<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; Data Breach Notification</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/data-breach-notification/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>7 Things you should think about when you audit your response plan</title>
		<link>http://www.experian.com/blogs/data-breach/2012/12/13/7-things-you-should-think-about-when-you-audit-your-response-plan/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/12/13/7-things-you-should-think-about-when-you-audit-your-response-plan/#comments</comments>
		<pubDate>Thu, 13 Dec 2012 17:30:03 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1874</guid>
		<description><![CDATA[Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious  data breach attempts, what can possibly be still the biggest threat to your data breach protection plan?  Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/response-plan-checklist.jpg"><img class="aligncenter  wp-image-1875" title="response-plan-checklist" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/response-plan-checklist.jpg" alt="" width="509" height="339" /></a></p>
<p>Now that your <a href="http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/">data breach</a> response plan is in place and you’re confident that your company is safeguarded from malicious <a href="http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/">data breach</a> attempts, what could still be the biggest threat to your <a href="http://www.experian.com/blogs/data-breach/2012/02/21/when-data-recovery-becomes-a-data-disaster/">data breach protection</a> plan? Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work. The business world is ever changing, so it’s necessary to ensure that your response plan stays current and functional.</p>
<p>That is why it’s imperative that you regularly audit, test and update your plan, preferably on a quarterly basis.</p>
<p>Here are 7 checklist items to keep in mind when auditing your response plan:</p>
<p>1) Update your data breach response team contact list &#8211; Employees come and go, so it’s important that the contact information for the members of your internal and external breach response team is current. Make sure department heads are noted and, once the list is updated, re-distribute it to the appropriate people.</p>
<p>2) Verify that your data breach response plan is comprehensive &#8211; Revise the plan to include any major company changes, such as new departments or adjustments in data management policies.  Check in with each response team member to ensure their department understands its role and what they need to do during a data breach.  Set up a mock <strong>breach of data</strong> scenario so that your response team can practice trial runs. Practice a full scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.</p>
<p>3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible.  Review your vendors and contracts and make sure they both still match your data protection and security needs.</p>
<p>4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws. Ensure your contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach. For medical data breaches, healthcare providers need to verify that Department of Health &amp; Human Services contacts are updated and their response team understands data breach information reporting procedures.</p>
<p>5) Check up on third parties that have access to your data &#8211; Evaluate how third parties are managing your data and if they are following your data protection rules.  Educate them on any new legislation that may affect you during a data breach.  Stress to third parties the importance of reporting a data breach to you immediately and what is expected in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.</p>
<p>6) Evaluate IT Security &#8211; Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working.  Store backup copies of data securely.</p>
<p>7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including what digital and paper documents to keep and how to securely discard what is not needed. Train staff to identify signs of cyber security threats in their daily work life and know the proper course of action in reporting a breach. Check that employees are keeping their work-related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/12/13/7-things-you-should-think-about-when-you-audit-your-response-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal breach notice: A view worth the climb?</title>
		<link>http://www.experian.com/blogs/data-breach/2012/10/16/federal-breach-notice-a-view-worth-the-climb/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/10/16/federal-breach-notice-a-view-worth-the-climb/#comments</comments>
		<pubDate>Tue, 16 Oct 2012 20:09:05 +0000</pubDate>
		<dc:creator>gredmon</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1669</guid>
		<description><![CDATA[Working for a company that navigates 46 different state breach notice laws and a plethora of sector based federal breach notice laws, I’m often asked what I think the likelihood is that the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><em><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/10/federal-breach-notice_a-view-worth-the-climb.jpg"><img class="aligncenter  wp-image-1673" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/10/federal-breach-notice_a-view-worth-the-climb.jpg" alt="" width="441" height="441" /></a></em></p>
<p><em>Our guest blogger this week is Gant Redmon, General Counsel &amp; Vice President of Business Development at Co3 Systems.</em></p>
