Creating a Security Breach Action Plan: From Laws, Policies & Procedures to Dealing with an Actual Breach Incident

Source: meetings.alta.org/bsc/wp-content/uploads/sites/4/2016/01/... · 2016-03-15 · Christopher Hacker chris@shorttrack.io


Page 1

Creating a Security Breach Action Plan: From Laws, Policies & Procedures to Dealing with an Actual Breach Incident

Page 2

The Incident Response Plan: The 10 Essential Elements of Incident Response Policies & Procedures

Christopher Hacker, chris@shorttrack.io, 312-719-5837
ShortTrack LLC, 1016 W Jackson Blvd #101, Chicago IL 60607

Page 3

Breach Life Cycle

1. Discover Breach
2. Investigate & Remediate
3. Assemble Existing Response Team
4. Contact Law Enforcement
5. Hire Vendors: Forensic, Legal, PR
6. Begin Notification Process
7. Make Public Announcement
8. Send Notifications
9. Handle Inquiries
10. Resume Business

Page 4

Breach Life Cycle (diagram): Discover → Investigate & Remediate → Assemble Team → Contact Law Enforcement → Hire Vendors: Forensic, Legal, PR → Notification Process → Public Announcement → Mail/Email Notifications → Handle Inquiries → Resume Business

Page 5

Incident Response Plan

• Identify Response Team Members
• Procedures for analyzing and containing a potential data security breach
• Plan for notifying affected individuals
• Remediation measures to be taken following a data security breach
• Collect Relevant Resources: Legal, Communications, IT Security/Forensics, Credit Bureau, Insurance Information
• Train and Test Plan

Page 6

Links

• https://www.experian.com/assets/data-breach/brochures/response-guide.pdf
• https://iapp.org/resources/article/security-breach-response-plan-toolkit
• https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/sac_2012/22-15_intro_to_data_security_breach_preparedness.authcheckdam.pdf

Page 7

Data Breach Notification Laws & Notification Requirements

Christopher J. Gulotta, Esq. Founder & CEO

Real Estate Data Shield, Inc. [email protected]

Real Estate Data Shield, Inc.© 2016

Page 8

Terminology & NPPI Defined

Outline:
I. Introduction: Data Security
II. State Data Breach and Data Disposal Laws
III. What we know: information from recent data breach reports

Page 9

What’s in a Breach or Disposal Statute?

Statutes typically have provisions regarding:
• Who must comply with the law (e.g., businesses, individuals, and/or state agencies)
• What qualifies as "personally identifiable information" (e.g., name combined with social security number)
• What constitutes a breach (e.g., unauthorized acquisition of data)
• Notice requirements (e.g., timing, method, who must be notified)
• Disposal requirements (e.g., destroy personal information no longer retained)
• Exceptions (e.g., encrypted information)

Page 10

Breach Notification Statutes

• 47 States, D.C., Guam, Puerto Rico, and the Virgin Islands have enacted statutes*
• California enacted the first such statute, which became effective in 2003
• Most other states’ statutes are modeled on California’s, but there are some significant differences

*There have been proposals for federal legislation, yet none have been enacted

Page 11

State Data Disposal Statutes

• Numerous states require a business to destroy personal information in a safe and effective fashion once it is no longer retained
• California: must take all reasonable steps to destroy, or arrange for the destruction of, a customer’s records within its custody or control that contain personal information no longer retained

Page 12

Breach Notification Statutes

California Breach Notification Law
• Business must disclose in specified ways any breach of security of data when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized party

Page 13

Recent Data Breach Legislation: 2014

From 2014-2015, at least 21 states have enacted legislation. 2014: 23 states introduced or considered legislation, with 15 enacting new laws.

– KY became the latest state (the 47th) to adopt its first breach law
– States required special policies and procedures for health agencies or facilities (CA, LA)
– States required public agencies to follow stricter policies for technology security or employee training (FL, KY, LA, MN, SC, VT, WV)
– IA required breach notification for breach of any medium containing sensitive information, even paper
– States required special notification and breach procedures for students (KA, LA, WV, WY)

Page 14

Recent Data Breach Legislation: 2015

2015: 32 states introduced or considered legislation, with at least 14 laws enacted so far.

– States broadened the meaning of PII (OR, WY)
– States strengthened notification requirements for private businesses or state agencies (MT, ND, OR, TN, WA, WY)
– States directed education agencies or schools to strengthen student and teacher data protection through policy or technology changes (NH, ND, TY, VA)
– TX authorized its AG to pursue criminal penalties against perpetrators of security breaches

Page 15

Massachusetts Privacy Law

Data breach notification law
– Considered among the most burdensome in the United States
– Requires privacy and security compliance, that is, more than mere breach notification
– Data destruction law

Page 16

Massachusetts Gen. Laws § 93H-1 et seq.

