Practical Guide to Responding to a Data Breach

Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™
Receive our free weekly newsletter at www.financialpoise.com/subscribe
1

Practical and entertaining education for
attorneys, accountants, business owners
and executives, and investors.
2

DISCLAIMER
The material in this webinar is for informational purposes only. It should not be
considered legal, financial or other professional advice. You should consult with an
attorney or other appropriate professional to determine what may be best for your
individual needs. While Financial Poise™ takes reasonable steps to ensure the information
it publishes is accurate, Financial Poise™ makes no guaranty in this regard.
About this PowerPoint: if you are looking at this PowerPoint without the benefit of
listening to the conversation that surrounded it then you are doing yourself a disservice.
This PowerPoint was prepared in contemplation of being viewed in conjunction with
listening to a one hour webinar on the topic
3

MEET THE FACULTY
Moderator:
Lisa Vandesteeg – Sugar Felsenthal Grais & Helsinger LLP
Panelists:
Michael Riela– Tannenbaum Helpern Syracuse & Hirschtritt LLP
Cassandra Porter – Zuora
Patrick Hromisin – Saul Ewing Arnstein & Lehr, LLP
4

ABOUT THIS WEBINAR: Data Breach
Response: Before and After the Breach
Your company has just suffered a data breach – what do you do next? Who do you call for
help? Whom do you need to notify of the breach?
Your company may have already implemented its information security program and has
identified the responsible parties, including applicable outside experts, to be contacted in
the event of a breach. However, now you must assemble your incident response team to
investigate the extent of the breach, evaluate the possible damage to your company, and
determine whether you must notify your clients or the public of the breach. This webinar
gives you an overview of what to do when the worst happens.
5

ABOUT THIS SERIES:
Cybersecurity & Data Privacy 2019
Data security, data privacy, and cybersecurity are critical issues for your company to
consider in today’s business landscape. Data breaches from high profile companies,
including law firms, generate worldwide headlines and can severely damage your
business’s reputation. In certain industries, a patchwork of state and federal laws and
regulations may cover your business, leading to compliance headaches.
This series explores the various laws and regulations which govern businesses both in the
US and abroad, as well as how to implement and enforce an information security policy to
protect your company and limit any damage from a data breach.
6

EPISODES IN THIS SERIES
9/24/19 Episode #1: Introduction to US Privacy and Data Security:
Regulations and Requirements
10/22/19 Episode #2: Introduction to EU General Data Protection
Regulation: Planning, Implementation, and Compliance
11/19/19 Episode #3: How to Build and Implement your Company's
Information Security Program
12/17/19 Episode #4: Data Breach Response: Before and After the Breach
7
Dates shown are premiere dates.
All webinars will be available
On Demand approximately 4 weeks
after they premiere.

Episode #4:
Data Breach Response: Before and
After the Breach
8

OVERVIEW
• What is a Data Breach?
o Simply put, a data breach is a confirmed incident in which sensitive, confidential or
otherwise protected data has been accessed and/or disclosed in an unauthorized
fashion
o Data breach may have different meanings under various state, federal, and
international laws
• Data Breach Consequences
o Substantial costs in breach response
o Private lawsuits
o Government fines
o Reputational harm
9

OVERVIEW (cont’d)
• Data Breach Costs
o Individual: approximately $233
o Event: approximately $8 million
• Average Data Breach Costs According to Each Industry
o Healthcare: $6.45 million
o Financial: $5.86 million
o Energy: $5.60 million
o Industrial: $5.20 million
10

OVERVIEW (cont’d)
• Data Breach Costs (cont’d)
o A few costs include -
 Computer forensics
 Breach notification mailing, call centering and identity restoration services costs
 Public relations
 Regulatory investigation, fines and penalties
 Lawsuit(s)
– Legal services
*The US ranks number in data breach costs in 2019
11

OVERVIEW (cont’d)
• Data Breach Causes
o Malware/Ransomware
o Unsecured website login systems
o Use of unapproved, insecure software
o Insecure IT infrastructure
o Phishing/e-mail scam
o Employees mishandling data
 In 2018, 53% of executives who suffered a data breach cited external human
error or accidental loss as the culprit
o Human factor/negligence
12

OVERVIEW (cont’d)
• Data Breach Goals
o Money
o Theft of personal information
 Purchase of goods with stolen credit card information
o Filing of fraudulent tax returns
o Sale of personal information
o Disgruntled employee(s) use of information
o Corporate espionage
13

SO YOU THINK YOU’VE BEEN BREACHED…
• Know who to call
o Incident Response Team
o Management
o Legal counsel
o IT support
o Public relations
o Forensic support
o Insurance
o Consider contractual obligations
14

