Breach Response: Transparency RequiredNationwide's Privacy Officer on Sony & Epsilon
"I'm glad it's not me," Kirk Herath, chief privacy officer at Nationwide Insurance Companies, says about the breaches in an interview with Information Security Media Group [transcript below].
Herath's leadership has made Nationwide one of the Top 10 Most Trusted Companies for Privacy five times by the Ponemon Institute. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011. Herath's interview highlights the top privacy trends and recent incidents.
Herath draws lessons from the recent breaches. Namely, when it comes time to start the notification process, companies need to be prepared to anticipate questions from customers, internal associates, law enforcement, regulators and, in the case of Sony, from Congress.
"At the end of the day, the worst you can do is look like you're not transparent," Herath says.
In the case of Sony, "they seemed unprepared for the public relations and political side of the breach," he says.
A lack of transparency can affect a company when responding to a breach. Having a communications professional who understands the issues can help in explaining what happened and control the damage.
The Epsilon breach, which affected e-mail addresses, brings up the question of whether security professionals need to treat all non-public information the same.
"A lot of times we try to do risk assessments and we protect more sensitive data maybe a little stronger than less sensitive information," Herath says. And an e-mail address certainly would ... fall into this [category]. It's not a very sensitive piece of information."
Now matter how good a company's privacy policies and management are, breaches will continue to occur. "You can have mistakes, you can have hiccups," Herath says.
In part one of a two-part interview on privacy and incident response, Herath discusses:
- The scope and scale of the privacy officer's job today;
- How the Epsilon and Sony incidents were handled;
- His experience managing privacy in the event of a breach.
Herath is Vice-President, Associate General Counsel and Chief Privacy Officer for Nationwide Insurance Companies and affiliates based in Columbus, Ohio.
Herath is Past President of the International Association of Privacy Professionals and is still very active within the association serving on several committees. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011. He speaks regularly on a broad array of issues.
Role of a Chief Privacy OfficerTOM FIELD: To start with, how about you tell us a little bit about yourself and your role at Nationwide please?
KIRK HERATH: I have been a chief privacy officer since January of 2000, and the role began as a project manager right after Gramm-Leach-Bliley passed in November of 1999. Quickly, we realized that it really wasn't a project; it was more of a program. From there the role has evolved over the years. I am an attorney as well, and it is sort of a hybrid role. I have privacy/compliance. I also do all of the law around information security. That has been versioned into an IT counsel role, and just recently the supply management services contract management group now reports to me. So I sort of have the entire end-to-end sourcing and IT process, from a legal perspective, under my control, which from a privacy perspective ... helps us out immeasurably.
FIELD: Well it's great to talk with you because you've really seen the evolution of the role. When we talk about managing privacy today, what are the scope and the scale of that job?
HERATH: The scope of it is inherently policy and legal, and that really permits my team and myself to get involved in everything. So from a scale perspective, we're involved in virtually everything. We are involved in what IT systems we're using, how we secure them, and how we control the access to them. We look at all of the new processes around sales and marketing, and how data is to be or not to be used. How preferences are managed, we work very closely with our inside analytics team so we have a very strong data governance role. It's about coming up with the rules around what people can and can not do with the data, how we collect it, how we store it, who can have access to it, and for how long. It is a cradle to grave data management role.
Analyzing the Sony & Epsilon BreachesFIELD: When you hear about breaches such as we've seen with Epsilon and Sony, what goes through your mind?
HERATH: What goes through my mind is: I'm glad it's not me. If you have customers and you have associates, you have data. There are some companies that don't think they necessarily have a data management or data governance issue, but if you have data, then a breach can befall you, regardless of how good your privacy policies and management are. No matter how good you are, IT security controls and access controls are your governance. You can have mistakes, you can have hiccups.
