
How Good Privacy Practices Can Help Prepare for a Data Breach

August 13, 2015

Privacy Insight Series

Today's Speakers

Dr Larry Ponemon, Chairman & Founder, Ponemon Institute
Joanne Furtsch, Director of Product Policy, TRUSTe
Mary Westberg, Senior Compliance Paralegal, SanDisk Corporation

Is Your Company Ready for a Big Data Breach?
Dr Larry Ponemon, Chairman and Founder of the Ponemon Institute

Is Your Company Ready for a Big Data Breach?
The Second Annual Study on Data Breach Preparedness
Research Study Sponsored by Experian Data Breach Resolution

About Ponemon Institute

The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as CASRO's chairman of the Government & Public Affairs Committee of the Board.

The Institute has assembled more than 60 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.

Ponemon Institute Private and Confidential

In this study we surveyed 14,639 executives located in the United States about how prepared they think their companies are to respond to a data breach. Screening and failed reliability checks removed 48 surveys. The final sample was 567 surveys (or a 3.9 percent response rate).

Sample response                 Freq     Pct%
Sampling frame                  14,639   100.0%
Total returns                   615      4.2%
Rejected or screened surveys    48       0.3%
Final sample                    567      3.9%

Current trends in data breach preparedness

More companies have data breach response plans and teams in place.
Data breaches have increased in frequency.
Most companies have privacy and data protection awareness programs.
Data breach or cyber insurance policies are becoming a more important part of a company's preparedness plans.
There was very little change in the training of customer service personnel.

Data breach and the current state of preparedness

Most respondents believe their companies are not able to deal with the consequences of a data breach
Unsure, disagree and strongly disagree responses

My organization understands what needs to be done following a material data breach to prevent negative public opinion, blog posts and media reports
My organization understands what needs to be done following a material data breach to prevent the loss of customers' and business partners' trust and confidence
My organization is prepared to respond to a data breach involving business confidential information and intellectual property
My organization is prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators

[Chart: for each statement, stacked bars of Unsure, Disagree and Strongly disagree responses on a 0%-80% axis; the individual percentages (27%, 21%, 30%, 29%, 19%, 23%, 20%, 18%, 20%, 14%, 13%, 12%) cannot be matched to statements from the extracted text]

Barriers to effective data breach response

How effective is the development and execution of a data breach response plan?

[Chart: responses Very effective, Effective, Somewhat effective, Not effective and Unsure on a 0%-35% axis; bar values in the source are 30%, 23%, 21%, 17% and 9%, but their order relative to the categories cannot be recovered from the extracted text]

How often does the company review & update the data breach response plan?

Each quarter: 3%
Twice per year: 5%
Once each year: 14%
No set time period for reviewing and updating the plan: 41%
We have not reviewed or updated since the plan was put in place: 37%

How are the board of directors, chairman and CEO involved?
More than one response permitted

They approve funds and resources for data breach response efforts: 50%
They participate in a high level review of the data breach response plan in place: 45%
They have requested to be notified ASAP if a material data breach occurs: 36%
They participate in a high level review of the organization's data protection and privacy practices: 18%
Other: 2%

Do you have training programs for employees handling sensitive personal information and do you have training programs for customer service personnel?

[Chart: Yes / No / Unsure responses for two items: "Privacy/data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information" and "Customer service personnel trained on how to respond to questions about a data breach incident"; bar values in the source are 54%, 49%, 43%, 34%, 17% and 3%, but they cannot be matched to item and response from the extracted text]

The primary person/function to manage the data breach response team

Chief Information Security Officer: 21%
Compliance Officer: 12%
Head of Business Continuity Management: 10%
Chief Information Officer: 8%
Chief Risk Officer: 6%
Chief Security Officer: 6%
Head of PR and communications: 5%
General Counsel: 5%
Chief Privacy Officer: 4%
Human Resources: 2%
No one person/department has been designated to manage data breach response: 21%

Technical security considerations

Barriers to improving the ability of IT security to respond to a data breach
Two responses permitted

Lack of visibility into end-user access of sensitive and confidential information: 56%
Proliferation of mobile devices and cloud services: 43%
Third party access to or management of data: 40%
Lack of expertise: 23%
Lack of investment in much needed technologies: 21%
Lack of C-suite support: 15%
None of the above: 2%

Technologies in place to quickly detect a data breach
More than one response permitted

Anti-virus: 89%
Intrusion prevention systems: 54%
Mobile Device Management (MDM): 34%
Security Incident & Event Management: 31%
Analysis of netflow or packet captures: 25%
None of the above: 5%

Frequency for monitoring information systems for unusual or anomalous traffic

[Chart: responses Continuous monitoring, Daily, Weekly, Monthly, Quarterly, Annually, Never and Unsure on a 0%-30% axis; bar values in the source are 28%, 20%, 21%, 16%, 8%, 4%, 2% and 1%, but their order relative to the categories cannot be recovered from the extracted text]

How data breach preparedness can be improved

How could the data breach response plan become more effective?
More than one response permitted

Conduct more fire drills to practice data breach response: 77%
More participation and oversight from senior executives: 70%
A budget dedicated to data breach preparedness: 69%
Individuals with a high level of expertise in security assigned to the team: 63%
Individuals with a high level of expertise in compliance with privacy, data protection laws and regulations: 45%
Other: 2%

The best approach to keep customers and maintain reputation

Free identity theft protection and credit monitoring services: 45%
Access to a call center to respond to their concerns and provide information: 17%
Gift cards: 13%
Discounts on products or services: 13%
None of the above would make a difference: 9%
A sincere and personal apology (not a generic notification): 3%

Conclusion

The incident response plans should undergo frequent reviews and reflect the current security risks facing the company.

