Preparing For A Data Breach

2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.

Page 1

Agenda Introductions Todays reality with breaches and data loss Preparing for breach
The process Tips for getting it right

Q&A

Page 2

Introductions: Todays Speakers Ted Julian, Chief Marketing Officer, Co3 Systems
Security / compliance entrepreneur Security industry analyst

Bob Siegel, Privacy Strategist & Principal, Privacy Ref LLC

Previously, Sr. Manger of Worldwide Privacy and Compliance for Staples, Inc. Certified Information Privacy Professional (CIPP/US, CIPP/IT)

Page 3

Co3 at a Glance
Co3 Systems incident management system helps organizations that have customer or employee Personal Information reduce the expense, risk, and stress of a breach.
A web-based/hosted SaaS platform Concerns all companies that manage employee or customer data Understands all regulations that concern private information Can be deployed quickly and is easy to use Delivers immediate, quantifiable value No hardware or software to buy or manage; its running in minutes Retail, Healthcare, Financial Services, Higher Education, Services Federal, State, Trade Associations can customize for contracts Intuitive, step-by-step usage model; no user training needed Expert, actionable insight in 20 minutes or less regulatory obligations and industry best practices

Page 4

Breach Epidemic
payment providers fourth-quarter profit fell 90 percent on costs related to a security breachtook an $84.4 million pre-tax charge

Zappos, Amazon Sued Over Customer Data Breach

More than half of American consumers would sue a company that loses its personal information

TRICARE Hit with $4.9 Billion Suit Following Breach

Source: DataLossDB.org
Page 5

Breaches Are Common Firms Must Act

* **

* many of them have suffered a breach they just dont know it ** if you havent been breached, why wouldnt you disclose that?

With an avalanche of breach notification laws on the horizon, you have no choice but to implement an incident management program. If you dont have an incident management program its imperative that you do so immediately.
Page 6

Source: Planning For Failure Forrester Research, Nov. 2011

Scope of Data Loss The exposure of consumer or employee Personal Information

Malicious Cyber-Attacks
Global Consumer Electronics Firm: Hackers stole customer data, including credit card information 100 million records

Lost/Stolen Assets
Community-Based Healthcare Plan: Laptops with patient data stolen by former employee 208,000 records

Third-Party Leaks
Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients Millions of records

Internal/ Employee Actions

Government Agency: Employee sent CD-ROM with personal data on registered advisors 139,000 records

In the US there are 46 States, 4 Territories, 14 Federal Authorities and multiple trade associations, each enforcing their own regulations that prescribe the treatment of personal data
Page 7

Ignoring the Problem is Not an Option

Regulatory Requirements
46 States, 3 Commonwealths, and 14 Federal agencies have established legislation Fines are growing aggressive AGs are filling state coffers

Trade Associations & Commissions

Industry groups, commissions, and certification bodies are imposing stricter guidelines and penalties More fines and businesses losing accreditation

Brand Damage
Contractual Obligations
Company obligations extend to 3rd party data sources, vendors, and even corporate customers Extreme sensitivity on vendor and partner use (and storage) of data

Class Action Lawsuits

Law firms have noticed and are picking up the pace in class-action lawsuits Even with no harm, companies are losing and settling quickly

Page 8

Co3 Automates Breach Management

PREPARE Improve Organizational Readiness
Assign response team Describe environment Simulate events and incidents Focus on organizational gaps

R PA

E
SI
M U LATI O

AS

ASSESS Quantify Potential Impact, Support Privacy Impact Assessments

Track events Scope regulatory requirements See $ exposure Send notice to team Generate PIAs

SE

PR

SS

N
S

I N CI D E N

REPORT Document Results and Track Performance

Document incident results Track historical performance Demonstrate organizational preparedness Generate audit/compliance reports

RT

NA A

TS

EV

NT

RE

MANAGE Easily Generate Detailed Incident Response Plans

Escalate to complete IR plan Oversee the complete plan Assign tasks: who/what/when Notify regulators and clients Monitor progress to completion

PO

Page 9

PREPARING FOR A BREACH

Page 10

Some Questions
1. 2. 3.

