Breaches happen to the best of us. Occasionally they're large, headline-grabbing events with significant financial impact. For example, last week a payments processor revealed that it took an $84.4 million charge related to a breach it disclosed earlier this year. As a result of this charge, the firm's quarterly profit fell 90%. But even small breaches can be incredibly painful. Last year a local newsstand suffered a small breach. The resulting $22,000 in expenses cut profits in half.
Though we can't prevent breaches, we can certainly prepare for them to minimize the damage and stress. In fact, breach management pros are so good at this that a breach situation doesn't bring the organization to its knees; they take it in stride.
This webinar will reveal how you can do the same. Based on time in the trenches at a major retailer, our featured speaker will share with you a breach preparation process with specific tactics for its implementation. You'll learn what team members you'll need, how to recruit them, what data you'll need to collect, how to put together a communication plan, and more.
Our featured speaker for this timely Webinar is:
Bob Siegel, Privacy Strategist & Principal, Privacy Ref
formerly Sr. Mgr of WW Privacy & Compliance at Staples
CIPP/US, CIPP/IT
Blogs at: http://privacyref.com/
2. Agenda
§ Introductions
§ Today’s reality with breaches and data loss
§ Preparing for breach
– The process
– Tips for getting it right
§ Q&A
3. Introductions: Today’s Speakers
§ Ted Julian, Chief Marketing Officer, Co3 Systems
– Security / compliance entrepreneur
– Security industry analyst
§ Bob Siegel, Privacy Strategist & Principal, Privacy Ref LLC
– Previously, Sr. Manager of Worldwide Privacy and Compliance for Staples, Inc.
– Certified Information Privacy Professional (CIPP/US, CIPP/IT)
4. Co3 at a Glance
Co3 Systems’ incident management system helps organizations that have customer or employee Personal Information reduce the expense, risk, and stress of a breach.
§ A web-based/hosted SaaS platform: No hardware or software to buy or manage; it’s running in minutes
§ Concerns all companies that manage employee or customer data: Retail, Healthcare, Financial Services, Higher Education, Services …
§ Understands all regulations that concern private information: Federal, State, Trade Associations … can customize for contracts
§ Can be deployed quickly and is easy to use: Intuitive, step-by-step usage model; no user training needed
§ Delivers immediate, quantifiable value: Expert, actionable insight in 20 minutes or less – regulatory obligations and industry best practices
5. Breach Epidemic
… payment provider’s “fourth-quarter profit fell 90 percent on costs related to a security breach…took an $84.4 million pre-tax charge”
Zappos, Amazon Sued Over Customer Data Breach
More than half of American consumers would sue a company that loses its personal information
TRICARE Hit with $4.9 Billion Suit Following Breach
Source: DataLossDB.org
6. Breaches Are Common – Firms Must Act
Chart footnotes:
* “… many of them have suffered a breach – they just don’t know it”
** if you haven’t been breached, why wouldn’t you disclose that?
“With an avalanche of… breach notification laws on the horizon, you have no choice but to implement an incident management program. If you don’t have an incident management program… it’s imperative that you do so immediately.”
Source: “Planning For Failure” – Forrester Research, Nov. 2011
7. Scope of Data Loss
The exposure of consumer or employee Personal Information
§ Malicious Cyber-Attacks – Global Consumer Electronics Firm: Hackers stole customer data, including credit card information (100 million records)
§ Lost/Stolen Assets – Community-Based Healthcare Plan: Laptops with patient data stolen by former employee (208,000 records)
§ Third-Party Leaks – Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients (Millions of records)
§ Internal/Employee Actions – Government Agency: Employee sent CD-ROM with personal data on registered advisors (139,000 records)
In the US there are 46 States, 4 Territories, 14 Federal Authorities and multiple trade associations, each enforcing their own regulations that prescribe the treatment of personal data
8. Ignoring the Problem is Not an Option
§ Regulatory Requirements
• 46 States, 3 Commonwealths, and 14 Federal agencies have established legislation
• Fines are growing – aggressive AGs are filling state coffers
§ Trade Associations & Commissions
• Industry groups, commissions, and certification bodies are imposing stricter guidelines and penalties
• More fines – and businesses losing accreditation
§ Contractual Obligations
• Company obligations extend to 3rd party data sources, vendors, and even corporate customers
