Emerging risks and evolving regulation demand companies pay attention: Aon and Data Privacy Day 2012
Poster: SySAdmin
Posted on January 24, 2012 at 2:07:01 PM
Emerging risks and evolving regulation demand companies pay attention: Aon and Data Privacy Day 2012
Global risk advisor outlines top five steps to safeguard data
CHICAGO, Jan. 24, 2012 /PRNewswire/ -- On Jan. 28, companies around the world will recognize Data Privacy Day 2012, an annual international celebration designed to promote awareness about best privacy practices. Aon Risk Solutions, the global risk management business of Aon Corporation (NYSE: AON), encourages companies to use Data Privacy Day as an opportunity to assess network risk practices and identify where improvement may be needed.
(Logo: http://photos.prnewswire.com/prnh/20100719/AQ37264LOGO)
"New risks, illustrated by the Carrier IQ mobile device privacy controversy, Zappos and Amazon's 24 million records breached, Sony's 100 million records breached and recent hacktivist attacks, are emerging faster than most policies and IT departments can keep up," said Kevin Kalinich, global practice leader of cyber insurance for Aon Risk Solutions. "Organizations that think their network could never be a penetrable target need to think again."
Companies must focus on data privacy risk mitigation practices and become familiar with their cyber risk insurance policy to ensurea financial backstop is in place when - not if - a data breach occurs.
"It is important to understand that data privacy compliance starts with your data. The organization needs to know where its information is located, transferred and how it is accessed," added Adam Nelson, chief privacy counsel for Aon Corporation.
In October 2011, the U.S. Securities and Exchange Commission introduced guidelines that call for public organizations to disclose cyber incidents and whether cyber insurance is purchased. While organizations do not legally have to disclose this information, plaintiffs' attorneys are likely to use the SEC guidelines as a threshold liability standard.
"Additional implications of these guidelines remain an unknown," Kalinich added. "If an organization does not disclose its cyber incidents, it may face fines from the SEC and open the door to increased shareholder lawsuits for not properly disclosing or assessing the risk of an attack. We may also see a time when credit rating agencies take cyber security exposures into account when evaluating a company - just as Standard & Poor's has done with enterprise risk management."
According to Aon, there are five important steps companies must consider taking to safeguard data:
1. Understand your obligations under law and applicable standards - Keep
educated and aware of local, state, federal and foreign regulations, as
they are constantly evolving.
2. Assemble a data security team and assess your data - In addition to
determining the type and amount of personal data maintained, it is
important to identify how data is collected, stored, used and transmitted
as well as understand potential threats to the company's security (e.g.
third-party vendors, such as cloud computing service providers).
3. Develop data protection, privacy policies and procedures - The data
security team should review existing policies and make them consistent
with industry best practices. Social networking sites and related blogs
pose new threats that must be considered.
4. Control hardware and software - Laptops, PDAs and other mobile devices
present additional challenges. A data breach prevention program must
assess and control exposures related to hardware and software used by
company personnel.
5. Review contracts - Update and negotiate services agreements to ensure
privacy and security protections are embedded within the company's
relationships.
Data Privacy Day began in January 2008 as an extension of Data Protection Day, celebrated in Europe. Among its many goals, Data Privacy Day promotes privacy awareness and education among businesses and consumers, focusing on privacy issues raised by the use of social networking sites, cloud computing, smartphones and other mobile devices as well as encouraging users to comply with existing privacy laws and regulations.
Photo:http://photos.prnewswire.com/prnh/20100719/AQ37264LOGO
http://photoarchive.ap.org/
Aon Corporation
Web Site: http://www.aon.com
Global risk advisor outlines top five steps to safeguard data
CHICAGO, Jan. 24, 2012 /PRNewswire/ -- On Jan. 28, companies around the world will recognize Data Privacy Day 2012, an annual international celebration designed to promote awareness about best privacy practices. Aon Risk Solutions, the global risk management business of Aon Corporation (NYSE: AON), encourages companies to use Data Privacy Day as an opportunity to assess network risk practices and identify where improvement may be needed.
(Logo: http://photos.prnewswire.com/prnh/20100719/AQ37264LOGO)
"New risks, illustrated by the Carrier IQ mobile device privacy controversy, Zappos and Amazon's 24 million records breached, Sony's 100 million records breached and recent hacktivist attacks, are emerging faster than most policies and IT departments can keep up," said Kevin Kalinich, global practice leader of cyber insurance for Aon Risk Solutions. "Organizations that think their network could never be a penetrable target need to think again."
Companies must focus on data privacy risk mitigation practices and become familiar with their cyber risk insurance policy to ensurea financial backstop is in place when - not if - a data breach occurs.
"It is important to understand that data privacy compliance starts with your data. The organization needs to know where its information is located, transferred and how it is accessed," added Adam Nelson, chief privacy counsel for Aon Corporation.
In October 2011, the U.S. Securities and Exchange Commission introduced guidelines that call for public organizations to disclose cyber incidents and whether cyber insurance is purchased. While organizations do not legally have to disclose this information, plaintiffs' attorneys are likely to use the SEC guidelines as a threshold liability standard.
"Additional implications of these guidelines remain an unknown," Kalinich added. "If an organization does not disclose its cyber incidents, it may face fines from the SEC and open the door to increased shareholder lawsuits for not properly disclosing or assessing the risk of an attack. We may also see a time when credit rating agencies take cyber security exposures into account when evaluating a company - just as Standard & Poor's has done with enterprise risk management."
According to Aon, there are five important steps companies must consider taking to safeguard data:
1. Understand your obligations under law and applicable standards - Keep
educated and aware of local, state, federal and foreign regulations, as
they are constantly evolving.
2. Assemble a data security team and assess your data - In addition to
determining the type and amount of personal data maintained, it is
important to identify how data is collected, stored, used and transmitted
as well as understand potential threats to the company's security (e.g.
third-party vendors, such as cloud computing service providers).
3. Develop data protection, privacy policies and procedures - The data
security team should review existing policies and make them consistent
with industry best practices. Social networking sites and related blogs
pose new threats that must be considered.
4. Control hardware and software - Laptops, PDAs and other mobile devices
present additional challenges. A data breach prevention program must
assess and control exposures related to hardware and software used by
company personnel.
5. Review contracts - Update and negotiate services agreements to ensure
privacy and security protections are embedded within the company's
relationships.
Data Privacy Day began in January 2008 as an extension of Data Protection Day, celebrated in Europe. Among its many goals, Data Privacy Day promotes privacy awareness and education among businesses and consumers, focusing on privacy issues raised by the use of social networking sites, cloud computing, smartphones and other mobile devices as well as encouraging users to comply with existing privacy laws and regulations.
Photo:http://photos.prnewswire.com/prnh/20100719/AQ37264LOGO
http://photoarchive.ap.org/
Aon Corporation
Web Site: http://www.aon.com