CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After the Breach
Part of the webinar series Cyber Security and Data Privacy 2022. See more at https://www.financialpoise.com/webinars/
2. Practical and entertaining education for attorneys, accountants, business owners and executives, and investors.
3. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate, Financial Poise™ makes no guaranty in this regard.
5. Meet the Faculty
MODERATOR
Kathryn Nadro – Sugar Felsenthal Grais & Helsinger LLP
PANELISTS
Anna Mercado Clark – Phillips Lytle LLP
Alison Schaffer - Jump Trading Group
Alex Sharpe - Sharpe LLC
6. About This Webinar: Data Breach Response: Before and After the Breach
You’ve received the dreaded call that your company has just suffered a data breach – what do you do next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your business in a position to recover. Your company may have already implemented its information security program and identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must call up your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients, customers, or the public of the breach. This webinar will help prepare you to take action when the worst happens.
7. About This Series: Cyber Security & Data Privacy 2022
Cybersecurity and data privacy are critical topics of concern for every business in today’s environment. Data breaches are a threat to every business and can cause both direct losses from business interruption and loss of data and indirect losses from unwanted publicity and damage to your business’s reputation. Compliance with a patchwork of potentially applicable state and federal laws and regulations may cost your business in terms of money and time.
This series discusses the various laws and regulations that affect businesses in the United States and in Europe, as well as the best practices to use in creating an information security program and preparing for and responding to data breaches.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and executives without much background in these areas, yet is of primary value to attorneys, accountants, and other seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
8. Episodes in this Series
#1 Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 08/03/22
#2 Introduction to EU General Data Protection Regulation: Planning, Implementation, and
Compliance
Premiere date: 9/07/22
#3 How to Build and Implement your Company's Information Security Program
Premiere date: 10/12/22
#4 Data Breach Response: Before and After the Breach
Premiere date: 11/09/22
10. Overview
• What is a Data Breach?
✓ A data breach is a confirmed incident in which sensitive, confidential or otherwise
protected data has been accessed and/or disclosed in an unauthorized fashion
✓ Data breach may have different meanings under various state, federal, and
international laws
11. Overview
Data Breach Facts (IBM Cost of a Data Breach Report 2022)
✓ Average cost of a data breach in the US: $9.44 million
✓ Average cost of a data breach globally: $4.35 million
✓ Ransomware breaches rose 41% since 2021 and took 49 days longer than average to identify and contain
✓ $4.54 million average total cost of a ransomware breach (not including the ransom itself)
✓ 45% of data breaches happened in the cloud
12. Overview
Data Breach Costs
✓ Computer forensics
✓ Breach notification mailing, call center and identity restoration services costs
✓ Public relations
✓ Regulatory investigation, fines and penalties
✓ Lawsuit(s)
✓ Legal services
• Average number of days to identify and contain a breach: 287 days
13. Overview
• Examples of Data Breach Causes
✓ Malware/Ransomware
✓ Unsecured website login systems
✓ Use of unapproved or insecure software
✓ Insecure IT infrastructure
✓ Phishing/e-mail scam
✓ Employees mishandling data
✓ Human factor/negligence
14. Overview
What hackers are seeking:
✓ Money (e.g., wire theft)
✓ Theft of personal information
- Purchase of goods with stolen credit card information
✓ Filing of fraudulent tax returns
✓ Sale of personal information
✓ Disgruntled employee(s) use of information
✓ Corporate espionage
15. Before the Breach: Data Breach Response Plan
• What is a data breach response plan?
✓ Aims to help you manage a data breach
✓ Provides a framework that sets out roles and responsibilities for managing an
appropriate response to data breach
✓ Describes steps an entity should take to manage a breach, should one occur
✓ Prevention is better than remediation
• Why do you need a data breach response plan?
✓ Provides clarity and mitigates confusion
✓ Gives all employees knowledge of how to address a data breach
✓ Establishes a chain of command and responsibilities of each employee
✓ Quicker response time to fixing the breach
16. Data Breach Response Plan
• A data breach response plan should:
✓ Provide the actions to be taken if a breach is suspected, discovered or reported by a
staff member, including when it is to be escalated to the response team
✓ Identify members of your data breach response team
✓ Identify the actions the response team is expected to take
✓ Be in writing
▪ So that staff and employees clearly understand their roles and responsibilities
✓ Identify goals and objectives of the plan
17. Data Breach Response Plan
• Data breach response plan should cover:
✓ A strategy for assessing, managing and containing data breaches
✓ A clear explanation of what constitutes a data breach
✓ The reporting line if staff do suspect a data breach
✓ The circumstances in which the breach can be handled by a line manager or when it
should be escalated to the response team
✓ Recording data breaches
✓ A strategy to identify and address any weaknesses in data handling that contributed
to the breach
✓ A system for a post-breach review and assessment of your entity’s response to the
data breach and the effectiveness of your data breach response plan
18. Before the Breach: Tabletop Exercises
Incident Response or Breach Response Plans must be practiced:
✓ Tabletop exercises allow incident response teams to test out their incident response
plans and find any gaps or holes in the organization’s policies and procedures
✓ Will involve a simulated breach on an appropriate system for each organization,
such as vendor systems, business operations such as data processing or
transactions, or critical digital assets such as networks, applications, or sensitive
data
✓ Also include group discussions to review the effectiveness of strategies and tactics,
sometimes including a facilitator such as an outside cybersecurity expert
✓ All members of the incident response team should participate in the exercise,
including any additional stakeholders who would be activated in a breach
19. So, You Think You’ve Been Breached…
• Know who to call: the Incident Response Team
• Management
• Legal counsel
• IT support
• Public relations
• Forensic support
• Insurance contact
20. So, You Think You’ve Been Breached… (cont’d)
Breach Response
✓ Identify/Detect
Determine if a breach occurred
✓ Contain
Contain and mitigate the data breach
✓ Investigate
How did the breach occur and what was the scope?
✓ Notify
Provide notifications to affected individuals
✓ Remediate
Prevent reoccurrence of breach and identify lessons learned
21. Breach Response: Identify/Detect
• First, identify if an incident is a data breach
✓ Employees may have exposed sensitive personal data by accident – still an incident,
but requires a different response
✓ Common indicators of external compromise include –
- unusual login times
- reduced operating speeds across the network or heavy, unexplained traffic
- use of nonstandard command prompts
- unexpected restarts
- use of unusual software
- malfunctioning of antivirus/security software
- the presence of unexpected IP addresses
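As an added example that is not part of the slides, the following Python script runs several of these indicators (off-hours logins, unexpected source IPs, unapproved software, security tooling being stopped) over a handful of constructed log lines. The log format, the business-hours window, the trusted network ranges and the approved-software list are all assumptions chosen for illustration; a real deployment would read these from the environment's own logs and baseline.

```python
"""
Added example (not from the Financial Poise slides): a small triage script that
checks the "common indicators of external compromise" listed above against
constructed log lines. Log format, IP allowlist, business hours and the
approved-software baseline are assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, time

# Assumed environment baseline (hypothetical values for this example).
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # local time window
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]
APPROVED_SOFTWARE = {"outlook.exe", "excel.exe", "chrome.exe", "teams.exe"}

# Constructed sample log: "<ISO timestamp> <event> <user> <src_ip> [<extra>]".
SAMPLE_LOG = """\
2022-11-09T08:15:02 LOGIN jdoe 10.1.4.22
2022-11-09T03:12:47 LOGIN jdoe 185.220.101.7
2022-11-09T09:02:11 PROCESS jdoe 10.1.4.22 excel.exe
2022-11-09T03:14:05 PROCESS jdoe 185.220.101.7 mimikatz.exe
2022-11-09T03:15:30 SERVICE_STOP SYSTEM 10.1.4.22 WinDefend
2022-11-09T12:40:00 LOGIN asmith 192.168.1.15
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, event, user, src, *extra = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "src": ipaddress.ip_address(src),
            "extra": extra[0] if extra else None}


def check_record(rec: dict) -> list[str]:
    """Return the indicator names a single record trips (empty list if none)."""
    hits = []
    if rec["event"] == "LOGIN":
        start, end = BUSINESS_HOURS
        if not (start <= rec["ts"].time() <= end):
            hits.append("unusual login time")
    # Any event sourced from outside the known address space is suspicious.
    if not any(rec["src"] in net for net in KNOWN_NETWORKS):
        hits.append("unexpected IP address")
    if rec["event"] == "PROCESS" and rec["extra"] not in APPROVED_SOFTWARE:
        hits.append("unusual software")
    # Security tooling going down is itself an indicator, not just a fault.
    if rec["event"] == "SERVICE_STOP" and rec["extra"] == "WinDefend":
        hits.append("security software stopped")
    return hits


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run every line through check_record; return (line, indicators) for hits only."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = check_record(parse_line(line))
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {', '.join(hits)}")
```

Each rule is deliberately a single comparison against a baseline; the value of the exercise is having the baseline written down before the incident, so that "unusual" has a definition the response team agrees on rather than one argued about during the first 24 hours.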
22. Breach Response: Containment
• Second, once you discover you’ve been breached, contain the breach
• Move quickly to secure systems and fix vulnerabilities
✓ Key is to stop the immediate business impact of the breach – cut off the access to
the external party, secure internal systems, stop the bleeding
• Deploy breach response team to work on investigation and containment and determine
additional resources to deploy:
✓ Forensics
✓ Legal
✓ Internal team leaders
23. Breach Response: Containment
• The First 24 Hours Checklist
✓ Record the date and time when the breach was discovered & response efforts begin
✓ Alert and activate everyone on the response team
✓ Secure the premises around the area where the data breach occurred to help
preserve evidence
24. Breach Response: Containment
• The First 24 Hours Checklist (Cont’d)
✓ Stop additional data loss
▪ Isolate affected devices from the network but DO NOT power them off: shutting down destroys volatile evidence (running processes, network connections, in-memory keys) that forensic examiners need
✓ Assess priorities and risks
✓ Determine whether any early notification to customers, affected businesses, law
enforcement and other regulatory agencies is required or advisable
25. Breach Response: Fix Vulnerabilities
• Work with forensic experts
✓ Determine whether the affected data was encrypted at the time of the breach and whether the keys were also exposed; many state notification laws exempt properly encrypted data
✓ Analyze backup or preserved data
✓ Review the type of information compromised
• Develop a communication plan
✓ Develop comprehensive plan to communicate internally
26. Breach Response: Investigate
• Third, investigate the cause and scope of the breach promptly
✓ Consider relevant facts
✓ Inside or outside threat?
✓ Conduct interviews
✓ Analyze compromised systems
✓ Identify malware employed, if applicable
✓ Engage incident response team
✓ Engage forensic experts, as appropriate
✓ Engage legal counsel early in the process
✓ Determine whether insurance contact should be notified
✓ Reconstruct the incident
27. Breach Response: Investigate
• During the investigation:
✓ Evaluate the nature, extent, and scope of incident
✓ What information was improperly disclosed?
✓ Was the information recovered?
✓ When and how did the incident happen?
✓ How many individuals were affected?
✓ Does the incident involve residents of multiple states?
✓ Document the investigation findings, conclusion and rationale
28. Breach Response: Notice
• Fourth, determine your notification obligations
• Potential parties to notify:
✓ Customers
✓ Law enforcement and other regulatory agencies
✓ Affected businesses
29. Breach Response: Notice (cont’d)
• Notification requirements vary based on state, federal, and international law
✓ All 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands (54 jurisdictions) require some level of notification to individuals when a breach occurs
✓ If breaches reach a certain size (e.g., over 500 individuals), many states require
notification to attorneys general
✓ Notification generally must occur within a “reasonable time” or “without unreasonable delay” after the breach is discovered; a number of states also set a fixed outer deadline (commonly 30, 45 or 60 days)
• Generally, must include description of the circumstances of the breach, steps
taken to remedy the incident, steps intended to be taken after the notification,
and occasionally whether law enforcement is involved in investigating the
incident
✓ International law may be stricter than your specific state
✓ GDPR Article 33 requires notice to the supervisory authority within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to individuals, and Article 34 requires notice to affected individuals without undue delay when the risk is high
30. Breach Response: Notice…to the FBI?
• Consider contacting the FBI and/or local authorities when a breach involves:
✓ Significant loss in data, system availability, or control of systems
✓ A large number of victims
✓ Unauthorized access to or malicious software on critical information technology
systems
✓ Critical infrastructure or core government functions
✓ National security, economic security, or public health and safety
✓ Financial transactions, such as unauthorized wire transfers
31. Breach Response: Remediation
• Fifth, remediate the data breach
✓ Requires looking at other potential flaws in security infrastructure – identify any
“lessons learned” in data security environment and response plan
✓ Develop a remediation plan that is tailored to the breach or incident to prevent it from
happening again
✓ Requires an honest and true assessment of the cause of the breach
32. Breach Response: Remediation (cont’d)
• Remediation practices can include:
✓ Developing an internal and external communications plan
✓ Strengthen data security policies
✓ Planning to prevent reoccurrence
✓ Providing additional training to employees on data security
✓ Maintaining documentation of actions
✓ Insurance considerations
33. Breach Response: Remediation
• Insurance Considerations
✓ Traditional policies
• E&O: errors and omissions
• D&O: directors and officers
• CGL: commercial general liability
✓ These policies frequently do not cover costs arising out of a security incident or data
breach
34. Breach Response: Remediation (cont’d)
• Insurance Considerations (Cont’d)
✓ 1st party cyber insurance coverage typically includes -
▪ Business interruption
▪ Cyber extortion
▪ Data restoration
▪ Forensic costs
▪ Crisis management
▪ Legal costs
▪ Notification, call center, credit monitoring/identity restoration
35. Breach Response: Remediation (cont’d)
• Insurance Considerations (Cont’d)
✓ 3rd party cyber coverage typically includes -
▪ Regulatory investigation
▪ PCI assessments and fines
▪ Lawsuits
✓ Insurance coverage frequently requires notice to the insurer prior to hiring counsel or
any investigators or other vendors, so notify the insurer as soon as possible
36. Breach Response – When and What to Document?
Document the steps you took in your investigation:
✓ Individuals interviewed
✓ Systems investigated and secured
✓ Identified vulnerabilities and remediation of same (including the cause and source,
if known, of the breach)
✓ What information was compromised and the scope of the breach
When documentation is required:
✓ GDPR requires certain documentation of breaches, whether they must be reported
or not (if not reported, should document reasons for that decision)
✓ Insurance carriers will require certain documentation of most breaches if claims are
made
✓ Other statutes may require documentation of the breach and investigation – many
state AGs or other regulatory agencies may also require documentation
37. Breach Response: Breach Team Members
• Forensics Team - helps determine the source and scope of breach
✓ Captures forensic images of affected systems
✓ Collects and analyzes evidence, and
✓ Outlines remediation steps
• Hire independent forensic investigators to perform the investigation
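The forensic images above, and the documentation slide 36 calls for, are only useful as evidence if you can later show that neither the image nor the record of who handled it has been altered. As an added example that is not from the slides or the panelists, here is a Python sketch that hashes an image at acquisition and keeps a hash-chained chain-of-custody log in which every entry commits to the previous one, so a quiet edit to an earlier timestamp or actor breaks verification. The image bytes, the case number and the names are constructed for illustration.

```python
"""
Added example (not from the slides): hash an acquired forensic image and keep
a hash-chained chain-of-custody log, so the record of who did what and when
(slide 23's "record the date and time", slide 36's documentation) can be shown
to be unaltered. Image bytes, case number and actor names are constructed.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a disk image; a real one is read in chunks from a file.
SAMPLE_IMAGE = b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096


def sha256_of(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so the same code works on multi-GB images."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


class CustodyLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: list[dict] = []

    def _entry_hash(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(body).hexdigest()

    def record(self, actor: str, action: str, **details) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"case_id": self.case_id,
                 "seq": len(self.entries),
                 "time_utc": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "details": details,
                 "prev_hash": prev}
        entry["entry_hash"] = self._entry_hash(entry)   # hash excludes itself
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            unhashed = {k: v for k, v in e.items() if k != "entry_hash"}
            if self._entry_hash(unhashed) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(log: CustodyLog, actor: str, image: bytes, source: str) -> str:
    """Hash the image at acquisition and log the result; returns the digest."""
    digest = sha256_of(image)
    log.record(actor, "acquired image", source=source, sha256=digest,
               size_bytes=len(image))
    return digest


def verify_image(log: CustodyLog, actor: str, image: bytes, expected: str) -> bool:
    """Re-hash before analysis and log the outcome either way."""
    ok = sha256_of(image) == expected
    log.record(actor, "verified image", expected=expected, match=ok)
    return ok


if __name__ == "__main__":
    log = CustodyLog("IR-2022-0001")   # constructed case number
    digest = acquire(log, "forensic analyst", SAMPLE_IMAGE, "laptop serial ABC123")
    print("image sha256:", digest)
    print("verified:", verify_image(log, "outside counsel", SAMPLE_IMAGE, digest))
    print("log intact:", log.verify())
    log.entries[0]["details"]["source"] = "different laptop"   # simulate tampering
    print("log intact after tampering:", log.verify())
```

The hash chain makes alteration detectable, not impossible; in practice the log is also written to storage the responders cannot modify (or countersigned by counsel) so the verification result means something in front of a regulator or a court.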
38. Breach Response: Breach Team Members
• Legal Counsel - helps identify your legal obligations
✓ Identifies state and federal regulations regarding data breaches for your industry
✓ Identifies entities that need to be notified, such as customers, employees,
government agencies, regulatory boards, etc.
✓ May provide privilege to the investigation process if retained early enough and if
counsel directs forensic investigation
- Certain courts have refused to apply privilege to investigation even under those
circumstances
✓ Ensures notifications occur within any mandated timeframes
39. Trending Topics: Ransomware
• Ransomware is a growing threat, particularly since the pandemic increased remote work
o Because attackers commonly exfiltrate data before encrypting it, companies may face both a ransom demand and a reportable data breach requiring notification and remediation
o Attacks on critical infrastructure, such as the Colonial Pipeline incident in May 2021
o FBI and other agencies prioritized fighting ransomware in a similar way to fighting
terrorism
o Email is among the most prevalent attack vectors used to deliver ransomware
• In October 2020, the U.S. Office of Foreign Assets Control (OFAC) issued an advisory warning that ransomware payments to sanctioned persons or jurisdictions may violate U.S. sanctions regulations
o OFAC stated that it could enforce not only against ransomware victims, but also against their insurers and the intermediaries hired by companies or their insurers, such as cybersecurity firms that negotiate with threat actors
• Insurance may be available for ransomware, but many policies require consent prior to
making a payment
40. Trending Topics: Standing for data breach victims in
court
• Plaintiffs in data breach litigation have had an uphill battle in establishing standing when
there is only an increased risk of identity theft due to a data breach
• McMorris Factors (McMorris v. Carlos Lopez & Associates LLC, 995 F.3d 295 (2d Cir.
2021)):
o Whether plaintiff’s data was exposed as the result of a targeted attempt to obtain the
data
o Whether any portion of the compromised dataset already has been misused; and
o Whether the exposed data includes high-risk information – e.g., Social Security
numbers and dates of birth
42. About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice.
Katie advises clients on a diverse array of business matters, including data security and privacy
compliance, commercial and business disputes, and employment issues. Katie works with individuals and
businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data
security and privacy issues, including breach response, policy drafting, program management, data
collection, vendor management, and compliance with ever-changing state, federal, and international
privacy law. Katie also has broad litigation experience representing companies and individuals in
contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and
federal court and arbitration. With a background as both in-house and outside counsel, Katie
understands that business objectives, time, and resources play an important role in reaching a favorable
outcome for each client.
43. About The Faculty
Anna Mercado Clark – AClark@phillipslytle.com
Anna Mercado Clark, Esq., CIPP/E, CIPP/US, CIPM, FIP is a partner at Phillips Lytle LLP, a full service
law firm in the U.S. and Canada. She leads Phillips Lytle’s Data Security & Privacy and e-Discovery &
Digital Forensics Practice Teams and is the co-team leader of the firm’s Cryptocurrency & Bitcoin Mining
Practice Team. Additionally, Anna focuses her practice in the areas of business and commercial litigation
and, as a former district attorney, also handles white-collar criminal matters and investigations. She
regularly counsels sophisticated clients on technology solutions, risk mitigation, data protection and
compliance strategies given the constantly evolving regulatory landscape, and speaks at national and
international conferences as a subject-matter expert on these issues. Ms. Clark is an adjunct professor at
Fordham University School of Law, teaching a course on data security and privacy, as well as
fundamental lawyering skills.
To read more, go to https://www.financialpoise.com/webinar-faculty/anna-mercado-clark
44. About The Faculty
Alison Schaffer – ASchaffer@jumptrading.com
Alison Schaffer is Legal and Regulatory Counsel at the Jump Trading Group in Chicago. Alison works
extensively in the areas of trading, technology, human resources, venture capital, and data protection
and privacy. Specifically, Alison leads GDPR implementation and data protection and privacy application
for all of the Jump Trading Group’s business lines. Alison graduated from Northwestern University with
Honors in Legal Studies and Communication Studies and a Certificate in Service Learning and attained a
Masters in Education while a Teach For America corps member in New York. Alison obtained her Juris
Doctor from Chicago-Kent College of Law, where she was an avid member of the Trial Team. She is a
member of the International Association of Privacy Professionals and looks forward to completing her
CIPP-E certification.
45. About The Faculty
Alex Sharpe – Alex@sharpellc.com
Alex Sharpe is a long-time Cybersecurity, Governance, and Digital Transformation expert with
real-world operational experience. He has spent much of his career helping corporations and
government agencies reap the rewards afforded by advances in technology while mitigating
risk. He began his career at the NSA before moving into the Management Consulting ranks
building practices at Booz Allen and KPMG. He subsequently co-founded two firms with
successful exits, including The Hackett Group. Alex holds degrees in Business from Columbia
Business School, Systems Engineering from Johns Hopkins University, and Electrical
Engineering from New Jersey Institute of Technology (NJIT). He is a published author,
speaker, instructor, and advisor.
46. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live
premiere, or if you are watching this webinar On Demand, please do not hesitate to email us
at info@financialpoise.com with any questions or comments you may have. Please include
the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes
only. It has been prepared primarily for attorneys and accountants for use in the pursuit of
their continuing legal education and continuing professional education.
49. About Financial Poise
DailyDAC LLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. Its websites, webinars, and books provide Plain English, entertaining explanations about legal, financial, and other subjects of interest to these audiences.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise Weekly, updates you on new articles published on our website and upcoming webinars you may be interested in.
To join our email list, please visit: https://www.financialpoise.com/subscribe/