Your company has just suffered a data breach – what do you do next? Who do you call for help? Whom do you need to notify of the breach? Your company may have already implemented its information security program and has identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must assemble your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients or the public of the breach. This webinar gives you an overview of what to do when the worst happens. To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-breach-response-before-and-after-the-breach-2020/

1. 1

2. 2
Practical and entertaining education for
attorneys, accountants, business owners and
executives, and investors.

3. 3
Thank You To Our Sponsor

4. "I am so in love with the awards. I only wish everyone could
walk away with one. Amazing job! They are perfect."
-Jessica C, European Wax Center
Mention “Financial Poise” and get 10% OFF your entire order!

5. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered
legal, financial or other professional advice. You should consult with an attorney or other
appropriate professional to determine what may be best for your individual needs. While
Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate,
Financial Poise™ makes no guaranty in this regard.
5

6. Meet the Faculty
MODERATOR:
Kathryn Nadro - Sugar Felsenthal Grais & Helsinger LLP
PANELISTS:
Michael Riela - Tannenbaum Helpern Syracuse & Hirschtritt LLP
Cassandra Porter - Zuora
J. Eduardo Campos - Embedded-Knowledge, Inc.
6

7. About This Webinar – Data Breach Response: Before
and After the Breach
Your company has just suffered a data breach – what do you do next? Who do you call for
help? Whom do you need to notify of the breach?
Your company may have already implemented its information security program and has
identified the responsible parties, including applicable outside experts, to be contacted in the
event of a breach. However, now you must assemble your incident response team to
investigate the extent of the breach, evaluate the possible damage to your company, and
determine whether you must notify your clients or the public of the breach. This webinar gives
you an overview of what to do when the worst happens.
7

8. About This Series – Cybersecurity and Data Privacy
Data security, data privacy, and cybersecurity are critical issues for your company to consider
in today’s business landscape. Data breaches from high profile companies, including law
firms, generate worldwide headlines and can severely damage your business’s reputation. In
certain industries, a patchwork of state and federal laws and regulations may cover your
business, leading to compliance headaches. This series explores the various laws and
regulations which govern businesses both in the US and abroad, as well as how to implement
and enforce an information security policy to protect your company and limit any damage from
a data breach.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and
executives without much background in these areas, yet is of primary value to attorneys, accountants, and other
seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to
entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that
participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
8

9. Episodes in this Series
#1: Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 9/24/20
#2: Introduction to EU General Data Protection Regulation: Planning,
Implementation, and Compliance
Premiere date: 10/22/20
#3: How to Build and Implement your Company's Information Security Program
Premiere date: 11/19/20
#4: Data Breach Response: Before and After the Breach
Premiere date: 12/17/20
9

10. Episode #4
Data Breach Response: Before and After the Breach
10

11. Overview
• What is a Data Breach?
 Simply put, a data breach is a confirmed incident in which sensitive, confidential or
otherwise protected data has been accessed and/or disclosed in an unauthorized
fashion
 Data breach may have different meanings under various state, federal, and
international laws
• Data Breach Consequences
 Substantial costs in breach response
 Private lawsuits
 Government fines
 Reputational harm
11

12. Overview
• Data Breach Costs
 Individual: approximately $233
 Event: approximately $8 million
• Average Data Breach Costs According to Each Industry
 Healthcare: $6.45 million
 Financial: $5.86 million
 Energy: $5.60 million
 Industrial: $5.20 million
12

13. Overview
• Data Breach Costs (cont’d)
 A few costs include -
 Computer forensics
 Breach notification mailing, call centering and identity restoration services costs
 Public relations
 Regulatory investigation, fines and penalties
 Lawsuit(s)
Legal services
*The US ranks number in data breach costs in 2019
13

14. Overview
• Data Breach Causes
 Malware/Ransomware
 Unsecured website login systems
 Use of unapproved, insecure software
 Insecure IT infrastructure
 Phishing/e-mail scam
 Employees mishandling data
 In 2018, 53% of executives who suffered a data breach cited external human
error or accidental loss as the culprit
 Human factor/negligence
14

