If there was ever any doubt about the importance of data security, consider that the total number of breaches does not appear to be slowing down in the least. Since 2005, the total number has grown from about 580 million records in 2011 to about 870 million in 2014, and more than 250 million of those records have occurred from 574 breaches in the financial and insurance services sector, according to Privacy Rights Clearinghouse (https://www.privacyrights.org/data-breach/new).
Add to those concerns the appearance of bugs such as OpenSSL Heartbleed and a relatively new breed of malware that can lock up computer files until a ransom is paid (also known as ransomware).
CAMICO has long advised policyholders about information security issues and the measures that can be taken to address exposures to data breach and identity theft. The Identity Theft and Data Security Resource Center has been a part of the CAMICO Members-only Site (www.camico.com) since 2008, featuring preventive tools such as the "Information Security Checklist" and solutions for remote mobile device security. Also included are articles and War Stories, steps to consider upon breach of client information, and sample client notification letters.
The following "8 Steps to Breach Preparedness" represent a comprehensive approach that can be taken by CPA firms to reduce exposures to data breaches, to prepare for an incident in case it happens, and to mitigate the effects of a breach. It can be used in conjunction with the "Information Security Checklist" and other tools and articles available in the Identity Theft and Data Security Resource Center.
1. Assign individuals to be responsible for your information security program.
Data security coordinators or information security officers implement, supervise and maintain an information security program. The coordinators or officers are also responsible for:
- Regular testing of the program's safeguards
- Evaluating vendors' ability to implement and maintain appropriate security measures to protect personal information, and requiring vendors to implement and maintain appropriate security measures
- Reviewing the scope of the security measures in the program at least annually, or whenever there is a material change in business practices that may implicate the security or integrity of records containing personal information
- Conducting an annual training session on the elements of the program for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information
- Preparing an incident response plan and recruiting/training an incident response team
2. Prepare an Incident Response Plan
An effective incident response plan provides a framework for responding to a data security incident and helps ensure that your resources are used wisely and efficiently. It also helps business-critical services:
- quickly and efficiently recover from security incidents;
- respond in a systematic manner to incidents and carry out all necessary steps to correctly handle an incident;
- prevent or minimize disruption of critical information systems; and
- minimize loss or theft of sensitive or critical information.
The plan will also govern the flow of communications among the stakeholders (internal) and other organizations (e.g., law enforcement agencies and insurance companies). Outline the basic steps of your plan by establishing checklists and clear action items.
Immediately upon discovery of a cyber incident, the following questions usually arise:
- What happened?
- What data was affected?
- How many individuals were affected?
- Should we notify affected individuals immediately?
- Do we have a legal obligation to notify?
- Whom do we notify? Business partners? Law enforcement or regulatory agencies?
The Payment Card Industry Data Security Standards (PCI DSS) do not provide specific data security incident handling requirements; however, each payment card brand may have its own policies and procedures. Failure to follow a payment brand's procedures and reporting deadlines may expose an organization to fines and the risk of losing authorization to process payment card transactions.
Firms of all sizes may need to have a team in place to respond to a data breach. A data breach triggers a number of issues, and the skills necessary to address the various issues are rarely, if ever, found in just one person.
3. Know where client/personal information is stored
Start with a meeting among key staff members—those who may work with "Customer Information" as defined by law and regulations, regardless of its source. Key players may include legal, human resources, IT, marketing and other personnel with the firm.
There are two basic parts to document security:
- confidentiality of client and firm data while in transit (inbound and outbound sources of confidential information, and all methods of communicating such information); and
- data security when residing with the firm or in the cloud.
4. Prepare information security policies and procedures
An effective information security program satisfies the provisions of state and/or federal regulations. Some state regulations require such programs to be in writing. The development of each program will take into account:
- the size, scope and type of business obligated to safeguard the personal information,
- the amount of resources available,
- the amount of stored data, and
- the need for security and confidentiality of both client and employee information.
The program addresses issues such as scope, risks, potential damage, sufficiency of existing safeguards, design and implementation of additional safeguards, and monitoring of the effectiveness of safeguards.
Safeguards for limiting internal risks should address issues such as:
- Personal information limited to that amount reasonably necessary to accomplish legitimate business purposes, or necessary to comply with other state or federal regulations.
- Access to records containing personal information limited to those persons who are reasonably required to know such information in order to accomplish legitimate business purposes or to enable compliance with other state or federal regulations.
- Electronic access to user identification after multiple unsuccessful attempts to gain access to be blocked. CAMICO recommends remote mobile device security measures including the ability to "kill" the device.
- Access to personal information to be restricted to active users and active user accounts only.
- Access to electronically stored personal information to be electronically limited to those employees having unique login ID.
- All security measures to be reviewed at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Current employees' user IDs and passwords to be changed periodically; require "strong" passwords.
- Employees to report any suspicious or unauthorized use of customer or client information.
- Whenever there is an incident that requires notification under a state or federal data breach notification law, an immediate post-incident review of the events and actions taken, if any, with a view to determining whether any changes in security practices are required to improve the security of personal information.
- Employees prohibited from keeping open files containing personal information on their desks when they are not at their desks. At the end of the workday, all files and other records containing personal information must be secured in a manner that is consistent with the firm's rules for protecting the security of personal information.
- Visitors' access to be restricted to one entry point for each building in which personal information is stored, and visitors required to present a photo ID, sign in and wear a plainly visible guest badge or tag. Visitors not be permitted to visit unescorted any area within the premises that contain personal information.
