Protecting.Personally.Identifiable.Information.2016.jpgDo you think you are doing everything you can do protect the Personally Identifiable Information (PII) of your clients, colleagues, employees and partners? Think again!

Are you prepared to handle a data breach? What is your data breach response procedure? For example, you suspect that your business has experienced a data breach. What do you do? The FTC’s new Data Breach Response: A Guide for Business: A Guide for Business outlines the steps to take and whom to contact. 

Why is it important to have a data breach response ready? 
  • According to a recent cyber security report by Cisco, defenders are not protecting systems in a way that matches how attackers do their work. Although defenders have evolved their strategies and tools for fighting online criminals, attackers are still permitted far too much unconstrained time to operate. The reports states e-mail and malicious advertising (malvertising) are the primary vectors for ransomware campaigns. However, some threat actors are now using network and server-side vulnerabilities. Currently, the majority of known ransomware cannot be easily decrypted, leaving victimzed organizations and businesses with little option but to pay the asking price in most instances. 
  • In fact, ransomware attacks against businesses are on pace to be four times higher during 2016 than 2015, with a growing number of ransom-seeking hackers demanding bitcoin rather than money, according to a report by specialty insurer Beazley. The Beazley Breach Insights report is based on the insurer’s client data breaches in the first nine months of 2016.  During the first nine months of 2016, Beazley Breach Response (BBR) Services unit managed 1,437 data breaches on behalf of clients, compared to 931 breaches during the same period last year. Overall, hackers are focusing more attention on financial institutions, according to Beazley. 
  • Lest we forget that during September of 2016 Yahoo reported that data associated with at least 500 million user accounts had been stolen in what many reported to be one of the largest cybersecurity breaches ever. Yahoo said it believed a "state-sponsored actor" was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

personally.identifiable.information.brand.reputation.2016.jpgData Breach? What To Do?

The FTC’s new Data Breach Response: A Guide for Business: A Guide for Business outlines the steps to take and whom to contact. The Data Breach Response guide includes a model data breach notification letter. Here’s a glimpse of what the guide recommends in regard to securing your data - and reporting a breach.

  • Secure physical areas potentially related to the breach. Lock them and change codes, if needed.
  • Stop additional data loss. Take all affected equipment offline right away, but be careful not to destroy evidence. Monitor all access points to your system. If a hacker stole credentials, you’ll need to change those credentials too, even if you’ve removed the hacker’s tools.
  • Think about your service providers. If they were involved, make sure they’ve remedied all vulnerabilities and consider whether you need to change their access privileges. Also, check your network segmentation so a breach at one server or site doesn’t lead to a breach at another.  
  • What about breach notification? That’s where many companies have questions. First, take a look at your state’s data breach notification law. If it’s a breach involving health information, also look at the HIPAA Breach Notification Rule and the FTC’s Health Breach Notification Rule. Notify law enforcement, affected businesses and individuals.

For businesses today, protecting customer data such as credit card information, log-in credentials, and other personally identifiable information is one of the top priorities for both security and risk leaders, as well as business leaders. A breach of customer information could result in an organization’s loss of public trust, legal liability and significant cost to remedy damages. 

While it is best practice for organizations to limit the use, collection, and retention of PII to only what is absolutely required for business purposes, often it is not known exactly what information is stored and where it is located to effectively manage it and ensure its protection. If a breach does take place, it's imperative an enterprise reacts swiftly and in the best interests of its clients, employees and partners to manage any breach effectively and protect PII from further compromise. Unfortunately, many organizations do not do all they can to protect PII.

The reality is, businesses today have an obligation to protect the sensitive data of their employees and customers.