Prepare For Breaches Like a Pro

© 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.

Preparing For A Data Breach

Upload: co3-systems

Post on 18-Nov-2014


DESCRIPTION

Breaches happen to the best of us. Occasionally they're large, headline grabbers with significant financial impact. For example, last week a payments processor revealed that it took an $84.4 million charge related to a breach it disclosed earlier this year. As a result of this charge, the firm's quarterly profit fell 90%. But even small breaches can be incredibly painful. Last year a local newsstand suffered a small breach. The resulting $22,000 in expenses cut profits in half. Though we can't prevent breaches, we can certainly prepare for them to minimize the damage and stress. In fact, breach management pros are so good at this that a breach situation doesn't bring the organization to its knees; they take it in stride. This webinar will reveal how you can do the same. Based on time in the trenches at a major retailer, our featured speaker will share with you a breach preparation process with specific tactics for its implementation. You'll learn what team members you'll need, how to recruit them, what data you'll need to collect, how to put together a communication plan, and more.

Our featured speaker for this timely webinar is Bob Siegel, Privacy Strategist & Principal, Privacy Ref (formerly Sr. Mgr of WW Privacy & Compliance at Staples; CIPP/US, CIPP/IT). Blogs at: http://privacyref.com/

TRANSCRIPT

Page 1

Preparing For A Data Breach

Page 2

Agenda

§  Introductions
§  Today’s reality with breaches and data loss
§  Preparing for breach
–  The process
–  Tips for getting it right
§  Q&A

Page 3

Introductions: Today’s Speakers

§  Ted Julian, Chief Marketing Officer, Co3 Systems
–  Security / compliance entrepreneur
–  Security industry analyst
§  Bob Siegel, Privacy Strategist & Principal, Privacy Ref LLC
–  Previously, Sr. Manager of Worldwide Privacy and Compliance for Staples, Inc.
–  Certified Information Privacy Professional (CIPP/US, CIPP/IT)

Page 4

Co3 at a Glance

Co3 Systems’ incident management system helps organizations that have customer or employee Personal Information reduce the expense, risk, and stress of a breach.

§  A web-based/hosted SaaS platform: no hardware or software to buy or manage; it’s running in minutes
§  Concerns all companies that manage employee or customer data: Retail, Healthcare, Financial Services, Higher Education, Services …
§  Understands all regulations that concern private information: Federal, State, Trade Associations …; can customize for contracts
§  Can be deployed quickly and is easy to use: intuitive, step-by-step usage model; no user training needed
§  Delivers immediate, quantifiable value: expert, actionable insight in 20 minutes or less – regulatory obligations and industry best practices

Page 5

Breach Epidemic

More than half of American consumers would sue a company that loses its personal information

TRICARE Hit with $4.9 Billion Suit Following Breach

Zappos, Amazon Sued Over Customer Data Breach

Source: DataLossDB.org

… payment provider’s “fourth-quarter profit fell 90 percent on costs related to a security breach…took an $84.4 million pre-tax charge”

Page 6

Breaches Are Common – Firms Must Act

Source: “Planning For Failure” – Forrester Research, Nov. 2011

“… many of them have suffered a breach – they just don’t know it”

** If you haven’t been breached, why wouldn’t you disclose that?

“With an avalanche of… breach notification laws on the horizon, you have no choice but to implement an incident management program. If you don’t have an incident management program… it’s imperative that you do so immediately.”

Page 7

Scope of Data Loss

The exposure of consumer or employee Personal Information:
•  Malicious Cyber-Attacks
•  Lost/Stolen Assets
•  Third-Party Leaks
•  Internal/Employee Actions

Global Consumer Electronics Firm: Hackers stole customer data, including credit card information – 100 million records

Community-Based Healthcare Plan: Laptops with patient data stolen by former employee – 208,000 records

Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients – Millions of records

Government Agency: Employee sent CD-ROM with personal data on registered advisors – 139,000 records

In the US there are 46 States, 4 Territories, 14 Federal Authorities and multiple trade associations, each enforcing their own regulations that prescribe the treatment of personal data

Page 8

Ignoring the Problem is Not an Option

•  46 States, 3 Commonwealths, and 14 Federal agencies have established legislation
•  Fines are growing – aggressive AGs are filling state coffers

Trade Associations & Commissions
•  Industry groups, commissions, and certification bodies are imposing stricter guidelines and penalties
•  More fines – and businesses losing accreditation

Class Action Lawsuits
•  Law firms have noticed and are picking up the pace in class-action lawsuits
•  Even with no “harm”, companies are losing and settling quickly

Contractual Obligations
•  Company obligations extend to 3rd party data sources, vendors, and even corporate customers
•  Extreme sensitivity on vendor and partner use (and storage) of data

Regulatory Requirements

Brand Damage

Page 9

[Diagram labels: Simulations, Incidents, Events; Prepare, Assess, Manage, Report]

