This document provides guidance on data protection and incident response. It discusses the importance of knowing your data and systems, having response plans that follow privacy principles, and understanding relevant regulations. Key points include designing security and privacy into systems by default, containing incidents, identifying causes, and learning from mistakes to prevent future issues. Enforcement agencies are identified for different jurisdictions. The overall message is that preparation, knowledge, and careful response are needed to protect assets during a crisis.

1. DATA PROTECTION
& INCIDENT RESPONSE
PROTECTINGYOUR ASSETS DURING A CRISIS.
PHILLIP MAHAN, FELLOW OF INFORMATION PRIVACY, CISSP, CISA, CIPM, CIPT, CCSK

2. STANDARD DISCLAIMER
The presenter of this information may or may not be a lawyer, but even if they are, they are not
YOUR lawyer. Nothing that is said should be considered legal advice or opinion. The
information presented herein represents the speaker’s personal opinion and current
understanding of the topic involved. Neither the speaker nor their respective organization
assumes any responsibility or liability for damages arising out of any reliance on or use of this
information. The presenter is not speaking on behalf of any Company that currently or in the
past has employed them.
Thank you.
TL;DR – The views expressed in this presentation are my views and not those of my employer.

3. JUST A FEW STATEMENTS…
• “Just about anybody can face a crisis. It’s the day-to-day living that wears you out.” – Clifford Odets
• “Mistakes are the portals of discovery.” – James Joyce
• “An unenforced policy is a suggestion.” – Phillip Mahan
• “The investigation of the meaning of words is the beginning of education.” – Antisthenes (445-365 BCE)

4. DEFINITIONS NEEDED FOR TODAY’S DISCUSSION:
• Incident – An event or occurrence. Sometimes good, sometimes bad, but always noteworthy.
• Data – Should be self-explanatory, but you’d be surprised. Data are the 1s and 0s created,
processed, used, disclosed, and deleted in your everyday work.
• Information – Data when it has meaning. This is data that can be linked to a natural person
which can then be used in a manner consistent with a company’s Privacy Guidelines.
• BCP/DR – Business Continuity Plan / Disaster Recovery: Business Continuity deals with
bringing business processes back up including People,Technology, and Data. Disaster
Recovery is a portion of a Business Continuity Plan.

5. KNOWYOUR DATA, KNOWYOUR RESPONSE
• Maintain your composure. First responders do not run into the incident, but walk
quickly and with purpose.
• Know the possible blast radius. Stay out of the way of data debris.
• Security systems need to come up with the production systems, bypassing security will
not help get you back online faster.
• With Security and Privacy by Default and Design, one can respond more quickly to
breaches and incidents while minimizing the possibility of a new incident occurring during
recovery.

6. THE FACTS AND THE RULES
• There is no Cloud. It’s someone else’s Computer. Your Data,Your Responsibility.
• Rule 1: Take yourTime to do things RIGHT!
• Fact: First Responders don’t run into danger. They move quickly and with purpose.
• Rule 2: FollowYour Plan
• Fact: Plans are somewhat malleable, but that flexibility should be INTHE PLAN!
• Rule 3: Don’t sacrifice Privacy for Security, and don’t sacrifice either for SPEED.
• Fact: You could be breached again while trying to rebuild. Build with Privacy AND Security.

7. WHAT IS THE BLAST RADIUS?
Know your boundaries if they exist. Understand the
incident and what actually happened.
Don’t go down rabbit holes chasing shadows that don’t
get you back to where you need to be.
This is where your incident
occurred. The System or
Building breached.
This goes for Physical or
Cyber incidents.
Forensics Are Important.
Keep the area clear.
HUMAN SAFETY
FIRST!!

8. FINDING THE CAUSE AND STOPPING THE LEAK
Human
Error
Machine
Error
Human
Bad
Action
Machine
Bad
Action
Process
Error
Errors occur. Stop the leak
and keep them from
happening again.
Malicious Actions Occur.
Stop the leak and keep
notes on the status of
systems to keep them from
happening again, and to
prosecute if possible.

9. PLAN
DOCUMENT
ACT
AUDIT
WATCH
NOTIFY
REPEAT
Identify
your
assets
KeepTrack
of Processes,
Data Flows,
Roles
Build with
Security
AND
Privacy
You Need
ToValidate
Controls
Keep an Eye
on the Data!
BREACH?
Nothing to
see Here!
Notify as
Required
Repeat As
Systems
Change
GO WITH THE FLOW – THE ROAD TO RESPONSE

10. NEVER FORGET THE RULES
HIPAA
U.S. Healthcare
(PHI)
FFIEC
Financial
Institutions
PIPEDA
Canadian
Data Protection
EU Data
Directive
95/46/EC
EU Data Directive
GLBA
Safeguards Rule
U.S. Banking &
Financial Sector
PCI DSS
Payment Card
Industry Data
Security
ISO
27001
Information
Security
Management
FedRAMP
Cloud Security
Assessment
U.S. Government
GDPR
EU Data
Protection
Regulation
(May, 2018)
ISO
27018
Cloud Security
Assessments

11. PRIVACY BY DESIGN PRINCIPLES
• Proactive not Reactive; Preventative not Remedial
• Privacy as the Default
• Privacy Embedded into the Design
• Full Functionality: Positive-Sum not Zero-Sum
• End-to-End Security: Lifecycle Protection
• Visibility andTransparency
• Respect for User Privacy
Remember:
Your responsibility to maintain
User Privacy does not stop if
there is an incident. BC/DR Plans
should be designed with Privacy in
mind, just like your products or
services.

12. THE ENFORCERS
• You can’t have a rule without enforcement. Here is a list of who you need to know:
• In the United States
• Federal Trade Commission (FTC)
• Federal Communications Commission (FCC)
• Law Enforcement [FBI, Secret Service, Local Police Agencies]
• In Europe
• National Data Protection Authorities [And the EU Court of Justice]
• Europol
• In Canada
• Office of the Privacy Commissioner of Canada (OPC)
• Provincial Authorities
Helpful Hint:
Get to know
members of the
enforcement
agencies. They are
nice people, and
have lots of
experience.

13. PUTTING IT ALL TOGETHER
• Know your data and design systems with Data Protection in mind.
• Gather only what you need, keep only what you must. Destroy it when you are finished.
• Have a plan for major emergencies with enough flexibility to handle change.
• Watch your data /Watch your systems /Watch your processes.
• Know the relevant laws and regulations with which your company has to comply.
• If something happens, stay calm and move out of the blast radius quickly and with purpose.
• Notify as required, fix the problem, keep it from happening again.

14. QUESTIONS?
Thank you for your time. If you have any questions, please don’t hesitate to send me a message at
pmahan.presentation@gmail.com or find me on twitter at @Mahan_Presents