SO YOU THINK YOU’VE BEEN BREACHED (cont’d)
• Breach Response
o Identify
 Determine if a breach actually occurred
o Investigate
 How did the breach occur?
o Contain
 Contain and mitigate the data breach
o Notify
 Provide notifications
o Remediate
 Prevent reoccurrence of breach
15

BREACH RESPONSE: IDENTIFY/DETECT
• First, identify if an incident is a data breach
o Employees may have exposed sensitive personal data by accident; Security
monitoring systems
 Common indicators of compromise include -
– unusual login times
– reduced operating speeds across the network or heavy, unexplained traffic
– use of nonstandard command prompts
– unexpected restarts
– use of unusual software
– malfunctioning of antivirus/security software
– the presence of unexpected IPs
16

BREACH RESPONSE: IDENTIFY/DETECT (cont’d)
• Identify if an incident is a data breach (cont’d)
o Security monitoring systems (cont’d)
 Top Cyber Threat Vulnerabilities
– Un-patched and outdated systems remain top vulnerabilities
» Last year, nearly 60% of organizations that suffered a data breach
attribute the breach to a known vulnerability for which they had not yet
patched
» Yet, 86% of the of vulnerability reports detailed breaches for which a patch
was available
 Conduct Cyber Threat Assessments
– A good cyber threat assessment offers security and threat prevention by
exposing application vulnerabilities;
– detecting malware and botnets;
– identifying “at risk” devices
17

BREACH RESPONSE:
IDENTIFY/DETECT (cont’d)
• Second, investigate promptly
o Consider relevant facts
o Inside or outside threat?
o Conduct interviews
o Analyze compromised systems
o Identify malware employed, if applicable
o Engage forensic experts, as appropriate
o Reconstruct the incident
18

BREACH RESPONSE:
IDENTIFY/DETECT (cont’d)
• Second, investigate promptly (Cont’d)
o Evaluate the nature, extent, and scope of incident
 What information was improperly disclosed?
 Was the information recovered?
 When and how did the incident happen?
 How many individuals were affected?
 Does the incident involve residents of multiple states?
 Document the investigation findings, conclusion and rationale
19

BREACH RESPONSE: CONTAINMENT
• Third, once you discover you’ve been breached, contain the breach
• Move quickly to secure systems and fix vulnerabilities
• Mobilize breach response team ASAP
• Assemble a team of experts based on the size of your company, including:
o Forensics
o Legal
o Internal team leader
20

(cont’d)
• The First 24 Hours Checklist
o Record the date and time when the breach was discovered & response
efforts begin
o Alert and activate everyone on the response team
o Secure the premises around the area where the data breach occurred to help
preserve evidence
21

(cont’d)
• The First 24 Hours Checklist (Cont’d)
o Stop additional data loss
 Take devices offline but DO NOT turn off
o Assess priorities and risks
o Notify customers, affected businesses, law enforcement and other
regulatory agencies
22

BREACH RESPONSE: FIX
VULNERABILITIES
• Service providers
o Ensure service providers that have access to sensitive personal data remedy
their vulnerabilities to protect against another breach
• Network segmentation
o Prevents breach on one server from leaking over to another server
o Determine if network segmentation is correct
23

BREACH RESPONSE: FIX
VULNERABILITIES (cont’d)
• Work with forensic experts
o Encryption enabled
o Analyze backup or preserved data
o Review the type of information compromised
• Develop a communication plan
o Develop comprehensive plan to communicate internally
24

BREACH RESPONSE: BREACH TEAM
Depending on the size of your business, your breach team may include:
Link:
https://www.processdeliverysystems.com/images/databreach/Data_Breach_Response_Team.png
25

(cont’d)
• Forensics Team - helps determine the source and scope of breach
o Captures forensic images of affected systems
o Collects and analyze evidence, and
o Outlines remediation steps
• Hire independent forensics investigators
26

(cont’d)
• Legal Counsel - helps identify your legal obligations
o Identifies state and federal regulations regarding data breaches for your
industry
o Identifies entitles that need to be notified, i.e. customers, employees,
government agencies, regulation boards, etc.
o Ensures notifications occur within any mandated timeframes
27

BREACH RESPONSE: NOTICE
• Fourth, determine your notification obligations
• Generally, you must notify -
o Customers
o Law enforcement and other regulatory agencies
o Affected businesses
• Notification requirements vary based on state, federal, and international law
o 48 U.S. states require some level of notification to customers when a breach occurs
o Federal law various based on industry
 In 2017, Congress introduced the Data Security and Breach Notification Act bill
o GDPR notification is very specific
28