Co3 Automates Breach Management

PREPARE – Improve Organizational Readiness
•  Assign response team
•  Describe environment
•  Simulate events and incidents
•  Focus on organizational gaps

ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments
•  Track events
•  Scope regulatory requirements
•  See $ exposure
•  Send notice to team
•  Generate PIAs

MANAGE – Easily Generate Detailed Incident Response Plans
•  Escalate to complete IR plan
•  Oversee the complete plan
•  Assign tasks: who/what/when
•  Notify regulators and clients
•  Monitor progress to completion

REPORT – Document Results and Track Performance
•  Document incident results
•  Track historical performance
•  Demonstrate organizational preparedness
•  Generate audit/compliance reports

Page 10

PREPARING FOR A BREACH

Page 11

Some Questions

1.  How do your employees notify you of a potential data breach event?
2.  How does an incident become an event?
3.  How are external communications coordinated?

“Organizing is what you do before you do something, so that when you do it, it is not all mixed up.”

-- A. A. Milne

Page 12

Sample Event Process

1.  Incident Occurs
2.  Follow Incident Management Process
3.  Escalate to CPO and CSO
4.  Engage Event Management Team
5.  Engage Event Communication Plan

•  Decides if this may be a data breach event based on currently known information

•  Determines scope of the event
•  Identifies risks and responsibilities
•  Reports back to CPO and CSO
•  Coordinates remediation

•  Defines how all communication to stakeholders is coordinated

Page 13

Incident Management Processes

§  Generally owned by IT
•  Provides logging and tracking services
•  May be focused on data processing incidents
•  May not be sensitive to paper-based issues

§  Metrics-centric process
•  Response time
•  Resolution time
•  Close / Completion time

§  Check to see how non-IT events are addressed
•  Are non-IT events routinely handled?
•  Are they tracked in the Incident Management system?
•  Has a test scenario been run recently?

Page 14

Sample Event Process (diagram repeated from Page 12)

Page 15

Event Management Team

§  Cross-functional team
•  Initially determines scope and impact of the event
•  Coordinates remediation efforts

§  Led by the Chief Privacy Officer

§  Core members should represent…
•  Legal
•  Privacy
•  Compliance
•  Incident Management
•  IT

§  Other members added based on the event

Page 16

Facts To Gather During An Event

1.  Information lost
2.  Was data encrypted
3.  Amount of data lost
4.  Has the data loss been stopped?
5.  When loss occurred
6.  Where it was lost
7.  Who was affected
8.  Residence of affected
9.  Can data be recovered?
10.  Applicable laws
11.  Notification requirements
12.  Potential impact to other applications
13.  Potential impact on other organizations

Page 17

Sample Event Process (diagram repeated from Page 12)

Page 18

Event Communication Plan

§  Identifies members of the Event Communication Team
–  Contains contact information for the members

§  Defines communication parameters
•  Who talks to whom and when

§  Contains frameworks for communications

Page 19

Event Communication Team

Stakeholders
•  Customers
•  Employees
•  Marketing Dept.
•  Media
•  Law enforcement
•  Other Government Officials
•  Shareholders

Team Members
•  Marketing *
•  Internal Communications
•  Public Relations *
•  Security / Loss Prevention
•  Legal
•  Investor Relations
•  Chief Privacy Officer

* Potential Lead

Page 20

Communication Parameters

§  Spokespeople must be identified
•  Spokesperson designation by stakeholder
•  Limit communication to be done to designees

§  Message content must be reviewed
•  Consistent messages sent across stakeholders

§  Keep Executive Leadership informed
•  Frequent updates from chairs of both teams

§  Use Executives as spokespeople sparingly

Page 21

Communication Frameworks

§  Most communications can be prewritten
•  Details of the specific event added at Event

§  Prepared items may include…
•  Press releases
•  Letters / emails to customers
•  Website updates
•  Employee notices
•  Talking points for the media

Page 22

Test, Test, and Retest

§  Make all participants familiar with processes before they are implemented

§  Two common types of testing

Table Top Exercises
•  Multiple scenarios defined
•  Key participants meet
•  Each scenario is discussed

Scenario Exercise
•  One scenario is defined
•  Participants notified day of exercise happening
•  Production processes and tools are used to manage the event
•  Key participants meet to debrief

Page 23

Other Considerations

§  System of record
§  Methods of communications
§  Independent divisions
•  Multinational divisions
•  Acquired businesses
•  Recognized brands

Page 24

Questions

Page 25

Thanks!

Gartner: “Co3 …define(s) what software packages for privacy look like.”

1 Alewife Center, Suite 450 Cambridge, MA 02140

ph: 617-206-3900 e: [email protected]

www.co3sys.com

ph: 508-474-5125 e: [email protected]

privacyref.com