Presented by Clark Insurance in Portland, Maine, this two-hour seminar featured lead panelists from the privacy and security business.
The presentation reviews all aspects of a data breach: preparation, discovery, plan implementation, cyber insurance, and crisis communication and PR policies and protocols.
Cyber Security Planning: Preparing for a Data Breach
1. Cyber Security Planning: Preparing for a Data Breach
October 28, 2014
Steve Hasse, INSUREtrust
Eugene Slobodzian, Winxnet
Dianna Fletcher, Fletcher Media
2. Our Speakers
Steve Hasse, CEO, INSUREtrust
Eugene Slobodzian, PhD, CISSP, Vice President of Security, Winxnet
Dianna Fletcher, Fletcher Media
Cyber Security Planning: Preparing for a Data Breach October 28, 2014
3. Today’s Agenda
Before the breach: preparations and planning
During the breach: the event
After the breach: managing the aftermath
4. Today’s Data Breaches
The retail industry was the #1 target: 22% of network intrusions occurred at retailers (Verizon 2013 Data Breach Investigations Report).
47% of American adults have been affected by data breaches in the last year (Ponemon Institute).
Cybercrime has cost the global economy $575 billion and the US economy $100 billion, annually. The US is the hardest hit of any country (Intel Security and the Center for Strategic and International Studies).
5. Data Breach Laws & Regulations
No federal law
47 states adopted their own
Me. Rev. Stat. title 10 § 1347 et seq., § 1348. Security breach notice requirements: If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
6. Data Breach Laws & Regulations
HITECH Breach Notification Interim Final Rule (500 individuals)
GLBA, SEC – more generic
PCI, FERPA, other – no clearly defined guidance
7. Today’s Agenda
Before the Breach: Preparations and Planning
8. Question One
Have you ever received a breach notification letter?
9. Notification Letter
10. Notification Letters
Over 80% of the people we have surveyed received at least one breach notification letter.
11. Question Two
Have you, or has someone you know, experienced identity theft?
These occur via stolen digital or paper personal information.
12. Identity Theft Reality
Over 90% of the people we talk to have experienced identity theft or know someone who has.
13. Insurance Cyber Security Market
As compared to other products
Cyber as compared to EPLI
Cyber as compared to pollution insurance
What do buyers want?
Many competing carriers
All with state-of-the-art broad coverage
All competing on price and financial strength
What do buyers have?
Many carriers competing
All with different coverage
14. Insurance Cyber Security Market
The Good News?
It’s a buyer’s market - possible exception is large retailers
This makes the insurance buying decision very difficult; hard to compare policies.
15.
Revenue Range (£) % Purchasing Cyber
<1.5M 3.8%
1.5M<3M 4.8%
3M<6M 6.6%
6M<15M 7.2%
15M<60M 10%
60M<180M 17.6%
180M<600M 20.5%
600M<3B 21.8%
3B+ 25.9%
16. Target Breach: Largest of all Breaches
17. Target Breach: Largest of all Breaches
18. What Happened After the Breach?
19. Every Email
Email is often overlooked, but it is a significant exposure of both personal and corporate information. Most people have sent and received an enormous amount of email.
Almost every company requires a confidentiality statement in the footer of every sent email. This implies that the recipient maintains the confidentiality of the content.
Hackers are now using sophisticated tools to capture your email as you send it. Then, they use your email to impersonate you or others in spear phishing attacks.
20. Every Email
Email is often overlooked, but it is a significant exposure of both personal and corporate information. Most people have sent and received an enormous amount of email.
Most people know about phishing attacks, but when they get an email from a known source, they do not expect to be accidentally downloading malicious code.
A breach of your email exposes everyone you communicate with to spear phishing attacks as well as other privacy breaches.
21. Shhh…
Inside information on a new breach that the “feds” have not made public.
22. Underwriter’s Perspective: Good Risk vs. Bad Risk
Vertical Industry/Revenues/Number of Records
Completing the application forms
Dos and Don’ts: Encryption Question
Need a good story to tell if you go to court
23. Before: IT Security Perspective
Most common
Incident Response
Plan implementation
24. Before: IT Security Perspective
Winning battles before they are fought
Should be most time-consuming phase
Is hopefully the most expensive phase
Minimizes the chances of a breach
Minimizes the impact of a breach
“Beef up” security
25. Before: IT Security Perspective
Preventive: Beef up security controls
Detective: Implement detection mechanisms
Assemble Computer Incident Response Team (CIRT)
Create an Incident Response Program
Policy
Plan
Procedures
Practice makes perfect
26. Crisis Communications Scenarios
27. Crisis Communications: Data Breach
28. Crisis Communications: Team Building
Know your notification laws
www.ncsl.org: National Conference of State Legislatures
Assemble an A-team
Corporate lead: privacy officer or internal lead
Legal
IT partner: internal & incident response team
Investigatory representative: company liaison
PR professional: national vs. local
Customer care
HR
Social media manager
Web master
29. Crisis Communications Outreach
Identify your stakeholders
Gather your troops: review your internal social media policies
Assess your media relations
Assess your social media outreach to customers
Open all channels of communications
Build your bank of PR
30. Train Your Team
Media-train spokespeople
Map your messages
Communicate with transparency and empathy
31. Today’s Agenda
During the Breach: The Event
32. Data Breach Notification Costs
33. Have a Good Story to Tell
Consider investigating the breach under attorney/client privilege:
What if the FBI requests that you continue to allow the hackers access so they can catch them? This might be the first step before you notify the carrier.
