Building an Information Security Program Jane Martinsons, PRISM International staff writer


We’ve all heard the news reports of data breaches that seem to grow exponentially in size and impact with each transgression.


• In August 2014, a computer security service in Milwaukee, WI, reportedly found that a Russian group hacked 1.2 billion usernames and passwords belonging to more than 500 e-mail addresses.


• Earlier in 2014, hackers breached the networks of or used malware to access the point of sale (POS) systems at Neiman Marcus and Michaels Stores, Inc.


• Human error was to blame for a breach at Goldman Sachs in June 2014, when a contractor sent an e-mail to the wrong address.


• In December 2013, hackers breached Target’s network, stealing credit card and debit card information from 40 million customers. The data breach reportedly cost Target $148 million. The same month hackers breached the network of JPMorgan Chase & Co.


According to Peter Guffin and Kyle Glover, attorneys at Pierce Atwood LLP, who will speak at the 2014 PRISM International Data Protection Conference in Rosemont, IL, there were 411 reported data breaches in the United States from January 1 to July 22, 2014, marking a 20.5% increase over the same period in 2013. The total number of records exposed in the first quarter of 2014 exceeded 176 million, a 46% increase compared with the same period in 2013.


The Information Security Program


What can RIM companies do to protect themselves from breaches? The first step is for companies to devise and implement an information security program, Glover said.


“More than ever, information security is an important thing for records and information (RIM) companies to think about and take very seriously,” he said. “There are more risks to data and more people who care about what happens to data than ever before. Regulators are very concerned about it, and they can impose hefty fines and require long-term oversight over a company if it looks like the breach was due to inadequate security at that company.


“The best way to avoid this is to do everything you can upfront to make sure that you have a reasonable and appropriate information security program, including appropriate policies and procedures.”


Guffin stressed that RIM companies need to understand what an information security program does and how to build one. “It’s not rocket science,” he said, “but it does require focus, intention, and resources to get the job done. Fortunately, there are well-developed tools and methodologies for doing this.”


“Incidents happen. Even for folks who are doing everything right.” —Kyle Glover, Pierce Atwood LLP


The challenge for companies is to make sure that the information security program they implement actually minimizes risk from the start. “Incidents happen,” Glover said, “even for folks who are doing everything right. However, no one wants to experience a breach and then have the Federal Trade Commission say that it was the company’s fault because that company could have done more upfront.”


Causes of Data Breaches


The majority of data breaches are caused not by hackers but by internal failures, such as an employee losing a laptop or an information system malfunction. Indeed, The Ponemon Institute found that data breaches that occurred worldwide in 2013 were most often caused by human error or a system glitch (59%). Malicious or criminal attacks only accounted for 30% of data breaches.


To reduce the chance of these internal failures, an important component of any information security program is training and education for employees. “It is something that really needs to be thought through and taken seriously because of that risk,” Glover said.


For example, lost boxes pose a data-breach risk, but the underlying cause may be an organizational work-flow or


continued on page 12


The Cost of Data Breaches


Per capita cost* in the United States
2013: $188
2014: $201


Average organizational cost in the United States
2013: $5.40 million
2014: $5.85 million


Highest average notification costs
1. United States: $509,237
2. Germany: $317,635


Highest average lost business costs
1. United States: $3,324,959
2. France: $1,692,192


*Total cost of a data breach divided by the number of lost or stolen records.


Source: 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute (May 2014), available at www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.


PRISM International

