1
Preparing for a Security Incident Response: Are You Compromise Ready?
Lynn Sessions, Esq. BakerHostetler @LynnSessions Blog: dataprivacymonitor.com
2
Topics
- Where are the threats?
- What is a “data breach”?
- Breach response
- Regulatory enforcement and litigation
- Preparation
3
Where are the threats?
Internal Threats
- Employee negligence: security failures, lost mobile devices
- Employee ignorance: improper disposal of personal information (dumpsters), lack of education and awareness
- Malicious employees
External Threats
- Hackers: malware, ransomware, phishing / spear phishing, social engineering
- Corporate espionage
- Vendors
- Political “hacktivists”: Anonymous, Guardians of Peace
4
Common Breach Scenario
- Will be an external attack involving hacking and the use of malware
- Vulnerability often created by a third-party vendor’s practices
- Breach may not be detected for months
- Entity learns of the breach from a third party (CPP report, law enforcement)
- Initial exploit relatively simple and avoidable
5
Victims by the Numbers (figure; adapted from Mandiant’s M-Trends Beyond the Breach: 2014 Threat Report)
6
Credit Card Skimming Devices (figure)
7
(figure) Source: Google, Behind Enemy Lines in our war against account hijackers (Nov. 2014)
8
A Simplified View of a Data Breach (flowchart)
Stages:
1. Discovery of a Data Breach
2. Evaluation of the Data Breach
3. Managing the Short-Term Crisis
4. Handling the Long-Term Consequences
Triggering event: theft, loss, or unauthorized disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable.
Elements of the response and its consequences:
- Forensic Investigation and Legal Review
- Notification and Credit Monitoring
- Class-Action Lawsuits
- Regulatory Fines, Penalties, and Consumer Redress
- Public Relations
- Reputational Damage
- Income Loss
9
What is a Data Breach?
Actual release or disclosure of information to an unauthorized individual / entity that relates to a person and that:
- May cause the person inconvenience or harm (financial / reputational): names, home addresses, email addresses, usernames, passwords, family-member information, etc.
- May cause inconvenience or harm to your patients, employees or business partners (financial / reputational):
  - Information that relates to patients (see above)
  - Information that relates to current / former employees and applicants
  - Information relating to internal matters (business plans, employment disputes, union negotiations)
- Paper or electronic
10
Compliance Complexity (diagram)
- PCI-DSS
- HIPAA
- HITECH
- State privacy laws (e.g. TX, CA)
- Industry self regulation
- FTC
- GLBA
- State breach notification laws
- International data protection (e.g. EU, Canada)
- SEC disclosure guidance
11
State Laws
- 47 states, D.C., & U.S. territories
- Laws vary between jurisdictions
- Varying levels of enforcement by state attorneys general
- Limited precedent: What does “access” mean? What is a reasonable notice time?
12
Virginia (Access + Acquisition)
- Two separate statutes:
  - Medical Information Notification Statute – applies to state-funded or state entities and excludes HIPAA covered entities from statute requirements.
  - Personal Information Notification Statute (below)
- Breach of the Security of the System is the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.
- Personal information is name in combination with and linked to any one or more of the following (unredacted or unencrypted): (1) Social Security number; (2) driver’s license or state identification card number issued in lieu of a driver’s license number; or (3) financial account number, or credit card or debit card number, in combination with any security code, access code or password that would permit access to the resident’s financial account.
- Good faith exception
- Notice must be provided to the affected residents and the Attorney General.
- HIPAA covered entities are exempt from the notice requirements of the statute through a primary federal regulator exemption.
- The Office of Attorney General can impose a civil penalty for breaches (up to $150,000).
13
North Carolina (Access + Acquisition)
- Security breach is an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing PI (whether computerized, paper, or otherwise) where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.
- Personal information is a person’s first name or first initial and last name in combination with “identifying information,” including: SSN; driver license number; account number, credit card number, debit card number, PIN, biometric data, or fingerprint.
- Notice to affected individuals must include: a description of the incident, the PI affected, and remedial measures taken; a phone number for more information, if applicable; advice that directs the person to “remain vigilant” by reviewing account statements / credit reports; contact information for consumer reporting agencies; contact information for the Federal Trade Commission and the NC AG’s office along with the statement that the individual can obtain information from these sources about preventing identity theft.
- Notify the Office of Attorney General; the AG’s expectation is to be notified within 2-3 weeks.
- A violation of the statute can be prosecuted under North Carolina’s unfair methods of competition and unfair or deceptive practices act. This may include a civil penalty against the defendant of $5,000 per violation.