My second impression is sort of two-fold. With the Sony response, again I feel bad that it happened to them, but they seemed unprepared for the public relations and political side of the breach, particularly considering the scale of it and the fact that it was credit card numbers on so many millions of customers that were stolen. Then on the Epsilon side, what struck me was that it wasn't a breach under the typical breach laws. So what is or isn't a breach is a very technical term You've got to look at the state or federal laws and determine whether or not something was a breach based upon the jurisdiction in which it happened. It generally falls around your name and association with what we consider sensitive data - credit card numbers, social security numbers, driver's license numbers and then some sort of transactional account, a debit card, maybe a banking account.
Epsilon was e-mail addresses, and everybody in the United States, including both of my kids, got at least one notice from somebody they do business with that their e-mail address was stolen, and that they should watch and be careful about phishing attacks. This may have been the very first instance ... where somebody actually told them that their e-mail addresses are potentially dangerous and damaging to them. And it's not only the e-mail address, but the association with probably a name and even an address.
It pushes the definition of what is considered to be a breach a little further out and makes it even more imperative to stop distinguishing between good non-colorful personal information and bad non-public personal information. By that I mean a lot of times we try to do risk assessments and we protect more sensitive data maybe a little stronger than less sensitive information. And an e-mail address certainly would, before Epsilon and maybe even today for some companies, fall into this. It's not a very sensitive piece of information. We put access controls and authentication around it like firewalls, just like we would around any web-facing app. We might not worry about redacting it or encrypting it from view. You now have to begin to question whether or not you need to treat all non-public personal information the same. There hasn't been, knock on wood, to the best of my knowledge, any suits against Epsilon yet, where Sony does have at least one class action suit out there. But they are going to have real damages as a result of having to cancel and reissue all the credit cards that were affected by that breach.
FIELD: Kirk, you touched on some when you spoke about Sony. From your perspective, and I realize you've got some distance here, what is your take on how these incidents were handled in terms of privacy?
HERATH: With the Epsilon one, they probably did more than they legally needed to do. I am sure that the contracts that Epsilon has with its customers, and all the companies that were affected, probably said they needed to tell their customers if any information was ever stolen. I didn't get a letter from Epsilon. I got a letter from about six or seven other brands that I do business with, either hotel chains or airline miles, those sorts of things.
It comes back to the lack of preparedness and the lack of transparency. When you finally pull the trigger on a notification, you've got to have all your ducks in a row and you need to anticipate the likely questions that are going to come, not only from customers, but from your own internal associates from law enforcement, from regulators, and in the case of Sony, from Congress. There seemed to be an air of secrecy which in and of itself tended to cause concern among the regulators in particular and Congress, because there was a feeling that they weren't getting the whole story. Now that may have been the whole story, but the impression that they left ... was that there was something more. There was another shoe that was going to fall and everybody was waiting with trepidation to see what that would be. With breach incident response, part of it is having a communications professional on your team, and it is a team effort, who understands the issues and can work with internal and external constituencies from a public relations perspective to explain what happens and somewhat control the damage. At the end of the day the worst you can do is look like you're not transparent.
Managing Privacy during a BreachFIELD: Kirk, what is your personal experience managing privacy in the event of a breach?
HERATH: Fortunately we've had very few notifications over the years. The few that we did have were back in the mid-2000s and were a result of some laptops. Once we encrypted those laptops, those generally went away. Anybody who is in the business, there are occasionally mistakes where you've got miss-mailings, but our experience has been that you can't prepare enough.
It is a multi-role, inter-disciplinary process. My office tends to control, or at least kick off, the investigation if we have some sort of an allegation. But we have information security people. We'll involve the IT folks who are over the business unit. The business unit has to have skin in the game. Communications is always on the team. We'll have forensics people if it requires a forensics investigation. We have our HR team who usually has a representative, and we have internal investigations if it is an allegation against an associate and we need to do an investigation. Each of these individuals plays a role. They are almost like satellites orbiting a celestial body, and when they are needed they beam in and they do their role. Then when their role is over, they beam back out again. So it is a role-based process, but it requires a lot of preparation in planning. We've had a really good process for about six years, but we evolve it; we evolve it several times a year. It's been getting better every year since probably 2005.
In part two of this interview, Herath discusses how he has helped improve privacy protection at Nationwide, and he talks about two of his top concerns: Mobile technology and cloud computing.