
Your Data's Been Breached - What Do You Do Now?

heathriel
August 23, 2017

Transcript

  1. #pubcon
    Your Data’s Been Breached –
    What Do You Do Now?!?!

  2. #pubcon
    About Me
    #Me:
    • CTO, ROCeteer
    • Early Employee at Evernote & Spirit Airlines
    • International Executive Coach, Advisor, TEDx
    Speaker, Presenter and Author
    • Coach, Mentor and Advisor for Universities,
    Entrepreneurial Ecosystems, Incubators and
    Accelerators
    • 2016 Top Writer, Quora
    • 2015 & 2016 Mentor/Coach and Female
    Executive of the Year

  3. #pubcon
    Everyone Gets Hacked, Eventually

  4. #pubcon
    Drill Time!
    It’s Friday at 5 before a holiday weekend….
    Phone rings – “We’ve had a breach!”
    Panic ensues - Nobody is completely sure what
    happened.

  5. #pubcon
    The Situation
    Hacker impersonates your company’s CEO and sends
    an email to the CFO requesting that she immediately
    be sent employee W-2s, and various customer
    information.
    Your company’s CFO responds as directed sending
    the requested information, only finding out later
    that something was wrong.

  6. #pubcon
    Primary Concerns
    Understanding What Happened
    Containing the Breach
    Legal Compliance
    Customer Relations

  7. #pubcon
    Pull Out Your Playbook!
    Responding to a data breach incident can present
    unique challenges:
    Significant potential exposure
    Quickly evolving facts
    Short response times
    A thorough and timely response is virtually
    impossible absent advanced planning.

  8. #pubcon
    Quiz Time!
    First Steps
    1. Contact the authorities
    2. Contact your legal counsel
    3. Turn off your systems
    4. Contact your PR firm
    5. Retain an external forensic consultant/expert
    6. Inform your data breach response team

  9. #pubcon
    When Notifying Your Team
    Notify those in your organization of the incident who
    need to know.
    • Not every incident constitutes a breach that would lawfully
    require notification.
    • Note the date and time of the discovery of the incident.
    • Be aware that internal communications could be discoverable
    - be very careful what you say and how you say it.

  10. #pubcon
    What You Need
    Data Breach Incident Response Team – varies by breach but can
    include:
    An executive with decision making authority
    A team leader responsible for handling the overall data breach
    response (deals with counsel, IT consultants, coordinates PR, etc.)
    Internal security and IT personnel with access to systems and
    permissions
    Legal (inside and outside counsel) – preserve privilege!
    Public Relations (internal and possibly external)
    External forensics advisors
    HR (if employees affected)
    Finance (breaches involving loss of financial information)

  11. #pubcon
    Quiz Time!
    Second Steps
    1. Turn off your systems
    2. Notify state authorities
    3. Secure and preserve evidence
    4. Analyze the breach
    5. Contact your PR firm
    6. Contact insurance carrier

  12. #pubcon
    Securing the Scene
    Secure and prevent physical access to affected systems
    • Preserve computer logs
    • If vendor caused the breach - request retention and copies of
    relevant evidence, e.g., forensic server images; logs; tracking
    information; video surveillance; e-mail
    Await forensics team advice and…
    • Do not probe system and alert intruders
    • Leave affected systems running so evidence in temporary memory
    is preserved (may recommend imaging system, leave this to the
    experts!)
    • Avoid running antivirus programs – may destroy evidence

  13. #pubcon
    Getting Answers
    Investigate the breach to determine what type of data was involved,
    the circumstances, and how many people are affected.
    • Carefully plan/strategize the investigation before you begin.
    • Document the steps and findings.
    • Date and time of breach
    • Who discovered the breach
    • Nature of the breach
    • Data taken or compromised
    Employee interviews may be appropriate (a high percentage of
    breaches are by employees)
    • Employees who had access to affected systems
    • Employees terminated within the last 90-120 days
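    The "Securing the Scene" and "Getting Answers" slides both come down to the same practical task: copy the logs before anything touches them, and record what was collected, by whom and when. The helper below is an added example written for this transcript, not code from the deck or its author. It snapshots the files you name into an evidence directory, makes each copy read-only, writes a manifest with a SHA-256 per file, and can later re-verify the copies; the file paths, the collector name and the `CASE-PLACEHOLDER` case id are assumed placeholders, and the sample log line in the main block is constructed.

```python
"""Evidence preservation helper (added example, not the deck's own code).

Snapshot log files into an evidence directory with a SHA-256 manifest so a
later reviewer can prove the copies are unchanged since collection.
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, evidence_dir, collector, case_id):
    """Copy each source file into evidence_dir, make the copy read-only and
    record its hash, size and original mtime plus who collected it and when.
    Returns the manifest dict (also written to evidence_dir/manifest.json)."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in sources:
        src = os.path.abspath(src)
        # Flatten the original path into a unique file name in the evidence dir.
        dest_name = src.strip(os.sep).replace(os.sep, "__")
        dest = os.path.join(evidence_dir, dest_name)
        shutil.copy2(src, dest)          # copy2 keeps the original timestamps
        os.chmod(dest, 0o444)            # read-only: evidence is never edited in place
        st = os.stat(src)
        items.append({
            "original_path": src,
            "evidence_file": dest_name,
            "sha256": sha256_file(dest),
            "size_bytes": st.st_size,
            "original_mtime_utc": datetime.fromtimestamp(
                st.st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "case_id": case_id,                      # placeholder, assign your own
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Recompute the hash of every item in the manifest and return the list
    of evidence file names that no longer match (an empty list means intact)."""
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as fh:
        manifest = json.load(fh)
    tampered = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["evidence_file"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            tampered.append(item["evidence_file"])
    return tampered


if __name__ == "__main__":
    import tempfile
    # Constructed sample log; a real collection points at the real log files.
    work = tempfile.mkdtemp()
    log = os.path.join(work, "mail.log")
    with open(log, "w") as fh:
        fh.write("2017-08-18T16:55:02Z smtp to=<cfo@example.test> subject=W-2s\n")
    evidence = os.path.join(work, "evidence")
    m = preserve_evidence([log], evidence, "on-call IR lead", "CASE-PLACEHOLDER")
    print(json.dumps(m, indent=2))
    print("tampered:", verify_evidence(evidence))
```

The manifest is the chain-of-custody record the slide asks for: it answers "what was taken, by whom, when" for the collection itself, and `verify_evidence` lets counsel or an external forensics team confirm nothing changed between collection and analysis. Run it against the real logs only after the forensics team has agreed on the collection order; it copies files, it does not image memory.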

  14. #pubcon
    Protecting The Bottom Line
    The demand for cyber insurance has increased significantly in
    response to sharply heightened risk awareness.
    • Cyber insurance is a developing product; no standard forms in
    relation to data breach coverage
    • Network security risks
    • Media liability risks, which covers claims related to slander, libel
    and defamation
    • Extortion liability
    • Business interruption costs

  15. #pubcon
    Quiz Time!
    Third Steps
    1. Contact state authorities
    2. Contact federal authorities
    3. Contact your PR firm
    4. Report credit card breaches to credit card companies
    5. Analyze legal obligations
    6. Notify customer and/or employees potentially impacted
    Assuming personal information has been
    disclosed then….

  16. #pubcon
    Should You Report It?
    State Authorities: Determine which states’ laws apply
    • Time-Sensitive Notification: States have differing requirements on when and how
    notifications must be sent out to individuals.
    • Risk of Harm Analysis: Some states allow for exceptions to their notification
    requirements upon an assessment of the risk of harm to the affected individuals.
    • Encryption Safe Harbor: States have different laws affecting the definition of a breach
    and the notification requirements based on whether the data was encrypted.
    • Private Cause of Action: Some states explicitly allow for a private cause of action
    resulting from a data breach; others explicitly exclude such a cause of action from their
    statutes.
    • Paper or Electronic: States also differ as to whether their laws affect only electronic
    materials, paper materials, or both.
    Federal Authorities
    GDPR - EU Residents

  17. #pubcon
    Remediation
    Assistance to Affected Customers and Employees
    May want to offer at company’s expense:
    • Credit monitoring services
    • Identity theft services
    • Other
    Public Relations will depend upon the nature and scope of breach
    • Engage PR firm?
    • Client PR team only?
    • Business decision, but PR needs to work with legal to avoid
    admissions against interest, loss of privilege, etc.

  18. #pubcon
    Public Inquiry
    Public inquiry response – response plan and response team
    May receive numerous inquiries from the public and affected
    individuals
    Toll-free number or email address for inquiries
    Train call center employees or outsource to service provider
    Website FAQs

  19. #pubcon
    Legal Issues
    Disputes between controllers and processors
    May come down to the language of the processing agreement
    Issues can involve processor’s obligations to cover the controller’s costs
    Legal fees, data breach remediation, costs of notification,
    forensic consultants and other consultants
    Agreements may be silent on these issues or contain limitations on liability that
    affect ability to recover
    The process of dispute resolution can be a long and ongoing process
    Credit Card Company Agreements
    • May impose liability for the breach
    • May require PCI-certified forensic analyst and report
    Insurance Coverage Disputes

  20. #pubcon
    Summary
    • Current knowledge on tools, standards, risks
    Have a CISO or single name for data security
    Regular penetration testing
    Investigate network warnings immediately
    • Build security around obligations, risks and types of data
    Log what goes out and what comes in
    Internal Encryption
    Segmented System
    Access Management
    • Appropriate budget for security
    • Pre-planning for incidents/breaches
    • Appropriate, and regular training

  21. #pubcon
    Remember...
    ...the ability to Transcend Awesome awaits :)
    [email protected]
