Friday, September 28, 2007

Lose Your Customer or Employee Data?

by Rick Kam

Eric McNulty authored a Harvard Business Review case study in September 2007 called "Boss, I Think Someone Stole Our Customer Data".

In this HBR case study, McNulty illustrates how a small business called Flayton Electronics learns that the security of its customer data has been compromised—and faces tough decisions about what to do next.

90% of organizations lose or have customer data stolen each year (see related blog). If you are one of the 65 million businesses in America and this happens to you, how would you respond?

The most important decision a CEO or Chief Security Officer will make is what to do once they find out this has happened to their organization.

Remain calm. Just because personal protected information may be lost or stolen doesn't mean that the information will be misused by perpetrators to commit ID theft or financial fraud. In many cases, the perpetrator was targeting the laptop to resell it to a pawn shop for a few bucks to buy drugs. But you still have to act quickly to determine whether the information was compromised and do a risk assessment of whether the information could cause harm if it were misused.

There are several questions you have to ask. Here are a few of the key questions:

1. Was the information encrypted or not?
2. If it was encrypted, was the encryption key protected?
3. When did we discover the information was missing or stolen?
4. What information was lost (name, SSN, account numbers, etc.)?
5. Was there evidence to believe there was criminal intent?
6. Did we contact law enforcement?
7. Who knows about the issue?
8. How many records were compromised?

Once you have an initial assessment of the issue, you make a risk assessment, develop a risk mitigation plan, and implement your incident response plan. If all of these sound foreign to you, ask your privacy or compliance officer to do a review of your ability to respond to a data breach.

3 comments:

Anonymous said...

Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your weblog? My blog site is in the very same area of interest as yours and my visitors would really benefit from a lot of the information you present here. Please let me know if this is ok with you. Cheers!


Stop by my web blog: phen375 phentermine

Anonymous said...

Not sure if I should buy a book on this myself, or just read a load of websites. Is there so much to it?



my web site ... bostonmagazine.com

Anonymous said...

Deffo wasn't the response I was predicting.


Also visit my web site :: http://wiki.urospace.de/index.php?title=Benutzer:CecileMcq