The Online Trust Alliance, a nonprofit organization representing the Internet ecosystem, announced the release of the "2011 Data Breach Incident Readiness Guide," outlining key questions and recommendations to help businesses with breach prevention and incident management. In the wake of increasing levels of data breaches, accidental data losses and incidents of users' privacy being compromised, the OTA has expanded its annual report to address the emerging security and privacy threats impacting businesses throughout the world.
According to the guide, the true test for organizations and businesses should be the ability to meet challenges such as knowing what sensitive information is maintained by a company, where it is stored and how it is kept secure, whether an incident response team is in place ready to respond 24/7, and management team awareness of security, privacy and regulatory requirements related specifically to the business.
In addition, the guide recommends completing a privacy and security audit of all data collection activities, including cloud services, mobile devices and outsourced services, and a communication plan for customers, partners and stockholders in the event of a breach or data loss incident. The complete guide is available for immediate download via the organization's Website.
"We live in a digital world where organizations must defend against data breaches and be prepared to quickly mitigate additional harm should personal information be compromised," said Washington State Attorney General Rob McKenna. "We encourage businesses and agencies to consider the resources provided by the Online Trust Alliance and other organizations as they develop their own plans to protect sensitive data."
In 2010, more than 400 incidents were reported impacting over 26 million records for a cost to U.S. businesses of more than $5.3 billion. Of these, 98 percent were a result of a server exploit; yet on analysis, 90 percent were avoidable if the recommendations outlined in the OTA report were in place. OTA research and industry surveys indicate the data reported is just the tip of the iceberg as a great majority of breaches continue to occur undetected or unreported. While the OTA encourages self-regulation and reporting, the trends outlined in the report suggest the need for broader transparency and self-reporting requirements.
"In the past five years, over 525 million records containing sensitive personal information have been compromised, significantly undermining the foundation of consumer trust," said Craig Spiezle, executive director and president of the OTA. "With the onslaught of criminal and deceptive business activities, we are calling on business leaders to develop a readiness plan. Those failing to act may be faced with increased public scrutiny, regulatory pressures and a tarnished brand reputation."
The guide aims to raise awareness of the severity of a data breach while helping businesses and organizations prevent and mitigate data security and privacy crises. Walking readers through the key points of designing a data incident plan, the guide offers insights, prescriptive advice and actionable recommendations for businesses of all sizes.
The guide also aids businesses in creating an internal plan for what to do in the aftermath of a security breach. Providing plan fundamentals such as creating a 24-hour response team, developing vendor and law enforcement relationships, and providing ideas for a crisis communication plan, the OTA readiness guide gives insights into questions that companies need to ask themselves to ensure they are taking all the precautions they can.
"The 2011 Data Breach Guide is a key resource for any business that is committed to ensuring the privacy and security of its consumers. OTA has done a terrific job at providing the actionable steps that can help a company avoid a crisis and be ready to respond when one occurs," said Jules Polonetsky, co-chair and director of the Future of Privacy Forum.
The OTA "Data Breach Incident Readiness Guide" was developed in collaboration with and support from the following organizations: the American National Standards Institute (ANSI), Center for Democracy & Technology, Email Service & Provider Coalition (ESPC), Identity Theft Assistance Center (ITAC), Identity Theft Council, Internet Security Alliance (ISA), LaMagna and Associates, U.S. Chamber of Commerce, and members of InfraGard Seattle and DC Chapters.