Prepare For Breaches Like a Pro
•
1 like•340 views
Breaches happen to the best of us. Occasionally they're large, headline grabbers with significant financial impact. For example, last week a payments processor revealed that it took an $84.4 million charge related to a breach it disclosed earlier this year. As a result of this charge, the firm's quarterly profit fell 90%. But even small breaches can be incredibly painful. Last year a local newsstand suffered a small breach. The resulting $22,000 in expenses cut profits in half. Though we can't prevent breaches, we can certainly prepare for them to minimize the damage and stress. In fact, breach management pros are so good at this that a breach situation doesn't bring the organization to it's knees - they take them in stride. This webinar will reveal how you can do the same. Based on time in the trenches at a major retailer, our featured speaker will share with you a breach preparation process with specific tactics for its implementation. You'll learn what team members you'll need, how to recruit them, what data you'll need to collect, how to put together a communication plan, and more. Our featured speaker for this timely Webinar is: Bob Siegel, Privacy Strategist & Principal, Privacy Ref formerly Sr. Mgr of WW Privacy & Compliance at Staples CIPP/US, CIPP/IT Blogs at: http://privacyref.com/
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Prepare For Breaches Like a Pro
Similar to Prepare For Breaches Like a Pro (20)
More from Resilient Systems
More from Resilient Systems (20)
Recently uploaded
Recently uploaded (20)
Prepare For Breaches Like a Pro
- 1. Preparing For A Data Breach © 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential. Page 1
- 2. Agenda § Introductions § Today’s reality with breaches and data loss § Preparing for breach – The process – Tips for getting it right § Q&A Page 2
- 3. Introductions: Today’s Speakers § Ted Julian, Chief Marketing Officer, Co3 Systems – Security / compliance entrepreneur – Security industry analyst § Bob Siegel, Privacy Strategist & Principal, Privacy Ref LLC – Previously, Sr. Manger of Worldwide Privacy and Compliance for Staples, Inc. – Certified Information Privacy Professional (CIPP/US, CIPP/IT) Page 3
- 4. Co3 at a Glance Co3 Systems’ incident management system helps organizations that have customer or employee Personal Information reduce the expense, risk, and stress of a breach. A web-based/hosted SaaS No hardware or software to buy or platform manage; it’s running in minutes Concerns all companies that Retail, Healthcare, Financial Services, manage employee or customer Higher Education, Services … data Understands all regulations that Federal, State, Trade Associations … concern private information can customize for contracts Can be deployed quickly and is Intuitive, step-by-step usage model; easy to use no user training needed Expert, actionable insight in 20 Delivers immediate, quantifiable minutes or less – regulatory obligations value and industry best practices Page 4
- 5. Breach Epidemic … payment provider’s “fourth-quarter profit fell 90 percent on costs related to a security breach…took an $84.4 million pre-tax charge” Zappos, Amazon Sued Over Customer Data Breach More than half of American consumers would sue a company that loses its personal information TRICARE Hit with $4.9 Billion Suit Following Breach Source: DataLossDB.org Page 5
- 6. Breaches Are Common – Firms Must Act * ** * “… many of them have suffered a breach – they just don’t know it” ** if you haven’t been breached, why wouldn’t you disclose that? “With an avalanche of… breach notification laws on the horizon, you have no choice but to implement an incident management program. If you don’t have an incident management program… it’s imperative that you do so immediately.” Source: “Planning For Failure” – Forrester Research, Nov. 2011 Page 6
- 7. Scope of Data Loss The exposure of consumer or employee Personal Information Internal/ Malicious Lost/Stolen Third-Party Employee Cyber-Attacks Assets Leaks Actions Global Consumer Community-Based Multi-Channel Government Electronics Firm: Healthcare Plan: Marketing Service: Agency: Hackers stole Laptops with Digital marketing Employee sent customer data, patient data stolen agency exposes CD-ROM with including credit by former customer data of personal data on card information employee dozens of clients registered advisors 100 million 208,000 Millions of 139,000 records records records records In the US there are 46 States, 4 Territories, 14 Federal Authorities and multiple trade associations, each enforcing their own regulations that prescribe the treatment of personal data Page 7
- 8. Ignoring the Problem is Not an Option Regulatory Requirements Trade Associations & Commissions 46 States, 3 Commonwealths, and 14 Industry groups, commissions, and Federal agencies have established certification bodies are imposing legislation stricter guidelines and penalties Fines are growing – aggressive AGs More fines – and businesses losing are filling state coffers accreditation Brand Damage Contractual Obligations Class Action Lawsuits Company obligations extend to 3rd Law firms have noticed and are party data sources, vendors, and picking up the pace in class-action even corporate customers lawsuits Extreme sensitivity on vendor and Even with no “harm”, companies partner use (and storage) of data are losing and settling quickly Page 8
