Your company has just suffered a data breach – what do you do next? Who do you call for help? Whom do you need to notify of the breach?
Your company may have already implemented its information security program and has identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must assemble your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients or the public of the breach. This webinar gives you an overview of what to do when the worst happens.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-breach-response-before-and-after-the-breach-2020/
5. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered
legal, financial or other professional advice. You should consult with an attorney or other
appropriate professional to determine what may be best for your individual needs. While
Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate,
Financial Poise™ makes no guaranty in this regard.
6. Meet the Faculty
MODERATOR:
Kathryn Nadro - Sugar Felsenthal Grais & Helsinger LLP
PANELISTS:
Michael Riela - Tannenbaum Helpern Syracuse & Hirschtritt LLP
Cassandra Porter - Zuora
J. Eduardo Campos - Embedded-Knowledge, Inc.
7. About This Webinar – Data Breach Response: Before and After the Breach
8. About This Series – Cybersecurity and Data Privacy
Data security, data privacy, and cybersecurity are critical issues for your company to consider
in today’s business landscape. Data breaches from high profile companies, including law
firms, generate worldwide headlines and can severely damage your business’s reputation. In
certain industries, a patchwork of state and federal laws and regulations may cover your
business, leading to compliance headaches. This series explores the various laws and
regulations which govern businesses both in the US and abroad, as well as how to implement
and enforce an information security policy to protect your company and limit any damage from
a data breach.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and
executives without much background in these areas, yet is of primary value to attorneys, accountants, and other
seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to
entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that
participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
9. Episodes in this Series
#1: Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 9/24/20
#2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
Premiere date: 10/22/20
#3: How to Build and Implement your Company's Information Security Program
Premiere date: 11/19/20
#4: Data Breach Response: Before and After the Breach
Premiere date: 12/17/20
11. Overview
• What is a Data Breach?
    o Simply put, a data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion
    o Data breach may have different meanings under various state, federal, and international laws
• Data Breach Consequences
    o Substantial costs in breach response
    o Private lawsuits
    o Government fines
    o Reputational harm
12. Overview
• Data Breach Costs
    o Individual: approximately $233
    o Event: approximately $8 million
• Average Data Breach Costs According to Each Industry
    o Healthcare: $6.45 million
    o Financial: $5.86 million
    o Energy: $5.60 million
    o Industrial: $5.20 million
13. Overview
• Data Breach Costs (cont’d)
    o A few costs include -
        ▪ Computer forensics
        ▪ Breach notification mailing, call center and identity restoration services costs
        ▪ Public relations
        ▪ Regulatory investigation, fines and penalties
        ▪ Lawsuit(s)
        ▪ Legal services
*The US ranks number in data breach costs in 2019
14. Overview
• Data Breach Causes
    o Malware/Ransomware
    o Unsecured website login systems
    o Use of unapproved, insecure software
    o Insecure IT infrastructure
    o Phishing/e-mail scam
    o Employees mishandling data
        ▪ In 2018, 53% of executives who suffered a data breach cited external human error or accidental loss as the culprit
    o Human factor/negligence
15. Overview
• Data Breach Goals
    o Money
    o Theft of personal information
    o Purchase of goods with stolen credit card information
    o Filing of fraudulent tax returns
    o Sale of personal information
    o Disgruntled employee(s) use of information
    o Corporate espionage
16. So You Think You’ve Been Breached…
• Know who to call
    o Incident Response Team
    o Management
    o Legal counsel
    o IT support
    o Public relations
    o Forensic support
    o Insurance
    o Consider contractual obligations
17. So You Think You’ve Been Breached…
• Breach Response
    o Identify
        ▪ Determine if a breach actually occurred
    o Investigate
        ▪ How did the breach occur?
    o Contain
        ▪ Contain and mitigate the data breach
    o Notify
        ▪ Provide notifications
    o Remediate
        ▪ Prevent reoccurrence of breach
18. Breach Response: Identify/Detect
• First, identify if an incident is a data breach
    o Employees may have exposed sensitive personal data by accident
    o Security monitoring systems
    o Common indicators of compromise include -
        ▪ unusual login times
        ▪ reduced operating speeds across the network or heavy, unexplained traffic
        ▪ use of nonstandard command prompts
        ▪ unexpected restarts
        ▪ use of unusual software
        ▪ malfunctioning of antivirus/security software
        ▪ the presence of unexpected IPs
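The indicators listed above can be turned into a first-pass triage check that answers the "is this actually a breach?" question before the response team is mobilized. The Python script below is an added example, not part of the webinar materials: it applies three of the listed indicators (unusual login times, unexpected IPs, use of unusual software) to constructed log lines; the log format, business hours, corporate address ranges, software allowlist and all users/addresses are assumptions made for the example.

```python
# Added example (not from the webinar): first-pass triage of constructed log lines
# against three of the indicators of compromise listed above. The log format,
# business hours, corporate IP ranges, software allowlist and all users/addresses
# are assumptions made for this example.
import ipaddress
import re
from datetime import datetime, time

# Assumed log format: "<ISO timestamp> <user> <source ip> <login|exec> <detail>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (login|exec) (.+)$")

BUSINESS_HOURS = (time(7, 0), time(19, 0))                      # assumed
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed corporate ranges
APPROVED_SOFTWARE = {"outlook.exe", "excel.exe", "chrome.exe"}  # assumed allowlist

# Constructed sample log; 198.51.100.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """\
2020-12-10T09:12:41 alice 10.0.5.23 login ok
2020-12-10T13:04:02 bob 10.0.7.88 exec outlook.exe
2020-12-10T03:27:15 alice 10.0.5.23 login ok
2020-12-10T14:51:09 carol 198.51.100.77 login ok
2020-12-10T14:52:30 carol 198.51.100.77 exec remote-admin-tool.exe
2020-12-10T15:10:00 bob 10.0.7.88 exec excel.exe
"""

def parse(line):
    """Return a dict for a well-formed line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, ip, event, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "event": event, "detail": detail}

def outside_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)

def unknown_ip(ip):
    return not any(ip in net for net in KNOWN_NETWORKS)

def triage(log_text):
    """Return (indicator, user, raw line) tuples for every line that trips an indicator.
    Unparseable lines are reported too: gaps in logging are themselves worth a look."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            findings.append(("unparseable line", "-", raw))
            continue
        if rec["event"] == "login":
            if outside_hours(rec["ts"]):
                findings.append(("unusual login time", rec["user"], raw))
            if unknown_ip(rec["ip"]):
                findings.append(("unexpected IP", rec["user"], raw))
        elif rec["event"] == "exec" and rec["detail"] not in APPROVED_SOFTWARE:
            findings.append(("unusual software", rec["user"], raw))
    return findings

def prioritize(findings):
    """Rank users by the number of distinct indicators they trip; several indicators
    on one account is the case to escalate to the response team first."""
    per_user = {}
    for indicator, user, _ in findings:
        per_user.setdefault(user, set()).add(indicator)
    return sorted(per_user.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for user, indicators in prioritize(triage(SAMPLE_LOG)):
        print(f"{user}: {', '.join(sorted(indicators))}")
```

A single hit (one after-hours login) is a lead to verify, not a confirmed breach; the ranking only orders what the investigation step should look at first.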
19. Breach Response: Identify/Detect
• Identify if an incident is a data breach (cont’d)
    o Security monitoring systems (cont’d)
    o Top Cyber Threat Vulnerabilities
        ▪ Unpatched and outdated systems remain top vulnerabilities
        ▪ Last year, nearly 60% of organizations that suffered a data breach attributed the breach to a known vulnerability which they had not yet patched
        ▪ Yet, 86% of the vulnerability reports detailed breaches for which a patch was available
    o Conduct Cyber Threat Assessments
        ▪ A good cyber threat assessment offers security and threat prevention by exposing application vulnerabilities, detecting malware and botnets, and identifying “at risk” devices
20. Breach Response: Identify/Detect
• Second, investigate promptly
    o Consider relevant facts
    o Inside or outside threat?
    o Conduct interviews
    o Analyze compromised systems
    o Identify malware employed, if applicable
    o Engage forensic experts, as appropriate
    o Reconstruct the incident
21. Breach Response: Identify/Detect
• Second, investigate promptly (cont’d)
    o Evaluate the nature, extent, and scope of incident
        ▪ What information was improperly disclosed?
        ▪ Was the information recovered?
        ▪ When and how did the incident happen?
        ▪ How many individuals were affected?
        ▪ Does the incident involve residents of multiple states?
    o Document the investigation findings, conclusion and rationale
22. Breach Response: Containment
• Third, once you discover you’ve been breached, contain the breach
• Move quickly to secure systems and fix vulnerabilities
• Mobilize breach response team ASAP
• Assemble a team of experts based on the size of your company, including:
    o Forensics
    o Legal
    o Internal team leader
23. Breach Response: Containment
• The First 24 Hours Checklist
    o Record the date and time when the breach was discovered & response efforts begin
    o Alert and activate everyone on the response team
    o Secure the premises around the area where the data breach occurred to help preserve evidence
24. Breach Response: Containment
• The First 24 Hours Checklist (cont’d)
    o Stop additional data loss
    o Take devices offline but DO NOT turn off
    o Assess priorities and risks
    o Notify customers, affected businesses, law enforcement and other regulatory agencies
25. Breach Response: Fix Vulnerabilities
• Service providers
    o Ensure service providers that have access to sensitive personal data remedy their vulnerabilities to protect against another breach
• Network segmentation
    o Prevents a breach on one server from spreading to another server
    o Determine if network segmentation is correct
26. Breach Response: Fix Vulnerabilities
• Work with forensic experts
    o Confirm whether encryption was enabled
    o Analyze backup or preserved data
    o Review the type of information compromised
• Develop a communication plan
    o Develop a comprehensive plan to communicate internally
27. Breach Response: Breach Team
Depending on the size of your business, your breach team may include:
Link: https://www.processdeliverysystems.com/images/databreach/Data_Breach_Response_Team.png
28. Breach Response: Breach Team
• Forensics Team - helps determine the source and scope of breach
    o Captures forensic images of affected systems
    o Collects and analyzes evidence, and
    o Outlines remediation steps
• Hire independent forensics investigators
29. Breach Response: Breach Team
• Legal Counsel - helps identify your legal obligations
    o Identifies state and federal regulations regarding data breaches for your industry
    o Identifies entities that need to be notified, i.e. customers, employees, government agencies, regulation boards, etc.
    o Ensures notifications occur within any mandated timeframes
30. Breach Response: Notice
• Fourth, determine your notification obligations
• Generally, you must notify -
    o Customers
    o Law enforcement and other regulatory agencies
    o Affected businesses
• Notification requirements vary based on state, federal, and international law
    o 48 U.S. states require some level of notification to customers when a breach occurs
    o Federal law varies based on industry
    o In 2017, Congress introduced the Data Security and Breach Notification Act bill
    o GDPR notification is very specific
31. Breach Response: Notice
• Massachusetts
    o A business or entity must notify, within a reasonable amount of time of discovery of any breach or knowledge that personal information was obtained:
        ▪ Office of Consumer Affairs and Business Regulation
        ▪ Attorney General’s Office
32. Breach Response: Notice
• Massachusetts (cont’d)
    o The notification must contain -
        ▪ Detailed description of the circumstances of the breach or unauthorized acquisition of personal information
        ▪ Number of Massachusetts residents affected
        ▪ Steps taken to remedy the incident
        ▪ Steps intended to be taken subsequent to this notification; and
        ▪ Whether law enforcement is involved in investigating the incident
33. Breach Response: Notice
• New York – Financial Services Breaches
• A covered entity must notify the Superintendent of Financial Services promptly, and no later than 72 hours after discovery that a cybersecurity event has occurred that is either:
    o an event affecting the Covered Entity of which notice is required to be provided to the government, an agency, or any other body; or
    o an event that has a reasonable likelihood of materially harming the normal operations of the Covered Entity.
34. Breach Response: Notice
• New York – Stop Hacks and Improve Electronic Data Security (SHIELD) Act (2019)
    o The SHIELD Act created a new security requirement for companies to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of” the private information of New York residents
    o The Act applies to any person/business that owns or licenses private computerized data of New York residents, regardless of whether the person/business conducts business in New York
35. Breach Response: Notice
• New York – SHIELD Act (cont’d)
    o The Act broadened New York’s notification obligations by expanding the definition of “private information” to include:
        ▪ Biometric information (including biometric time clocks)
        ▪ Email addresses, corresponding passwords or security questions and answers
        ▪ Financial account information without a required security code
    o The Act also expanded the definition of the term “breach”, which now requires notification in the event of any unauthorized access rather than unauthorized acquisition
36. Breach Response: Notice
• New York – SHIELD Act (cont’d)
    o If the Act’s notification obligations are triggered, the New York Attorney General, Department of State, and State Police must all be notified regarding the number of impacted individuals and the timing, content, and distribution of the entity’s breach notice
    o However, inadvertent disclosures of private information that are not likely to result in misuse of information need not be reported
    o Failure to comply with the SHIELD Act can result in a $10 to $20 penalty per failed notification with a maximum penalty of $250,000
37. Breach Response: Notice
• California
    o A breach notification disclosure must be made in the most expedient time possible without undue delay
    o Notification may be delayed if law enforcement determines notification will impede an investigation
    o Notification must be made after law enforcement determines notification will not compromise the investigation
38. Breach Response: Notice
• GDPR
    o Breach notification is mandatory where the breach is likely to “result in a risk for the rights and freedoms of individuals.”
    o Must be done within 72 hours of discovery of the breach.
    o Data processors are required to notify customers and controllers without delay after discovery of the data breach
    o Must have a formal incident/breach response plan
39. Breach Response: Remediation
• Fifth, remediate the data breach
• Generally long and thorough and requires looking at other potential flaws in security infrastructure
• Develop a remediation plan that is tailored to the breach incident to prevent it from happening again
    o Honest & true assessment of cause of breach
40. Breach Response: Remediation
• A few remediation practices include -
    o Developing an internal and external communications plan
    o Strengthening data security policies
    o Planning to prevent reoccurrence
    o Providing additional training to employees on data security
    o Maintaining documentation of actions
    o Insurance considerations
41. Data Breach Response Plan
• What is a data breach response plan?
    o Aims to help you manage a data breach
    o Provides a framework that sets out roles and responsibilities for managing an appropriate response to data breach
    o Describes steps an entity should take to manage a breach, should one occur
• Why do you need a data breach response plan?
    o Provides clarity and mitigates confusion
    o Gives all employees knowledge of how to address a data breach
    o Establishes a chain of command and responsibilities of each employee
    o Quicker response time to fixing the breach
42. Data Breach Response Plan
• A data breach response plan should:
    o Provide the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
    o Identify members of your data breach response team (response team)
    o Identify the actions the response team is expected to take
    o Be in writing
    o Be written so that staff and employees can clearly understand their roles and responsibilities
    o Identify goals and objectives of the plan
43. Data Breach Response Plan
• A data breach response plan should cover:
    o A strategy for assessing, managing and containing data breaches
    o A clear explanation of what constitutes a data breach
    o The reporting line if staff do suspect a data breach
    o The circumstances in which the breach can be handled by a line manager or when it should be escalated to the response team
    o Recording data breaches
    o A strategy to identify and address any weaknesses in data handling that contributed to the breach
    o A system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan
44. Data Breach Response Plan
Link: https://www.privacyrisksadvisors.com/data-breach-toolkit/
45. Breach Response: Remediation
• Insurance Considerations
    o Traditional policies
        ▪ E&O
        ▪ D&O
        ▪ CGL
    o These policies do not cover costs arising out of a security incident or data breach
46. Breach Response: Remediation
• Insurance Considerations (cont’d)
    o 1st party coverage typically includes -
        ▪ Business interruption
        ▪ Cyber extortion
        ▪ Data restoration
        ▪ Forensic costs
        ▪ Crisis management
        ▪ Legal costs
        ▪ Notification, call center, credit monitoring/identity restoration
47. Breach Response: Remediation
• Insurance Considerations (cont’d)
    o 3rd party coverage typically includes -
        ▪ Regulatory investigation
        ▪ PCI assessments and fines
        ▪ Lawsuits
48. Sources
https://searchsecurity.techtarget.com/definition/data-breach
2016 Ponemon Cost of a Data Breach Report
https://www.digitaltransactions.net/whats-the-cost-of-a-data-breach-about-233-per-person-a-report-finds/
https://www.helpnetsecurity.com/2019/06/17/human-error-data-breach/
https://www.techrepublic.com/article/8-steps-to-take-within-48-hours-of-a-data-breach/
https://www.ccsinet.com/blog/how-to-detect-data-breaches-before-its-too-late/
https://www.secureworks.co.uk/resources/at-gdpr-breach-notification-a-spotlight-on-detection-reporting
52. About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro advises clients on a diverse array of business matters, including commercial and
business disputes, employment issues, and data security and privacy compliance. Katie works with
individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie has broad experience representing companies and individuals in contract, non-compete,
discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a
background as both in-house and outside counsel, Katie understands that business objectives, time, and
resources play an important role in reaching a favorable outcome for each client. Katie assists clients in
navigating employment issues ranging from employee handbooks and FMLA policies to litigating
discrimination and harassment claims, all while ensuring business needs and objectives are met. She
also counsels clients on data security and privacy issues, including policy drafting and compliance with
state, federal, and international law.
53. About The Faculty
Michael Riela - Riela@thsh.com
Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice.
With more than 15 years of experience, Mike advises companies on complex restructuring, distressed
M&A, loan transactions and bankruptcy related litigation matters. Mike has in-depth experience in
advising clients on corporate and real estate bankruptcies, workouts, Chapter 11 and Chapter 7
bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit loan facilities, secondary market
trading of distressed debt and trade claims, Section 363 sales and bankruptcy retention and fee
agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge
funds, private equity firms, professional services firms, trade creditors, contract counterparties,
shareholders, debtors and investors. Mike has represented buyers of assets in Section 363 and out-of-
court sales from sellers such as Evergreen Solar, Inc., Sonic Telecommunications International, Ltd,
Urban Communicators PCS Limited Partnership, US Aggregate, Inc., and Vectrix Corporation, as well as
representing lenders, trustees and administrative agents in major Chapter 11 cases and workouts such
as Delta Air Lines, Inc., Extended Stay Inc., Buffets Inc., Legends Gaming LLC, Nortel Networks, Premier
International Holdings Inc., and many others.
54. About The Faculty
J. Eduardo Campos – jeduardo.campos@embedded-knowledge.com
After creating business growth opportunities on four continents, J. Eduardo Campos spent
thirteen years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at
the highest levels of government in the U.S. and abroad. Today, Eduardo is living his dream
of building a better tomorrow through his consulting firm, Embedded-Knowledge, Inc. Working
with organizations and entrepreneurs, he develops customized business strategies and forms
partnerships focused on designing creative solutions to complex problems.
55. Cassandra Porter - caporter@zuora.com
Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company
working to transform clients’ businesses, operations and technology models for the digital era. She
counsels internal clients on privacy-related matters such as data collection practices, online advertising,
mobile commerce, along with the development and acquisition of new technology, data incidents and
management. Cassandra is a member of the inaugural class of Privacy Law Specialists, a new specialty
recognized by the American Bar Association, and a Fellow of Information Privacy by the International
Association of Privacy Professionals (IAPP). Her IAPP credentials as a Certified Information Privacy
Professional and Certified Information Privacy Manager designate her as thought leader in the field. She
is a former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers Advisory
Committee for the District of New Jersey. As a member of the United States Trustee’s Consumer Privacy
Ombudsman (CPO) panel, she served as the CPO in the Golfsmith International chapter 11
cases. Previously she was counsel at Lowenstein Sandler LLP where, in addition to assisting clients with
data privacy-related issues, she also regularly represented debtors in possession and creditors in chapter
11 matters along with indigents in chapter 7 proceedings in association with the Volunteer Lawyers for
Justice. Prior to joining Lowenstein, she clerked for the Honorable Cecelia Morris, United States
Bankruptcy Judge for the Southern District of New York and was the Assistant Managing Attorney at
Kaye Scholer LLP.
56. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live
premiere, or if you are watching this webinar On Demand, please do not hesitate to email us
at info@financialpoise.com with any questions or comments you may have. Please include
the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes
only. It has been prepared primarily for attorneys and accountants for use in the pursuit of
their continuing legal education and continuing professional education.
57. About Financial Poise
Financial Poise™ has one mission: to provide
reliable plain English business, financial, and legal
education to individual investors, entrepreneurs,
business owners and executives.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise
Weekly, updates you on new articles published
on our website and Upcoming Webinars you
may be interested in.
To join our email list, please visit:
https://www.financialpoise.com/subscribe/