Privacy: "Mobile Technology Concerns Me"
Nationwide's Privacy Officer on Today's Top RisksThat means putting into writing a comprehensive plan that details the appropriate responses to an attack, Herath says in an interview with BankInfoSecurity.com [transcript below].
Herath's leadership has made Nationwide one of the Top 10 Most Trusted Companies for Privacy five times by the Ponemon Institute. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011.
IT security professionals should routinely complete exercises to see how the plan is doing. "Figure out what is going right, what is going wrong," Herath says. "Even if a process looks to be working well, you should still shine a light on it and give it some scrutiny to make sure you can't do it better," he says.
Accountability is another important step in responding to a breach. Team members need to constantly complete ongoing training, Herath says, in order to prepare. "We do ongoing training for the team members and we run it like a fire department. You don't want to build a fire department after the house is on fire."
When conducting training and investigations, IT security professionals should go back, debrief, and do root-cause analysis, Herath says. If problems arise in a company's privacy management plan, "be honest with yourselves and fix the things that don't go well," Herath says.
As the recent Sony and Epsilon breaches have shown, organizations can't train enough to protect their privacy after a breach has occurred. "You want to have (the plan) in place, prepared, trained and ready to roll when the alarm goes off," he says.
In the second part of a two-part interview on privacy and incident response, Herath discusses:
- What he has done to improve privacy protection at Nationwide;
- Today's top privacy risks;
- How organizations can improve privacy management in the event of a breach.
In part one of this interview, Herath discusses his role at Nationwide, as well as his reaction to the recent Epsilon and Sony data breaches.
Herath is Vice-President, Associate General Counsel and Chief Privacy Officer for Nationwide Insurance Companies and affiliates based in Columbus, Ohio.
Among other things, he heads up a team that has primary responsibility for corporate privacy policy and implementing privacy across all lines of business. He represents Nationwide's interests on many industry and business privacy groups and before legislative and regulatory bodies. He is responsible for all legal issues impacting privacy, information security, technology and information systems, contracts and supply services management, confidentiality and data integrity. Under his leadership, Nationwide has been selected as one of the Top 10 Most Trusted Companies for Privacy (number one in the insurance sector) five times by the Ponemon Institute.
Herath is Past President of the International Association of Privacy Professionals and is still very active within the association serving on several committees. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011. He speaks regularly on a broad array of issues.
How to Protect Privacy
TOM FIELD: You talked about encrypting your laptops. What else have you done to improve how you protect privacy at Nationwide?KIRK HERATH: There is a cultural transformation that you have to go through; any organization has to go through it. At the end of the day your employees are going to do the right thing. Often you will find that they will be too conservative with the way they treat data, which then ultimately hurts the business, and maybe even the customer. So you have to train them. You have to train them and do lots of education awareness activities to build a unified policy around how data should or shouldn't be used, and then what the appropriate and inappropriate uses and practices are.
Sometimes you tailor to the specific business unit. So if the business unit is a HIPAA covered entity, you're going to have some additional restrictions around how data can and can't be used. Then in the business unit it might be under more general privacy and security requirements. GOB is sort of a general statute. It says you have to protect data and you have to protect privacy, and they let you do it under a reasonable standard so you're permitted a lot more flexibility with financial data than with health data. We have also implemented lots of technical solutions. We monitor what goes in and out of here on e-mail. We monitor logs to see who is accessing what data and whether or not it's within their sort of role, and whether or not they are exceeding their role. We do it through people.
In my office, the people that are devoted purely to privacy, we've gone from myself in year 2000 at a project sort-of lead over a very large team to nine people that help me just with the privacy law and management activities. Then I have an additional eight or so that help me in the IT and contract management space, which quite frankly has a large privacy and security component to it as well. Getting more people has helped. There were only a handful of security people in Nationwide that just did pure security in 1999 as this whole space was being born. And there is now well over one hundred at Nationwide that do nothing but information risk management and information security.
And then processes, you have to be constantly looking at your processes. When you do make a mistake, even if it is small, you do cross analysis and you improve your processes. You can't prepare and plan enough. Even if a process looks to be working well, you should still shine a light on it and give it some scrutiny to make sure you can't do it better. We have a very good way of doing that. It really comes down to process, people, and technology - and it's evolution over the last decade.
