
Cyber Incident Response When You Didn’t Have a Plan




1 Cyber Incident Response When You Didn’t Have a Plan
Moderator: Shakara Barnes Panelists: Monique Brown April F. Doss Anne E. Winner

2 Source: Verizon 2017 Data Breach Investigations Report 10th Edition

3 Source: Verizon 2017 Data Breach Investigations Report 10th Edition

4 Response Without A Plan
A Data Breach Incident Can Create Chaos
It Can Be Managed If You…
- Think fast
- Act deliberately
- Keep first things first
Resist The Temptation To DIY
- Don’t let the first incident you handle be your own
- Plenty of other people specialize in breach response

5 Think About Attorney-Client Privilege Early And Often
Practical Steps
Do No Harm
- Act quickly to prevent the spread of damage (ransomware, unauthorized access, etc.)
Assessing The Risk
- What kind of incident is it?
- What systems or data have been compromised?
- Can you isolate that system from the network?
Who Needs To Be Called?
- C-suite? Board? Other Leadership?
- In-House Legal Department
- Outside Vendor(s)
How Will They Be Reached?
- Have email accounts been compromised?
Outside Vendor Support
- Outside Counsel?
- Forensics Experts?
- Public Relations?
Regulatory Response
- Some States Have Open-ended Deadlines
- Others Have Rigid Deadlines: Florida & Puerto Rico
- Sectoral Laws Have Rigid Deadlines: HIPAA
Expectations:
- Expect to be on the phone every day; the facts can – and should – unfold quickly
- Counsel should be on all calls and emails
- Expect to think about privilege a lot: not everything done at counsel’s direction will be privileged, but you risk waiving any claim of privilege if you don’t preserve it at the outset
- Expect to ask lots of questions, especially about data inventory, file directories, network connections, backups of data, and burdens of proof

6 Post Incident Debrief
What Costs Were Incurred?
- Notification?
- ID Theft Remediation
- Regulatory
- Corporate Brand
- 3rd Party Litigation
What precipitated the event?
- Hacker?
- Disgruntled Employee?
- Human Error?
- Malware
Has any kind of information been compromised?
- Personally Identifiable Information?
- Protected Health Information?
- Confidential Business Information
Who Did You Engage?
- Leadership?
- Outside Vendor(s)

7 Incident Response Plan Checklist
Review, Prepare, and Commit
- Evaluate Security: Understand Exposures, Regulatory Realm
- Improve Security: Train, Management Commitment
When A Breach Occurs – What Will Happen?
- Report & Confirm
- Discovery
- Engagement
- Investigation
- Notification
- Evaluation
Incident Response Plan
- Build A Team
- Implement A Process
- Communicate The Plan
Readiness
- Simulate
- Improve

