26 January 2009

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security and one definition can be found in the EU directive 95/46/EC:[1]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.


As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too does the plaintiff lawyers. Now the clock starts ticking and each tick gets louder and louder, as different litigation strategies are discussed. In Board Rooms and judges court chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) is being discussed as a legitimate component of evidence and it's relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare, prevent and even preempt a "Data Security Breach" in your organization. This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders internally and external to the company. More importantly, it provides the strategic insight on what vulnerabilities still exist in your particular organizations approach to remediation and legal compliance.


Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.


A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. The next one will be different.

18 January 2009

Vigilance: Human Factors of Complacency...

Two days from now, Washington, DC will be in the midst of a historic Presidential Inauguration and President Obama will be moving into his new house on Pennsylvania Avenue.

The day after, on January 21, 2009 our Operational Risk Managers from across the spectrum of government will be looking to set their respective agendas for the next four years. The outgoing administration is quickly getting their new offices set up with lobby shops and law firms to continue their power agendas. Some are headed to the private sector, to return to their roots in business.

Regardless of the complexity and the change factors associated with all of the political fan fare, there are still "Black Swan" risks to our economic and global vitality. These operational risks continue to interface with Homeland Security, the Department of Defense (DoD), Treasury, Justice, and the State Department priorities. It all exists with great anticipation.

The United States will continue it's quest to secure the homeland from foreign and domestic terrorism. She will defend our allies against the aggression by other rogue states or countries in political turmoil. She will work harder than ever before to help other nations rebuild or build the foundations for economic stability, democracy and the rule of law. So what has or will change in the next four years in the context of Operational Risk Management?

It's almost like the feeling when you lose a loved one, to some catastrophic event. Or hear the news from a co-worker that your boss is being indicted for some corporate financial malfeasance. There is a feeling of despair and uncertainty. The event and sudden impact brings on a form of decision paralysis. Everyone starts to question each other and there is a tremendous amount of finger pointing on what could have prevented or what caused the incident to occur.

What will change for Operational Risk and managing the current and yet to know "What If's" is that it can't be ignored any longer. In analyzing the 1-in-a-100-year event, people have to go far beyond the mathematical equations and start looking at human behavior. Operational Risk managers across our international governments and business will now realize that even the "Human Factors" in Operational Risk can't always be counted.


Writers Wilber and Smith from the Washington Post have this to say about a vital component of our continued national risk management vigilance:

"A special federal appeals court yesterday released a rare declassified opinion that backed the government's authority to intercept international phone conversations and e-mails from U.S. soil without a judicial warrant, even those involving Americans, if a significant purpose is to collect foreign intelligence.

The ruling, which was issued in August but not made public until now, responded to an unnamed telecommunications firm's complaint that the Bush administration in 2007 improperly demanded information on its clients, violating constitutional protections against unreasonable searches and seizures. The company complied with the demand while the case was pending.

In its opinion, a three-judge panel of the U.S. Foreign Intelligence Surveillance Court of Review ruled that national security interests outweighed the privacy rights of those targeted, affirming what amounts to a constitutional exception for matters involving government interests "of the highest order of magnitude."


Our greatest threat to national security or business and global economic welfare may well come down to the ability to mitigate complacency and a lack of vigilance. A high degree of complacent people, working in an environment of non-vigilance, could set the stage for those human factors to play a major role in exploiting our vulnerabilities as a business and a nation.

The weight of protecting our nation from economic tidal waves and well trained non-state actors is a tremendous responsibility. Operational Risk Management will continue to be a vital aspect of all the existing and new decision makers over the next four years. Becoming ever vigilant and eliminating complacency will keep us from falling victim to the risk of "Human Factors". Gods speed to the 44th Presidency!

07 January 2009

Managing the Business Risk of Fraud...

Operational Risk Management is in full swing at distressed institutions as the TARP funds continue to flow to these needy corporations. One thing is certain; you can expect increased oversight. The risk management mechanisms to determine how and where funds are being utilized will be the focus. Anti-fraud planning and investigative projects are on the radar of the Board of Directors and the Audit committee chair. The US government Anti-Fraud Task Force is gearing up:

Six more U.S. government agencies, including the Federal Reserve, will take part in a federal anti- fraud task force to strengthen its focus on uncovering mortgage and securities crimes.

Deputy Attorney General Mark Filip announced the expansion yesterday of the President's Corporate Fraud Task Force, which was formed in 2002. Joining the group are the Federal Housing Finance Agency, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Department of Housing and Urban Development and the Office of Inspector General for the financial industry rescue program approved last year by Congress.

"These new members reflect the breadth and depth of the mortgage crisis that we are now confronting and the urgency of the task before us," Filip said in a statement.

Current members of the task force include the heads of the Securities and Exchange Commission and the Commodity Futures Trading Commission.

Gil Soffer, associate deputy attorney general, said the task force expansion would let FBI officials coordinate with monitors of the Troubled Asset Relief Program.

"To be able to bring in our resources and to be able to tap into our expertise and to be able to work with our investigators and our prosecutors when there's criminal activity afoot, it's a tremendous boon" to TARP investigators, he said in an interview.

Congress passed the $700 billion TARP rescue package in October, and lawmakers have said oversight is needed to ensure the funds aren't misused.


The business of Fraud Risk Management has been spelled out for years and continues to be a high priority. Most Fortune 50 organizations have established sophisticated frameworks for addressing compliance, ethics and governance in their organizations. However, the question remains how well they understand their respective roles, responsibilities and jurisdictions. This organizational challenge is no different than the battle between the physical security and information security domains who are now converging. The ACFE, AICPA and the Institute of Internal Auditors have released their latest Practical Guide for Managing the Business Risk of Fraud. Here are the key principles:


Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

  • Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
  • Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
  • Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
  • Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
  • Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.


Operational Risk Management issues still exist in Tier II organizations who have market caps below $1B. in assets and are more vulnerable. This is typically due to the lack of resources and extensive staff devoted to a an enterprise wide program that incorporates the mission from the Board of Directors and the "Tone-at-the-Top". 2009 will be busy and you can bet the General Counsel and CxO's will be burning the midnight oil.