Creating a Security Breach Action Plan: From Laws, Policies & Procedures to
Dealing with an Actual Breach Incident
The Incident Response Plan: The 10 Essential Elements of Incident
Response Policies & Procedures
Christopher Hacker [email protected]
312-719-5837 ShortTrack LLC
1016 W Jackson Blvd #101 Chicago IL 60607
Breach Life Cycle
1. Discover Breach
2. Investigate & Remediate
3. Assemble Existing Response Team
4. Contact Law Enforcement
5. Hire Vendors: Forensic, Legal, PR
6. Begin Notification Process
7. Make Public Announcement
8. Send Notifications (Mail/Email)
9. Handle Inquiries
10. Resume Business
Incident Response Plan
• Identify Response Team Members
• Procedures for analyzing and containing a potential data security breach
• Plan for notifying affected individuals
• Remediation measures to be taken following a data security breach
• Collect Relevant Resources: Legal, Communications, IT Security/Forensics, Credit Bureau, Insurance Information
• Train and Test Plan
Links
• https://www.experian.com/assets/data-breach/brochures/response-guide.pdf
• https://iapp.org/resources/article/security-breach-response-plan-toolkit
• https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/sac_2012/22-15_intro_to_data_security_breach_preparedness.authcheckdam.pdf
Data Breach Notification Laws & Notification Requirements
Christopher J. Gulotta, Esq. Founder & CEO
Real Estate Data Shield, Inc. [email protected]
Real Estate Data Shield, Inc.© 2016
Terminology & NPPI Defined
Outline:
I. Introduction: Data Security
II. State Data Breach and Data Disposal Laws
III. What we know: information from recent data breach reports
What’s in a Breach or Disposal Statute?
Statutes typically have provisions regarding:
• Who must comply with the law (e.g., businesses, individuals, and/or state agencies)
• What qualifies as “personally identifiable information” (e.g., name combined with social security number)
• What constitutes a breach (e.g., unauthorized acquisition of data)
• Notice requirements (e.g., timing, method, who must be notified)
• Disposal requirements (e.g., destroy personal information no longer retained)
• Exceptions (e.g., encrypted information)
Breach Notification Statutes
• 47 States, D.C., Guam, Puerto Rico, and the Virgin Islands have enacted statutes*
• California enacted the first such statute, which became effective in 2003
• Most other states’ statutes are modeled on California’s, but there are some significant differences
*There have been proposals for federal legislation, yet none have been enacted
State Data Disposal Statutes
• Numerous states require a business to destroy personal information in a safe and effective fashion once it is no longer retained
• California: must take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control that contain personal information no longer retained
Breach Notification Statutes
California Breach Notification Law
• Business must disclose in specified ways any breach of security of data when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized party
Recent Data Breach Legislation: 2014
From 2014-2015, at least 21 states have enacted legislation. 2014: 23 states introduced or considered legislation, with 15 enacting new laws.
– KY became the latest state (the 47th) to adopt its first breach law
– States required special policies and procedures for health agencies or facilities (CA, LA)
– States required public agencies to follow stricter policies for technology security or employee training (FL, KY, LA, MN, SC, VT, WV)
– IA required breach notification for a breach of any medium containing sensitive information, even paper
– States required special notification and breach procedures for students (KA, LA, WV, WY)
Recent Data Breach Legislation: 2015
2015: 32 states introduced or considered legislation, with at least 14 laws enacted so far.
– States broadened the meaning of PII (OR, WY)
– States strengthened notification requirements for private businesses or state agencies (MT, ND, OR, TN, WA, WY)
– States directed education agencies or schools to strengthen student and teacher data protection through policy or technology changes (NH, ND, TY, VA)
– TX authorized its AG to pursue criminal penalties against perpetrators of security breaches
Massachusetts Privacy Law
Data breach notification law
– Considered among the most burdensome in the United States
– Requires privacy and security compliance, that is, more than mere breach notification
– Data destruction law
Massachusetts Gen. Laws § 93H-1 et seq.
