Developing a Company Personal Information Breach Response Plan


Developing a Company Personal Information Breach Response Plan
September 9, 2014
Joyce Shroka, Director, Business Continuity & Records, jashroka@nisource.com
Presentation developed exclusively for the September 2014 DRJ Conference

NiSource At A Glance
From the Gulf Coast through the Midwest to the Northeast, our portfolio of companies serves some of the nation's highest-value energy markets, with services ranging from natural gas transmission, storage and local distribution, to electricity generation, transmission and distribution.

Gas Distribution
- One of the Nation's Largest Natural Gas Distribution Companies, Serving More than 3.4 Million Customers
- Established Best-in-Class Platform for Sustainable Earnings Growth Through: Comprehensive Long-Term Infrastructure-Investment Programs; Responsive Customer Programs; Creative Regulatory Approaches

Electric Operations
- Approximately 460,000 Industrial, Commercial and Residential Electric Customers in a Stable Marketplace
- Environmentally Compliant Fleet of Electric Generation Facilities
- Total Generating Capability of 3,300 Megawatts
- Long-Term Infrastructure Investment Program

Columbia Pipeline Group
- Approximately 15,000-Mile Network of Interstate Natural Gas Pipelines
- One of the Nation's Largest Underground Market-Area Storage Systems
- Unparalleled Strategic Footprint in the Marcellus and Utica Shale Production Regions
- Deep Inventory of Attractive Investment Opportunities
- Long-Term Pipeline System Modernization Program

Agenda
- Definitions: Breach, Personal Information
- Breach Team Members
- Responsibilities of Each Breach Team Member
- Responsibility Matrix
- Groups to Notify
- Breach Crisis Service
- Breach Checklist
- Draft Breach Letter(s)
- Change Log
- Training/Exercise

Definition of a Breach
A breach occurs whenever personal information in the custody or control of your company may have been stolen, lost, or subject to unauthorized access.

What is Personal Information?
Commonly involves a person's name in combination with the person's:
- Social Security number, or
- Driver's license number, or
- State-issued identification card number, or
- Financial account number, or
- Credit or debit card number

Breach Team Members
Determine team structure:
- What departments need involvement?
- Who needs to be communicated to or contacted?
- Safety/security issues?
- Regulatory considerations?
Answering these questions helps you hone in on the appropriate functional involvement.

Breach Team at NiSource (Breach Team Structure)
- Breach Response Leader
- Security (cyber & physical) Leader
- Communications/Public Affairs Leader
- Governmental Leader
- Legal Counsel Leader

Breach Response Leader
Responsible for overall breach management:
- Development of overall breach objectives
- Sets priorities for the team/company
- Strategies

Breach Leader Responsibilities
Coordinate an immediate response to limit the breach impact. Additionally:
- Executive Notification: executives determine activation of other plans
- Making the Record: document all activities
- Suspected Criminal Activity: involve law enforcement
- Health Info Breach: contact security/privacy official

Breach Leader - Think About
- What is the extent of the breach?
- What information was disclosed and to whom?
- Was the data encrypted?
- Is there a potential for data disclosure?
- Who owns the breached data, which department?
- What data fields were breached (if that can be determined)?
- Is the threat of the unauthorized access continuing?

Security Leader
Monitors breach operations on all matters relating to security and safety.
Note: May need a cyber security leader and a physical security leader.

Security Leader Responsibilities
Accountable for information and operational security. Additionally:
- Forensic investigation involving IT assets or data
- Preserve any/all potential evidence
- Identify/execute security activities
- Implement measures to contain and protect

Security Leader Responsibilities (cont.)
- Authority to stop and prevent unsafe/unsecure acts
- Coordinate with law enforcement
- Determine accuracy of incident information
- Determine if breach was intentional or accidental
- Outside parties' cooperation

Communications/Public Affairs
Develops, prioritizes and conducts briefings for:
- Press/Media
- Employees
- Customers

Communications/Public Affairs Responsibilities
Communication interfaces with the press, media and employees. Additionally:
- Prioritize communication and public relations activities
- Execute information activities to: press, media, employees, investors, customers and other stakeholders
- Conduct periodic media briefings
- Contact appropriate HR or Customer management
- Determine need to activate Corporate Crisis Communications plan
- At direction of the Breach Response Leader, implement any limits on information release
- Communicate status to appropriate groups
- Develop/manage all messages
- Monitor information sources (tweets, blogs, etc.), forward pertinent information to Breach Leader
- Update internal/external web sites

Governmental Leader
Point of contact for governmental agencies:
- Federal
- State
- Local
- Tribal

Governmental Leader Responsibilities
Point of contact for coordinating information with governmental entities. Additionally:
- Execute governmental response activities
- Determine appropriate agencies to be contacted and appropriate person to contact them
- Involve company state presidents
- Inform state regulatory commissions

Legal Counsel Leader
Provides status reports, manages the planning process and ensures actions are documented.

