What does the CCPA and the GDPR address regarding data breaches?
CCPA: provides statutory damages
GDPR: addresses how a company responds to a breach
When a company faces privacy breach litigation, what factors are condidered?
- Obligation to prevent unauthorized access to or use of the data
- If the company satisfied an applicable industry standard of care
- Whether there were damage or injury
- If the organization’s conduct or lack thereof was the proximate cause of the damages
What is the average cost of a data incident (Ponemon Institute)?
$3.86 M and cost per individual record lost is $ 146.
Loss of revenue
Class action litigation and settlement amounts
Impact on business relationship with third parties
What is the difference between a security incident and a breach?
Incident: confidentiality, integrity, or availability of PI may be potentially compromised.
Breach: unauthorized access or acquisition of PI. Breach is a legal term and definitions may vary. If a breach exists impacted individuals and regulatory authorities must be notified.
Breaches are incidents but not all incidents are breaches.
What measures can a company take to prepare for incidents?
- Training
- Incident response plan
- Insurance coverage
- Vendor management (if part of the incident)
How does training help with data incidents?
It exposes gaps in applications, procedures, and pre-incident plans.
Has the potential to reduce financial liability and regulatory exposure.
What should be considered when putting together an incident response plan?
- Type of PI collected
- Format and method of collection
- Third-party relationships
What is the purpose of an incident response plan?
Map for people in the organization to let them know what to do. The plan should include regulatory requirements.
What makes an incident response plan successful?
How effectively stakeholders and constituent teams execute assigned tasks a crisis unfolds.
Who should be involved in an incident response?
- IT or information security
- HR/marketing
- Customer relationship management
- Audit and compliance
- Shareholder management
- Business development
- Communications and PR
- Union leadership
- Finance
- President, CEO
- BOD
What may cyber-liability insurance cover?
- Forensic investigations
- Outside counsel fees
- Crisis management services
- PR experts
- Breach notification
- Call center costs
- Credit/identity monitoring
- Fraud resolution and restoration services
What is a Business Continuity Plan (BCP)?
A plan drafted and maintained by key stakeholders and spells out departmental responsibilities and actions teams must take before, during, and after an event. Situations covered: fire, natural disaster, and terrorist attacks.
What is a tabletop exercise?
A structured readiness-testing activity that simulates an emergency situation, such as data breach, in an informal, stress-free setting. It prepares people and identifies gaps.
Why should incident response plans and BCPs be current and tested?
There is little strategic, practical, or economic value to a plan that is painstakingly developed but seldom tested or improved.
What are the benefits to investing in breach preparedness training?
- Exposure of critical gaps in applications, procedures, and plans in a pre-incident phase
- Greater overall security for customers, partners and employees
- Reduced financial liability and regulatory exposure
- Lower breach-related costs, including legal counsel and consumer notification
- Preservation of brand reputation
What are the challenges to breach preparedness training?
It requires an organization-wide commitment backed by resources to see it through.
Many businesses utilize a shared-cost arrangement that equitably split training costs among participating stakeholder groups (IT, finance, and HR)
What costs are incurred responding to a breach?
- Threat isolation
- Forensic investigation
- Engaging of legal counsel
- PR communications and media outreach
- Reporting and notification (printing, postage, call center)
Is incident handling a linear process?
No. Incidents are handled in parallel steps along the following broad categories:
- Secure operations
- Notify appropriate parties
- Fix vulnerabilities
Who should review and approve an incident preparedness plan?
Internal or external legal counsel.
Consideration should be given to:
- How to best protect the potentially discoverable documentation including tracking and other workflow tools that are created during the incident.
- Consider issues of privilege and determine what consent should be documented
What should organizations ensure during layoffs and departures?
A procedure for retrieving portable storage devices or media is in place.
What is the responsibility of a data breach response team leader?
- Keep individual response team members on track to meet their performance objectives and timelines
- Track budget adherence for all response activities
- Contact outside incident response resources to confirm engagement and monitor performance
- Prepare a final analysis of the response effort
- Lead a post response evaluation process
How many levels are there to a response team?
Two:
- Leaders - make the key decisions about how the incident is handled
- Individuals who will be providing input and support to the core team.
What is the focus of an investigation regarding containment and legal?
Containment: focus on isolating compromised systems, containing the damage and documenting any actions taken
Legal: focus on determining whether the event constitutes a breach as defined by relevant laws, preserving electronic evidence, and establishing a chain of custody
-
1. Introduction30
-
2. Framework: Privacy Governance33
-
3. Framework: Applicable Privacy Laws and Regulations30
-
4. Operations: Data Assessment71
-
5. Operations: Protecting PI29
-
6. Operations: Policies24
-
7. Operations: Monitoring and Auditing Program Performance41
-
8. Operations: Training and Awareness16
-
9. Operations: Data Subject Rights83
-
10. Operations: Data Breach Incident Plans23
