
Page 1

The data breach lifecycle: From prevention to response IAPP global privacy summit

March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com

Page 2

Common Myths

1. You have not been hacked.

2. Cyber security is about keeping the hacker out.

3. Cyber threats are a technical issue managed locally.

4. You are not in a regulated industry so you don’t have to worry.

5. Your contract and/or your insurance protects you from a breach at your third party provider.

6. You don’t need to think about data breaches and privacy incidents until they happen.

7. You are [insert regulation here] compliant, and you have privacy notices, so you are all set.

8. “There’s an App for that!”


Page 3

Myth #1

You have not been hacked.


Page 4

Reality: Don’t bet on it. Advanced threats usually maintain remote access to target environments for 6-18 months before being detected.


Security Market Paradigm Shift (chart: technology reliance/complexity rising over time)

1980s, “Perimeter Security”: Focus on security technology for the perimeter
1990s, “Layered Security”: Focus on enhanced layers of security, adoption of incremental security solutions
2000s, “Inclusion & Exclusion Security”: Heavy focus on identity management – right people, right place, right access
2010+, “Resilient Cyber Security”: Assumed state of compromise

• Significant and evolving cyber threats unlike ever before
• Highly skilled/motivated, and yet patient adversaries, including nation states
• Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers
• Massive consumerization of IT and reliance on mobile technologies
• Increasing regulatory compliance requirements (e.g., State and Global Breach notification laws, HIPAA)

Page 5

Myth #2

Cyber security is about keeping the hacker out.


Page 6

Reality: Not anymore. Evolution of IT as well as sophistication of the threat drive a need for anticipation and resilience, not just prevention.


Cyber Evolution: A new holistic approach

Increased volume, complexity, and detection difficulty of attacks and the associated impact are driving enterprises to adopt a new approach to security and privacy.

(Diagram)
Traditional Security & Privacy Lifecycle (Security & Privacy Management): Prevent → Detect
State of Compromise (Cyber Incident & Crisis Management): Detect/Discover → Triage/Contain → Respond/Remediate → Correct/Enhance

Page 7

Myth #3

Cyber threats are a technical issue managed locally.


Page 8

Reality: Security and privacy are more than a local IT challenge; they are a global business challenge.


Historical IT security perspectives vs. today’s leading cybersecurity and privacy insights

Scope of the challenge
  Historical:
  • Limited to your “four walls” and the extended enterprise
  Today:
  • Spans your interconnected global business ecosystem
  • Borderless data collection, transfer and storage
  • Regulations and cross-border data flow frameworks vary by country, region and state

Ownership and accountability
  Historical:
  • IT led and operated
  Today:
  • Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
  Historical:
  • One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
  Today:
  • Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
  Historical:
  • One-size-fits-all approach
  Today:
  • Data flow analysis and risk based mitigation approach
  • Prioritize and protect your “crown jewels”

Defense posture
  Historical:
  • Protect the perimeter; respond if attacked
  Today:
  • Proactive, continuous risk assessment & monitoring
  • Plan, monitor, and rapidly respond for when attacked or when an incident occurs

Security and privacy intelligence and information sharing
  Historical:
  • Keep to yourself
  Today:
  • Public/private partnerships; collaboration with industry working groups

Enforcement
  Historical:
  • Rare
  Today:
  • Increasing fines and public disclosures for data breaches and privacy incidents

Page 9

Myth #4

You are not in a regulated industry so you don’t have to worry.


Page 10

Reality: Threats and regulatory enforcement are industry agnostic. Breaches are costly. The number of incidents detected in the past 12 months increased by 25%¹

(Charts)
Average number of security incidents in past 12 months¹: 2011: 2,562; 2012: 2,989; 2013: 3,741
Second chart (title not recovered): 2011: 1,037; 2012: 1,612; as of May 31, 2013: 492
“Do not allow” charts (titles not recovered): 9%, 14%, 18%

Industries reporting $10 million+ losses¹: Oil & Gas 24%; Pharmaceuticals 20%; Financial Services 9%; Technology 9%; Industrial Products 8%

Financial losses due to security incidents in Europe increased 28% over last year¹. In North America, detected incidents increased 117% over last year¹.

Average cost of a compromised record: $188²

August 2012: FTC issues a large fine for a privacy violation.
September 2013: FTC sanctions a large technology company for security flaws in their web-enabled video camera.
August 2013: The OCR fines a company for not removing sensitive data from returned leased equipment.

¹ Source: PwC: Global Information Security Survey 2014
² Source: Ponemon Institute 2013 Cost of a Data Breach Study: U.S.

Page 11

Myth #5

Your contract and/or your insurance protects you from a breach at your third party provider.


Page 12

Reality: More than 40% of companies sustained a data breach caused by a third party¹. Breaches caused by third-party errors cost more¹.


57% of companies do not evaluate security at third parties or are not sure if they do²

78% of companies do not or are unsure if they conduct incident response planning with third parties²

Key foundational areas for establishing an effective third-party risk management program

Governance
• Vendor management office
• Operational risk governance body

Methodology
• Standard operational risk methodologies and defined risk levels
• Standard controls effectiveness assessment methodology
• Escalation, exception, and exemption process

Data & Information
• Well defined general ledger
• Comprehensive contracts management system and contract data
• Well defined and maintained third-party repositories (vendor master, etc.)
• Third-party/vendor usage data
• Strong organizational and employee data for identifying third-party linkages across the organization
• Issues and incidents repositories to track third-party issues

¹ Source: Ponemon Institute 2013 Cost of Data Breach Study: U.S.
² Source: PwC Global State of Information Security Survey 2014

Page 13

Myth #6

You don’t need to think about data breaches and privacy incidents until they happen.