15. Overview
• Data Breach Goals
 Money
 Theft of personal information
 Purchase of goods with stolen credit card information
 Filing of fraudulent tax returns
 Sale of personal information
 Disgruntled employee(s) use of information
 Corporate espionage
15

16. So You Think You’ve Been Breached…
• Know who to call
 Incident Response Team
 Management
 Legal counsel
 IT support
 Public relations
 Forensic support
 Insurance
 Consider contractual obligations
16

17. So You Think You’ve Been Breached…
• Breach Response
 Identify
 Determine if a breach actually occurred
 Investigate
 How did the breach occur?
 Contain
 Contain and mitigate the data breach
 Notify
 Provide notifications
 Remediate
 Prevent reoccurrence of breach
17

18. Breach Response: Identify/Detect
• First, identify if an incident is a data breach
 Employees may have exposed sensitive personal data by accident; Security
monitoring systems
 Common indicators of compromise include -
o unusual login times
o reduced operating speeds across the network or heavy, unexplained traffic
o use of nonstandard command prompts
o unexpected restarts
o use of unusual software
o malfunctioning of antivirus/security software
o the presence of unexpected IPs
18

19. Breach Response: Identify/Detect
• Identify if an incident is a data breach (cont’d)
 Security monitoring systems (cont’d)
 Top Cyber Threat Vulnerabilities
o Un-patched and outdated systems remain top vulnerabilities
o Last year, nearly 60% of organizations that suffered a data breach attribute the
breach to a known vulnerability for which they had not yet patched
o Yet, 86% of the of vulnerability reports detailed breaches for which a patch was
available
 Conduct Cyber Threat Assessments
o A good cyber threat assessment offers security and threat prevention by
exposing application vulnerabilities;
o detecting malware and botnets;
o identifying “at risk” devices
19

20. Breach Response: Identify/Detect
• Second, investigate promptly
 Consider relevant facts
 Inside or outside threat?
 Conduct interviews
 Analyze compromised systems
 Identify malware employed, if applicable
 Engage forensic experts, as appropriate
 Reconstruct the incident
20

21. Breach Response: Identify/Detect
• Second, investigate promptly (Cont’d)
 Evaluate the nature, extent, and scope of incident
 What information was improperly disclosed?
 Was the information recovered?
 When and how did the incident happen?
 How many individuals were affected?
 Does the incident involve residents of multiple states?
 Document the investigation findings, conclusion and rationale
21

22. Breach Response: Containment
• Third, once you discover you’ve been breached, contain the breach
• Move quickly to secure systems and fix vulnerabilities
• Mobilize breach response team ASAP
• Assemble a team of experts based on the size of your company, including:
 Forensics
 Legal
 Internal team leader
22

23. Breach Response: Containment
• The First 24 Hours Checklist
 Record the date and time when the breach was discovered & response efforts begin
 Alert and activate everyone on the response team
 Secure the premises around the area where the data breach occurred to help
preserve evidence
23

24. Breach Response: Containment
• The First 24 Hours Checklist (Cont’d)
 Stop additional data loss
 Take devices offline but DO NOT turn off
 Assess priorities and risks
 Notify customers, affected businesses, law enforcement and other regulatory
agencies
24

25. Breach Response: Fix Vulnerabilities
• Service providers
 Ensure service providers that have access to sensitive personal data remedy their
vulnerabilities to protect against another breach
• Network segmentation
 Prevents breach on one server from leaking over to another server
 Determine if network segmentation is correct
25

26. Breach Response: Fix Vulnerabilities
• Work with forensic experts
 Encryption enabled
 Analyze backup or preserved data
 Review the type of information compromised
• Develop a communication plan
 Develop comprehensive plan to communicate internally
26

27. Breach Response: Breach Team
Depending on the size of your business, your breach team may include:
Link: https://www.processdeliverysystems.com/images/databreach/Data_Breach_Response_Team.png
27

28. Breach Response: Breach Team
• Forensics Team - helps determine the source and scope of breach
 Captures forensic images of affected systems
 Collects and analyze evidence, and
 Outlines remediation steps
• Hire independent forensics investigators
28