Section 2. (a) The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated.
Florida: FIPA: Overview of Major Changes
• New obligation to report data security incidents that have not or are unlikely to produce harm, by written email notice to the Florida Department of Legal Affairs within 30 days
• Mandatory reporting to the Florida Department of Legal Affairs (FDLA) when a breach affecting more than 500 customers occurs
• Expanded definition of PII
• Breach notifications must go out within 30 days instead of 45
• All covered entities must take reasonable measures to protect and secure data
• Customer records containing PII must be destroyed
FLA: FIPA: Expanded Definition of PII
• 501.171 (1)(g) 1.a. states that PII under FIPA means “an individual’s first name or first initial in combination with any one or more of the following data elements for that individual.”
• New categories of data elements that constitute PII in conjunction with the above include:
• (IV) information regarding an individual’s health or medical history
• (V) any unique identifiers used by health insurance providers
• (VI) any other information about that person that could be used to personally identify that person
• (VI)b. “A user name or email address, in conjunction with a password or security question and answer that would permit access to an online account.”
FLA: FIPA: New Reporting Requirements
• New obligation to report an incident that has not or is unlikely to result in harm
• Written confirmation of a determination of no harm generally to be provided to the Florida Department of Legal Affairs (FDLA) (can be by email) within 30 days of the security incident
• FDLA now can potentially challenge a no-harm determination
• New mandatory reporting to the Department of Legal Affairs when 500 or more Florida residents are affected by a data breach
• Notice to FDLA to include key details of the event; FDLA allowed to request copies of the relevant police report, forensic report, and existing policies. FDLA has the right to review policies of the affected entity
• Breach notifications required within 30 days, instead of 45 days under the previous version of the law
• Breach notifications can be sent by email
FIPA: New Data Security Requirement
• FIPA adds a requirement that covered entities take “reasonable measures” to protect and secure data in electronic form containing personal information and to prevent breaches of security [501.171 § (2)]
• “Covered entity” means any commercial entity that “acquires, stores, maintains, or uses personal information” [501.171 § (1)(b)]
FLA: FIPA: New Requirements for Disposal of Customer Records, No Private Cause of Action
• Customer records include both paper and electronic records
• FIPA requires taking reasonable measures to dispose of customer records that contain personal information when they “are no longer to be retained”
• Required action includes shredding, erasing, or making the personal information unreadable or undecipherable [501.171 § (8)]
• A violation of FIPA is treated as a deceptive trade practice, enforceable by the FDLA (located in the AG’s office)
• Fines run up to $500,000, $1,000 for each day a breach goes unreported to customers/FDLA, and $50,000 for each month the breach goes unreported [501.171 § (9)]
• No private cause of action under FIPA [501.171 § (10)]
State Data Breach Laws
Why so many data breaches?
Source: http://www.csoonline.com/article/2847269/business-continuity/nearly-a-billion-records-were-compromised-in-2014.html
Matthew Froning Chief Information Officer
Security Compliance Associates, Inc. [email protected]
(727) 571-1141
http://www.scasecurity.com
Security Compliance Associates, LLC © 2016
Major Concerns of Data Breach
Lawsuits / Fines
Damage to Reputation
Not Knowing How To Respond
Cost of Resuming Operations
Impact of Major Data Breach
Unable to Continue Normal Operations
Loss of Trust
Lost Future Business
Cost - Reputation
Cost – Per Breach
• IBM & Ponemon Institute Study
– Average number of breached records: 28,070
– Cost per record breached: $217
• Indirect costs (abnormal turnover of clients): $143/record
• Direct costs to resolve (technology, legal fees): $74/record
– Heavily regulated sectors (financial institutions) have higher than average costs
Key Initial Steps
Stop The Bleeding
Find Help
Be Prepared!
Key Parts of Incident Response Plan:
• Define Policy & Scope
• Identify Key Personnel (names, contact information, roles & responsibilities)
• Assess Potential Incidents
• Identify Countermeasures
• Corrective Actions
• Monitor
QUESTIONS?