<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kroll Fraud Solutions Blog - A Dialogue on Data Security</title>
	<atom:link href="http://www.krollfraudsolutionsblog.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.krollfraudsolutionsblog.com</link>
	<description>A Dialogue on Data Security</description>
	<lastBuildDate>Mon, 30 Jan 2012 23:08:47 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Regulatory Roundup, Part 4: EC Releases Final Draft of EU Data Protection Reforms</title>
		<link>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-4-ec-releases-final-draft-of-eu-data-protection-reforms/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-4-ec-releases-final-draft-of-eu-data-protection-reforms/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 23:08:47 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[EC reforms]]></category>
		<category><![CDATA[EU Data Protection]]></category>
		<category><![CDATA[EU Data Protection Directive]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=759</guid>
		<description><![CDATA[On January 25, 2012, the European Commission (EC) released its final draft of a regulation that would replace the current EU Data Protection Directive.  The regulation includes a data security section requiring organizations to implement appropriate technological and organizational measures to protect personal data.  Specific guidance on the type of measures and criteria for when [...]]]></description>
			<content:encoded><![CDATA[<p>On January 25, 2012, the European Commission (EC) <a href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm" target="_blank">released</a> its final draft of a regulation that would replace the current EU Data Protection Directive.  The regulation includes a data security section requiring organizations to implement appropriate technological and organizational measures to protect personal data.  Specific guidance on the type of measures and criteria for when these measures are appropriate is left to future delegated acts of the EC.  So it remains to be seen what type of data security requirements may be adopted for various industries and circumstances.</p>
<p>The regulation also expands data breach notice requirements to cover all industries rather than just telecoms and ISPs under the current Directive.  The breach notification requirements provide some detail, but still leave important points such as the format and methods of notice up to future acts.  The regulation requires notice of data breaches to the supervisory authority within 24 hours of an organization becoming aware of the breach, if feasible.  The supervisory authority is the Data Protection Authority (DPA) in the nation where the organization has its main establishment.  If notice to the DPA is later than 24 hours, the organization must provide a “reasoned justification” for the delay.  Notice to the DPA must:</p>
<ul>
<li>Describe the nature of the breach, including number and categories of personal data and individuals involved;</li>
<li>Provide the name and contact information of the data protection officer or other contact where more information can be obtained;</li>
<li>Recommend measures to mitigate potential adverse effects of the breach;</li>
<li>Describe the consequences of the breach; and</li>
<li>Describe the measures proposed or taken to address the breach.</li>
</ul>
<p>Notice to individuals is required when the breach “is likely to adversely affect the protection of the personal data or privacy of the data subject.”  The regulation does not provide guidance on how to apply this standard, but instead leaves that for future acts.  The format and method of notice are also to be determined in future acts, but the regulation specifies that notice to affected individuals must:</p>
<ul>
<li>Describe the breach;</li>
<li>Provide the name and contact information of the data protection officer or other contact where more information can be obtained; and</li>
<li>Recommend measures to mitigate potential adverse effects of the breach.</li>
</ul>
<p>Notice to individuals must be provided “without undue delay.”  However, notice is not required if the organization demonstrates to the satisfaction of the DPA that it applied technological measures rendering the data unintelligible to unauthorized individuals.   This again emphasizes the importance of encrypting personal data.</p>
<p>The regulation’s 24-hour notice requirement to DPAs is likely to be difficult for organizations to comply with.  The final draft added “if feasible,” which was absent from a prior version, reflecting the EC’s acknowledgement that in some cases this will not only be difficult, but impossible.   We’ve seen spirited debate among privacy professionals on whether the regulation will be passed as-is or softened significantly.  Any predictions?  We would love to hear them.</p>
<p>By <a href="../francesca-wolf/" target="_self">Francesca Wolf<span style="color: blue;"><br />
</span></a>Legal Counsel &amp; Compliance Officer</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-4-ec-releases-final-draft-of-eu-data-protection-reforms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulatory Roundup, Part 3: Proposed Canadian Breach Notice Requirements</title>
		<link>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-3-proposed-canadian-breach-notice-requirements/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-3-proposed-canadian-breach-notice-requirements/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 22:24:57 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Canadian breach notice]]></category>
		<category><![CDATA[international data privacy]]></category>
		<category><![CDATA[PIPEDA]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=755</guid>
		<description><![CDATA[The Canadian Parliament is again considering a requirement for organizations in Canada to notify individuals and the Office of the Privacy Commissioner of Canada in the event of a data breach.  Under proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations would be required to notify the Commissioner when there [...]]]></description>
			<content:encoded><![CDATA[<p>The Canadian Parliament is again considering a <a href="http://www.ic.gc.ca/eic/site/ic1.nsf/eng/06802.html" target="_blank">requirement</a> for organizations in Canada to notify individuals and the Office of the Privacy Commissioner of Canada in the event of a data breach.  Under proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations would be required to notify the Commissioner when there is a “material breach.”  The bill does not define this term, but states that relevant factors for consideration of whether a breach is material include:</p>
<ul>
<li>The sensitivity of the breached personal data;</li>
<li>The number of individuals affected by the breach; and</li>
<li>Whether the breach or pattern of breaches demonstrates a “systemic problem.”</li>
</ul>
<p>Notice to individuals would be required if it is “reasonable” under the circumstances to “believe that the breach creates a real risk of significant harm to the individual.”  Significant harm includes, but is not limited to, “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”  When determining whether there is a real risk of significant harm, organizations are instructed to consider the sensitivity of the personal information involved and the “probability that the information has been, is being, or will be misused.”</p>
<p>The bill requires that the notice to individuals contain sufficient information for individuals to understand the importance of the breach and take steps to protect themselves.  Additional content requirements are yet to be determined and may be imposed via regulations.  Unlike U.S. breach notice laws, the bill does not mandate particular methods of notice.  It simply requires that the notice be conspicuous and given directly to the individual if feasible to do so.  The timeframe for notice is “as soon as feasible” after a breach is confirmed and it is determined that notice is required.</p>
<p>It’s uncertain at this point whether the bill will gain traction. The same legislation was introduced last year, but failed to make it past a second reading. We will watch to see if this is finally the year for breach notice in Canada.</p>
<p>By <a href="../francesca-wolf/" target="_self">Francesca Wolf<span style="color: blue;"><br />
</span></a>Legal Counsel &amp; Compliance Officer</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-3-proposed-canadian-breach-notice-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulatory Roundup, Part 2: Anticipated Reform of EU Data Protection Directive</title>
		<link>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-2-anticipated-reform-of-eu-data-protection-directive/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-2-anticipated-reform-of-eu-data-protection-directive/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 16:47:04 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[EU Data Protection Directive]]></category>
		<category><![CDATA[international data privacy]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=752</guid>
		<description><![CDATA[In December, the much anticipated draft of recommended reforms to the EU Data Protection Directive was released into inter-service consultation. The draft came in the form of two documents outlining recommendations for proposed regulations, one covering government entities and the other covering private businesses.
The proposed regulations for private business would repeal the EU Data Protection [...]]]></description>
			<content:encoded><![CDATA[<p>In December, the much anticipated draft of recommended reforms to the <a href="http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf" target="_blank">EU Data Protection Directive</a> was released into inter-service consultation. The draft came in the form of two documents outlining recommendations for proposed regulations, one covering government entities and the other covering private businesses.</p>
<p>The proposed regulations for private business would repeal the EU Data Protection Directive and lay out requirements for the protection of personal information via the regulation. By using a regulation to mandate data protection standards, the EU avoids each nation having to enact its own law to put the standards into effect. This eliminates the variation that can occur from nation to nation and has caused headaches for multi-national companies under the existing directive.</p>
<p>The draft also included a general breach notification requirement, widening the scope that had previously applied to just internet service providers and telecommunications companies. Notice would be required when a breach adversely affects the personal data of an individual, particularly if it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. Notice to the Data Protection Authorities (DPAs) and to individuals would be required without undue delay, and as a rule, not later than 24 hours after the breach has been established.  The notice to DPAs and individuals must include:</p>
<ul>
<li>The nature of the breach, including the categories and number of individuals and data concerned;</li>
<li>Contact information where more information can be obtained; and</li>
<li>Recommended measures individuals can take to mitigate adverse effects of the breach.</li>
</ul>
<p>Notice to the DPAs must also describe the consequences of the breach and describe the measures proposed or taken by the data controller to address the breach. Specifics regarding the criteria for determining if personal information is “adversely affected,” acceptable methods of providing notice, or when a breach is considered “established” to trigger the 24 hour notice window are yet to be determined.</p>
<p>The draft contained several controversial provisions, including the “right to be forgotten” and stronger opt-in requirements. Items like these drew criticism from several Directorates-General, and it’s likely that significant changes will be made to the drafts before official release.</p>
<p>Let us hear from you – how would a breach notification requirement, such as the one included in this reform, affect your global operations?</p>
<p>By <a href="../francesca-wolf/" target="_self">Francesca Wolf<span style="color: blue;"><br />
</span></a>Legal Counsel &amp; Compliance Officer</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-2-anticipated-reform-of-eu-data-protection-directive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulatory Roundup, Part 1: Impact of SEC Cyber Security Disclosure Guidance</title>
		<link>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-1-impact-of-sec-cyber-security-disclosure-guidance/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-1-impact-of-sec-cyber-security-disclosure-guidance/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 19:17:58 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[Securities and Exchange Commission]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=744</guid>
		<description><![CDATA[While state data breach notice laws have been around for several years now, publicly traded companies are facing a new dimension to their cyber security obligations. Recent Securities and Exchange Commission (SEC) guidance specifically calls out cyber security risks and requires publicly traded companies to consider the risk of cyber incidents under their existing disclosure [...]]]></description>
			<content:encoded><![CDATA[<p>While state data breach notice laws have been around for several years now, publicly traded companies are facing a new dimension to their cyber security obligations. Recent <a title="SEC guidance on cyber security" href="http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm" target="_blank">Securities and Exchange Commission (SEC) guidance</a> specifically calls out cyber security risks and requires publicly traded companies to consider the risk of cyber incidents under their existing disclosure obligations. The guidance is not a binding regulation, but will likely be the standard by which the SEC and certainly plaintiff’s lawyers measure a company’s compliance.</p>
<p>In order to determine whether disclosure of cyber security risks is required, and be able to accurately quantify and describe the risks in a disclosure, companies must obviously understand the risks themselves. This requires a comprehensive risk assessment to determine what risks exist, how they affect the likelihood of a security incident, and how severe an impact they would have on the company’s operations, reputation, legal and compliance obligations, and overall financial performance. By identifying the risks, companies gain the opportunity to mitigate those risks and obtain a better disclosure position. This also reduces the likelihood of having a cyber incident and the resulting public relations nightmare that seems almost inevitable in this age of scrutiny.</p>
<p>Even with regular and robust risk assessments, it’s important to remember that hindsight is always 20/20, while foresight is fuzzy at best. It’s very difficult to quantify exactly how great a risk is and how likely it is to occur. Yet after a breach occurs, it seems clear the risk was material. Companies that do not disclose cyber risks face the threat of shareholder litigation for failure to disclose should the risk materialize. This will likely lead most publicly traded companies to include a statement about cyber risk, which is made all the more difficult by the SEC’s instruction to avoid generic “boilerplate.”</p>
<p>Many companies will also focus more intently on remediation, including post-breach assessments and regular penetration testing, should a cyber incident occur. The guidance requires publicly traded companies to disclose material cyber incidents the company has experienced, including a description of the costs and other consequences. Companies will be keen to demonstrate their responsible handling of these incidents and show what actions they have taken to mitigate future risk. The SEC’s guidance reaffirms the importance of understanding and addressing cyber security risks, but adds an additional compliance risk to the already complex cyber security realm for publicly traded companies.</p>
<p>Risk assessment is certainly a basic tenet at Kroll, and we’ve worked with clients across the globe that can attest to the benefits. Have you considered how a risk assessment before, or remediation and testing after an event, would strengthen your company’s defenses?</p>
<p>By <a href="../francesca-wolf/" target="_self">Francesca Wolf<span style="color: blue;"><br />
</span></a>Legal Counsel &amp; Compliance Officer</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2012/01/regulatory-roundup-part-1-impact-of-sec-cyber-security-disclosure-guidance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Start the New Year with Kroll’s Regulatory Roundup!</title>
		<link>http://www.krollfraudsolutionsblog.com/2012/01/start-the-new-year-with-kroll%e2%80%99s-regulatory-roundup/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2012/01/start-the-new-year-with-kroll%e2%80%99s-regulatory-roundup/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 23:27:44 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[security trends]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=742</guid>
		<description><![CDATA[It’s the start of a New Year, and time for Kroll to ask the perennial questions– what are your data security resolutions? Any plans to evaluate your security position? Put resources to risk management? Perhaps, like many organizations, you’re waiting to see how the compliance landscape shapes up for the coming year?
If you’ve got the [...]]]></description>
			<content:encoded><![CDATA[<p>It’s the start of a New Year, and time for Kroll to ask the perennial questions– what are your data security resolutions? Any plans to evaluate your security position? Put resources to risk management? Perhaps, like many organizations, you’re waiting to see how the compliance landscape shapes up for the coming year?</p>
<p>If you’ve got the last one in mind, you’re in luck. We’re devoting January to a rundown of some recent developments, proposals, and guidance that have been issued here and abroad. When we released our <a href="http://www.krollfraudsolutions.com/about-us/press-releases/kroll-announces-top-ten-cyber-security-trends-for-2012.aspx" target="_blank">2012 cyber security trends list</a> in December, we specifically mentioned the fact that we believe breach notification laws will be gaining traction globally, even if a federal law stalls here in the U.S.</p>
<p>To that end, this month we’ll be taking a look at recent SEC guidance here at home, as well as the proposal for amending the EU Data Protection Directive. There’s also the pending Canadian legislation to require notification should a breach occur. Kroll’s legal counsel and compliance officer, Francesca Wolf, Esq., will weigh in on each of these more closely, and we’ll provide you with updates on where they stand currently.</p>
<p>If 2011 is any kind of indicator, then we can probably expect significant changes in 2012. Stay tuned!</p>
<p>by the Kroll team</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2012/01/start-the-new-year-with-kroll%e2%80%99s-regulatory-roundup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vital To Survival? Young Workers’ Interconnectivity, Attitudes Towards Security May Prove Problematic for Global Corporations</title>
		<link>http://www.krollfraudsolutionsblog.com/2011/12/vital-to-survival-young-workers%e2%80%99-interconnectivity-attitudes-towards-security-may-prove-problematic-for-global-corporations/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2011/12/vital-to-survival-young-workers%e2%80%99-interconnectivity-attitudes-towards-security-may-prove-problematic-for-global-corporations/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 18:00:34 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[cyber security trends]]></category>
		<category><![CDATA[data security trends]]></category>
		<category><![CDATA[IT security policies]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=740</guid>
		<description><![CDATA[There’s a new report out by Cisco that sheds light on the increasing importance of connectivity in an already highly connected world, and also raises some disturbing security questions for business and consumers alike. The 2011 Cisco Connected World Technology Report reveals the internet as an integral part of respondents’ lives, ranking right up there [...]]]></description>
			<content:encoded><![CDATA[<p>There’s a new report out by Cisco that sheds light on the increasing importance of connectivity in an already highly connected world, and also raises some disturbing security questions for business and consumers alike. The <a href="http://www.cisco.com/en/US/netsol/ns1120/index.html?CAMPAIGN=ccwtr&amp;COUNTRY_SITE=us&amp;POSITION=newsletter&amp;REFERRING_SITE=cisco+newsroom&amp;CREATIVE=newsletter">2011 Cisco Connected World Technology Report</a> reveals the internet as an integral part of respondents’ lives, ranking right up there with such basic needs as food and shelter.</p>
<p>To get a proper perspective on the ramifications of this study, it’s important to know the demographic of respondents to the online survey – half (1,441) were college students ages 18-24, while the other half (1,412) were end users who met certain criteria: all were college graduates or higher, employed full-time in a non-IT role in an organization with 10 or more employees worldwide. Market research and non-profit organizations were excluded.</p>
<p>In short, the respondents in the survey were representative of the fresh crop of employees organizations are beginning to hire. The findings reveal a picture that many employers may find surprising and, perhaps, a little unsettling:</p>
<ul>
<li>33 percent of all respondents believed that the Internet is a “fundamental resource for the human race – as important as air, water, food and shelter.”</li>
<li>Seven out of ten end users (employees) admitted to regularly disobeying IT security policies – and one third of them indicated they did not believe they were doing anything wrong.</li>
<li>Three out of five said they do not believe they are responsible for protecting corporate information and devices. Interestingly, respondents in countries like France and Japan, who highly indicated lack of responsibility, also highly indicated their remote access policies were restrictive and they did not believe they would ever be allowed to access corporate information remotely.</li>
<li>52 percent of all respondents said that service providers and IT are responsible for securing work devices and data, not them.</li>
<li>37 percent of end users indicate they either store a password on the device itself, in a computer document, or on a sticky note near the computer.</li>
</ul>
<p>It is easy to see where the values and perspectives of these young workers might clash with that of more experienced generations, who are less inclined to view technology with the same fervor. But this is perhaps the least worrisome aspect for global organizations hoping to shoehorn these worker expectations and behaviors into a set of increasingly outdated technology policies and business models. Kroll recently noted in its <a href="http://www.krollfraudsolutions.com/about-us/press-releases/kroll-announces-top-ten-cyber-security-trends-for-2012.aspx">cyber security trends list for 2012</a> a whole host of issues – including cloud security, social media as a conduit for social engineering, and mobile device security threats – that will consistently clash with the needs and expectations of young employees entering the workforce. Organizations will be under more pressure than ever to perform a precarious balancing act between security needs, employee expectations, productivity essentials, and regulatory requirements.</p>
<p>How is your organization handling the shifting sands of technology integration and security?</p>
<p>by the Kroll team</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2011/12/vital-to-survival-young-workers%e2%80%99-interconnectivity-attitudes-towards-security-may-prove-problematic-for-global-corporations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keep Your Information Safe This Holiday Season With These Tips from Kroll Investigators</title>
		<link>http://www.krollfraudsolutionsblog.com/2011/12/keep-your-information-safe-this-holiday-season-with-these-tips-from-kroll-investigators/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2011/12/keep-your-information-safe-this-holiday-season-with-these-tips-from-kroll-investigators/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 00:09:08 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Consumer ID Security]]></category>
		<category><![CDATA[holiday scams]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=738</guid>
		<description><![CDATA[The holidays are all about tradition – and one of our favorite traditions at Kroll is our yearly offering of tips and techniques that any individual concerned about identity theft can use to keep their sensitive personal identifiers safe during the holiday season. For better or worse, this time of year presents a prime opportunity [...]]]></description>
			<content:encoded><![CDATA[<p>The holidays are all about tradition – and one of our favorite traditions at Kroll is our yearly offering of tips and techniques that any individual concerned about identity theft can use to keep their sensitive personal identifiers safe during the holiday season. For better or worse, this time of year presents a prime opportunity for thieves.</p>
<p>Kroll’s Licensed Investigators, who have collectively worked with thousands of consumers to keep their identities safe, compiled the following list of tips to help you keep your sensitive information safe.</p>
<p><strong>Practice safe shopping in stores</strong></p>
<ul>
<li>Before you hit the stores, remove unnecessary but key identity components (i.e., Social Security card) from your purse/wallet. Make a list of what remains so you’ll know what is missing if your purse/wallet is lost or stolen.</li>
</ul>
<p><strong>Practice safe shopping online</strong></p>
<ul>
<li>Never use a public computer (like those found at the library) or free—yet unsecured—wi-fi to perform online financial transactions. A public computer might contain information-stealing malware, and thieves can steal data via unsecured wireless connections.</li>
<li>Keep your own computer’s security software up-to-date, and run scans as recommended. Also, practice smart shopping by visiting reputable sites.</li>
<li>Keep a record of all your online transactions. Then, check your payment account to verify that only the transactions you authorized were registered. If you see any unauthorized transactions, dispute them with your financial institution immediately.</li>
</ul>
<p><strong>Think before mailing holiday cards</strong></p>
<ul>
<li>E-cards are convenient and fun, but beware: disreputable e-card websites may load malware on your computer and may send it along to all of your recipients. If you’re receiving the cards, watch for cards that arrive with an attachment, particularly an executable (.exe) file, and delete those.</li>
<li>Snail mail is still a popular way to send greetings and gift cards or checks. If you send a check, use a dark, pigmented ink that can’t be easily “washed” so the thief won’t be able to rewrite the check.</li>
<li>Never leave mail with sensitive information in an unlocked mailbox—mail it from an official USPS mail drop box. Consider purchasing a locking mailbox to help secure mail delivered to your home.</li>
</ul>
<p><strong>Protect yourself and your guests at home for the holidays</strong></p>
<ul>
<li>Secure any documentation in your home that may contain sensitive information (bank statements, checkbooks, credit cards, Social Security cards, etc.). Keep these items in an area that will be inaccessible to guests. For your guests, assign a safe area to keep purses and other personal items. Make sure only one person is allowed to collect and retrieve these items.</li>
</ul>
<p><strong>Protect personal information while traveling</strong></p>
<ul>
<li>Never leave sensitive information in your hotel room or car. Consult hotel management to arrange for storage of important items (a laptop, for example) in a centralized safe or secure holding area.</li>
<li>Beware of pretexting calls while staying at a hotel. This is a scam in which the caller claims to be a front desk employee and asks for your payment information. The front desk already has this information on file and has no need to call you for it.</li>
</ul>
<p>by the Kroll team</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2011/12/keep-your-information-safe-this-holiday-season-with-these-tips-from-kroll-investigators/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale of Two Retailers: Ignoring a potential risk can be a bigger problem than the risk itself</title>
		<link>http://www.krollfraudsolutionsblog.com/2011/12/a-tale-of-two-retailers-ignoring-a-potential-risk-can-be-a-bigger-problem-than-the-risk-itself/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2011/12/a-tale-of-two-retailers-ignoring-a-potential-risk-can-be-a-bigger-problem-than-the-risk-itself/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 16:06:44 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Data Security Resources]]></category>
		<category><![CDATA[Identity & Data Theft Crime]]></category>
		<category><![CDATA[case studies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[legacy systems]]></category>
		<category><![CDATA[retail data security]]></category>
		<category><![CDATA[SQL injection]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=734</guid>
		<description><![CDATA[The holiday shopping season is in full swing, and this time of year always fuels interest in the latest cyber security threats that are affecting retail and associated industries. With that in mind, Kroll’s upcoming newsletter will feature tips and threat information that’s essential this holiday season. Of course, sometimes it’s not the latest and [...]]]></description>
			<content:encoded><![CDATA[<p>The holiday shopping season is in full swing, and this time of year always fuels interest in the latest cyber security threats that are affecting retail and associated industries. With that in mind, Kroll’s upcoming <a href="http://www.krollfraudsolutions.com/contact-us/newsletter-subscription/">newsletter</a> will feature tips and threat information that’s essential this holiday season. Of course, sometimes it’s not the latest and greatest risk or new technologies that companies have to worry about – and as the following case studies illustrate, retailers would do well to brush up on history.</p>
<p>We asked Alan Brill, senior director of the Cyber Security and Information Assurance division of Kroll, to discuss two recent cases where retail clients had experienced extremely similar attacks. There were several parallels between the cases: both were classic SQL injection attacks, both affected legacy systems within the organization, both went unnoticed by staff and, unfortunately, both were entirely preventable.</p>
<p>In each instance, the system attacked had been identified as having reached end of life and was scheduled to be replaced with a more modern system. However, due to economic concerns, a decision was made at each company to delay replacement. As a result, the systems were dropped from the update schedule while remaining in production.</p>
<p>Brill notes that the problem with this decision was that “even though these systems contained security developments appropriate for the time when they were installed, the type of threat that was faced really wasn’t out there when these systems were written – the vulnerabilities that were exploited weren’t recognized until recently. So it evolved into a system that wasn’t secure without anything actually changing.”</p>
<p>In both cases, the vulnerability wasn’t discovered until the respective companies began receiving phone calls from customers whose accounts had experienced suspicious activity. “It became evident that if they had put in a filter which would have seen the SQL code and killed it, it wouldn’t have happened. Those filters are available in open source software that’s absolutely free,” commented Brill.</p>
<p>To remediate, the companies took slightly different approaches – one installed the filter and made changes necessary to continue using the system, while the other replaced its system altogether and removed all sensitive information from the database. “This was a fairly simple situation, but the real problem was that they never even thought about fixing it,” said Brill.</p>
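<p>As an added illustration (not code from the Kroll cases or from either retailer's system), the Python below uses the standard-library <code>sqlite3</code> module and a constructed <code>customers</code> table to show the three pieces of this story side by side: the legacy query that splices request input into SQL text, the parameterized query that fixes it, and a small request filter of the kind Brill describes. The filter patterns and the sample e-mail addresses are illustrative assumptions. The demo also shows why the filter is a stopgap: a payload written without the characters the filter looks for goes straight through to the unchanged legacy code, which is why the retailer that kept its system behind a filter still had work to do.</p>

```python
import re
import sqlite3

# Constructed sample table for the demo; not data from the cases described above.
SAMPLE_ROWS = [
    ("alice@example.com", "1111"),
    ("bob@example.com", "2222"),
    ("carol@example.com", "3333"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    # The legacy pattern: the request value is spliced into the SQL text, so a quote
    # in the input ends the string literal and the rest of the input is parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # The real fix: the value travels separately from the statement, so it is only
    # ever compared against the column and is never parsed as SQL.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# A request filter of the kind the post refers to: reject inputs that look like SQL.
# These patterns are illustrative assumptions, not a complete signature set.
INJECTION_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+.+=", re.I),     # e.g. ' OR '1'='1
    re.compile(r"(--|/\*|;)"),                    # comment and statement terminators
    re.compile(r"\bunion\b.*\bselect\b", re.I),   # UNION SELECT data extraction
]


def looks_like_injection(value):
    return any(p.search(value) for p in INJECTION_PATTERNS)


def lookup_filtered(conn, email):
    # The legacy code left in place behind a filter, as one of the two retailers did.
    if looks_like_injection(email):
        raise ValueError("request rejected by input filter")
    return lookup_vulnerable(conn, email)


def demo():
    conn = make_db()
    classic = "' OR '1'='1"
    # Same effect, written without '=' or comment markers, so the filter above passes it.
    variant = "' OR '1' LIKE '1"
    try:
        lookup_filtered(conn, classic)
        filtered_classic = "passed"
    except ValueError:
        filtered_classic = "blocked"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, classic)),        # 3: every customer
        "parameterized_rows": len(lookup_parameterized(conn, classic)),  # 0: treated as data
        "legit_rows": lookup_parameterized(conn, "alice@example.com"),
        "filtered_classic": filtered_classic,                            # "blocked"
        "filtered_variant_rows": len(lookup_filtered(conn, variant)),    # 3: filter bypassed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Run it and the vulnerable lookup returns every row for the classic payload while the parameterized lookup returns none; the filter blocks the classic payload but passes the <code>LIKE</code> variant, which then pulls every row through the untouched legacy query. A filter buys time to schedule the real fix; it is not the fix.</p>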
<p>“The takeaway from all of this is: Just because the system is secure today, that does not provide assurance that the same system will be secure tomorrow,” Brill explained. “You must have a schedule to assess all active systems – including those that are going to be replaced.”</p>
<p>How is your company keeping its systems up to speed – do you know if your legacy systems are at risk?</p>
<p>By the Kroll Team</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2011/12/a-tale-of-two-retailers-ignoring-a-potential-risk-can-be-a-bigger-problem-than-the-risk-itself/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When it comes to new technologies, failure to anticipate privacy issues can have significant consequences</title>
		<link>http://www.krollfraudsolutionsblog.com/2011/12/when-it-comes-to-new-technologies-failure-to-anticipate-privacy-issues-can-have-significant-consequences/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2011/12/when-it-comes-to-new-technologies-failure-to-anticipate-privacy-issues-can-have-significant-consequences/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 20:25:11 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Consumer ID Security]]></category>
		<category><![CDATA[Data Security Industry]]></category>
		<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Mobile Data Security]]></category>
		<category><![CDATA[data analytics]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[geolocation]]></category>
		<category><![CDATA[mobile device security]]></category>
		<category><![CDATA[opt-out services]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=731</guid>
		<description><![CDATA[In the past couple of days, there’s been a story out in the media about a handful of shopping malls testing a technology that reads unique serial numbers from mall visitors’ cell phones and tracks their movements. Want to know how many visitors shop in Store A and then go to Store B? Or how [...]]]></description>
			<content:encoded><![CDATA[<p>In the past couple of days, there’s been a <a href="http://money.cnn.com/2011/11/22/technology/malls_track_cell_phones_black_friday/index.htm">story</a> out in the media about a handful of shopping malls testing a technology that reads unique serial numbers from mall visitors’ cell phones and tracks their movements. Want to know how many visitors shop in Store A and then go to Store B? Or how many people who have lunch in the food court aren’t shopping anywhere else in the mall? The system can tell you that, too.</p>
<p>The developers point out that they aren’t collecting anyone’s mobile phone number, and the system doesn’t take pictures, so it isn’t a privacy issue. And, if someone sees one of the small signs announcing that the system is in use, they can “opt-out” by shutting off the phone.</p>
<p>Within hours of the announcement of the system, there was a hue and cry about privacy, reaching all the way to Washington, where Sen. Charles E. Schumer <a href="http://www.schumer.senate.gov/record.cfm?id=334975&amp;">called</a> for the system to be opt-in. Consequently, the two malls quickly ended their tests.</p>
<p>This seems to me another example of fielding a technology without giving consideration to what is known as the “law of unintended consequences.” I can understand the desire for a mall and merchants to better understand the movement of customers. But I have to admit that I was surprised that the company making the system and the malls using it felt that saying “we only collect the unique identifier, and we encrypt it” was going to deflect all criticism. Privacy is an area of concern not only in the U.S. but globally &#8212; particularly in the European Union, where this technology originated.</p>
<p>Could the vendors have done more to ensure privacy? I haven’t reviewed the technology in detail, but there were probably some technical options that could have been (and may have been) considered. For example, taking the unique phone ID and running it through a keyed one-way hash would still give a unique code for movement analysis, but would never record the actual phone ID, making it less likely that a code could be linked back to a person’s mobile phone. Changing the key every day would prevent using history records to track multiple visits across time.</p>
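<p>As an added example, not code from the vendor or the malls in the story, the Python below shows what that design looks like in practice. It interprets “one-way” as HMAC-SHA256 and “changing the algorithm every day” as rotating the secret key each day; the four-digit handset identifiers are constructed for the demo and stand in for whatever serial number the real system reads. It also shows why the key matters: an unkeyed hash of an identifier drawn from a small, known space is reversed in milliseconds by hashing every candidate, so “we hash it” on its own is not the privacy protection it sounds like.</p>

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed handset identifiers for the demo (not real device serial numbers).
# A deliberately small space, to make the enumeration attack below obvious.
ID_SPACE = [f"{n:04d}" for n in range(10_000)]


class VisitorPseudonymizer:
    """Replace a raw handset identifier with a per-day pseudonym.

    pseudonym = HMAC-SHA256(key_for_day, raw_id). Within one day the same handset
    always maps to the same code, so store-to-store movement can still be counted;
    across days the key differs, so codes cannot be joined into a visit history.
    The raw identifier itself is never stored.
    """

    def __init__(self):
        self._keys = {}

    def _key_for(self, day):
        # A fresh 256-bit random key per day, generated the first time the day is seen.
        if day not in self._keys:
            self._keys[day] = secrets.token_bytes(32)
        return self._keys[day]

    def pseudonym(self, raw_id, day):
        return hmac.new(self._key_for(day), raw_id.encode(), hashlib.sha256).hexdigest()

    def retire(self, day):
        # Discarding the key makes that day's pseudonyms unlinkable even to the operator.
        self._keys.pop(day, None)

    def has_key(self, day):
        return day in self._keys


def unkeyed_hash(raw_id):
    # What "we just hash it" gives: deterministic and keyless, so anyone who knows
    # the identifier space can reverse it by enumeration.
    return hashlib.sha256(raw_id.encode()).hexdigest()


def recover_by_enumeration(target, id_space, key=None):
    """Reverse a hashed identifier by trying every candidate in the ID space.

    With key=None this attacks the unkeyed hash. With a key it models an attacker
    guessing the key: without the real daily key, no candidate will match.
    """
    for cand in id_space:
        if key is None:
            digest = unkeyed_hash(cand)
        else:
            digest = hmac.new(key, cand.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest, target):
            return cand
    return None


def demo():
    p = VisitorPseudonymizer()
    friday, saturday = date(2011, 11, 25), date(2011, 11, 26)
    handset = "4242"

    same_day_links = p.pseudonym(handset, friday) == p.pseudonym(handset, friday)
    cross_day_links = p.pseudonym(handset, friday) == p.pseudonym(handset, saturday)

    plain_recovered = recover_by_enumeration(unkeyed_hash(handset), ID_SPACE)
    attacker_guess = secrets.token_bytes(32)  # attacker does not hold the day's key
    keyed_recovered = recover_by_enumeration(p.pseudonym(handset, friday), ID_SPACE, attacker_guess)

    p.retire(friday)
    return {
        "same_day_links": same_day_links,            # True: movement analysis still works
        "cross_day_links": cross_day_links,          # False: no visit history across days
        "plain_hash_recovered": plain_recovered,     # "4242": unkeyed hash reversed
        "keyed_recovered_without_key": keyed_recovered,  # None
        "friday_key_retained": p.has_key(friday),    # False after retire()
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Two caveats a practitioner would add. Rotation only prevents cross-day tracking if the previous day’s key is actually discarded (the <code>retire</code> call above) and the raw identifier is never written to a log anywhere upstream. And none of this changes how the system is perceived, which is the problem the rest of this post is about.</p>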
<p>But the real myopia was, I think, in believing (perhaps hoping) that no one would notice, or if they did, no one would care. As one of my friends pointed out, the average shopper doesn’t care about technology details. Whether the phone codes are encrypted or converted to indecipherable codes, the system in most people’s minds is simple – they’re recording information from my cell phone and tracking me as I move around the mall.</p>
<p>As complex as these systems may be, and as powerful a tool as the analytic output may be, there is a simple lesson. Systems can have privacy implications that were never intended by the developers but which are very real. Technology can only go so far in addressing fears, so taking the time and the effort to understand how a new system will be perceived is vital.</p>
<p>Without that understanding, you can expect the strong reactions that we saw to this news story. Sometimes it takes an outside, independent viewpoint to play devil’s advocate, particularly where those in an organization are very involved with a new technology. Playing that role may not be popular with the developers, but in today’s world, it is vital that someone play it, and that their critiques be carefully considered in determining how – or if – the technology should be used.</p>
<p>Alan E. Brill, CISSP, CFE, CIPP</p>
<p>Senior Managing Director</p>
<p>Computer Forensics &amp; Secure Information Services Practice</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2011/12/when-it-comes-to-new-technologies-failure-to-anticipate-privacy-issues-can-have-significant-consequences/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Case Opens the Door for Data Breach Class Actions</title>
		<link>http://www.krollfraudsolutionsblog.com/2011/11/recent-case-opens-the-door-for-data-breach-class-actions/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2011/11/recent-case-opens-the-door-for-data-breach-class-actions/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 22:42:22 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Industry]]></category>
		<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[data breach class action]]></category>
		<category><![CDATA[data breach lawsuit]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=729</guid>
		<description><![CDATA[Over the years, most class actions around data breaches have been unsuccessful due to the lack of concrete economic damages. Courts have held that damages such as the cost of credit monitoring, identity theft insurance, replacement credit and debit cards, and time and effort spent remediating identity theft issues are not compensable damages. This results [...]]]></description>
			<content:encoded><![CDATA[<p>Over the years, most class actions around data breaches have been unsuccessful due to the lack of concrete economic damages. Courts have held that damages such as the cost of credit monitoring, identity theft insurance, replacement credit and debit cards, and time and effort spent remediating identity theft issues are not compensable damages. This results in most class actions being dismissed without a trial. However, a recent First Circuit decision provides ammunition to plaintiffs seeking class action relief where at least some of the plaintiffs have experienced unauthorized charges. </p>
<p>The case, <a href="http://www.ca1.uscourts.gov/pdf.opinions/10-2384P-01A.pdf"><em>Anderson v. Hannaford Bros. Co.</em> (2011 U.S. App. LEXIS 21239),</a> involved a sophisticated data breach targeting credit and debit card numbers, expiration dates, and security codes (possibly PINs or three-digit card verification codes) of over 4.2 million customers of Hannaford Brothers’ grocery chains. The thieves used the data to make over 1,800 fraudulent charges. While many banks and card issuers distributed new cards upon learning of the breach, some plaintiffs incurred charges when requesting a new card and some plaintiffs purchased credit monitoring and identity theft insurance to protect themselves from the risk of unauthorized charges. The court held that these costs were reasonable and recoverable mitigation costs in these circumstances. It noted that the case involved a large-scale criminal operation by sophisticated thieves intending to use the information to their financial advantage. Moreover, over 1,800 fraudulent charges had been identified by the time plaintiffs were notified of the breach, so there was a real, rather than merely hypothetical, risk of harm to card owners.</p>
<p>The court took care to distinguish the case from those where no actual misuse of information occurred and the data was not known to be accessed by someone with malicious intent. Thus, a lost laptop with no resulting identity theft or fraud would not meet the court’s standard for recoverable damages to affected individuals. The court also noted that “where neither the plaintiff nor those similarly situated have experienced fraudulent charges resulting from a theft or loss of data, the purchase of credit monitoring services may be unreasonable and not recoverable.” </p>
<p>Unauthorized charges or at least a very real risk of such charges therefore appear to be a key element for class actions to survive a motion to dismiss. While the First Circuit case was decided under Maine law and is not binding precedent in other jurisdictions, it’s likely to have influence on other courts considering the issue. Plaintiff’s counsel will certainly cite the case and may be more likely to bring class action claims where at least some identity theft or fraud resulted from the data breach.  </p>
<p>By <a href="http://www.krollfraudsolutionsblog.com/francesca-wolf/" target="_self">Francesca Wolf</a><br />
Legal Counsel &amp; Compliance Officer</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2011/11/recent-case-opens-the-door-for-data-breach-class-actions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

