Kroll - Breach Management Services - Privacy Review
Nymity's Independent Privacy Solutions Review provides an unbiased assessment of the legal and privacy benefits of Kroll's Breach Management Services.
Privacy Compliance: Responding to a Privacy Breach
Organizations that experience a privacy breach are mandated to comply with privacy laws in Canada as in the rest of the world. In Ontario, the Personal Health Information Protection Act, 2004 has mandatory breach notification which requires organizations to notify individuals if there has been a breach of their personal health information. In fact, all of the 23 privacy laws in Canada restrict organizations from providing unauthorized access or disclosure of personal information.
Many of the Canadian Privacy Commissioners have published guidelines that document how they expect organizations to respond to a breach. These guidelines go beyond just providing notification to affected parties; they document a series of activities that an organization should implement if they experience a data breach.
Commissioners expect breach containment and preliminary assessment, including designating an appropriate individual to lead the initial investigation. If the breach appears to involve theft or other criminal activity, the organization should notify the police; evaluate the risks associated with the breach; and determine what personal information was involved, what the cause/extent of the breach was, how many individuals have been affected, and who they are and what harm could result from the breach. The organizations should determine whether affected individuals should be notified and if they are to be notified, determine when and how, and who will notify them. They must decide what should be included in the notification and if others should be informed (i.e., privacy commissioners, police). Then the organization must take steps to prevent future breaches.
Privacy laws are changing
To combat the number one growth area of criminal activity, identity theft, it is expected that many of the federal and provincial private sector privacy laws will be amended to include breach notification provisions for notifying affected individuals. It is expected the amendments will require organizations to report the breach to the Privacy Commissioner’s office. These amendments virtually mandate an organization have a breach response protocol in place and be prepared for a breach.
Privacy Breach
A privacy breach is the result of an unauthorized access to, or collection, use or disclosure of personal information.
Privacy Review: Kroll Breach Management Services
Breach Preparedness Program
Organizations can enroll in Kroll’s program in advance of any problem so that rapid and decisive actions can be taken if customer data is breached. This includes completion of necessary contracts, preferred pricing arrangements should a breach occur, and access to Kroll’s web based Client Portal, which allows an enrolled organization to manage their breach efficiently and gives them access to a library of data breach response tools. Other benefits to the Breach Preparedness Program include:
- Consulting Services - Kroll provides consulting services, including gap analysis and benchmarking, to clearly identify information security risks and illustrate mitigation best practices.
- Risk Assessment Self Audit - This risk assessment test is designed to be taken by various members of an organization’s team and can be used to help develop a strategy to address areas of concern.
- Customized Incident Response Plan - Kroll works with the organization to formulate an in-depth plan for emergency response to a data breach. The timeline for implementation depends upon the level of consulting services used and speed of response to Kroll’s inquiries.
- Employee Awareness Training - Continuing education is provided on new developments while reinforcing standard operating procedures. Kroll has the ability to develop and customize educational tools, including e-learning courseware that delivers best practice training.
Breach Management and Recovery Services
Even the tightest security can be breached, especially when not fully enforced. After a breach, an organization must respond and Kroll has a number of services that help:
- Conducting Data Forensics - An organization should ensure they truly have had a breach and that personal information has been compromised. Responding to a breach without conducting forensics could result in unnecessary notification. Notification is not required in all circumstances and having a third-party data forensics expert assist in making the decision and creating the documentation to support a non-notification decision is essential.
- Crisis Communications and Media Management - Some breaches will quickly draw the attention of media and other external audiences. Once that occurs, the priority at the commissioner’s office escalates. Kroll Fraud Solutions provides access to immediate, effective help with crisis communications. Services include:
  - Training a spokesperson
  - Providing talking points for media interaction
  - Developing FAQs
  - Drafting or editing press releases, internal memos, or website content
- Enrollment and Notification - When notifying breach victims, it is imperative to deliver a solution simultaneously and understand how each component of the response works in harmony. To do so, Kroll’s notification process is composed of the following services:
  - Enrollment of all breach victims as protected members
  - Mailed delivery of breach notification and services being made available (credit reports, credit monitoring)
  - Access to a toll-free, bilingual customer service team to triage and address questions
  These notification services are key to meeting the published guidelines.
- Domestic Call Centre Consultation - Individuals affected by a breach will have toll free telephone access to a call centre where Canadian based client representatives, highly skilled in their abilities to handle breach events, fraud, and identity theft issues, are available Monday through Friday from 8:30 a.m. to 6:30 p.m. EST for English and 8:30 a.m. to 4:30 p.m. EST for French to answer questions and manage the expectations of those affected. This allows the organization to extend the same breadth of services to each member of a breach, thereby ensuring each breach victim receives the same level of professional attention and guidance.
