2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.
Page 1
Agenda
- Introductions
- Today's reality with breaches and data loss
- Preparing for breach
- The process
- Tips for getting it right
- Q&A
Page 2
Introductions: Today's Speakers
Ted Julian, Chief Marketing Officer, Co3 Systems
- Security / compliance entrepreneur
- Security industry analyst
Page 3
Co3 at a Glance
Co3 Systems' incident management system helps organizations that hold customer or employee Personal Information reduce the expense, risk, and stress of a breach.
- A web-based/hosted SaaS platform: no hardware or software to buy or manage; it's running in minutes
- Concerns all companies that manage employee or customer data: Retail, Healthcare, Financial Services, Higher Education, Services
- Understands all regulations that concern private information: Federal, State, Trade Associations; can customize for contracts
- Can be deployed quickly and is easy to use: intuitive, step-by-step usage model; no user training needed
- Delivers immediate, quantifiable value: expert, actionable insight in 20 minutes or less on regulatory obligations and industry best practices
Page 4
Breach Epidemic
Payment provider's fourth-quarter profit fell 90 percent on costs related to a security breach, and it took an $84.4 million pre-tax charge.
Source: DataLossDB.org
Page 5
* Many of them have suffered a breach, they just don't know it.
** If you haven't been breached, why wouldn't you disclose that?
With an avalanche of breach notification laws on the horizon, you have no choice but to implement an incident management program. If you don't have one yet, it is imperative that you start immediately.
Page 6
Lost/Stolen Assets
Community-Based Healthcare Plan: Laptops with patient data stolen by former employee 208,000 records
Third-Party Leaks
Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients Millions of records
In the US there are 46 States, 4 Territories, 14 Federal Authorities and multiple trade associations, each enforcing its own regulations that prescribe the treatment of personal data.
Page 7
Brand Damage
Contractual Obligations
Company obligations extend to third-party data sources, vendors, and even corporate customers. There is extreme sensitivity around vendor and partner use (and storage) of data.
Law firms have noticed and are picking up the pace in class-action lawsuits. Even with no harm, companies are losing and settling quickly.
Page 8
[Figure: incident management process diagram; labels that can be made out include Prepare, Assess, Simulation, Incident, Events, Report]
Page 9
Some Questions
1. How do your employees notify you of a potential data breach event?
2. How does an incident become an event?
3. How are external communications coordinated?
"Organizing is what you do before you do something, so that when you do it, it is not all mixed up." -- A. A. Milne
Page 11
Incident Occurs
- Decides if this may be a data breach event based on currently known information
- Determines scope of the event
- Identifies risks and responsibilities
- Reports back to CPO and CSO
- Coordinates remediation
Page 12
Metrics-centric process
- Response time
- Resolution time
- Close / Completion time
Page 13
1. Information lost
2. Was data encrypted?
3. Amount of data lost
4. Has the data loss been stopped?
5. When loss occurred
6. Where it was lost
7. Who was affected
8. Residence of affected
9. Can data be recovered?
10. Applicable laws
11. Notification requirements
12. Potential impact to other applications
13. Potential impact on other organizations
Page 16
* Potential Lead
Page 19
Test, Test, and Retest
Make all participants familiar with processes before they are implemented. Two common types of testing:
Table Top Exercises
- Multiple scenarios defined
- Key participants meet
- Each scenario is discussed
Scenario exercise
- One scenario is defined
- Participants notified day of exercise happening
- Production processes and tools are used to manage the event
- Key participants meet to debrief
Page 22
Questions
Page 24
Thanks!
1 Alewife Center, Suite 450 Cambridge, MA 02140 ph: 617-206-3900 e: info@co3sys.com www.co3sys.com
Gartner: "Co3 define(s) what software packages for privacy look like."
Page 25