Risk assessments should be conducted to ensure the appropriate technologies are in place to prevent and detect a data breach.

The board of directors, CEO and chairman should play an active role in helping their companies prepare for and respond to a data breach. This includes briefings on the security posture of the company and a review of the incident response plan.

Employees should receive training on the importance of safeguarding sensitive data, especially customer information. Call center employees should become skilled at answering customers' questions about the privacy and security practices of the company as well as explaining what the company is doing in the aftermath of a data breach.

Accountability and responsibility for data breach response should be clearly defined and not dispersed throughout the company. Cross-functional teams that include the expertise necessary to respond to a data breach should be part of the incident response planning process.

Privacy Best Practices to Mitigate Risk/Damage from Data Breach
Joanne Furtsch, Director of Product Policy, TRUSTe

Data breach prevention starts with strong data privacy management policies and processes

Incident Response Plan
Employee Training
Collection Limitation
Data Privacy Office
Vendor Management
Policy Management

Develop & practice incident response plan

It's not a matter of if, it's a matter of when
Identify cross functional team members and clearly define roles
Involve senior management
Practice, practice, practice: practice increases response effectiveness
o At least 1-2 times annually
o When a new team member joins the response team
Include public relations crisis management & front line customer response plan
o Identify who needs to be notified and when
o Develop communication templates
o Understand requirements before the breach happens
Review and update your organization's plan at least annually

Collection Limitation

Limit information collection to what is necessary to fulfill business purposes
Understand what information your organization has
o Conduct a data inventory
o Assess where the information goes, who has access to it, and how long the information is retained
Data classification
o Classify information based on level of sensitivity and business impact if that data is breached
Assess whether the information is required in order to meet business goals


Manage internal policies and procedures

Review, update, and communicate
Internal policies, systems, and procedures need to be reviewed regularly to account for business or regulatory changes
In addition to security, review policies, systems, and procedures around:
o Data Collection, Use, Sharing, & Retention
o Employee access
o BYOD
o Vendor and third party risk management
o Privacy and security related complaint escalation and resolution process
Communicate policy changes and updates to affected employees

Manage vendors & third party partners

Know who your organization's vendors and third party partners are & what data they have access to
Maintain an inventory of vendors and third party partners that have access to data
Prioritize conducting risk assessments where there is high business and privacy impact
Ensure vendors and third party partners have policies in place providing equal or greater protections
Review agreements or terms of service to determine whether what happens in the event of a breach is addressed
Hold vendors and third parties accountable

Employee training

Most breaches are caused by insiders
Building employee awareness is key to breach prevention
Front line employees are key to effective data breach prevention and response
o May be first to recognize when a breach has happened: train on escalation process and procedures
o Face of your organization after a breach incident: train customer support on how to respond to customer questions
Train employees, and then do it again
o Training is an ongoing process

Key Take-Aways
Mary Westberg, Senior Compliance Paralegal, SanDisk

Designing an Incident Response Plan

2. Identify Stakeholders
Each organization is different!
Consider likely data gatekeepers - often HR; Web; Mobile; Sales; Product Managers
Get input from Information Security, Legal, Compliance, Internal Audit, Insurance, Public or Investor Relations
Buy-in from key executives

3. Know Your Data and Systems
You'll draft a better plan and mitigate risks if you know upfront the data types and quantities
Classify data by type
Consider systems, locations, accesses, vulnerabilities
While evaluating data and systems for personal data, use this opportunity to also consider non-PI confidential information such as trade secrets and third party confidential information

Draft the Plan
Be clear - this plan will bring needed structure during crisis time
Be actionable - give instructions to persons reporting an incident; accountability and guidelines to responders
Be flexible - incidents will vary and so must the response
Be practical - leverage existing resources, if possible
Publish the plan and be prepared to re-work it

Post-Publication; Work Continues

5. Communicate & Train
Create awareness
Layer approaches to reach those who need to know
General audience training or instruction: integrate with other trainings
Specialized training for responders and incident response team members

Evaluate and Improve
Test the plan: conduct a trial run
Review for effectiveness
Make adjustments
Take corrective actions
Summarize and report
Regularly revisit the plan

Manage & Mitigate Risks

Data Minimization
o You can't lose what you don't have!
o Legitimate business purpose for collections
o Mind data retention schedules; securely destroy

Vendor Management
o On-boarding processes, contractual terms
o Security assessment; audit; red flags
o Saying goodbye - termination procedures, including a certificate of destruction

Layered Internal Processes
o Published policies and procedures that support data security and permitted data uses; related trainings
o Phase gates for products, services and programs
o Self-help tools and resources
o Build awareness, such as a Privacy Committee

Questions?

Contacts

Dr Larry Ponemon: research@ponemon.org
Joanne Furtsch: jfurtsch@truste.com
Mary Westberg: Mary.Westberg@sandisk.com

Thank You!

Don't miss the next webinar in the Series: What Does the Proposed EU Regulation Mean for Business, on September 16th.
See http://www.truste.com/insightseries for details of future webinars and recordings.