Industry experts delivered that message during the recent (ISC)2 SecureBoston conference in Quincy, Mass. Privacy and security teams should communicate regularly on each others' challenges and activities, and should work together on an effective response plan in the event of a data breach, the experts said.
"With the growing data breach threat, privacy and security officers must work closer than ever before and accept the fact that they are partners," said Peter Kosmala, assistant director of the York, Maine-based International Association of Privacy Professionals (IAPP).
Kosmala focused his talk on ways for security and privacy officers to build a better dialogue. In particular, he said the two sides can find plenty of common ground on a data breach response plan and that the better the plan, the easier it will be for the company to survive a breach. While the privacy department tends to focus on legal and practical matters and the security department on procedural and technical concerns, each side is responsible for such common challenges as data breach response and notification, information outsourcing and vendor management, identity management, exploits and emerging threats.
By sharing insights and resources, he said, the two camps can do much to make their company more secure and in lockstep with all the latest industry and government security requirements.
Kosmala used Marriott International as a case study on how privacy and security officers can team up on a more effective defense, based on how it was explained to him by Chris Zoladtz, the hotel chain's vice president of information protection and privacy. According to Zoladtz, there are daily interactions between the privacy and security teams. The chief privacy officer is considered the "business owner" of privacy needs, including gap analysis, risk assessment, policy development and communication. The chief information security officer, meanwhile, develops and manages the mechanisms to address those needs as well as the broader needs of IT. Along the way, Kosmala said, there's plenty of cross-pollenization of ideas, skills and credentials.
For Kosmala and other experts at the conference, one of the overriding issues is the need for companies to draw up detailed data breach response plans. No matter how seriously a company takes security, they said, everyone is vulnerable to a successful attack and must plan as if it's eventually going to happen. This has been a major theme at a number of recent security conferences, including the recent Computer Security Institute (CSI) 2007 conference in Arlington, Va., and a data breach panel discussion held last month at the Harvard Club in Boston. As with these other gatherings, experts at the (ISC)2 event used the TJX data breach response as an example of how not to do things.
When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence. TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. The came word that the stolen data covered transactions dating all the way back to December 2002.
TJX has also come under fire for failing nine of the 12 requirements under the Payment Card Industry's Data Security Standard (PCI DSS). Michael Gavin, a former Forrester Research analyst who now works for Wilmington, Mass.-based Security Innovation, said he can see a scenario where a company can come close to meeting PCI DSS but end up getting slapped for coming up short on more obscure provisions.
"Failing nine of the 12 requirements is quite bad, but each requirement consists of many sub-requirements, and furthermore some of those have sub-requirements," he said in an email exchange. "While unlikely, especially from what I have heard and read about the TJX situation, it is possible to be quite close to passing all 12 requirements, but actually fail nine of the 12 for one relatively minor sub-requirement in each of the nine failed requirements."
It's possible TJX could have achieved better PCI compliance had the privacy and security teams been working more closely together. But even if that wouldn't have made the difference, experts at the (ISC)2 event said better communication between both camps could have meant a better data breach response.
Seth Berman, managing director and deputy general counsel at Stroz Friedberg LLC, a consulting and technical services firm specializing in such things as computer forensics, cyber-crime response and private investigations, said companies can't always prevent a data breach and that the right response plan is key. "It's better to get to the bottom of what happened as quickly as possible," he said.
The experts noted that privacy and security teams can work more effectively together on determining if an incident truly fits the definition of a data breach and, if so, who needs to be notified.
Berman noted that a better response plan on the part of the U.S. Department of Veterans Affairs (VA) might have softened the public outcry. The VA made headlines for months after computer hardware containing the personal data of 26.5 million veterans and about 2.2 million active duty personnel was stolen from the home of an agency employee. But after the stolen laptop was recovered and picked apart by forensics specialists, the VA was able to show that the identities were never used for fraudulent purposes.
He also mentioned the case of a bank that notified customers of a data compromise that, as it turned out, never happened. The bank spent a lot of money to notify customers that a backup tape housing their data had gone missing, but the tape was later found on site.