Security Breaches: How to Prepare and Respond
BIOS
SARAH A. SARGENT
Sarah is a CIPP/US- and CIPP/E-certified attorney at Godfrey & Kahn S.C. in Milwaukee, Wisconsin. She specializes in cybersecurity and data privacy, specifically with respect to compliance planning and data breach response.
CHRIS KIMMEL
Chris Kimmel, ACE, CHPA, CISSP, GCFA, is the Security Incident Manager at Associated Bank in Green Bay, Wisconsin. Chris has over eight years of experience within the field, specializing in Security Incident Response, Penetration Testing, and Risk Management. Chris has led the response for hundreds of Information Security Breaches.
AGENDA
What is a data security breach?
What should you do to prepare for a breach?
What steps do you need to take when a breach happens?
What laws are implicated in breach response?
What are the latest trends?
WHAT IS A SECURITY BREACH?
Any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.
COMMON TYPES OF BREACHES
Social Engineering
Business Email Compromise
Spoofed Emails
Accidental Email Disclosures
Ransomware
Cryptojacking
Stolen & Lost Devices
Denial of Service
Insider Threat
MOTIVATIONS
Cybercrime
  Value of PII, credit cards, SSN
  Trade Secrets
Nation-state actors
  Impact critical infrastructure
  Steal intelligence
  Theft of Trade Secrets
Hacktivism
Extortion
READINESS VS. RESPONSE
Readiness is preparing your organization for an incident before it occurs:
  Business Impact Assessments
  Data Classification
  Policies and Procedures
  Training
Response is the process of handling an incident once a threat event is identified:
  Identification / Verification
  Notification / Escalation
  Containment / Eradication
  Recovery
  Lessons Learned
INCIDENT RESPONSE PROCESS
HOW TO PREPARE FOR A BREACH
Make a Plan
Assign Roles and Responsibilities
Determine Notification and Escalation Timings
Practice the Plan
Training
HOW TO RESPOND: DETECTION & CONTAINMENT
Keep calm!
Ensure all key personnel / 3rd-party support are available and assisting
Gather / Verify scope of Incident
Contain the incident
  Is the goal immediate remediation or monitoring?
Eradicate the Incident once goals are achieved
Initiate and cooperate with forensic investigation if necessary
HOW TO RESPOND: DOCUMENTATION
Preserve records
Pull insurance policies, relevant contracts, bank information (if wire fraud)
Control communications internally and externally
Utilize attorney-client privilege
HOW TO RESPOND: REMEDIATION
Recover systems & data to the extent possible
Determine notification obligations under state, federal, and international law
Analyze contractual obligations & make required notifications
HOW TO RESPOND: WRAP UP
Team meeting to discuss lessons learned
Review policies and adjust accordingly
Create action list for security improvements
FEDERAL, STATE, AND INTERNATIONAL LAW
Federal: Health Insurance Portability and Accountability Act; Gramm-Leach-Bliley Act
State: All fifty (50) states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification to individuals of security breaches involving personally identifiable information.
International: General Data Protection Regulation (European Union); Canada's Personal Information Protection and Electronic Documents Act
BREACH NOTIFICATIONS: STATE MATTERS
Organizational footprint matters. If you have a location in Washington State and Wisconsin, the reporting laws can be different.
Texas requires anyone providing notice in Texas to notify all individuals regardless of state.
Most organizations will conform to the strictest laws and apply that precedence for all impacted records.
DIFFERENCES IN LAW
Definition of Personally Identifiable Information or Personal Data
Definition of breach: access or acquired
Notice to consumer reporting agencies
Timeline of notices
Language of notices
Notice to state agencies
EXAMPLE - NOTIFICATION TO REGULATORS (WASHINGTON)
Washington State: Any person or business required to notify more than 500 Washington residents as a result of a single breach shall, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the attorney general. The person or business shall also provide to the attorney general the number of Washington consumers affected by the breach, or an estimate if the exact number is not known. Notice to the attorney general shall be made in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered, unless at the request of law enforcement or due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
EXAMPLE - NOTIFICATION TO REGULATORS (WISCONSIN)
Notice, without unreasonable delay, to consumer reporting agencies is required for any breach requiring notification to more than 1,000 individuals.
TRENDS
68% of breaches took months or longer to discover
Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified
4% of people will click on any given phishing campaign
Statistics taken from the 2018 Verizon Breach Report, available at https://www.verizonenterprise.com/resources/reports/rp_dbir_2018_report_execsummary_en_xg.pdf (accessed on 11/16/2018)
TRENDS
94% of security incidents and 90% of confirmed data breaches fall into nine incident classification patterns
76% of breaches were financially motivated
Statistics taken from the 2018 Verizon Breach Report, available at https://www.verizonenterprise.com/resources/reports/rp_dbir_2018_report_execsummary_en_xg.pdf (accessed on 11/16/2018)
QUESTIONS? THANK YOU