IDENTIFYING AND RESPONDING TO DATA BREACHES

Michael P. Hindelang
Honigman Miller Schwartz and Cohn LLP
October 14, 2015
Merit Security Summit

DATA SECURITY RISKS, THREATS & REAL WORLD EXAMPLES

OVERVIEW
- What is a data breach?
- Is this a real risk for my organization?
- What is the worst that can happen?
- What does cybersecurity mean today?

WHAT IS AT RISK
- Information and systems needed to run your business
  - Competitive information
  - Controls for machines
- Information about your business
  - Financial information
- Information belonging to others
  - Customers
  - Employees
  - Third Parties

YOUR INFORMATION HAS VALUE
- All three categories
- Regardless of industry
- In ways that it may be more valuable to others

WHAT CAUSES BREACHES?
- Hackers/criminals
- Employees/insiders
- System failures
- All of the above

STATISTICS
Recent studies have shown that breaches were caused by:
- Hackers or malware: 47-49%
- System issues: 20-31%
  - 85% of those were from third-party services
- Negligent employees: 19-30%
  - Including lost devices

HOW HARD IS IT?
- Does your information have value?
- Hackers can compromise some systems within minutes
- Do you ever have computer glitches?
- Do your employees have access to any part of your IT system?

THERE ARE NUMEROUS AREAS OF VULNERABILITY
- Mobile and remote access
- Online presence
- Traditional systems
- Insiders

INDUSTRIES WITH UNIQUE OR ADDITIONAL RISKS
- Health Care
- Financial Services
- Technology
- Manufacturing
- Anyone who handles payment cards

REPERCUSSIONS
- Business interruption
- Property loss
- Reputational risk
- Legal risk

LEGAL RISKS
- Employment issues
- Regulatory issues
- Civil liability
- Consumer class actions
- Business partner litigation

IDENTIFYING THE BREACH AND CONTAINING IT

HOW DO YOU KNOW YOU HAVE A PROBLEM?
- IT discovers an issue
  - Direct evidence
  - Indirect evidence
- Business unit discovers an issue
  - Suspicious emails
  - Missing money
- Notified by a third-party
  - Business partners
  - Media
- Notified by law enforcement

IS IT REALLY A DATA SECURITY ISSUE?
- Determining what is actually going on
- When do you move from an IT issue to a data breach response situation?
- Counsel
- Preservation of information

INDICIA OF A BREACH
- Responses to emails that your personnel did not send
- Financial transactions your personnel did not authorize
- Creation or discovery of unauthorized accounts
  - Especially administrative accounts
- Unusual network activity
- Large number of failed logins

IT'S A BREACH!
- Now what?
- Call a lawyer
- Privilege
- Legal ramifications of many early decisions

PRELIMINARY CONCERNS IN CONTAINING A DATA BREACH
- Speed
- Protecting your systems vs. hampering investigation
- Capabilities
  - IT
  - Legal
- Scope of access
- Location of data

SPEED
- Natural tendency is to run scans, test settings, etc.
- Risk trampling the digital footprints a forensic analyst could preserve
- May notify the hacker
- Law enforcement considerations
- May be necessary

CONFIDENTIALITY AND PRIVILEGE
- The role of counsel
- Who is involved?
- Risks of disclosure
- Capabilities of members of the team

DETERMINING THE SCOPE OF ACCESS
- What systems are affected
- What those systems connect to
- Security protocols
- What data is on the affected systems

DETERMINING WHO IS INVOLVED
- There is a human element to many data breaches
- Are employees involved?
- Who can you rely on?
- Is the information sensitive?
- Can you bring in consultants?

INVESTIGATING THE BREACH
- Interviews
- Technical analysis
- Employment considerations
- Law enforcement considerations

USING FORENSIC ANALYSTS
- Capabilities
- How to engage them
- Who they report to
- Translating tech-speak to management-speak
- Limitations

HANDLING LAW ENFORCEMENT
- When to involve them
- When they involve themselves
- Providing access to your systems
- Seeking prosecution of bad actors

DISCLOSING AND REMEDIATING THE BREACH

REMEDIATION ISSUES
- You can't fix what you can't find
- What if there is not a clear technical issue?
- You can't fix what you don't control
- You can't fix what you don't understand

IDENTIFYING THE BREACH VS IDENTIFYING WHAT TO FIX
- Knowing what was taken does not necessarily tell you how it was taken
- Can you determine the means of access?
- Can you determine that there were no other points of access?
- Can you determine how to address the problems?
- Can you test your fixes?

OTHER REMEDIATION CONSIDERATIONS
- Do you control the affected systems?
- Collateral effects of technical changes
- Business interruption
- De facto disclosure of the breach

DISCLOSURE ISSUES
- Insurance
- Publicity
- Consumer notification laws
- Regulatory notifications
- SEC filings
- Litigation
- Timing

CYBERINSURANCE
- Do you have a cyberinsurance policy?
- What does it cover?
- Can you choose your professionals?
- When are you required to notify them?
- What else do you need to do for coverage?

PUBLICITY
- Can you keep the breach confidential?
- What happens if you do?
- What happens if you don't?
- Reputational issues
- Planning for the media attention

CONSUMER NOTIFICATION
- 47 different state laws
- Plus municipal laws
- And different countries
- Timing
- Content
- What must be offered

REGULATORY NOTIFICATIONS
- State attorneys general
- FTC
- Industry regulators
- Local law enforcement
- Federal law enforcement

SEC FILINGS
- For public companies
- Cybersecurity risk factors
- Effect of breaches
- Potential for lawsuits

POTENTIAL LITIGATION
- Consumer class actions
- Employment
- Securities
- FTC and state attorneys general

TIMING
- How do these work together?
- Law enforcement
- Insurance
- Consumer notifications
- Reasons to delay
- Reasons to expedite

ADDITIONAL STEPS
- Security audits
- Policy reviews
- Contract reviews

Michael P. Hindelang
Honigman Miller Schwartz and Cohn LLP
mhindelang@honigman.com
(313) 465-7412

WWW.HONIGMAN.COM