Anatomy of a Data Breach: A Practical Guide for Small Law Departments

Transcription

1 Anatomy of a Data Breach: A Practical Guide for Small Law Departments

2

3 Judy Branzelle is the Chief Legal Officer and General Counsel for Goodwill Industries International, Inc. where she has been employed for the past twelve years. Good will Industries International is comprised of 165 independent organizations across North America, with 13 affiliates in 14 countries around the world, each dedicated to assisting people with disabilities to obtain jobs and job training. She manages the legal team in the fields corporate compliance, non-profit law, trademarks, licensing, contracts, international issues, litigation and a wide variety of other legal issues. Judy is a regular speaker to different audiences on legal subjects.

4 James L. Calis is the Associate General Counsel and a Deputy Chief Privacy Officer for Global Tel*Link Corporation. He focuses on complex commercial and technology transactions, and software licensing, including technology acquisition and outsourcing, and stand-alone and hosted software solutions. He also handles merger due diligence and integration. As the only attorney on the Privacy Team, Mr. Calis leads Global Tel*Link s efforts on compliance with federal and state privacy laws and private contractual obligations concerning the protection of personal and financial information. He also drafts various policies for the company regarding the collection, use, storage, and retention of information. Mr. Calis began his career with the Federal Government in the areas of administrative law and appellate litigation. He later moved to Nextel Communications, Inc. (now Sprint Corporation) where he worked on securing radio spectrum rights for the company through transactions ranging from complex mergers to single license acquisitions. Mr. Calis is a graduate of Catholic University of America s Columbus School of Law and the University of South Florida.

5 Polsinelli, P.C., Shareholder, Washington, D.C. George Kostel is an aggressive advocate with a mind for unraveling difficult client problems, both before and during litigation. He uses the breadth of his complex commercial litigation experience in trying cases in federal courts around the country. He has practiced in federal courts nationwide, particularly in the Eastern District of Virginia, a preferred venue for some of the most complex litigation in the U.S. George has advised companies in adopting and implementing data breach response plans, and has spoken numerous times on cyber-litigation and insurance coverage. He assisted in the litigation response to a data breach involving a large U.S. hospital system.

6 Since joining MRIS in 2005 as the company's first General Counsel, Mr. Feig has become an established leader engaged in many of the most challenging and rapidly evolving legal issues facing technology providers and practitioners in the real estate industry. Mr. Feig's "sleeves up," practical leadership style empowers innovation and efficiency by driving real-world legal solutions that work. His work related to intellectual property law in particular has helped establish MRIS as a thought leader and precedent setting organization for the industry. A frequent speaker and writer for both the legal and professional communities, he is an advocate for building highly collaborative relationships between legal counsel and business teams to realize efficiencies and create viable long-term alliances. He also is a co-chair of the Small Law Department initiative of ACC NCR.

7

8 Cyber attached are ubiquitous 42.8 million detected incidents in Estimated global impact is $ billion. We know cybercrime is inevitable. The positive side of this is that the headline risk has diminished.

9 400 Reported Breaches Up 100% in 3 Years Identities Exposed by Sector Retail Financial Computer and Software Healthcare Citation: Symantec Internet Security Threat Report 2015

10 What does it mean to be prepared? Data security is not just an IT issue. Officers and directors face heightened duties. Organizations must undertake a systematic approach to evaluate and address risk.

11

12 DO: Assume You are a Target Small size and relative anonymity no longer ensure that you will be left alone Lead by Example Cybersecurity is not simply the domain of the IT person ; executive management has to get involved Map and Encrypt Data Need to know the types of data you have and the location of that data. Encrypt the data you need to keep Bank Securely Online banking should only be performed using a secure browser connection in private mode

13 DO: Defend Yourself guard against single points of failure in any specific technology or protection method Educate Employees raise employees awareness about the risks of cyberthreats, mechanisms for mitigating the risk, and the value of your businesses' intellectual property and data Be Password Wise Change any default username or passwords for computers, printers, routers, smartphones, or other devices Operate Securely using layered security defenses and keeping all operating systems and software up to date Plan for the worst put together a disaster recovery plan so that when a Cyberincident happens California Department of Justice, Making Your Privacy Practices Public, May 2014

14 DON T: Modify stored data in a way that could hinder incident response or subsequent criminal investigation Use a system suspected of being compromised to communicate about an incident or to discuss its response to the incident. Attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack. Fail to Notify Key Regulators and Secure Coverage from Available Insurance Policies (perhaps more than one) Citation: DOJ, Best Practices for Victim Response and Reporting of Cyber Incidents

15 DON T: Turn off your computer Might destroy evidence and erase clues about the attack Use technical or legal jargon in privacy policies Ignore the risk

16 3 KEY STEPS Calculated Preparation Support During Crisis Post-Incident Audit

17 Identify the organization s most prized assets Not all assets warrant the same level of protection Create a clear, concise and actionable response plan Identify key response personnel in each department Prioritize mission-critical processes Identify what data and services need to be prioritized in the response plan Establish important relationships Identify contacts in law enforcement and government before an incident

18 Keep Records and Logs - Preservation Keep records for any criminal investigation Also document the remediation process - just like any other litigation threat Communicate with state and federal law enforcement Find technical and operational specialists to partner with Crucial for small organizations Notification of Affected Parties Notification of necessary state and federal authorities

19

20 On-site Review Assess strength and weakness of performance Recommendations for the future Minimize operational and reputational risks

21 Office of Personnel Management data on 4 million current and former federal workers hacked Washington Post Chinese breach data of 4 million federal workers, June 4, House passed 2 bills in April, Senate considering the Cybersecurity Information Sharing Act (CISA) Congressional Quarterly reports: President Obama said House bills go too far in offering immunity to companies that share cyberthreat information House Republicans argue that it would be unreasonable to expect small firms to take defensive steps every time they hear of a threat. Both bills offer safe harbor if reasonable defenses in place Supporters citing OPM breach to push quick action Senate action appears to be a matter of time. Citation: Congressional Quarterly, Torn Over Privacy, Congress Lags on Cybersecurity, June 5, 2015

22 THANK YOU