29. Breach Response: Breach Team
• Legal Counsel - helps identify your legal obligations
 Identifies state and federal regulations regarding data breaches for your industry
 Identifies entitles that need to be notified, i.e. customers, employees, government
agencies, regulation boards, etc.
 Ensures notifications occur within any mandated timeframes
29

30. Breach Response: Notice
• Fourth, determine your notification obligations
• Generally, you must notify -
 Customers
 Law enforcement and other regulatory agencies
 Affected businesses
• Notification requirements vary based on state, federal, and international law
 48 U.S. states require some level of notification to customers when a breach occurs
 Federal law various based on industry
 In 2017, Congress introduced the Data Security and Breach Notification Act bill
 GDPR notification is very specific
30

31. Breach Response: Notice
• Massachusetts
 A business or entity must notify -
 Office of Consumer Affairs and Business Regulation;
 Attorney General’s Office; within a
 reasonable amount of time of discovery of any breach or knowledge that personal
information was obtained
31

32. Breach Response: Notice
• Massachusetts (cont’d)
 The notification must contain -
 Detailed description of the circumstances of the breach or unauthorized acquisition
of personal information
 Number of Massachusetts residents affected
 Steps taken to remedy the incident
 Steps intended to be taken subsequent to this notification; and
 Whether law enforcement is involved in investigating the incident
32

33. Breach Response: Notice
• New York – Financial Services Breaches
• A covered entity must notify -
 Superintendent of Financial Services promptly;
 And no later than 72 hours after discovery that a cybersecurity event has occurred
that is either:
 Events affecting the Covered Entity of which notice is required to be provided to
the government, an agency, or any other body; or
 Events that have a reasonable likelihood of materially harming the normal
operations of a Covered Entity.
33

34. Breach Response: Notice
• New York – Stop Hacks and Improve Electronic Data Security (SHIELD) Act (2019)
 The SHIELD Act created new security requirement for companies to “develop,
implement and maintain reasonable safeguards to protect the security, confidentiality
and integrity of” the private information of New York residents
 The Act applies to any person/business that owns or licenses private computerized
data of New York residents, regardless of whether the person/business conducts
business in New York
34

35. Breach Response: Notice
• New York – SHIELD Act (cont’d)
 The Act broadened New York’s notification obligations by expanding the definition of
“private information” to include:
 Biometric information (including biometric time clocks)
 Email addresses, corresponding passwords or security questions and
answers
 Financial account information without a required security code
 The Act also expanded the definition of the term “breach” which now requires
notification in the event of any unauthorized access rather than unauthorized
acquisition
35

36. Breach Response: Notice
• New York – SHIELD Act (cont’d)
 If the Act’s notification obligations are triggered, the New York Attorney General,
Department of State, and State Police must all be notified regarding the number of
impacted individuals and the timing, content, and distribution of the entity’s breach
notice
 However, inadvertent disclosures of private information that are not likely to result in
misuse of information need not be reported
 Failure to comply with the SHIELD Act can result in a $10 to $20 per failed
notification with a maximum penalty of $250,000
36

37. Breach Response: Notice
• California –
 A breach notification disclosure must be made in the most expedient time possible
without undue delay
 Notification may be delayed if law enforcement determines notification will impede an
investigation
 Notification must be made after law enforcement determines notification will not
compromise the investigation
37

38. Breach Response: Notice
• GDPR
 Breach notification is mandatory where the breach is likely to “result in a risk for the
rights and freedoms of individuals.”
 Must be done with 72 hours of discovery of the breach.
 Data processors are required to notify customers and controllers without delay after
discovery of the data breach
 Must have a formal incident/breach response plan
38

39. Breach Response: Remediation
• Fifth, remediate the data breach
• Generally long and thorough and requires looking at other potential flaws in security
infrastructure
• Develop a remediation plan that is tailored to the breach incident to prevent it from
happening again
 Honest & true assessment of cause of breach
39