BREACH RESPONSE: NOTICE (cont’d)
• Massachusetts
o A business or entity must notify -
 Office of Consumer Affairs and Business Regulation;
 Attorney General’s Office; within a
 reasonable amount of time of discovery of any breach or knowledge that
personal information was obtained
29

• Massachusetts (cont’d)
o The notification must contain -
 Detailed description of the circumstances of the breach or unauthorized
acquisition of personal information
 Number of Massachusetts residents affected
 Steps taken to remedy the incident
 Steps intended to be taken subsequent to this notification; and
 Whether law enforcement is involved in investigating the incident
30

• New York – Financial Services Breaches
• A covered entity must notify -
o Superintendent of Financial Services promptly;
o And no later than 72 hours after discovery that a cybersecurity event has occurred
that is either:
 Events affecting the Covered Entity of which notice is required to be provided to
the government, an agency, or any other body; or
 Events that have a reasonable likelihood of materially harming the normal
operations of a Covered Entity.
31

• New York – Stop Hacks and Improve Electronic Data Security (SHIELD) Act
(2019)
o The SHIELD Act created new security requirement for companies to
“develop, implement and maintain reasonable safeguards to protect the
security, confidentiality and integrity of” the private information of New
York residents
o The Act applies to any person/business that owns or licenses private
computerized data of New York residents, regardless of whether the
person/business conducts business in New York
32

• New York – SHIELD Act (cont’d)
o The Act broadened New York’s notification obligations by expanding the definition
of “private information” to include:
 Biometric information (including biometric time clocks)
 Email addresses, corresponding passwords or security questions and answers
 Financial account information without a required security code
o The Act also expanded the definition of the term “breach” which now requires
notification in the event of any unauthorized access rather than unauthorized
acquisition
33

• New York – SHIELD Act (cont’d)
o If the Act’s notification obligations are triggered, the New York Attorney General,
Department of State, and State Police must all be notified regarding the number of
impacted individuals and the timing, content, and distribution of the entity’s
breach notice
o However, inadvertent disclosures of private information that are not likely to result
in misuse of information need not be reported
o Failure to comply with the SHIELD Act can result in a $10 to $20 per failed
notification with a maximum penalty of $250,000
34

• California –
o A breach notification disclosure must be made in the most expedient
time possible without undue delay
o Notification may be delayed if law enforcement determines notification
will impede an investigation
 Notification must be made after law enforcement determines
notification will not compromise the investigation
35

• GDPR
o Breach notification is mandatory where the breach is likely to “result in a
risk for the rights and freedoms of individuals.”
o Must be done with 72 hours of discovery of the breach.
o Data processors are required to notify customers and controllers without
delay after discovery of the data breach
o Must have a formal incident/breach response plan
36

BREACH RESPONSE: REMEDIATION
• Fifth, remediate the data breach
• Generally long and thorough and requires looking at other potential flaws in
security infrastructure
• Develop a remediation plan that is tailored to the breach incident to prevent it
from happening again
o Honest & true assessment of cause of breach
37

BREACH RESPONSE:
REMEDIATION(cont’d)
• A few remediation practices include -
o Developing an internal and external communications plan
o Strengthen data security policies
o Planning to prevent reoccurrence
o Providing additional training to employees on data security
o Maintaining documentation of actions
o Insurance considerations
38

DATA BREACH RESPONSE PLAN
• What is a data breach response plan?
o Aims to help you manage a data breach
o Provides a framework that sets out roles and responsibilities for managing an
appropriate response to data breach
o Describes steps an entity should take to manage a breach, should one occur
• Why do you need a data breach response plan?
o Provides clarity and mitigates confusion
o Gives all employees knowledge of how to address a data breach
o Establishes a chain of command and responsibilities of each employee
o Quicker response time to fixing the breach
39

DATA BREACH RESPONSE PLAN
(cont’d)
• A data breach response plan should:
o Provide the actions to be taken if a breach is suspected, discovered or reported by
a staff member, including when it is to be escalated to the response team
o Identify members of your data breach response team (response team)
o Identify the actions the response team is expected to take
o Be in writing
 Staff and employee could clearly understand the roles and responsibilities
o Identify goals and objectives of the plan
40

DATA BREACH RESPONSE PLAN (cont’d)
• Data breach response plan should cover:
o A strategy for assessing, managing and containing data breaches
o A clear explanation of what constitutes a data breach
o The reporting line if staff do suspect a data breach
o The circumstances in which the breach can be handled by a line manager or when it
should be escalated to the response team
o Recording data breaches
o A strategy to identify and address any weaknesses in data handling that contributed
to the breach
o A system for a post-breach review and assessment of your entity’s response to the
data breach and the effectiveness of your data breach response plan
41