• Extreme sensitivity on vendor and partner use (and storage) of data
§ Class Action Lawsuits
• Law firms have noticed and are picking up the pace in class-action lawsuits
• Even with no “harm”, companies are losing and settling quickly
§ Brand Damage
9. Co3 Automates Breach Management
PREPARE – Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
• Send notice to team
ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Generate PIAs
MANAGE – Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
REPORT – Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
11. Some Questions
1. How do your employees notify you of a potential data breach event?
2. How does an incident become an event?
3. How are external communications coordinated?
“Organizing is what you do before you do something, so that when you do it, it is not all mixed up.”
-- A. A. Milne
12. Sample Event Process
Incident Occurs → Follow Incident Management Process → Escalate to CPO and CSO → Engage Event Management Team → Engage Event Communication Plan
§ Escalate to CPO and CSO
• Decides if this may be a data breach event based on currently known information
§ Engage Event Management Team
• Determines scope of the event
• Identifies risks and responsibilities
• Reports back to CPO and CSO
• Coordinates remediation
§ Engage Event Communication Plan
• Defines how all communication to stakeholders is coordinated
13. Incident Management Processes
§ Generally owned by IT
• Provides logging and tracking services
• May be focused on data processing incidents
• May not be sensitive to paper-based issues
§ Metrics-centric process
• Response time
• Resolution time
• Close / Completion time
§ Check to see how non-IT events are addressed
• Are non-IT events routinely handled?
• Are they tracked in the Incident Management system?
• Has a test scenario been run recently?
14. Sample Event Process (slide 12 repeated)
15. Event Management Team
§ Cross-functional team
• Initially determines scope and impact of the event
• Coordinates remediation efforts
§ Led by the Chief Privacy Officer
§ Core members should represent…
• Legal
• Privacy
• Compliance
• Incident Management
• IT
§ Other members added based on the event
16. Facts To Gather During An Event
1. Information lost
2. Was data encrypted
3. Amount of data lost
4. Has the data loss been stopped?
5. When loss occurred
6. Where it was lost
7. Who was affected
8. Residence of affected
9. Can data be recovered?
10. Applicable laws
11. Notification requirements
12. Potential impact to other applications
13. Potential impact on other organizations
17. Sample Event Process (slide 12 repeated)
18. Event Communication Plan
§ Identifies members of the Event Communication Team
– Contains contact information for the members
§ Defines communication parameters
• Who talks to whom and when
§ Contains frameworks for communications
19. Event Communication Team
Stakeholders
• Customers
• Employees
• Marketing Dept.
• Media
• Law enforcement
• Other Government Officials
• Shareholders
Team Members
• Marketing *
• Internal Communications
• Public Relations *
• Security / Loss Prevention
• Legal
• Investor Relations
• Chief Privacy Officer
* Potential Lead
20. Communication Parameters
§ Spokespeople must be identified
• Spokesperson designation by stakeholder
• Limit communication to be done to designees
§ Message content must be reviewed
• Consistent messages sent across stakeholders
§ Keep Executive Leadership informed
• Frequent updates from chairs of both teams
§ Use Executives as spokespeople sparingly
21. Communication Frameworks
§ Most communications can be prewritten
• Details of the specific event added at Event
§ Prepared items may include…
• Press releases
• Letters / emails to customers
• Website updates
• Employee notices
• Talking points for the media
22. Test, Test, and Retest
§ Make all participants familiar with processes before they are implemented
§ Two common types of testing
Table Top Exercises
• Multiple scenarios defined
• Key participants meet
• Each scenario is discussed
Scenario exercise
• One scenario is defined
• Participants notified day of exercise happening
• Production processes and tools are used to manage the event
• Key participants meet to debrief
23. Other Considerations
§ System of record
§ Methods of communications
§ Independent divisions
• Multinational divisions
• Acquired businesses
• Recognized brands