Do you conduct a root-cause analysis after a breach to determine how the scenario can be prevented in the future? Some examples include:

    * After an employee accidentally e-mails Social Security or credit card numbers, you could purchase and install content monitoring software that blocks the e-mail transmission of Social Security numbers and credit card numbers.
    * If you lost a tape of unencrypted Social Security numbers, you could create a new policy to encrypt all data that is backed up.
    * After a hack, you could scan all servers and fix the hole through which the hackers entered
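The first remediation above, blocking outbound e-mail that carries Social Security or credit card numbers, is the one that most often fails in practice on false positives (phone numbers, order numbers and dates all look like digit runs). The following is an added example, not part of the original session or the presenters' material, showing the core of such a filter: candidate SSNs are checked against the SSA's structural rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial), and candidate card numbers are checked with the Luhn algorithm before a message is blocked. The regular expressions, the sample messages and the "block"/"allow" verdicts are constructed for illustration; a production DLP product applies far more context than this.

```python
import re

# Candidate SSN in the delimited form ddd-dd-dddd or ddd dd dddd.
# Undelimited 9-digit runs are deliberately not matched here; they collide
# with too many account and ticket numbers (assumption for this example).
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Candidate card number (PAN): 13-19 digits, optionally separated by spaces
# or hyphens, bounded by non-digits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area never 000, 666 or 900-999;
    group never 00; serial never 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list[str]:
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_valid_ssn(*m.groups())]


def find_pans(text: str) -> list[str]:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def scan_message(body: str) -> tuple[str, dict[str, list[str]]]:
    """Return ("block" | "allow", findings) for one outbound message body."""
    findings = {"ssn": find_ssns(body), "pan": find_pans(body)}
    verdict = "block" if findings["ssn"] or findings["pan"] else "allow"
    return verdict, findings


# Constructed sample messages: the first is the Scenario 3 accident, the
# second is a benign message full of digit runs that naive filters block.
SAMPLE_MESSAGES = {
    "accidental_list": "FYI customer export: Jane Roe, 4111 1111 1111 1111, "
                       "SSN 123-45-6789; John Doe, 5500-0000-0000-0004",
    "benign_digits": "Call 555-123-4567 re ticket 000-12-3456, "
                     "PO 4111-1111-1111-1112 shipped 2024-01-15",
}


def triage(messages: dict[str, str]) -> dict[str, str]:
    """Verdict per message name; what a mail gateway would act on."""
    return {name: scan_message(body)[0] for name, body in messages.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        verdict, found = scan_message(body)
        print(f"{name}: {verdict} {found}")
```

The benign message is allowed because the phone number does not fit the 3-2-4 SSN shape, 000-12-3456 fails the area-number rule, and the PO number fails the Luhn check; the real card and SSN in the first message are caught. The structural and Luhn checks are what make the filter usable at all, and they are also why such a filter is a backstop rather than a substitute for restricting who can export card data in the first place.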

FINAL CHART HERE:

In addition to the scenarios and results, we created a self-audit guide for companies to audit their incident response plan for key elements and then run through these same scenarios with their teams.

While there are no “right” answers to the questions posed in the scenarios, it is reasonable to conclude that when over 80 percent of the votes went in a single direction, the answer may represent a best, or in any case, a common, practice.