DATA BREACH RESPONSE PLAN (cont’d)
Link: https://www.privacyrisksadvisors.com/data-breach-toolkit/
42

(cont’d)
• Insurance Considerations
o Traditional policies
 E&O
 D&O
 CGL
o These policies do not cover costs arising out of a security incident or data
breach
43

(cont’d)
• Insurance Considerations (Cont’d)
o 1st party coverage typically includes -
 Business interruption
 Cyber extortion
 Data restoration
 Forensic costs
 Crisis management
 Legal costs
 Notification, call center, credit monitoring/identity restoration
44

(cont’d)
• Insurance Considerations (Cont’d)
o 3rd party coverage typically includes -
 Regulatory investigation
 PCI assessments and fines
 Lawsuits
45

SOURCES
• https://searchsecurity.techtarget.com/definition/data-breach
• 2016 Ponemon Cost of a Data Breach Report
• https://www.digitaltransactions.net/whats-the-cost-of-a-data-breach-about-233-per-person-a-
report-finds/
• https://www.helpnetsecurity.com/2019/06/17/human-error-data-breach/
• https://www.techrepublic.com/article/8-steps-to-take-within-48-hours-of-a-data-breach/
• https://www.ccsinet.com/blog/how-to-detect-data-breaches-before-its-too-late/
• https://www.secureworks.co.uk/resources/at-gdpr-breach-notification-a-spotlight-on-
detection-reporting
46

SOURCES
• https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-
updates/pages/new-york-shield-act.aspx
• https://www.cio.com/article/2692972/data-breach/5-steps-to-take-when-a-data-breach-
hits.html
• https://digitalguardian.com/blog/whats-cost-data-breach-2019
• https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
• https://www.scstatehouse.gov/sess122_2017-2018/bills/4655.htm
47

SOURCES
• https://www.oaic.gov.au/resources/privacy-law/privacy-archive/privacy-resources-
archive/guide-to-developing-a-data-breach-response-plan.pdf
• https://www.foley.com/files/Publication/c31703ac-ee93-40a5-b295-
7e1d9fe45814/Presentation/PublicationAttachment/9f655df2-8276-4ff2-8205-
f2b4e21131b5/18.MC12803%20Data%20Breach%20Chart%200918.pdf
• https://dd80b675424c132b90b3-
e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/2017-data-breach-
legislation.pdf
• natlawreview.com/article/new-york-enacts-shield-act
• https://www.mass.gov/files/documents/2017/10/02/201cmr17.pdf
48

ABOUT THE FACULTY
49

Lisa Vandesteeg – evandesteeg@sfgh.com
Elizabeth (“Lisa”) B. Vandesteeg, partner at Sugar Felsenthal Grais & Helsinger, is a legal team leader and tactical
advisor for businesses. Coming from a commercial litigation background, her practice is focused on risk identification
and mitigation for her clients, primarily in the areas of business continuity and business tort, data security and privacy,
and bankruptcy and restructuring. Lisa counsels businesses in a wide variety of industries on issues that arise on a day-
to-day basis, such as contracting with third parties or partnership/ownership disputes. She often adds value by acting
in an external general counsel role. And as a business litigator, she represents clients on both offense and defense, in
state, federal, and bankruptcy courts, in municipal and administrative proceedings, and using alternative dispute
resolution processes. She also has experience in nearly every facet of commercial bankruptcy and restructuring, having
represented debtors, secured creditors, unsecured creditors, and unsecured creditors’ committees. Within the
bankruptcy arena, she has prosecuted complex adversary and contested litigation matters including, among others,
actions to pierce the corporate veil, to undo fraudulent transfers, and to avoid liens.When it comes to data security and
privacy issues, Lisa assists clients in the development of reasonable and appropriate data security and privacy
programs, appropriate for their specific business needs and legal requirements. This includes the drafting and
implementation of a company’s broad information security program, and related policies related to use of technology,
mobile devices, or document retention. To read more, go to:
https://www.financialpoise.com/financialpoisewebinars/faculty/elizabeth-b-vandesteeg/
50