40. Breach Response: Remediation
• A few remediation practices include -
 Developing an internal and external communications plan
 Strengthen data security policies
 Planning to prevent reoccurrence
 Providing additional training to employees on data security
 Maintaining documentation of actions
 Insurance considerations
40

41. Data Breach Response Plan
• What is a data breach response plan?
 Aims to help you manage a data breach
 Provides a framework that sets out roles and responsibilities for managing an
appropriate response to data breach
 Describes steps an entity should take to manage a breach, should one occur
• Why do you need a data breach response plan?
 Provides clarity and mitigates confusion
 Gives all employees knowledge of how to address a data breach
 Establishes a chain of command and responsibilities of each employee
 Quicker response time to fixing the breach
41

42. Data Breach Response Plan
• A data breach response plan should:
 Provide the actions to be taken if a breach is suspected, discovered or reported by a
staff member, including when it is to be escalated to the response team
 Identify members of your data breach response team (response team)
 Identify the actions the response team is expected to take
 Be in writing
 Staff and employee could clearly understand the roles and responsibilities
 Identify goals and objectives of the plan
42

43. Data Breach Response Plan
• Data breach response plan should cover:
 A strategy for assessing, managing and containing data breaches
 A clear explanation of what constitutes a data breach
 The reporting line if staff do suspect a data breach
 The circumstances in which the breach can be handled by a line manager or when it
should be escalated to the response team
 Recording data breaches
 A strategy to identify and address any weaknesses in data handling that contributed
to the breach
 A system for a post-breach review and assessment of your entity’s response to the
data breach and the effectiveness of your data breach response plan
43

44. Data Breach Response Plan
Link: https://www.privacyrisksadvisors.com/data-breach-toolkit/
44

45. Breach Response: Remediation
• Insurance Considerations
 Traditional policies
 E&O
 D&O
 CGL
 These policies do not cover costs arising out of a security incident or data breach
45

46. Breach Response: Remediation
• Insurance Considerations (Cont’d)
 1st party coverage typically includes -
 Business interruption
 Cyber extortion
 Data restoration
 Forensic costs
 Crisis management
 Legal costs
 Notification, call center, credit monitoring/identity restoration
46

47. Breach Response: Remediation
• Insurance Considerations (Cont’d)
 3rd party coverage typically includes -
 Regulatory investigation
 PCI assessments and fines
 Lawsuits
47

48. Sources
https://searchsecurity.techtarget.com/definition/data-breach
2016 Ponemon Cost of a Data Breach Report
https://www.digitaltransactions.net/whats-the-cost-of-a-data-breach-about-233-per-person-a-
report-finds/
https://www.helpnetsecurity.com/2019/06/17/human-error-data-breach/
https://www.techrepublic.com/article/8-steps-to-take-within-48-hours-of-a-data-breach/
https://www.ccsinet.com/blog/how-to-detect-data-breaches-before-its-too-late/
https://www.secureworks.co.uk/resources/at-gdpr-breach-notification-a-spotlight-on-detection-
reporting
48

49. Sources
https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-
updates/pages/new-york-shield-act.aspx
https://www.cio.com/article/2692972/data-breach/5-steps-to-take-when-a-data-breach-
hits.html
https://digitalguardian.com/blog/whats-cost-data-breach-2019
https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
https://www.scstatehouse.gov/sess122_2017-2018/bills/4655.htm
49

50. Sources
https://www.oaic.gov.au/resources/privacy-law/privacy-archive/privacy-resources-
archive/guide-to-developing-a-data-breach-response-plan.pdf
https://www.foley.com/files/Publication/c31703ac-ee93-40a5-b295-
7e1d9fe45814/Presentation/PublicationAttachment/9f655df2-8276-4ff2-8205-
f2b4e21131b5/18.MC12803%20Data%20Breach%20Chart%200918.pdf
https://dd80b675424c132b90b3-
e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/2017-data-breach-
legislation.pdf
natlawreview.com/article/new-york-enacts-shield-act
https://www.mass.gov/files/documents/2017/10/02/201cmr17.pdf
50

