Top 10 things organizations should understand with a confirmed breach

May 15, 2013

by Luke Sackandy, Immersion

Recently, Immersion’s Larissa Crum participated in a panel discussion produced by HB Litigation Conferences LLC at the NetDiligence Cyber Risk & Privacy Liability Forum, titled “Data Breach Preparedness: The Right Way to Survive 30 Days of Hell.” A more in-depth recap of the conversation can be found here, but the following is a brief list Larissa provided of the top 10 things organizations should know when a confirmed breach occurs.

1. Time is of the essence. Whether the breach falls under federal regulation (HITECH) or one of the state regulations (47 of them), there is always a time frame within which notice must occur. Know what those time frames are and plan accordingly.

2. Engage a data breach response vendor. Ideally you vetted vendors as part of the planning process; either way, work with a vendor that understands data breach response.

3. Credit monitoring/identity theft protection—to offer or not to offer. This depends on the information that was compromised; for example, if bank account information is compromised but not Social Security numbers, an argument can be made that no monitoring is required.

4. When crafting the data breach notice, you will want to remove the phone number from the cover letter—individuals will call whatever number they see.

5. Remember to communicate in the language most common to the individuals.

6. Think about the return address. This is often overlooked but can be very important when a large number of individuals need to be notified: on average, about 13% of mailed notices come back as undeliverable.

7. Think about the response to the response—the call center. This is the first live interaction an affected individual has with the organization.

8. Call center—FAQs. These are the questions and answers specific to the incident. Review them from the perspective of the affected individual. In the credit monitoring example above, you want an FAQ that explains why credit monitoring is not being offered.

9. Call center—escalations. Make sure the organization has the appropriate team in place to handle calls escalated from the call center.

10. Respond with the end in mind—a class action or regulatory inquiry. It is critical to work with a vendor that can document every step of the notification and call center process, from the results of and decisions made on the address scrub to the call records at the call center.

How many of these items are you prepared for?


Immersion to be panelist at joint IAPP/ISSA event in Boston area, May 15th

April 25, 2013

Immersion is pleased to announce that Shawn Melito will be participating in a panel discussion on “Pre-Breach Preparedness: incident response planning, forensics and cyber Insurance” at a joint IAPP/ISSA event on May 15th from 11 am – 3 pm at the Showcase Cinema in Dedham, MA.  More details to follow…


Immersion’s Shawn Melito to speak at Philadelphia KnowledgeNet, April 18th, 2013

April 17, 2013

With the HHS OCR’s release of the Final Rule and its changes to HIPAA/HITECH, especially with regard to Business Associates, enforcement and assurances, you may be wondering how this affects your organization. Even those outside the “healthcare arena” will be surprised how these changes affect them. Please join us for an interactive presentation and question-and-answer period on this hot topic, led by three seasoned data breach professionals with hands-on experience handling hundreds of breaches. The session will include a legal update, a look at how these changes affect cyber insurance, a discussion of recent data breach claims, lawsuits and legal decisions, and advice on how to implement any necessary changes within your organization.

Speakers: Shawn Melito, Vice President, Immersion Ltd.; Toby Merrill, Vice President, ACE USA; John Mullin, Partner, Nelson Levine de Luca & Hamilton, LLC

Thursday, April 18 11:30 a.m. – 2 p.m.

Ernst & Young
2005 Market Street
Suite 700
8th Floor, Union Conference Room
Philadelphia, PA 19103

Sign up on the IAPP website (https://www.privacyassociation.org/events_and_programs/knowledgenet1/).  I hope you can attend.


See You at NetDiligence on October 11th and 12th!

October 8, 2012

by Tom DiClemente, Immersion, Ltd.

Look for us at the NetDiligence Cyber Risk & Privacy Liability Forum in Marina del Rey this coming Thursday and Friday, the 11th and 12th of October.

Immersion’s Larissa Crum will be participating on the panel at 9am Friday concerning “Data Breach Preparedness: The Right Way to Survive 30 Days of Hell”. This will be a great forum in which to field your pressing questions about data breach response planning – the who’s, the what’s, the how’s – and get tips from the experts on the stumbling blocks you could encounter along your way.

Looking forward to seeing you there!


The Nightmare of this Journalist Should Put Consumers and Organizations on Notice.

August 16, 2012

by Luke Sackandy, Immersion

After Mat Honan was the victim of a crippling hack, it wasn’t the fact that he had been hacked that upset him so much as the way it came together that left him devastated. On Friday, August 3rd, his entire digital life went up in flames in a matter of minutes. That was certainly unfortunate for him. The fortunate part for the rest of us is that Mat is a very credible journalist, and his situation attracted a lot of interest. Most notably, Apple and Amazon took notice and have since closed the gaps that allowed access by the hacker, who identified himself as Phobia.

You can read in detail about this epic hack, but the amazing part is how easy it was for the hacker. 

This was not a complex hack. Most of us could perform it. Once Phobia had obtained a few basic pieces of personal information, the hack took less than 10 minutes. In those 10 minutes, Mat lost everything on his MacBook, including pictures of the first year of his daughter’s life and pictures of people who were no longer with him. He lost all the information on his iPhone and everything he had collected in his Gmail account over the years.

Mat initiated a conversation with Phobia, who agreed to share the details of the hack in exchange for Mat not pressing charges. Oh, and by the way, Phobia is a 19-year-old kid. Mat wanted to know why Phobia did what he did. After all, Mat admitted that with that level of access to his online life, Phobia could have ruined him financially as well. Phobia responded that all he really wanted was access to the Twitter account: he wanted to embarrass Mat and expose the security loopholes in the hope that the companies would fix them.

Phobia probably succeeded from that standpoint, as both Apple and Amazon have taken notice and are re-evaluating their security procedures. Wired magazine tried to duplicate the hack on the Tuesday after the story went public. When they called Apple to gain access to an account, they were told that gaining access over the phone was no longer possible. When they called Amazon, they were told that information could no longer be added to accounts over the phone.

More importantly, Phobia also exploited two much larger issues. The first is that, as an online society, we are becoming increasingly relaxed about our security. How many of us use the same prefix for our various email addresses, or feel comfortable storing our credit cards and other personal information online? A lot of us, and the problem is only growing. A hacker no longer necessarily needs to understand the “technical” side of hacking; a hacker needs to be able to connect the dots. Had I realized that the information Amazon makes visible is the same information Apple uses for security verification, I could have performed this hack myself, and I have zero hacking skills.

The second issue, and perhaps the more important one, is that companies are making it so easy and convenient for us to log in or change account information that security has become an afterthought. The inconvenience of a strict and thorough process to regain access to an account is a fair trade for security. I understand that users bear some responsibility for staying safe online; Mat himself admitted that he should not have tied all his accounts together the way he did. But at what point is there an onus on the organizations that consumers trust with their most important information to work together and create some kind of best practice? If it’s not their responsibility, then whose is it? Consumers can take as many precautions as they want, but until there is consistency about what counts as confidential information, hackers like Phobia will continue to prey on unsuspecting victims.
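To make the “connect the dots” point concrete, here is an added example that is not from the original post, from Wired’s reporting, or from any company named above. It models a set of hypothetical services as a graph: what each reset flow accepts as proof of identity, what each account reveals once someone is inside it, and which accounts receive another account’s reset e-mail. Starting from facts anyone can look up, it computes everything an attacker can take over. The service names, the facts and the two configurations are all made up to illustrate the pattern, not the actual details of the case.

```python
"""Chained account recovery as a reachability problem.

Added, constructed example; not code from the original post, from Wired, or
from any of the companies mentioned. Service names, the facts they accept as
proof of identity, and what they display are hypothetical stand-ins for the
pattern the post describes: one service shows a detail that another service
treats as a secret, and reset e-mails chain accounts together.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    recovery_proof: frozenset            # facts the reset / helpdesk flow accepts as identity proof
    discloses: frozenset = frozenset()   # facts visible to whoever controls the account
    resets: frozenset = frozenset()      # services whose password-reset e-mail lands here


def compromise_closure(services, known_facts):
    """Return (owned_service_names, known_facts) once no further takeover is possible.

    A service falls when the attacker either already holds every fact its
    recovery flow demands, or controls an account that receives its reset
    e-mail. Each takeover can reveal new facts, so iterate to a fixpoint.
    """
    by_name = {s.name: s for s in services}
    known = set(known_facts)
    owned = set()
    changed = True
    while changed:
        changed = False
        for s in services:
            if s.name in owned:
                continue
            via_proof = s.recovery_proof <= known
            via_reset = any(s.name in by_name[o].resets for o in owned)
            if via_proof or via_reset:
                owned.add(s.name)
                known |= s.discloses
                changed = True
    return owned, known


def cross_service_leaks(services):
    """Facts that one service displays but another treats as secret proof of identity.

    Anything in this set is effectively public to an attacker who can get into
    (or talk their way into) the disclosing account, so it must not be used as
    a recovery secret anywhere.
    """
    return {
        (fact, shower.name, truster.name)
        for shower in services
        for truster in services
        if shower is not truster
        for fact in shower.discloses & truster.recovery_proof
    }


# What an attacker can find without touching any account (constructed).
PUBLIC = frozenset({"name", "email", "billing_address"})

# Weak configuration: the shop's reset flow accepts public facts and then shows
# part of a payment card; the cloud account accepts that fragment as proof and
# is the reset address for mail, which in turn is the reset address for social.
WEAK = [
    Service("shop", recovery_proof=frozenset({"name", "email", "billing_address"}),
            discloses=frozenset({"card_last4"})),
    Service("cloud", recovery_proof=frozenset({"billing_address", "card_last4"}),
            resets=frozenset({"mail"})),
    Service("mail", recovery_proof=frozenset({"recovery_code"}),
            resets=frozenset({"social"})),
    Service("social", recovery_proof=frozenset({"recovery_code"})),
]

# Hardened: the shop no longer displays the card fragment, and the cloud reset
# flow demands a second factor that no other service ever shows. The shop can
# still be taken over with public facts, but the chain stops there.
HARDENED = [
    Service("shop", recovery_proof=frozenset({"name", "email", "billing_address"})),
    Service("cloud", recovery_proof=frozenset({"billing_address", "card_last4", "hardware_token"}),
            resets=frozenset({"mail"})),
    WEAK[2],
    WEAK[3],
]

if __name__ == "__main__":
    owned, _ = compromise_closure(WEAK, PUBLIC)
    print("weak: attacker ends up owning", sorted(owned))
    print("weak: cross-service leaks", sorted(cross_service_leaks(WEAK)))
    owned, _ = compromise_closure(HARDENED, PUBLIC)
    print("hardened: attacker ends up owning", sorted(owned))
```

The leak check is the part worth keeping: any fact one service displays and another accepts as a recovery secret is, for practical purposes, public. The hardened list shows the two changes that actually break the chain: stop displaying the fragment, and require a factor that nothing else ever shows.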

This could have been much more devastating than it was. Mat admitted that with this level of access, his financial information could also have been compromised. The contacts he had accumulated in his Gmail account over years as a tech journalist could have been victimized as well. Who knows how deep this could have gone before any real, hardcore, old-fashioned hacking was involved?

Thankfully for Mat Honan, the damage stopped with his digital life. Anyone else might not have been so lucky.

How confident are you in the security of your online life?  Do you feel vulnerable?  Let us know in the comments.


Government Mandated Cyber-Security?

August 9, 2012

by, Luke Sackandy, Immersion

Over the past couple of years, you may have grown familiar with the names Anonymous and LulzSec. These are two of the more prominent hacktivist groups that have taken it upon themselves to shut down the websites of organizations that, in their eyes, are immoral or corrupt. Perhaps some of the websites you frequent have been affected by their activities. Fortunately, for most of us it is nothing more than an inconvenience: the site goes down for a few hours or, in rare instances, a few days before it is brought back online. Then we go back about our business on those sites as if nothing ever happened.

At first glance, this probably has very little to do with you. Other than the hacktivist groups gaining notoriety and causing an inconvenience for the affected companies, there are few long-term effects. If you look a little closer, as many governments are beginning to do, you will see the beginning of a new kind of warfare. Governments are following the lead of hacktivist groups and beginning to launch their own cyber wars. Anyone who has heard about the Stuxnet and Flame cyberweapons should know where this is going. The U.S. and Israel reportedly worked together to build malware that was slowly crippling the Iranian nuclear program until its accidental discovery. In addition, we have seen governments of other countries, particularly in the Middle East, launching cyber attacks within their own borders to head off another Arab Spring like the one we recently saw in Egypt.

What if these same types of attacks were launched against the infrastructure of the U.S.? Could you imagine if the power outage that just rocked India happened here? Everything would stop. People wouldn’t be able to communicate, businesses would not be able to operate, and, as a nation, we would be crippled. It’s not unrealistic to believe that an effective cyberweapon, much like Stuxnet or Flame, could wreak havoc on the infrastructure of the United States.

Scenarios like these prompted the proposed, and recently defeated, Cybersecurity Bill. Some of the top security officials in the country, including the head of the National Security Agency and the chairman of the Joint Chiefs of Staff, had been pleading for a White House-backed bill that would regulate crucial, privately owned infrastructure such as electric utilities, chemical plants and water systems. Unfortunately for the bill, it met strong resistance from the United States Chamber of Commerce, which argued that government regulation could actually hinder companies’ ability to defend against cyber intrusions on their own. Before Congress went into recess, the bill fell on a 52-46 procedural vote, short of the 60 votes needed to advance it.

For the time being, it looks as though there will be no regulation of cyber security. However, given recent events around the world, one has to question whether this is a threat we should be taking more seriously. For a long time the U.S. has felt relatively safe from physical warfare and attacks because it is so far from the more hostile parts of the world. Unfortunately, with these new cyberweapons, geographic distance is no longer a protection we can count on.

What do you think?  Should the United States Government play a more active role in regulating cyber-security for our infrastructure?


Think you aren’t being targeted as a small business? Think again.

July 6, 2012

by Luke Sackandy, Immersion

As a small business owner, you may think you are not a target for cybercriminals. The truth is, you are a much larger target than you think, probably a larger target than most large organizations. In fact, 72% of the 855 data breaches analyzed by Verizon Communications last year were at companies with 100 employees or fewer, up from 62% the prior year. Smaller organizations are much more vulnerable to data breaches, so cybercriminals are preying on them more regularly. Why? Because small businesses are focused on everything else. With fewer employees, they are typically stretched as thin as possible, and they do not have an IT department to monitor everything as it should be. They usually rely on standard security software and nothing beyond it. Hackers are getting more skilled every day, and software that is effective today may be a weakness next week.

As an example, look at a recent article in the Wall Street Journal. A mannequin maker in Brooklyn, New York, Lifestyle Forms & Displays, Inc., experienced a breach that resulted in the theft of $1.2 million in just a few hours through online transactions. Money was transferred to accounts at three U.S. banks, Bank of America, Wells Fargo and JP Morgan Chase, and one Chinese bank, Agricultural Bank of China. The problem was discovered when the person in charge of finance for the organization was unable to make a routine online payment and kept seeing error messages. The organization’s bank was contacted immediately and assured them that there was no issue on the bank’s end. Shortly after, the company’s IT support determined that the computers must have been infected with a virus. By the time the computers were fixed, nine transactions of about $150,000 each had been taken from the account.

As you can see, a data breach can affect anyone regardless of the size of your organization.  One could even argue that smaller organizations are at a much higher risk than large ones.  So what can you do?  The Wall Street Journal offered these four suggestions.

1. Pay for protection beyond what is offered through free security software.

2. Have your bank require verbal authorizations for transactions over a certain limit.

3. Insure your assets. The average breach in 2011 cost $194 per breached record, according to the Ponemon Institute. It will be worth it.

4. Have a plan for whom to contact immediately should a breach occur. Breaches can be very intense situations, and it is easy to forget something. Planning ahead will help make sure everything is taken care of.
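Suggestion 2 is a control that can also be implemented on the business side, by screening outbound payments before they are released. The following is an added example, not code from the original post or from the Wall Street Journal article: it flags any transfer above a single-transfer limit (the kind that should trigger a verbal confirmation), a burst of outbound value inside a rolling window, and any payment to a beneficiary that is not on an approved list, then runs those rules over a constructed ledger shaped like the incident described above. The thresholds, dates, amounts and account tokens are all hypothetical.

```python
"""Rule-based screening of outbound payments.

Added, constructed example; not code from the original post or the WSJ article.
It implements the control suggestion 2 points at (a per-transfer limit that
forces a verbal / out-of-band confirmation) and adds two checks the incident
suggests: a burst of outbound value in a short window, and payment to a
beneficiary the business has never approved. Every figure, timestamp and
beneficiary token below is constructed; the thresholds are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: float
    beneficiary: str     # "bank:account" token; constructed values below


@dataclass(frozen=True)
class Rules:
    single_limit: float = 50_000.0           # above this, require verbal confirmation
    window: timedelta = timedelta(hours=4)   # rolling window for burst detection
    window_limit: float = 250_000.0          # max outbound value inside the window
    approved: frozenset = frozenset()        # beneficiaries approved out of band


def flag_transfers(transfers, rules):
    """Return {index: [reasons]} for each transfer that trips at least one rule.

    Transfers must be chronological. A deque holds the transfers still inside
    the rolling window, so the whole pass is O(n).
    """
    flags = {}
    recent = deque()
    in_window = 0.0
    for i, t in enumerate(transfers):
        if recent and t.ts < recent[-1].ts:
            raise ValueError("transfers must be sorted by timestamp")
        # age out transfers that have left the window
        while recent and t.ts - recent[0].ts > rules.window:
            in_window -= recent.popleft().amount
        recent.append(t)
        in_window += t.amount

        reasons = []
        if t.amount > rules.single_limit:
            reasons.append(f"{t.amount:,.0f} exceeds single-transfer limit {rules.single_limit:,.0f}")
        if in_window > rules.window_limit:
            reasons.append(f"{in_window:,.0f} sent within {rules.window}")
        if t.beneficiary not in rules.approved:
            # Unknown beneficiaries are not "learned" here: they become approved
            # only after out-of-band confirmation, not because a payment went out.
            reasons.append(f"unapproved beneficiary {t.beneficiary}")
        if reasons:
            flags[i] = reasons
    return flags


APPROVED_VENDORS = frozenset({
    "bank_a:vendor-payroll", "bank_b:vendor-materials", "bank_a:vendor-utilities",
})


def build_sample_ledger():
    """Constructed ledger: a routine morning, then a burst shaped like the incident
    described above (nine transfers of roughly $150,000 within a few hours, spread
    across four receiving banks). Dates and account tokens are invented."""
    day = datetime(2012, 5, 7)
    routine = [
        Transfer(day + timedelta(hours=9, minutes=5), 4_200.0, "bank_a:vendor-payroll"),
        Transfer(day + timedelta(hours=9, minutes=40), 18_500.0, "bank_b:vendor-materials"),
        Transfer(day + timedelta(hours=10, minutes=15), 950.0, "bank_a:vendor-utilities"),
    ]
    mules = ["bank_a:mule-1", "bank_b:mule-2", "bank_c:mule-3", "bank_d:mule-4"]
    burst = [
        Transfer(day + timedelta(hours=13, minutes=20 * k), 150_000.0 + 500 * k, mules[k % 4])
        for k in range(9)
    ]
    return routine + burst


def run_sample():
    """Screen the constructed ledger with the default rules and approved vendor list."""
    return flag_transfers(build_sample_ledger(), Rules(approved=APPROVED_VENDORS))


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for i, reasons in sorted(run_sample().items()):
        print(f"{ledger[i].ts:%H:%M} {ledger[i].amount:>10,.0f} -> {ledger[i].beneficiary}")
        for r in reasons:
            print("    ", r)
```

Run against the sample, the three routine vendor payments pass cleanly and all nine burst transfers are flagged; the very first one trips only the single-transfer limit and the unapproved-beneficiary rule, and the window rule joins in from the second transfer onward. The point is that any one of the three rules would have stopped the run before the ninth transfer, which is exactly the kind of check a bank can apply when asked to require verbal authorization above a limit.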

Do you feel you are protected against a breach?  Let us know in the comments.