Implement pre-planning
Loss Prevention: Have a plan, train your people, test your people
Crisis Management: Have a plan, have a resource approved by your insurance carrier; practice-run (i.e. fire drill)
Collect all computer logs and gather all evidence
34. Have a Good Story to Tell
Report all incidents on a timely basis
Obtain acknowledgement from the carrier
Expect a reservation of rights letter
You may have forgotten how overly broad these policies are.
Don’t wait until you are filling out the renewal application form.
Do not go public or start notification without all of the facts. (Ex: DSW)
35. Evaluating Coverage/Claims Process
Gather and review all potentially relevant policies and indemnity/vendor agreements
Consider which policies to put on notice – may be primary and excess layers; may be cyber policies and/or other lines (e.g., D&O)
Crime coverage vs. cyber coverage
Provide timely notice of actual or potential breaches, claims or losses under appropriate policies and under appropriate indemnity/vendor agreements
36. Evaluating Coverage/Claims Process
Promptly obtain consent for expenses and defense arrangements
Obtain consent to settle or offer other relief
Adhere to cooperation obligations and respond to reasonable requests for information (privilege issues)
Resolve coverage issues
Vast majority of claims are covered
37. During: IT Security Actions
Detect
Analyze
Contain
Eradicate
Preserve evidence
Notify
Recover
38. Before the News Breaks
Determine: “when the clock starts ticking.”
Message map: What is your end-goal?
One statement vs. interviews
First statement: Foundation of ALL communications
39. Determine What You Want to Say
40. Sample Press Statement
(For Immediate Release): February 15, 2011: Waterville, ME:
Day’s Jewelers recently became aware of possible unauthorized and illegal access to credit and debit card information by third parties. Day’s Jewelers cannot release details about the suspected breach because there is an ongoing investigation, according to the Maine State Police Computer Crimes Unit. Investigators have informed Day’s Jewelers that the suspected breach involved hackers outside of the company. Upon notification, Day’s Jewelers immediately began taking steps to protect against any unauthorized access. Within hours of contact by law enforcement, Day’s IT partners were on site, locating any suspect software. When the company received approval from law enforcement agencies, Day’s Jewelers contacted the bankcard processing companies.
41. Sample Press Statement
Day’s has hired a nationally recognized computer forensic team to determine the nature and extent of any unauthorized access to customer information, and to identify the information that may have been compromised. As a result of the company’s initial investigation, a likely time frame of the breach has been determined. This narrows the number of Day’s customers that may have been affected by any security breach.
According to Day’s Jewelers President Jeff Corey, the initial investigation by the company indicates personal identification was not accessed. Also, the unauthorized access does not affect customers who made online purchases.
42. Sample Press Statement
“At Day’s Jewelers, our customers are our primary concern,” said Jeff Corey. “We are working diligently with law enforcement as it investigates this criminal activity. We apologize for any concerns this may raise with our customers. We are talking directly with any consumer who may have questions or concerns.”
Day’s Jewelers is in contact with its customers. It is recommending customers review credit and debit card statements. If questionable transactions appear, consumers should contact their card company immediately.
Also, consumers can contact Day’s directly at 1-800-439-3297.
43. As Notification Begins & News Breaks
Channels of outreach
What is required by law
What is expected by your customers, stakeholders
Phone banks
Emails
Media monitoring: traditional and social
Website updates
Determine frequency of updates
44. Today’s Agenda
After the Breach: Managing the Aftermath
45. Proper Claims Reporting
Report all incidents on a timely basis
Obtain acknowledgement from the carrier
Expect a reservation of rights letter
You may have forgotten how overly broad these policies are.
Don’t wait until you are filling out the renewal application form.
46. Proper Claims Reporting
Consider investigating the breach under attorney/client privilege:
What if the FBI requests that you continue to allow the hackers access so they can catch them?
Does insured have “choice of counsel”?
47. Evaluating Coverage/Claims Process
Gather and review all potentially relevant policies and indemnity/vendor agreements
Consider which policies to put on notice – may be primary and excess layers; may be cyber policies and/or other lines (e.g., D&O)
Crime coverage vs. cyber coverage
Provide timely notice of actual or potential breaches, claims or losses under appropriate policies and under appropriate indemnity/vendor agreements
48. Evaluating Coverage/Claims Process
Promptly obtain consent for expenses and defense arrangements
Adhere to cooperation obligations and respond to reasonable requests for information (privilege issues)
Obtain consent to settle or offer other relief
Resolve coverage issues
Vast majority of claims are covered
Other carrier provided services
49. After: IT Security Actions
Review actions
Analyze effectiveness
Augment Incident Response Program
Implement additional security measures
Create incident report
Review lessons learned
50. Reputation Management
New normal
Reputation management team
Media monitoring: traditional and social
51. Reputation Management
Listen to your stakeholders: What do they need?
Reputation management team
Privacy and security statements
52. Reputation Management