Privacy: Responding to the Next Breach

Nationwide's Privacy Officer on How to Improve Privacy Management

By , May 31, 2011.

Organizations looking to improve privacy management in the event of a breach "have to continually plan and prepare," says Nationwide's Chief Privacy Officer Kirk Herath.

That means putting into writing a comprehensive plan that details the appropriate responses to an attack, Herath says in an interview with BankInfoSecurity.com [transcript below].

Herath's leadership has made Nationwide one of the Top 10 Most Trusted Companies for Privacy five times by the Ponemon Institute. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011.

IT security professionals should routinely run exercises to see how the plan is performing. "Figure out what is going right, what is going wrong," Herath says. "Even if a process looks to be working well, you should still shine a light on it and give it some scrutiny to make sure you can't do it better," he says.

Accountability is another important step in responding to a breach. Team members need ongoing training, Herath says, in order to be prepared. "We do ongoing training for the team members and we run it like a fire department. You don't want to build a fire department after the house is on fire."

When conducting training and investigations, IT security professionals should go back, debrief, and do root-cause analysis, Herath says. If problems arise in a company's privacy management plan, "be honest with yourselves and fix the things that don't go well," Herath says.

As the recent Sony and Epsilon breaches have shown, organizations can't wait until after a breach has occurred to start training to protect privacy. "You want to have (the plan) in place, prepared, trained and ready to roll when the alarm goes off," he says.

In the second part of a two-part interview on privacy and incident response, Herath discusses:

  • What he has done to improve privacy protection at Nationwide;
  • Today's top privacy risks;
  • How organizations can improve privacy management in the event of a breach.

In part one of this interview, Herath discusses his role at Nationwide, as well as his reaction to the recent Epsilon and Sony data breaches.

Herath is Vice-President, Associate General Counsel and Chief Privacy Officer for Nationwide Insurance Companies and affiliates based in Columbus, Ohio.

Among other things, he heads up a team that has primary responsibility for corporate privacy policy and implementing privacy across all lines of business. He represents Nationwide's interests on many industry and business privacy groups and before legislative and regulatory bodies. He is responsible for all legal issues impacting privacy, information security, technology and information systems, contracts and supply services management, confidentiality and data integrity. Under his leadership, Nationwide has been selected as one of the Top 10 Most Trusted Companies for Privacy (number one in the insurance sector) five times by the Ponemon Institute.

Herath is Past President of the International Association of Privacy Professionals and is still very active within the association serving on several committees. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011. He speaks regularly on a broad array of issues.

How to Protect Privacy

TOM FIELD: You talked about encrypting your laptops. What else have you done to improve how you protect privacy at Nationwide?

KIRK HERATH: There is a cultural transformation that you have to go through; any organization has to go through it. At the end of the day your employees are going to do the right thing. Often you will find that they will be too conservative with the way they treat data, which then ultimately hurts the business, and maybe even the customer. So you have to train them. You have to train them and do lots of education awareness activities to build a unified policy around how data should or shouldn't be used, and then what the appropriate and inappropriate uses and practices are.

Follow Jeffrey Roman on Twitter: @gen_sec
