<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<small><font face="Arial">I agree that no one solution can make a
company secure. Everyone knows that a layered approach is stronger and
does not put all the eggs in one basket. What most people forget when
dealing with compliance ( legal, regulatory, internal, and contractual)
is that many of them are <br>
<br>
1) Start with Senior Management - has to be a top down approach.<br>
2) Based on Risk Management - reduce risk to acceptable levels by risk
mitigation, risk avoidance, risk acceptance, or insurance<br>
3) Must be ongoing and continuous improvement<br>
4) Must be have a return on investment<br>
5) Cannot be cost prohibitive - Cannot expect to spend a million for
preventative measure when the lost of the asset would only cost 100,000<br>
6) Must be documented to allow an independent third-party to come to
the same conclusions. <br>
<br>
Gartner Group and others constantly state that a holistic approach has
to be taken to address the 4 forms of compliance in one process, not a
bunch of individual process, and has to be incorporated into the
culture of the company. How many companies actually do that?<br>
<br>
</font></small><br>
Manny Cho wrote:
<blockquote
cite="mid:3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! [u]</title>
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="country-region">
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City">
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Arial Unicode MS";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style></o:SmartTagType></o:SmartTagType></o:SmartTagType>
<div class="Section1">
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;">I agree with <st1:place w:st="on"><st1:City
w:st="on">Sanford</st1:City></st1:place>
in that this incident (and all of the other loss notices that post
every day to
this site) is indicative of the fact that the idea of “one solution”
or one perfect product is just not a reality today.� <o:p></o:p></span></font></p>
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;"><o:p> </o:p></span></font></p>
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;">I do believe that companies are trying to do
the right
thing and are investing the dollars as best as they can to comply with
the
myriad of privacy and regulatory guidelines (PCI, CISSP, HIPAA, GLB,
SOX, etc) that
govern their day to day business practices. Unfortunately, what the
best
security product / service can not eliminate is the system user (i.e.
the human
factor) – <i><span style="font-style: italic;">which would also
include the
use of independent contractors where we believe a lot of
vulnerabilities exist</span></i>
- and this is why we feel that True Privacy / Security for any company
requires
IT, Human Resources, Finance, Legal and finally insurance to work
together and
implement data security best practices to protect the data, train and
update
their employees and set up contingencies (that include p.r., legal
notices and
insurance) to respond to an event.<o:p></o:p></span></font></p>
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;"><o:p> </o:p></span></font></p>
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;">What can/will be implemented by each company
is a
function of time, money and resources. Having seen a number of
companies go
through these incidents, I can say that those companies that are more
proactive
in their data risk management have reduced their potential third party
liabilities and helped to maintain customer / client loyalty.� <o:p></o:p></span></font></p>
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;"><o:p> </o:p></span></font></p>
<p class="MsoPlainText"><font face="Arial Unicode MS" size="2"><span
style="font-size: 10pt;">The final piece of the puzzle is the
insurance component
- most commonly referred to as Cyber Liability and/or Security and
Privacy
Liability.� In the <st1:place w:st="on"><st1:country-region w:st="on">U.S.</st1:country-region></st1:place>,
there are a number of carriers (10+) providing coverage that can
respond to third
party individual and class action suits for breach of privacy.� Many
policies
will also respond to administrative and regulatory actions for defense
costs and
fines and penalties.� Some will also provide coverage for your expenses
–
p.r., forensics, extra expense, third party monitoring services – due
to
the event.� Like software, each carrier has subtle nuances to their
program,
your broker should work with you to develop the right program to fit
your
individual risk profile.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;">Manny<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><a
moz-do-not-send="true" href="mailto:manny@vrtinsurance.com">manny@vrtinsurance.com</a><o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><a
moz-do-not-send="true" href="http://www.vrtinsurance.com/">www.vrtinsurance.com</a>
– Vantage, Resolve and Trust<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
<div>
<p class="MsoNormal"><font color="navy" face="Times New Roman"
size="3"><span style="font-size: 12pt; color: navy;"><o:p> </o:p></span></font></p>
</div>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
<div>
<div class="MsoNormal" style="text-align: center;" align="center"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">
<hr tabindex="-1" align="center" size="2" width="100%"></span></font></div>
<p class="MsoNormal"><b><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font
face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
<a class="moz-txt-link-abbreviated" href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a> [<a class="moz-txt-link-freetext" href="mailto:dataloss-bounces@attrition.org">mailto:dataloss-bounces@attrition.org</a>] <b><span