- Paper or electronic records (including records stored on hard drives or other electronic media) containing personal information to be destroyed in a manner that complies with state law.
Safeguards for limiting external risks should address issues such as:
- up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, installed on all systems processing personal information
- all personal information stored on laptops or other mobile devices to be encrypted, as must all records and files transmitted across public networks or wirelessly, to the extent technically feasible. Encryption means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key. State or federal regulation may define encryption even further.
- All computer systems monitored for unauthorized use of or access to personal information.
- Secure user authentication protocols in place, including:
- Protocols for control of user IDs and other identifiers
- A reasonably secure method of assigning and selecting passwords, or the use of unique identifier technologies, such as biometrics or token devices
- Control of data security passwords to ensure that such passwords are kept in a secure location
- Use two-factor authentication whenever feasible or necessary under the circumstances
- Protocols for control of user IDs and other identifiers
5. Conduct risk assessments
The scale and complexity of a firm's operations, and the scope and nature of its activities, will affect the nature of the threats the firm will face. The risk assessment also should address the reasonably foreseeable risks to: client information stored on systems owned or managed by service providers, and client information disposed of by the firm's service providers.
A risk assessment should also evaluate the potential damage from the threats identified. A firm should also consider its ability to identify unauthorized changes to client records, and take into consideration its ability to reconstruct the records from duplicate records or backup information systems. The designated lead (e.g., a data security coordinator, managing partner) should ensure that the following steps are performed:
- Review and identify all sources of confidential information. This may include employee information, payroll data, medical information, business plans, customer usernames/passwords, customer personal data, business partner data, and other corporate-confidential information.
- Develop an inventory checklist for the information and update at regular intervals.
- Identify all policies and procedures that could impact existing security controls.
- Identify all methods of disposing of confidential/customer information.
- Identify all methods for communication of confidential information, include FAX transmissions, email, Internet, etc.
- All sources of confidential information and all methods of communicating such information should have a corresponding team member who understands the technical and operational issues related to that information or means of communication.
National Institute of Standards and Technology (NIST) Publication 800-30, Guide for Conducting Risk Assessments, which provides guidance for (a) preparing for the assessment, (b) conducting the assessment, (c) communicating the results of the assessment, and (d) maintaining the assessment.
6. Implement mitigation measures
Mitigation measures or safeguards minimize the threat or risk associated with each type and location of confidential information. Some safeguards are simple, while others are more complex. (See preceding "4. Prepare information security policies and procedures." "Internal Risks," "External Risks.")
Data destruction needs to be consistent with the law, your document retention policy, and any preservation obligations you may have. Many states have laws governing the destruction of confidential personal information.
Evaluate all policies and procedures, including disposal policies and practices, for weaknesses or other deficiencies in existing security controls.
- Prioritize the risks to be addressed starting with the highest risks.
- dentify controls that will mitigate each risk to an acceptable level. Consider:
- Administrative controls (policies and procedures)
- Physical controls (ways to prevent the unauthorized disclosure of confidential information)
- Technical controls (using technology, like encryption, to reduce risk)
- Cost (some regulatory schemes allow the consideration of cost in the mitigation/control analysis)
- Administrative controls (policies and procedures)
- Select the preferred control/mitigation alternative for each source of risk.
- Develop a plan to implement each control/mitigation measure.
- Develop a process to monitor risk sources and risk mitigation controls.
- Mitigate each risk to an acceptable level.
7. Review and update risk assessment, mitigation measures, policies and procedures
Your risk assessment and mitigation measures will change over time. You should have a written procedure to review and update the risk assessment, mitigation measures, policies, plans and procedures to respond to changes in your operations, experience or working environment. Under some regulatory schemes, this is not optional.
Your procedure must be customized to your needs and environment. Consider the following suggestions when preparing your procedure:
- Select two dates each year, approximately six months apart, to review your risk assessment table. Discuss any changes to your operations, experience or environment that may translate into a need to modify the risk assessment and mitigation controls.
- Incorporate into your operational process a trigger to notify your data security coordinator or managing partner when there are changes in administrative procedures, information systems, etc. The coordinator or partner, after consulting with others, will evaluate if there is a need to modify the risk assessment and/or mitigation controls.
8. Train your workforce
Managing your data security risks means managing your "weakest links"—employees who inadvertently click on the wrong hyperlink or open a file from an unknown or untrusted source, thereby opening a door to your firm's client and/or confidential information. Training is critical in at least two areas: (a) policies/procedures, and (b) recognizing and avoiding potential threats. All of the policies, plans, and procedures will do little good if people do not know about them or how to implement them.
Training all staff, including management, on how to avoid, detect, and effectively report cyber-incidents is essential to reducing your risk profile. Your policies and procedures will change to keep up with the evolving nature of data security threats and regulatory changes. Accordingly, your training will change, too.
Every person in your firm plays an important role in the security of the firm's computer network, electronically stored personal data, and employee privacy.
NIST Special Publication 800-50 - Building an Information Technology Security Awareness and Training Program; and NIST Special Publication 800-16 - Information Technology Security Training Requirements: A Role- and Performance-Based Model
NAS Insurance Services, Encino, Calif., contributed content to this list. For more information visit the Identity Theft and Data Security Resource Center on the CAMICO Members-only Site (www.camico.com).
As always, CAMICO policyholders can call 1.800.652.1772 or email the Loss Prevention department at firstname.lastname@example.org with any questions.