21St CeNtUrY CrISIS: PREPARING FOR AND RESPONDING TO THE INEVITABLE DATA BREACH. A Step-by-Step Guide for Any Organization

Transcription

1 21St CeNtUrY CrISIS: PREPARING FOR AND RESPONDING TO THE INEVITABLE DATA BREACH A Step-by-Step Guide for Any Organization

2 TABLE OF CONTENTS Foreword. Chapter 1: Introduction... Privacy and Data Security Best Practices... Costs of a Data Breach... Incident Preparedness Process Overview... Chapter 2: Getting the Board On Board... Enhancing the Board s Cyber Risk Oversight... Board Preparedness... Data Security Incident Preparedness Questionnaire... Chapter 3: Building an Incident Response Team... Internal Incident Response Team... Guidance for Selecting Internal IRT Members... Incident Response Teams for Small Organizations... Identifying Response Capabilities and the External Team... Establishing Relationships with Regulators and Law Enforcement... Chapter 4: Training Employees to Identify and Report Data Security Incidents... Types of Incidents to Report... Handling Initial Communications... Chapter 5: Preparing an Incident Response Plan... Purpose... Benefits... Response Plan Considerations... Components of an Effective Plan... Chapter 6: Incident Response Phases... Detection and Analysis... Incident Prioritization. Containment... 1 eplace Solutions, Inc. 2015

3 Eradication and Recovery... Preserving Evidence and Documenting an Incident... Post Incident Activity.. Chapter 7: Communication Plan... Communications Procedure... Audiences... Messaging... Spokesperson... Media Training... Collateral Material... Chapter 8: Notification Plan... State Regulatory Considerations... Federal, Contractual, and Industry-Specific Considerations... The Importance of a Breach Coach... The Notification Process... Notification Best Practices... Chapter 9: Call Center and Customer Support Plan... Considerations for Third Party Call Centers... Preparation of FAQs... Logistical Considerations... Chapter 10: Remediation Plan for Affected Persons... Determining Whether to Offer Protection to Affected Persons... Evaluating Appropriate Protection to Remediate Harm... Chapter 11: Testing the Plan... Preparation... Documenting Lessons Learned... Best Practices for an Effective Exercise... Sample Breach Scenarios... Healthcare-Specific Breach Scenarios... 2 eplace Solutions, Inc. 2015

4 Chapter 12: Utilizing Technology and Other Resources to Defend Against, Detect, and Recover from Incidents... Intrusion Detection Systems and Traffic Monitoring... Backup and Recovery. Information Sharing Resources... Chapter 13: Mitigating Risks with Cyber Insurance... Benefits of Cyber Insurance... Recommendations for Buying Cyber Insurance... Insurance Best Practices... Chapter 14: Industry-Specific Considerations... Retail and Organizations Accepting Payment Cards... Healthcare Organizations... Financial Institutions. Appendix A: Sample Information Security Incident Reporting Policy... Appendix B: Sample Incident Reporting Guidance for Supervisors and Managers... Appendix C: Information Security Incident Reporting Procedures... Appendix D: Sample Information Security Incident Response Policy... Appendix E: Sample Information Security Incident Response Plan... Exhibit A: Internal Incident Response Team Contacts... Exhibit B: External Incident Response Team and Resources... Exhibit C: Information Security Incident Response Checklist... Exhibit D: Information Security Incident Response Flowchart... Exhibit E: Information Security Incident Report Form... Appendix F: Sample Exercise Evaluation Form... Glossary... Additional Resources... 3 eplace Solutions, Inc. 2015

5 NOTICE: This work is protected by the copyright laws of the United States and foreign countries. No part of this work may be produced or used in any other format, in any other form, or by any other means than this printed publication without the express written permission of eplace Solutions, Inc. Additional copies are available from Advisen, Ltd. This publication is designed to provide general information in regard to the subject matter covered. This publication is provided with the understanding that the publisher is not engaged in rendering legal, accounting, insurance, or other professional services. If legal, accounting, insurance or other professional services are required, the services of an independent professional should be sought. NOTE: Nothing in this publication should be considered legal advice, and it is not a substitute for your own judgment and legal consultation. Privacy and data breach notification laws change frequently. Consult a qualified privacy and data security lawyer to assist with implementation. This book is provided as is, with all faults, without warranties of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. 4 eplace Solutions, Inc. 2015

