March 10 Cyber Presentation
- 1. © 2016 Tressler LLP
Cyber Security: Concerns for Your Agency
March 10, 2016
Presented by:
Todd M. Rowe, Tressler LLP
Kevin Mahoney, Tressler LLP
Chandler Howell, Nexum Inc.
- 2. © 2016 Tressler LLP
» Who Is Our Audience Today?
» Current trends in Data Breaches
» Concerns for Municipal Bodies
» The State of Data Breach Litigation
Pre-Breach Considerations
- 3. © 2016 Tressler LLP
» Determining Areas of Vulnerability
› What information do we keep?
› What information do we need to keep?
› How is information accessed by employees or third parties?
› Is that access narrowly tailored to what’s necessary?
» Developing a plan
› Who is responsible for implementing the plan?
› Is the plan feasible with our systems and capabilities?
› Can one plan address every situation?
Pre-Breach Considerations
- 4. © 2016 Tressler LLP
» Can we be sued for this?
» Are there statutory requirements for what we need to do next?
» Can we get someone else to pay for this?
» What can we do to lower our potential liability?
Pre-Breach Considerations: The Lawyers
- 5. © 2016 Tressler LLP
» Identifying Threats
» Devices Provided To Employees
» Vendors
» Malware
» Non-Traditional Sources
Pre-Breach Considerations: The Technology Concerns
- 6. © 2016 Tressler LLP
» Identify decision-making authority.
› IT personnel? Consultant? Director? Create a defined Breach Response Team with clearly outlined responsibilities.
» Determine what data is at risk and how to secure it as quickly as possible.
› Different contingencies for financial, medical, and personal identifying information.
» Decide whether and how to restrict access to systems.
› Differs depending on type of data breach.
› Is it feasible for your organization to be without access for a period of time? What systems will be affected?
» Information Disposal
› Do certain elements of your system need to be changed or deleted immediately?
The Response Plan
- 7. © 2016 Tressler LLP
» Determine the source of the breach.
› External? Employee? Consider different contingency plans for each.
» If you need outside help, have them in place beforehand.
› Don’t wait until a breach to have to educate a vendor on your system.
» Determine who will handle contact from potentially affected individuals, and what they are permitted to say.
The Response Plan (Cont.)
- 8. © 2016 Tressler LLP
» Begin the process of notification.
› Law enforcement. Other governmental bodies. Potential data breach victims. Special concerns for governmental bodies. Time to bring in the lawyers for the notification letter itself.
» Insurance notification.
› Determine who is responsible for putting a carrier on notice and when to do so.
» Preservation of evidence.
› Have a written policy regarding data deletion or alteration in case of potential discovery issues.
› Documenting efforts during the incident response period.
» Debriefing after the breach.
› What steps should be taken to lower future risks?
The Response Plan (Cont.)
- 9. © 2016 Tressler LLP
» Inadvertent disclosures in response to FOIA requests
» Employees/Employee Information
» Patron Information
» Medical Information
» Vendors
» Special reporting requirements
» Open meeting requirements
Response Plan Considerations for Governmental Bodies
- 10. © 2016 Tressler LLP
The Response Plan (Cont.)
» TRAIN!
› Staff members
› Vendors
› Attorneys
› Document regular training.
- 11. © 2016 Tressler LLP
Technology Considerations
» Information stored on the cloud.
» The rise of ransomware.
- 12. © 2016 Tressler LLP
» Insurance Issues
» Breaches continue through the “Internet of Things”
» Coming changes to Illinois State Law.
Observations for 2016