You’ve received the dreaded call that your company has just suffered a data breach – what do you do next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your business in a position to recover. Your company may have already implemented its information security program and identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must call up your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients, customers, or the public of the breach. This webinar will help prepare you to take action when the worst happens.
Part of the webinar series: Cybersecurity & Data Privacy 2021
See more at https://www.financialpoise.com/webinars/
2. 2
Practical and entertaining education for
attorneys, accountants, business owners and
executives, and investors.
3. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered
legal, financial or other professional advice. You should consult with an attorney or other
appropriate professional to determine what may be best for your individual needs. While
Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate,
Financial Poise™ makes no guaranty in this regard.
3
4.
5. Meet the Faculty
MODERATOR:
Kathryn Nadro – Sugar, Felsenthal, Grais & Helsinger LLP
PANELISTS:
J. Eduardo Campos – Embedded-Knowledge, Inc.
Anna Mercado Clark – Phillips Lytle LLP
Cassandra Porter – Zuora
5
6. About This Webinar-Data Breach Response: Before and
After the Breach
You’ve received the dreaded call that your company has just suffered a data breach – what do you do
next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your
business in a position to recover. Your company may have already implemented its information security
program and identified the responsible parties, including applicable outside experts, to be contacted in
the event of a breach. However, now you must call up your incident response team to investigate the
extent of the breach, evaluate the possible damage to your company, and determine whether you must
notify your clients, customers, or the public of the breach. This webinar will help prepare you to take
action when the worst happens.
6
7. About This Series
Cyber Security & Data Privacy 2021
Cybersecurity and data privacy are critical topics of concern for every business in today’s
environment. Data breaches are a threat to every business and can cause both direct losses
from business interruption and loss of data to indirect losses from unwanted publicity and
damage to your business’s reputation. Compliance with a patchwork of potentially applicable
state and federal laws and regulations may cost your business in terms of money and time.
This series discusses the various laws and regulations that affect businesses in the United
States and in Europe, as well as the best practices to use in creating an information security
program and preparing for and responding to data breaches.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and
executives without much background in these areas, yet is of primary value to attorneys, accountants, and other
seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to
entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that
participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
7
8. Episodes in this Series
#1 Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 08/04/21
#2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and
Compliance
Premiere date: 9/01/21
#3: How to Build and Implement your Company's Information Security Program
Premiere date: 10/06/21
#4: Data Breach Response: Before and After the Breach
Premiere date: 11/03/21
8
10. Overview
• What is a Data Breach?
✓ Simply put, a data breach is a confirmed incident in which sensitive, confidential or
otherwise protected data has been accessed and/or disclosed in an unauthorized
fashion
✓ Data breach may have different meanings under various state, federal, and
international laws
• Data Breach Consequences
✓ Substantial costs in breach response
✓ Private lawsuits
✓ Government fines
✓ Reputational harm
11. Overview
• Data Breach Facts (IBM Cost of a Data Breach Report 2021)
✓ Per Record with Personally Identifiable Information: approximately $180
✓ 10% increase in average total cost of a breach from 2020 to 2021
✓ $4.62 million average total cost of a ransomware breach
✓ $4.24 million global average total cost of a data breach
• Average Data Breach Costs According to Each Industry
✓ Healthcare: $9.23 million
✓ Financial: $5.72 million
✓ Communications: $3.62 million
✓ Industrial: $4.24 million
12. Overview
• Data Breach Costs (cont’d)
✓ A few costs include -
▪ Computer forensics
▪ Breach notification mailing, call centering and identity restoration services costs
▪ Public relations
▪ Regulatory investigation, fines and penalties
▪ Lawsuit(s)
▪ Legal services
• Average number of days to identify and contain a breach: 287 days
13. Overview
• Data Breach Causes
✓ Malware/Ransomware
✓ Unsecured website login systems
✓ Use of unapproved, insecure software
✓ Insecure IT infrastructure
✓ Phishing/e-mail scam
✓ Employees mishandling data
✓ Human factor/negligence
14. Overview
• Data Breach Goals
✓ Money
✓ Theft of personal information
▪ Purchase of goods with stolen credit card information
✓ Filing of fraudulent tax returns
✓ Sale of personal information
✓ Disgruntled employee(s) use of information
✓ Corporate espionage
15. So, You Think You’ve Been Breached…
• Know who to call
✓ Incident Response Team
✓ Management
✓ Legal counsel
✓ IT support
✓ Public relations
✓ Forensic support
✓ Insurance
✓ Consider contractual obligations
16. So, You Think You’ve Been Breached… (cont’d)
• Breach Response
✓ Identify
▪ Determine if a breach actually occurred
✓ Investigate
▪ How did the breach occur?