<p>Working for a company that navigates 46 different state breach notice laws and a plethora of sector based federal breach notice laws, I’m often asked what I think the likelihood is that the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws. While I don’t rule out a federal law passing at some point, I see it setting a floor of breach response responsibility rather than superseding everything already in place.</p>
<p>Put yourself in the shoes of a legislator trying to harmonize all the different state laws. That legislator is going to have three big political challenges.</p>
<p>The first challenge is choosing a single standard in the face of wildly different state standards. How will affected states feel about the Federal government imposing a different standard than the one they’ve settled on? Changing the rules in dozens of states will cause upheaval with political fallout.</p>
<p>The second challenge will be dealing with state attorneys general and treasurers. State AGs are becoming more and more active in tracking breaches and cracking down on companies that don’t provide proper notice or have adequate security procedures. Part of that crackdown includes fines collected that go to the state treasury. A federal law will strip those AGs of the role of privacy protectors and redirect funds to the federal government and away from the states.</p>
<p>The third challenge is that some states, like California and Virginia, go above even Federal notice requirements. What legislator wants to be known as the one who diluted people’s privacy rights by pre-empting strong protections and replacing them with weaker ones?</p>
<p>When trying to solve a problem, the first thing I ask is if I’m dealing with a problem worth solving. Privacy professionals and law firms have become well versed in the different state laws. Software solutions also exist that track all the different laws and provide incident response plans that are easy to follow. If the problem here is the complexity involved in dealing with disparate state breach notice laws, then we don’t have a problem worth solving.</p>
<p><em>“The opinions reflected in this article are solely those of the author and do not reflect the views of Experian Data Breach Resolution or any of its sister companies.”</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/10/16/federal-breach-notice-a-view-worth-the-climb/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Connecticut gets serious about breach reporting</title>
		<link>http://www.experian.com/blogs/data-breach/2012/10/02/connecticut-gets-serious-about-breach-reporting/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/10/02/connecticut-gets-serious-about-breach-reporting/#comments</comments>
		<pubDate>Tue, 02 Oct 2012 15:03:48 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1650</guid>
		<description><![CDATA[Get ready, Connecticut. A new data breach law is now in effect that brings the Office of the Attorney General (OAG) into the reporting loop. The new law requires notifying the OAG by email no later than when affected consumers are notified. Previously, businesses were only required to report a breach to consumers. Yet Attorney [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/10/connecticut-gets-serious-about-breach-reporting.png"><img class="aligncenter  wp-image-1653" title="connecticut-gets-serious-about-breach-reporting" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/10/connecticut-gets-serious-about-breach-reporting.png" alt="" width="547" height="318" /></a></p>
<p>Get ready, Connecticut. A new data breach law is now in effect that brings the Office of the Attorney General (OAG) into the reporting loop.</p>
<p>The new law requires notifying the OAG by email no later than when affected consumers are notified. Previously, businesses were only required to report a breach to consumers. Yet Attorney General George Jepsen and his office were tasked with enforcing state breach laws – hard to do when you don’t know about the incidents.</p>
<p>But that’s all changed. Assistant Attorney General Matthew Fitzsimmons and the office’s Privacy Task Force will monitor the incoming emails. The new reporting requirement and newish task force (it was created last year) give the OAG more oversight of breach activity that may be putting consumers at risk. With more oversight comes better enforcement – at least that’s certainly what the OAG hopes.</p>
<p>Connecticut requires consumer notification when a breach involves unencrypted, computerized personal data. The state’s definition of “personal data” includes someone’s first and last names in combination with at least one of three data types: a Social Security number; a driver’s license or state identification number; or a financial account number, such as a credit card number, along with the access code for the account.</p>
<p>Businesses that don’t comply with the new law may find themselves in violation of the state’s Fair Trade Practices Act. Remember that sooner is better than later when it comes to breach reporting. At least if you want to avoid fines and violations.</p>
<p>Here’s the new email address for reporting breaches in Connecticut: <a href="mailto:ag.breach@ct.gov">ag.breach@ct.gov</a>.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"> <a href="http://www.experian.com/innovation/business-resources/ponemon-notification-study.jsp?WT.srch=ecd_dbres_blog_100212_article">Download the Ponemon Notification Study to find out what kind of notification letters your customers want &#8211; and why it&#8217;s important to deliver.</a> </div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/10/02/connecticut-gets-serious-about-breach-reporting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. beats Germany, U.K. and France when it comes to data breach notification costs, but why?</title>
