Eight Strategies to Reduce Your Risk in the Event of a Data Breach
Sheryl Falk, December 10, 2013

Are you ready for a data breach?

Costs of a Data Breach

Q: What is a Data Breach?
A data breach is the intentional or unintentional release of secure information to an untrusted environment.
Examples of Trade Secret Information
• marketing strategies
• manufacturing techniques
• manufacturing materials
• computer algorithms
• a new invention (for which a patent application has not yet been filed)
• a formula for a sports drink
• survey methods used by professional pollsters
• customer lists and information
4. Insider Threat: Negligent Employees (35%)
Lost laptop or device containing company data, turning off encryption, not updating security patches, leaving the computer on at night, simple passwords, use of public WiFi, stolen laptop, emailing company information to a home email address, unnecessary use of social security numbers, use of social media at work, clicking on unfamiliar email links, failure to check the URL address, using a found USB stick, outsourcing data to a vendor without security due diligence, using company guest WiFi to access secure information from personal devices, failure to follow security policies, sharing passwords, misdirected emails containing PII, foolishness, falling for phishing, written passwords next to the computer.
Data Breach Detection
• Less than 2% of breaches are detected in the first 24 hours
• Less than 46% of breaches are detected in the first 30 days
• 60% of breaches have data exfiltrated in the first 24 hours
• Over 92% of breaches are discovered by a third party
• Less than 40% are contained within a week of discovery
Source: 2012 Verizon Data Breach Report
Plan Your Data Breach Response
• Develop a written plan
• Assemble your team
• Identify your vendor partners
• Test your plan
Investigation Steps
• Identify all affected data, machines and devices
• Preserve evidence
• Understand how the data was protected
• Develop the record
• Conduct interviews with key personnel
• Document evidence and findings carefully
• Quantify the exposure of the data compromised
• Track your costs
Who Do You Have to Notify?
• Federal or state authorities
• Depends on the type of information at issue and the threshold number of individuals affected
• SEC reporting requirement
• Impacted individuals
• Applicable law is that of the state where the individual resides
• International considerations
• Legal implications of failing to properly notify
Texas Data Breach Statute
Section 521.053, Texas Bus. & Com. Code: “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.”
• Extraterritorial application
• Civil penalty up to $250,000 per breach
Responding to the AG/Regulators
• Maintain your credibility
• Negotiate the terms of requests
• Circulate a hold on document destruction
• Advocate your story
Effectively Communicate About the Breach
• Have a breach communications plan
• Communicate breach facts accurately and quickly
• Understand and follow breach notification timetables
• Stay focused and concise
• Be prepared to update with new information
• What you might offer:
  • Information about security freezes and credit monitoring
  • Contact information for credit reporting agencies, the FTC or state authorities
  • A central “ombudsman” for all questions
  • Credit monitoring or identity restoration services
  • Coupons or gift certificates
What Have You Represented You Would Do?
Example of a public security representation (“Good to Know”): “We aim to provide you with the world’s strongest security and privacy tools. Security and privacy matter to us, we know how important they are to you and we work hard to get them right.”
After Action Event Review
• How did the team respond?
• What can be improved in the response/investigation?
• What security issues can be tightened up?
• Modify your plan/procedures if necessary
SUMMARY
• Follow your Data Breach Response Plan
• Conduct a privileged investigation
• Assess notification obligations
• Cooperate with regulators/AGs
• Develop communication strategies
• Check privacy/data security representations
• Check for potential insurance coverage
• Assess the effectiveness of your response
Sheryl Falk 713.651.2615 sfalk@winston.com