Today s Speakers. Retailer Readiness Planning for Data Breaches 2/20/2014. DMA Members Only Briefing

Transcription

1 Retailer Readiness Planning for Data Breaches DMA Members Only Briefing We will begin at the top of the hour. You will not hear anything until then. Today s Speakers Xenia Senny Boone, Esq. SVP, Compliance & General Counsel, DMA Stuart Ingis, Esq. DMA General Counsel Partner, Venable LLP Milo Cividanes, Esq. Partner, Venable LLP 1

2 Discussion Points 1. DMA Guidelines: Be Prepared 2. Legally Speaking: What Leading Retailers are Doing 3. Self Assessment for Marketers 4. The Reality of Risk 5. Consumer Reaction & Complaints 6. The Legislative Agenda 7. Your Questions DMA GUIDELINES: BE PREPARED 2

3 DMA Task Force» Two years ago DMA Ethics Policy formulated a task force to review recent data breach issues and concerns particular to . DMA Guidelines» Article #37 Checklist» Marketer is at the epicenter, should own the issue, break down silos.» Have a written data security policy in place.» Get training to protect pii» What about BYD? 3

4 DMA Guidelines» Periodic monitoring» Contracts be aware and require data security within agreements» Be proactive and establish a plan now.» Who is the appropriate law enforcement contact should a breach occur? DMA Guidelines» For marketers use authentication protocols (SPF, DKIM, DMARC ) to reduce spoofed s.» For sensitive data extra precautions needed.» Be sensitive to consumers and have a communications plan in place for breach. 4

5 More Advice» Be prepared: build local, state, federal, forensics team ahead of time» Monitor and analyze log data data breaches can be discovered there.» Segment and isolate networks based on business function marketers using social networks need to ensure they understand the limits and limit sensitive data via social DMA Guidelines» Marketer: Know your third parties» Third Party: Do you know what steps to take if your client was in a breach? Impacts, other clients?» Bottom line: Reduce and mitigate always a risk, greater now in the digital economy. 5

6 LEGALLY SPEAKING: WHAT LEADING RETAILERS ARE DOING Response Planning 1. Don t Assume You Know What s Required More than 46 States, D.C., and territories have breach notification laws, each with their own requirements. Each breach event can offer unique challenges you didn t see coming. 2. Plan Ahead Identify a team before a breach Lower costs of breach response Minimize risk of adverse consequences regulatory enforcement actions, lawsuits 6

7 Developing an Incident Response Plan 1. Purpose of the plan is to facilitate a prompt and coordinated response: Prompt investigation of the incident; Detection and prevention of ongoing activity; Restoration of systems security and integrity; Prevention of the reoccurrence; Notification and engagement of departments within the company; Notification of external parties affected by the incident, if any, such as customers, associates, or credit card companies; Notification of state or federal regulatory agencies, if required; Notification of and cooperation with law enforcement officials, if deemed necessary; and Prompt disclosure or financial reporting if required by federal or state securities laws. Developing an Incident Response Plan 1. Elements of the Plan Ordinary remediation for security breach, plus... Identification/assemble a team that will deal with incidents Investigation Evaluation assess whether a reportable breach has occurred Notification Education train employees to report incidents and train team re: plan implementation 7

8 Data Breach Response Timeline Sprinting A Marathon Triage Get Team Forensic Analysis Legal Analysis Contact FBI, Clients, PCI, Vendors Identify Consumers Hire Mailing Services Hire Call Center Support Draft Letters & Scripts Print & Mail Letters Incident Response Team Outside Security Experts Outside Counsel In-House Counsel In-House IT/Security Compliance Incident Response Business Unit Client, Media, Gov t Relations 8

9 Triage: The First 72 Hours 1. Execute Your Plan Assemble your incident response team Contact insurer 2. Respond to the Incident Preserve the evidence Identify the compromised data Assess legal obligations SELF ASSESSMENT FOR MARKETERS 9

10 Where do You Stand? 1. What are your current plans? Do you have a team identified? Have you reviewed potential notification requirements for your organization? Are there clear lines of communication between departments? Do you currently train employees about their data security duties? 2. Where is your data? Third parties that process your data? Current state of network and POS security monitoring? THE REALITY OF RISK 10

11 Are you at Risk of a Breach? 1. High profile breaches of retailers have made headlines over the past few months. 2. One report found 621 confirmed data breaches in Retailers represented 21.7% of network based breach incidents in Outside attacks represent the biggest threat 3. Point-of-Sale ( POS ) systems remain a key vulnerability. POS systems are a required part of doing business, but they also open paths to attackers. 4. The risk is real, and could impact retailers of all sizes. Potential Costs of a Breach 1. Financial The average cost of a data breach in 2012 was estimated at $5.4 million per breach in the United States. 2. Reputation Consumer good will, employee relations, even stock price 3. Litigation Cases filed for inadequate security, negligence, etc. 4. Regulatory investigations, civil penalties, consent decrees 11

12 CONSUMER REACTION Consumers» Types of hacker attacks from the DMA consumer files: -Phishing: user receives saying online account was compromised and asks for account information. -Malware: user clicks on links that contain malicious software. 12

13 THE LEGISLATIVE AGENDA Proposed Legislation 1. DMA is supportive of a federal breach notification law, and will continues to work towards its enactment. Currently 5 bills are pending in the Senate touching on data security and breach notification. They are: S.1193 (Toomey), S (Leahy), S (Carper/Blunt), S (Rockefeller) and S (Blumenthal) 2. Continue to promote the benefits of self-regulation for data security Updated DMA Guidelines for Ethical Business Practice include recommendations for the adoption of data security programs 13

14 YOUR QUESTIONS DMA Membership» All DMA Members agree to uphold the industry standards Ethical Business Guidelines Visit thedma.org/compliance» New! Retail Roundtables Small group, Issue-based knowledge-sharing events For your invitation, just Read the DMA Advance blog thedma.org/blog 14

15 Thank you! 15