Data Breach Response Guide - Experian

Data Breach Response Guide
By Experian Data Breach Resolution
2013-2014 Edition

Trust the Power of Experience.
© 2013 ConsumerInfo.com, Inc.

Table of Contents

Introduction 3
Data Breach Preparedness 4
Data Breach Incident Response 7
Data Breach Notification 9
Healthcare Data Breach 13
Legal Landscape 15
Preparedness Plan Audit 18
Resources and FAQs 20-21
Data Breach Response Team Contact List 22

Legal Notice
The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.

Contact us at 866.751.1323 or email us at databreachinfo@experian.com.

Introduction

Preparation is the Best Defense

With 267 million records being exposed in data breaches in 2012, experiencing a breach may be inevitable*, but the bank-breaking costs often associated with them don’t have to be. In fact, a Ponemon study reveals that organizations can greatly reduce the cost of a data breach by having an incident response plan, a strong IT security posture and a Chief Information Security Officer.** That’s why this Response Guide is a vital tool that can be used in defense against data breaches.

Inside, you’ll learn why it’s important to have an incident response plan, how to create one and what to do during the first 24 hours of a breach. We’ll explain what you need to know about notifying your customers, patients or employees. The guide also has the latest information on the HIPAA Omnibus Rule and upcoming federal legislation on breach notification laws. After you create your response plan, it’s important to test and update it. Recommendations for updating your plan are included in this publication, along with some helpful resources.

So please, take a little time to review this guide, and if you don’t have an incident response plan, use this to help create one. It could mean the difference between a breach that causes a brief disruption and one that causes a major meltdown.

Sincerely,
Michael Bruemmer
Vice President, Experian Data Breach Resolution

*2012 Data Breach QuickView Report, Open Security Foundation and Risk Based Security, Inc.
**2013 Cost of a Data Breach Study, Ponemon Institute, May 2013

[Infographic: the life cycle of a data breach response. Recoverable step labels: discover breach; assemble internal response team; contact law enforcement (if applicable); begin notification process; mail/email notifications; respond to inquiries.]

During a recent breach, Experian Data Breach Resolution handled about 6,000 calls for a client in a single day.

The most costly breaches are malicious or criminal attacks, such as hacking. Negligent employees are the top cause of data breaches in the United States.1

Did you know that 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have laws requiring notification of data breaches?3

Organizations that employ a Chief Information Security Officer (CISO) with enterprise-wide responsibility can reduce the cost of a data breach by 35%.2

Consumers want to see facts about the breach, information about the risks they may face, steps they can take to protect themselves and an offer for credit monitoring or identity protection included in a breach notice.4

1 2011 Cost of a Data Breach Study: United States, Symantec Corp. and Ponemon Institute.
2 2011 Cost of a Data Breach Study: United States, Symantec Corp. and Ponemon Institute.
3 Congressional Research Service Report for Congress, 2012
4 Consumer Study on Data Breach Notification, Ponemon Institute, 2012

© 2013 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners.

Data Breach Preparedness

Why Create a Data Breach Preparedness Plan?

The average total cost of a typical breach is $5.4 million in the United States.1 Some breaches cost much more than that, which is why it’s so important to be prepared. Multiply that by the hundreds, thousands – even millions – of records that are typically compromised in one breach and you begin to realize just how costly a data breach is.

A data breach can take a toll on a company of any size. Having a breach preparedness plan in place can help you act quickly if one occurs. Acting quickly can help to prevent further data loss, significant fines and costly customer backlash.

Look to C-level executives to make data breach preparedness a continuing priority for the entire company.

Assemble Your Response Team

Incident Preparedness
In the midst of a data breach is no time to decide how you’re going to handle one or who’s going to take care of what. So develop your response plan and build your response team before you need them.

Your team will coordinate efforts between your company’s various departments and fulfill two primary functions:
1. The immediate function is to develop the data breach response plan and prep the entire organization on proper protocol during a breach.
2. Then, if a breach does occur, the team will implement the response plan, engage the proper resources and track the efforts.

Incident Lead
Start by selecting your incident lead – think of someone from an internal or external legal department or a Chief Privacy Officer. Your incident lead should be able to:
- Manage and coordinate your company’s overall response efforts and team.
- Act as an intermediary between C-level executives and other team members to report progress and problems.
- Identify key tasks, manage timelines and document all response efforts from beginning to end.
- Outline the budget and resources needed to handle a breach.
- Summarize the steps needed to assess the scope of a breach.
- Ensure contact lists remain updated and team members remain ready to respond.
- Analyze response efforts post-breach to better prepare the company and team for the next incident.

Your incident lead, as well as every response team member, needs a backup.

1 2013 Cost of a Data Breach Study: Global Analysis, Ponemon Institute

Data Breach Preparedness Continued

Outline a structure of internal reporting to ensure executives and everyone on the response team is up to date and on track during a data breach.

Here is a quick look at the other members you will want on your team and what their responsibilities might entail:

Executive Leaders
Include the company’s key decision makers as advisors to your data breach response team to help ensure you have the needed leadership, backing and resources to properly develop and test your plan.
- Establish relationships with any necessary external counsel now – not once a breach occurs.
- Review and stay up to date on both state and federal laws governing data breaches in your industry.

PR
Depending on the size of the data breach and your industry, you may need to report the breach to the media and/or notify affected individuals. Your response team member from PR or communications will need to:
- Identify the best notification and crisis management tactics before a breach ever occurs.
- Handle any information leaks regarding a breach.
- Track and analyze media coverage and quickly respond to any negative press during a breach.

IT & Security
Your IT and security teams will likely lead the way in catching and stopping a data breach but not necessarily in investigating it. You’ll want someone from IT and/or security on your response team to:
- Train personnel in data breach response, including securing the premises, safely taking infected machines offline and preserving evidence.
- Work with a forensics firm to identify the compromised data and delete hacker tools without compromising evidence.

Customer Care & HR
Data breaches may affect both your customers and your employees, so appoint representatives from both customer service and HR to your response team to provide needed support. Your representatives should:
- Create simulation training for your customer service representatives that demonstrates how their roles would change during a data breach.
- Outline a plan for setting up a data breach hotline for customers and/or employees if a breach occurs. Determine in advance if you’ll use internal or external resources.

Legal & Privacy
Rely on internal and/or external legal, privacy and compliance experts to shape your data breach response and help minimize the risk of litigation and fines. Your legal representatives will need to:
- Determine whether it’s necessary to notify affected individuals, the media, law enforcement, government agencies and other third parties, such as card holder issuers.

Law Enforcement
Depending on the severity of a data breach, you may need to involve law enforcement. Take time to collect all of the appropriate contact information now so you can act quickly if a breach does occur.
- Identify which state and federal authorities, including the FBI and Secret Service, to contact in the event of a data breach involving criminal activity.
- During a breach, be sure everyone on the data breach response team is aware of any law enforcement directives so the investigation isn’t interrupted.

Data Breach Resolution Provider
Contract with a data breach resolution vendor in advance of a breach to secure the best rates. Your vendor should be able to:
- Assign you a dedicated account manager to handle escalations, tracking and reporting.
- Handle all aspects of notification, including drafting, printing and mailing letters and address verification.
- Offer proven identity protection, comprehensive fraud resolution and secure call center services for affected individuals.

Clearly defined steps, timelines and checklists help keep everyone focused during the stress of a data breach.

Data Breach Preparedness Continued

Preparedness Training
In addition to a company-wide focus on data security and breach preparedness, department-specific training should trickle down from the data breach response team. Each member of the team has a unique responsibility to apply prevention and preparedness best practices to his/her own department.
- Work with employees to integrate data security efforts into their daily work habits.
- Develop data security and mobile device policies, update them regularly and communicate them to business associates.
- Invest in the proper cyber security software, encryption devices and firewall protection. Update these security measures regularly.
- Limit the type of both hard and electronic data someone can access based on job requirements.
- Establish a method of reporting for employees who notice that others aren’t following the proper security measures.
- Conduct employee security training/re-training at least once a year.

While your data breach response team coordinates your preparedness and response efforts, everyone in your company plays a role in data security. Therefore everyone should be involved in data breach preparedness.

Conduct practice runs of your preparedness plan and regular reviews to ensure you have everything covered.

Prepare for the Worst So You Can Respond at Your Best
Be sure everyone on your data breach response team understands their specific responsibilities – both in preparing for and responding to a breach. The contact forms in the back (See Page 22) will give you a starting point for organizing the contacts for your team. Be sure to update and distribute the contact list every quarter so everyone is always prepared to act.

Data Breach Incident Response

Acting quickly and strategically following a data breach can help you regain your security, preserve evidence and protect your brand. Always collect, document and record as much information about the data breach and your response efforts, including conversations with law enforcement and legal counsel, as you can.

One out of five organizations do not have a formal incident response plan in place.1

The First 24 Hours Checklist
Panicking won’t get you anywhere once you’ve discovered a data breach. Accept that it’s happened and immediately contact your legal counsel for guidance on initiating these 10 critical steps:
1. Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.
2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
3. Secure the premises around the area where the data breach occurred to help preserve evidence.
4. Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.
5. Document everything known thus far about the breach: who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.
6. Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
7. Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
8. Assess priorities and risks based on what you know about the breach.
9. Bring in your forensics firm to begin an in-depth investigation.
10. Notify law enforcement, if needed, after consulting with legal counsel and upper management.

1 IT Security and Privacy Survey, Protiviti Risk & Business Consulting, May 2013
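The checklist above keeps coming back to one thing: a timestamped record of when the breach was discovered, when the response team was alerted, who knew what, and why each step was taken. The following Python script is an added example, not part of the Experian guide, of a minimal incident record that holds those entries, reports how long it took from discovery to team activation, and lists which of the ten steps have no documentation yet. The step names are paraphrased from the checklist, and the sample entries in sample_record() are constructed.

```python
"""Incident record for the first 24 hours of a breach response.

Added example, not from the Experian guide. Step names are paraphrased from
the guide's ten-step checklist; the sample entries are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The ten initial steps, in the order the guide gives them (paraphrased).
INITIAL_STEPS = (
    "record discovery and response start times",
    "alert and activate the response team",
    "secure the premises",
    "stop additional data loss",
    "document everything known so far",
    "interview those involved and document the investigation",
    "review information-dissemination protocols",
    "assess priorities and risks",
    "engage the forensics firm",
    "notify law enforcement if needed",
)


@dataclass(frozen=True)
class Entry:
    when: datetime            # UTC timestamp of the action or observation
    actor: str                # who performed or reported it
    step: Optional[int]       # 1-based index into INITIAL_STEPS, or None for free notes
    what: str                 # what was done
    why: str                  # the guide: document why you took each step, not just what


@dataclass
class IncidentRecord:
    discovered_at: datetime
    entries: List[Entry] = field(default_factory=list)

    def log(self, when, actor, what, why, step=None):
        """Append one entry; an entry cannot predate the recorded discovery time."""
        if when < self.discovered_at:
            raise ValueError("entry predates discovery time")
        self.entries.append(Entry(when, actor, step, what, why))

    def response_started_at(self):
        """Time the first response-team member was alerted (step 2), if logged."""
        times = [e.when for e in self.entries if e.step == 2]
        return min(times) if times else None

    def time_to_activation(self):
        """Elapsed time between discovery and team activation (step 1 asks for both)."""
        started = self.response_started_at()
        return None if started is None else started - self.discovered_at

    def undocumented_steps(self):
        """Names of the ten initial steps with no entry logged against them."""
        done = {e.step for e in self.entries if e.step is not None}
        return [INITIAL_STEPS[i - 1] for i in range(1, 11) if i not in done]

    def timeline(self):
        """Entries in chronological order as 'time | actor | what (why)' lines."""
        return [f"{e.when.isoformat()} | {e.actor} | {e.what} ({e.why})"
                for e in sorted(self.entries, key=lambda e: e.when)]


def sample_record():
    """Constructed scenario: a laptop reported missing, response starts 40 minutes later."""
    t0 = datetime(2013, 9, 3, 8, 15, tzinfo=timezone.utc)
    rec = IncidentRecord(discovered_at=t0)
    rec.log(t0, "help desk (J. Doe)", "reported missing laptop to security",
            "discovery of the incident", step=1)
    rec.log(t0 + timedelta(minutes=40), "incident lead",
            "paged response team and outside counsel",
            "begin executing the preparedness plan", step=2)
    rec.log(t0 + timedelta(hours=1), "IT",
            "took the affected workstation offline but left it powered on",
            "stop further loss without destroying volatile evidence", step=4)
    rec.log(t0 + timedelta(hours=2), "incident lead",
            "interviewed J. Doe and her manager",
            "establish who knew what, and when", step=6)
    return rec


if __name__ == "__main__":
    record = sample_record()
    print("\n".join(record.timeline()))
    print("time to activation:", record.time_to_activation())
    print("still undocumented:", record.undocumented_steps())
```

Running it prints the four constructed entries in order, a 40-minute activation time, and the six steps that have not been documented yet; the undocumented list is what the incident lead would read back at the first inventory of progress.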

Data Breach Incident Response Continued

Once you have begun or completed the 10 initial steps, stop briefly to take inventory of your progress. Ensure your preparedness plan is on track and continue with these next steps:

Any data breach could lead to litigation. Work closely with your legal and compliance experts to analyze risks and ways to mitigate them, such as proper documentation and notification.

Fix the Issue that Caused the Breach
- Rely on your forensics team to delete hacker tools.
- Determine if you have other security gaps or risks and address them.
- Put clean machines online in place of affected ones.
- Ensure the same type of breach cannot happen again.
- Document when and how the breach was contained.

Identify Conflicting Initiatives
- Make the response team and executives aware of any upcoming business initiatives that may interfere or clash with response efforts.
- Decide whether to postpone these efforts and for how long in order to focus on the breach.

Alert Your Data Breach Resolution Vendor
- Contact your pre-selected vendor to choose business services for your company and protection products for individuals affected in the breach.
- Determine how many activation codes you will need for the protection products based on the number of affected individuals.
- Draft and sign a data breach resolution agreement if you do not have a pre-breach agreement in place.
- Engage your vendor to handle notifications (learn more in the next section: Breach Notification) and set up a call center so affected individuals have access to customer service representatives trained on the breach.
- Work closely with your account manager to review incident reporting and metrics.

Identify Legal Obligations
- Revisit state and federal regulations governing your industry and the type of data lost.
- Determine all entities that need to be notified, i.e. customers, employees, the media, government agencies, regulation boards, etc.
- Ensure all notifications occur within any mandated timeframes.

Don’t just document what steps you take. Document why you took them.

Continue Working with Forensics
- Determine if any countermeasures, such as encryption, were enabled when the compromise occurred.
- Analyze backup, preserved or reconstructed data sources.
- Ascertain the number of suspected people affected and type of information compromised.
- Begin to align compromised data with customer names and addresses for notification.

Report to Upper Management
- Compile daily breach reports for upper management.
- The first report should include all of the facts about the breach as well as the steps and resources needed to resolve it.
- Create a high-level overview of priorities and progress, as well as problems and risks.

Never send sensitive information, such as SSNs, unnecessarily to vendors supporting the breach.

Keep Your Response Efforts on Track
Resolving a data breach requires a coordinated effort between your response team members, executives, external resources, law enforcement, forensic firm and data breach resolution vendor. Staying organized and documenting every step and decision should be a top priority. Act quickly to minimize the damage but don’t lose sight of your priorities or of the needs of affected individuals.

Data Breach Notification

Sixty days. That’s generally the amount of time businesses have to notify affected individuals of a data breach, assuming notification is required by law. The countdown starts the moment a breach is discovered. Depending on varying circumstances, you may have even less time.

Not all breaches require notification. If your data was encrypted or an unauthorized employee accidentally accessed but didn’t misuse the data, you may not need to notify. Be sure to seek and follow legal advice before deciding to forgo notification.

Notification Challenges to Consider
Your legal counsel can help you determine if any of these or other challenges may impact your notification process:
- Certain state laws and federal regulations shrink the timeline to 30 or 45 days, meaning there’s no time to waste in verifying addresses; writing, printing and mailing notification letters; and setting up a call center and other services for affected individuals.
- Some states mandate specific content for you to include in your notification letters. This can include toll-free numbers and addresses for the three major credit bureaus, the FTC and a state’s attorney general.
- Notification may be delayed if law enforcement believes it would interfere with an ongoing investigation.
- Multiple state laws may apply to one data breach because jurisdiction depends on where the affected individuals reside, not where the business is located.
- If some affected individuals live in a state that mandates notification and others live in a state that doesn’t, you should notify everyone so you’re not singled out for inequality.
- Keep in mind that some recipients will think the notification letter itself is a scam.

Mishandling notifications can lead to severe consequences, including fines and other unbudgeted expenses. It could also tarnish your brand reputation and customer loyalty, leading to potential revenue loss.

What you say, how you say it and when you say it are all important elements of data breach notification.

Organizations can improve the outcome of a data breach if they contract with vendors ahead of time. That way, if a breach does occur, you would already have a forensics partner, a privacy attorney and a breach notification partner in place and ready to hit the ground running.

Successful Notification
It is your responsibility to determine the deadlines for notification according to state law. The notification deadline is a heavy weight on top of the already burdensome and stressful ordeal of a data breach. One way to help eliminate some of that stress is determining how you’ll handle notifications before a breach occurs. Lining up a data breach resolution provider in advance can help shave off both time and stress from your response efforts. In many cases, you can even save money by signing a contract with a provider in advance of a breach.

What to Look For in a Data Breach Resolution Provider
Above all, your data breach resolution provider should make security a top priority throughout the notification process. Unlike standard direct mail production, data breach notification requires critical service and quality assurance elements to ensure compliance. Look for one vendor that can seamlessly handle notifications from beginning to end and make a positive impact on your brand.
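The deadline arithmetic this section describes (the clock starts at discovery, some jurisdictions shorten the general 60-day window to 30 or 45 days, jurisdiction follows where each affected individual lives, residents of states without a mandate should still be notified, and a law enforcement request can delay notice) is easy to get wrong when one breach spans many states. The Python below is an added example, not from the Experian guide, that computes a deadline per state and the earliest, binding one, and flags a law enforcement hold that runs past that deadline so counsel can resolve it. Its state table uses constructed placeholder names (ST-A, ST-B, ST-C) and day counts chosen only to exercise the logic; they are not a statement of any state's law and must be replaced with values supplied by counsel.

```python
"""Notification deadline planner.

Added example, not from the Experian guide. The day limits in
STATE_DEADLINE_DAYS are CONSTRUCTED placeholders for illustration, not any
state's actual law; replace them with values from legal counsel.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

GENERAL_DEADLINE_DAYS = 60   # the guide's general rule: sixty days from discovery

# Constructed placeholder table: state -> days after discovery, or None when the
# (hypothetical) state has no notification statute. Not real law.
STATE_DEADLINE_DAYS: Dict[str, Optional[int]] = {
    "ST-A": 45,    # hypothetical state with a shortened 45-day window
    "ST-B": 30,    # hypothetical state with a 30-day window
    "ST-C": None,  # hypothetical state with no notification statute
}


def deadline_for_state(discovered_at, state):
    """Deadline for residents of `state`, counted from discovery.

    Unknown states fall back to the general window. A state with no statute
    also gets the general window, because the guide says to notify everyone
    rather than leave some residents out."""
    days = STATE_DEADLINE_DAYS.get(state, GENERAL_DEADLINE_DAYS)
    if days is None:
        days = GENERAL_DEADLINE_DAYS
    return discovered_at + timedelta(days=days)


def plan_notification(discovered_at, affected_by_state, law_enforcement_hold_until=None):
    """Return per-state deadlines, the binding (earliest) deadline, the states
    whose residents are notified only under the notify-everyone rule, and
    whether a law enforcement hold runs past the binding deadline."""
    per_state = {st: deadline_for_state(discovered_at, st)
                 for st, count in affected_by_state.items() if count > 0}
    if not per_state:
        raise ValueError("no affected individuals")
    binding = min(per_state.values())
    # STATE_DEADLINE_DAYS.get(st, 0) is None only for states listed with no statute.
    no_statute = sorted(st for st in per_state if STATE_DEADLINE_DAYS.get(st, 0) is None)
    hold_conflict = (law_enforcement_hold_until is not None
                     and law_enforcement_hold_until > binding)
    return {
        "per_state": per_state,
        "binding_deadline": binding,
        "days_remaining": (binding - discovered_at).days,
        "notify_everyone": no_statute,
        "hold_conflicts_with_deadline": hold_conflict,
    }


def sample_plan():
    """Constructed scenario: breach discovered 3 Sept 2013 09:00 UTC, affected
    individuals in four states (ST-D is not in the table), and a law enforcement
    request to hold notification until 10 Oct 2013."""
    discovered = datetime(2013, 9, 3, 9, 0, tzinfo=timezone.utc)
    affected = {"ST-A": 1200, "ST-B": 300, "ST-C": 50, "ST-D": 10}
    hold = datetime(2013, 10, 10, tzinfo=timezone.utc)
    return plan_notification(discovered, affected, law_enforcement_hold_until=hold)


if __name__ == "__main__":
    plan = sample_plan()
    for state, due in sorted(plan["per_state"].items()):
        print(f"{state}: notify by {due.date()}")
    print("binding deadline:", plan["binding_deadline"].date(),
          f"({plan['days_remaining']} days from discovery)")
    print("notify-everyone states:", plan["notify_everyone"])
    print("law enforcement hold conflicts with deadline:", plan["hold_conflicts_with_deadline"])
```

In the constructed scenario the 30-day state sets the binding deadline of 3 October, the no-statute state is listed so the team can confirm its residents are mailed anyway, and the hold until 10 October is flagged rather than silently extending the deadline, since only counsel can decide how a law enforcement delay interacts with each state's rule.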

Data Breach Notification Continued

Account Management
Amid the stress of a data breach, you’ll appreciate having an experienced account manager that streamlines and simplifies the notification process for you. Your account manager should know the ins and outs of your breach, your priorities and your deadlines. That can only happen if you have an assigned, dedicated account manager. Otherwise you’ll waste valuable time working with a different account manager every time you call.

Be sure to double check and test phone numbers and URLs in all communications.

Critical Notification Services
A full-service data breach resolution vendor should offer a range of options, as well as strict security standards, to fit your business needs and the scope of your breach:

Comprehensive letter management
- Templates for you to customize to your company and breach
- Management of multiple letter versions based on state regulations, affected individuals (employee vs. consumer audience), etc.
- Four-color or black-and-white letters
- Professional printing with your company logo and electronic signature

Address validation & delivery
- Certified address cleansing confirmed against USPS standards
  o Coding accuracy support system – address standardization
  o Delivery point validation – validate address exists
  o Locatable address conversion system – update address
- National change of address verified by USPS
- Deceased and criminal identification to minimize unnecessary mailings
- First-class postage
- Return mail management to securely handle and discard returned notification letters

Quality assurance for printing and fulfillment
- Dedicated quality assurance personnel
- Robust integration controls to ensure 100% produced and mailed
- Tier-1 data security protocols with a secure/restricted access production area
- Ongoing training and certification of personnel
- 24/7 camera monitoring with secure archiving

Reporting for compliance
- Daily inventory reporting
  o Initial mailings
  o Address changes
  o Undeliverable and returned letters
- Electronic letter copies for proof of notification
- USPS postal delivery report

As dictated by state law, a notification letter may need to include:
- Clear language, not industry jargon, that the average person could understand.
- A toll-free phone number for individuals wanting additional information.
- Details about the type of data lost and how it was lost, unless prohibited by law.
- Next steps to help affected individuals regain their security, such as signing up for a complimentary identity protection product.

Notification letters may contain sensitive data and require secure handling through every stage of drafting, printing and mailing.

Legal Notice: Always check with your legal counsel in order to identify the notification requirements for your specific incident.

An example notification letter.

[Company Logo]
[Return Address]
[Date]

[Recipient’s Name]
[Address]
[City, State, Zip (shows thru outer envelope window)]

Important Security and Protection Notification. Please read this entire letter.

Dear [Insert customer name]:

I am contacting you regarding a data security incident that has occurred at [Insert Company Name]. This incident involved your [describe the type of personal information (of your client) that may be potentially exposed due to the breach incident (i.e., Social Security number, etc.)]. As a result, your personal information may have been potentially exposed to others. Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all of the information that you have entrusted to us.

[Insert Company Name] takes this incident seriously and is committed to assuring the security of your data. To help protect your identity, we are offering a complimentary one-year membership of Experian’s ProtectMyID Elite. This product helps detect possible misuse of your personal information and provides you with superior identity protection services focused on immediate identification and resolution of identity theft.

Activate ProtectMyID Now in Three Easy Steps
1. ENSURE That You Enroll By: [date]
2. VISIT the ProtectMyID Web Site: www.protectmyid.com/enroll or call 1-XXX-XXX-XXXX to enroll
3. PROVIDE Your Activation Code: [code]

Once your ProtectMyID membership is activated, your credit report will be monitored daily for 50 leading indicators of identity theft. You’ll receive timely Surveillance Alerts™ from ProtectMyID on any key changes in your credit report, a change of address, or if an Internet Scan detects that your information may have been found in an online forum where compromised credentials are traded or sold.

ProtectMyID provides you with powerful identity protection that will help detect, protect and resolve potential identity theft. In the case that identity theft is detected, ProtectMyID will assign a dedicated U.S.-based Identity Theft Resolution Agent who will walk you through the process of fraud resolution from start to finish for seamless service.

Your complimentary 12-month ProtectMyID membership includes:
- Credit Report: A copy of your Experian credit report
- Surveillance Alerts
  o Daily 3 Bureau Credit Monitoring: Alerts you of suspicious activity including new inquiries, newly opened accounts, delinquencies, or medical collections found on your Experian, Equifax, and TransUnion credit reports.
  o Internet Scan: Alerts you if your Social Security Number or Credit and/or Debit Card numbers are found on sites where compromised data is found, traded or sold.
  o Change of Address: Alerts you of any changes in your mailing address.
- Identity Theft Resolution: If you have been a victim of identity theft, you will be assigned a dedicated, U.S.-based Experian Identity Theft Resolution Agent who will walk you through the fraud resolution process, from start to finish.
- Lost Wallet Protection: If you ever misplace or have your wallet stolen, an agent will help you cancel your credit, debit and medical insurance cards.
- $1 Million Identity Theft Insurance*: As a ProtectMyID member, you are immediately covered by a $1 million insurance policy that can help you cover certain costs including, lost wages, private investigator fees, and unauthorized electronic fund transfers.

Activate your membership today at www.protectmyid.com/enroll or call 1-XXX-XXX-XXXX to register with the activation code above.

Once your enrollment in ProtectMyID is complete, you should carefully review your credit report for inaccurate or suspicious items. If you have any questions about ProtectMyID, need help understanding something on your credit report or suspect that an item on your credit report may be fraudulent, please contact Experian’s customer care team at XXX-XXX-XXXX.

[Insert a detailed explanation about the circumstances surrounding the breach incident (e.g., this information was contained on a computer that was stolen from our offices.), what investigative steps have been t
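The sample letter above carries bracketed fields such as [Insert Company Name] and masked numbers such as 1-XXX-XXX-XXXX, and the earlier sidebar says to double check and test every phone number and URL in all communications. A letter that goes to print with a field unfilled, a number still masked, or a hotline that nobody has dialled is exactly the mishandled notification the guide warns about. The Python below is an added example, not part of the Experian guide, that fills such a template and then audits the result for leftover fields, masked numbers, and any phone number or URL that is not on the list of ones the team has actually tested. The template excerpt, the field values and the phone numbers are all constructed.

```python
"""Placeholder and contact-detail audit for a breach notification letter.

Added example, not from the Experian guide. TEMPLATE is a constructed
excerpt modelled on the guide's sample letter; all values are constructed.
"""
import re

TEMPLATE = """Dear [Insert customer name]:
I am contacting you regarding a data security incident that has occurred at
[Insert Company Name]. This incident involved your [describe the type of personal
information].
2. VISIT the ProtectMyID Web Site: www.protectmyid.com/enroll or call 1-XXX-XXX-XXXX
3. PROVIDE Your Activation Code: [code]
Please contact Experian's customer care team at XXX-XXX-XXXX.
"""

PLACEHOLDER = re.compile(r"\[[^\]]*\]")                  # any [bracketed field], even multi-line
MASKED_PHONE = re.compile(r"\b(?:1-)?X{3}-X{3}-X{4}\b")  # 1-XXX-XXX-XXXX or XXX-XXX-XXXX
PHONE = re.compile(r"\b(?:1-)?\d{3}-\d{3}-\d{4}\b")       # a filled-in US number
URL = re.compile(r"\b(?:https?://)?(?:www\.)[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def fill_letter(template, fields, phone_numbers):
    """Replace each [bracketed field] found in `fields` and each masked phone
    number, in order of appearance, from `phone_numbers`. Anything not supplied
    is left untouched so that audit_letter can flag it."""
    text = PLACEHOLDER.sub(lambda m: fields.get(m.group(0), m.group(0)), template)
    numbers = iter(phone_numbers)
    return MASKED_PHONE.sub(lambda m: next(numbers, m.group(0)), text)


def audit_letter(text, verified_phones, verified_urls):
    """Return the problems that must be cleared before a print run: fields still
    bracketed, numbers still masked, and phone numbers or URLs not on the
    verified (actually tested) lists."""
    phones = set(PHONE.findall(text))
    urls = {u.rstrip(".,") for u in URL.findall(text)}
    return {
        "unfilled_fields": PLACEHOLDER.findall(text),
        "masked_phones": MASKED_PHONE.findall(text),
        "unverified_phones": sorted(phones - set(verified_phones)),
        "unverified_urls": sorted(urls - set(verified_urls)),
    }


def sample_audit():
    """Constructed run: one field deliberately left unfilled and the customer
    care number filled in but never tested, so both show up in the audit."""
    letter = fill_letter(
        TEMPLATE,
        {"[Insert customer name]": "Jane Q. Public",
         "[Insert Company Name]": "Example Health Partners",
         "[code]": "ABCD-1234"},
        ["1-800-555-0100", "800-555-0101"],
    )
    return audit_letter(letter,
                        verified_phones={"1-800-555-0100"},
                        verified_urls={"www.protectmyid.com/enroll"})


if __name__ == "__main__":
    for problem, items in sample_audit().items():
        print(f"{problem}: {items}")
```

Any non-empty list in the audit result blocks the mailing: in the constructed run the description field is still bracketed and the customer care number was filled in but not tested, while the enrolment URL and the enrolment hotline pass because they are on the verified lists.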