Today's Top Privacy Risks
FIELD: Now I know you're active in the profession, not just within your own industry and role. What do you see as some of today's top privacy risks to organizations of all types?HERATH: It probably is going to sound rather passé but mobile technology concerns me. Mobile technology that controls around it has not kept pace. It is basically a retail technology that people are trying to use in an enterprise way. People who are using Smart Phone technology to do their banking and such don't truly understand the information security and privacy risks inherent in that if they don't have certain applications on their phones. The whole I-Pad issue and the fact that Apple technology has not been created, it hasn't been created for as an enterprise solution. It is very hard to protect it. As of right now, there are few ways to manage and protect data on a lot of the tablets that are out there today. Now it is improving, and probably in twelve to eighteen months we'll have a whole sweep. I think the market will respond. We'll have a whole sweep of applications and software that will help us manage this better, but in May of 2011 it's kind of a "Wild Wild West".
And then there's the cloud. I see our IT people, and my peers are seeing their IT people, either rush to the cloud or begin to seriously investigate software, service or platforms of the service, or infrastructure of the service. They are trying to get out there and figure out a way of cutting their IT costs while also being able to perform better. As a financial service company, which is at the root of what we are, it is very difficult to get the sort of contractual protections in a contract that you need to persuade your regulator that you are actually doing what you need to do under the law to safeguard your customer information. There is a huge gap between what cloud providers are willing to contractually stand behind from a liability perspective and what their customers, particularly regulated customers, are demanding of them.
The very last revision that is fought over in all of these contracts is the identification for breaches. It gets ugly. I can tell you that having gone through a few of these, neither party is ever truly happy with the outcome, which probably means you've reached a perfect compromise if neither party is satisfied.
I am not as jazzed about behavioral advertising and tracking my clicks on the internet. I know that some people are, and I think they have valid reasons. I know my web browsing is going to be tracked to improve my web browsing experience. It is also for the most part free, where it wouldn't be free if this data was not available to advertisers. Monetizing the web becomes much more difficult and I don't think people truly understand. I'm not sure at the end of the day what the harm is. People want to know that I'm interested in Jeeps because I have a Jeep and like the off-road, and they are beaming me advertisements around off-road vacations and outdoor activities. Where's the harm in all of this? Mobile tracking through phones might be a little more problematic. From a civil rights sort of perspective, I think the libertarian in me has some issues with that. But that is probably more of my inherent distrust of government. So those are the ones that I think are the big ones today. Most of us are getting very weary of stories about breaches. It's getting to be almost like the car wreck. You have to rubberneck while you go by, but then you forget about it as soon as you do.
The Makeup of a Breach Response Plan
FIELD: You hinted at this earlier talking about your organization. What can you tell us about the makeup and the readiness of your breach response plan and your team?HERATH: We are very well prepared. You can't ever prepare enough. In addition to the things I talked about earlier, we do table-top exercises a couple times a year and we try to come up with some pretty wild breach scenarios. We then call together a team of people to try and respond to them and go through a written debrief afterwards. We hold each other accountable or take each other to task if we don't think we did it fast enough or well enough. Did we actually include everybody that we should have included? We do ongoing training for the team members and we run it like a fire department or an emergency preparedness department. You don't want to build a fire department after the house is on fire. You want to have it in place, prepared, trained and ready to roll when the alarm goes off. That is really how we've approached this thing. When you actually need it you want to be prepared, you don't want to be ill-prepared, so we are constantly training and making the process better.
Breach Response: How to Improve Privacy Management
FIELD: If you could advise organizations that are looking to improve their privacy management in the event of a breach, what are the one or two pieces of advice you'd give to them?HERATH: Put it down in writing, first of all. Part of the planning process is to actually write it down. Our first emergency response policy in 2005 probably wasn't more than four pages long, and there were big margins. But we laid out a plan of what we wanted to accomplish, what we wanted our incident process to do, and since then it has merged into a document that is fifty or sixty pages long. You have to continually plan and prepare. You go through your table-top exercise; figure out what is going right, what is going wrong. Identify all of the rules and prepare to lend a hand. And they don't all have to be involved in every investigation. If you have an external vendor breach, obviously your HR people wouldn't be involved. The internal investigation people wouldn't be involved. Have a good outreach with local law enforcement or even the local unit of the FBI. The FBI is a phenomenal resource to have in your rolodex. They often will come in and be more than happy to talk to your teams in an off-site or how they can help you. And their cyber fraud guys are top notch, very smart people. They are not out to get you; they are there to help you in the event that you need them.
Train your people, train your people, and train your people. You can't train enough. Have somebody who is formally responsible and accountable to keep the process alive. At the top of the pyramid I sit there, but I have a person on my team who is formally responsible for managing my incident response process and does a good job at it. Then, when you train and you are actually doing investigations, go back and debrief, do root-cause analysis, figure out what went right and what went wrong. Then fix the things that didn't go so well. Be honest with yourselves and fix the things that don't go well, and then look at the things that are still going right and ask everybody, "Could we do it better?" Yes it worked but is there something, some piece of technology or some process that was not around two or three years ago, that will make this thing flow better? And then hope you don't need to use it.