- Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
- An inside job. Employees (past or present) can commit data breaches. Or an innocent employee may be tricked by social engineering into revealing confidential information or granting access to it.
- Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
- Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.
Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines on which law enforcement agencies to contact for resolution, and a notification timeframe.
Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.
When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.
Also notify external entities in a timely fashion, such as law enforcement, a forensics investigator, consumers, the FTC and any affected vendors and suppliers.
- A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
- From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
- Getting upper management involved is critical for establishing a solid groundwork for security.
- Updates and re-evaluations should be carried out on an ongoing basis to stay on top of the latest trends in data breaches and security technologies.
- Training and practice of the company’s data breach response plan should also be ongoing.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.