The Current Approach to Data Handling Isn’t Working – The Equifax Breach Illustrates Why

Are you from the United States or Canada? If so, there is a big chance you had sensitive personal information stolen in the biggest data breach of the summer. Equifax, a major consumer credit agency in North America, experienced a data breach resulting in the loss of the personal information of over 140 million individuals, which puts its victims at increased risk of identity theft and other forms of fraud. The Equifax breach is on a massive scale, but it is only the latest in a very long list of reported data breaches in recent years. According to Gemalto, over nine billion individual records have been lost or stolen in reported data breaches since 2013 – and the vast majority of breaches go unreported. Data handlers of all types continue to act irresponsibly, failing to protect the data of their users or to even attempt to apply basic data protection procedures.

How data handlers protect the privacy of user data isn’t working.

The dominant approach to data handling, based around the concepts of risk and compliance, is over 35 years old. With this approach, data handlers try to adhere to regulatory requirements and minimize the risk to themselves – not necessarily to the individuals whose data they handle. For some data handlers, the risk that poor security creates may not extend to them. Instead, it may seem riskier to spend resources on data security that could be used elsewhere in the business. After all, if a data breach does occur, how much of its cost is going to fall on the data handler? Research shows that the vast majority of the costs will fall on someone else, most often those whose data was lost or stolen.

Victims of the Equifax breach face a long and costly process ahead of them. In their analysis of a similar data breach in 2015, Javelin Strategy & Research estimated that each incident of identity theft resulted in approximately $3,300 in losses for victims, $770 in legal fees, and 20 hours spent trying to fix the problem. Victims, after spending time and money to mitigate the impact of the breach, then must spend more time and money fighting for fair compensation.

Known vulnerabilities are one of the main causes of data breaches. If reports are correct, the Equifax breach was caused by a known and patchable vulnerability in third-party software. Timely patching of known vulnerabilities is critical. As long as they remain unpatched, users’ data is at increased risk of being stolen or lost. If a breach does occur, a data handler can help mitigate its impact by notifying the individuals impacted by the breach in an efficient and responsible manner, allowing them to take precautions.

If we want devastating data breaches like the Equifax breach to stop, the dominant approach for data handling must change.

The Internet Society would like to see organizations like Equifax shift to an ethical data handling approach that includes effective data security. Ethical data handling is about establishing a set of principles that a data handler can affirm, that go beyond what is strictly required for legal or regulatory compliance, and which more fairly represent the balance of interests between the data handler and the data subject. In many ways, the principles are an undertaking by the data handler that there are some things they “could” do (both legally and practically) with your data, but voluntarily commit not to do them. It’s also a commitment to do more than the bare minimum to safeguard personal data.

In practice, this means that rather than only asking, “how much will this cost me” data handlers should ask themselves the following:

  • Does this use of data genuinely reflect the interests of the data subject as well as the interests of the organization?
  • Is there transparency and accountability in its collection, sharing, and use?
  • Would this use of data come as a surprise or a shock to the individual concerned?
  • When the organization faces a choice about what to do with data, which option represents the greatest fairness, transparency, and accountability?
  • What obligations do we have with regard to protecting this data, and how effectively are we meeting them?

If data handlers do not start asking themselves these questions, we, the consumers, or our governments, will.

See the Online Trust Alliance’s guide on Cyber Incidents & Breach Response.

The post The Current Approach to Data Handling Isn’t Working – The Equifax Breach Illustrates Why appeared first on Internet Society.


5 key steps you need to take if you have a data breach


In the wake of the recent OneLogin data breach, it becomes evident that no one is safe in the cyber world. All companies are susceptible to attacks and should be prepared to react in case of a sensitive data breach. Have you ever paused to consider what you would do if your company became a target? If you haven’t, this post is for you.

Below you will find five steps you can take to secure your business after you discover a breach. After all, it is in everyone’s interest to move through the process swiftly and thoroughly to restore your operations and bring back a sense of trust between you and your clients.

Step #1: Round up your team

A data breach is a serious matter, and its effective resolution will hinge on the quality of the team of experts you assemble to address the problem. The composition of that team will depend on the size and nature of your business. In most cases, the people who will need to be brought into the fold will include management, IT and legal. It is also a good idea to talk to those who discovered the breach.


If your company is larger and the breach extensive, it is wise to include in your strategic discussions information security, human resources, communications, investor relations, and operations. You may also look into bringing forensic investigators on board to help trace the breach to its source, assess its scope and assist you in forging a remediation plan.

Forensic experts supply knowledge of what evidence to collect and how to interpret it. Furthermore, they can be helpful in outlining remediation steps to bring your business back online. In the event of privacy exposure, consider hiring outside legal counsel to advise you on the type of laws implicated in the breach.

