DATA BREACH NUTS AND BOLTS

Transcription

1 DATA BREACH NUTS AND BOLTS Your Company Has Been Hacked Now What? January 20, 2016 Universal City, California Sponsored by Hogan Lovells Moderator: Stephanie Yonekura, Hogan Lovells #IHCC16 Panelists: Mike Maddigan, Hogan Lovells Justin Vallese, FBI Stephanie Christensen, US Attorney s Office of LA James Aquilina, Stroz Friedberg #IHCC ACC-SoCal In-House Counsel Conference 1

2 Insert Sponsor Logo here Cyber Threat Overview 2016 ACC-SoCal In-House Counsel Conference #IHCC _2 2

3 090701_3 The Cyber Threat Reality Individuals Organized Crime Syndicates Hacktivist Groups Nation States Individuals Industry Law Enforcement & Government Infrastructure

4 Key elements of an incident response plan: Pre-incident Identify and Prepare for the Most Likely Incidents Incorporate threat intelligence in a timely way to identify the most likely incident types and attack vectors. Prepare incident responses for most likely types of incidents. Identify the Team Identify core team members, and their backups to establish 24/7 coverage Identify extended team members and their backups to establish 24/7 coverage Develop and maintain 24/7 contact lists. Clearly delineate roles and responsibilities. Document the Plan Appoint a lead to document the main enterprise wide plan, which can take the form of a core policy, one or more procedures, and a playbook. Individual functional groups (e.g. Communications, Legal, Investor Relations) may develop their own playbooks and templates, in coordination with and support of enterprise wide plan. Identify External Resources Identify, vet, and arrange in advance, if possible, retention of specialized and supplementary resources likely to be required in the event of a major incident, such as forensics and other technical vendors; consumer identity theft/credit monitoring services; legal services; public relations consulting. Rehearse the Plan Internally and Externally Rehearse the enterprise-wide plan regularly, with credit for an actual incident that requires the plan to be deployed. Participate in industry-wide simulation exercises as appropriate to role and scale of the business. Regularly update plan to reflect learnings and new requirements _4

5 Key elements of an incident response plan: During incident Contain and Control the Incident Technical and other teams to lead work to isolate the breach and to monitor and mitigate impact. Process to rate severity and escalate within organization as appropriate. Work with Law Enforcement to Coordinate Activities Establish or supplement relationships with key law enforcement players. Assist in coordinating company activities to avoid obstructing law enforcement operations. Obtain information from law enforcement to aid company response. Determine Scope and Nature of Incident, and Address Document how and when the incident occurred. Assess risks and remediation options. Determine what information or systems may have been affected. Deploy remediation and recovery plan. Ensure coordinated and appropriate reports to senior management and board of directors. Assess Notification Obligations Review and analyze applicable regulatory notification requirements. Identify relevant contracts and other agreements. Review the contracts and agreements for the scope, nature, and timing of any breach notification obligations, including obligations to notify law enforcement. 5 Conduct Notification Process If Necessary Provide notifications as needed, including drafting and review of internal announcements; customer notices; FAQs; letters to law enforcement, business partners, consumer reporting agencies, regulators, and other third parties; call center scripts; website notices; and media releases. Coordinate the offering of remediation services (e.g., credit monitoring and identity theft insurance). Coordinate with and support public relations and public affairs actions _5

6 Pathology of a Major Data Incident or Attack _6 Internal Investigation Consumer Litigation Shareholder Litigation Vendors/Forensic Experts Coordination with Law Enforcement/FBI Insurance Coverage Investigation Notification Media Inquiries and Public Relations Congressional Investigation and Inquires FTC Information Inquiry or Civil Investigative Demand SEC Investigation and 10K/10Q Statements State Attorneys General Investigation State Regulatory Investigations International Regulatory Inquiries and Investigations OCR Investigation (HIPAA) Customer Inquiries

7 September 10th And So It Begins Multiple employees of XYZ, Inc. notify the Help Desk of strange activity on their work computers Every associate who contacted the Help Desk received a prompt regarding a required update. IT confirms no updates were pushed out recently _7 7

8 Insert Sponsor Logo here Discussion 2016 ACC-SoCal In-House Counsel Conference #IHCC _8 8

9 October 10th Malware Everywhere! Infected computer shows malware with the ability to communicate with other computers on the network and extract passwords. At least 75 systems across the network contain evidence of the same malware Includes associate computers and one domain controller (server with associate usernames and passwords) Network logs show unusual activity involving multiple computers with connections to/from unknown outside location _9 9

10 Insert Sponsor Logo here Discussion 2016 ACC-SoCal In-House Counsel Conference #IHCC _10 10

11 October 30th Law Enforcement Law enforcement officials contact someone within XYZ about suspicious network traffic. Large data transfers were observed leaving the XYZ network and going to a malicious IP address. Law enforcement indicates security has been compromised by a group that typically targets payment card information _11 11

12 Insert Sponsor Logo here Discussion 2016 ACC-SoCal In-House Counsel Conference #IHCC _12 12

13 12 th Annual In-House Counsel Conference January 20, 2016 (Universal City, CA) #IHCC _13