Information Security Policy Issues for Incident Disclosure and Notification
Overview
Looking at recent regulatory trends, it seems likely that a Federal law will
eventually require notifying customers when a security breach may involve their
personal information. (See the recent Information Week story.) Requirements of
this kind are already encapsulated in the widely-publicized California Senate Bill 1386.
(For more information, see the whitepaper Does CA Senate Bill 1386 Apply to your business?
in our Research and Whitepapers directory.)
California Senate Bill 1386 took effect in July 2003. The bill was the first
attempt by a state legislature to address the problem of identity theft through
mandatory breach notification. In short, the bill introduces stiff disclosure
requirements for businesses and government agencies that experience security
breaches that may expose the personal information of California residents.
Because the trigger is the residency of the affected individuals rather than the
location of the business, many organizations in the United States (and possibly
worldwide) are subject to these requirements.
Basically, CA SB 1386 states that if a business experiences a security breach that
may involve the personal information of California residents, the business must make
"reasonable" efforts to notify those residents, and the bill goes into a fair amount
of detail about what constitutes "reasonable." Even without Federal legislation, many
companies are taking on the responsibility of notifying customers because it makes
good business sense. Assuming that most organizations want to at least be in a
position to make this decision, there are a number of important policy issues to consider.
Policy Implications
Incident Response Policies and Procedures
It would be a good idea to review incident response policies and procedures for a number
of issues. First, do we have formal written policies on how incidents are reported and
managed within the organization? If so, are there any special procedures for incidents
that may involve customer information? For example, if your organization did have to
notify hundreds or thousands of customers, do you have access to current contact information
for them? Having email addresses can drastically reduce the cost of notifying
large numbers of customers. (However, it will be important to reach individuals in a way
that does not make the notification look like a phishing attack: a notice that asks the
customer to click a link and re-enter account details is exactly what a phisher would send.)
As we mentioned in our recent newsletter on Data Classification, do your
Data Classification policies define the proper level of control for customer
information? What IS the classification for customer information in your enterprise?
Is all customer information treated with the same level of protection, or are elements
such as Social Security Numbers and payment card numbers handled more strictly?
Do you have an asset inventory of the systems that store or process personal information?
Checking these components of your information security architecture will help demonstrate
due diligence and allow you to identify gaps before they become a problem.
Disclosure Requirements
It is a good idea to define disclosure requirements in written policies.
For example, what types of incidents should be reported to law enforcement?
Does the organization have an established mechanism for reporting incidents to
law enforcement, and if so, what data is included?
Digital Evidence Collection
Assuming that an incident is reported to law enforcement, is the organization
prepared for an investigation? Does the organization have policies for
digital evidence collection? (See the sample policy in the May 2005 newsletter.)
It is a good idea for the organization to examine what types of data would need
to be collected as digital evidence, and then specify data handling requirements
for a proper chain-of-custody process covering capture, storage and ultimate
destruction of the data: who collected each item, when, how its integrity was
preserved, and who has handled it since.
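The chain-of-custody process described above, as working code. This is an added example and is not a policy or code from the newsletter or from Information Shield; the item IDs, custodian names and the sample log line are constructed for illustration. It records a SHA-256 digest when an item is captured and re-hashes the item on every handoff and verification, so the custody log itself shows whether stored evidence still matches what was originally captured.

```python
# Added example (not from the original newsletter): a minimal chain-of-custody
# record for one item of digital evidence. Item IDs, custodian names and the
# sample evidence bytes are constructed for illustration.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: one line of an auth log captured from a compromised host.
SAMPLE_EVIDENCE = b"2005-05-01 02:14:07 sshd[4311]: Accepted password for root from 10.9.8.7\n"


def sha256_hex(data: bytes) -> str:
    """Integrity fingerprint recorded at capture and re-checked on every handoff."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """One evidence item and the ordered list of everyone who has handled it."""

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.capture_digest: Optional[str] = None   # set once, at capture
        self.events = []                            # append-only custody log

    def _log(self, action: str, custodian: str, digest: str, note: str) -> None:
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "digest": digest,
            "note": note,
        })

    def capture(self, data: bytes, custodian: str, note: str = "") -> str:
        """First entry in the chain: who captured the item and its digest."""
        if self.capture_digest is not None:
            raise ValueError(f"{self.item_id} was already captured")
        self.capture_digest = sha256_hex(data)
        self._log("capture", custodian, self.capture_digest, note)
        return self.capture_digest

    def verify(self, data: bytes, custodian: str) -> bool:
        """Re-hash the stored copy; a mismatch means the evidence was altered."""
        digest = sha256_hex(data)
        intact = digest == self.capture_digest
        self._log("verify", custodian, digest, "intact" if intact else "MISMATCH")
        return intact

    def transfer(self, data: bytes, from_custodian: str, to_custodian: str) -> bool:
        """Hand the item to a new custodian, hashing it at the moment of handoff."""
        if self.current_custodian() != from_custodian:
            raise ValueError(f"{from_custodian} does not currently hold {self.item_id}")
        digest = sha256_hex(data)
        intact = digest == self.capture_digest
        self._log("transfer", to_custodian, digest,
                  f"from {from_custodian}; " + ("intact" if intact else "MISMATCH"))
        return intact

    def destroy(self, custodian: str, authority: str) -> None:
        """Final entry: the item is disposed of under a named authorization."""
        self._log("destroy", custodian, self.capture_digest, f"authorized by {authority}")

    def current_custodian(self) -> Optional[str]:
        """Whoever performed the last custody-changing event (capture or transfer)."""
        for event in reversed(self.events):
            if event["action"] in ("capture", "transfer"):
                return event["custodian"]
        return None

    def is_intact(self) -> bool:
        """True only if every digest ever recorded matches the capture digest."""
        return all(e["digest"] == self.capture_digest for e in self.events)

    def to_json(self) -> str:
        return json.dumps({"item_id": self.item_id, "description": self.description,
                           "capture_digest": self.capture_digest,
                           "events": self.events}, indent=2)


def demo() -> dict:
    """Walk one item through capture, handoff, a tampering check and destruction."""
    rec = CustodyRecord("EV-2005-001", "auth.log from web server (constructed sample)")
    rec.capture(SAMPLE_EVIDENCE, "analyst-a", "copied from /var/log/auth.log")
    handoff_ok = rec.transfer(SAMPLE_EVIDENCE, "analyst-a", "evidence-locker")
    # Someone edits the stored copy: one byte of the source IP is changed.
    tampered = SAMPLE_EVIDENCE.replace(b"10.9.8.7", b"10.9.8.8")
    tamper_detected = not rec.verify(tampered, "evidence-locker")
    rec.destroy("evidence-locker", "legal retention period expired")
    return {
        "handoff_ok": handoff_ok,
        "tamper_detected": tamper_detected,
        "chain_intact": rec.is_intact(),
        "final_custodian": rec.current_custodian(),
        "event_count": len(rec.events),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two points a policy should pin down are visible in the log: a transfer is refused unless the handing-over party is the recorded current custodian, and a digest mismatch at any verification marks the whole chain as not intact, which is what an investigator would ask about before relying on the item.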
Roles and Responsibilities
Finally, are specific individuals charged with the responsibility for detecting,
reporting and responding to incidents? Are these documented in formal job descriptions?
It is especially important that those employees who regularly handle critical customer
information are aware of the proper controls for protecting it. In many retail
organizations, for example, it is cashiers or customer-service representatives
who are in the front lines of capturing this information from customers.
Do you have an awareness and training program for these employees that defines
the types of customer information that needs protecting, and how to recognize
possible fraud before it happens?
Customer Inquiries
The day will soon come when your customers will ask: How do you protect my personal
information? Are you prepared to answer this question? For example, why did DSW
have complete, un-encrypted credit card information stored on their systems? Were there
any controls in place to protect this data? If so, were they documented? In the
near future, security and privacy will become a competitive advantage for certain companies.
Companies that can demonstrate a proactive approach to protecting customer information
will enjoy higher customer satisfaction and greater loyalty.
By taking a proactive approach to these policy issues, you can help keep yourself
off of the front page. However, if you do end up with a breach, some proactive
thinking about how you will respond will help reduce the cost and organizational damage.
For organizations that need help in writing information security policies covering
incident response, data classification, digital evidence, and other related topics,
Information Security Policies Made Easy, Version 10 by Charles Cresson Wood,
CISSP, CISM, CISA provides over 1350 pre-written information security policies.
Related Resources and Information
Information Security Policies Made Easy, Version 10.0 contains over 1350 pre-written policies, including incident response and disclosure policies. If you have any gaps in your incident policies, this is the most cost-effective way to fill them.
Information Shield Whitepaper - "Overview of CA SB 1386" - A detailed look at this California Privacy legislation with important considerations for businesses.
Information Shield Whitepaper - "Does California Privacy Law SB 168 Apply To Your Organization?" - A paper discussing another of California's important privacy laws relating to the use of Social Security Numbers.
Full regulatory text of CA SB 1386 from the California Senate web site.