Developing a Company Personal Information Breach Response Plan
September 9, 2014
Joyce Shroka, Director Business Continuity & Records, jashroka@nisource.com
Presentation developed exclusively for the September, 2014 DRJ Conference

NiSource At A Glance
From the Gulf Coast through the Midwest to the Northeast, our portfolio of companies serves some of the nation's highest-value energy markets, with services ranging from natural gas transmission, storage and local distribution, to electricity generation, transmission and distribution.

Gas Distribution
- One of the Nation's Largest Natural Gas Distribution Companies, Serving More than 3.4 Million Customers
- Established Best-in-Class Platform for Sustainable Earnings Growth Through: Comprehensive Long-Term Infrastructure-Investment Programs; Responsive Customer Programs; Creative Regulatory Approaches

Electric Operations
- Approximately 460,000 Industrial, Commercial and Residential Electric Customers in a Stable Marketplace
- Environmentally Compliant Fleet of Electric Generation Facilities
- Total Generating Capability of 3,300 Megawatts
- Long-Term Infrastructure Investment Program

Columbia Pipeline Group
- Approximately 15,000 Mile Network of Interstate Natural Gas Pipelines
- One of the Nation's Largest Underground Market-Area Storage Systems
- Unparalleled Strategic Footprint in the Marcellus and Utica Shale Production Regions
- Deep Inventory of Attractive Investment Opportunities
- Long-Term Pipeline System Modernization Program
Agenda
- Definitions: Breach, Personal Information
- Breach Team Members
- Responsibilities of Each Breach Team Member
- Responsibility Matrix
- Groups to Notify
- Breach Crisis Service
- Breach Checklist
- Draft Breach Letter(s)
- Change Log
- Training/Exercise

Definition of a Breach
A Breach occurs whenever personal information in the custody or control of your company may have been stolen, lost, or subject to unauthorized access.
What is Personal Information?
Commonly involves a person's name in combination with the person's:
- Social Security number, or
- Driver's License number, or
- State-Issued Identification card number, or
- Financial Account number, or
- Credit or Debit card number

Breach Team Members
Determine team structure:
- What departments need involvement?
- Who needs to be communicated to or contacted?
- Safety/security issues?
- Regulatory considerations?
Answering these questions helps you home in on the appropriate functional involvement.
Breach Team at NiSource
- Breach Response Leader
- Security (cyber & physical) Leader
- Communications/Public Affairs Leader
- Governmental Leader
- Legal Counsel Leader

Breach Team Structure
- Breach Response Leader
  - Security Leader
  - Communications / Public Affairs Leader
  - Governmental Leader
  - Legal Counsel Leader
Breach Response Leader
Responsible for overall breach management:
- Development of overall breach objectives
- Sets priorities for the team/company
- Strategies

Breach Leader Responsibilities
Coordinate an immediate response to limit the breach impact. Additionally:
- Executive Notification: executives determine activation of other plans
- Making the Record: document all activities
- Suspected Criminal Activity: involve law enforcement
- Health Info Breach: contact security/privacy official
Breach Leader - Think About
- What is the extent of the breach?
- What information was disclosed and to whom?
- Was the data encrypted?
- Is there a potential for data disclosure?

Breach Leader - Think About (cont.)
- Who owns the breached data (which department)?
- What data fields were breached (if that can be determined)?
- Is the threat of the unauthorized access continuing?
Security Leader
Monitors breach operations on all matters relating to security and safety.
Note: May need a cyber security leader and a physical security leader.

Security Leader Responsibilities
Accountable for information and operational security. Additionally:
- Forensic investigation involving IT assets or data
- Preserve any/all potential evidence
- Identify/execute security activities
- Implement measures to contain and protect
Security Leader Responsibilities (cont.)
- Authority to stop and prevent unsafe/unsecure acts
- Coordinate with law enforcement
- Determine accuracy of incident information
- Determine if breach was intentional or accidental
- Outside parties' cooperation

Communications/Public Affairs
Develops, prioritizes and conducts briefings for:
- Press/Media
- Employees
- Customers
Communications/Public Affairs Responsibilities
Communication interfaces with the press, media and employees. Additionally:
- Prioritize communication and public relations activities
- Execute information activities to: press, media, employees, investors, customers and other stakeholders
- Conduct periodic media briefings
- Contact appropriate HR or Customer management
- Determine need to activate Corporate Crisis Communications plan

Communications/Public Affairs (cont.)
- At direction of the Breach Response Leader, implement any limits on information release
- Communicate status to appropriate groups
- Develop/manage all messages
- Monitor information sources (tweets, blogs, etc.) and forward pertinent information to Breach Leader
- Update internal/external web sites
Governmental Leader
Point of contact for governmental agencies:
- Federal
- State
- Local
- Tribal

Governmental Leader Responsibilities
Point of contact for coordinating information with governmental entities. Additionally:
- Execute governmental response activities
- Determine appropriate agencies to be contacted and appropriate person to contact them
- Involve company state presidents
- Inform state regulatory commissions
Legal Counsel Leader
Provides status reports, manages the planning process and ensures actions are documented.

Legal Counsel Responsibilities
Accountable for the collection, analysis and dissemination of the breach information. Additionally:
- Gather and preserve documents, data and evidence
- Determine if a Legal Hold notification is needed
- Review all communications messages before dissemination
Legal Counsel Responsibilities (cont.)
- Organize/facilitate Breach Team status meetings
- Document status of resources assigned to the incident and forecast resource requirements
- Establish data collection procedures and processes as needed (e.g., Breach log, sign-in sheets)
- Review with Governmental Leader all agency contacts and communications

Legal Counsel Responsibilities (cont.)
- Familiar with notification requirements to affected parties based on laws/regulations
- Document notifications to affected parties
- Provide periodic risk assessment to Breach Response Leader
Responsibility Matrix

| Activity \ Breach Team Member | Breach Response Leader | Security Leader | Comm. Leader | Governmental Leader | Legal Counsel |
|-------------------------------|------------------------|-----------------|--------------|---------------------|---------------|
| Determine Breach Occurred     | Primary                | Assist          |              |                     |               |
| Containment                   | Assist                 | Primary         |              |                     |               |
| Media                         |                        |                 | Primary      |                     | Assist        |
| Employee                      |                        |                 | Primary      |                     | Assist        |
| Bulletin Board Management     |                        |                 | Primary      | Assist              | Assist        |
| High-Speed Notification       |                        |                 | Primary      |                     | Assist        |
| Governmental Agencies         |                        |                 | Assist       | Primary             | Assist        |
| Etc.                          |                        |                 |              |                     |               |

Groups to Notify
- List each person/agency, organized by groups
- List each person/agency: name, title, address, contact information (phone, email)
Important: During a breach, you will lose precious time figuring out who to call if it isn't documented in the plan.
Groups to Notify (cont.)
- Executives: CEO, CLO, CIO, CFO, Company Presidents, etc.
- Inside Counsel/Outside Counsel
- Corporate Insurance

Groups to Notify (cont.)
- HR: employee list (names, addresses)
- Customer-centered departments: customer list (names, addresses)
- Shareholder custodian: is this your Corporate Secretary or Shareholder Relations?
Groups to Notify (cont.)
- Governmental Officials
  - Federal: FERC, NERC, FTC, SEC, etc.
  - State: Attorney General for each state your company operates in
- Reporting Agencies: Equifax, Experian, TransUnion
- Payment card providers used by customers

Groups to Notify (cont.)
- Printing vendors: letter, address labels
- Media/PR Reputation Specialists
- Breach Crisis Service
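As an added example (not part of the presentation), the following Python helper encodes the deck's definition of personal information and the Breach Leader's "think about" questions, and derives a first-pass list from the Groups to Notify slides. The field names, the rule that reporting agencies and card providers are only listed when the matching identifier was exposed, and the per-state Attorney General entries are assumptions for illustration.

```python
# Added example, not part of the presentation. Field names, the identifier-to-group
# mapping and the per-state entries are assumptions used for illustration.
from dataclasses import dataclass, field

# Identifiers that, combined with a name, make a record "personal information"
# under the deck's definition (What is Personal Information? slide).
PI_IDENTIFIERS = {"ssn", "drivers_license", "state_id", "financial_account", "payment_card"}


@dataclass
class LostRecordSet:
    """What the Breach Leader knows about the lost or accessed data (constructed)."""
    data_fields: set          # field names present in the affected records
    encrypted: bool           # "Was the data encrypted?"
    subjects: str             # "customers" or "employees"
    states: set = field(default_factory=set)  # states of the affected people (assumed)
    ongoing: bool = False     # "Is the threat of the unauthorized access continuing?"


def is_personal_information(rec):
    """True when a name is present together with at least one covered identifier."""
    return "name" in rec.data_fields and bool(rec.data_fields & PI_IDENTIFIERS)


def notification_groups(rec):
    """Return the Groups-to-Notify entries to line up for this breach.

    Encryption is handed to Legal Counsel as a question to assess, not treated
    as an exemption: the deck asks the question but states no safe harbour.
    """
    if not is_personal_information(rec):
        return []
    groups = ["Executives", "Inside/Outside Counsel", "Corporate Insurance",
              "Breach Crisis Service"]
    groups.append("HR (employee list)" if rec.subjects == "employees"
                  else "Customer-centered departments (customer list)")
    # Assumption: credit reporting agencies matter when identity-type data is exposed.
    if rec.data_fields & {"ssn", "drivers_license", "state_id", "financial_account"}:
        groups.append("Reporting agencies: Equifax, Experian, TransUnion")
    if "payment_card" in rec.data_fields:
        groups.append("Payment card providers used by customers")
    groups += [f"State Attorney General: {s}" for s in sorted(rec.states)]
    if rec.ongoing:
        groups.append("Security Leader: contain before notification letters go out")
    if rec.encrypted:
        groups.append("Legal Counsel: assess whether encryption changes notice duties")
    return groups
```

A lost employee file containing names and Social Security numbers for people in two states yields the executive, counsel, insurance, crisis-service, HR, reporting-agency and two Attorney General entries; a file with no name, or a name with only an email address, yields nothing because it does not meet the deck's definition.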
Breach Crisis Service
Negotiate an advance agreement with a Breach Crisis Service that:
- Has experience managing breaches
- Can set up an 800# and call center
- Assists in drafting letters and FAQs, and provides triage

Breach Crisis Service (cont.)
Advantages:
- Has tried and true breach processes
- Might lower your Cyber Insurance premiums
Breach Response Checklist
Action Items (each with a Date Completed column):
- Identify and notify Breach Team: Security Leader; Governmental Leader; Legal Counsel Leader; Communications/Public Affairs Leader
- Convene meeting of Breach Team
- Activate Breach Plan
- Is breach ongoing?
- Implement measures to contain breach: credit card information; employee information; protected health information; critical energy infrastructure information

Breach Response Checklist (cont.)
Action Items (each with a Date Completed column):
- Notify executives
- Identify person to contact Breach Crisis Service
- Notify Insurance department
- Activate Corporate Crisis Communication Plan
- Activate Corporate Crisis Management Plan
- Notify law enforcement
- Update external facing web sites
- Communicate with employees
- Etc.
Create Draft Breach Letter(s)
Drafts for both customers and employees, covering:
- Loss of electronic information
- Malware infection
- Loss of hard copy information

Change Log in Plan
List of changes made to the plan, including:
- Date of change
- Who made the change
- Specific pages changed
- Brief description of the change
Sample Table of Contents
- Plan Purpose
- Roles and Responsibilities
- Execute
- Evaluate
- Breach Determination Process
- Notifications
- Responsibility Matrix
- Samples of Public Breach Notifications
- Breach Response Checklist
- Change Log

Breach Team Member Training
- Thoroughly train each breach team member: walk through the plan in detail; explain their individual role
- Engage the entire team in a tabletop exercise: determine scenario, objectives, participants; update the plan post-exercise
Important: Identify and train backup Breach Team members.
Conclusion
Questions?
Joyce Shroka, Director Business Continuity & Records, jashroka@nisource.com