Identity theft is the unauthorized acquisition of a person's personally identifiable information (PII). The unauthorized acquisition may occur if the person does not follow individual security best practices. It may also occur if an organization that stores the PII does not have sufficient or effective security controls.
According to the Health Insurance Portability and Accountability Act (HIPAA), there are 18 forms of information that can personally identify an individual. These include a person's name, address, birth date, age (if over 89), e-mail address, Social Security number, account number, license number, Internet Protocol (IP) address, etc.
Instead of working hard to get PII, a thief may turn to a hacker for assistance. Data breaches are one of the main sources of identity fraud. In 2013, one in three people who received notification of a data breach discovered that their identities had been used for fraudulent purposes.
Security Breach Protection
Businesses are subject to a wide range of threats, including identity theft and security breaches. A security breach is defined as the compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in unauthorized acquisition of sensitive PII, or access to sensitive PII for an unauthorized purpose. Altius IT recommends that organizations take the following steps to reduce their risk of security breaches and identity theft.
CSO. Appoint a Chief Security Officer (CSO) who oversees physical security and information security (cyber security) for the organization.
Inventory. Know your sensitive data: where it is entered, transmitted, and stored, and the appropriate disposal procedures. Create charts and other documents that record the flow of sensitive information through the organization.
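The inventory step is easier to start with a scanner that finds the structured identifiers the article lists (Social Security numbers, e-mail addresses, IP addresses, and similar) in each data store and reports which fields carry them. The following is an added example written for this page, not Altius IT's own tooling; the store names, record layouts and sample values are constructed, and the regular expressions are intentionally simple candidate matchers rather than validated detectors.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Regular expressions for a handful of the identifier categories named in the text
# (Social Security number, e-mail address, IP address, plus phone numbers and dates).
# They are deliberately simple: a production scanner adds validation rules to cut
# false positives, and a human still reviews every hit before it goes on the chart.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


@dataclass
class Finding:
    store: str        # hypothetical data store name, e.g. "crm_db"
    record_id: str
    field_name: str
    category: str     # key of PII_PATTERNS that matched


def scan_record(store: str, record: dict) -> List[Finding]:
    """Return one Finding per (field, category) pair that matches in a record."""
    findings = []
    record_id = str(record.get("id", "?"))
    for field_name, value in record.items():
        if not isinstance(value, str):
            continue
        for category, pattern in PII_PATTERNS.items():
            if pattern.search(value):
                findings.append(Finding(store, record_id, field_name, category))
    return findings


def build_inventory(stores: Dict[str, List[dict]]) -> Dict[str, Dict[str, Set[str]]]:
    """Map store -> field -> categories found: the raw material for a data-flow chart."""
    inventory: Dict[str, Dict[str, Set[str]]] = {}
    for store, records in stores.items():
        for record in records:
            for f in scan_record(store, record):
                inventory.setdefault(store, {}).setdefault(f.field_name, set()).add(f.category)
    return inventory


def redact(text: str) -> str:
    """Mask every identifier so a log line or export no longer carries it."""
    for category, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample stores; none of these values belong to a real person.
SAMPLE_STORES = {
    "crm_db": [
        {"id": 1, "name": "Jane Example", "email": "jane@example.com",
         "notes": "called back at 555-123-4567"},
        {"id": 2, "name": "John Example", "email": "john@example.org",
         "notes": "no open issues"},
    ],
    "hr_export": [
        {"id": 3, "name": "Jane Example", "ssn": "123-45-6789", "dob": "1980-02-14"},
    ],
    "web_access_log": [
        {"id": "l1", "line": "10.0.0.7 GET /account 200"},
    ],
}


if __name__ == "__main__":
    for store, fields in sorted(build_inventory(SAMPLE_STORES).items()):
        for field_name, categories in sorted(fields.items()):
            print(f"{store}.{field_name}: {', '.join(sorted(categories))}")
    print(redact("lookup 123-45-6789 from 10.0.0.7"))
```

Running it lists, per store, which fields hold which identifier category, which is exactly what the data-flow chart needs. Note what the regex approach misses: the `name` fields are never flagged, because names and postal addresses have no fixed shape; those are found from schema review or dictionary matching, not pattern matching. The `redact` helper shows the flip side of the inventory, stripping identifiers from lines that are about to be logged or exported.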
Risk management. Prepare a risk assessment that identifies your assets, the threats to those assets, and the vulnerabilities those threats could exploit. Prepare a risk analysis that identifies the likelihood of each event and its impact on the organization. Prepare a Risk Treatment Plan with preventive, detective, and corrective controls that treat the identified risks.
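The assessment, analysis and treatment plan above fit naturally into a small risk register. What follows is an added example, not part of the original article or any Altius IT product: it uses a three-point likelihood and impact scale (the scales, tolerance threshold and the way each control is credited are assumptions of this example), scores each risk before and after its controls, and flags which of the three control kinds is still missing when the residual risk is above tolerance. The assets, threats and controls in the register are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Three-point scales for likelihood and impact; the score is their product (1..9).
LEVELS = {"low": 1, "medium": 2, "high": 3}
CONTROL_KINDS = ("preventive", "detective", "corrective")


@dataclass
class Control:
    name: str
    kind: str                       # one of CONTROL_KINDS
    likelihood_reduction: int = 0   # scale steps removed from likelihood
    impact_reduction: int = 0       # scale steps removed from impact


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                 # key of LEVELS
    impact: str                     # key of LEVELS
    controls: List[Control] = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Risk analysis step: likelihood x impact before any control is credited."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def residual_score(risk: Risk) -> int:
    """Re-score after crediting each control's reduction, never dropping below 1."""
    likelihood = LEVELS[risk.likelihood]
    impact = LEVELS[risk.impact]
    for control in risk.controls:
        likelihood = max(1, likelihood - control.likelihood_reduction)
        impact = max(1, impact - control.impact_reduction)
    return likelihood * impact


def treatment(risk: Risk, tolerance: int = 2) -> str:
    """Risk Treatment Plan entry: accept within tolerance, otherwise name the gap."""
    if residual_score(risk) <= tolerance:
        return "accept"
    present = {c.kind for c in risk.controls}
    missing = [k for k in CONTROL_KINDS if k not in present]
    if missing:
        return "treat: add " + ", ".join(missing)
    return "treat: strengthen existing controls"


def ranked(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first, so treatment effort goes where it matters."""
    return sorted(register, key=residual_score, reverse=True)


# Constructed register for a hypothetical organization; assets and controls are illustrative.
REGISTER = [
    Risk("customer PII database", "credential theft", "admin portal without MFA",
         "high", "high",
         [Control("password policy", "preventive", likelihood_reduction=1)]),
    Risk("backup tapes", "loss in transit", "tapes leave the building",
         "medium", "high",
         [Control("tape encryption", "preventive", impact_reduction=2),
          Control("chain-of-custody log", "detective")]),
    Risk("public web server", "malware infection", "unpatched web application",
         "high", "medium",
         [Control("monthly patching", "preventive", likelihood_reduction=1),
          Control("intrusion detection", "detective"),
          Control("incident response plan", "corrective", impact_reduction=1)]),
]


if __name__ == "__main__":
    for risk in ranked(REGISTER):
        print(f"{risk.asset:24} inherent={inherent_score(risk)} "
              f"residual={residual_score(risk)} -> {treatment(risk)}")
```

The design choice worth noticing is that a control is credited against likelihood or against impact, not both by default: patching lowers how often an event happens, encryption lowers what an event costs. That is why the tape risk is accepted even though the tapes still leave the building, which matches the article's later point that encrypted data which is lost is presumed to carry no reasonable risk. The PII database stays at the top of the list because a single preventive control leaves it with no way to detect or recover from a compromise.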
Policies. Prepare and implement policies, plans, forms, and related controls that provide top-down security guidance and direction.
Safeguards. Implement administrative, physical, and technical safeguards and controls that reduce risks to acceptable levels. Controls include passwords, software patching, firewalls, anti-malware software, logging and monitoring systems, network segmentation, wireless network security, incident response plans, intrusion detection and prevention systems, security training, restricted physical access to facilities, etc.
Compliance. Many state and federal data breach laws exist. The CSO and/or a compliance officer should be aware of data breach requirements and regulations. Procedures should be established to:
- Identify personally identifiable information (PII) that is collected, used, accessed, transmitted, stored, or disposed of.
- Document how the organization uses PII and ensure that PII collected for one purpose cannot be misused for a different purpose. Implement controls to securely store PII.
- Notify consumers of a security breach within 30 days of its discovery. Such notice may be provided by telephone, in writing, or via e-mail (if the individual consented to receive such notice).
- Provide notice to the media in any state where more than 5,000 residents were the subject of the breach.
- Customer breach notification must include a description of the type of breach, a toll-free number that individuals may use to contact the company, and contact information for the major credit reporting agencies and the Federal Trade Commission (FTC).
- Identify instances where the organization must also provide breach notification to the Department of Homeland Security.
- Document instances where the organization is exempted from notification requirements, for example where a risk assessment determined that a security breach did not (and will not in the future) result in harm to the individuals whose information was breached. Risk assessments must be conducted according to standards generally accepted by experts in the field of information security and must involve logging data for at least six months prior to submitting the assessment. In addition, a company invoking the risk assessment exemption must notify the FTC of its exemption along with the results of the risk assessment performed. Situations where there is a presumption that no reasonable risks exist include: the breached data was rendered unusable, unreadable, or indecipherable through a security technology (e.g. encryption) or methodology generally accepted in the information security industry.
- Remove unnecessary PII and take measures to protect PII that must be shared.
Security audit. Contact a Certified Information Systems Auditor to perform a security audit of your environment to ensure the safeguards and controls are sufficient and effective. Typical audits include:
Summary
Leading organizations use a formal approach to managing risks related to identity theft and security breaches. Security audits help ensure security controls are sufficient and effective at detecting and preventing security breaches. Formal, documented policies ensure a top-down approach to managing network security risks.
Tags: identity theft | id theft | identity fraud | data breach | cybersecurity