Data Security and Privacy
2019 Annual Conference
Presented by: Leslie Bender, BCA Financial; Debra Ciskey, The Collection Coach

Agenda
• Prevention and preparation
What does data loss prevention mean?
• Simply put, “DLP” or data loss prevention refers to the set of safeguards (controls) and activities an organization undertakes to control access to the data it holds.
• A DLP strategy is intended to keep end-users from intentionally manipulating, destroying or stealing data, and to detect it when they try.
• Collection agencies hold a wealth of non-public information, including but not limited to:
• Consumers’ financial information and other non-public information
• Employees’ non-public information
• Creditors’ proprietary and non-public information
• The agency’s own proprietary and non-public information
• Potentially, key vendors’ proprietary and non-public information
How does an agency do data loss prevention (DLP) and what does it entail?
Studies conducted annually by the Ponemon Institute and McAfee focus on five success factors in a data loss prevention program:
• A formal data loss prevention or data protection strategy for the organization, with metrics to determine whether the strategy is effective.
• Key metrics from a management console, plus observation and regular testing of data protection solutions.
• Data protection technology features that focus on privileged users, restriction of access and outbound communications are considered critical.
• Centralized management of the data protection program, with features such as actionable information, policy administration, reporting, automatic securing of endpoints and monitoring.
• Automated policies for detection and prevention of end-user misuse of information assets.
http://www.ponemon.org
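Two of the success factors above, inspection of outbound communications and automated detection policies, come down to content inspection: scanning what leaves the agency for the kinds of non-public data it holds. The block below is an added example written for this page, not code from the presentation or from any DLP product. It detects Social Security Numbers and payment card numbers in outbound text, applies plausibility checks (SSA issuance rules, the Luhn check digit) so that phone numbers and invoice IDs are not flagged, and redacts hits down to their last four digits. The sample messages are constructed for the example.

```python
"""Minimal content-inspection DLP check for outbound text (added example).

Real DLP products do the same thing with many more detectors and with
enforcement actions (block, quarantine, encrypt); this shows the core
detection logic and the false-positive controls that make it usable.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate Social Security Numbers: 3-2-4 digits with optional separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Candidate payment card numbers (PANs): 13-19 digits, optional spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "pan"
    value: str   # matched text exactly as it appeared
    start: int   # offset of the match in the scanned text


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject combinations the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000). This removes most 9-digit invoice and
    reference numbers that merely look like SSNs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return every plausible SSN or card number found in text, by offset."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("pan", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Mask each finding except its last four characters. Work from the
    end of the text so earlier offsets stay valid while replacing."""
    out = text
    for f in reversed(scan(text)):
        masked = "*" * (len(f.value) - 4) + f.value[-4:]
        out = out[:f.start] + masked + out[f.start + len(f.value):]
    return out


# Constructed outbound messages: two should be flagged, three should not.
SAMPLE_OUTBOUND = [
    "Per your request, the account under SSN 123-45-6789 shows $412.17 due.",
    "Card on file: 4242 4242 4242 4242, expires next year.",
    "Call us back at 800-555-0199 between 9 and 5.",     # phone, not an SSN
    "Invoice 900123456 is 30 days overdue.",               # area 900: not an SSN
    "Ref 1234567890123 was mailed yesterday.",             # fails Luhn: not a PAN
]

if __name__ == "__main__":
    for msg in SAMPLE_OUTBOUND:
        hits = scan(msg)
        verdict = "BLOCK" if hits else "allow"
        print(f"{verdict:5} {[f.kind for f in hits]} {redact(msg)}")
```

Run it directly and only the first two messages are blocked; the phone number, the 900-series invoice and the 13-digit reference are allowed through, which is the difference between a policy users tolerate and one they route around.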
No Data Loss Prevention Strategy is Foolproof
• There is no guaranteed way to prevent all data loss.
• Data security is an enforcement priority for the Federal Trade Commission. Check out its resources for businesses at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security
Basic Compliance Checklist
What would a collection agency need to do to comply with data security laws? The list below tracks the elements of the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act (16 CFR Part 314), which applies to collection agencies as financial institutions:
• Designate a coordinator for the program
• Identify internal and external risks
• Assess the sufficiency of existing safeguards
• Design and implement safeguards
• Monitor the effectiveness of safeguards
• Retain service providers who maintain appropriate safeguards
• Adjust the information security program as needed
Assessing Risk
[Diagram: Risk as the combination of Threat, Vulnerability, Likelihood and Impact]
Safeguards or Controls
“Safeguards” include:
• your controls
• early warning tools
• continuous improvement processes
Safeguards are your strategies for protecting your data.
Last “Safeguards” or “Control” Issue: What about Vendor Management?
From a confidentiality perspective, friends or foes?
• What vendors does an agency use, and how does the agency pass its controls or safeguards along to those vendors?
• Initial due diligence
• Scope of work and expectations described in any “request for proposals” documentation the agency floats
• Representations vendors make to you versus inquiries you initiate on your own
• Ongoing monitoring
• Should vendors “certify” their compliance to you?
• Should you dictate what their compliance looks like? Can you rely upon any third-party certifications?
• Communication logistics: is it clear how and when any “incidents” must be reported to you, and what commitments the vendor has made to cooperate in investigation and remediation?
• What do the creditors an agency supports expect? Can their expectations be used as the standard for the agency’s own service providers?
• What if they are all different?
Before the Breach Happens…
Ideally an organization anticipates that things can go wrong and, in peaceful times, has laid the groundwork for what to do if an incident occurs. That groundwork would include:
• Written, easy-to-follow procedures for reporting security incidents
• A designated individual responsible for coordinating internal processes
• A workforce trained to at least an “awareness” level on their incident response roles and responsibilities
• Templates, including a templated plan of measures to contain, control and correct incidents
• A clear and well-known policy that requires all members of the workforce to give immediate notice internally of suspected incidents
• Knowledge of the regulators and law enforcement authorities you may need to contact if an incident occurs
Distinguishing security incidents from breaches
• Not all “security incidents” are breaches, but all breaches are security incidents.
• Why does it matter? Typically, if there is a “breach,” consumers must be notified.
• All 50 states now have breach-notification laws, and they define “breach” differently. Many require a risk of “harm” before an incident is treated as a “breach.”
• Example: Under HIPAA/HITECH the term “security incident” means “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Note that this definition covers attempts, so a blocked intrusion is still an incident to be logged and reviewed even though it is not a breach.
• More and varied state laws are being considered or enacted on data collection, consumers’ right to be forgotten, and data disposal.
• Colorado, New York and Massachusetts have regulations that spell out data security expectations or standards for businesses serving consumers in their states (or commonwealth), regardless of where the businesses are located.
Thank you, and some resources
• A self-assessment tool: NIST Special Publication 800-66 was designed around industry standards and applied in a healthcare context (implementing the HIPAA Security Rule), but it is a reasonable starting place.
• The laws passed or under consideration by the states are compiled by the National Conference of State Legislatures at www.ncsl.org