		<link>http://www.experian.com/blogs/data-breach/2012/08/28/u-s-beats-germany-u-k-and-france-when-it-comes-to-data-breach-notification-but-why/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/08/28/u-s-beats-germany-u-k-and-france-when-it-comes-to-data-breach-notification-but-why/#comments</comments>
		<pubDate>Tue, 28 Aug 2012 20:29:00 +0000</pubDate>
		<dc:creator>mbruemmer</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1564</guid>
		<description><![CDATA[The U.S. tops Germany, the U.K. and France when it comes to data breach notification costs. In other words, it costs American companies more to notify people of a data breach when their personal information is lost or stolen. The Ponemon Institute, which recently conducted a global data breach study, found that it cost U.S. [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/08/data-breach-cost.png"><img class="aligncenter  wp-image-1565" title="data-breach-cost" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/08/data-breach-cost.png" alt="" width="500" height="344" /></a></p>
<p>The U.S. tops Germany, the U.K. and France when it comes to <a title="Ponemon Notification Study" href="http://www.experian.com/innovation/business-resources/ponemon-notification-study.jsp">data breach notification costs</a>. In other words, it costs American companies more to notify people of a data breach when their personal information is lost or stolen.</p>
<p>The Ponemon Institute, which recently conducted a global data breach study, found that it cost U.S. companies an average of $561,500 to notify victims per breach, compared to $303,600 for German companies and $223,100 for companies in the U.K. Even more interesting is that in some countries – like India and Australia – companies only spend an average of $31,000 (India) and $80,000 (Australia) to notify customers of a data breach. (All figures are in U.S. dollars.)</p>
<p>So why do American companies spend so much more on <a title="Ponemon Notification Study" href="http://www.experian.com/innovation/business-resources/ponemon-notification-study.jsp">data breach notification</a>?</p>
<p>The answer is mainly due to numerous laws and regulations. Currently, 46 states have breach notification laws and several federal agencies, such as the Department of Health and Human Services, require organizations to notify potential victims when their unsecured protected health information is breached.</p>
<p>In contrast, countries without breach notification laws – like India and Australia – spend much less because they don’t have to notify all of their data breach victims. Countries like Germany and the U.K. have strict notification requirements, although not as tough as the U.S.</p>
<p>American companies and organizations may not be able to do much about notification costs, which are expected to continue to rise. But there are other measures that can be taken to lower the cost of a breach. For example:</p>
<ul>
<li>Negotiating a pre-breach agreement with a data breach resolution provider to lock in a good rate ahead of time.</li>
<li>A chief information security officer (CISO) who is responsible for enterprise data protection can reduce the cost of a breach by as much as $80 per record, according to the Ponemon Institute.</li>
<li>Increased loyalty by treating potential victims fairly and providing them with credit and/or identity protection can prevent the loss of customers and potentially save millions.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/08/28/u-s-beats-germany-u-k-and-france-when-it-comes-to-data-breach-notification-but-why/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Webinar: Data breaches can happen anytime, anywhere</title>
		<link>http://www.experian.com/blogs/data-breach/2012/07/19/webinar-data-breaches-can-happen-anytime-anywhere/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/07/19/webinar-data-breaches-can-happen-anytime-anywhere/#comments</comments>
		<pubDate>Thu, 19 Jul 2012 16:15:21 +0000</pubDate>
		<dc:creator>mbruemmer</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1460</guid>
		<description><![CDATA[Can you imagine losing backup disks containing information for 300,000 patients? Or having computer back-up tapes stolen? What if someone hacked into your network servers or lost important laptops? These aren’t hypothetical scenarios. They’re real data breach cases that have occurred in recent years. Can this happen to you? You bet. The key is being [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/data-breach-hacker.jpg"><img class="aligncenter  wp-image-1469" title="data-breach-hacker" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/data-breach-hacker.jpg" alt="" width="509" height="339" /></a></p>
<p>Can you imagine losing backup disks containing information for 300,000 patients? Or having computer back-up tapes stolen? What if someone hacked into your network servers or lost important laptops? These aren’t hypothetical scenarios. They’re real data breach cases that have occurred in recent years. Can this happen to you? You bet. The key is being prepared for the inevitable.</p>
