Few events can damage a company's reputation and cause the loss of consumer trust faster than the misuse or breach of personal and sensitive data. Once that damage has been done, it is very difficult, time-consuming and resource-intensive to turn the boat around. Over 525 million records containing sensitive personal information have been compromised due to breaches in the last 5 years alone. The Online Trust Alliance (OTA) has just announced the release of their 2011 Data Breach Incident Readiness Guide to outline key questions and recommendations for businesses to consider integrating into their baseline framework.
The OTA’s mission is to develop and advocate best practices and public policies which mitigate emerging privacy, identity and security threats to online services, organizations and consumers, enhancing online trust and confidence. By facilitating an open dialog with industry, business and governmental agencies to work collaboratively, OTA is making progress to address various forms of online abuse, threats and poor security practices.
Depending on your industry, size, and the type of data collected, your requirements may vary, and you should consult with specialists to aid you in planning. This document provides a comprehensive framework, outlining key questions and recommendations to help businesses build breach prevention and incident management practices. OTA has expanded its annual report to address the emerging security and privacy threats impacting businesses throughout the world. With the White House, members of Congress, Commerce Department and the FTC calling for greater privacy controls and breach notifications, the OTA guide represents a significant self-regulatory effort to enhance data stewardship, consumer trust and ultimately the long-term vitality of commerce.
According to the OTA’s 2011 Data Breach Incident Readiness Guide, the true test for organizations and businesses should be the ability to answer key questions such as:
- Do you know what sensitive information is maintained by your company, where it is stored, and how it is kept secure?
- Do you have an incident response team in place ready to respond 24/7?
- Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
- Have you completed an audit of all data collection activities, including cloud services, mobile devices and outsourced services?
- Are you prepared to communicate to customers, partners and stockholders in the event of a breach or data loss incident?
In 2010, over 400 incidents were reported impacting over 26 million records, at a cost to US businesses of over $5.3 billion. Of these, 98% were a result of a server exploit; yet on analysis, 90% were avoidable if the recommendations outlined in the OTA report had been in place. OTA research and industry surveys indicate the data reported is just the tip of the iceberg, as a great majority of breaches continue to occur undetected or unreported. While OTA encourages self-regulation and reporting, the trends outlined in the report suggest the need for broader transparency and self-reporting requirements.
Recommendations for Businesses and Organizations
The OTA Data Breach Incident Readiness Guide aims to raise awareness of the severity of a data breach while helping businesses and organizations prevent and mitigate data security and privacy crises. It walks readers through the key points of designing a Data Incident Plan (DIP), offering insights, prescriptive advice and actionable recommendations for businesses of all sizes. The guide provides pre- and post-incident plan fundamentals, such as creating a 24-hour response team, developing vendor and law enforcement relationships, and ideas for developing crisis communication plans. The OTA readiness guide also gives key insights into the questions that companies need to ask themselves to ensure they are taking all the precautions they can.
Definitely worth the time to read if you are considering building a new response team, or want to update your current practices and plans. Also check out their online resources page: OTA Response Readiness Guide.