

2013 DATA PROTECTION & BREACH READINESS PLANNING GUIDE



The Online Trust Alliance (OTA) takes the threat of security breaches very seriously and is committed to educating businesses about the imminent threat of a data breach.  The goal of the 2013 Data Protection & Breach Readiness Guide is to provide prescribed guidelines that help businesses proactively develop a plan to minimize data collection, enhance data protection and create a customer-centric incident response plan.  By planning, businesses of all sizes can minimize their risks, costs and the impact of a breach on customers, investors, and brands.

A data breach, defined as the intentional or unintentional release of secure information to an untrusted environment, can have devastating consequences for the brand value of a business, along with a significant financial impact and loss of customers.  In 2012, 2,644 breaches were reported worldwide, an increase of over 117% from 2011, exposing over 267 million records.(1) The largest reported breaches included Zappos and Global Payments, with 26 million and 7 million records exposed respectively.  The direct and indirect costs can be staggering.  Global Payments, a credit card processor, reported direct costs of nearly $94 million in addition to the reputational and business harm incurred.(2)

Not surprisingly, criminals are becoming more sophisticated and organized as they target more robust databases with a plethora of personal information gathered by health, financial, education, government and ecommerce providers.  Verizon’s 2012 data breach report showed that 94% of all their data breaches occurred because of direct attacks on their server infrastructure.(4)  These criminals steal strategic and highly sensitive information, compromising national security and public and private technology infrastructures worldwide. Add to this the growing usage of mobile devices, and the overall risk landscape is growing exponentially.

Regardless of company size, employees continue to be a potential threat to companies and consumers when they bring their personal devices to work.  This trend, known as “Bring Your Own Device” (BYOD), is introducing a complex set of technical and operational policies for all organizations.  Whether intentionally or unintentionally, employees can put an organization at risk by passing malware and viruses on to company platforms, or by downloading valuable company information. In 2012, 43% of breaches targeted non-business organizations.  While breaches and data loss incidents are typically focused on external threats, 26% were a result of internal losses and 4% were unknown.(5)

Executive support for making data privacy part of the business culture, and for building, testing, and maintaining a DIP, is critical for ensuring that a business is prepared before a breach occurs.  It is also important for executives to acknowledge the need for businesses to ensure that their customers have clear, conspicuous, and readable notices that can be easily understood by the target audience of the product or service.  Additionally, consumers must have the ability to permanently opt out of all collection of their personal data and be provided notice on the use and sharing of any such data after it has been collected.

OTA encourages all businesses, non-profits and government organizations to make a renewed commitment to data protection and privacy.  Being prepared for a breach is good for your business, your brand and most importantly your customers.


Revised March 15, 2013