looking forward - regulators and data incidents
TRANSCRIPT
Page 2
Agenda
• Introductions
• Breach Impact On The C-Suite
• How Breaches Occur
• Data Breach Study Results
• Breach Legal Considerations
• Q&A
Page 3
Introductions: Today’s Speakers
• Gant Redmon - General Counsel and VP Business Development, Co3 Systems
• Bill Hardin - Director, Disputes and Investigations, Navigant
• Jennifer Coughlin - Privacy and Data Security, Nelson Levine DeLuca Hamilton
Page 4
Co3 Automates Breach Management
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
Page 5
Introduction to Navigant
• Premium brand and reputation with critical mass
• Deep relationships with premier law firms and Fortune 500
• Disputes and Investigation Services:
  • Government, regulatory and investigative actions
  • Data Breach and Theft of Trade Secrets Investigations
  • Global investigations and compliance issues
  • Forensic Accounting
Page 8
Balancing the Needs (CEO and Board)
[Diagram: The C-Suite. CFO & COO (Business & Financial), CIO & CTO (Technology), CLO & CRO (Legal & Regulatory), all balancing the needs of the CEO and Board.]
Page 9
When an Event Triggers Something Else...
[Chart: Stock Price around Large Health Care Data Breach Disclosure. Share price plotted from Jun-27-2011 to Mar-27-2013 on a $0 to $35 scale; labelled data points are $22.15 and $10.75.]
Page 10
How does a CFO rank risk?
[Table: Ranking in 2008 vs. Ranking in 2012; column assignment not recoverable from the extracted text. Risk areas listed: International operations, Information security, Project management, Extended enterprise, Excess cash, Data privacy, Corporate culture, Fraud, Compliance, IT, Third-party relationships, Business continuity management, Cost reduction pressures, Shared services, Human resources, Tax management, Social media.]
*CFO.com December 2011
Page 15
Snowmageddon – USA Today Coverage
As Snowden told The Guardian in a videotaped interview: "When you're in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you're exposed to a lot more information on a broader scale than the average employee ... Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets."
He also claimed to possess the "full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth."
Page 16
How Do Data Breaches Occur?
• Lost Devices & Inadvertent Publication of Data
• Disgruntled Employees
• Vendors & Subcontractors
• Hackers & Unsecured Websites
[Diagram axes: Accidental vs. Intentional; Internal vs. External]
Page 17
Navigant’s Data Breach Study (Jan. 2011 to Dec. 2012)
[Chart: 2011 vs. 2012 totals on a 0 to 9,000,000 scale. Labels: YOY Growth – 57%; YOY Growth – 145%]
Page 18
Navigant’s Data Breach Study (Jan. 2011 to Dec 2012)
Change from 2011? No Significant Changes Noted
Page 20
Legal & Regulatory Risks
Legal Risk:
• Contracts
• Federal, State and Foreign Laws
• Industry Specific Regulations
• Common Law
Page 21
Is there a lawyer in the room?
• 46 states with privacy breach notification laws
• HIPAA/HITECH regulations
• Gramm-Leach-Bliley
• FTC
• State Consumer Protection Laws
• Foreign laws and regulations
• Other federal laws
  • SEC Guidance on Regulation S-K Item 503(c), CAN-SPAM, Children’s Online Privacy Protection Act (COPPA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), Computer Fraud and Abuse Act, Federal Privacy Act
Page 23
Data Security and Privacy Liability Exposure
Liability
• Suits from your customers
• Consumer Class Action Suits
Regulatory
• Settlements with the FTC, State AGs, HHS, FINRA, SEC, etc.
• Privacy Regulatory Proceeding inc. Fines and Consumer Redress Funds
• Defense costs
Privacy Event Expenses
• Notification Costs
• Forensics
• Legal and PR
• Credit Monitoring
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Bill Hardin
30 S. Wacker Drive Suite 3100, Chicago, IL 60606
312.583.4119 Office | 773.415.3076 Mobile |
WWW.NAVIGANT.COM
Jennifer Coughlin
Nelson Levine de Luca & Hamilton, LLC
215-358-5134
[email protected] WWW.NLDHLAW.COM