<p>I would like to invite you to participate in an informative webinar on this important issue. I will be joined by Dr. Larry Ponemon, a data protection “think tank” pioneer and Chairman of the Ponemon Institute, and Karen Murray, Vice President, Chief Compliance Officer of Steward Health Care System in a discussion focusing on the latest data breach trends, how to prepare for a data breach and the best ways to respond to a breach.</p>
<p>The 90-minute webinar, delivered in conjunction with the Health Care Compliance Association (HCCA), will be held at noon CST on July 25, 2012 and participants may be eligible for CEUs.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Webinar: Preparing for the First 24 Hours of a Data Breach" href="http://www.experian.com/innovation/business-resources/data-breach-compliance-and-response.jsp?WT.srch=ecd_dbres_blog_070912_article">Webinar Download: Data Breach Compliance and Response: Preparing for the First 24 Hours of a Data Breach and Beyond</a></div></div>
<p>In addition, the webinar will feature:</p>
<p>• The latest research about consumer notification from the Ponemon Institute<br />
• A look at healthcare data breach statistics<br />
• Best practices for data breach preparation from a compliance officer’s perspective<br />
• Examples of what works &#8211; and doesn’t work &#8211; when responding to a data breach<br />
• How and why data breaches happen<br />
• How to budget the resources for a potential breach<br />
• What do regulators expect from an organization that experienced a breach?<br />
• A question and answer period for participants</p>
<p>Come learn the best ways to try and prevent a data breach and the most effective methods to respond to one. Learn to minimize your costs and help protect your reputation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/07/19/webinar-data-breaches-can-happen-anytime-anywhere/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three reasons your breach notices are flawed</title>
		<link>http://www.experian.com/blogs/data-breach/2012/06/05/three-reasons-your-breach-notices-are-flawed/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/06/05/three-reasons-your-breach-notices-are-flawed/#comments</comments>
		<pubDate>Tue, 05 Jun 2012 17:14:18 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1286</guid>
		<description><![CDATA[Still using the less-is-more approach to notification letters? As it turns out, consumers want more – much more than they’re getting. In a new study, 72% of consumers who recall receiving a notification letter express disappointment. The Ponemon Institute explores why in the 2012 Consumer Study on Data Breach Notification. Among all survey respondents, those [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/06/stack-of-letters.jpg"><img class="aligncenter size-full wp-image-1292" title="stack-of-letters" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/06/stack-of-letters.jpg" alt="" width="454" height="184" /></a></p>
<p>Still using the less-is-more approach to notification letters? As it turns out, consumers want more – much more than they’re getting.</p>
<p>In a new study, 72% of consumers who recall receiving a notification letter express disappointment. The Ponemon Institute explores why in the 2012 Consumer Study on <a title="Ponemon Notification Study Download" href="http://www.experian.com/data-breach/ponemon-notification-study.html?WT.srch=ecd_dbres_notification_blog_article">Data Breach Notification</a>.</p>
<p>Among all survey respondents, both those who do and those who do not recall receiving a notice, 85% say that learning about the loss or theft of their data is pertinent to them. But only if there’s a certainty of risk, a belief shared by 57% of respondents. An even larger percentage (63%) feels entitled to compensation, such as credit monitoring or identity protection, if their data is lost.</p>
<p>Yet, despite having clear ideas on what they do or don’t want following the loss of their data, most consumers aren’t paying attention to <a title="What consumers should know about data breach notification" href="http://www.experian.com/blogs/data-breach/2011/11/02/what-consumers-should-know-about-data-breach-notification/">breach notices</a>, according to Ponemon. Only 25% of participants in the study could recall receiving one. Among that group, 35% recalled receiving at least three.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Consumer Study on Data Breach Notification" href="http://www.experian.com/innovation/business-resources/ponemon-notification-study.jsp?WT.srch=ecd_dbres_blog_060512_article ">Download the 2012 Consumer Study on Data Breach Notification</a> to find out why consumers are critical of the notification letters they receive. </div></div>
<p>It’s this subset of the study that provides valuable insight into why today’s notifications aren’t working. Here are three flaws:</p>
<p>1. Too Few Details<br />
Sixty-seven percent of respondents who recall receiving a breach notice did not receive enough information about the incident. That includes 44% who did not know what type of data had been lost or stolen, leaving them unsure of what steps to take to protect themselves.</p>
<p>2. Difficult to Understand<br />
Sixty-one percent did not understand the notification, largely due to the length of the letter and complexity of the language. In addition, 37% had no idea what the incident was about even after reading the notice. This led 41% to assume their data had been stolen.</p>
<p>3. Not Believable<br />
Forty-five percent found the message in the letter unbelievable, and 44% of them believed the company was hiding key facts about the breach.</p>
