HOW TO AVOID COMMON DATA BREACH PITFALLS IAPP Privacy Academy 2014.

Slides:

Advertisements

Similar presentations

Nishidh, CISSP. To comply with Sarbanes oxley and other legislations To comply with industry standards and business partner requirements To protect.

Advertisements

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

Freshfields Bruckhaus Deringer LLP Global investigations What to advise your board Marius Berenbrok Edward Braham Matthew Herman Melissa Thomas 29 February.

This refresher course will:

IAPP Global Privacy Summit, 3/8/12 1. Joanne McNabb, CIPP/US/G/IT Chief California Office of Privacy Protection Lisa Sotto Partner & Head, Privacy & Information.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

Ethical Issues in Data Security Breach Cases Presented by Robert J. Scott Scott & Scott, LLP

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Karl Heins -- Director of IT Audit Services Office of the University.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

In the Belly of the Breach: What Every In-House Counsel Needs to Know about Data Breach Response ACC International Legal Affairs Committee Legal Quick.

1Copyright Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.

Why are Small and Mid-Size Companies Easy Targets for Hackers, and What can You do to Protect Yourself? 2/11/2015 Asher Dahan.

Investigating & Preserving Evidence in Data Security Incidents Robert J. Scott Scott & Scott, LLP

Enterprise Computing Community June , 2010February 27, Information Security Industry View Linda Betz IBM Director IT Policy and Information.

WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, :30 am – 12:30 pm.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

Why the Office of Compliance and Ethics was Created

CONFIDENTIAL © 2014 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is confidential, proprietary and the property of.

INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices.

The Impact of Privacy on HP’s Customer Relationship Management Solution Mike Overly Vice President, Marketing © 2003 Hewlett-Packard Development Company,

℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.

UMBC POLICY ON ESH MANAGEMENT & ENFORCEMENT UMBC Policy #VI

DOJ Perspectives on Effective Compliance and Investigations Maxwell Carr-Howard Husch Blackwell, LLP October 8, 2012.

What Keeps Your Board Up at Night? Sylvia Kerrigan, Exec. VP, General Counsel & Secretary – Marathon Oil Sean Gorman, Partner – Bracewell & Giuliani.

Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.

Information Systems, Security, and e-Commerce* ACCT7320, Controllership C. Bailey *Ch in Controllership : The Work of the Managerial Accountant,

Implementing an Effective Global Anti-Bribery Program Implementing an Effective Global Anti-Bribery Program Elaine Murphy, MBA Director Health Care Compliance.

1Copyright Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty.

Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.

Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

Compliance, Defensibility & Usability of Information on a Global Stage Monday, October 19, :00 – 10:30 AM Global Legal Issues 1.

2013 Cost of Data Breach Survey: Global Analysis Ponemon Institute (2013) 1.

New EU General Data Protection Regulation Conference 2016 Managing a Data Breach Prevention-Detection-Mitigation By Gerard Joyce Dun Laoghaire Feb 24 th.

The Privacy Symposium August 22, 2007 ©2007. Goodwin Procter LLP The Ethics and Responsibilities of a Privacy Professional.

CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)

Investigations: Strategies and Recommendations (Hints and Tips) Leah Lane, CFE Director, Global Investigations, Texas Instruments, Inc.

1 AFCOM Data Center World March 15, 2016 Moderator: Donna Jacobs, MBA Panel: Greg Hartley Bill Kiss Adam Ringle, MBA ITM 9.2 The New Security Challenge:

Security – 2015’s Biggest Threat to Client Confidentiality A Panel Discussion Joseph Abrenio, VP of Cyber Advisory Services & General Counsel Delta Risk.

JOHN M. HUFF NAIC PRESIDENT DIRECTOR, MISSOURI DEPARTMENT OF INSURANCE JUNE 16, 2016 NAIC CYBERSECURITY INITIATIVES.

Cybersecurity as a Business Differentiator

Law Firm Data Security: What In-house Counsel Need to Know

Michael Wright • Chief Security Officer • Tech Lock

Data Minimization Framework

Responding to Intrusions

Privacy principles Individual written policies

Cybersecurity – Three Perspectives

Chapter 3: IRS and FTC Data Security Rules

Information Security: Risk Management or Business Enablement?