Incident Response Plan
A. Select your internal Incident Response Team (IRT) and empower them to act in the event of a reported data breach. Appoint one person from the IRT to serve as the Internal Breach Manager in the event of a suspected breach. The Breach Manager will assure completeness and continuity of communications among internal and external team members during the breach response, complete the breach response checklist provided by the Breach Coach during the response, maintain communications and receive direction from the Breach Coach, assure that the breach response plan is followed and note deviations required by the event, and follow up on the effectiveness of the breach response for a period to be determined by Executive Management. The internal team includes:
- Executive Management
- IT Security
- Financial, Audit, Compliance and Legal
- Communications & Human Resources
- Customer Service
B. Select external team including:
i. Essential at the start of any breach:
1. Privacy Attorney/Breach Coach: In selecting the Breach Coach, ask him/her to walk your team through an example breach, also displaying a sample breach response checklist, notification letters, and call center FAQs.
2. Forensics Firm: In selecting the forensics firm, ask to be filled in on their discovery process, their suite of intrusion detection, data recovery and malware detection tools, and their experience in data breach forensics.
3. Notification and Call Center Vendor: Look for a vendor who has a history of quick response and on-time delivery, with knowledge of privacy laws, HIPAA and HITECH, and real-time reporting tools for call center services. You will want a vendor who can mobilize when you need them, not a week later, as well as one who can communicate on a professional basis with your Breach Coach.
4. Communications Firm
5. Monitoring Services: May be required, but may be engaged after forensic analysis has evaluated the breach:
a. Credit Monitoring
b. Identity Monitoring
c. Identity Restoration Services
6. Law Enforcement
C. Prepare a 24 x 7 contact list for your internal and external data breach teams.
D. Know your process
- Each team member must know what is expected to happen during the breach, and that they will look to the Breach Coach and the Internal Breach Manager for direction, especially should there be a deviation from the plan. Deviations may require timely Executive Management approval, and emphasis should be placed on the Breach Coach’s recommendations.
- Each team member must also become familiar with the documentation they will be processing during each stage of the breach response process.
- Develop a protocol to use when a potential breach is reported, which requires an initial breach report format to be completed detailing what is known of where, when, how and why the breach occurred, as well as anything which is known about who may be responsible. Require the internal IRT member with responsibility closest to where the breach is suspected to have occurred to be responsible for the initial breach report’s completion, the interview of the person reporting the potential breach, and distribution of the report to the internal IRT.
- Remember, from start to finish, complete, timely, and accurate documentation will be of utmost importance, particularly in the event your compliance with regulations is later challenged.
- Have a communication plan for each step of the typical breach. Beyond your internal IRT, limit communication internally to a need-to-know basis, with emphasis on preventing immediate recurrence and not destroying critical evidence of the breach.
- Do NOT communicate externally without first engaging and receiving guidance from your Privacy Attorney/Breach Coach.
- Obtain the following examples for your IRP through your external team members, including the Breach Coach and Risk Management Firm:
a. Sample notification letters to affected individuals.
b. Sample FAQs for affected individuals with questions about the breach.
c. Internal communications when appropriate.
d. Notices to regulatory agencies where required.
e. Appropriate local, state and federal law enforcement agency contact lists.
f. Replies to audit requests from state Attorneys General or the US Department of Health and Human Services.
g. Be prepared for communications to any other stakeholders identified through the forensic and investigative processes.
- Develop a business strategy for public announcements. Reputational concerns must also be taken into account.
- Develop a protocol and report format for the internal IRT meeting where the determination will be made of whether a data breach is likely to have occurred, and approval to proceed or not obtained from Executive Management. Err on the side of “if there is a possibility a breach occurred, assume it did” and act accordingly.
- Regulatory: While it was important for the internal IRT to be trained in state and federal regulations, these are complex and your IRP should provide for relying on the Privacy
Be Prepared
Prepare a postulated data breach scenario which would bring into play all the elements of your IRP, and perform an internal simulated data breach response following your IRP.
i. Note any disruptions, with particular emphasis on communication failures, confusion over who does what, and gaps between the IRP and your day-to-day operating rules which may cause failures in the breach response process while under the pressure and timing constraints of an actual data breach occurrence.
ii. Improve your IRP, your security procedures, and your training plans in accordance with the conclusions of the simulation.
ONGOING IMPROVEMENT
A. With significant changes to infrastructure, operating procedures, lines of business, or physical plant, re-evaluate your IRP and security plans and update accordingly. Barring such changes, re-evaluate both on at least an annual basis.
B. Even if you have not experienced a reportable data breach, review and revise your IRP and conduct a dry run of a data breach occurrence at least annually.
C. It is critical to have training programs for all employees, including refresher courses on a regular basis, with regard to both the IRP and security procedures.
D. Whether on your own or with the help of an outside firm, prepare a risk assessment on at least an annual basis.
i. Prepare a self-insured versus coverage analysis – the growth in cyber and network liability coverage has been accelerating, more options are available, and it is prudent to evaluate coverage versus remaining uncovered.

8 Best Practices
- Tailor To Your Organization
- Establish Vendor Relationships
- Test
- Train
- Update Regularly