Section 2. (a) The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated.

Page 17

Florida: FIPA: Overview of Major Changes

• New obligation to report data security incidents that have not or are unlikely to produce harm, by written email notice to the Florida Department of Legal Affairs within 30 days
• Mandatory reporting to the Florida Department of Legal Affairs (FDLA) when a breach affecting more than 500 customers occurs
• Expanded definition of PII
• Breach notifications must go out within 30 days instead of 45
• All covered entities must take reasonable measures to protect and secure data
• Customer records containing PII must be destroyed

Page 18

FLA: FIPA: Expanded Definition of PII

• 501.171 (1)(g)1.a. states that PII under FIPA means “an individual’s first name or first initial in combination with any one or more of the following data elements for that individual.”
• New categories of data elements that constitute PII in conjunction with the above include:
  • (IV) information regarding an individual’s health or medical history
  • (V) any unique identifiers used by health insurance providers
  • (VI) any other information about that person that could be used to personally identify that person
  • (VI)b. “A user name or email address, in conjunction with a password or security question and answer that would permit access to an online account.”

Page 19

FLA: FIPA: New Reporting Requirements

• New obligation to report an incident that has not or is unlikely to result in harm
• Written confirmation of the determination of no harm generally to be provided to the Florida Department of Legal Affairs (FDLA) (can be by email) within 30 days of the security incident
• FDLA now can potentially challenge a no-harm determination
• New mandatory reporting to the Department of Legal Affairs when 500 or more Florida residents are affected by a data breach
• Notice to FDLA to include key details of the event; FDLA allowed to request copies of the relevant police report, forensic report, and existing policies. FDLA has the right to review the policies of the affected entity
• Breach notifications required within 30 days, instead of 45 days under the previous version of the law
• Breach notifications can be sent by email

Page 20

FIPA: New Data Security Requirement

• FIPA adds a requirement that covered entities take “reasonable measures” to protect and secure data in electronic form containing personal information and to prevent breaches of security [501.171 § (2)]

• “Covered entity” means any commercial entity that “acquires, stores, maintains, or uses personal information” [501.171 § (1)(b)]

Page 21

FLA: FIPA: New Requirements for Disposal of Customer Records, No Private Cause of Action

• Customer records includes both paper and electronic records

• FIPA requires taking reasonable measures to dispose of customer records that contain personal information when they “are no longer to be retained”

• Required action includes shredding, erasing, or making the personal information unreadable or undecipherable [501.171 § (8)]

• A violation of FIPA treated as deceptive trade practice, enforceable by the FDLA (located in the AG’s office)

• Fines run up to $500,000, $1,000 for each day a breach goes unreported to customers/FDLA, and $50,000 for each month the breach goes unreported [501.171 § (9)]

• No private cause of action under FIPA [501.171 § (10)]


Page 26

State Data Breach Laws

Page 27

Why so many data breaches?

Source: http://www.csoonline.com/article/2847269/business-continuity/nearly-a-billion-records-were-compromised-in-2014.html

Page 28

Matthew Froning Chief Information Officer

Security Compliance Associates, Inc. [email protected]

(727) 571-1141

http://www.scasecurity.com

Security Compliance Associates, LLC © 2016


Page 30

Major Concerns of Data Breach

• Lawsuits / Fines
• Damage to Reputation
• Not Knowing How To Respond
• Cost of Resuming Operations

Page 31

Impact of Major Data Breach

• Unable to Continue Normal Operations
• Loss of Trust
• Lost Future Business

Page 32

Cost - Reputation

Page 33

Cost – Per Breach

• IBM & Ponemon Institute Study
  – Average number of breached records: 28,070
  – Cost per record breached: $217
    • Indirect costs (abnormal turnover of clients): $143/record
    • Direct costs to resolve (technology, legal fees): $74/record
  – Heavily regulated (Financial Institutions) have higher than average costs

Page 34

Key Initial Steps

Page 35

Stop The Bleeding


Page 37

Find Help


Page 39

Be Prepared!

Key Parts of Incident Response Plan:
• Define Policy & Scope
• Identify Key Personnel (names, contact information, roles & responsibilities)
• Assessing Potential Incidents
• Identify Countermeasures
• Corrective Actions
• Monitor

Page 40

QUESTIONS?