Michael Riela – Riela@thsh.com
Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice. With more
than 15 years of experience, Mike advises companies on complex restructuring, distressed M&A, loan transactions and
bankruptcy related litigation matters. Mike has in-depth experience in advising clients on corporate and real estate
bankruptcies, workouts, Chapter 11 and Chapter 7 bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit
loan facilities, secondary market trading of distressed debt and trade claims, Section 363 sales and bankruptcy
retention and fee agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge
funds, private equity firms, professional services firms, trade creditors, contract counterparties, shareholders, debtors
and investors. Mike has represented buyers of assets in Section 363 and out-of-court sales. Mike also works with
clients on cybersecurity and data privacy issues, including the assessment and investigation of information security
and data breach incidents. Before any data breaches occur, Mike prepares and helps clients implement written
information security programs, systems access policies, and incident response plans. After clients suffer a breach, Mike
assists with their response and advises on their legal duties, including clients’ duties under various security breach
notification laws. Prior to joining Tannenbaum Helpern, Mike was a shareholder at Vedder Price and was a counsel at
Latham & Watkins. He has been recently selected to serve on the 2016 Bankruptcy editorial advisory board for
the Law360 publication. Mike can be reached at riela@thsh.com or at 212.508.6773 or connect with him on LinkedIn:
https://www.linkedin.com/in/michael-riela-9644658
51

Cassandra Porter – caporter@zuora.com
Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company working to
transform clients’ businesses, operations and technology models for the digital era. She counsels internal clients on
privacy-related matters such as data collection practices, online advertising, mobile commerce, along with the
development and acquisition of new technology, data incidents and management. Cassandra is a member of the
inaugural class of Privacy Law Specialists, a new specialty recognized by the American Bar Association, and a Fellow of
Information Privacy by the International Association of Privacy Professionals (IAPP). Her IAPP credentials as a
Certified Information Privacy Professional and Certified Information Privacy Manager designate her as thought leader
in the field. She is a former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers
Advisory Committee for the District of New Jersey. As a member of the United States Trustee’s Consumer Privacy
Ombudsman (CPO) panel, she served as the CPO in the Golfsmith International chapter 11 cases. Previously she was
counsel at Lowenstein Sandler LLP where, in addition to assisting clients with data privacy-related issues, she also
regularly represented debtors in possession and creditors in chapter 11 matters along with indigents in chapter 7
proceedings in association with the Volunteer Lawyers for Justice. Prior to joining Lowenstein, she clerked for the
Honorable Cecelia Morris, United States Bankruptcy Judge for the Southern District of New York and was the
Assistant Managing Attorney at Kaye Scholer LLP. Before practicing law, she built a foundation for her career in data
privacy as a senior reference librarian and acquired a master’s degree from Pratt Institute. Cassandra obtained her law
degree from Brooklyn Law School and a certificate in Pharmaceutical & Medical Device Law from Seton Hall
University Law School.
To read more, go to https://www.financialpoise.com/financialpoisewebinars/faculty/cassandra-m-porter/
52

Patrick Hromisin – patrick.hromisin@saul.com
Patrick Hromisin, associate at Saul Ewing Arnstein & Lehr, assists clients with white collar,
compliance, and complex commercial litigation matters, including representations through
trial, arbitration, mediation and negotiations with prosecutors and regulators. Patrick also
advises clients on issues involving cybersecurity and data privacy. He has counseled
numerous clients on compliance with the European Union's General Data Protection
Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
He also helps clients prepare for cybersecurity incidents; respond to potential breaches and
conduct related internal investigations; and provides representation in related litigation.
Patrick is credentialed as a Certified Information Privacy Professional/United States
(CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E) through the
International Association of Privacy Professionals (IAPP).
53

QUESTIONS OR COMMENTS?
If you have any questions about this webinar that you did not get to ask during
the live premiere, or if you are watching this webinar On Demand, please do
not hesitate to email us at info@financialpoise.com with any questions or
comments you may have. Please include the name of the webinar in your email
and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily
for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.
54

ABOUT FINANCIAL POISE
DailyDAC LLC, d/b/a Financial Poise™ provides
continuing education to attorneys, accountants,
business owners and executives, and investors. Its
websites, webinars, and books provide Plain
English, entertaining, explanations about legal,
financial, and other subjects of interest to these
audiences.
Visit us at www.financialpoise.com.
55
Our free weekly newsletter, Financial Poise
Weekly, educates readers about business,
business law, finance, and investing. To receive
it simply add yourself by going to:
https://www.financialpoise.com/newsletter/
Email addresses are never sold to or shared
with third parties.

Practical Guide to Responding to a Data Breach

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Practical Guide to Responding to a Data Breach

Similar to Practical Guide to Responding to a Data Breach (20)

More from Financial Poise

More from Financial Poise (20)

Recently uploaded

Recently uploaded (20)

Practical Guide to Responding to a Data Breach