Incident Response Comes of Age

Author: Buddy Barrett

Slide 1: Incident Response Comes of Age
Daily Journal Professional Education Cyber Boot Camp, January 12, 2017
Panelists: Sarah Bruno, Arent Fox LLP; Patrick Hynes, PwC; John Mullen, Redacted, Inc.; Tracy L. Wilkison, Assistant United States Attorney, Chief, Cyber and Intellectual Property Crimes Section, National Security Division
Moderator: Tanya Forsheit

Slide 2: Agenda
- A Brief History of Breach Notification Laws
- Preventative Medicine
- Evolving Threat Vectors
- After an Incident

Slide 3: A Brief History of Breach Notification Laws
Breach Notification Laws Enter the Teen Years

Slide 4: Data Breach Notification Laws
- Beginning in 2002, legislators across the country began passing laws requiring consumer notification when there is a security breach involving private information.
- Forty-seven states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have passed security breach notification laws affecting private entities.
- Most follow California's lead, but with some key differences, e.g.:
  - "material" breach requirement
  - expanded definition of "personal information"
  - breaches involving non-computerized data
  - notification procedures
  - requirement to notify consumer reporting and/or law enforcement agencies
  - exemptions from mandatory notification (e.g., encryption)
  - penalties

Slide 5: Preventative Medicine

Slide 6: "Reasonable Security"
- A floor, not a ceiling
- State data security laws
- Federal Trade Commission Section 5 authority and enforcement actions/consent decrees
- California Attorney General 2016 Annual Data Security Breach Report
- Dual factor authentication
- Center for Internet Security Controls

Slide 7: Service Provider Oversight and Contracts
- Due diligence
- RFPs
- Contract negotiation
- "Reasonable Security" controls (again)
- Indemnification and limitations on liability
- Insurance
- Audits

Slide 8: Practice, Practice, Practice
While data breaches are inevitable, the company can take measures to be ready for the next breach.
- The Team
  - Internal stakeholders
  - External vendors: Legal, Forensics, Mailing and Call Center, Remediation, Crisis Communications
- The Incident Response Plan
- Drills/Tabletop Exercises

Slide 9: Evolving Threat Vectors

Slide 10: Evolving Threat Vectors (stock photo slide)

Slide 11: After an Incident

Slide 12: First and Foremost

Slide 13: Evaluate Risks
- State breach notification laws
- State Attorney General enforcement and guidance
- FTC enforcement and guidance
- Reputational damage
- International issues

Slide 14: Investigate, Contain & Respond
- Investigate! (Remember Forensics 101 from this morning)
- Contain!
- Notify (as applicable and pursuant to statute):
  - Internal stakeholders and affected business partners/vendors
  - Affected individuals
  - Regulators
  - Card companies
  - Law enforcement
  - Auditors
  - Others?
- Remediation services?
- Communications strategy?