- Fraud Consultation, Investigation and Restoration Services - The core of Kroll’s offering is its depth of involvement and dedication to consultation and restoration. Kroll’s Certified Fraud Restoration Specialists have thousands of hours of experience working on the consumer’s behalf. Cases of identity theft are assigned a single specialist who will work with the consumer to restore his or her identity to pre-theft status as quickly and efficiently as possible. Restoration services include:
  - Confirming identity fraud and identifying its nature and scope
  - Investigating known, unknown, and potentially complicated trails of fraudulent activity
  - Organizing details of issues and explaining the fraud victim’s rights
  - Contacting, following up, and escalating issues with affected agencies and institutions on the victim’s behalf
  - Issuing fraud alerts and victim’s statements, when warranted, to the appropriate agencies
Kroll Facts

Kroll Inc. claims to be the world’s leading risk consulting company, providing a broad range of investigative, intelligence, financial, security, and technology services to help clients reduce risks, solve problems, and capitalize on opportunities.
Founded in 1972, Kroll has continuously expanded the breadth and depth of its risk management services for multinational corporations, non-profit institutions and government agencies. Kroll has continued to grow its breach crisis management and identity restoration services, and has been working to resolve identity fraud issues through its Fraud Solutions unit.
Kroll’s Fraud Solutions unit helps organizations prevent and recover from loss of sensitive personal information. Certified Fraud Restoration Specialists have counseled and provided representation for millions of individuals and worked to restore identities of victims on their behalf. Currently, over 30 million members are enrolled in Kroll Fraud Solutions’ program.
Canadian Services
Kroll’s services are all Canadian based and fully bilingual. Its call triage centres are located in Kitchener and Montreal, and its investigative team is based in Toronto.
Additional Information
Kroll Fraud Solutions - Data Breach: What You Don't Know Can Hurt You
Kroll Fraud Solutions - Your Single Resource for Multiple Protection
Kroll Breach Management Services - Privacy ROI
To calculate the privacy return on investment (Privacy ROI) an organization needs to consider costs and the likelihood of a breach. According to a Ponemon study, the average cost of a breach is $237 per record and the costs are increasing every year.
With Kroll, the costs can be managed based on the forensics and the form of notification. This will provide an immediate and significant privacy ROI if they determine and document the breach does not meet the regulatory thresholds for notification. If notification is required, it will likely be more cost-effective to outsource the breach response than to handle it with internal resources. Redeploying internal resources from their primary objectives is costly and prone to errors.
The likelihood of a breach can be calculated by conducting a full privacy self-assessment or by making estimates based on the following factors:
- Number of employees
- Locations of employees
- Number of customers
- Quantity of sensitive information collected
- Quantity of data transfers
- Location of the data (countries)
- Quality of the safeguards in place to protect the personal information
- Retention periods
- Media in which the information is stored
- Number of audits/self assessments conducted
- Quantity and quality of third parties processing the data
- Maturity of privacy management programs, including the quality of:
  - Data handling policies and procedures
  - Employee training
  - Privacy self-assessments and audits
  - Incident tracking and investigation programs
  - Breach response protocol
  - Data retention and destruction programs
  - Data leakage protection programs
With the increase in identity theft, the likelihood of a data breach that could result in harm is increasing. With increased costs and the likelihood of a breach, organizations will likely realize a privacy ROI with Kroll’s Breach Services. Leastwise, it does not cost anything to investigate the services available.
Testimonials
Healthcare Provider: “The Kroll team was eminently professional and worked closely with our team to ensure a smooth implementation. From the beginning, communications and interactions with our internal team were well-coordinated. Kroll worked closely with our legal team on an as-needed basis. Fraud Solutions investigators were responsive and sensitive to our customers’ needs. They were reflective of our organizational culture at all times. The investigators, always focused on compliance, worked with the consumers and helped to restore their identities AND their peace of mind. We would highly recommend Kroll’s Fraud Solutions to any enterprise addressing a data breach, or issues surrounding identity theft and fraud.”
Specialty Outdoor Equipment Manufacturer: “We’re a 25-year-old company with incredibly high standards; that meant our employees would expect—and deserve—the best incident response and consumer support we could find. Within a matter of hours on Monday morning, Kroll Fraud Solutions had answers for us, bringing a level of comprehensive service and expertise that helped us weather the storm. Kroll’s global leadership in security brought a sense of calm to both the management team and the staff, and their ongoing diligence on our behalf has helped us to minimize the impact on our team. Kroll has become a key business partner for us.”
Next Steps
For more information about Kroll, visit www.krollfraudsolutions.com, or contact:
Shawn Melito
Director, Kroll Canada
70 University Avenue
Suite 200, Box #9
Toronto, Ontario, Canada
M5J 2M4
866.570.0942 ext. 5015
Additional Information
Kroll Fraud Solutions - Data Breach: What You Don't Know Can Hurt You
Kroll Fraud Solutions - Your Single Resource for Multiple Protection