Preparing For A Data Breach




© 2011 Co3 Systems, Inc.
The information contained herein is proprietary and confidential.
                                                                    Page 1
Agenda

  §  Introductions
  §  Today’s reality with breaches and data loss
  §  Preparing for breach
     –  The process
     –  Tips for getting it right
  §  Q&A

Introductions: Today’s Speakers

  §  Ted Julian, Chief Marketing Officer, Co3 Systems
     –  Security / compliance entrepreneur
     –  Security industry analyst
  §  Bob Siegel, Privacy Strategist & Principal, Privacy Ref LLC
     –  Previously, Sr. Manager of Worldwide Privacy and Compliance for Staples, Inc.
     –  Certified Information Privacy Professional (CIPP/US, CIPP/IT)

Co3 at a Glance

    Co3 Systems’ incident management system helps organizations that have
    customer or employee Personal Information reduce the expense, risk, and
    stress of a breach.

    A web-based/hosted SaaS platform       No hardware or software to buy or manage;
                                           it’s running in minutes
    Concerns all companies that manage     Retail, Healthcare, Financial Services,
    employee or customer data              Higher Education, Services …
    Understands all regulations that       Federal, State, Trade Associations …
    concern private information            can customize for contracts
    Can be deployed quickly and is         Intuitive, step-by-step usage model;
    easy to use                            no user training needed
    Delivers immediate, quantifiable       Expert, actionable insight in 20 minutes
    value                                  or less – regulatory obligations and
                                           industry best practices

Breach Epidemic

   … payment provider’s “fourth-quarter profit fell 90 percent on costs
   related to a security breach…took an $84.4 million pre-tax charge”

   Zappos, Amazon Sued Over Customer Data Breach

   More than half of American consumers would sue
   a company that loses its personal information

   TRICARE Hit with $4.9 Billion Suit Following Breach

                                                       Source: DataLossDB.org

Breaches Are Common – Firms Must Act

   [Chart not reproduced; its two footnotes follow]
   *  “… many of them have suffered a breach – they just don’t know it”
   ** if you haven’t been breached, why wouldn’t you disclose that?

    “With an avalanche of… breach notification laws on the horizon, you
    have no choice but to implement an incident management program. If
    you don’t have an incident management program… it’s imperative that
    you do so immediately.”
                                                 Source: “Planning For Failure” – Forrester Research, Nov. 2011

Scope of Data Loss

   The exposure of consumer or employee Personal Information

   Malicious Cyber-Attacks
      Global Consumer Electronics Firm: Hackers stole customer data,
      including credit card information (100 million records)
   Lost/Stolen Assets
      Community-Based Healthcare Plan: Laptops with patient data stolen
      by former employee (208,000 records)
   Third-Party Leaks
      Multi-Channel Marketing Service: Digital marketing agency exposes
      customer data of dozens of clients (Millions of records)
   Internal/Employee Actions
      Government Agency: Employee sent CD-ROM with personal data on
      registered advisors (139,000 records)

   In the US there are 46 States, 4 Territories, 14 Federal Authorities
   and multiple trade associations, each enforcing their own regulations
   that prescribe the treatment of personal data

Ignoring the Problem is Not an Option

  Regulatory Requirements
     46 States, 3 Commonwealths, and 14 Federal agencies have established legislation
     Fines are growing – aggressive AGs are filling state coffers
  Trade Associations & Commissions
     Industry groups, commissions, and certification bodies are imposing
     stricter guidelines and penalties
     More fines – and businesses losing accreditation
  Contractual Obligations
     Company obligations extend to 3rd party data sources, vendors, and
     even corporate customers
     Extreme sensitivity on vendor and partner use (and storage) of data
  Class Action Lawsuits
     Law firms have noticed and are picking up the pace in class-action lawsuits
     Even with no “harm”, companies are losing and settling quickly

  At the center of all four: Brand Damage

Co3 Automates Breach Management

  [Lifecycle wheel: Prepare, Assess, Manage, Report; inner ring labelled
   Simulations, Incidents, Events]

  PREPARE – Improve Organizational Readiness
  •  Assign response team
  •  Describe environment
  •  Simulate events and incidents
  •  Focus on organizational gaps

  ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments
  •  Track events
  •  Scope regulatory requirements
  •  See $ exposure
  •  Send notice to team
  •  Generate PIAs

  MANAGE – Easily Generate Detailed Incident Response Plans
  •  Escalate to complete IR plan
  •  Oversee the complete plan
  •  Assign tasks: who/what/when
  •  Notify regulators and clients
  •  Monitor progress to completion

  REPORT – Document Results and Track Performance
  •  Document incident results
  •  Track historical performance
  •  Demonstrate organizational preparedness
  •  Generate audit/compliance reports

PREPARING FOR A BREACH

Some Questions

  1.  How do your employees notify you of a potential data breach event?
  2.  How does an incident become an event?
  3.  How are external communications coordinated?

