Cybersecurity
Shamoil T. Shipchandler
Partner, Bracewell & Giuliani LLP
214.758.1048
October 7, 2014

Setting expectations
  Are you susceptible to a data breach?

Setting expectations
  Victim
  Perpetrator

It's only a matter of time
  [Pie chart: Breach Types, 2007 through 2013 (4215 breaches). Categories: insider theft, hacking, accidental exposure or negligence, subcontractor. Values shown: 14%, 17%, 42%, 27%.]

Breach trends (2005 to today)
  Financial Institutions
  Retail (B&M and ecommerce)
  Healthcare
  Higher Education
  Governmental Entities
  Defense and Aerospace
  Technology
  Energy/Utilities
  All employers

Part I: Cybersecurity and data breach law

Part II: What you should do right now

Get the management on board
  Ensure focus on cybersecurity
  Provide oversight of the risk management process
  Identify and empower experts
  Include cybersecurity as a regular agenda item

Create an information security plan
  Why?
  Minimize employee-related breaches
  Reduce overall exposure
  Reductions for CISO, information security program, strong security
  Legally important

Create an information security plan
  Designate a lead
  Conduct a systems assessment
  Implement a security program (include visual hacking measures)
  Policies and training
  Consider cyber insurance
  Review third-party contracts

Create and implement a crisis response plan
  Create your crisis response team
  Think dress rehearsal versus the show
  Useful for other situations, too
  Whistleblowers

Create a crisis response team
  Identify the key constituents
  Recognize their motivations
  Identify and empower the decision maker

Part III: I've been breached (and I can't get up)

Crisis response
  Feel free to take all the time you need!... yeah. Just kidding.
  Clock starts ticking from DOB (discovery of breach**)
  **Nobody else knows what this means, either.

Crisis response
  What did Part II give you?
  Faster reaction time
  More thorough reaction
  Ability to minimize risk and damage
  Without Part II...

Crisis response
  Coordinate first response team (IT, HR, legal, PR, etc.)
  Investigate, isolate, contain, and secure
  Notify (federal, state, int'l, individual, media, and other)
  Consider referral to law enforcement and/or civil remedy
  Re-evaluate

Crisis response: Investigate, isolate, contain, and secure
  Retain forensic investigator
  Interview witnesses
  Preserve documents and systems
  Identify what was compromised
  Document everything

Crisis response: Notify (federal, state, int'l, individual, media, and other)
  Federal, state, international
  Individuals
  Insurers and credit card companies (PFI!)
  Media
  Employees

Crisis response: Consider referral to law enforcement and/or civil remedy
  E.g., 18 U.S.C. § 1030

Contact Information
  Shamoil T. Shipchandler
  Partner, Bracewell & Giuliani LLP
  214.758.1048
  shamoil.shipchandler@bgllp.com