General Counsel and Chief Privacy Officer

The State of Cybersecurity and

Cybersecurity compliance for attorneys

Michael J. Bridwell John F. Kuckelman

Neil Kirton and Zoë Newman

Cyber Security: What the Head & Board Need to Know

DSC Contract Management Committee Meeting

Microsoft Data Insights Summit

Sam elkholy Director, systems engineering

2019 Thales Global Cloud Security Study

Anatomy of a Common Cyber Attack

Presentation transcript:

HOW TO AVOID COMMON DATA BREACH PITFALLS IAPP Privacy Academy 2014

© Goodwin Procter LLP 2 COSTS OF A DATA BREACH IN 2014 Source: 2014 Cost of Data Breach Study: Global Analysis, Sponsored by IBM, Conducted by Ponemon Institute LLC 15% Annual increase in the average cost of a data breach around the world U.S. average cost of a data breach $5.9 M Average cost paid for each exposed record $201

© Goodwin Procter LLP 3 $417,700 Average Detection & Escalation Costs $510,000 Average Notification Costs Average Cost of Lost Business $3.2 M Average Post Breach Costs $1.6 M COSTS OF A DATA BREACH Source: 2014 Cost of Data Breach Study: Global Analysis, Sponsored by IBM, Conducted by Ponemon Institute LLC

© Goodwin Procter LLP 4 42% 29% 30% ROOT CAUSES OF A DATA BREACH Source: 2014 Cost of Data Breach Study: Global Analysis, Sponsored by IBM, Conducted by Ponemon Institute LLC

© Goodwin Procter LLP 5 $246 $171 $160 PER CAPITA COST FOR EACH ROOT CAUSE Malicious or criminal attack System glitch Human error Source: 2014 Cost of Data Breach Study: Global Analysis, Sponsored by IBM, Conducted by Ponemon Institute LLC

© Goodwin Procter LLP 1.Inventory data – what, where, how is it used & shared, sensitivity 2.Analyze vendor agreements 3.Review privacy policies and disclosures for robustness, consistency with actual practices, and legality 6 BEFORE A BREACH

© Goodwin Procter LLP 4.Develop Incident Response Plan 5.Build an effective incident response team led by legal counsel 7 BEFORE A BREACH Incident Response Team Client & Media Relations In-House Counsel In-House IT Business Unit Human Resources Outside Forensics Experts CPO, CSO Compliance Outside Counsel

© Goodwin Procter LLP 8 6.Train employees on privacy and data security responsibilities and incident response 7.Set a tone from the top that privacy and data security are core company values 8.Conduct periodic privacy reviews and risk assessments BEFORE A BREACH

© Goodwin Procter LLP 9 Activate incident response plan WHEN THE BREACH HITS Contain the breach SECURITY THREAT

© Goodwin Procter LLP Follow the legal team’s lead 2. Employ a third party forensic team to investigate 3. Protect the integrity of the data and systems 4. Document response and containment actions 5. Protect the privilege BREACH INVESTIGATION

© Goodwin Procter LLP 11 Develop an Effective Communications Plan BREACH RESPONSE Critical Audiences & Messaging Press & Media Impacted Parties Law Enforcement Internal Teams Key Partners & Customers Regulators Board of Directors Audit Committee

© Goodwin Procter LLP 12 Notification: To Whom? Analyze client and vendor agreements Analyze statutory notification obligations How Soon? The Timing Paradox More careful analysis takes time More careful analysis increases certainty More careful analysis reduces cost BREACH RESPONSE

© Goodwin Procter LLP 1.Conduct post-breach review 2.Implement lessons learned 13 AFTER THE BREACH Goodwin Procter LLP

© Goodwin Procter LLP Brenda R. Sharton Celeste A. Lipworth Partner Vice President, Global Compliance Officer Chair, Business Litigation Ryder System, Inc. Co-chair, Privacy & Data Security (305) Goodwin Procter (617) Questions?