51. About the Faculty
51

52. About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro advises clients on a diverse array of business matters, including commercial and
business disputes, employment issues, and data security and privacy compliance. Katie works with
individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie has broad experience representing companies and individuals in contract, non-compete,
discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a
background as both in-house and outside counsel, Katie understands that business objectives, time, and
resources play an important role in reaching a favorable outcome for each client. Katie assists clients in
navigating employment issues ranging from employee handbooks and FMLA policies to litigating
discrimination and harassment claims, all while ensuring business needs and objectives are met. She
also counsels clients on data security and privacy issues, including policy drafting and compliance with
state, federal, and international law.
52

53. About The Faculty
Michael Riela - Riela@thsh.com
Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice.
With more than 15 years of experience, Mike advises companies on complex restructuring, distressed
M&A, loan transactions and bankruptcy related litigation matters. Mike has in-depth experience in
advising clients on corporate and real estate bankruptcies, workouts, Chapter 11 and Chapter 7
bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit loan facilities, secondary market
trading of distressed debt and trade claims, Section 363 sales and bankruptcy retention and fee
agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge
funds, private equity firms, professional services firms, trade creditors, contract counterparties,
shareholders, debtors and investors. Mike has represented buyers of assets in Section 363 and out-of-
court sales from sellers such as Evergreen Solar, Inc., Sonic Telecommunications International, Ltd,
Urban Communicators PCS Limited Partnership, US Aggregate, Inc., and Vectrix Corporation, as well as
representing lenders, trustees and administrative agents in major Chapter 11 cases and workouts such
as Delta Air Lines, Inc., Extended Stay Inc., Buffets Inc., Legends Gaming LLC, Nortel Networks, Premier
International Holdings Inc., and many others.
53

54. About The Faculty
J. Eduardo Campos – jeduardo.campos@embedded-knowledge.com
After creating business growth opportunities on four continents, J. Eduardo Campos spent
thirteen years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at
the highest levels of government in the U.S. and abroad. Today, Eduardo is living his dream
of building a better tomorrow through his consulting firm, Embedded-Knowledge, Inc. Working
with organizations and entrepreneurs, he develops customized business strategies and forms
partnerships focused on designing creative solutions to complex problems.
54

55. Cassandra Porter - caporter@zuora.com
Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company
working to transform clients’ businesses, operations and technology models for the digital era. She
counsels internal clients on privacy-related matters such as data collection practices, online advertising,
mobile commerce, along with the development and acquisition of new technology, data incidents and
management. Cassandra is a member of the inaugural class of Privacy Law Specialists, a new specialty
recognized by the American Bar Association, and a Fellow of Information Privacy by the International
Association of Privacy Professionals (IAPP). Her IAPP credentials as a Certified Information Privacy
Professional and Certified Information Privacy Manager designate her as thought leader in the field. She
is a former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers Advisory
Committee for the District of New Jersey. As a member of the United States Trustee’s Consumer Privacy
Ombudsman (CPO) panel, she served as the CPO in the Golfsmith International chapter 11
cases. Previously she was counsel at Lowenstein Sandler LLP where, in addition to assisting clients with
data privacy-related issues, she also regularly represented debtors in possession and creditors in chapter
11 matters along with indigents in chapter 7 proceedings in association with the Volunteer Lawyers for
Justice. Prior to joining Lowenstein, she clerked for the Honorable Cecelia Morris, United States
Bankruptcy Judge for the Southern District of New York and was the Assistant Managing Attorney at
Kaye Scholer LLP.
55

56. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live
premiere, or if you are watching this webinar On Demand, please do not hesitate to email us
at info@financialpoise.com with any questions or comments you may have. Please include
the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes
only. It has been prepared primarily for attorneys and accountants for use in the pursuit of
their continuing legal education and continuing professional education.
56

57. About Financial Poise
57
Financial Poise™ has one mission: to provide
reliable plain English business, financial, and legal
education to individual investors, entrepreneurs,
business owners and executives.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise
Weekly, updates you on new articles published
on our website and Upcoming Webinars you
may be interested in.
To join our email list, please visit:
https://www.financialpoise.com/subscribe/