✓ Contain
▪ Contain and mitigate the data breach
✓ Notify
▪ Provide notifications
✓ Remediate
▪ Prevent reoccurrence of breach
17. Breach Response: Identify/Detect
• First, identify if an incident is a data breach
✓ Employees may have exposed sensitive personal data by accident;
✓ Common indicators of compromise include –
o unusual login times
o reduced operating speeds across the network or heavy, unexplained traffic
o use of nonstandard command prompts
o unexpected restarts
o use of unusual software
o malfunctioning of antivirus/security software
o the presence of unexpected IPs
18. Breach Response: Identify/Detect (cont’d)
• Identify if an incident is a data breach (cont’d)
✓ Security monitoring systems (cont’d)
▪ Top Cyber Threat Vulnerabilities
o Phishing
o Malware
o Ransomware
o Data Breaches
o Compromised passwords
▪ Conduct Cyber Threat Assessments
o A good cyber threat assessment offers security and threat prevention by
exposing application vulnerabilities;
o detecting malware and botnets;
o identifying “at risk” devices
19. Breach Response: Identify/Detect (cont’d)
• Second, investigate promptly
✓ Consider relevant facts
✓ Inside or outside threat?
✓ Conduct interviews
✓ Analyze compromised systems
✓ Identify malware employed, if applicable
✓ Engage forensic experts, as appropriate
✓ Engage legal counsel early in the process
✓ Reconstruct the incident
20. Breach Response: Identify/Detect (cont’d)
• Second, investigate promptly (Cont’d)
✓ Evaluate the nature, extent, and scope of incident
✓ What information was improperly disclosed?
✓ Was the information recovered?
✓ When and how did the incident happen?
✓ How many individuals were affected?
✓ Does the incident involve residents of multiple states?
✓ Document the investigation findings, conclusion and rationale
21. Breach Response: Containment
• Third, once you discover you’ve been breached, contain the breach
• Move quickly to secure systems and fix vulnerabilities
• Mobilize breach response team ASAP
• Assemble a team of experts based on the size of your company, including:
✓ Forensics
✓ Legal
✓ Internal team leader
22. Breach Response: Containment
• The First 24 Hours Checklist
✓ Record the date and time when the breach was discovered & response efforts begin
✓ Alert and activate everyone on the response team
✓ Secure the premises around the area where the data breach occurred to help
preserve evidence
23. Breach Response: Containment
• The First 24 Hours Checklist (Cont’d)
✓ Stop additional data loss
▪ Take devices offline but DO NOT turn off
✓ Assess priorities and risks
✓ Notify customers, affected businesses, law enforcement and other regulatory
agencies
24. Breach Response: Fix Vulnerabilities
• Service providers
✓ Ensure service providers that have access to sensitive personal data remedy their
vulnerabilities to protect against another breach
• Network segmentation
✓ Prevents breach on one server from leaking over to another server
✓ Determine if network segmentation is correct
25. Breach Response: Fix Vulnerabilities
• Work with forensic experts
✓ Encryption enabled
✓ Analyze backup or preserved data
✓ Review the type of information compromised
• Develop a communication plan
✓ Develop comprehensive plan to communicate internally
26. Breach Response: Breach Team
• Forensics Team - helps determine the source and scope of breach
✓ Captures forensic images of affected systems
✓ Collects and analyze evidence, and
✓ Outlines remediation steps
• Hire independent forensics investigators
27. Breach Response: Breach Team
• Legal Counsel - helps identify your legal obligations
✓ Identifies state and federal regulations regarding data breaches for your industry
✓ Identifies entities that need to be notified, i.e. customers, employees, government
agencies, regulation boards, etc.
✓ May provide privilege to the investigation process if retained early enough and if
directs forensic investigation
❑ Certain courts have refused to apply privilege to investigation even under
those circumstances
✓ Ensures notifications occur within any mandated timeframes
28. Breach Response: Notice
• Fourth, determine your notification obligations
• Potential parties to notify:
✓ Customers
✓ Law enforcement and other regulatory agencies
✓ Affected businesses
29. Breach Response: Notice (cont’d)
• Notification requirements vary based on state, federal, and international law
✓ All 50 U.S. states require some level of notification to individuals when a breach
occurs
✓ If breaches reach a certain size (e.g., over 500 individuals), many states require
notification to attorneys general
✓ Notification generally must occur within a “reasonable time” after the breach is
