Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Your Data's Been Breached - What Do You Do Now?

August 23, 2017

Your Data's Been Breached - What Do You Do Now?


August 23, 2017

More Decks by heathriel

Other Decks in Technology


  1. #pubcon About Me #Me: • CTO, ROCeteer • Early Employee

    at Evernote & Spirit Airlines • International Executive Coach, Advisor, TEDx Speaker, Presenter and Author • Coach, Mentor and Advisor for Universities, Entrepreneurial Ecosystems, Incubators and Accelerators • 2016 Top Writer, Quora • 2015 & 2016 Mentor/Coach and Female Executive of the Year •
  2. #pubcon Drill Time! It’s Friday at 5 before a holiday

    weekend…. Phone rings – “We’ve had a breach!" Panic ensues - Nobody is completely sure what happened.
  3. #pubcon The Situation Hacker impersonates your company’s CEO and sends

    an email to the CFO requesting that she immediately be sent employee W-2s, and various customer information. Your company’s CFO responds as directed sending the requested information, only finding out later that something was wrong.
  4. #pubcon Pull Out Your Playbook! Responding to a data breach

    incident can present unique challenges: Significant potential exposure Quickly evolving facts Short response times A thorough and timely response is virtually impossible absent advanced planning.
  5. #pubcon Quiz Time! First Steps 1. Contact the authorities 2.

    Contact your legal counsel 3. Turn off your systems 4. Contact your PR firm 5. Retain an external forensic consultant/expert 6. Inform your data breach response team
  6. #pubcon When Notifying Your Team Notify those in your organization

    of the incident who need to know. ØNot every incident constitutes a breach that would lawfully require notification. ØNote the date and time of the discovery of the incident. ØBe aware that internal communications could be discoverable - be very careful what you say and how you say it.
  7. #pubcon What You Need Data Breach Incident Response Team –

    varies by breach but can include: An executive with decision making authority A team leader responsible for handling the overall data breach response (deals with counsel, IT consultants, coordinates PR, etc.) Internal security and IT personnel with access to systems and permissions Legal (inside and outside counsel) – preserve privilege! Public Relations (internal and possibly external) External forensics advisors HR (if employees affected) Finance (breaches involving loss of financial information)
  8. #pubcon Quiz Time! Second Steps 1. Turn off your systems

    2. Notify state authorities 3. Secure and preserve evidence 4. Analyze the breach 5. Contact your PR firm 6. Contact insurance carrier
  9. #pubcon Securing the Scene Secure and prevent physical access to

    affected systems • Preserve computer logs • If vendor caused the breach - request retention and copies of relevant evidence, e.g., forensic server images; logs; tracking information; video surveillance; e-mail Await forensics team advice and… • Do not probe system and alert intruders • Leave affected systems running so evidence in temporary memory is preserved (may recommend imaging system, leave this to the experts!) • Avoid running antivirus programs – may destroy evidence
  10. #pubcon Getting Answers Investigate the breach to determine what type

    of data involved, circumstances involved, how may people are affected. • Carefully plan/strategize the investigation before you begin. • Document the steps and findings. • Date and time of breach • Who discovered the breach • Nature of the breach • Data taken or compromised Employee interviews may be appropriate (a high percentage of breaches are by employees) • Employees who had access to affected systems • Employees terminated within the last 90-120 days
  11. #pubcon Protecting The Bottom Line The demand for cyber insurance

    has increased significantly in response to sharply heightened risk awareness. • Cyber insurance is a developing product; no standard forms in relation to data breach coverage • Network security risks • Media liability risks, which covers claims related to slander, libel and defamation • Extortion liability • Business interruption costs
  12. #pubcon Quiz Time! Third Steps 1. Contact state authorities 2.

    Contact federal authorities 3. Contact your PR firm 4. Report credit card breaches to credit card companies 5. Analyze legal obligations 6. Notify customer and/or employees potentially impacted Assuming personal information has been disclosed then….
  13. #pubcon Should You Report It? State Authorities: Determine which states

    laws apply Ø Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent out to individuals. ØRisk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment of the risk of harm to the affected individuals. ØEncryption Safe Harbor: States have different laws affecting the definition of a breach and the notification requirements based on whether the data was encrypted. ØPrivate Cause of Action: Some states explicitly allow for a private cause of action resulting from a data breach; others explicitly exclude such a cause of action from their statutes. ØPaper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials, or both. Federal Authorities GDPR - EU Residents
  14. #pubcon Remediation Assistance to Affected Customers and Employees May want

    to offer at company’s expense: ØCredit monitoring services ØIdentity theft services ØOther Public Relations will depend upon the nature and scope of breach ØEngage PR firm? ØClient PR team only? ØBusiness decision, but PR needs to work with legal to avoid admissions against interest, loss of privilege, etc.
  15. #pubcon Public Inquiry Public inquiry response – response plan and

    response team May receive numerous inquiries from the public and affected individuals Toll-free number or email address for inquiries Train call center employees or outsource to service provider Website FAQs
  16. #pubcon Legal Issues Disputes between controllers and processors May come

    down to the language of the processing agreement Issues can involve processor’s obligations to cover the controller’s costs Legal fees, data breach remediation, costs of notification, forensic consultants and other consultants Agreements may be silent on these issues or contain limitations on liability that affect ability to recover The process of dispute resolution can be a long and ongoing process Credit Card Company Agreements ØMay impose liability for the breach ØMay require PCI-certified forensic analyst and report Insurance Coverage Disputes
  17. #pubcon Summary ØCurrent knowledge on tools, standards, risks Have a

    CISO or single name for data security Regular penetration testing Investigate network warnings immediately ØBuild security around obligations, risks and types of data Log what goes out and what comes in Internal Encryption Segmented System Access Management ØAppropriate budget for security ØPre-planning for incidents/breaches ØAppropriate, and regular training