- 9. Co3 Automates Breach Management PREPARE ASSESS Improve Organizational Quantify Potential Impact, Readiness Support Privacy Impact • Assign response team Assessments R E AS PA • Describe environment • Track events • Simulate events and incidents • Scope regulatory requirements M U LATI O SE E • Focus on organizational gaps SI • See $ exposure PR SS • Send notice to team N S • Generate PIAs I N CI D E N S NT RE TS E REPORT EV MANAGE E PO RT G NA Document Results and Easily Generate Detailed Track Performance M A Incident Response Plans • Document incident results • Escalate to complete IR plan • Track historical performance • Oversee the complete plan • Demonstrate organizational • Assign tasks: who/what/when preparedness • Notify regulators and clients • Generate audit/compliance reports • Monitor progress to completion Page 9
- 10. PREPARING FOR A BREACH Page 10
- 11. Some Questions 1. How do your employees notify you of a potential data breach event? 2. How does and incident become an event? 3. How are external communications coordinated? “Organizing is what you do before you do something, so that when you do it, it is not all mixed up.” -- A. A. Milne Page 11
- 12. Sample Event Process Incident • Decides if this may be a data Escalate to Occurs breach event based on currently CPO and CSO known information • Determines scope of the event Follow Incident • Identifies risks and responsibilities Management Engage Event • Reports back to CPO and CSO Process Management Team • Coordinates remediation Engage Event • Defines how all communication to Communication stakeholders is coordinated Plan Page 12
- 13. Incident Management Processes § Generally owned by IT • Provides logging and tracking services • May be focused on data processing incidents • May not be sensitive to paper-based issues § Metrics-centric process • Response time • Resolution time • Close / Completion time § Check to see how non-IT events are addressed • Are non-IT events routinely handled? • Are they tracked in the Incident Management system? • Has a test scenario been run recently? Page 13
- 14. Sample Event Process Incident • Decides if this may be a data Escalate to Occurs breach event based on currently CPO and CSO known information • Determines scope of the event Follow Incident • Identifies risks and responsibilities Management Engage Event • Reports back to CPO and CSO Process Management Team • Coordinates remediation Engage Event • Defines how all communication to Communication stakeholders is coordinated Plan Page 14
- 15. Event Management Team § Cross-functional team • Initially determines scope and impact of the event • Coordinates remediation efforts § Led by the Chief Privacy Officer § Core members should represent… • Legal • Privacy • Compliance • Incident Management • IT § Other members added based on the event Page 15
- 16. Facts To Gather During An Event 1. Information lost 8. Residence of affected 2. Was data encrypted 9. Can data be 3. Amount of data lost recovered? 4. Has the data loss 10. Applicable laws been stopped? 11. Notification 5. When loss occurred requirements 6. Where it was lost 12. Potential impact to 7. Who was affected other applications 13. Potential impact on other organizations Page 16
- 17. Sample Event Process Incident • Decides if this may be a data Escalate to Occurs breach event based on currently CPO and CSO known information • Determines scope of the event Follow Incident • Identifies risks and responsibilities Management Engage Event • Reports back to CPO and CSO Process Management Team • Coordinates remediation Engage Event • Defines how all communication to Communication stakeholders is coordinated Plan Page 17
- 18. Event Communication Plan § Identifies members of the Event Communication Team – Contains contact information for the members § Defines communication parameters • Who talks to whom and when § Contains frameworks for communications Page 18
- 19. Event Communication Team Stakeholders Team Members • Customers • Marketing * • Employees • Internal Communications • Marketing Dept. • Public Relations* • Media • Security / Loss Prevention • Legal • Law enforcement • Investor Relations • Other Government • Chief Privacy Officer Officials • Shareholders * Potential Lead Page 19
- 20. Communication Parameters § Spokespeople must be identified • Spokesperson designation by stakeholder • Limit communication to be done to designees § Message content must be reviewed • Consistent messages sent across stakeholders § Keep Executive Leadership informed • Frequent updates from chairs of both teams § Use Executives as spokespeople sparingly Page 20
- 21. Communication Frameworks § Most communications can be prewritten • Details of the specific event added at Event § Prepared items may include… • Press releases • Letters / emails to customers • Website updates • Employee notices • Talking points for the media Page 21
- 22. Test, Test, and Retest § Make all participants familiar with processes before they are implemented § Two common types of testing Table Top Exercises Scenario exercise • Multiple scenarios defined • One scenario is defined • Key participants meet • Participants notified day of • Each scenario is discussed exercise happening • Production processes and tools are used to manage the event • Key participants meet to debrief Page 22
- 23. Other Considerations § System of record § Methods of communications § Independent divisions • Multinational divisions • Acquired businesses • Recognized brands Page 23
- 24. Questions © 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential. Page 24
- 25. Thanks! 1 Alewife Center, Suite 450 ph: 508-474-5125 Cambridge, MA 02140 e: info@privacyref.com ph: 617-206-3900 privacyref.com e: info@co3sys.com www.co3sys.com Gartner: “Co3 …define(s) what software packages for privacy look like.” Page 25