Finance and Governance Workshop: Management of a Data Breach. James Webster, Hiscox Insurance

Post on 17-Dec-2015


TRANSCRIPT

Finance and Governance Workshop

Management of a Data Breach

James Webster

Hiscox Insurance

Question

What industry makes up the highest percentage of investigations?

Answer

Source: Trustwave 2013 Global Security Report

Question

What is the average timeframe from an initial breach to detection?

Answer

210 days

Source: Trustwave 2013 Global Security Report

Question

What are the most common methods of detection?

Answer

Source: Trustwave 2013 Global Security Report

Question

From which country do most attacks originate?

Answer

Source: Trustwave 2013 Global Security Report

Question

What percentage of breaches involve a third party responsible for system support, development or maintenance?

Answer

Source: Trustwave 2013 Global Security Report

Question

What is the average cost per compromised record after a data breach?

Answer

Source: 2013 Cost of Data Breach Study, Ponemon Institute

Question

What is the average cost per data breach incident?

Answer $3.14 million (£2.05 million) in the UK

Source: 2013 Cost of Data Breach Study, Ponemon Institute

Question

Which industries have the highest breach costs?

Answer

– Hospitality: £68 per record
– Public services: £48 per record

Source: 2013 Cost of Data Breach Study, Ponemon Institute

Question

What is the most common cause of data breaches?

Answer

Source: 2013 Cost of Data Breach Study, Ponemon Institute

Guess who?


Management of a data breach

– Breakfast with Malcolm
– Team training
– Coffee with Alan from Barclays
– Call Jenna Murray re: licensing
– Lunch with Board
– Review outsourcing agreement and call with the lawyers
– Meeting with Arnold re: finance (do not miss!)
– Conference call with Heads of Department
– Discuss conference call with FD
– Tom's appraisal

Management of a data breach

• Importance of Incident Response Plans
– Containment and recovery
– Assessment of ongoing risk
– Notification of breach
– Evaluation and response

These are not linear activities, following one another in orderly sequence...

– Breakfast with Malcolm
– Team training
– Coffee with Alan from Barclays
– Call Jenna Murray re: licensing
– Lunch with Board
– Review outsourcing agreement and call with the lawyers
– Meeting with Arnold re: finance (do not miss!)
– Conference call with Heads of Department
– Discuss conference call with FD
– Tom's appraisal

Re-arrange for Friday

Jill – rearrange this please

Handover to John

Move to tomorrow (pm)

Management of a data breach

• Containment and recovery
– Decide who is to take the lead in investigating
– Establish who needs to be informed (internally and externally – separately from any formal notifications)
– Identify actions to recover loss and/or limit damage
– Consider whether appropriate to inform the police

– Breakfast with Malcolm
– Team training
– Coffee with Alan from Barclays
– Call Jenna Murray re: licensing
– Lunch with Board
– Review outsourcing agreement and call with the lawyers
– Meeting with Arnold re: finance (do not miss!)
– Conference call with Heads of Department
– Discuss conference call with FD
– Tom's appraisal

Re-arrange for Friday

Jill – rearrange this please

Handover to John

Jill – send my apologies

Move to tomorrow (pm)

Move to Monday – tell HR

July

Send apologies!!

Management of a data breach

• Risk Assessment
– What sort of data is involved?
– What level of sensitivity is it?
– What is your best assessment of what has happened to the data (in terms of unauthorised parties who have access to it, and for how long they have had access)?
– What is its value to the unauthorised party? What harm could come to the affected individuals?
– How much data is involved?
– Are there wider consequences, e.g. risk to public health?
– Should passwords be changed or banks contacted?

Anniversary today!! Jill – can you rearrange dinner for tomorrow and please send Trudy some flowers?

Data protection training (until 12.30)

– Lunch with Tom
– Lunch with Arnold re: finance
– Meeting with Jenna Murray

Outsourcing Agreement!

Pick up kids (Trudy at hairdressers)

JILL CANCEL EVERYTHING!!!

Management of a data breach

• Notification
– ICO notification: telecoms sector and public bodies must notify. Other sectors currently voluntary regime
– FCA and other regulators: sector-specific rules apply
– Individuals: "will notification help them?" is the ICO's overriding concern

Conclusion: notification is not an end in itself

Management of a data breach

• Notification Content
– "How and when" details and overview
– Affected data, affected number of individuals
– Breach response so far, mitigation steps taken so far
– Security measures in place
– Whether individuals have been informed
– Whether there has been media coverage
– Whether investigation is being carried out, and if so, when is it due and in what format
– Whether other regulators or the police have been informed
– What future preventive measures you plan
– Is there any other information that would be useful?

Thank you