discovered
✓ Generally, must include description of the circumstances of the breach,
steps taken to remedy the incident, steps intended to be taken after the
notification, and occasionally whether law enforcement is involved in
investigating the incident
✓ International law may be stricter than your specific state
✓ GDPR requires notice in 72 hours in some cases
30. Breach Response: Notice…to the FBI?
• Consider contacting the FBI and/or local authorities when a breach involves:
o Significant loss in data, system availability, or control of systems
o A large number of victims
o Unauthorized access to or malicious software on critical information technology
systems
o Critical infrastructure or core government functions
o National security, economic security, or public health and safety
o Financial transactions, such as unauthorized wire transfers
31. Breach Response: Remediation
• Fifth, remediate the data breach
• Generally long and thorough and requires looking at other potential flaws in security
infrastructure
• Develop a remediation plan that is tailored to the breach incident to prevent it from
happening again
✓ Honest & true assessment of cause of breach
32. Breach Response: Remediation (cont’d)
• A few remediation practices include -
✓ Developing an internal and external communications plan
✓ Strengthen data security policies
✓ Planning to prevent reoccurrence
✓ Providing additional training to employees on data security
✓ Maintaining documentation of actions
✓ Insurance considerations
33. Prevention is Better than Remediation: Data Breach
Response Plan
• What is a data breach response plan?
✓ Aims to help you manage a data breach
✓ Provides a framework that sets out roles and responsibilities for managing an
appropriate response to data breach
✓ Describes steps an entity should take to manage a breach, should one occur
• Why do you need a data breach response plan?
✓ Provides clarity and mitigates confusion
✓ Gives all employees knowledge of how to address a data breach
✓ Establishes a chain of command and responsibilities of each employee
✓ Quicker response time to fixing the breach
34. Data Breach Response Plan
• A data breach response plan should:
✓ Provide the actions to be taken if a breach is suspected, discovered or reported by a
staff member, including when it is to be escalated to the response team
✓ Identify members of your data breach response team (response team)
✓ Identify the actions the response team is expected to take
✓ Be in writing
▪ Staff and employees could clearly understand the roles and responsibilities
✓ Identify goals and objectives of the plan
35. Data Breach Response Plan
• Data breach response plan should cover:
✓ A strategy for assessing, managing and containing data breaches
✓ A clear explanation of what constitutes a data breach
✓ The reporting line if staff do suspect a data breach
✓ The circumstances in which the breach can be handled by a line manager or when it
should be escalated to the response team
✓ Recording data breaches
✓ A strategy to identify and address any weaknesses in data handling that contributed
to the breach
✓ A system for a post-breach review and assessment of your entity’s response to the
data breach and the effectiveness of your data breach response plan
✓
36. Breach Response: Remediation
• Insurance Considerations
✓ Traditional policies
E&O
D&O
▪ CGL
✓ These policies frequently do not cover costs arising out of a security incident or data
breach
37. Breach Response: Remediation (cont’d)
• Insurance Considerations (Cont’d)
✓ 1st party coverage typically includes -
▪ Business interruption
▪ Cyber extortion
▪ Data restoration
▪ Forensic costs
▪ Crisis management
▪ Legal costs
▪ Notification, call center, credit monitoring/identity restoration
38. Breach Response: Remediation (cont’d)
• Insurance Considerations (Cont’d)
✓ 3rd party coverage typically includes -
▪ Regulatory investigation
▪ PCI assessments and fines
▪ Lawsuits
▪ Insurance coverage frequently requires notice to the insurer prior to hiring counsel or any
investigators or other vendors, so notify the insurer as soon as possible
39. Trending Topics: Ransomware
• Ransomware is a growing threat, particularly since the pandemic increased remote work
o Companies may face both paying a ransom and then dealing with a data breach
remediation
o Attacks on critical infrastructure, such as the Colonial Pipeline incident in May 2021
o FBI and other agencies prioritized fighting ransomware in a similar way to fighting
terrorism
o Email is among the most prevalent attack vectors used to deliver ransomware
• In 2020, the U.S. Office of Foreign Asset Control (OFAC issued guidance stating that the
government would start enforcing sanctions in connection with ransomware attacks
o OFAC announced it would enforce it not only against ransomware victims, but also
against their insurers and the intermediaries hired by companies or their insurers,
such as cybersecurity firms that negotiate with threat actors
• Insurance may be available for ransomware, but many policies require consent prior to
making a payment
40. Trending Topics: Standing for data breach victims in
court
• Plaintiffs in data breach litigation have had an uphill battle in establishing standing when
there is only an increased risk of identify theft due to a data breach
• McMorris Factors (McMorris v. Carlos Lopez & Associates LLC, 995 F.3d 295 (2d Cir.