Legal Counsel Responsibilities
Accountable for the collection, analysis and dissemination of the breach information. Additionally:
- Gather and preserve documents, data and evidence
- Determine if a Legal Hold notification is needed
- Review all communications messages before dissemination

Legal Counsel Responsibilities (cont.)
- Organize/facilitate Breach Team status meetings
- Document status of resources assigned to the incident and forecast resource requirements
- Establish data collection procedures and processes as needed (e.g., Breach log, sign-in sheets)
- Review with Governmental Leader all agency contacts and communications
- Be familiar with notification requirements to affected parties based on laws/regulations
- Document notifications to affected parties
- Provide periodic risk assessment to Breach Response Leader

Responsibility Matrix
A table with one column per Breach Team Member (Breach Response Leader, Security Leader, Comm. Leader, Governmental Leader, Legal Counsel) and one row per activity, each cell marked Primary or Assist. Rows: Determine Breach Occurred; Containment; Media; Employee; Bulletin Board Management; High-Speed Notification; Governmental Agencies; Etc. The cell assignments recoverable from the slide: Determine Breach Occurred is Breach Response Leader Primary, Security Leader Assist; Containment is Breach Response Leader Assist, Security Leader Primary. The remaining rows each show one Primary and one or more Assist marks, but the extraction does not preserve which leader holds each.

Groups to Notify
- List each person/agency, organized by groups
- List each person/agency: name, title, address, contact information (phone, email)
Important: During a breach, you will lose precious time figuring out who to call if it isn't documented in the plan.

Groups to Notify (cont.)
- Executives: CEO, CLO, CIO, CFO, Company Presidents, etc.
- Inside Counsel/Outside Counsel
- Corporate Insurance
- HR (employee list: names, addresses)
- Customer-centered departments (customer list: names, addresses)
- Shareholder custodian: is this your Corporate Secretary or Shareholder Relations?

Groups to Notify (cont.)
- Governmental Officials
  - Federal: FERC, NERC, FTC, SEC, etc.
  - State: Attorney General for each state your company operates in
- Reporting Agencies: Equifax, Experian, TransUnion
- Payment card providers used by customers
- Printing vendors (letter, address labels)
- Media/PR Reputation Specialists
- Breach Crisis Service

Breach Crisis Service
Negotiate an advance agreement with a Breach Crisis Service:
- Has experience managing breaches
- Can set up an 800# and call center
- Assists in drafting letters, FAQs, providing triage
Advantages:
- Has tried and true breach processes
- Might lower your Cyber Insurance premiums

Breach Response Checklist
Action items (each with a "Date Completed" column):
- Identify and notify Breach Team: Security Leader, Governmental Leader, Legal Counsel Leader, Communications/Public Affairs Leader
- Convene meeting of Breach Team
- Activate Breach Plan
- Is breach ongoing?
- Implement measures to contain breach: credit card information, employee information, protected health information, critical energy infrastructure information
- Notify executives
- Identify person to contact Breach Crisis Service
- Notify Insurance department
- Activate Corporate Crisis Communication Plan
- Activate Corporate Crisis Management Plan
- Notify law enforcement
- Update external-facing web sites
- Communicate with employees
- Etc.

Create Draft Breach Letter(s)
Drafts for both customers and employees:
- Loss of electronic information
- Malware infection
- Loss of hard copy information

Change Log in Plan
List of changes made to the plan, including:
- Date of change
- Who made the change
- Specific pages changed
- Brief description of the change

Sample Table of Contents
- Plan Purpose
- Roles and Responsibilities
- Execute
- Evaluate
- Breach Determination Process
- Notifications
- Responsibility Matrix
- Samples of Public Breach Notifications
- Breach Response Checklist
- Change Log

Breach Team Member Training
- Thoroughly train each breach team member
- Walk through the plan in detail
- Explain their individual role
- Engage entire team in a tabletop exercise
  - Determine scenario, objectives, participants
  - Post-exercise, update the plan
Important: Identify and train backup Breach Team members.

Conclusion
Questions?
Joyce Shroka, Director, Business Continuity & Records, jashroka@nisource.com