5. Pre-Breach: “When” Not “If”
In the field of observation, chance favors the prepared mind.
Louis Pasteur (Translated)
6. Pre-Breach: “When” Not “If”
Incident Response Plan: Test…
• Plan
• People
• Technology
Preparation
Detection
Containment
Eradication
Recovery
Post-Incident
7. Life Cycle of a Breach
Phase 1: Discovery
Theft, loss, or unauthorized disclosure of: Personally Identifiable Information (PII) or Protected Health Information (PHI) that is in the care, custody or control of an organization, or a third party for whom the organization is legally liable.
Phase 2: Investigation
Legal and Forensic Investigation
Phase 3: Response
Notification, Call Center, and Credit Monitoring
Public Relations
Crisis Management
Phase 4: Defense
Class Actions
Lawsuits
Regulatory Investigations
Reputational Damage
Income Loss
8. Legal and Forensic Investigation
Life Cycle of a Breach: The Claim Process
Phase 1: Discovery
Theft, loss, or unauthorized disclosure of: Personally Identifiable Information (PII) or Protected Health Information (PHI) that is in the care, custody or control of an organization, or a third party for whom the organization is legally liable.
Phase 2: Investigation
Legal and Forensic Investigation
Phase 3: Response
Notification, Call Center, and Credit Monitoring
Public Relations
Crisis Management
Phase 4: Defense
Class Actions
Lawsuits
Regulatory Investigations
Reputational Damage
Income Loss
Notice the Carrier
Coverage Analysis
Legal – Forensic – Vendor Consent
Settlement and Recovery
9. Phase 1: Discovering the Breach
Theft, loss, or unauthorized disclosure of: Personally Identifiable Information (PII) or Protected Health Information (PHI) that is in the care, custody or control of an organization, or a third party for whom the organization is legally liable.
10. Phase 1: Discovering the Breach
Notice Your Carrier
• Identify the Policy
• (Brief) Description of Incident
• Status
• Contact Information
Acknowledgment
• Identifies Key Decision Makers
• Questions to Insured/Requests a Call
• Begin Facilitating Engagements with Legal, Forensics, and Vendors
11. Life Cycle of a Breach
Phase 1: Discovery
Theft, loss, or unauthorized disclosure of: Personally Identifiable Information (PII) or Protected Health Information (PHI) that is in the care, custody or control of an organization, or a third party for whom the organization is legally liable.
Phase 2: Investigation
Legal and Forensic Investigation
Phase 3: Response
Notification, Call Center, and Credit Monitoring
Phase 4: Defense
Class Actions
Lawsuits
Income Loss
Regulatory Investigations
Reputational Damage
Notice the Carrier
Coverage Analysis
Legal – Forensic – Vendor Management
Settlement and Recovery
12. Phase 2: Investigating the Breach
Ransomware Analysis
• Vendor engagement
• Threat actor communications
• Backups
• Data exfiltration
• Settlement
13. Phase 2: Investigating the Breach
Legal Investigation:
• Notification Obligations for Individuals and Regulators
Forensic Investigation:
• Who, What, Where, When, Why and How of Affected Systems, Data, and Persons
14. Phase 2: Investigating the Breach
Coverage Analysis
• Recitation of Known Facts
• Identify Unknown Facts that Might be Relevant
• Facilitate Legal, Forensics, Call Center, Mailing Service, Credit Monitoring
15. Life Cycle of a Breach
Phase 1: Discovery
Theft, loss, or unauthorized disclosure of: Personally Identifiable Information (PII) or Protected Health Information (PHI) that is in the care, custody or control of an organization, or a third party for whom the organization is legally liable.
Phase 2: Investigation
Legal and Forensic Investigation
Phase 3: Response
Notification, Call Center, and Credit Monitoring
Public Relations
Crisis Management
Phase 4: Defense
Class Actions
Lawsuits
Regulatory Investigations
Reputational Damage
Income Loss
Notice the Carrier
Coverage Analysis
Legal – Forensic – Vendor Management
Settlement and Recovery
16. Phase 3: Responding to the Breach
Defensible Notice:
• Affected Individuals
• Notification
• Call Center
• Credit Monitoring
• Government Entities
• Public Relations
• Crisis Management
17. Life Cycle of a Breach
Phase 1: Discovery
Theft, loss, or unauthorized disclosure of: Personally Identifiable Information (PII) or Protected Health Information (PHI) that is in the care, custody or control of an organization, or a third party for whom the organization is legally liable.
Phase 2: Investigation
Legal and Forensic Investigation
Phase 3: Response
Notification, Call Center, and Credit Monitoring
Public Relations
Crisis Management
Phase 4: Defense
Class Actions
Lawsuits
Regulatory Investigations
Reputational Damage
Income Loss
Notice the Carrier
Coverage Analysis
Legal – Forensic – Vendor Management
Settlement and Recovery
18. Phase 4: Defending The Response
Third-Party and Regulatory Defense:
• Class Action(s) by Affected Individuals
• Business Partners
• Regulatory Investigations
• Payment Card Industry (PCI) Investigation
19. Phase 4: Defending The Response
Claims Support
• Timely Consent for Potential Settlement
• Retention/Limit Analysis
• Co-ordinate Various “Fronts” (Third-Party, Regulatory, and PCI)