2021)):
o Whether plaintiff’s data was exposed as the result of a targeted attempt to obtain the
data
o Whether any portion of the compromised dataset already has been misused; and
o Whether the exposed data includes high-risk information – e.g., Social Security
numbers and dates of birth
42. About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice.
Katie advises clients on a diverse array of business matters, including data security and privacy
compliance, commercial and business disputes, and employment issues. Katie works with individuals
and businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data
security and privacy issues, including breach response, policy drafting, program management, data
collection, vendor management, and compliance with ever-changing state, federal, and international
privacy law. Katie also has broad litigation experience representing companies and individuals in
contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state
and federal court. With a background as both in-house and outside counsel, Katie understands that
business objectives, time, and resources play an important role in reaching a favorable outcome for
each client.
42
43. About The Faculty
J. Eduardo Campos - jeduardo.campos@embedded-knowledge.com
After creating business growth opportunities on four continents, J. Eduardo Campos spent thirteen
years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest
levels of government in the U.S. and abroad. Today, Eduardo is living his dream of building a better
tomorrow through his consulting firm, Embedded-Knowledge, Inc. Working with organizations and
entrepreneurs, he develops customized business strategies and forms partnerships focused on
designing creative solutions to complex problems.
43
44. About The Faculty
Anna Mercado Clark - AClark@phillipslytle.com
As leader of Phillips Lytle’s Data Security & Privacy and E-Discovery & Digital Forensics Practice Teams, Ms. Clark
focuses on complex e-discovery and digital forensics, cybersecurity and data privacy, and complex commercial
litigation. As a former Assistant District Attorney, she also handles white collar criminal matters and investigations.
Additionally, Ms. Clark has been awarded the following ANSI-accredited credentials by the International
Association of Privacy Professionals (IAPP): Certified Information Privacy Professional/Europe (CIPP/E) and
Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US), preeminent certifications for
advanced concentration in European data protection laws and U.S. private-sector laws, standards and practices,
respectively. Ms. Clark routinely counsels sophisticated clients on data governance issues to address business
needs while minimizing risks and complying with a rapidly evolving regulatory landscape and other legal
obligations. She has extensive experience advising businesses in the technology, consumer, health care and
financial industries regarding information management and disposition policies, litigation readiness, data transfers,
third-party/vendor negotiation and management relative to data administration, and disaster recovery and
avoidance.
To read more, go to https://www.financialpoise.com/webinar-faculty/anna-mercado-clark/
44
45. About The Faculty
Cassandra M. Porter - caporter@zuora.com
Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company working to
transform clients’ businesses, operations and technology models for the digital era. She counsels internal clients on
privacy-related matters such as data collection practices, online advertising, mobile commerce, along with the
development and acquisition of new technology, data incidents and management. Cassandra is a member of the inaugural
class of Privacy Law Specialists, a new specialty recognized by the American Bar Association, and a Fellow of Information
Privacy by the International Association of Privacy Professionals (IAPP). Her IAPP credentials as a Certified Information
Privacy Professional and Certified Information Privacy Manager designate her as thought leader in the field. She is a
former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers Advisory Committee for the
District of New Jersey. As a member of the United States Trustee’s Consumer Privacy Ombudsman (CPO) panel, she
served as the CPO in the Golfsmith International chapter 11 cases. Previously she was counsel at Lowenstein Sandler LLP
where, in addition to assisting clients with data privacy-related issues, she also regularly represented debtors in
possession and creditors in chapter 11 matters along with indigents in chapter 7 proceedings in association with the
Volunteer Lawyers for Justice. Prior to joining Lowenstein, she clerked for the Honorable Cecelia Morris, United States
Bankruptcy Judge for the Southern District of New York and was the Assistant Managing Attorney at Kaye Scholer LLP.
45
46. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live
premiere, or if you are watching this webinar On Demand, please do not hesitate to email us
at info@financialpoise.com with any questions or comments you may have. Please include
the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes
only. It has been prepared primarily for attorneys and accountants for use in the pursuit of
their continuing legal education and continuing professional education.
46
47. About Financial Poise
47
DailyDAC LLC, d/b/a Financial Poise™ provides
continuing education to attorneys, accountants,
business owners and executives, and investors. It’s
websites, webinars, and books provide Plain English,
entertaining, explanations about legal, financial, and
other subjects of interest to these audiences.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise
Weekly, updates you on new articles published
on our website and Upcoming Webinars you
may be interested in.
To join our email list, please visit:
https://www.financialpoise.com/subscribe/