Page 14

Reality: Threat Actors are thinking about you. Effective cybersecurity includes understanding the threat, prioritizing critical data assets, and creating a crisis response plan.


Adversary / Motives / Targets / Impact

Insiders
  Motives:
  • Personal advantage, monetary gain
  • Professional revenge
  • Patriotism
  Targets:
  • Sales, deals, market strategies
  • Corporate secrets, IP, R&D
  • Business operations
  • Personnel information
  Impact:
  • Loss of market share
  • Erosion of corporate confidence
  • National security impact

Organized Crime
  Motives:
  • Immediate financial gain
  • Collect information for future financial gains
  Targets:
  • Financial/Payment Systems
  • Personally Identifiable Information
  • Payment Card Information
  • Protected Health Information
  Impact:
  • Costly regulatory inquiries and penalties
  • Consumer and shareholder lawsuits
  • Loss of consumer confidence

Hacktivists
  Motives:
  • Influence political and/or social change
  • Pressure business to change their practices
  Targets:
  • Corporate secrets
  • Sensitive business information
  • Information related to key executives, employees, customers & business partners
  Impact:
  • Disruption of business activities
  • Brand and reputation
  • Loss of consumer confidence

Nation State
  Motives:
  • Economic, political, and/or military advantage
  Targets:
  • Trade secrets
  • Sensitive business information
  • Emerging technologies
  • Critical infrastructure
  Impact:
  • Loss of competitive advantage
  • Disruption to critical infrastructure

Page 15

Reality: It takes a village. Breach response is more than a technical problem with a technical solution.


Cyber crisis management team (diagram)

Core Team: Team Leader, Support Team
Stakeholders: Privacy, Legal, IT, Finance, Sr. Executives
Investigative team: Technical Lead, Info. Security, BU SME
Cyber incident management team
External counsel
External service providers: Public relations, Breach notification, Credit monitoring, Fraud mitigation, Monitor criminal underground
Law enforcement & government regulators

Page 16

Threat actors are organized, funded and targeted; you should be too.

Data Breach and Privacy Incident Life Cycle


(Diagram: support area involvement across the life cycle)

Life cycle phases: Risk Assessment → Develop Program → Detection → Incident Response → Notification/Media → Remediation → Post Mortem/Strategy

Support areas involved: Privacy, Legal, Incident Response, Internal Audit, BU SME/Leadership, Information Security, Compliance, IT

Page 17

Learning from each other is critical in building and maintaining an effective program.


Incident lifecycle / Leading practice / Common pitfalls

Risk Assessment
  Leading practice:
  • Ongoing assessment of internal and external privacy and security threats
  • Policies and procedures that are current, communicated, and followed
  Common pitfalls:
  • Non-existent, incomplete, or outdated data inventory, including third parties
  • No process for consistent threat analysis

Develop Program
  Leading practice:
  • Cross-stakeholder, multi-disciplinary effort
  • Process for program training and awareness, communication, and maintenance
  • Controls aligned with threats from risk assessment and a selected framework
  • Design privacy and security into products and systems
  Common pitfalls:
  • Minimum senior leadership involvement and lack of governance structure and processes
  • Focus solely on regulatory compliance

Detection
  Leading practice:
  • Automation, risk based tuning/correlation
  • Process for managing privacy and security concerns raised by employees and consumers
  Common pitfalls:
  • Not understanding data flow

Incident Response
  Leading practice:
  • Testing that includes all stakeholders and external providers
  • Inventory of breach notification laws/regulations
  Common pitfalls:
  • Lack of clarity around roles and responsibilities
  • Limited forensic capabilities or trusted partner

Notification/Media
  Leading practice:
  • Template media notice/Pre-defined public relations process
  Common pitfalls:
  • Notification prior to completion of full analysis

Remediation/Post Mortem/Strategy
  Leading practice:
  • Strategic versus tactical focus and approach
  Common pitfalls:
  • Limited involvement from internal audit/compliance

Page 18

Myth #7

You are [insert regulation here] compliant, and you have privacy notices, so you are all set.


Page 19

Reality: There is much more at stake than compliance. Key drivers for data protection & privacy.


Key drivers: Legal Requirements; Reputation/Brand; Competitive Advantage; National Security; Contractual Requirements; Shareholder Value/Financial

• Proprietary Business Information: intellectual property, pricing & sales/marketing strategy, sourcing strategy
• Personally Identifiable Information: name, age, identification numbers, home or e-mail address, income or physical characteristics; opinions
• Sensitive Personal Information: information on medical or health conditions, financial information (including credit cards), racial or ethnic origin
• Business Customer Information: franchisee information, customer sensitive information (financial, IP, etc.)

Page 20

Myth #8

“There’s an App for that!”


Page 21

Reality: There is no silver bullet. A comprehensive data protection & privacy program is required.


(Diagram: program components around “Data”)
• Data and Vendor Inventory
• Accountability and Governance
• Vendor Management
• Process and Controls
• Incident Management and Response
• Training and Awareness
• Monitoring and Auditing
• Risk and Compliance Assessment

Page 22

Thank you!


Carolyn Holcomb Partner, National Data Protection & Privacy Leader [email protected] (678) 419-1696

Emily Stapf Director, Forensic Technology [email protected] (703) 868-0269

Page 23

© 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.