- No private right of action by an individual unless the individual is injured as a result of a violation of the statute. Treble damages are available.
14
Decisions, Decisions, Decisions
- Is it a breach?
- Do you involve law enforcement?
- Do you hire a forensics company?
- Do you retain counsel?
- Do you involve regulatory agencies?
- Is crisis management necessary?
- Do you offer credit monitoring?
- Do you get relief from a “law enforcement” delay?
15
Communications Strategy
Target: speaking too soon and on the fly
- Dec. 20, 2013: Initial notice indicated that the breach affected card data (no PINs) of 40 million
- Dec. 27, 2013: PINs captured
- Jan. 10, 2014: Personal information of 70 million customers taken
16
17
(sample notification letter) “I am notifying you of this loss because approximately 4,676 patient records were included on the external backup drive, and I believe some of your records might have been among those on this drive.” “Again, I sincerely apologize for this considerable inconvenience.”
18
(sample notification letter) “We hope this letter finds you well. We are writing to inform you that on May 19, 2014, our office was broken into and many items were stolen, including three desktop computers.” “Significantly and fortunately, no social security numbers, dates of birth, financial information, contact information nor medical conditions were listed.”
19
What Will the Entity Encounter?
- Initial public disclosure before you are ready
- Forensic investigation
- Media & customer inquiries
- Regulatory inquiries
- Operational challenges
- Decisions on public statements
- State breach notification law analysis
- Law enforcement
- Consumer class actions
- Issuing bank lawsuits
- Card network fines / assessments
- D&O lawsuits
- System remediation and revalidation
- Reporting of impact
- Regaining customer trust
20
Respond
- Respond quickly
- Bring in the right team
- Preserve evidence
- Contain & remediate
- Let the forensics drive the decision-making
- Law enforcement
- Document analysis
- Involve the C-suite
- Be guarded, consistent, and honest in communications
- Plan for the likely reaction of customers, employees, & key stakeholders
- Mitigate harm
21
Prepare
- Cyber liability insurance
- Written information security policy
- Incident response plan
- Training & education
- Identify & mitigate risk
- Manage vendors
22
Information Security & Privacy Insurance: Coverages
Legal Liability Coverages
- Legal liability coverage (defense costs and damages) for “theft, loss or unauthorized disclosure” of information
- Regulatory defense & penalties
- Payment Card Industry fines and penalties
Breach Response Expenses
- Legal counsel
- Computer forensics
- Public relations
- Notification costs
- Credit monitoring
First Party Coverages
- Cyber extortion
- Data restoration
- Business interruption
23
Information Security & Privacy Insurance: ‘Cyber’ Insurance is more than indemnification
- Clients often have very little experience with data breach issues.
- Breach response can be complex and time consuming.
- What do insureds that incur a data breach want? To put it behind them so they can get back to business!
- Top breach response insurers have handled thousands of incidents and are prepared to provide guidance and direction to an insured.
- It’s not the fact that you had a breach that is important; it is how you handle the breach that matters.
24
Become “Compromise-Ready”
- Incident response tabletop exercises
- Security assessments
- Understand where assets and sensitive data are located
- “Reasonable security”
- Detection capabilities: technology, personnel
- Threat information gathering
- Ongoing diligence
25
What are regulators looking at?
- Transparency
- Risk assessments
- Encryption
- Business Associate Agreements (health care) / vendor agreements
- Minimum necessary (health care)
- Documentation of breaches
- Policies and procedures
- Old data
- Prompt and thorough investigation
- Good attitude & cooperation (commitment to compliance and safeguarding PII)
- Appropriate and prompt notification
- Remediation and mitigation
Regulators look beyond the breach incident and look at information security enterprise-wide.
26
Litigation
Common theories of harm:
- Increased risk of identity theft
- Time and effort to monitor / fix credit
- Emotional distress
- Personal information as property
- Invasion of privacy
- Breach of contract
- Breach of fiduciary duty
- Negligence
- Unfair, deceptive and unlawful business practices
- Defamation, libel, and slander
- Unjust enrichment
27
Conclusions: Not “if” but “when”
- Information exists in multiple formats throughout an organization
- Information is subject to multiple forms of loss
- The costs of a data breach event may be significant: notification costs, credit monitoring expenses, defense costs, cost of settlements or judgments
- The assistance and guidance of a trusted partner may be more valuable
- Costs are generally not covered by traditional insurance
- Information security & privacy liability insurance is available as a specialty coverage
28
Questions?