
Eight Strategies to Reduce Your Risk in the Event of A Data Breach Sheryl Falk December 10, 2013






Presentation Transcript


  1. Eight Strategies to Reduce Your Risk in the Event of A Data Breach. Sheryl Falk, December 10, 2013

  2. Are you ready for a Data breach?

  3. Costs of Data Breach

  4. Q: What is a Data Breach? A data breach is the intentional or unintentional release of secure information to an untrusted environment.

  5. 1. External Threats: Cybercriminals/ Hackers

  6. 2. External Threats: Vendors/Subcontractors

  7. 3. Insider Threat: Employee Theft

  8. Examples of Trade Secret information • marketing strategies • manufacturing techniques • manufacturing materials • computer algorithms • a new invention (for which a patent application has not yet been filed) • a formula for a sports drink • survey methods used by professional pollsters • customer lists and information

  9. 4. Insider Threat: Negligent Employees • Lost or stolen laptop or device containing company data • Turning off encryption • Not applying security patches • Leaving the computer on at night • Simple or shared passwords, or passwords written next to the computer • Use of public WiFi • Emailing company information to a home email address • Unnecessary use of Social Security numbers • Use of social media at work • Clicking on unfamiliar email links or falling for phishing • Failure to check the URL address • Using a found USB stick • Outsourcing data to a vendor without security due diligence • Using company guest WiFi to access secure information from personal devices • Failure to follow security policies • Misdirected emails containing PII • Foolishness


  11. Data Breach Detection • Less than 2% of breaches are detected in the first 24 hours • Less than 46% of breaches are detected in the first 30 days • 60% of breaches have data exfiltrated in the first 24 hours • Over 92% of breaches are discovered by a third party • Less than 40% are contained within a week of discovery • Source: 2012 Verizon Data Breach Investigations Report

  12. 1. Follow your Data Breach Response Plan

  13. Plan your Data Breach Response • Develop a written Plan • Assemble your Team • Identify your vendor partners • Test your Plan

  14. 2. Conduct a Privileged Investigation

  15. Investigation Steps • Identify all affected data, machines and devices • Preserve Evidence • Understand how the data was protected • Develop the Record • Conduct interviews with key personnel • Document evidence and findings carefully • Quantify the exposure of data compromised • Track your costs
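The "Preserve Evidence" and "Document evidence and findings carefully" steps above are where investigations most often lose credibility: if a log file or exported database can be shown to have changed after collection, its evidentiary value (and the privileged analysis built on it) is weakened. The script below is an added illustration, not part of the original presentation. It assumes the collected material has already been copied into a working directory, records a streaming SHA-256 digest, size and timestamp for every file in a manifest that is itself hashed, and later re-verifies the tree, reporting modified, missing and unexpected files. The directory names, the collector address and the sample log line and CSV row are constructed for the demo.

```python
"""Evidence preservation manifest for a breach investigation.

Added example, not part of the original presentation. Assumes the evidence
has already been copied to a working directory (mounted forensic image,
exported logs, database dumps). Sample file names and contents below are
constructed for the demonstration.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large disk images do not exhaust memory


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, collector: str) -> dict:
    """Walk `root` and record digest, size and mtime of every regular file.

    The manifest body is serialised canonically and hashed as well, so a later
    reviewer can confirm that the manifest, not just the files, is unaltered.
    """
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
        }
    body = {
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,  # who took custody; constructed value in the demo
        "files": entries,
    }
    # Sorted keys and fixed separators make the manifest digest reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return body


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the tree and report modified, missing and unexpected files."""
    recorded = manifest["files"]
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    modified = sorted(n for n, meta in recorded.items()
                      if n in present and hash_file(present[n]) != meta["sha256"])
    missing = sorted(n for n in recorded if n not in present)
    unexpected = sorted(n for n in present if n not in recorded)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "intact": not (modified or missing or unexpected)}


def demo() -> tuple:
    """Build a manifest over constructed sample files, tamper, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sample_evidence"
        (root / "logs").mkdir(parents=True)
        # Constructed sample evidence: one auth log line and one exported record.
        (root / "logs" / "auth.log").write_text(
            "Dec 10 02:14:07 sshd[411]: Accepted password for svc_backup from 203.0.113.7\n")
        (root / "export.csv").write_text("customer_id,ssn_last4\n1001,4321\n")
        manifest = build_manifest(root, collector="analyst@example.com")
        before = verify_manifest(root, manifest)
        # Simulate a well-meaning "clean-up" of the evidence after collection.
        (root / "logs" / "auth.log").write_text("")
        (root / "export.csv").unlink()
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    first, second = demo()
    print("intact after collection:", first["intact"])
    print("after tampering:", second)
```

In practice the manifest (with its `manifest_sha256` value) is stored separately from the evidence, for example in the matter file held by counsel, and the verification step is run again before any finding is relied upon or produced to a regulator.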

  16. 3. Assess Notification Obligations

  17. Who do you have to Notify? • Federal or State authorities • Depends on the type of information at issue and the threshold number of individuals affected • SEC reporting requirement • Impacted individuals • Applicable law is that of the state where the individual resides • International considerations • Legal implications of failing to properly notify

  18. Texas Data Breach Statute, § 521.053 Texas Bus. & Com. Code: “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.” • Extraterritorial application • Civil penalty up to $250,000 per breach

  19. 4. Cooperate with Regulators/AGs

  20. Responding to the AG/Regulators • Maintain your credibility • Negotiate the terms of requests • Circulate a legal hold suspending document destruction • Advocate your story

  21. 5. Develop Communications Strategies

  22. Effectively Communicate about Breach • Have a Breach Communications Plan • Communicate breach facts accurately and quickly • Understand and follow breach notification timetables • Stay focused and concise • Be prepared to update with new information • What you might offer: • Information about security freezes and credit monitoring • Contact information for credit reporting agencies, FTC or state authorities • Central “ombudsman” for all questions • Credit monitoring or identity restoration services • Coupons or gift certificates

  23. 6. Check Privacy/Data Security Policies

  24. What have you represented you would do? Example of a public representation (from a “Good to Know” privacy page): “We aim to provide you with the world’s strongest security and privacy tools. Security and privacy matter to us, we know how important they are to you and we work hard to get them right.”

  25. 7. Check for Potential Insurance Coverage

  26. Do you have insurance coverage?

  27. 8. Assess the Effectiveness of your Response

  28. After Action Event Review • How did the team respond? • What can be improved in response/investigation? • What security issues can be tightened up? • Modify your plan/procedures if necessary

  29. SUMMARY • 1. Follow your Data Breach Response Plan • 2. Conduct a Privileged Investigation • 3. Assess Notification Obligations • 4. Cooperate with Regulators/AGs • 5. Develop Communication Strategies • 6. Check Privacy/Data Security Representations • 7. Check for Potential Insurance Coverage • 8. Assess the Effectiveness of Your Response

  30. Sheryl Falk 713.651.2615 sfalk@winston.com
