Cyber Incident Response When You Didn’t Have a Plan

Presentation transcript:

Cyber Incident Response When You Didn’t Have a Plan
Moderator: Shakara Barnes
Panelists: Monique Brown, April F. Doss, Anne E. Winner

Source: Verizon 2017 Data Breach Investigations Report 10th Edition

Response Without A Plan
A data breach incident can create chaos. It can be managed if you:
  Think fast
  Act deliberately
  Keep first things first
Resist The Temptation To DIY
  Don’t let the first incident you handle be your own
  Plenty of other people specialize in breach response

Think About Attorney-Client Privilege Early And Often

Practical Steps
  Do No Harm: act quickly to prevent the spread of damage (ransomware, unauthorized access, etc.)
  Assessing The Risk
    What kind of incident is it?
    What systems or data have been compromised?
    Can you isolate that system from the network?
  Who Needs To Be Called?
    C-suite? Board? Other leadership?
    In-house legal department
    Outside vendor(s)
  How Will They Be Reached?
    Have email accounts been compromised?
  Outside Vendor Support
    Outside counsel?
    Forensics experts?
    Public relations?
  Regulatory Response
    Some states have open-ended deadlines
    Others have rigid deadlines (Florida & Puerto Rico)
    Sectoral laws have rigid deadlines (HIPAA)

Expectations
  Expect to be on the phone every day
  The facts can – and should – unfold quickly
  Counsel should be on all calls and emails
  Expect to think about privilege a lot: not everything done at counsel’s direction will be privileged, but you risk waiving any claim of privilege if you don’t preserve it at the outset
  Expect to ask lots of questions, especially about data inventory, file directories, network connections, backups of data, and burdens of proof

Post Incident Debrief
  What costs were incurred?
    Notification
    ID theft remediation
    Regulatory
    Corporate brand
    3rd party litigation
  What precipitated the event?
    Hacker? Disgruntled employee? Human error? Malware?
  Has any kind of information been compromised?
    Personally Identifiable Information? Protected Health Information? Confidential business information?
  Who did you engage?
    Leadership? Outside vendor(s)?

Incident Response Plan Checklist

Review, Prepare, and Commit
  Evaluate security
  Understand exposures
  Regulatory realm
  Improve security
  Train
  Management commitment

When A Breach Occurs – What Will Happen?
  Report & Confirm
  Discovery
  Engagement
  Investigation
  Notification
  Evaluation

Incident Response Plan
  Build a team
  Implement a process
  Communicate the plan

Readiness
  Simulate
  Improve

Incident Response Plan

A. Select your internal Incident Response Team (IRT) and empower them to act in the event of a reported data breach. Appoint one person from the IRT to serve as the Internal Breach Manager in the event of a suspected breach. The Breach Manager will:
   assure completeness and continuity of communications among internal and external team members during the breach response;
   complete the breach response checklist provided by the Breach Coach during the response;
   maintain communications with, and receive direction from, the Breach Coach;
   assure that the breach response plan is followed and note deviations required by the event; and
   follow up on the effectiveness of the breach response for a period to be determined by Executive Management.
   The internal team includes: Executive Management; IT Security; Financial, Audit, Compliance and Legal; Communications & Human Resources; Customer Service.

B. Select external team including:
   i. Essential at the start of any breach:
   1. Privacy Attorney/Breach Coach: In selecting the Breach Coach, ask him/her to walk your team through an example breach, also displaying a sample breach response checklist, notification letters, and call center FAQs.
   2. Forensics Firm: In selecting the forensics firm, ask to be filled in on their discovery process, their suite of intrusion detection, data recovery and malware detection tools, and their experience in data breach forensics.
   3. Notification and Call Center Vendor: Look for a vendor who has a history of quick response and on-time delivery, knowledge of privacy laws, HIPAA and HITECH, and real-time reporting tools for call center services. You will want a vendor who can mobilize when you need them, not a week later, as well as one who can communicate on a professional basis with your Breach Coach.
   4. Communications Firm
   5. Monitoring Services: May be required, but may be engaged after forensics analysis has evaluated the breach:
      a. Credit Monitoring
      b. Identity Monitoring
      c. Identity Restoration Services
   6. Law Enforcement

C. Prepare a 24 x 7 contact list for your internal and external data breach teams.

D. Know your process. Each team member must know what is expected to happen during the breach, and that they will look to the Breach Coach and the Internal Breach Manager for direction, especially should there be a deviation from the plan. Deviations may require timely Executive Management approval, and emphasis should be placed on the Breach Coach’s recommendations. Each team member must also become familiar with the documentation they will be processing during each stage of the breach response process.

Develop a protocol to use when a potential breach is reported which requires an initial breach report format to be completed, detailing what is known of where, when, how and why the breach occurred, as well as anything which is known about who may be responsible. Require the internal IRT member with responsibility closest to where the breach is suspected to have occurred to be responsible for the initial breach report’s completion, the interview of the person reporting the potential breach, and distribution of the report to the internal IRT. Remember, from start to finish, complete, timely, and accurate documentation will be of utmost importance, particularly in the event your compliance with regulations is later challenged.

Have a communication plan for each step of the typical breach. Beyond your internal IRT, limit communication internally to a need-to-know basis, with emphasis on preventing immediate recurrence and not destroying critical evidence of the breach. Do NOT communicate externally without first engaging and receiving guidance from your Privacy Attorney/Breach Coach.

Obtain the following examples for your IRP through your external team members (including the Breach Coach and Risk Management Firm):
   a. Sample notification letters to affected individuals.
   b. Sample FAQs for affected individuals with questions about the breach.
   c. Internal communications, when appropriate.
   d. Notices to regulatory agencies, where required.
   e. Appropriate local, state and federal law enforcement agency contact lists.
   f. Replies to audit requests from state Attorneys General or the US Department of Health and Human Services.
   g. Be prepared for communications to any other stakeholders identified through the forensic and investigative processes.

Develop a business strategy for public announcements. Reputational concerns must also be taken into account.

Develop a protocol and report format for the internal IRT meeting where the determination will be made of whether a data breach is likely to have occurred, and approval to proceed or not is obtained from Executive Management. Err on the side of “if there is a possibility a breach occurred, assume it did” and act accordingly.

Regulatory: While it was important for the internal IRT to be trained in state and federal regulations, these are complex and your IRP should provide for relying on the Privacy

Be Prepared
Prepare a postulated data breach scenario which would bring into play all the elements of your IRP, and perform an internal simulated data breach response following your IRP.
   i. Note any disruptions, with particular emphasis on communication failures, confusion over who does what, and gaps between the IRP and your day-to-day operating rules which may cause failures in the breach response process while under the pressure and timing constraints of an actual data breach occurrence.
   ii. Improve your IRP, your security procedures, and your training plans in accordance with the conclusions of the simulation.

ONGOING IMPROVEMENT
A. With significant changes to infrastructure, operating procedures, lines of business, or physical plant, re-evaluate your IRP and security plans and update accordingly. Barring such changes, re-evaluate both on at least an annual basis.
B. Even if you have not experienced a reportable data breach, review and revise your IRP and conduct a dry run of a data breach occurrence at least annually.
C. It is critical to have training programs for all employees, including refresher courses on a regular basis, with regard to both the IRP and security procedures.
D. Whether on your own or with the help of an outside firm, prepare a risk assessment on at least an annual basis.
   i. Prepare a self-insured versus coverage analysis – the growth in cyber and network liability coverage has been accelerating, more options are available, and it is prudent to evaluate coverage versus remaining uncovered.
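As an added illustration of the process this checklist describes (the stages Report & Confirm, Discovery, Engagement, Investigation, Notification and Evaluation; the initial breach report recording where, when, how and why; the IRT rule "if there is a possibility a breach occurred, assume it did"; no external communication before the Breach Coach is engaged; and deviations from the plan needing Executive Management approval), here is a small Python workflow model. It is example code written for this page, not material from the presentation or its panelists; the class and function names, the choice to make "who" optional in the report, and the sample report values are my own constructions.

```python
"""Added example: a workflow model of the breach-response stages and gating rules
from the checklist above. Not from the presentation; names are the author's own."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    """Stages in the order the checklist lists them."""
    REPORT_AND_CONFIRM = 1
    DISCOVERY = 2
    ENGAGEMENT = 3
    INVESTIGATION = 4
    NOTIFICATION = 5
    EVALUATION = 6


# The initial breach report must record what is known of where, when, how and why.
# "who" is often unknown at intake, so this model leaves it optional (an assumption).
REQUIRED_REPORT_FIELDS = ("where", "when", "how", "why")


@dataclass
class InitialBreachReport:
    reporter: str             # person reporting the potential breach
    taken_by: str             # IRT member closest to where the breach is suspected
    details: dict[str, str]   # where / when / how / why, plus "who" if known

    def missing_fields(self) -> list[str]:
        return [f for f in REQUIRED_REPORT_FIELDS if not self.details.get(f)]


@dataclass
class BreachResponse:
    stage: Stage = Stage.REPORT_AND_CONFIRM
    report: InitialBreachReport | None = None
    assume_breach: bool | None = None
    breach_coach_engaged: bool = False
    log: list[str] = field(default_factory=list)         # the documentation trail
    deviations: list[str] = field(default_factory=list)  # noted by the Breach Manager

    def file_report(self, report: InitialBreachReport) -> None:
        """Report & Confirm: an incomplete initial breach report is sent back."""
        missing = report.missing_fields()
        if missing:
            raise ValueError(f"initial breach report incomplete: missing {missing}")
        self.report = report
        self.log.append(f"report filed by {report.taken_by} from {report.reporter}")

    def irt_determination(self, breach_possible: bool) -> bool:
        """IRT meeting rule: if a breach possibly occurred, assume it did."""
        if self.report is None:
            raise RuntimeError("no initial breach report on file")
        self.assume_breach = breach_possible
        self.log.append(f"IRT determination: assume_breach={breach_possible}")
        return self.assume_breach

    def engage_breach_coach(self) -> None:
        self.breach_coach_engaged = True
        self.log.append("Privacy Attorney/Breach Coach engaged")

    def external_communication_allowed(self) -> bool:
        """No external communication before the Breach Coach has been engaged."""
        return self.breach_coach_engaged

    def advance(self, to: Stage, exec_approved: bool = False) -> Stage:
        """Move to a later stage; skipping a stage is a deviation needing approval."""
        if self.stage is Stage.EVALUATION:
            raise RuntimeError("response already at final stage")
        if to.value <= self.stage.value:
            raise ValueError(f"cannot move backwards from {self.stage.name} to {to.name}")
        if to is Stage.NOTIFICATION and not self.external_communication_allowed():
            raise PermissionError("notification requires Breach Coach guidance first")
        expected = Stage(self.stage.value + 1)
        if to is not expected:
            if not exec_approved:
                raise PermissionError(f"skipping {expected.name} requires Executive approval")
            self.deviations.append(f"{expected.name} skipped with Executive approval")
        self.log.append(f"{self.stage.name} -> {to.name}")
        self.stage = to
        return self.stage


def run_constructed_scenario() -> BreachResponse:
    """Walk a constructed (made-up) report through the full process in order."""
    resp = BreachResponse()
    resp.file_report(InitialBreachReport(
        reporter="help desk",
        taken_by="IT Security lead",
        details={"where": "file server FS-01 (constructed)", "when": "2017-06-01 08:15",
                 "how": "ransom note on shared drive", "why": "unknown, suspected malware"},
    ))
    resp.irt_determination(breach_possible=True)
    resp.advance(Stage.DISCOVERY)
    resp.engage_breach_coach()
    resp.advance(Stage.ENGAGEMENT)
    resp.advance(Stage.INVESTIGATION)
    resp.advance(Stage.NOTIFICATION)
    resp.advance(Stage.EVALUATION)
    return resp
```

The `log` list stands in for the complete, timely documentation the checklist asks for, and `deviations` is what the Internal Breach Manager would hand to Executive Management afterwards; in a real plan both would be written to durable, access-controlled storage rather than kept in memory.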

Best Practices
  Tailor to your organization
  Establish vendor relationships
  Test
  Train
  Update regularly