Published by Jonas Simon. Modified over 8 years ago.
When, Not If, There Is a Cyber Security Breach, and the Issue of Cybersecurity Insurance
Presented by Davis Wright Tremaine LLP, T-Mobile USA, Inc., and Kroll
Panelists
- Christin McMeley, Partner, Davis Wright Tremaine LLP
- Christy Kunin, Director, Legal Affairs, T-Mobile
- Michael Quinn, Associate Managing Director, Kroll
- Sean Hoar, Partner, Davis Wright Tremaine LLP
Overview
- Building a Comprehensive Information Security Program: What is "Reasonable Security"?
- Incident Response Programs: Creating, Testing, and Putting the Plan into Action
- Cyber Insurance: Are You Covered?
Why plan for a breach?
- "Data breach report calls for race to catch up with hackers" (Law360)
- "House passes email privacy bill" (The Hill)
- "FTC wants piece of set-top privacy enforcement" (Broadcasting & Cable)
- "FCC proposes new privacy rules for ISPs" (TechCrunch)
- "US spy court judge dismissed privacy advocate's concerns about data use" (Los Angeles Times)
- "Why big data and privacy are often at odds" (TechRepublic)
- "US government data security is an embarrassment" (Network World)
- "Hackers breach law firms, including Cravath and Weil Gotshal" (Wall Street Journal)
- "What becomes of Facebook when people start to value privacy?" (Engadget)
- "Retailers battle financial sector over data breach legislation" (The Hill)
- "Passcodes, Privacy and Public Safety: Apple vs. DOJ" (New York Law Journal)
- "Uncertainty abounds in Europe's data privacy overhaul" (Wall Street Journal)
- "The CFPB issues first data security consent order" (Mondaq News Alerts)
Many Enforcers
Consistent Requirements
- Information Security Program
- Designated Administrator
- Risk Assessment
- Controls to Address Risks: Administrative, Technical, Physical
- Training
- Testing
- Oversight of Third-Party Service Providers
"Reasonable" Security: FTC
- Data Minimization / Limited Retention
- Access Control
- Secure Passwords & Authentication
- Secure Storage and Transmission
- Secure Remote Access to Network
- Security by Design
- Oversight of Service Providers
- Address Vulnerabilities
- Secure Physical Records and Devices
"Reasonable" Security: California
Excerpt from California Data Breach Report, Feb. 2016
"Reasonable" Security Practices: CA Focus
- Use multi-factor authentication to protect critical systems and data, AND make it available on consumer-facing online accounts that contain sensitive personal information.
- Consistently use strong encryption to protect personal information on laptops and other portable devices, and consider it for desktops.
- Encourage breach victims to place a fraud alert on their credit files when Social Security numbers or driver's license numbers are breached.
When Things Go Wrong…
Top Causes of Breaches
- Malware, hacking and other theft
- Lost or stolen devices
- Errors
Be Prepared
- 26%: Number of companies that don't have a written incident response plan.
- 47%: Number of companies that reported that they weren't sure if their plan was effective, or affirmatively felt that their plan was not effective.
- 78%: Number of companies that reported that their plan has either never been reviewed or updated, or there is no set schedule for conducting such a review.
Source: Ponemon Institute, "Is your company ready for a big data breach?" (Sept. 2014) at 8
Incident Response Plans
Computer Security Incident Handling Guide, NIST SP 800-61 Rev. 2
Your Incident Response Plan Should…
- Be developed and implemented before the breach
- Have support and endorsement from senior management
- Incorporate legal counsel to preserve privilege
- Assign specific leadership and investigative responsibilities
- Provide a clear internal escalation plan
- Address the need for preserving evidence and provide appropriate resources
Your Incident Response Plan Should… (cont.)
- Include internal and external communications plans for:
  - Employees
  - Consumers
  - Insurance carriers and other third parties
  - Law enforcement
  - Government officials
  - Media
BE PREPARED TO ADDRESS LEAKS!
Your Incident Response Plan Should… (cont.)
- Include provisions to identify and acquire resources necessary to respond
- Include contact information for internal resources and pre-approved external resources
- Be communicated:
  - Stakeholders should be trained to respond
  - All employees should be trained to identify and report incidents
- Be tested: perform a simulation / table-top exercise
Preparation: Incident Response Team
- Internal stakeholders: information security, legal, information technology, compliance, risk management, human resources, communications, media relations, more…
- External service providers: outside counsel, forensics firm, consumer notification provider, identity protection service provider, PR firm, customer support resources, localization
Tiered Response
Different responses for different levels of incidents.
- Sensitive Information Impact / Degree of Visibility: No Data at Risk; Incident May Lead to Risk to Data; Reasonable Likelihood of Risk to Data; Sensitive Information at Risk
- Disruptive Impact to Technology Systems: No Disruption; Low; Moderate; High; Critical
Address 1st- and 3rd-party (service provider) breach scenarios.
Cyber Insurance Can Mitigate Risk
- Data loss is now typically excluded from general liability policies.
- Do you have cyber insurance?
  - 35% of respondents in the Ponemon 2015 study had cyber insurance. (Ponemon Institute, "Third Annual Study: Is Your Company Ready for a Big Data Breach?" (Oct. 2015))
  - 63% of U.S. respondents in the 2015 PWC Global State of Information Security Survey said they had purchased policies last year.
How Can Cyber Insurance Help?
Designed to mitigate data breaches, business interruption, and network damage.
- First party:
  - Forensic investigation
  - Network/business interruption
  - Extortion
  - Data recovery
- Third party:
  - Privacy liability coverage
  - Regulatory actions
  - Notification costs
  - Crisis management
  - Call center / identity monitoring
  - Transmission of viruses / malicious code
Cyber Policies Continue to Evolve
What to look for:
- The relevant "retroactive" date
- "Sub-limits" on coverage amounts must match the risk
- "Sub-retentions" should not be set so high that they would almost never be reached
- The biggest risks should be covered (e.g., PCI fines, class actions, AG investigations)
- The most likely expenses should be covered (e.g., legal, forensic, credit monitoring / identity restoration)
- "Voluntary" notice to impacted individuals should be covered
- Know who your vendor responders are and whether all costs are covered
Detection and Analysis
Implement incident response plan:
- Initial assessment
- Work with in-house or outside counsel
- Notify broker/insurer
- Engage digital forensics examiner, if needed
- Preserve evidence
Detection and Analysis (cont.)
Implement incident response plan (cont.):
- Determine whether to engage law enforcement
- Identify notification obligations
- Determine whether services will be provided to affected consumers
- Draft notification letters and FAQs
- Create litigation hold
- Draft joint defense agreement with 3rd parties if necessary
Containment, Eradication, and Recovery
- Determine risk of continued operation
- Disable accounts and change passwords
- Isolate system
- Monitor system and network activities
Containment, Eradication, and Recovery (cont.)
- Verify backup systems
- Remove cause of incident
- Repair/replace hardware
- Replace/upgrade software
- Restore and monitor systems
State Data Breach Notice Requirements
- States with harm standard
- Consumer, regulator and other required notices sent
- Credit monitoring and/or identity theft restoration services provided
Post-Incident Activity
- Hold "Lessons Learned" session
- Write follow-up report
- Update Incident Response Plan, contractual provisions, etc.
- Remediate and take steps to prevent future similar incidents