<p>Consumers acted on their disappointment to varying degrees:<br />
• 15% planned to terminate their relationship with the breached company<br />
• 39% contemplated doing so<br />
• 35% would continue the relationship so long as the organization doesn’t experience another breach</p>
<p>The numbers reflect poorly on today’s notification efforts, confirming the need for change. Consumers want simple language and clear explanations of what happened and the risks they face, plus a protection product to compensate for the data exposure, according to the study.</p>
<p>So why not work with your legal counsel to deliver just that in a way that protects your company and satisfies your consumers? Otherwise, your breach notices will continue to alienate and confuse. As <a title="Ponemon Notification Study" href="http://www.experian.com/data-breach/ponemon-notification-study.html?WT.srch=ecd_dbres_notification_blog_article">this study</a> shows, that only serves to erode customer loyalty and trust, making data loss even more costly in the long run.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/06/05/three-reasons-your-breach-notices-are-flawed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Responding resourcefully to medical data breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 22:58:01 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1153</guid>
		<description><![CDATA[&#160; It’s safe to say that healthcare data is/are under attack. Breaches of medical records increased 97% from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute. Be prepared: Does your organization observe security protocols and have controls in [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/patient-data-breaches1.jpg"><img class="aligncenter size-full wp-image-1166" title="patient-data-breaches" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/patient-data-breaches1.jpg" alt="" width="400" height="300" /></a></p>
<p>It’s safe to say that healthcare data is under attack. Breaches of <a title="Differentiating factors of a healthcare breach" href="http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/">medical records increased 97%</a> from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute.</p>
<p><strong>Be prepared:</strong> Does your organization observe security protocols and have controls in place to protect patient health information (PHI)?</p>
<p><strong>Have a response plan ready to deploy:</strong> In the event of a data breach, the first thing to do is activate your <a title="Data breach response plan" href="http://www.experian.com/blogs/data-breach/2011/02/22/develop-a-breach-response-plan-now-to-be-ready-to-efficiently-address-a-breach-as-soon-as-it-is-reported/">response plan</a>. In general, this plan spells out in great detail everything from who will lead the response team to step-by-step processes for sending out notifications, customer care and more.</p>
<p><strong>Evaluate your situation post-breach:</strong> Once you’ve weathered the storm of a data breach and its consequences, take time to review the ways your organization responded and grade your response plan. This is also the time to make changes, small and substantial, to the response plan and implement any other protections or processes that you feel would improve your readiness and ability to respond in the event of another incident.</p>
<p>Look for Experian at the 2012 Compliance Institute in Las Vegas from April 29 to May 1. It’s a great opportunity to immerse yourself in solutions for preventing and managing data breaches, as well as meet experts who can help your organization be better prepared in the event of an incident.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Third Annual Medical Identity Theft Study" href="http://www.experian.com/innovation/business-resources/ponemon-third-annual-medical-id-theft-study.jsp?WT.srch=ecd_dbres_blog_042612_article">Download the Ponemon Medical Identity Theft Study to learn the costly consequences facing patients and providers</a>.</div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infographic: Unlock data breach facts</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/#comments</comments>
		<pubDate>Mon, 12 Mar 2012 17:12:33 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1071</guid>
		<description><![CDATA[Tweet]]></description>
			<content:encoded><![CDATA[
<div style="text-align: center;"><div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Aftermath Study" href="http://www.experian.com/innovation/business-resources/aftermath-after-data-breach.jsp?WT.srch=ecd_dbres_blog_031212_article "> Download the Ponemon Aftermath Study</a> to learn what companies experience following a data loss</div></div></div>
<div style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/UnlockDateBreachFacts2.jpg"><img class="aligncenter size-full wp-image-1079" title="UnlockDateBreachFacts" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/UnlockDateBreachFacts2.jpg" alt="" width="466" height="816" /></a></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Extended fraud resolution is the new standard</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/05/extended-fraud-resolution-is-the-new-standard/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/05/extended-fraud-resolution-is-the-new-standard/#comments</comments>
		<pubDate>Mon, 05 Mar 2012 19:40:33 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[ProtectMyID]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1027</guid>
