Looking Forward: Regulators and Data Incidents

Upload: co3-systems

Post on 01-Nov-2014

DESCRIPTION

The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents. This webinar will feature two leading data breach experts who have performed a two-year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations, which are in turn influencing decision-making in the C-Suite.

Our featured speakers for this timely webinar will be:

- Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
- Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
- Gant Redmon, Esq., General Counsel and VP of Business Development, Co3 Systems

TRANSCRIPT

Page 1: Looking Forward - Regulators and Data Incidents

Looking Forward: Regulators and Data Incidents

Page 2: Looking Forward - Regulators and Data Incidents

Agenda

• Introductions

• Breach Impact On The C-Suite

• How Breaches Occur

• Data Breach Study Results

• Breach Legal Considerations

• Q&A

Page 3: Looking Forward - Regulators and Data Incidents

Introductions: Today’s Speakers

• Gant Redmon - General Counsel and VP Business Development, Co3 Systems

• Bill Hardin - Director, Disputes and Investigations, Navigant

• Jennifer Coughlin - Privacy and Data Security, Nelson Levine DeLuca Hamilton

Page 4: Looking Forward - Regulators and Data Incidents

Co3 Automates Breach Management

PREPARE: Improve Organizational Readiness

• Assign response team

• Describe environment

• Simulate events and incidents

• Focus on organizational gaps

REPORT: Document Results and Track Performance

• Document incident results

• Track historical performance

• Demonstrate organizational preparedness

• Generate audit/compliance reports

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments

• Track events

• Scope regulatory requirements

• See $ exposure

• Send notice to team

• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans

• Escalate to complete IR plan

• Oversee the complete plan

• Assign tasks: who/what/when

• Notify regulators and clients

• Monitor progress to completion

Page 5: Looking Forward - Regulators and Data Incidents

Introduction to Navigant

• Premium brand and reputation with critical mass

• Deep relationships with premier law firms and Fortune 500

• Disputes and Investigation Services:

  • Government, regulatory and investigative actions

  • Data Breach and Theft of Trade Secrets Investigations

  • Global investigations and compliance issues

  • Forensic Accounting

Page 6: Looking Forward - Regulators and Data Incidents

Intro To Navigant - Our Teams are Deployed

REACTIVE PROACTIVE

Page 7: Looking Forward - Regulators and Data Incidents

WHERE DOES CYBER SECURITY RANK ON YOUR RISK PROFILE FOR 2013/2014?

Page 8: Looking Forward - Regulators and Data Incidents

Balancing the Needs (CEO and Board)

The C-Suite:

• Business & Financial: CFO & COO

• Technology: CIO & CTO

• Legal & Regulatory: CLO & CRO

Page 9: Looking Forward - Regulators and Data Incidents

When an Event Triggers Something Else..

[Chart: Stock Price around Large Health Care Data Breach Disclosure, Jun-27-2011 to Mar-27-2013; labelled prices $22.15 and $10.75]

Page 10: Looking Forward - Regulators and Data Incidents

How does a CFO rank risk?

Ranking in 2008 | Ranking in 2012
International operations | Information security
Project management | International operations
Extended enterprise | Excess cash
Data privacy | Corporate culture
Fraud | Compliance
IT | Third-party relationships
Business continuity management | Cost reduction pressures
Shared services | Human resources
Tax management | Social media

*CFO.com December 2011

Page 11: Looking Forward - Regulators and Data Incidents

ARE YOUR EMPLOYEES WELL TRAINED AND UNDERSTAND THE RISK WITH SENSITIVE INFORMATION?

Page 12: Looking Forward - Regulators and Data Incidents

Increased Asset Value = Increased Liabilities

Page 13: Looking Forward - Regulators and Data Incidents

Where is the Payroll File?

ADP

Page 14: Looking Forward - Regulators and Data Incidents

Human Element

The faces of the company

Page 15: Looking Forward - Regulators and Data Incidents

Snowmageddon – USA Today Coverage

As Snowden told The Guardian in a videotaped interview: "When you're in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you're exposed to a lot more information on a broader scale than the average employee ... Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets."

He also claimed to possess the "full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth."

Page 16: Looking Forward - Regulators and Data Incidents

How Do Data Breaches Occur?

         | Accidental | Intentional
Internal | Lost Devices & Inadvertent Publication of Data | Disgruntled Employees
External | Vendors & Subcontractors | Hackers & Unsecured Websites

Page 17: Looking Forward - Regulators and Data Incidents

Navigant’s Data Breach Study (Jan. 2011 to Dec. 2012)

[Chart: 2011 vs. 2012; labels "YOY Growth – 57%" and "YOY Growth – 145%"]

Page 18: Looking Forward - Regulators and Data Incidents

Navigant’s Data Breach Study (Jan. 2011 to Dec 2012)

Change from 2011?

No Significant Changes Noted

Page 19: Looking Forward - Regulators and Data Incidents

HOW MANY LAWS AND REGULATIONS DO YOU THINK COVER CYBER SECURITY?

Page 20: Looking Forward - Regulators and Data Incidents

Legal & Regulatory Risks

Legal Risk

Contracts

Federal, State and Foreign Laws

Industry Specific Regulations

Common Law

Page 21: Looking Forward - Regulators and Data Incidents

Is there a lawyer in the room?

• 46 states with privacy breach notification laws

• HIPAA/HITECH regulations

• Gramm – Leach – Bliley

• FTC

• State Consumer Protection Laws

• Foreign laws and regulations

• Other federal laws

  • SEC Guidance on Regulation S-K Item 503(c), CAN-SPAM, Children’s Online Privacy Protection Act (COPPA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), Computer Fraud and Abuse Act, Federal Privacy Act

Page 22: Looking Forward - Regulators and Data Incidents

MY COMPANY HAS REVIEWED ITS INSURANCE COVERAGE WITH RESPECT TO PRIVACY AND CYBER SECURITY

Page 23: Looking Forward - Regulators and Data Incidents

Data Security and Privacy Liability Exposure

Liability

Suits from your customers

Consumer Class Action Suits

Regulatory

Settlements with the FTC, State AGs, HHS, FINRA, SEC, etc.

Privacy Regulatory Proceeding inc. Fines and Consumer Redress Funds

Defense costs

Privacy Event Expenses

Notification Costs

Forensics Legal and PR

Credit Monitoring

Page 24: Looking Forward - Regulators and Data Incidents

Who do you TRUST

Page 25: Looking Forward - Regulators and Data Incidents

QUESTIONS

Page 26: Looking Forward - Regulators and Data Incidents

One Alewife Center, Suite 450, Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

Bill Hardin

30 S. Wacker Drive Suite 3100, Chicago, IL 60606

312.583.4119 Office | 773.415.3076 Mobile

WWW.NAVIGANT.COM

Jennifer Coughlin

Nelson Levine de Luca & Hamilton, LLC

215-358-5134

WWW.NLDHLAW.COM