The Risk-based Approach to Data Breach Response: Meeting mounting expectations for effective, relevant solutions


Our Speakers
» Mark Melodia is Partner and Co-Head of the Global Data Security, Privacy & Management Group for Reed Smith.
» Timothy P. Ryan is managing director and Cyber Investigations Practice Leader for Kroll.
» Brian Lapidus is managing director and InfoSec Practice Leader for Kroll.
» Moderator Steven Littleson is a director in Cyber Security at Kroll.

Agenda
» The Data Breach
» Investigation before Mitigation
» Accuracy above Assumption
» In the Beginning
» Match Remedy to Risk

The Data Breach: A broken promise.

Prepare to be Judged in Hindsight
Encourage broad thinking about types of litigation and potential causes of action.
» Negligence
» Waste and conversion
» Invasion of privacy
» Breach of contract
» Breach of fiduciary duty
» Unjust enrichment 1
» Unjust enrichment 2
» Violation of the Fair Credit Reporting Act
» State consumer protection statutes
» Business-to-business litigation
» Shareholder/Securities Litigation

Set Realistic Expectations
Communications
» Controlling the flow of internal communications
» Crafting and directing effective external messages
» Monitoring and responding to reactions to the breach
Litigation
» Hundreds of class action suits, fueled by tens of millions of breach letters
» Most privacy class actions seek millions or billions in statutory penalties, even absent any out-of-pocket harm to consumers
» Even nominal damages under common law (e.g., $1 per person for invasion of privacy) can mount quickly into millions of dollars in potential classwide liability
» Not just consumer suits

Factor in the Government, Part 1: Federal Trade Commission Actions
» Unfair and deceptive acts in commerce
» Dozens of investigations, many enforcement actions
» Jointly with other agencies that may also have specific industry jurisdiction
» Multi-million dollar consent resolution amounts and agreements to change process will last for decades
» Settling with private class counsel without satisfying the government may be a lost opportunity

Factor in the Government, Part 2: State Attorney General Actions
» Often the first notified of a potential privacy or security issue
» Can demand that companies offer credit monitoring to resolve investigations, even if courts in private class actions do not
» Often obtain large resolution payments in situations where the private class action bar fails
» Data Security/Privacy as a politically popular consumer protection issue

Investigation before Mitigation: Get out of your own way.

Top 8 Mistakes Companies Make When Preparing for and Responding to a Data Breach
1. Escalation and Employee Security Awareness
2. The Need to Preserve Evidence: Competing Interests
3. The Ability to Collect Evidence: Forensic Capabilities
4. The Ability to Demand Evidence: Third Parties
5. Log Creation and Centralization
6. Internal Conflicts: IT versus Security
7. Network Visibility and Architecture
8. Containment and Eradication Strategy

and One to Avoid: Involve the Police
» Goals: Enforcement versus Breach Notification
» Evidence Seizure, Review and Return
  » How it is seized
  » What the reviewer is searching for: government versus private
  » Does the corporation get to look at it
  » Who does Remediation
» Arrest
» Attorney-Client Privilege
» Control
» Life and Death/Only Government Can Assist

Focus on Facts Without Fear
1. How did the data breach occur?
2. What was the size of the breach?
3. What type of PII/PHI was exposed?
4. Who is the impacted population?

Case Study
Situation:
» Hacking incident left a retailer's network exposed for three months; credit card numbers and PINs processed during that time were vulnerable
» The client contacted Kroll, ready to notify 275,000 customers
Kroll actions:
» Reverse-engineered the code used to compromise the data and discovered two key findings: only one type of credit card had been targeted, and a bug had caused the code to stop working after 21 days
Outcome:
» Significant reduction in the number of impacted individuals and notifications required, from 275,000 to 27,000
» Reduced the client's cost to meet notification requirements by 90%

What Was the Size of the Breach? Comparison: Exact Notification vs. Over-Notification

Exact Notification (approximate cost)
  Forensic Investigation                                        $50,000.00
  Notification, Call Center, ID Theft Consultation & Restoration  $88,000.00
  1-Bureau Credit Monitoring                                    $50,500.00
  Total                                                        $188,000.00

Over-Notification (approximate cost)
  Forensic Investigation                                        $50,000.00
  Notification, Call Center, ID Theft Consultation & Restoration  $600,000.00 - $800,000.00
  1-Bureau Credit Monitoring                                    $300,000.00 - $450,000.00
  Total                                                        $900,000 - $1,250,000.00

Bottom Line: for an investment of $50,000 in forensic investigation work, the scope of the breach was reduced by hundreds of thousands of records.
Total Savings on Known Costs: $712,000 - $1,062,000

In the Beginning there was Credit Monitoring

When Credit Monitoring Isn't Enough
» Traffic stop reveals fraudulent 8-year-old DUI charge
» Online tax filing rejected: SS# already used to file
» Stranger's hospital bill linked to name and address
» A $30k loan, a car, cosmetic surgery, a summons: 4 years to resolve

You Need New Tools for New Threats
Name, address, date of birth, marital status, gender, race, ethnicity, national origin, grade point average, driver's license number, personal income, bank account and routing numbers, credit or debit card number, financial account number, username, password, government-issued identification number, insurance numbers, warrants for arrest, personal medical data

If this data is exposed:
» Name, address, date of birth
» Credit card numbers
» Bank account numbers
alternative monitoring can:
» Search for additional addresses associated with that person
» Crawl Internet monitoring sites where criminals buy and sell financial details
» Scan for short-term, pay-day or cash advance loans where no credit check is required

Match Remedy to Risk: Real need, real solution.

Published Guidance from the CA AG
California Office of Privacy Protection advises organizations:
» If you are considering offering notice recipients credit monitoring or another identity theft assistance service as a mitigation, make sure it is relevant to the situation.
» Credit monitoring is not helpful for breaches of account numbers only.

Published Guidance from the IL AG
Illinois Attorney General advises organizations to:
» determine when to offer credit monitoring and when to contract for an alternative form of monitoring.
» explore their options because credit monitoring may not be appropriate in all breach situations.

Wise Investments Here: Known Costs
» Legal Counsel
» Forensic Investigation
» PII/PHI Identification
» Notification
» Call Center
» Monitoring
» Preventative Services
Help Control Costs Here: Unknown Costs
» Brand Damage
» Customer Churn
» Settlement Fees
» Fines
» Business Transactions: IPO, Mergers & Acquisitions

It Works
struck the claim for damages already reasonably compensated the affected
The judge ruled in our favor on all points.

Take-Aways
How did the data breach occur?
» How was data accessed?
» Can you confirm data was, in fact, exposed?
» To whom was the data potentially exposed?
» Can you confirm what was done with the data?
What was the size of the breach?
» Has the incident been contained?
» How many records have been impacted?
» What response efforts can you afford based upon the size of the breach?
What type of PII/PHI was exposed?
» Can you confirm what PII/PHI was compromised?
» What constitutes a record for the purpose of notification?
» Was other data compromised that could lead to risk of identity theft or other harm?
Who was the impacted population?
» Who are the victims?
» What is the relationship of the insured with the breach victims?
» What is the relationship of the victims to one another?
» Where are the victims located?

Questions:
Mark S. Melodia
» Phone (609) 520-6015
» mmelodia@reedsmith.com
» Please visit the Reed Smith Global Regulatory Enforcement Blog at globalregulatoryenforcementlawblog.com
Tim Ryan
» Phone (212) 833-3461
» TPRyan@kroll.com
Brian Lapidus
» Phone (615) 577-6770
» Blapidus@kroll.com
» Find out more at Krollcybersecurity.com or Kroll.com

Thank you.