How do your employees notify you of a potential data breach event? How does and incident become an event? How are external communications coordinated?

Organizing is what you do before you do something, so that when you do it, it is not all mixed up. -- A. A. Milne

Page 11

Sample Event Process

Incident Occurs

Escalate to CPO and CSO

Decides if this may be a data breach event based on currently known information

Follow Incident Management Process

Engage Event Management Team

Determines scope of the event Identifies risks and responsibilities Reports back to CPO and CSO Coordinates remediation

Engage Event Communication Plan

Defines how all communication to stakeholders is coordinated

Page 12

Incident Management Processes

Generally owned by IT
Provides logging and tracking services May be focused on data processing incidents May not be sensitive to paper-based issues

Metrics-centric process
Response time Resolution time Close / Completion time

Check to see how non-IT events are addressed

Are non-IT events routinely handled? Are they tracked in the Incident Management system? Has a test scenario been run recently?

Page 13

Sample Event Process

Incident Occurs

Escalate to CPO and CSO

Decides if this may be a data breach event based on currently known information

Follow Incident Management Process

Engage Event Management Team

Determines scope of the event Identifies risks and responsibilities Reports back to CPO and CSO Coordinates remediation

Engage Event Communication Plan

Defines how all communication to stakeholders is coordinated

Page 14

Event Management Team

Cross-functional team
Initially determines scope and impact of the event Coordinates remediation efforts

Led by the Chief Privacy Officer Core members should represent

Legal Privacy Compliance Incident Management IT

Other members added based on the event

Page 15

Facts To Gather During An Event

1. 2. 3. 4. 5. 6. 7.

Information lost Was data encrypted Amount of data lost Has the data loss been stopped? When loss occurred Where it was lost Who was affected

Residence of affected 9. Can data be recovered? 10. Applicable laws 11. Notification requirements 12. Potential impact to other applications 13. Potential impact on other organizations
8.

Page 16

Sample Event Process

Incident Occurs

Escalate to CPO and CSO

Decides if this may be a data breach event based on currently known information

Follow Incident Management Process

Engage Event Management Team

Determines scope of the event Identifies risks and responsibilities Reports back to CPO and CSO Coordinates remediation

Engage Event Communication Plan

Defines how all communication to stakeholders is coordinated

Page 17

Event Communication Plan

Identifies members of the Event Communication Team

Contains contact information for the members

Defines communication parameters

Who talks to whom and when

Contains frameworks for communications

Page 18

Event Communication Team

Stakeholders Customers Employees Marketing Dept. Media Law enforcement Other Government Officials Shareholders Team Members
Marketing * Internal Communications Public Relations* Security / Loss Prevention Legal Investor Relations Chief Privacy Officer

* Potential Lead

Page 19

Communication Parameters Spokespeople must be identified

Spokesperson designation by stakeholder Limit communication to be done to designees

Message content must be reviewed

Consistent messages sent across stakeholders

Keep Executive Leadership informed

Frequent updates from chairs of both teams

Use Executives as spokespeople sparingly

Page 20

Communication Frameworks Most communications can be prewritten

Details of the specific event added at Event

Prepared items may include

Press releases Letters / emails to customers Website updates Employee notices Talking points for the media

Page 21

Test, Test, and Retest Make all participants familiar with processes before they are implemented Two common types of testing
Table Top Exercises Scenario exercise
Multiple scenarios defined Key participants meet Each scenario is discussed One scenario is defined Participants notified day of exercise happening Production processes and tools are used to manage the event Key participants meet to debrief

Page 22

Other Considerations System of record Methods of communications Independent divisions

Multinational divisions Acquired businesses Recognized brands

Page 23

Questions

2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.

Page 24

Thanks!

1 Alewife Center, Suite 450 Cambridge, MA 02140 ph: 617-206-3900 e: info@co3sys.com www.co3sys.com

ph: 508-474-5125 e: info@privacyref.com privacyref.com

Gartner: Co3 define(s) what software packages for privacy look like.

Page 25