BDO KNOWLEDGE WEBINAR SERIES
Data Breach Essentials
June 2014

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
Page 1

CPE AND SUPPORT
CPE Participation Requirements
To receive CPE credit for this webcast:
- You'll need to actively participate throughout the program.
- Be responsive to at least 75% of the participation pop-ups.
Certificate of Attendance: If you are logged in the entire time and respond to all participation pop-ups, you will be able to print your certificate from the Participation section at the end of the webcast.
If you log out before printing your certificate:
- BDO USA professionals: CPE will automatically be issued in CPE Tracking & Reporting at the end of every week. A copy of your certificate will be sent after you have been issued credit.
- Clients and Contacts and all other individual participants: You will be emailed instructions on how to access your certificate.
Page 2
CPE AND SUPPORT (CONTINUED)
Group Participation
To receive credit, sign-in sheets must list a Proctor name and CPA license number.
- Clients and contacts: Email sign-in sheets to cpe@bdo.com within 24 hours of the webcast.
- BDO USA professionals: Submit your sign-in sheets using a General Training & Development Request in BDO Service Now, found at BDOWorld > Applications & Resources > BDO Service Now > Service Catalog (left menu) > Training & Development > Make a Request.
- Alliance Firm Members: Should proctor their own group participants. This process is detailed in the LearnLive Participant Guide, which can be found by searching "LearnLive Participant Guide" on the Alliance Portal. Call LearnLive Support (below) for questions.
- International Firm Members: Unfortunately, we cannot currently support group CPE for International Firms. Those wanting CPE must register and log in on their own computer.
Handouts: Handouts, including group CPE sign-in sheets, may be accessed from the Handouts tab at the bottom of your screen.
Q&A: Submit all questions using the Q&A feature in the lower right corner of the screen. At the end of the presentation, the presenter(s) will review and answer all questions submitted.
Technical Support: If you have technical issues, please contact LearnLive: click the Live Chat icon under the Support tab, or call 1-888-228-4088.
Page 3

LEARNING OBJECTIVES
Upon completion of this course, participants will be able to:
- Apply the key elements required to prepare for and respond to a data breach
- Recognize certain data breach indicators, including but not limited to internal threats, external threats and other risk factors
- Identify activities necessary to determine the extent of a data breach and methodologies to contain the breach
- Identify appropriate personnel, both internally and externally, to involve in the cyber investigation and notification processes
- Recognize methods that allow for monitoring and detection of potential future breach events
Page 4
PRESENTERS
- Dean Irwin, Principal, BDO USA, LLP, dirwin@bdo.com
- Amy Rojik, Director, BDO USA, LLP, arojik@bdo.com
- Rick Sanders, Attorney, Aaron & Sanders, PLLC, Rick@aaronsanderslaw.com
- Karen Schuler, Managing Director, BDO USA, LLP, kschuler@bdo.com
- Greg Shrader, Information Technology Executive, Greg_shrader@hotmail.com
Page 5

AGENDA
- Data Breaches in the Headlines
- Managing Data Environments
  - Creating an Environment that Promotes Strong Internal Controls
  - Developing Unified Threat Management System and Protocols to Recognize Threats
- Elements of a Cyber Investigation and Incident Response
  - Ability to Respond
  - Elements of a Cyber Investigation
  - Victim Notification Requirements and Reporting
- Monitoring and Preventative Steps
Page 6
DATA BREACHES IN THE HEADLINES
[Chart: selected losses greater than 30,000 records. Source: InformationIsBeautiful.net]
Page 7

MANAGING DATA ENVIRONMENTS
Page 8
DEVELOPING UNIFIED THREAT MANAGEMENT SYSTEM AND PROTOCOLS TO RECOGNIZE THREATS
- Setting the tone
- Establish a Risk Committee
- Risk policies and procedures
- Identify the data and the (IT) systems that hold it
Page 9

CREATING AN ENVIRONMENT THAT PROMOTES STRONG INTERNAL CONTROLS
- Safeguarding of assets: customer data is an asset!
- Controls over customer data
  - Authorizations/access
  - Adequacy of controls being maintained by third-party outsourcers
- Continuous monitoring (real-time/manual)
- Performing regular assessments on up-to-date software
- Offer regularly scheduled training
- Documentation
Page 10
ELEMENTS OF A CYBER INVESTIGATION AND INCIDENT RESPONSE
Page 11

WHAT, WHEN AND HOW DID THIS HAPPEN? YOUR ABILITY TO RESPOND IS CRITICAL
- Incidents may be the result of one or more factors
- Response plans are critical: don't wait until something happens
- Forming a response team in advance can save you time and money
- Response teams may include your own personnel, attorneys, and outside consultants that specialize in cyber investigations and incident response
[Diagram: potential causes of a breach]
Page 12
WHAT, WHEN AND HOW DID THIS HAPPEN? THE ELEMENTS OF A CYBER INVESTIGATION
The investigation runs through five phases; the questions under each are the ones the response team should be able to answer before moving to the next.

Identification
- Location of the incident
- How was it discovered?
- Other areas compromised?
- Scope of the impact
- Have sources been identified?
- Business impact

Containment
- Short-term containment (is the problem isolated / are the systems isolated?)
- System backup (evidence collection, imaging)
- Long-term containment (system off-line)

Eradication
- Re-image, update patches, harden system(s)
- Removal of malware and artifacts from system(s)

Recovery
- When can system(s) come back online?
- Have systems been prepared to thwart future attacks?
- What testing and monitoring solutions are going to be used in future?

Lessons Learned
- How can we prevent this in the future?
- Incident report: Who? What? Why? How? Where? When?
- Prevention
Page 13

VICTIM NOTIFICATION REQUIREMENTS AND REPORTING
All data breach statutes require the custodian of consumer data to notify the consumer if the consumer's personal information has been subject to a breach, but they vary markedly along several axes:
1. How broadly "personal information" is defined. Does it include information beyond SSN, DLN and financial information?
2. What triggers the duty to notify? Mere access? Something more?
3. Whether there are exceptions to the duty to notify.
4. How quickly notification must be given.
5. Who, if anyone, must be notified in addition to the affected consumer, such as the attorney general or a consumer protection agency.
6. The effect, if any, of encryption.
7. What must be included in the notification.
8. How notification must be given.
9. Whether there are private causes of action for failure to give notice and/or failure to protect data.
10. Whether the statute also protects hard-copy documents.
Page 14
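The containment phase above calls for evidence collection and imaging. Whatever imaging tool is used, the image is only useful to the investigation (and defensible later) if it can be shown not to have changed between acquisition and analysis. The usual control is to hash the image at capture time, record the digest with the custody details, and re-verify before each handover. The following is an added example, not material from the webinar or BDO's own tooling; the manifest field names, the evidence ID and the sample "image" are constructed for illustration.

```python
"""Evidence-integrity check for the containment step (added example):
hash a captured image at collection time, record the digest in a
chain-of-custody manifest, and re-verify before analysis or handover."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images can stream


def sha256_of_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """SHA-256 hex digest of an in-memory image, fed to the hash in chunks.
    Chunking only changes memory use; the digest is identical for any size."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def sha256_of_file(path: str, chunk_size: int = CHUNK_SIZE) -> str:
    """Same digest for an image on disk (e.g. a raw dd image) without loading it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(evidence_id: str, description: str, digest: str,
                  collected_by: str, acquired_at: Optional[str] = None) -> dict:
    """Minimal chain-of-custody record. Field names are this example's own
    choice (assumption), not a standard; extend with source host, tool and
    volume details as the response plan requires."""
    return {
        "evidence_id": evidence_id,
        "description": description,
        "sha256": digest,
        "collected_by": collected_by,
        "acquired_at": acquired_at or datetime.now(timezone.utc).isoformat(),
    }


def verify_evidence(data: bytes, manifest: dict) -> Tuple[bool, str]:
    """Recompute the digest and compare it with the manifest.
    Returns (matches, actual_digest) so a mismatch can be logged with both values."""
    actual = sha256_of_bytes(data)
    return actual == manifest["sha256"], actual


def constructed_image() -> bytes:
    """Constructed sample standing in for a captured disk image: a 3 MiB
    repeating pattern plus a 17-byte tail so the final hash chunk is partial."""
    pattern = b"SAMPLE-EVIDENCE-BLOCK-" * 47  # 1034 bytes
    body = (pattern * (3 * 1024 * 1024 // len(pattern) + 1))[: 3 * 1024 * 1024]
    return body + b"trailing-17-bytes"


if __name__ == "__main__":
    image = constructed_image()
    manifest = make_manifest("EV-0001", "constructed sample image",
                             sha256_of_bytes(image), "analyst@example.org")
    print(json.dumps(manifest, indent=2))
    ok, digest = verify_evidence(image, manifest)
    print("intact:", ok)
    tampered = bytearray(image)
    tampered[4096] ^= 0x01  # flip one bit, as a handling error or edit would
    ok, digest = verify_evidence(bytes(tampered), manifest)
    print("intact after single-bit change:", ok)
```

In practice the manifest is written alongside the image at acquisition, signed or stored where the acquiring analyst cannot later alter it, and `sha256_of_file` is run again on the copy received by anyone downstream (outside forensic consultants, counsel, law enforcement). A single-bit difference anywhere in the image changes the digest, which is the property that makes the check worth doing.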
RESOURCES
- The National Conference of State Legislatures maintains links to every state's data protection statutes: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- The law firm of BakerHostetler maintains a constantly updated data privacy blog and other resources: http://www.dataprivacymonitor.com
Page 15

MONITORING AND PREVENTATIVE STEPS
Page 16
DETERRING FUTURE DATA BREACHES
- Identification and measurement of risk
- Security initiatives (and ROI)
- Executive participation/oversight
- Education
- Communication plan
Page 17

SUMMARY: NEXT STEPS
- Recognize data breach indicators, internal and external
- Identify activities necessary to determine the extent of a data breach and methodologies to contain the breach
- Identify appropriate personnel, both internally and externally, to involve in the cyber investigation and notification processes
- Recognize methods that allow for monitoring and detection of potential future breach events
Page 18
ADDITIONAL WEBINARS
BDO Knowledge Webinar Archives: Managing Risk in Cyberspace, http://www.bdo.com/acsense/archive.aspx
BDO Knowledge Upcoming Webinars (http://www.bdo.com/acsense):
- Technical Update Q2 2014, July 9, 10 and 11
- Revenue Recognition: Overview of ASU 2014-09, July 14 and 15
Page 19

BDO BOARD REFLECTIONS
Additional resources accessible via the BDO Board Reflections: http://www.bdo.com/library/boardreflections.aspx
Recent BDO Publications:
- Cybersecurity: Its Impact on the External Audit and Other Recent Developments
- Cybersecurity: A Board Primer
For a complete listing of publications, refer to: http://www.bdo.com/publications/assurance/
Page 20
EVALUATION
We continually try to improve our programming and appreciate constructive feedback. Following the program, we will send a thank-you e-mail containing a link to a brief evaluation. Thank you in advance for your participation!
Page 21

CONCLUSION: THANK YOU FOR YOUR PARTICIPATION!
Certificate Availability: If you participated the entire time and responded to at least 75% of the polling questions, click the Participation tab to access the print certificate button.
Group Participation reminder: to receive credit, sign-in sheets must list a Proctor name and CPA license number.
- Clients and Contacts: email sign-in sheets to bdoevents@bdo.com within 24 hours of the webcast.
- BDO USA professionals: Submit your sign-in sheets using BDO Service Now.
- Alliance Firm Members: Should proctor their own group participants. This process is detailed in the LearnLive Participant Guide on Alliance Portal > Resource Center. Call LearnLive Support for questions: 1-888-228-4088.
- International Firm Members: Unfortunately, we cannot currently support group CPE for International Firms. Those requesting CPE must have registered and participated from their own computer.
Please exit the interface by clicking the red X in the upper right-hand corner of your screen.
Page 22