2014 DATA PROTECTION & BREACH READINESS GUIDE The Online Trust Alliance’s mission is to enhance online trust and empower users while promoting innovation and the vitality of the Internet. Online Trust Alliance Updated April 7, 2014 © 2014 Online Trust Alliance (OTA) All Rights Reserved While consumers are realizing significant benefits, complex data analytics and data appending applications have created a set of complex policy and regulatory concerns regarding the use, control and sharing of data. This Guide identifies key questions and recommendations for businesses to consider when creating a baseline data protection framework. Depending on your industry, size of your business, and the type of data collected, your requirements may vary. The designation and appointment of chief data protection officers and creation of virtual teams of privacy professionals, security specialists and operational managers are becoming commonplace in U.S and regulated in other geographies. All organizations in both the public and private sector are faced with key considerations when it comes to their data collection practices. As illustrated in Figure 2, data may be collected, used, transmitted and shared in multiple dimensions. Information is gathered from multiple devices and platforms, both online and offline, including retail point of sale, in-store mailing lists to event registrations and ecommerce shopping carts. A major challenge is the evolving definition of “covered” or “sensitive” information. Organizations need to continually inventory the data attributed they have collected and compare against the evolving definition of covered information. User rights access and the blurring of the workplace, further exacerbates the risk of unintended exposure and unauthorized access. Whether it be rogue employees or sophisticated cyber criminals, it is imperative that companies take steps to protect their data from abuse and protect their infrastructure from compromise. As a best practice, companies need to adopt leading security and privacy practices, including implementing a BYOD and device management policies. In addition all organizations should designate a data protection officer who understands today’s complex security and privacy regulatory framework and technological landscape. TABLE OF CONTENTS Introduction 3 Executive Summary 4 Data Lifecycle Management & Stewardship 5 Business Impact 6 Data Incident Plan Framework 7 Security & Privacy Enhancing Best Practices 8 Data Governance and Loss Prevention 10 Data Classification 10 Validate & Audit Employee Data Access 11 Forensics, Intrusion Analysis & Auditing 12 Data Loss Prevention (DLP) Technologies 14 Data Minimization 14 Data Destruction Policies 15 Inventory System Access & Credentials 15 Incident Response Planning 15 Creating an Incident Response Team 16 Establish Vendor and Law Enforcement Relationships 16 Create a Project Plan 17 Determine Notification Requirements 17 Communicate & Draft Appropriate Responses 19 Providing Assistance & Possible Remedies 20 Training, Testing & Budget 21 Employee Awareness & Readiness Training 21 Analyze the Legal Implications 21 Funding and Budgeting 22 Critique & After Action Analysis 22 International Considerations 23 Summary 25 Appendix A – Resources 26 Appendix B – Sample Notification Letter 29 Appendix C – Regulatory Requirements & Considerations 32 Appendix D – Cyber Security & Liability Insurance Considerations 33 Appendix E – Computer Forensics Basics 34 Appendix F – Encryption Resources 36 Appendix G – Sample Data Incident Plan Outline 38 About OTA 39 © 2014 Online Trust Alliance (OTA) All Rights Reserved 2 While consumers are realizing significant benefits, complex data analytics and data appending applications have created a set of complex policy and regulatory concerns regarding the use, control and sharing of data. This Guide identifies key questions and recommendations for businesses to consider when creating a baseline data protection framework. Depending on your industry, size of your business, and the type of data collected, your requirements may vary. The designation and appointment of chief data protection officers and creation of virtual teams of privacy professionals, security specialists and operational managers are becoming commonplace in U.S and regulated in other geographies. All organizations in both the public and private sector are faced with key considerations when it comes to their data collection practices. As illustrated in Figure 2, data may be collected, used, transmitted and shared in multiple dimensions. Information is gathered from multiple devices and platforms, both online and offline, including retail point of sale, in-store mailing lists to event registrations and ecommerce shopping carts. A major challenge is the evolving definition of “covered” or “sensitive” information. Organizations need to continually inventory the data attributed they have collected and compare against the evolving definition of covered information. User rights access and the blurring of the workplace, further exacerbates the risk of unintended exposure and unauthorized access. Whether it be rogue employees or sophisticated cyber criminals, it is imperative that companies take steps to protect their data from abuse and protect their infrastructure from compromise. As a best practice, companies need to adopt leading security and privacy practices, including implementing a BYOD and device management policies. In addition all organizations should designate a data protection officer who understands today’s complex security and privacy regulatory framework and technological landscape. INTRODUCTION As society and business become increasingly Even the most cyber-savvy organizations have found reliant on data, the threat landscape continues themselves exposed and ill prepared to manage the to exponentially expand. Online services effects of a data breach. The best defense is introduce stronger and more innovative implementing a broad set of operational and defenses against cybersecurity threats with each technical best practices that helps protect your passing year. Unfortunately, cybercriminals company and your customers’ personal data. The simultaneously create new techniques and second step is to be prepared with a data lifecycle deceptive tactics that outpace such efforts. The plan that allows a company to respond with result underscores the need for businesses to immediacy. Ultimately, industry needs to understand make security and data protection a priority, and that effectively handling a breach is a shared to be prepared for a breach incident. responsibility of every functional group within the organization. A key to success is moving from a The 2014 Data Protection & Breach Readiness compliance perspective to one of stewardship. This Guide (Guide) has been developed to help perspective recognizes the long term impact to a organizations of all sizes in both the public and brand, the importance of consumer trust and private sector. Content has been included to implications and considerations with vendors and help aid a broad range of stakeholders ranging business partners. from business and technical decision makers and privacy and security professionals to web and The Online Trust Alliance (OTA) and its contributing app developers. The goal is to help readers authors and reviewers provide this document as a better understand the issues and solutions which public service, based on collective expertise and can enhance their data protection practices and opinion. There is no implied warranty on the enable them to develop readiness plans in the guidance in this document. While this document is event they incur a data loss incident. not meant to be an exhaustive list of all of the steps that need to be taken to prepare for, and deal with, a This Guide reflects input from a broad group of data breach, it includes links to resources that stakeholders, industry and breach analysis provide added detail in several areas such as data experts as well as interviews with companies who classification, data destruction and computer have experienced data loss incidents. New to forensics. the 2014 report is an expanded discussion on a breach’s impact to a business, including Report updates and resources are posted at contractual obligations to customers, how https://otalliance.org/breach.html. To submit crimes of opportunity target unsuspecting comments please email [email protected]. organizations and the resulting “business shock.” In addition, the report outlines current best practices in data security and brand protection. © 2014 Online Trust Alliance (OTA) All Rights Reserved 3 While consumers are realizing significant benefits, complex data analytics and data appending applications have created a set of complex policy and regulatory concerns regarding the use, control and sharing of data. This Guide identifies key questions and recommendations for businesses to consider when creating a baseline data protection framework. Depending on your industry, size of your business, and the type of data collected, your requirements may vary. The designation and appointment of chief data protection officers and creation of virtual teams of privacy professionals, security specialists and operational managers are becoming commonplace in U.S and regulated in other geographies. All organizations in both the public and private sector are faced with key considerations when it comes to their data collection practices. As illustrated in Figure 2, data may be collected,