Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
Penetrar un servidor unix por el puerto 139 con metasploit
Download to read offline and view in fullscreen.



Download to read offline

White Paper Preventing Privacy and Security Disasters 01

Download to read offline

Related Books

Free with a 30 day trial from Scribd

See all

White Paper Preventing Privacy and Security Disasters 01

  2. 2. We’re in the midst of a crisis in privacy and data security . Billions of passwords stolen. . . Mammoth data breaches. . . Increasing threats. . . Malicious hackers . . . Damaging privacy violations. . . The numbers keep rising. How should organizations be responding? PREVENTING PRIVACY AND SECURITY DISASTERS Second, significant attention must be given to addressing human behavior, which is the biggest data security risk. The best way to address human behavior is through effective training. A study by Forrester that reveals that internal threats are the “leading cause” of data breaches.1 90% of malware requires a human interaction to infect.2 95% of data security incidents involve human error. 3 Because so many employees don't receive sufficient training, they engage in all sorts of risky data security practices. The recipe can be summed up in a simple rhyme: The C-Suite must care The workforce must be aware After reviewing countless data breaches, I’ve come to the conclusion that there are two things that can most help prevent data breaches. First, upper management (often called “the C-Suite”) must truly understand the risks, the law, and the importance of good data security and privacy.
  3. 3. Strong data protection comes from both the top and the bottom. From the top, upper management understands the risks and provides the appropriate resources. From the bottom, all employees at every level know how to do their part to ensure strong data protection. Much more work needs to be done at both the top and the bottom. At the top, the C-Suite needs a better understanding of the risks and the law. And much more can be done to improve workforce awareness. Data Protection Must Be Part of an Organization’s Culture Ultimately, these two things are really about one thing: Data protection must be part of the culture of an organization. Data protection must be felt in the bones of an organization. I say “data protection” because the term encompasses both security and privacy. Both are essential and go hand-in-hand. From the Top and the Bottom PREVENTING PRIVACY AND SECURITY DISASTERS
  4. 4. After an incident, the lawsuits will start coming. Win or lose, these cases can cost millions to litigate. One study found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.5 Under HIPAA, big fines are being issued. Fines can be up to $1.5 million per provision of HIPAA violated. When there’s a breach, HHS’s investigation often turns up quite a number of HIPAA violations, and the fines for these add up. State Attorneys General can enforce HIPAA as well as their own state’s law. There are big state fines. The FCC has been stepping up enforcement and issuing big fines. Although the FTC can only issue fines for some of the laws it enforces, its consent decrees last 20 years and require ongoing auditing and reporting to the FCT – and that can be very expensive! The FTC can issue fines when consent decrees are violated. The Need for More Attention to the Risks and Costs According to a recent survey, at most organizations, only a very small percent of the IT budget goes to data security. 19% spent less than 1% .4 These facts indicate the C-Suite needs to pay a lot more attention to data security officials. Indeed, I think that the C-Suite needs to pay more attention to privacy officials too, because privacy and security go hand-in-hand. There are three big costs of an incident that the C-Suite often fails to appreciate: money, time, and reputation. MONEY PREVENTING PRIVACY AND SECURITY DISASTERS
  5. 5. Reputation Time Incidents are not just solved by writing a check. They take time and sweat. These things are tremendously costly not just in terms of money but also in terms of time. A significant number of important personnel will be tied up dealing with these issues. And even the C-Suite might be tied up too, as they need to deal with the PR fallout and might need to address the matter themselves. TIME REPUTATION PREVENTING PRIVACY AND SECURITY DISASTERS Privacy and data security incidents can tarnish an organization’s reputation. Even if the general public isn't paying attention, an entity’s reputation can suffer with other organizations, which might not share personal data with that entity. And all the regulators will now be paying more attention – the various federal agencies, state AGs, state agencies, international regulators, and so on. Just like having a prior criminal record won't help future encounters with the police, the same is true with having a regulatory violation rap sheet. Soiled Reputation
  6. 6. A recent study found that more than 90% of data breaches could have been avoided.6 There’s a story I see replayed again and again. An organization doesn't take security (or privacy) risks seriously enough. The organization gets burned, and that is the wake up call. The organization then gets serious. There are those who must burn before they learn and those who learn rather than burn. For some, despite all warnings, they just won't step it up until after they get burned. The costs of getting burned are enormous. The cost of preventative measures are minimal in comparison. 1. Grant Hatchimonji, Biggest Data Security Threats Come from Inside, Report Says, PC World (Oct. 13, 2013) 2. Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, Report_daiNA_cta72382.pdf 3. Marcos Colón, "Human Error" Contributes to Nearly all Cyber Incidents, Study Finds, SC Magazine (June 16, 2014) 4. 6th Annual HIMSS Security Survey (Feb.19, 2014 ) 5. Sasha Romanosky, David A. Hoffman, and Alessandro Acquisti, Empirical Analysis of Data Breach Litigation, 11 Journal of Empirical Legal Studies 74 (2014), 6. Online Trust Alliance, 2015 Data Breach and Readiness Guide (Feb. 13, 2015), PREVENTING PRIVACY AND SECURITY DISASTERS Burn Before You Learn or Learn Rather than Burn Sources
  7. 7. About the Author TeachPrivacy was founded by Professor Daniel J. Solove. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience. According to Professor Solove: "Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training must made with genuine passion. " TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. In addition to creating enterprise-wide training, TeachPrivacy has teamed up with the American Health Information Management Association (AHIMA) to produce a series of more advanced courses on the HIPAA Privacy and Security Rules: Professor Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove has taught privacy and security law for 15 years, has published 10 books and more than 50 articles, including the leading textbook on privacy law and a short guidebook on the subject. His LinkedIn blog has more than 890,000 followers: Professor Solove organizes many events per year, including the new Privacy + Security Forum, Oct. 21-23, 2015 in Washington, DC: About TeachPrivacy
  • InformationData

    Jun. 20, 2016
  • kfb1007

    Jun. 1, 2016
  • barryusa

    Apr. 9, 2016
  • firoz_patel

    Sep. 4, 2015
  • anapquinta7

    Apr. 7, 2015
  • jasonli1880

    Apr. 4, 2015
  • MariaWilken

    Mar. 26, 2015
  • nextdayinstalls

    Mar. 25, 2015
  • RyanKopf

    Mar. 24, 2015
  • monsse89

    Mar. 24, 2015
  • aidandsouza50

    Mar. 24, 2015
  • thuongrr

    Mar. 24, 2015
  • choeungjin

    Mar. 23, 2015
  • hadiaboukhater

    Mar. 23, 2015


Total views


On Slideshare


From embeds


Number of embeds