Identity Theft & Data Security Concerns: Are You Meeting Your Obligations to Protect Customer Information?

Finance & Administration Roundtable, February 28, 2007
Claudia Volk, Principal, CJVolk Associates & Carol Van Cleef, Partner, Bryan Cave, PC
PowerPoint PPT presentation, 22 slides

TRANSCRIPT

Page 1: Identity Theft & Data Security Concerns: Are You Meeting Your Obligations to Protect Customer Information?

Finance & Administration Roundtable
February 28, 2007

Claudia Volk, Principal, CJVolk Associates
&
Carol Van Cleef, Partner, Bryan Cave, PC

Page 2: Agenda

- Background: Current Events
- Disposal Rule of the Fair and Accurate Credit Transactions Act
- Payment Card Industry Data Security Standard

Page 3: Scope of the Problem

- 10 million people each year are victims of identity theft
- Mean fraud loss per victim in 2005 was $6,383
- Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft
- Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005

Source: Javelin Strategy & Research

Page 4: Pervasiveness

- Changing methods to penetrate data security
- The threat within
  - McAfee analysis
  - Planted employees to engage in identity theft and money laundering
  - Avoid assumptions about the trusted employee

Page 5: The Disposal Rule

- Protect the privacy of the consumer's information
- Reduce risk and fraud of identity theft
- Applies to any business or individual using consumer reports for business purposes
- Federal Trade Commission (June 1, 2005)
- State laws may apply

Page 6: The Disposal Rule

The FACT Act requires that:

  Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, properly dispose of any such information or compilation.

The Federal Trade Commission Rule:

  Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of information in connection with its disposal.

Page 7: The Disposal Rule

- Flexible: reasonable measures based on
  - Sensitivity of data
  - Costs and benefits of different methods
  - Changes in technology
- Consumer reports and any personal and financial information
- No de minimis exception
- Actual, statutory and punitive damages, plus attorney's fees and civil money penalties

Page 8: Key Terms

Consumer Information
- Any record about an individual
- Consumer report or derived from a consumer report
- Information obtained from a consumer reporting company
- Used or expected to be used in establishing eligibility for credit, insurance, and employment
- Paper, electronic or other form
- Compilation of such records
- Not included: aggregate information or blind data

Page 9: Key Terms

Disposal / Dispose
- Discarding or abandonment of consumer information
- Sale, donation or transfer of any medium on which consumer information is stored

Page 10: Reasonable Measures

Non-exclusive examples:
- Burn, pulverize or shred papers so they cannot practicably be read or reconstructed
- Destroy or erase electronic media so they cannot practicably be read or reconstructed
- Contract with a third party after appropriate due diligence
  - Review independent audit of operations or compliance with the Disposal Rule
  - Obtain several references
  - Require certification by recognized trade associations
  - Review and evaluate information security policies or procedures
  - Take other appropriate measures to determine competency and integrity

Page 11: Action Items

- Catalog your information
- Review where and how it is stored
- Determine who can access it and how
- Develop appropriate procedures and controls to comply with the Disposal Rule
- Designate a responsible person
- Train employees
- Audit

Page 12: Some Suggested Policies and Procedures

- Conduct personal background checks
  - Permanent employees
  - Temporary hires
- Sensitive data limits
  - Access
  - Use
  - Distribution
- Secure records, physical and online
- Collect and retain only essential information
- Make disposal tools accessible

Page 13: General Data Safeguarding and Security Breach Tips

- Integrate into information safeguarding program
- Ensure information safeguarding program reflects other changes in law
- Prepare ready response plan in the event of data security breach
- Understand requirements of data security breach laws

Page 14: Data Security Breach Laws

- What businesses are covered?
- What information is covered?
- What triggers notification?
- Who must be notified?
- Who is responsible for the notice?
- When must the notices be given?

Page 15: Data Breach Notification Best Practices

- Encrypt information
- Prepare consumer notification plan
- Notify general counsel or outside counsel immediately
- Conduct an immediate internal investigation
- Contact local law enforcement contact
- Provide consumer and other notifications if necessary

Page 16: Industry Response

Cardholder Information Security Program (CISP)
- American Express®, Diners Club®, Discover®, JCB®, MasterCard® and Visa® USA
- Safekeeping of account information requirements:
  - Storage of Cardholder Information
  - Destruction of Cardholder Information
  - Use of Third Parties
  - Reporting a Security Incident

Page 17: Payment Card Industry (PCI) Data Security Standard

- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor & Test Networks
- Maintain an Information Security Policy

Page 18: VISA's Cardholder Information Security Program (CISP)

Classification defines merchant audit requirements
- Level 1 merchants:
  - Process > 6 million transactions annually
  - Have suffered a breach
  - Are identified as Level 1 by another card issuer
  - Risk is determined to warrant Level 1 requirements
- Level 2: process between 150,000 and 6 million e-commerce transactions annually
- Level 3: process 20,000-150,000 e-commerce transactions annually
- All other merchants are considered Level 4

Page 19: CISP Compliance Validation

Merchants
- On-site security audit: required annually for Level 1
- Self-assessment questionnaire: required annually for Level 2 & 3; recommended for Level 4
- Network scan: required quarterly for Level 1 & 2; recommended for Level 4

Service Providers
- On-site security audit: required annually for Level 1 & 2
- Self-assessment questionnaire: required annually for Level 3
- Network scan: required quarterly

Page 20: What YOU Can Do

"Know thy data"
- What you have collected
- Where it is
- Who has access to it

Stay informed about
- Related laws and regulations
- Current breach incidents
- Best practices

http://usa.visa.com/business/accepting_visa/ops_risk_management/
http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
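A small data-inventory script, added here as an illustration and not part of the presentation, for the "Catalog your information / Review where it is stored / Determine who can access it" action items on page 11 and the "Know thy data" list on this slide. It walks a directory tree, flags lines that look like SSNs or Luhn-valid 13 to 16 digit card numbers, and reports the file, the line and whether the file is readable by every local user. The file paths and contents are constructed for the example; the SSN is a placeholder and the card number is a Luhn-valid test number, not a real account.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample files standing in for a small share of business records.
# Values are fabricated: the SSN is a placeholder and the card number is a
# Luhn-valid test number, not a real account.
SAMPLE_FILES = {
    "hr/applicants.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "finance/refunds.txt": "refund to card 4111111111111111 on 2007-02-01\n",
    "marketing/aggregate.txt": "avg order 42.17, 1200 customers last quarter\n",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")


@dataclass
class Finding:
    path: str             # path relative to the scanned root
    kind: str             # "ssn" or "card"
    line_no: int
    world_readable: bool  # other-read bit set on the file (who can access it)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_tree(root: str) -> list[Finding]:
    """Walk root, flag lines holding SSN-formatted strings or Luhn-valid card
    numbers, and record whether the containing file is readable by everyone."""
    findings: list[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            world = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for _ in SSN_RE.finditer(line):
                        findings.append(Finding(rel, "ssn", line_no, world))
                    for m in CARD_RE.finditer(line):
                        if luhn_ok(m.group()):  # drop long numbers that are not card-like
                            findings.append(Finding(rel, "card", line_no, world))
    findings.sort(key=lambda f: (f.path, f.line_no, f.kind))
    return findings


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files; the finance file is deliberately
    left world-readable so the access check has something to report."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, 0o644 if rel.startswith("finance/") else 0o600)


def demo() -> list[Finding]:
    """Build the sample tree in a temporary directory and return its inventory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        access = "WORLD-READABLE" if f.world_readable else "owner-only"
        print(f"{f.path}:{f.line_no}  {f.kind}  {access}")
```

Run it directly to print the inventory. The aggregate marketing file produces no finding, matching the slide's exclusion of aggregate data; a real inventory would also have to cover databases, mailboxes and backups, and would need an allow-list for false positives that a regex alone cannot provide.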

Page 21: Questions and Comments?

Page 22: Contact Information

CJVolk Associates, Inc.
2776 S. Arlington Mill Rd, Ste. 530
Arlington, VA 22206
www.cjvolk.com
Claudia Volk, Principal
Phone 703-405-4404
Fax 703-940-2510
[email protected]

Bryan Cave LLP
700 Thirteenth Street, NW
Washington, DC 20005
www.bryancave.com
Carol Van Cleef, Partner
Phone 202-508-6112
Fax 202-508-6200
[email protected]