6 AUTHOR: eplace Solutions, Inc. WRITERS: Lara Forde, Esq. is a licensed attorney and Certified Information Privacy Professional (CIPP/US). As a Privacy and Data Security Advisor for eplace Solutions, Inc., Ms. Forde helps organizations mitigate risks through counseling regarding data breach prevention and response, employee training, and developing incident response plans designed to minimize the costs and harm from a data breach. Ms. Forde is also a frequent speaker on data breach preparedness and response. Prior to joining eplace, managed a data breach response team which handled many of the largest U.S. data breaches to date. Randall J. Krause, Esq. is the president and CEO of eplace Solutions, Inc., an attorney, and a Certified Information Privacy Professional (CIPP/US). Prior to co-founding eplace, Mr. Krause engaged in a national law practice. He is an active member of the California and Michigan bars. Mr. Krause is the co-founder and current partner of the Privacy Law Group, a boutique law firm that provides advice to clients throughout the United States on data privacy/security matters. A frequent speaker on data privacy and employment topics, Mr. Krause regularly conducts data breach workshops for large entities across the nation. William Ewy is a Certified Information Privacy Professional (CIPP/US). As the Privacy and Data Security Practice Manager at eplace Solutions, Inc., Mr. Ewy is responsible for the overall operation of eplace s cyber risk management services. A key part of his role is providing clients access to accurate and useful information that helps them prevent privacy and data security incidents. Prior to joining eplace, Mr. Ewy was an International Privacy Manager for a Fortune 500 company and gained significant international business experience during his twenty years working in Asia. eplace Solutions, Inc. Founded in 1999, eplace Solutions, Inc. delivers cyber security, human resources/employment practices liability, and director and officer risk management and loss mitigation services to over 50,000 organizations. eplace s pre-breach cyber risk management services are used by organizations of all sizes and industries, including Fortune 500 companies, healthcare organizations, financial institutions, educational institutions, and governmental entities. 5 eplace Solutions, Inc. 2015

7 ACKNOWLEDGMENTS eplace Solutions, Inc. extends its thanks and appreciation to Melis Jackob, Senior Cyber Security Consultant at eplace Solutions, and Suzzanne Ravitz, Marketing Manager at eplace Solutions. Mr. Jackob contributed to the technical content, and Ms. Ravitz provided significant editorial assistance. eplace Solutions would also like to thank David Bradford and Advisen Ltd. for their contributions and data regarding the costs of a data breach, and Alisa Schulz who edited the book. A special acknowledgement also goes to the following individuals who contributed to the book: Melanie Thomas, CEO and Managing Director of Inform, LLC, contributed to the communications chapter of the book. Ms. Thomas has over 25 years of experience in marketing and communications. Her experience transcends traditional communications, with expertise in strategy, media relations, crisis communications and integrating new media tools to leverage exposure for her clients. Ms. Thomas started Capitol Communications (now Inform) over a decade ago to meet the growing need for highly specialized public relations talent in Washington, D.C. The firm now has nearly a dozen communications veterans, each with over 20 years of experience. Melissa Ventrone, Chair of Wilson Elser s Data Privacy & Security practice, contributed to the notification chapter of the book. Ms. Ventrone advises a wide range of clients on identifying and managing risks associated with data privacy and security under federal, state and international laws. She also serves as a first responder for situations involving use or misuse of computers and other devices. When assisting a client with a potential breach, Ms. Ventrone and her team of first responders are able to quickly mobilize the assets necessary to effectively respond to the breach. Among her many leadership roles, she has served in several key positions in the Marine Corps Reserve, including Company Commander for a 200-person unit, Executive Officer for a 329-person company forward deployed to Afghanistan, and most recently Operations Officer for a 1,000-person motor transport battalion. 6 eplace Solutions, Inc. 2015

8 FOREWORD I n recent years, privacy and data security breaches resulting from simple record exposure and stolen laptops have given way to complex, aggressive, and oftentimes sustained cyber attacks. Motivations range from criminal cyber gangs seeking identities to sell on the dark web, to geopolitical battles among nation-states looking for intelligence and a presence on utilities and banking networks to exact future war, and corporate espionage where intellectual property is the great currency. Data breach response procedures have become thoroughly developed, debated, rehearsed, branded, and marketed to businesses as a critical enterprise risk tool. But, as data breaches and cybersecurity attacks have grown in numbers and complexity, it has become obvious to many of us that many organizations lack basic data breach preparedness. Time and again, we have seen both large and small organizations bungle responses to data breaches and cybersecurity attacks. The problem is not lack of money, or intellectual capital, or access to the leading legal, forensics, communications, or notification experts. The problem is lack of advance planning. Data privacy, breach, and cybersecurity awareness must be enterprise-wide initiatives, from the boardroom to the mailroom, with deep, and thorough understanding among every employee, contractor, business partner, vendor, and intern. Begin with regular risk assessments that include actionable recommendations. Build the best security apparatus available on the market and continue to make improvements. Have outside experts assess and build a data privacy program, with procedures, roles, messaging, media training, and a contingency plan. Train your employees regularly so the response develops muscle memory. The success, maybe even the survival of your organization depends upon your data privacy program. You don t have to lead from behind. It is time to get ahead of the game. Melanie Dougherty-Thomas, Inform LLC 7 eplace Solutions, Inc. 2015