Identity Theft - Protect Customer Information
Identity theft is the unauthorized acquisition of a person's personally identifiable information (PII). The unauthorized acquisition may occur because the person does not follow individual security best practices. It may also occur because an organization that stores the PII does not have sufficient or effective security controls.
According to the Health Insurance Portability and Accountability Act (HIPAA), there are 18 forms of information that can personally identify an individual. These include a person's name, address, birth date, age (if over 89), e-mail address, Social Security number, account number, license number, Internet Protocol (IP) address, etc.
Instead of working hard to collect PII, a thief may turn to a hacker for assistance. Data breaches are one of the main sources of identity fraud. In 2013, one in three people who received notification of a data breach discovered that their identity had been used for fraudulent purposes.
Security Breach Protection
Businesses are subject to a wide range of threats, including identity theft and security breaches. A security breach is defined as the compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in unauthorized acquisition of sensitive PII, or access to sensitive PII for an unauthorized purpose. Altius IT recommends that organizations take the following steps to reduce their risk of security breaches and identity theft.
CSO. Appoint a Chief Security Officer (CSO) who oversees physical security and information security (cyber security) for the organization.
Inventory. Know your sensitive data: where it is entered, transmitted, and stored, and how it is disposed of. Create data flow diagrams and other documents that record how sensitive information moves through the organization.
Risk management. Prepare a risk assessment that identifies your assets, the threats to those assets, and the vulnerabilities those threats could exploit. Prepare a risk analysis that identifies the likelihood of each event and its impact on the organization. Prepare a Risk Treatment Plan with preventive, detective, and corrective controls that treat the identified risks.
Policies. Prepare and implement policies, plans, forms, and related controls that provide top-down security guidance and direction.
Safeguards. Implement administrative, physical, and technical safeguards and controls that reduce risks to acceptable levels. Controls include passwords, software patching, firewalls, anti-malware software, logging and monitoring systems, network segmentation, wireless network security, incident response plans, intrusion detection and prevention systems, security training, restricted physical access to facilities, etc.
Compliance. Many state and federal data breach laws exist. The CSO and/or a compliance officer should be aware of data breach requirements and regulations. Procedures should be established to:
- Identify personally identifiable information (PII) that is collected, used, accessed, transmitted, stored, or disposed of.
- Document how the organization uses PII and ensure that PII collected for one purpose cannot be misused for a different purpose. Implement controls to securely store PII.
- Notify consumers of a security breach within 30 days of its discovery. Such notice may be provided by telephone, in writing, or via e-mail (if the individual consented to receive such notice).
- Provide notice to the media in any state where more than 5,000 residents were the subject of the breach.
- Customer breach notification must include a description of the type of breach, a toll-free number that individuals may use to contact the company, and contact information for the major credit reporting agencies and the Federal Trade Commission (FTC).
- Identify instances where the organization must also provide breach notification to the Department of Homeland Security.
- Document instances where the organization is exempted from notification requirements, for example where a risk assessment determined that a security breach did not (and will not in the future) result in harm to the individuals whose information was breached. Risk assessments must be conducted according to standards generally accepted by experts in the field of information security and must involve logging data for at least six months prior to submitting the assessment. In addition, a company invoking the risk assessment exemption must notify the FTC of its exemption along with the results of the risk assessment performed. Situations where there is a presumption that no reasonable risk exists include: the breached data was rendered unusable, unreadable, or indecipherable through a security technology (e.g. encryption) or methodology generally accepted in the information security industry.
- Remove unnecessary PII and take measures to protect PII that must be shared.
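The compliance steps above can be turned into a repeatable triage procedure that an incident response team runs as soon as a breach is confirmed. The following Python script is an added example, not a tool from Altius IT; it encodes only the rules stated in this article (PII identification against the HIPAA-style identifiers listed above, the 30-day consumer notice window, media notice where more than 5,000 residents of one state are affected, and the exemption where the data was rendered unreadable by encryption) and treats the field names, the `Breach` record and all sample data as constructed assumptions. Whether a particular statute actually applies to a particular organization is a question for the CSO and compliance officer; the script only makes the decision path explicit and auditable.

```python
"""Breach-notification triage helper (added example; constructed data).

Encodes the notification rules as stated in the article:
  * consumer notice within 30 days of discovery when readable PII was exposed,
  * media notice in every state where more than 5,000 residents are affected,
  * exemption when all exposed PII was rendered unreadable (e.g. encrypted),
    which must be documented and reported to the FTC.
Field names and thresholds are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Column names assumed to map to identifiers the article lists as PII.
PII_FIELDS = {"name", "address", "birth_date", "email", "ssn",
              "account_number", "license_number", "ip_address"}

# Elements the article says every customer notice must contain.
REQUIRED_NOTICE_ELEMENTS = ("breach_description", "toll_free_number",
                            "credit_agency_contacts", "ftc_contact")


@dataclass
class Breach:
    discovered: date
    fields_exposed: Set[str]       # columns present in the compromised data set
    encrypted_fields: Set[str]     # columns protected by encryption whose key was NOT exposed
    affected_residents: List[str]  # one state code per affected individual (constructed)


@dataclass
class NotificationPlan:
    consumer_notice_required: bool
    consumer_notice_deadline: Optional[date]
    media_notice_states: List[str]
    readable_pii: List[str]
    exempt_reason: Optional[str]


def readable_pii(breach: Breach) -> List[str]:
    """PII columns an attacker can actually read: exposed, and not encrypted."""
    exposed_pii = breach.fields_exposed & PII_FIELDS
    return sorted(exposed_pii - breach.encrypted_fields)


def triage(breach: Breach, media_threshold: int = 5000,
           consumer_days: int = 30) -> NotificationPlan:
    """Decide which notifications the article's rules call for."""
    exposed_pii = breach.fields_exposed & PII_FIELDS
    if not exposed_pii:
        return NotificationPlan(False, None, [], [],
                                "no PII among the compromised fields")
    readable = readable_pii(breach)
    if not readable:
        # Safe-harbour style exemption: data unreadable due to encryption.
        # The article requires documenting this and notifying the FTC.
        return NotificationPlan(False, None, [], [],
                                "all exposed PII rendered unreadable by "
                                "encryption; document exemption and notify FTC")
    deadline = breach.discovered + timedelta(days=consumer_days)
    per_state = Counter(breach.affected_residents)
    media_states = sorted(s for s, n in per_state.items() if n > media_threshold)
    return NotificationPlan(True, deadline, media_states, readable, None)


def notice_is_complete(notice: dict) -> bool:
    """Check a draft customer notice contains every element the article requires."""
    return all(notice.get(k) for k in REQUIRED_NOTICE_ELEMENTS)


if __name__ == "__main__":
    # Constructed incident: exported customer table, nothing encrypted,
    # 6,200 California and 120 New York residents affected.
    sample = Breach(
        discovered=date(2024, 3, 1),
        fields_exposed={"name", "email", "ssn", "order_id"},
        encrypted_fields=set(),
        affected_residents=["CA"] * 6200 + ["NY"] * 120,
    )
    plan = triage(sample)
    print(f"consumer notice required: {plan.consumer_notice_required}")
    print(f"deadline: {plan.consumer_notice_deadline}")
    print(f"media notice in: {plan.media_notice_states}")
    draft = {"breach_description": "exported customer table", "toll_free_number": "",
             "credit_agency_contacts": "Equifax/Experian/TransUnion", "ftc_contact": "ftc.gov"}
    print(f"draft notice complete: {notice_is_complete(draft)}")
```

Running the script with the constructed incident reports that consumer notice is due by 31 March 2024, that media notice is required in CA only (NY is below the 5,000-resident threshold), and that the draft notice is incomplete because the toll-free number is empty. Changing `encrypted_fields` to cover every PII column flips the result to the encryption exemption, which the plan records as a reason that must be documented and reported to the FTC rather than silently dropped.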
Security audit. Engage a Certified Information Systems Auditor to perform a security audit of your environment and confirm that the safeguards and controls are sufficient and effective. Typical audits include:
- Network security audit - on-site internal audit of network infrastructure and technical controls
- External network security audit - penetration testing of public IP addresses
- Web application security audit - web site security, web software application security
- Social engineering security audit - evaluates effectiveness of staff security training
- Mobile application security audit - evaluates custom mobile software applications
Summary
Leading organizations use a formal approach to managing risks related to identity theft and security breaches. Security audits help ensure that security controls are sufficient and effective at detecting and preventing security breaches. Formal, documented policies ensure a top-down approach to managing network security risks.