Step #2: Boost your security

To avoid facing multiple compromises, it is critical that you act quickly and secure all your systems. This may include changing access codes and even a physical lock-up. For machines that are online, it’s best to unplug them from the network but not shut them down, so that forensic experts can trace the history of what happened from the volatile state still held in memory. Be sure to instruct your team not to damage any forensic evidence in their post-compromise activity.

It is critical that your employees change their administrative credentials as soon as the breach is discovered. This will prevent any hacker who has gained access to such credentials from having unimpeded access to your data. If you need to access the web, consider using uncontaminated machines. Make sure your IT team is closely monitoring the ingress and egress points, especially those implicated in the breach.

Have your team investigate any inappropriate postings of stolen data on your own as well as other public websites and request their removal. Contact search engines to ensure that they don’t archive personal information posted in error. Also, determine exactly what kind of data was compromised and how many individuals were affected, and have their contact information ready.

Step #3: Develop a communications plan

Being upfront with your employees and customers can save you much time, money and headaches in the long run. To be most effective, your communication plan should address all implicated parties: customers, employees, investors, and business partners. Avoid being misleading in your communication and withholding details that could help people better protect themselves.

If the breach compromised the privacy and security of individuals, bringing media into the fold via a public relations campaign could help you reach the people whose contact information you lack. For all others, set up a communication channel, such as a website or a toll-free number, to keep them informed of the case.

When speaking publicly about the breach, aim to address common questions in plain language while avoiding sharing information that could put people at risk. Have a trained communications team in place, designated as the point of contact, to help disseminate information about the event.

Step #4: Reach out to all relevant parties

To minimize the risk of identity theft, it is wise to notify your local police, or even the FBI, immediately after you discover the breach. Depending on your legal requirements, you may also need to contact specific government branches. Do your research to find out exactly what you are required to disclose. The type of data stolen, financial versus health for example, may require you to take additional steps, such as notifying the FTC.


If the breach affected other businesses you are partnering with, be sure to let them know as soon as possible. To prevent access to financial information that you do not store on your machines, contact banking and credit institutions to make them aware of what has happened and allow them to monitor their systems. If the theft included Social Security numbers, major credit bureaus, such as Equifax and Experian, can be of assistance.

To help individuals reduce risk, notify them as soon as you’re able so that they can take steps to prevent identity theft. Educate them on what they can do if their sensitive data was exposed. As a make-good, you may consider offering your clients a free monitoring or identity restoration service. Work with law enforcement and your investigative team to determine what information to disclose and when.

Step #5: Don’t let it happen again

Data breaches expose system vulnerabilities. Therefore, before closing the case it is imperative to know which areas of the system need additional bolstering and which precautions need to be taken to prevent a future breach. A careful review and analysis of logs and history should reveal the blind spots. You may also limit the access of certain individuals to sensitive data, and take a look at the encryption and network segmentation meant to prevent an infection from spreading to multiple servers.

Most importantly, make sure to choose the most appropriate hosting solution for your data. If cyber security isn’t your company’s expertise, you may want to work with an expert provider whose job is to ensure the safety of your data. Since cyber attacks will only become more sophisticated over time, do your research and select an organization that has taken extra steps to fortify its security with the best tools.

The post 5 key steps you need to take if you have a data breach appeared first on ReadWrite.


Half of US firms on IoT network say they have experienced a security breach

Nearly half of US firms using an Internet of Things (IoT) network have been hit by a recent security breach, according to a study from strategy consulting provider Altman Vilandrie & Company.

The research, conducted in April 2017, evaluated about 400 IT executives across 19 industries that have purchased some form of IoT security solution and found that 48% of the firms have experienced at least one security breach.

The cost of the breaches amounted to 13.4% of total revenues for companies with annual revenues of less than $5 million. For firms with annual revenues above $2 billion, the estimated potential cost of one IoT breach stood at more than $20 million.

The survey also noted that companies that had not experienced a security breach had invested 65% more in IoT security. Provider reputation and product quality were of higher importance when choosing these security solutions. Of the participants, 68% considered IoT a distinct category, but only 43% had a dedicated budget for it. IoT security decisions were found to be centralised organisation-wide in 74% of the firms, in spite of separate business units having different needs. After “preventing loss of control over IoT devices”, traditional cybersecurity concerns such as “preventing breaches of customer information” and “preventing breaches of company data” were ranked as the next most important reasons to adopt IoT security.

Elsewhere, the Ponemon Institute surveyed 553 individuals across various industry sectors and reported a general lack of oversight in IoT security implementation, as well as a lack of preparedness and inter-departmental communication, even among those companies that had a considerable amount to lose from an IoT failure. As per the findings, there was a gap in understanding how to mitigate the security risks, especially those related to third parties. It noted a dependence on legacy technologies and governance practices to address potential threats.