A Month of Cyber Security Insights From Kroll’s Experts!

9/28/2011

When it comes to cyber security, what’s at the top of your list? Is it protecting against the threat of hackers? Ensuring that your mobile devices contain the most up-to-date security software or encryption technologies? Making sure you are prepared in the event of a data loss incident?

As the threat landscape continues to expand, it could be all of these, and more. Kroll’s work in all aspects of risk management – from physical and data security to forensics, data recovery and breach response – has provided our team with the experience and frontline knowledge that affords a great vantage point for conveying best practice information and insight.

Three Federal Breach Notice Bills Advance in Senate

9/28/2011

Last week, the Senate Judiciary Committee approved three bills that would establish a federal breach notification standard:

  • Data Breach Notification Act of 2011 (S 1408): Requires entities to notify individuals of a breach via mail, e-mail or telephone unless:
    • Entity immediately submits certification to US Secret Service that notice could damage national security or hinder a law enforcement investigation and Secret Service determines exemption is warranted; or
    • Without unreasonable delay and within 45 days of discovery, entity submits results of a risk assessment to Secret Service concluding there is no significant risk of harm to individuals and Secret Service determines the exemption is warranted.

Kroll Webinar, How to Avoid the Data Breach Hot Seat, coming October 12

9/14/2011

Make plans now to attend Kroll’s upcoming webinar, How to Avoid the Data Breach Hot Seat, scheduled for Wednesday, October 12 at 1:00 p.m. Central/2:00 p.m. Eastern. This is a free webinar and you can register as many representatives from your organization as you’d like. To register, please click here.

This webinar tackles the challenges specific to healthcare privacy, compliance and security officers, as well as IT professionals, legal counsel, and ultimately, C-suite officers. These include the evolution of cyber risk, recognizing the symptoms of an intrusion, looking beyond perimeter protection toward defense-in-depth, and determining steps to ensure effective incident management and response later.

States Continue to Amend Breach Notification Laws, most recently California and Illinois (part 2)

9/09/2011

California continues to tinker with its notification laws, and as mentioned in the first of this two-part series, these will be effective January 1, 2012. The California amendment requires that breach notification be written in plain language and contain:

  • Name & contact info of the data owner/licensor providing notice
  • Date of the notice
  • List of types of info believed breached
  • Toll-free telephone # and address for credit bureaus if breach exposed SSN, driver’s license or state ID #
  • If available at the time of notice, notice must also contain:
    • General description of breach incident;

States Continue to Amend Breach Notification Laws, most recently California and Illinois (part 1)

9/08/2011

States continue to individually fine-tune their breach notification laws, with California and Illinois each making changes effective January 1, 2012. The Illinois amendment adds requirements around what the notification to affected residents and owners or licensees of data must (and must not) contain. Specifically, notice to individuals must include:

  1. Toll-free numbers and addresses of credit bureaus;
  2. Toll-free number, address, and website address of FTC; and
  3. A statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Note that this does not include the number of Illinois residents affected by the breach.