Eight Strategies to Reduce Your Risk in the Event of A Data Breach Sheryl Falk December 10, 2013.


  • Slide 1

Eight Strategies to Reduce Your Risk in the Event of A Data Breach
Sheryl Falk
December 10, 2013

  • Slide 2

Are you ready for a Data breach?

  • Slide 3

Costs of Data Breach

  • Slide 4

Q: What is a Data Breach?
A Data breach is the intentional or unintentional release of secure information to an untrusted environment.

  • Slide 5

1. External Threats: Cybercriminals/Hackers

  • Slide 6

2. External Threats: Vendors/Subcontractors

  • Slide 7

3. Insider Threat: Employee Theft

  • Slide 8

Examples of Trade Secret information
- marketing strategies
- manufacturing techniques
- manufacturing materials
- computer algorithms
- a new invention (for which a patent application has not yet been filed)
- a formula for a sports drink
- survey methods used by professional pollsters
- customer lists and information

  • Slide 9

4. Insider Threat: Negligent Employees
35%
- Lost laptop or device containing company data
- turning off encryption
- not updating security patches
- leaving computer on at night
- simple passwords
- use of public WiFi
- stolen laptop
- emailing company information to home email address
- unnecessary use of social security numbers
- use of social media at work
- clicking on unfamiliar email links
- failure to monitor URL address
- using found USB stick
- outsourcing data to vendor without security due diligence
- using company guest WiFi to access secure information from personal devices
- failure to follow security policies
- sharing passwords
- misdirected emails with PII
- foolishness
- falling for phishing
- written passwords next to computer

  • Slide 10

(no text on slide)

  • Slide 11

Data Breach Detection
- Less than 2% of breaches are detected in the first 24 hours
- Less than 46% of breaches are detected in the first 30 days
- 60% of breaches have data exfiltrated in the first 24 hours
- Over 92% of breaches are discovered by a third party
- Less than 40% are contained within a week of discovery
Source: 2012 Verizon Data Breach Report

  • Slide 12

(no text on slide)

  • Slide 13

1. Follow your Data Breach Response Plan

  • Slide 14

Plan your Data Breach Response
- Develop a written Plan
- Assemble your Team
- Identify your vendor partners
- Test your Plan

  • Slide 15

2. Conduct a Privileged Investigation

  • Slide 16

Investigation Steps
- Identify all affected data, machines and devices
- Preserve Evidence
- Understand how the data was protected
- Develop the Record
- Conduct interviews with key personnel
- Document evidence and findings carefully
- Quantify the exposure of data compromised
- Track your costs

  • Slide 17

3. Assess Notification Obligations

  • Slide 18

Who do you have to Notify?
- Federal or State authorities (depends on the type of information at issue and threshold numbers affected)
- SEC Report Requirement
- Impacted individuals (applicable law is where the individual resides)
- International Considerations
- Legal implications of failing to properly notify

  • Slide 19

Texas Data Breach Statute
521.053 Texas Bus. & Com. Code: "A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach to any individual whose sensitive personal information believed to have been acquired by an unauthorized person."
- Extraterritorial Application
- Civil penalty up to $250,000 per breach

  • Slide 20

4. Cooperate with Regulators/AGs

  • Slide 21

Responding to the AG/Regulators
- Maintain your credibility
- Negotiate terms of requests
- Circulate a hold for document destruction
- Advocate your story

  • Slide 22

5. Develop Communications Strategies

  • Slide 23

Effectively Communicate about Breach
- Have a Breach Communications Plan
- Communicate breach facts accurately and quickly
- Understand and follow breach notification timetables
- Stay focused and concise
- Be prepared to update with new information
What you might offer:
- Information about security freezes and credit monitoring
- Contact information for credit reporting agencies, FTC or state authorities
- Central ombudsman for all questions
- Credit monitoring or identity restoration services
- Coupons or gift certificates

  • Slide 24

6. Check Privacy/Data Security Policies

  • Slide 25

What have you represented you would do?
Example: "Good to Know: We aim to provide you with the world's strongest security and privacy tools. Security and privacy matter to us, we know how important they are to you and we work hard to get them right."

  • Slide 26

7. Check for Potential Insurance Coverage

  • Slide 27

Do you have insurance coverage?

  • Slide 28

8. Assess the Effectiveness of your Response

  • Slide 29

After Action Event Review
- How did the team respond?
- What can be improved in response/investigation?
- What security issues can be tightened up?
- Modify your plan/procedures if necessary

  • Slide 30

SUMMARY
1. Follow your Data Breach Response Plan
2. Conduct a Privileged Investigation
3. Assess Notification Obligations
4. Cooperate with Regulators/AGs
5. Develop Communication Strategies
6. Check Privacy/Data Security Representations
7. Check for potential Insurance Coverage
8. Assess the Effectiveness of Your Response

  • Slide 31

Sheryl Falk
713.651.2615
[email protected]