A report has been released by The Online Trust Alliance setting out guidelines for preventing, detecting and responding to data security breaches. The number of high profile data loss cases that reached the public eye in 2010 has made organisations seriously consider their practices and how they can best avoid such occurrences happening.
The 2011 Data Breach & Loss Incident Readiness Guide is intended as an aid to businesses, nonprofits and governmental agencies in creating data incident plans, with recommendations including best security practices and planning models.
“There is no one size to fit all,” said OTA Executive Director Craig Spiezle. But the recommendations outlined in the report should apply to government agencies as well as to businesses. Despite the growing list of regulatory requirements for using best practices in protecting electronic data, “a lot of agencies haven’t thought through all of this,” he said.
Agencies vary widely in their levels of preparedness, and experience has proved a valuable if not always pleasant factor, Spiezle said.
“Those that are best equipped today are the ones that have had incidents in the past,” such as the Veterans Affairs Department, which suffered a black eye from the 2006 theft of a laptop containing information on millions of veterans, he said.
The OTA is a nonprofit group focused on identifying best practices for ensuring privacy and data security. Although it began in 2004 as an industry organization, members today include the U.S. Senate, Commerce Department and the USPS Inspection Service, and it has worked with the Federal CIO Council and the White House task force developing the National Strategy for Trusted Identities in Cyberspace.
Breaches of personally identifiable information that could be used for identity theft or other fraud have become a high-profile problem. It is compounded by the organized theft, sale and exploitation of the data in a growing underground economy. OTA cited reports of more than 400 incidents exposing more than 26 million personal records in 2010, and said that 96 percent of online breaches were preventable using internal controls recommended in its report.
In addition to breaches of personal information, incidents such as the recent release of leaked classified information through WikiLeaks have caused the Office of Management and Budget to require agencies to assess plans and capabilities for protecting classified information.
