
Assessing Your Data Breach Vulnerabilities

At the moment, you are calm. Your company has not suffered a data breach. You don't believe that your systems are currently under attack. You have no reason to suspect that your company has vulnerabilities. Or do you?

The 2008 Verizon Business RISK Team study found that 75% of breaches were not discovered by the victim. Indeed, had outside sources not informed them, many victims might never have learned that they had been the subject of a data breach incident. Eighty-three percent of all attacks were not highly difficult; many involved relatively simple computer or human-related vulnerabilities that any amateur hacker could (and did) exploit. A full 87% of all data breaches were considered avoidable through reasonable controls.

Knowing your computer systems and networks is not simply a task for IT professionals. Company management must also be aware of them and understand how these systems could be exploited. This understanding can only be achieved through a comprehensive data breach vulnerability assessment. And this assessment includes taking into account all of the various forms of personal information that you collect and store from customers, consumers and employees (many a data breach has resulted from the improper disclosure of employee personnel or other records).

That same Verizon study also found that 66% of data breaches involved data that the victim did not even know was stored on its systems. Data ignorance is apparently not the exception. Yet there is no reason why a company should not know what data is maintained, where that data is stored, and how it is protected.

While the list of items to consider is lengthy, and the actual analysis of how personal information is stored can be time-consuming, the effort spent at this pre-breach stage may well save you the aggravation and expense of weathering an actual data breach. Engaging a trusted professional to assist in investigating company resources is of course ideal. However, there are some things that company management can and should consider:

1. Catalog Your Personal Information
2. Developing a Company Training Process
3. Understanding Privacy Promises
4. Preparing for the Unexpected
5. Assessments/Audits
6. Establishing a Point of Responsibility
7. The Role of Legal Counsel