prepare for breaches like a pro
TRANSCRIPT
© 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential. Page 1
Preparing For A Data Breach
Page 2
Agenda
§ Introductions
§ Today’s reality with breaches and data loss
§ Preparing for breach
– The process
– Tips for getting it right
§ Q&A
Page 3
Introductions: Today’s Speakers
§ Ted Julian, Chief Marketing Officer, Co3 Systems
– Security / compliance entrepreneur
– Security industry analyst
§ Bob Siegel, Privacy Strategist & Principal, Privacy Ref LLC
– Previously, Sr. Manager of Worldwide Privacy and Compliance for Staples, Inc.
– Certified Information Privacy Professional (CIPP/US, CIPP/IT)
Page 4
Co3 at a Glance
Co3 Systems’ incident management system helps organizations that have customer or employee Personal Information
reduce the expense, risk, and stress of a breach.
A web-based/hosted SaaS platform: no hardware or software to buy or manage; it’s running in minutes
Concerns all companies that manage employee or customer data: Retail, Healthcare, Financial Services, Higher Education, Services …
Understands all regulations that concern private information: Federal, State, Trade Associations …; can customize for contracts
Can be deployed quickly and is easy to use: intuitive, step-by-step usage model; no user training needed
Delivers immediate, quantifiable value: expert, actionable insight in 20 minutes or less – regulatory obligations and industry best practices
Page 5
Breach Epidemic
More than half of American consumers would sue a company that loses its personal information
TRICARE Hit with $4.9 Billion Suit Following Breach
Zappos, Amazon Sued Over Customer Data Breach
Source: DataLossDB.org
… payment provider’s “fourth-quarter profit fell 90 percent on costs related to a security breach…took an $84.4 million pre-tax charge”
Page 6
Breaches Are Common – Firms Must Act
Source: “Planning For Failure” – Forrester Research, Nov. 2011
“… many of them have suffered a breach – they just don’t know it”
** if you haven’t been breached, why wouldn’t you disclose that?
“With an avalanche of… breach notification laws on the horizon, you have no choice but to implement an incident management program. If you don’t have an incident management program… it’s imperative that you do so immediately.”
Page 7
Scope of Data Loss
Diagram: the exposure of consumer or employee Personal Information, arising from Malicious Cyber-Attacks, Lost/Stolen Assets, Third-Party Leaks, and Internal/Employee Actions
Global Consumer Electronics Firm:
Hackers stole customer data, including credit card information
100 million records
Community-Based Healthcare Plan:
Laptops with patient data stolen by former employee
208,000 records
Multi-Channel Marketing Service:
Digital marketing agency exposes customer data of dozens of clients
Millions of records
Government Agency:
Employee sent CD-ROM with personal data on registered advisors
139,000 records
In the US there are 46 States, 4 Territories, 14 Federal Authorities and multiple trade associations, each enforcing their own regulations that prescribe the treatment of personal data
Page 8
Regulatory Requirements
46 States, 3 Commonwealths, and 14 Federal agencies have established legislation
Fines are growing – aggressive AGs are filling state coffers
Trade Associations & Commissions
Industry groups, commissions, and certification bodies are imposing stricter guidelines and penalties
More fines – and businesses losing accreditation
Class Action Lawsuits
Law firms have noticed and are picking up the pace in class-action lawsuits
Even with no “harm”, companies are losing and settling quickly
Contractual Obligations
Company obligations extend to 3rd party data sources, vendors, and even corporate customers
Extreme sensitivity on vendor and partner use (and storage) of data
Ignoring the Problem is Not an Option
Regulatory Requirements
Brand Damage
Page 9
Diagram: Simulations, Incidents, and Events feed the cycle Prepare / Assess / Manage / Report
Co3 Automates Breach Management
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate PIAs
MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
Page 10
PREPARING FOR A BREACH
Page 11
Some Questions
1. How do your employees notify you of a potential data breach event?
2. How does an incident become an event?
3. How are external communications coordinated?
“Organizing is what you do before you do something, so that when you do it, it is not all mixed up.”
-- A. A. Milne
Page 12
Sample Event Process
Incident Occurs
Follow Incident Management Process
Escalate to CPO and CSO
• Decides if this may be a data breach event based on currently known information
Engage Event Management Team
• Determines scope of the event
• Identifies risks and responsibilities
• Reports back to CPO and CSO
• Coordinates remediation
Engage Event Communication Plan
• Defines how all communication to stakeholders is coordinated
Page 13
Incident Management Processes
§ Generally owned by IT
• Provides logging and tracking services
• May be focused on data processing incidents
• May not be sensitive to paper-based issues
§ Metrics-centric process
• Response time
• Resolution time
• Close / Completion time
§ Check to see how non-IT events are addressed
• Are non-IT events routinely handled?
• Are they tracked in the Incident Management system?
• Has a test scenario been run recently?
Page 14
Page 15
Event Management Team
§ Cross-functional team
• Initially determines scope and impact of the event
• Coordinates remediation efforts
§ Led by the Chief Privacy Officer
§ Core members should represent…
• Legal
• Privacy
• Compliance
• Incident Management
• IT
§ Other members added based on the event
Page 16
Facts To Gather During An Event
1. Information lost
2. Was data encrypted
3. Amount of data lost
4. Has the data loss been stopped?
5. When loss occurred
6. Where it was lost
7. Who was affected
8. Residence of affected
9. Can data be recovered?
10. Applicable laws
11. Notification requirements
12. Potential impact to other applications
13. Potential impact on other organizations
Page 17
Page 18
Event Communication Plan
§ Identifies members of the Event Communication Team
– Contains contact information for the members
§ Defines communication parameters
• Who talks to whom and when
§ Contains frameworks for communications
Page 19
Event Communication Team
Stakeholders
• Customers
• Employees
• Marketing Dept.
• Media
• Law enforcement
• Other Government Officials
• Shareholders
Team Members
• Marketing *
• Internal Communications
• Public Relations *
• Security / Loss Prevention
• Legal
• Investor Relations
• Chief Privacy Officer
* Potential Lead
Page 20
Communication Parameters
§ Spokespeople must be identified
• Spokesperson designation by stakeholder
• Limit communication to be done to designees
§ Message content must be reviewed
• Consistent messages sent across stakeholders
§ Keep Executive Leadership informed
• Frequent updates from chairs of both teams
§ Use Executives as spokespeople sparingly
Page 21
Communication Frameworks
§ Most communications can be prewritten
• Details of the specific event added at event time
§ Prepared items may include…
• Press releases
• Letters / emails to customers
• Website updates
• Employee notices
• Talking points for the media
Page 22
Test, Test, and Retest
§ Make all participants familiar with processes before they are implemented
§ Two common types of testing
Table Top Exercises
• Multiple scenarios defined
• Key participants meet
• Each scenario is discussed
Scenario Exercise
• One scenario is defined
• Participants notified the day of the exercise
• Production processes and tools are used to manage the event
• Key participants meet to debrief
Page 23
Other Considerations
§ System of record
§ Methods of communications
§ Independent divisions
• Multinational divisions
• Acquired businesses
• Recognized brands
Page 24
Questions
Page 25
Thanks!
Gartner: “Co3 …define(s) what software packages for privacy look like.”
1 Alewife Center, Suite 450 Cambridge, MA 02140
ph: 617-206-3900 e: [email protected]
www.co3sys.com
ph: 508-474-5125 e: [email protected]
privacyref.com