		<description><![CDATA[Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission. As consumers become savvier about protecting their personal data, they expect companies to [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/Privacy_hands.jpg"><img class="aligncenter size-full wp-image-1033" title="Privacy_hands" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/Privacy_hands.jpg" alt="" width="425" height="282" /></a></p>
<p>Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission.</p>
<p>As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line.</p>
<p>The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t.</p>
<p>Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection.</p>
<p>Experian’s <a title="ProtectMyId Elite" href="http://www.experian.com/data-breach/identity-theft-monitoring.html" target="_blank"><span style="text-decoration: underline;">ProtectMyID® Elite</span></a> or <a title="ProtectMyId Alert" href="http://www.experian.com/data-breach/protectmyid-alert.html" target="_blank"><span style="text-decoration: underline;">ProtectMyID Alert</span></a> provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member.</p>
<p>With ExtendCARE, the <a title="Identity theft resolution" href="http://www.experian.com/data-breach/data-compromise.html" target="_blank"><span style="text-decoration: underline;">identity theft resolution</span></a> portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships.</p>
<p>Extended protection from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, please contact us at 1 866 751 1323 or <a href="mailto:databreachinfo@experian.com?subject=Experian.com%20Contact%20Us%20Request">databreachinfo@experian.com</a>.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="ExtendCare by Experian" href="http://www.experian.com/data-breach/data-compromise.html?WT.srch=ecd_dbres_blog_030512_article ">Learn more about ExtendCARE™</a> and see how Experian&#8217;s Fraud Resolution Agents can help you! </div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/05/extended-fraud-resolution-is-the-new-standard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The data breach reporting landscape &#8211; part 1</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 16:25:22 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1010</guid>
		<description><![CDATA[Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/crumbling-lock.jpg"><img class="aligncenter size-full wp-image-1014" title="crumbling lock" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/crumbling-lock.jpg" alt="" width="509" height="338" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).</em></p>
<p>As an organization specializing in monitoring and tracking data breaches, the <a title="itrc website" href="http://www.idtheftcenter.org/" class="broken_link" rel="nofollow">ITRC</a> has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.</p>
<p>According to most state laws, a data breach is an <em>incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so</em>. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.  Note that under these state breach laws, non-personal identifying information is <em>not</em> included.</p>
<p>Next, let’s consider hacking.  By definition, &#8220;hacking&#8221; is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer.  Hacking efforts target all types of information – from high level intellectual property down to individual personal information, both sensitive and non-sensitive information.  Taken together, these two situations result in nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.</p>
<p>This brings us to the definition of “reported breaches”.  ITRC only publishes breach incident information which is available from credible, public resources.  Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources.  This approach means that the ITRC Breach Report only reflects the tip of the iceberg.</p>
<p>In 2011, 41% of the <a title="2011 Year of the Breach" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/">breaches</a> on the ITRC report show the number of records exposed as “unknown.”  In addition, ITRC is aware of a significant number of breaches that are not made public.  As a result, it is not possible to provide truly accurate numbers – either for the number of breaches or the number of records.</p>
<p>The majority of “reported breaches” included in the list are those which have met “breach notification triggers” established by the various state laws regarding this issue.  Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a social security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards).   Some states have expanded this “trigger” definition to include medical and healthcare information.  This situation leaves large loopholes for breaches to remain unreported.</p>
<p>Currently we know that –</p>
<ul>
<li>An indeterminable number of breaches go unreported, even when <a title="Breach notification in three easy steps" href="http://www.experian.com/blogs/data-breach/2011/05/10/breach-notification-in-three-easy-steps/">notification</a> should have been triggered according to the applicable state laws.</li>
<li>Many breach notifications (at least what is disclosed by the entity) underreport the number of records.</li>
<li>Many breach notifications also do not clearly define the types of information exposed.</li>
<li>Public information is often incomplete in detailing how the breach occurred.</li>
<li>Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet “breach notification triggers” as established by various state laws.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>