style="font-weight: bold;">On Behalf Of </span></b>macadamiamac<br>
<b><span style="font-weight: bold;">Sent:</span></b> Thursday, March
20, 2008
6:15 PM<br>
<b><span style="font-weight: bold;">To:</span></b> Sasha Romanosky<br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>
<b><span style="font-weight: bold;">Subject:</span></b> Re:
[Dataloss] rant:
Abandon Ship! Data Loss Ahoy!</span></font><o:p></o:p></p>
</div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"> A Qualsys (a good
system) - or equivalent installation, insurance and whatever other
components a
business may implement to protect its PII data is not a set it and
forget
it procedure. Kryptonite proof it ain't. No system is 100% immune from
all risk.<o:p></o:p></span></font></p>
</div>
<div><x-tab>
</x-tab>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"> A savvy CTSO, with
the cooperation and support of senior management will implement all of
the
components: training its personnel, hard and software firewalls,
changing
passwords periodically, encrypting data in use, purging data no longer
needed,
periodic random testing of the system, and whatever else to reduce risk
of data
loss - internal and external.<o:p></o:p></span></font></p>
</div>
<div><x-tab>
</x-tab>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"> An even smarter
management team will have all of the foregoing incorporated into its
culture
and have on deck 1)a breach management plan; 2)notification and PR
templates;
3) a recovery plan; and, 4) a re$erve or insurance.<o:p></o:p></span></font></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<div><x-tab>
</x-tab>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"> There are federal
regulations - [see FTC 12 CFR � 315 et. seq. of the FACT Act], becoming
effective in November 2008 that mandate that financial institutions,
their
providers and anyone else who deals with consumer credit (and the PII
data
necessary to conduct their business), implement a host of must dos or
face
penalties.<o:p></o:p></span></font></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<div><x-tab>
</x-tab>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"> A not in compliance
business that suffers a breach will be subject to:<o:p></o:p></span></font></p>
</div>
<div>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="3"><x-tab><span style="font-size: 12pt; color: black;">
</span></x-tab>* Civil Liability - Actual damages sustained if
identity is stolen as a
result of corporate inaction or statutory damages up to $1,000 per
affected
individual;</font><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="3"><x-tab><span style="font-size: 12pt; color: black;">
</span></x-tab>* Class-Action Lawsuits - If large numbers of
individuals are affected,
they may be able to bring class-action suits and get punitive damages; </font><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="3"><x-tab><span style="font-size: 12pt; color: black;">
</span></x-tab>* Federal Fines - Up to $2,500 for each violation; and </font><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="3"><x-tab><span style="font-size: 12pt; color: black;">
</span></x-tab>* State Fines - Up to $1,000 for each violation
depending upon
jurisdiction.</font><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<div><x-tab>
</x-tab>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"> So maybe a little
insurance isn't such a bad idea, n'est pas?<o:p></o:p></span></font></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<div>
<p class="MsoNormal"><st1:City w:st="on"><st1:place w:st="on"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">Sanford</span></font></st1:place></st1:City>
Lung<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><st1:City w:st="on"><st1:place w:st="on"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">Honolulu</span></font></st1:place></st1:City>
(yes, there are ID fraudsters in paradise)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="2"><span
style="font-size: 10pt;"><a class="moz-txt-link-freetext" href="http://www.identitysafeguards.com">http://www.identitysafeguards.com</a></span></font><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<div class="MsoNormal" style="text-align: center;" align="center"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">
<hr align="center" size="2" width="100%"></span></font></div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;" type="cite"
cite="">
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;">Whoops, wrote too soon:<br>
<br>
<a class="moz-txt-link-freetext" href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207">http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207</a>,<br>
00.html<br>
(Thanks to a student post for pointing this out.)<br>
<br>
<br>
> -----Original Message-----<br>
> From: Sasha Romanosky [<a class="moz-txt-link-freetext" href="mailto:sromanos@andrew.cmu.edu">mailto:sromanos@andrew.cmu.edu</a>]<br>
> Sent: Thursday, March 20, 2008 6:27 PM<br>
> To: '<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>'<br>
> Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!<br>
><br>
><br>
> To my knowledge, this firm in <st1:country-region w:st="on"><st1:place
w:st="on">Canada</st1:place></st1:country-region> is the one that
offers<br>
> data breach insurance:<br>
><br>
> From SANS NewsBites Vol. 10 Num. 22:<br>
> --Canadian Firm to Offer Data Breach Insurance (March 13,<br>
> 2008) As data security breaches appear more and more<br>
> frequently in the news, at least one Canadian insurance<br>
> company is starting to offer a product that would cover costs<br>
> incurred by companies when they have suffered a data privacy<br>
> breach. The policy would cover the cost of fixing computer<br>
> damage as well as costs associated with customer notification<br>
