Orlando, FL September 23-27, Your School Has Been Breached Now What? Cyber Incident Simulation Exercise

Transcription

1 Your School Has Been Breached Now What? Cyber Incident Simulation Exercise Andrew Liuzzi U.S. Crisis Lead, Data Security & Privacy Group Edelman Dominic Paluzzi Partner McDonald Hopkins Brad Wells Associate Vice President, Business and Finance California State University Sue Yi Breach Response Services Beazley Pre-Read Materials 2 1

2 What Keeps You up at Night? What Keeps You up at Night? Sources may have suffered data breach affecting students. More info : kso.ly/1zpx8ta 2

3 What Keeps You up at Night? Scope of SCHOOL breach widens School, who confirmed several days ago that it had suffered a data breach exposing the personal health information of about half a million current/former students now says the breach is much larger than originally thought. A spokesperson told the WSJ today that the school s forensics investigation concluded that the breach likely affects more than one million customers, and may include their personal information as well. 3

4 Incident Trends Incident Trends 4

5 Incident Trends Brand Recovery From a university perspective, the goals are clear: Respond swiftly to campus community concerns, once have adequate information, reinforcing the school s commitment to data security and citing improvements already underway above all, demonstrate a bias towards action in response to the issue Chart an operational course to help inoculate the school from future risk Strategies: Creating a consistent, credible story about a school s strengths, areas for improvement and commitment to excellence in data security (especially if there are relevant ties/courses/curricula at the school) Setting a sustained course to build awareness, comprehension and thought leadership for the school and its leadership Maximizing our efforts through an engagement model that crosses multiple channels, drives message penetration across audiences and leverages third parties for credibility, where applicable 5

6 Managing the Message Communications Response Students, faculty, staff and alumni must be your north star so make sure that you communicate with them clearly and effectively However, don t neglect the wide variety of stakeholders interested in breaches including policymakers, regulators (state and federal) and industry stakeholders (e.g. DoE, OCR) Be lean, but integrate legal, IT, PR and business group into communications planning Media train campus leadership (and not just a campus chancellor or president) Set up the appropriate media/social monitoring and listening posts Develop a long-term reputation recovery strategy, versus treating it as an isolated incident especially critical given the number of cyber security incidents at campuses in last few years Responding Not Reacting Creating response team with a practiced policy and plan Arranging logistics in advance Gaining buy-in and cooperation from different divisions of the college or university Incorporating the board of trustees and executives appropriately Communicating across and beyond the organization Working with the media 6

7 The Early Bird Doesn t Always Catch the Worm Move quickly, but remember that going out with information too early can hurt an organization in a data breach Resist communicating numbers early in the investigation; offer a timetable for additional information Be careful of claiming the issue is fully resolved; acknowledge that the situation may change Focus initial messages on the steps being taken to investigate the issue Facts are very fluid - so rushing public statements can result in several bad outcomes for a company: Inaccurate dissemination of information Compromising more data Damaging company reputation further by breaking trust again Keep an Eye Towards Litigation Preserve attorney-client privilege. Use discretion in both internal and external communication. Consider how actions may affect potential litigation. 7

8 Why We Should Be Careful with the Word Breach" Using breach to describe a data-privacy related incident assumes the incident meets the definition of a security breach which triggers various notification requirements An incident does not always rise to the level of breach (e.g., encryption safe harbor) Incident is better received by the public than breach Consistency in Message is Critical from a Legal Perspective Colleges and Universities must coordinate with privacy counsel and crisis communication firm to manage public relations issues and respond promptly, consistently, and with honesty, utilizing tailored statements and Frequently Asked Questions (FAQs) What is said during breach investigation and incident response will be heavily examined later in: Regulatory Inquiries/Investigations Demands/Litigation Colleges and Universities should provide dedicated call center support, explaining the steps impacted individuals can take to reduce their risk of harm, and monitor escalated questions from callers Providing support to impacted population during breach response can significantly reduce legal exposure 8

9 An Ounce of Preparation Is Worth a Pound of Cure The average data breach in the United States costs an organization more than $6.5 million in investigations, customer notification, lost business and reputation management Organizations with an incident response plan at the time of their breaches saw an average cost that was $42 per record less than the national average per compromised record What Data Must Be Protected? Personally Identifiable Information (PII) Social Security number Drivers license number Credit/debit card numbers Passport number Bank Account Information Date of Birth Medical Information Biometric data (i.e., fingerprints) Mother s maiden name /username in combination with password/security question & answer In combination with name (either First Name & Last Name or First Initial & Last Name) 9

10 What Data Must Be Protected? Protected Health Information (PHI) Medical records Health status Provision of health care Payment for health care HIPAA What Data Must Be Protected? Payment Card Information (PCI) Primary Account Number (PAN) Cardholder Name Expiration Date Service Code (3 or 4 digit code) PIN 10

11 What Is a Data Breach? Definition varies from state to state, but typically includes: Unauthorized acquisition / access / use of Personally Identifiable Information (PII) Unencrypted Compromising the security, confidentiality or integrity of PI Does not include good faith acquisition of PI Breach Notification Laws State laws differ with respect to: Deadline for notifying (14, 30, 45 days; reasonable time) Notification to Attorney General Notification to other state agencies Including Attorney General contact information Substitute notice ( , website, media) Specific facts of incident and type of PI compromised Maintaining records of incident (for 3-5 years) Countries also differ with notice requirements 11

12 Fail to Plan Plan to Fail NO organization is immune to a cyber attack or data breach NO amount of technology can account for human error or deception DON T WAIT for a breach to occur BE PROACTIVE create a plan, practice and develop muscle memory Who Should Be on Your Incident Response Team? Because the issue impacts almost every component of the organization, and failure to properly manage can result in both long and short term consequences, the team should include C level decision makers in the following areas: Legal IT Risk Management/Insurance HR Marketing Public Relations Compliance & Internal Audit Physical security Other executives, as appropriate 3rd party response services (e.g., forensics, privacy counsel, notification) 12

13 Prevention Is Key Proactive steps to take: Identify internal and external crisis team Keep the team lean and empower a decision-maker Meet your state s legislators, regulators and policy makers Determine your lobbying, forensics and legal firm before a crisis Conduct a mock crisis situation Develop communications chain of command for multiple scenarios Cyber Incident Simulation Exercise Factual injects to be provided the day of presentation 26 13