   “Organizing is what you do before you do something, so that when
    you do it, it is not all mixed up.”
                              -- A. A. Milne

Sample Event Process

  1.  Incident Occurs
  2.  Follow Incident Management Process
  3.  Escalate to CPO and CSO
      • Decides if this may be a data breach event based on currently
        known information
  4.  Engage Event Management Team
      • Determines scope of the event
      • Identifies risks and responsibilities
      • Reports back to CPO and CSO
      • Coordinates remediation
  5.  Engage Event Communication Plan
      • Defines how all communication to stakeholders is coordinated

Incident Management Processes

  §  Generally owned by IT
     •  Provides logging and tracking services
     •  May be focused on data processing incidents
     •  May not be sensitive to paper-based issues
  §  Metrics-centric process
     •  Response time
     •  Resolution time
     •  Close / Completion time
  §  Check to see how non-IT events are addressed
     •  Are non-IT events routinely handled?
     •  Are they tracked in the Incident Management system?
     •  Has a test scenario been run recently?

Event Management Team

  §  Cross-functional team
     •  Initially determines scope and impact of the event
     •  Coordinates remediation efforts
  §  Led by the Chief Privacy Officer
  §  Core members should represent…
     •  Legal
     •  Privacy
     •  Compliance
     •  Incident Management
     •  IT
  §  Other members added based on the event

Facts To Gather During An Event

  1.   Information lost
  2.   Was data encrypted
  3.   Amount of data lost
  4.   Has the data loss been stopped?
  5.   When loss occurred
  6.   Where it was lost
  7.   Who was affected
  8.   Residence of affected
  9.   Can data be recovered?
  10.  Applicable laws
  11.  Notification requirements
  12.  Potential impact to other applications
  13.  Potential impact on other organizations

Event Communication Plan

   §  Identifies members of the Event Communication Team
      –  Contains contact information for the members
   §  Defines communication parameters
      •  Who talks to whom and when
   §  Contains frameworks for communications

Event Communication Team

  Stakeholders
  •  Customers
  •  Employees
  •  Marketing Dept.
  •  Media
  •  Law enforcement
  •  Other Government Officials
  •  Shareholders

  Team Members
  •  Marketing *
  •  Internal Communications
  •  Public Relations *
  •  Security / Loss Prevention
  •  Legal
  •  Investor Relations
  •  Chief Privacy Officer

  * Potential Lead

Communication Parameters

  §  Spokespeople must be identified
     •  Spokesperson designation by stakeholder
     •  Limit communication to those designees
  §  Message content must be reviewed
     •  Consistent messages sent across stakeholders
  §  Keep Executive Leadership informed
     •  Frequent updates from chairs of both teams
  §  Use Executives as spokespeople sparingly

Communication Frameworks

  §  Most communications can be prewritten
     •  Details of the specific event are added at the time of the event
  §  Prepared items may include…
     •  Press releases
     •  Letters / emails to customers
     •  Website updates
     •  Employee notices
     •  Talking points for the media

Test, Test, and Retest

  §  Make all participants familiar with processes before they are implemented
  §  Two common types of testing

    Table Top Exercises
    •  Multiple scenarios defined
    •  Key participants meet
    •  Each scenario is discussed

    Scenario exercise
    •  One scenario is defined
    •  Participants notified on the day the exercise happens
    •  Production processes and tools are used to manage the event
    •  Key participants meet to debrief

Other Considerations

  §  System of record
  §  Methods of communications
  §  Independent divisions
     •  Multinational divisions
     •  Acquired businesses
     •  Recognized brands

Questions

Thanks!

     Co3 Systems                              Privacy Ref LLC
     1 Alewife Center, Suite 450              ph: 508-474-5125
     Cambridge, MA 02140                      e: info@privacyref.com
     ph: 617-206-3900                         privacyref.com
     e: info@co3sys.com
     www.co3sys.com

  Gartner:
  “Co3 …define(s) what software packages for privacy look like.”