> and reimbursement and compensation paid to credit card<br>
> companies for losses from fraud. The coverage is structured<br>
> to address Canadian data privacy laws.<br>
> <a class="moz-txt-link-freetext" href="http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINS">http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINS</a><br>
> URANCE13/TPStory/Business<br>
><br>
> [Editor's Note (Schultz): Insurance against security<br>
> incidents in general has not caught on all that well in the<br>
> information security arena for a number of reasons. However,<br>
> this new type of insurance is likely to fare much better<br>
> because of the widespread concern about and high likelihood<br>
> of data security breaches.]<br>
><br>
> cheers,<br>
> sasha<br>
> <a class="moz-txt-link-abbreviated" href="http://www.romanosky.net">www.romanosky.net</a><br>
><br>
> > -----Original Message-----<br>
> > From: <a class="moz-txt-link-abbreviated" href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a><br>
> > [<a class="moz-txt-link-freetext" href="mailto:dataloss-bounces@attrition.org">mailto:dataloss-bounces@attrition.org</a>] On Behalf Of Kevin
McPoyle<br>
> > Sent: Thursday, March 20, 2008 6:00 PM<br>
> > To: Chris Walsh; Tracy Blackmore<br>
> > Cc: <a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>
> > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!<br>
> ><br>
> > What I find interesting is the recognition among the readers
and<br>
> > pundits that this is an imperfect world with respect to
security. <o:p></o:p></span></font></p>
</blockquote>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;" type="cite"
cite="">
<p class="MsoNormal" style="margin-bottom: 12pt;"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">>
> With that in
mind, I'm unclear as to why organizations<br>
> don't transfer<br>
> > a portion of this risk to others through an insurance
product?
It<br>
> > seems rational and clearly represents some mitigating of a
scenario<br>
> > that will happen, not if, when. Policies are readily
available,<br>
> > negotiable and clearly a deal compared to other costs. No<br>
> one like to<br>
> > "waste" money on insurance...until there is a claim.
The<br>
> supermarket<br>
> > had D&O with which to fend off the legal dogs.<br>
> > Why don't they have a "cyber" policy?<br>
> > Whose making these good decisions?<br>
> ><br>
> > -----Original Message-----<br>
> > From: <a class="moz-txt-link-abbreviated" href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a><br>
> > [<a class="moz-txt-link-freetext" href="mailto:dataloss-bounces@attrition.org">mailto:dataloss-bounces@attrition.org</a>] On Behalf Of Chris
Walsh<br>
> > Sent: Thursday, March 20, 2008 5:49 PM<br>
> > To: Tracy Blackmore<br>
> > Cc: <a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>
> > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!<br>
> ><br>
> > IANAL, but this question of "due diligence" and comparing<br>
> oneself to<br>
> > one's competitors begs the question -- what harm (in the<br>
> legal sense)<br>
> > has been done here to anyone whose CC or debit card # was
revealed?<br>
> > Does your answer vary depending on whether there was fraud<br>
> associated<br>
> > with that card #?<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Dataloss Mailing List (<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br>
> > <a class="moz-txt-link-freetext" href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>
> ><br>
> > Tenable Network Security offers data leakage and compliance<br>
> > monitoring solutions for large and small networks. Scan your<br>
> > network and monitor your traffic to find the data needing<br>
> > protection before it leaks out!<br>
> > <a class="moz-txt-link-freetext" href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a><br>
> > _______________________________________________<br>
> > Dataloss Mailing List (<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br>
> > <a class="moz-txt-link-freetext" href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>
> ><br>
> > Tenable Network Security offers data leakage and compliance<br>
> > monitoring solutions for large and small networks. Scan your<br>
> > network and monitor your traffic to find the data needing<br>
> > protection before it leaks out!<br>
> > <a class="moz-txt-link-freetext" href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a><br>
> ><br>
> ><br>
<br>
_______________________________________________<br>
Dataloss Mailing List (<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br>
<a class="moz-txt-link-freetext" href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>
<br>
Tenable Network Security offers data leakage and compliance monitoring<br>
solutions for large and small networks. Scan your network and monitor
your<br>
traffic to find the data needing protection before it leaks out!<br>
<a class="moz-txt-link-freetext" href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a><br>
<br>
<o:p></o:p></span></font></p>
</blockquote>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Dataloss Mailing List (<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)
<a class="moz-txt-link-freetext" href="http://attrition.org/dataloss">http://attrition.org/dataloss</a>
Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
<a class="moz-txt-link-freetext" href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin <a class="moz-txt-link-freetext" href="http://www.linkedin.com/pub/1/b89/433">http://www.linkedin.com/pub/1/b89/433</a>
Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their associated attachments for viruses prior to opening.
This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions.
This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly requested to inform us of this and to destroy the message.</pre>
</body>
</html>