Posts

Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Even more so, 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are rising up.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, click bait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

More Resources

Turning Audit Into Enablement

Incident Response Planning: 6 Steps to Prepare your Organization

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

Making Sense of the Regulatory Alphabet Soup

SSAE 16, SOC 2, HIPAA, PCI DSS, FISMA, ISO 27001. We’ve all heard of the Alphabet Soup, but what do they all really mean?

Which one is right for me? Which one should I pursue? Why would I get this audit over that audit? As auditors, these are the questions we are most frequently asked.

To help answer these questions and truly familiarize you with the different audit frameworks, we’ve broken down the Who’s, What’s, and Why’s for the most commonly reported on frameworks.

SSAE 16/SOC 1

Who asks for an SSAE 16? If you work with publicly traded companies, financial institutions, or state or local government, you will frequently be required to have an SSAE 16 audit performed by a third party. It is the most commonly used form of attestation for service providers in the US. So what is an SSAE 16? It’s an audit and report on internal controls (whether related to information security, financial, operational, or compliance controls) at a service provider that are relevant to their client’s data. The SSAE 16 audit takes a risk-based approach, with specified objectives that are created to address client risk, and controls, or activities, to accomplish each objective. A third-party auditor would be looking at your environment to make sure your objectives are appropriate, your controls are effectively designed, and that you are doing what you say you are doing. An SSAE 16 audit is as good as its scope.

SOC 2

Typically, the same clients who are asking you for an SSAE 16 will be the ones asking you for a SOC 2. Whereas SOC 1 was designed to validate internal controls at a service provider that relate to client financial reporting and validate information security, SOC 2 was a framework specifically designed for companies delivering technology related services. The SOC 2 framework is finally gaining popularity. SOC 2 was specifically designed to report on one of five principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The established criteria for each principle address the following questions: How are your policies and procedures relative to the standard documented? How do you communicate those to all interested parties? How do you monitor that those controls are being effectively performed?

HIPAA

If you are working for a healthcare provider or a Business Associate who services a healthcare provider, you are going to be asked for validation of your compliance with HIPAA laws. Any entity who handles Protected Health Information (PHI) will be responsible for compliance with HIPAA. Legislation requires appropriate Physical, Administrative, and Technical Safeguards to protect PHI. Much like the SSAE 16, HIPAA compliance is risk-based. You must begin by performing a Risk Assessment to determine what the appropriate physical, administrative, and technical safeguards are, implement those, and then perform regular monitoring to ensure the safeguards are still appropriate. There is no “hard list” of requirements for HIPAA, and there is no certification. A third-party audit would provide validation of your controls and their appropriateness and effectiveness.

PCI

The PCI Data Security Standard applies primarily to the payment card industry. If you store, transmit, or process cardholder data, you will be required to comply with PCI DSS. Additionally, if you have a client who is required to comply with PCI DSS, they are required to validate your compliance with the standard as well. PCI DSS is a very robust information security standard, and is also sometimes used as a best practice, even without handling credit card data. A PCI audit is an information security audit focused on the protection of credit card data. All PCI audits are performed by a PCI Qualified Security Assessor (QSA). There are over 200 controls and 1,000 audit tests that make up the framework and process. There are six control objectives with 12 subject areas. When a third-party auditor performs a PCI audit, it results in a PCI Report on Compliance (ROC).

FISMA

FISMA Compliance is required of anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor. FISMA is the law. NIST Special Publication 800-53 is the actual standard that lists the individual security controls required to comply with FISMA. A FISMA audit is a thorough assessment of your information security practices as it relates to NIST SP 800-53 requirements. It involves a detailed risk assessment, and a selection of comprehensive controls determined by whether you are a low, moderate, or high category. Out of the frameworks we’ve covered so far, FISMA is the most extensive.

ISO 27001-27002

If your customers are doing business globally, chances are you’ll be asked for an ISO 27001 audit. It is a very mature, holistic, information security standard that is widely recognized and highly revered on an international level. 27001 is the entire standard, and 27002 refers to just the controls. An ISO 27001 audit is a complete audit of your Information Security Management System (ISMS). This includes management system, risk management, internal audit, management review, continual improvement, and information security controls.

Determining which audit framework is the best for your organization depends on a number of things; who your clients are, who your clients’ clients are, and what kind of information you process. For more information on a specific framework, or if you are interested in speaking with an Information Security Specialist for a consultation, contact us today.