breached! the first 48
TRANSCRIPT
© 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential. Page 1
The severity of your breach will be substantially determined by what you do in the next 48 hours…
BREACHED: THE FIRST 48
Agenda
§ Introductions
§ Today’s reality with breaches and data loss
§ The First 48
– 6 Steps To Weather A Breach
§ Q & A
Introductions: Today’s Speakers
§ Ted Julian, Chief Marketing Officer, Co3 Systems
– Security / compliance entrepreneur
– Security industry analyst
§ Deb Hampson, AVP & Assistant General Counsel, The Hartford
– Head of Corporate Privacy Office since 2006
– Previously head of The Hartford Life's Corporate Compliance Unit and the Group Benefits Legal Team
– Specialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues.
About Co3 Systems
Co3 Systems’ incident management system helps organizations that have customer or employee Personal Information reduce the expense, risk, and stress of a breach.
§ A web-based/hosted SaaS platform
– No hardware or software to buy or manage; it’s running in minutes
§ Concerns all companies that manage employee or customer data
– Retail, Healthcare, Financial Services, Higher Education, Services …
§ Understands all regulations that concern private information
– Federal, State, Trade Associations …; can customize for contracts
§ Can be deployed quickly and is easy to use
– Intuitive, step-by-step usage model; no user training needed
§ Delivers immediate, quantifiable value
– Expert, actionable insight in 20 minutes or less
About The Hartford
Personal Lines
Small Commercial
Middle Market
Group Benefits Specialty
Retirement
Individual Life
Mutual Funds
Annuities
Breach Epidemic
§ More than half of American consumers would sue a company that loses its personal information
§ Since 2010, Data Breaches Affect 2 Mil in Mass
§ TRICARE Hit with $4.9 Billion Suit Following Breach
§ Zappos, Amazon Sued Over Customer Data Breach
Source: DataLossDB.org
Data Loss Comes in Several Forms
The exposure of consumer or employee Personal Information
§ Malicious Cyber-Attacks
– Global Consumer Electronics Firm: Hackers stole customer data, including credit card information (100 million records)
§ Lost/Stolen Assets
– Community-Based Healthcare Plan: Laptops with patient data stolen by former employee (208,000 records)
§ Third-Party Leaks
– Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients (millions of records)
§ Internal/Employee Actions
– Government Agency: Employee sent CD-ROM with personal data on registered advisors (139,000 records)
Ignoring the Problem is Not an Option
§ Regulatory Requirements
– 46 States, 3 Commonwealths, and 14 Federal agencies have established legislation
– Fines are growing – aggressive AGs are filling state coffers
§ Trade Associations & Commissions
– Industry groups, commissions, and certification bodies are imposing stricter guidelines and penalties
– More fines – and businesses losing accreditation
§ Class Action Lawsuits
– Law firms have noticed and are picking up the pace in class-action lawsuits
– Even with no “harm”, companies are losing and settling quickly
§ Contractual Obligations
– Company obligations extend to 3rd party data sources, vendors, and even corporate customers
– Extreme sensitivity on vendor and partner use (and storage) of data
§ Brand Damage
BREACHED: THE FIRST 48
Step 1: Don’t Panic, Investigate.
§ It’s easy to get whipped into a frenzy given the stakes and uncertainty – don’t let this happen
§ Investigate carefully to verify:
– What data was involved? Is it personal information (PI)?
– Was the data encrypted? (Encryption only helps your position if the keys were not exposed along with the data)
– Do you need to notify consumers? In what states?
– Do you need to contact Attorneys General (AGs)?
– Forensics are your friend: preserve logs and disk images before you remediate, or you lose the ability to establish scope
§ Harm determination
– What does “risk of harm” mean?
• Ex. is verbal agreement to destroy enough?
§ May need to reconstruct data
§ Can be tough to outsource
– Do they know your data and industry?
Step 2: Coordinate Internally
§ Pull your incident response (IR) team together, execute your IR plan
§ Notify Senior Management
– Identify core people and message
• Ex. Business unit head, Compliance, and General Counsel
§ Get Media Relations on board and on message
– They need to be ready the moment you notify regulators
§ Remediate the source of the breach
§ Train Customer Service on process and message
Step 3: Coordinate Externally
§ Outsourced customer service
– Have a contract in place in advance
§ Credit Reporting Agencies (CRAs)
– Have a contract in place in advance
– Have different products available depending on the situation (product offering ability to lock/unlock credit file)
– 1 or 2 years of coverage?
– Get codes for consumer notifications
– Define how freezes will be paid for
§ Law enforcement
§ Cyber insurance provider
§ Notification fulfillment provider
Step 4: Get Consumer Notifications Out
§ Who needs to get them?
– Everyone? Just those in the required states?
§ What needs to be said?
– Understand content requirements imposed by statute/law
• Ex. Letters to MA residents will look different than letters to CA residents
– How much credit monitoring will be offered?
– If vendors are involved, will they be identified?
§ How quickly do they need to go out?
– Understand deadlines set forth by statute/law
§ Who will send them?
– May want to do small internally, outsource large
§ Include a FAQ
Step 5: Other Notifications
§ Legally Required Regulator Notifications. May include:
– State Regulators such as Attorney General
– Federal Regulators such as HHS
– Industry Specific Regulators such as Insurance Commissioners
§ Consider Other Legally Required Notifications
– Contractually Required Notifications (customers, vendors, credit card brands, etc.)
§ Make Decisions regarding Non-Legally Required Entities:
– Other Regulators: All Attorneys General, Local Regulators, etc.?
– Consider pairing state consumer notifications with state regulators?
• Ex. If Maine residents, then Maine AG, Maine Insurance Commissioner, etc.
Step 6: Be Ready To Clean Up and Follow Up
§ Returned notifications
§ Bad, outdated contact information
– Might want a provider to get updated information
§ Monitor media for false information
– Make decision about whether or not to publicly correct information
§ Be prepared for a flood of consumer inquiries and questions
Questions?
Thanks!
Gartner: “Co3 …define(s) what software packages for privacy look like.”
1 Alewife Center, Suite 450 Cambridge, MA 02140
ph: 617-206-3900 e: [email protected]
www.co3sys.com