Responding to Data Breaches
March 25, 2015
Better breach response – how to be good when things go bad
Ian Dick
Dan Michaluk
Better breach response
• The Rules of Professional Conduct
• The basis for good breach response
• Incident response planning
• Notification, harm mitigation and risk management
Rules of Professional Conduct
• Rule 3.2-2 – shall be honest and candid (breach reporting duty?)
• Rule 3.3-1 – shall hold in strict confidence
• Rule 3.5-2 – shall care for a client's property as a careful and prudent owner would…
Why have a formal, written plan?
• Breaches are best managed as crises
• This means
  • Time is of the essence
  • Organizational behaviour can be problematic
• Also
  • Formal incident response plans are required by recognized data security standards
The basis for good breach response
• Good records management
  • Records classified in accordance with sensitivity
  • Records with personal information tagged
• Strong logging of system activity
• Security intelligence and periodic vulnerability assessments
• Strong vendor contracts (notification, cooperation, control of breach response)
What's in a plan?
• Identification – what is an "incident"
• Escalation – reporting duties and accountabilities
• Role and process definition (typically featuring a multi-disciplinary "breach response team")
• Assess – gather facts and triage
• Contain – immediate
• Investigate – five Ws
• Manage – liability, public affairs
What's in a plan?
• Don't forget!
  • Communication norms
  • Recordkeeping
  • Confidentiality
Identification and escalation
• Internal reporting supports identification
• Make clear that individuals are not to self-assess
Identification and escalation
• Other means of identification
  • Internal security analysis (network and system analysis is becoming the norm)
  • External reports (police, customers, credit card companies and others)
The incident response team
• Privacy office
• Information security / corporate security
• Legal
• Risk management
• Communications
• Management from affected business (or human resources if employees are affected)
Experts to retain in advance
• Why?
  • Objectivity can wither in a crisis
  • Bench strength may be required
• Who?
  • IT forensics
  • Crisis communications
  • Legal counsel
Role of legal counsel
• Control strategic direction
• Identify legal risks and potential liabilities
• Input into advocacy
  • Affected persons
  • The media and public
  • Regulators
• Litigation management
Practice, test, update
• Annual update
  • Plans should, in general, be scenario-neutral
  • Update based on external and internal analysis
  • From new contact information to new procedure
• Tests / fire drills
  • Identify flaws in detection capability
  • Develop tactical IT skills required for correction
  • Discover data gaps and other problems
  • Garner decision-making confidence
  • Can be an intervention that supports change
Notification and remediation
• Outside the health sector, only under Alberta legislation currently (S-4 will amend PIPEDA)
• But foreign laws will often apply (and notifying half of an affected population does not work)
• Notification may be required by a common law duty if harm is reasonably foreseeable
• Notification may be desirable because people will find out and you can't tolerate the justification process
Notification and remediation
• What happened (with identification of personal information elements)
• What you've done to contain it
• Contact information
• Consider
  • An apology
  • Telling people where to get help
  • Making a protective offer

Advantage ppt data breaches km approved - final (djm notes)


Editor's Notes

  1. Ian Dick is my partner and my source of guidance on complex litigation. I'll let you read his bio but what you won't see on there is experience in the mop up after major crises including Walkerton and the tainted blood scandal. With no slight to Ian I'll say that I know the reason you're all here is to see Karen Gordon of Squeaky Wheel Communications. Karen and I cut our teeth together on a 65000 person data breach in 2006. It's very important when you're in a crisis to have legal and communications work in tandem. We had that and I can say very confidently from that file and subsequent files that Karen is an amazing crisis communicator.
  2. Not making a general pitch on taking care of data security…
     Our pitch is more specific. It's about the need to plan ahead for the inevitable: to create a written, reasonably robust incident response policy.
     Who's got one?
     Spend 30 minutes – making the pitch and explaining how
     - one of three components here but is the key message
  3. Ian (Explain and frame presentation as supportive of Rule compliance.)
  4. You need a breach response plan because you will be in crisis
     - Important decisions…
     - …about significant harms…
     - …under great time pressure (as soon as reasonably possible, 30 from discovery under Obama legislation)
     If you do not plan in advance you will be slow
     - poor identification and escalation
     - responsibility and authority won't be clear or will be dispersed
     - resources won't be clear
     Protect against bad behavior
     - groupthink – one person accountable will promote best decision-making
     - self protection – theme/messages "when they come asking, you will answer" "we will not tolerate self-protecting behavior"
     - PCI-DSS – 12.10
     - ISO 27002 – requirement 16
  5. Ian
  6. - Not starting from scratch!
     - Look at ISO 27002:2013 requirement 16
     - Look at PCI-DSS 12.10
     - Calibrate to your culture. Tolerance. Err towards bureaucratic for this type of policy.
     …
     - core elements on this slide
     - policy to facilitate identification and escalation
     - role and process definition
       - who is responsible for what
       - at each stage of the process
       - what resources are available and can be drawn upon
  7. Also address critical communication and recordkeeping issues
     Questions to answer via policy
     - How will people be contacted on a 24/7 basis?
     - What's the back-up plan? (Anticipate network failure)
     - What will and will not be communicated over e-mail?
     - What will and will not be said to others over e-mail?
     - Who keeps a record of decisions and their rationale? In what form?
     These things also go in policy
     - Commitment to training and communication
     - Commitment to periodic review and updating
  8. Ian
     - note that this one is narrow
     - excludes "significant threats" and "near misses"
  9. Ian
  10. - Recognition that these are complex problems that require (for due diligence) expert input
      - This is a typical team
      - Do you have a significantly different composition at your organization?
      - Appropriate for team or individual on team to have broad decision making authority, at least to make the type of decisions that can be readily anticipated
        - shut down an affected service
        - retain outside assistance
        - authorize communications to public
        - authorize communication to authorities
        - make remedial offers
      Consensus? One person assigned?
  11. Ian
  12. Two kinds of legal advisors
      - Strategic advisor – explained on this slide
      - Expert advisor – sounding board, notification opinions
      Note that your incident response policy may affect whether you can claim privilege over communications. If the breach response process is framed as a process of getting information to counsel so counsel can advise, then communications in support of that process are likely to be privileged. May be more difficult when the lawyer is merely part of the team, but if you establish by policy that lawyer's only role is to provide legal advice you should be okay.
  13. - annual update is the best practice
      - if you drill into specific risks, update the risks based on an annual risk assessment
      …
      - fire drills may be appropriate
  14. Ian (Comment on last bullet.)
  15. Ian