Privacy & Security Update
June 16, 2015 Webinar
Mike Geske
GESKE COUNSEL, LLC
Washington, DC
202.904.1077
Michael.Geske@GeskeCounsel.com
1. Benefits from Self-Reporting Data Breaches to DOJ, FTC
2. Operating Securely: Risk Management v. Firewalls
3. New rules about NSA bulk collection and use of metadata
• USA Freedom Act; and
• ACLU v. Clapper, No. 14-42-cv (2d Cir. May 7, 2015)
Benefits from Self-Reporting Data Breaches to DOJ, FTC

Sources for this section:
• FTC Statement (May 20, 2015): If the FTC Comes to Call
• Ass’t AG Caldwell Speech (May 20, 2015): Remarks at the Georgetown Cybersecurity Law Institute

FTC Statement (May 20, 2015):
An FTC data-breach or security investigation asks: despite breaches or data security problems, were the company’s data security practices, including its response, on balance, reasonable?
FTC Statement (May 20, 2015): If the FTC Comes to Call
• The company’s response is an essential element of the FTC’s inquiry
  • Help affected consumers
  • Cooperate with criminal law-enforcement agencies against the hackers

“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. … It’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
• FTC data-security investigations are non-public
• The FTC can request information and documents, including from
  • Consumers
  • Vendors and banks
  • Other companies
  • Employees
Materials and questions the FTC may pursue:
• Information security plan
• Employee handbooks; training
• Cost-effectiveness of available defenses
• Audits, risk assessments
• Privacy policies; security promises to consumers
• Actual compliance vs. written policy
• Circumstances of the breach
  • What happened
  • What protections were in place
  • What consumer harm is likely; any consumer complaints
  • How the company responded
Ass’t AG Caldwell Speech (May 20, 2015):
Joint announcement with the FTC statement
• General view: hacked companies are victims
• Recounts cooperative take-downs of attacks and capture of hackers by
  • Private sector
  • DOJ, FBI, DHS, Secret Service, Dep’t of State, foreign law enforcers
• Cybersecurity Unit in CCIPS (Computer Crime and Intellectual Property Section)
  • Self-reporters gain the Unit’s expertise, forensic tools, and legal authority for warrants
Operating Securely: Risk Management v. Firewalls
“One of the defining characteristics of these attacks is that they can penetrate virtually all of a company’s perimeter defense systems, such as firewalls or intrusion detection systems: Intruders … exploit all layers of security vulnerabilities until they achieve their goal. In other words, if a sophisticated attacker targets a company’s system, they will almost certainly breach them.”*

*NACD Cyber-Risk Oversight Handbook (2014) at 4. You can download a copy of the Handbook at the NACD website.
Not all risks are the same; not all data are crown jewels.

NACD Handbook Principle 5:
“Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance as well as specific plans associated with each approach.”*

*Principle 5 is discussed on pp. 4 & 14 of the NACD Cyber-Risk Oversight Handbook. The NACD Handbook is expressly consistent with CKS guidance to avoid “siloed” thinking. See pp. 7, 13.
Guidance sources:
• DOJ White Paper, Best Practices for Victim Response and Reporting of Cyber Incidents (Apr. 29, 2015).
• NIST, Computer Security Incident Handling Guide, Special Publication 800-61 Rev. 2 (Aug. 2012).
• NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
• CSIS/DOJ Active Cyber Defense Experts Roundtable, Summary of Topics and Views (Mar. 10, 2015).

• Have a response plan
  • Actionable: personnel, procedure, equipment
  • Identify and protect cyber assets
  • Collect and preserve data about the incident
  • How to continue operations while responding to the attack
• Make contacts/relationships prior to a breach with
  • Local FBI field office, DHS (NCCIC), state law enforcement
  • Consultants, lawyers
• Do NOT “hack back”
  • Generally unlawful under U.S. statutes (e.g., the Computer Fraud and Abuse Act, 18 U.S.C. § 1030)
  • Risks warfare with an unknown adversary
  • Unlikely to succeed
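“Collect and preserve data about the incident” only helps a regulator or prosecutor if the data can later be shown to be what was collected. The following is an added example, not material from the webinar or from any of the guidance documents it cites: a minimal evidence manifest that hashes each collected artifact, records who collected it and when, and seals the manifest itself, so that later alteration of an artifact or of the manifest is detectable. The artifacts here are constructed in-memory byte strings standing in for log files, process listings and flow exports; the names, hosts and addresses are invented.

```python
"""Evidence-preservation manifest for incident artifacts.

Added example (not from the webinar). Every artifact is hashed with
SHA-256, the collector and collection time are recorded, and the
manifest body is hashed in canonical JSON form so that editing the
manifest later (e.g. changing who collected it) is detectable too.
"""
import hashlib
import json

# Constructed sample artifacts standing in for files read in binary mode.
SAMPLE_ARTIFACTS = {
    "web01/var/log/auth.log": (
        b"Jun 16 02:11:43 web01 sshd[4123]: Accepted password for deploy "
        b"from 203.0.113.45 port 51544 ssh2\n"
    ),
    "web01/proc/netstat.txt": (
        b"tcp 0 0 10.0.0.5:443 198.51.100.7:4444 ESTABLISHED 4157/sh\n"
    ),
    "fw/export/flows.csv": (
        b"2015-06-16T02:12:01Z,10.0.0.5,198.51.100.7,4444,OUT,81234\n"
    ),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace: the seal must not depend on dict order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, collected_by: str, collected_at: str) -> dict:
    """Hash each artifact, record provenance, then seal the whole manifest."""
    entries = [
        {"name": name, "size": len(data), "sha256": sha256_hex(data)}
        for name, data in sorted(artifacts.items())
    ]
    body = {
        "collected_by": collected_by,
        "collected_at": collected_at,   # ISO-8601 timestamp supplied by caller
        "artifacts": entries,
    }
    body["manifest_sha256"] = sha256_hex(_canonical(body))
    return body


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Return a list of problems; an empty list means everything checks out."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest seal mismatch")
    for entry in manifest["artifacts"]:
        data = artifacts.get(entry["name"])
        if data is None:
            problems.append(f"missing artifact: {entry['name']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
    listed = {e["name"] for e in manifest["artifacts"]}
    for name in sorted(set(artifacts) - listed):
        problems.append(f"artifact not in manifest: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, "ir-team", "2015-06-16T03:00:00Z")
    print(json.dumps(manifest, indent=2))
    print("verify:", verify_manifest(manifest, SAMPLE_ARTIFACTS) or "OK")
```

In practice the manifest would be written alongside the artifacts and its own hash recorded somewhere the responders do not control (a ticket, an email to counsel, a write-once store), which is what gives the seal its value when the FBI or the FTC later asks what was collected and when.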
ORDER OF CYBER-RISK MANAGEMENT DECISIONS
1. Data, assets, services meriting the most protection
   • Who must have access
   • Under what conditions
2. Appropriate protections and limits for each rank
3. Test, review, learn, amend
   • Before and after the next hack
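The three steps above can be expressed as policy-as-code, which makes step 3 (test and review) mechanical rather than a matter of reading documents. The following is an added example, not code from the webinar or the NACD Handbook: assets are ranked into tiers, each asset names the roles that must have access, each tier carries the conditions under which access is granted, and a review function reports rankings the policy does not actually back up. The asset names, roles, tiers and conditions are all invented for illustration, and the default is deny.

```python
"""Tiered access policy: rank assets, say who needs them, attach conditions.

Added example (not from the webinar). Step 1 of the decision order is
ASSET_TIER and ALLOWED_ROLES, step 2 is TIER_REQUIREMENTS, and step 3
is review_policy(), which flags rankings the policy does not enforce.
All names and conditions are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Step 1: rank assets. Tier 1 = crown jewels, tier 3 = low value.
ASSET_TIER = {
    "customer-pii-db": 1,
    "payment-switch": 1,
    "legacy-reporting": 1,   # a tier-1 asset that has grown too many consumers
    "source-repo": 2,
    "marketing-site": 3,
}

# Step 1 (cont.): who must have access to each asset.
ALLOWED_ROLES = {
    "customer-pii-db": {"dba", "fraud-analyst"},
    "payment-switch": {"payments-ops"},
    "legacy-reporting": {"dba", "developer", "marketing"},
    "source-repo": {"developer", "dba", "payments-ops"},
    "marketing-site": {"developer", "marketing"},
}

# Step 2: conditions per tier (assumed policy, not any standard's).
TIER_REQUIREMENTS = {
    1: {"mfa": True, "managed_device": True, "from_corp_network": True, "ticket_required": True},
    2: {"mfa": True, "managed_device": True},
    3: {"mfa": True},
}

# Tier-1 assets should not be reachable by more than this many roles.
MAX_ROLES_TIER1 = 2


@dataclass
class Request:
    principal: str
    role: str
    asset: str
    mfa: bool = False
    managed_device: bool = False
    from_corp_network: bool = False
    ticket: Optional[str] = None


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown assets or roles are denied."""
    tier = ASSET_TIER.get(req.asset)
    if tier is None:
        return False, f"unknown asset {req.asset}"
    if req.role not in ALLOWED_ROLES.get(req.asset, set()):
        return False, f"role {req.role} not permitted on {req.asset}"
    reqs = TIER_REQUIREMENTS[tier]
    if reqs.get("mfa") and not req.mfa:
        return False, "mfa required"
    if reqs.get("managed_device") and not req.managed_device:
        return False, "managed device required"
    if reqs.get("from_corp_network") and not req.from_corp_network:
        return False, "corporate network required"
    if reqs.get("ticket_required") and not req.ticket:
        return False, "change/access ticket required"
    return True, f"tier {tier} conditions satisfied"


def review_policy() -> List[str]:
    """Step 3: findings a periodic review of the policy itself should raise."""
    findings = []
    for asset, tier in ASSET_TIER.items():
        roles = ALLOWED_ROLES.get(asset, set())
        if not roles:
            findings.append(f"{asset}: no roles permitted (unmanaged or unusable)")
        if tier not in TIER_REQUIREMENTS:
            findings.append(f"{asset}: tier {tier} has no access conditions")
        if tier == 1 and len(roles) > MAX_ROLES_TIER1:
            findings.append(f"{asset}: tier 1 asset exposed to {len(roles)} roles")
    return findings


if __name__ == "__main__":
    print(evaluate(Request("alice", "dba", "customer-pii-db", mfa=True,
                           managed_device=True, from_corp_network=True, ticket="CHG-1042")))
    print(evaluate(Request("alice", "dba", "customer-pii-db", mfa=True, managed_device=True)))
    print(evaluate(Request("bob", "marketing", "customer-pii-db", mfa=True)))
    for finding in review_policy():
        print("REVIEW:", finding)
```

The point of the review function is the “learn, amend” half of step 3: the constructed data deliberately contains a tier-1 asset (legacy-reporting) that three roles can reach, which the review reports so that the ranking, the role list or the tier can be corrected before, rather than after, the next intrusion.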
USA Freedom Act and ACLU v. Clapper

ACLU v. Clapper (2d Cir. May 7, 2015)
• Specific, relevant request required for government access

USA Freedom Act (June 2, 2015)
• Metadata still collected
• Held by companies, not the NSA
• Specific, relevant request required for government access
• Independent amici at FISC, FISC-R
Wise Agnostics
• Will the USA Freedom Act be effective?
  • Executive Order No. 12333
  • Director Clapper admittedly and demonstrably lied under oath to Congress
  • Mandated reports will not be under oath, just statutorily mandated
• How long will communication providers keep the data?
  • Where and under what conditions
• Integrity matters
  • The data-wealthiest man of all history is now a data-beggar
MICHAEL R. GESKE
Leader, CKS Privacy & Security
GESKE COUNSEL, LLC
202.904.1077
Washington, DC
GeskeCounsel@Outlook.com

More Related Content

What's hot

Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
TrustArc
 
The Future of Employment Law
The Future of Employment LawThe Future of Employment Law
The Future of Employment Law
Dan Michaluk
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
TrustArc
 
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...
TrustArc
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
TechSoup Canada
 
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...
MIT Startup Exchange
 
Www.calguard.ca.gov Computer-Network-Defense
Www.calguard.ca.gov   Computer-Network-DefenseWww.calguard.ca.gov   Computer-Network-Defense
Www.calguard.ca.gov Computer-Network-Defense
David Sweigert
 
COVID-19: What are the Potential Impacts on Data Privacy?
COVID-19: What are the Potential Impacts on Data Privacy?COVID-19: What are the Potential Impacts on Data Privacy?
COVID-19: What are the Potential Impacts on Data Privacy?
TrustArc
 
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk
Assessing Risk: How Organizations Can Proactively Manage Privacy RiskAssessing Risk: How Organizations Can Proactively Manage Privacy Risk
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk
TrustArc
 
Cyber-Security: A Shared Responsibility -- November 2013
Cyber-Security: A Shared Responsibility -- November 2013Cyber-Security: A Shared Responsibility -- November 2013
Cyber-Security: A Shared Responsibility -- November 2013Amy Purcell
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Shawn Tuma
 
China's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 DaysChina's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 Days
TrustArc
 
Cybersecurity for Your Law Firm: Data Security and Data Encryption
Cybersecurity for Your Law Firm: Data Security and Data EncryptionCybersecurity for Your Law Firm: Data Security and Data Encryption
Cybersecurity for Your Law Firm: Data Security and Data Encryption
Shawn Tuma
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
Dan Michaluk
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Cyber Liability Insurance Counseling and Breach Response
Cyber Liability Insurance Counseling and Breach ResponseCyber Liability Insurance Counseling and Breach Response
Cyber Liability Insurance Counseling and Breach Response
Shawn Tuma
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
Dan Michaluk
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You
TrustArc
 

What's hot (20)

Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
 
The Future of Employment Law
The Future of Employment LawThe Future of Employment Law
The Future of Employment Law
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
 
2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
2021 Global Privacy Survey: Emerging Trends, Benchmarking Research and Best P...
 
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
 
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT...
 
Www.calguard.ca.gov Computer-Network-Defense
Www.calguard.ca.gov   Computer-Network-DefenseWww.calguard.ca.gov   Computer-Network-Defense
Www.calguard.ca.gov Computer-Network-Defense
 
COVID-19: What are the Potential Impacts on Data Privacy?
COVID-19: What are the Potential Impacts on Data Privacy?COVID-19: What are the Potential Impacts on Data Privacy?
COVID-19: What are the Potential Impacts on Data Privacy?
 
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk
Assessing Risk: How Organizations Can Proactively Manage Privacy RiskAssessing Risk: How Organizations Can Proactively Manage Privacy Risk
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk
 
Cyber-Security: A Shared Responsibility -- November 2013
Cyber-Security: A Shared Responsibility -- November 2013Cyber-Security: A Shared Responsibility -- November 2013
Cyber-Security: A Shared Responsibility -- November 2013
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
 
China's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 DaysChina's PIPL: How to Comply in Under 60 Days
China's PIPL: How to Comply in Under 60 Days
 
Cybersecurity for Your Law Firm: Data Security and Data Encryption
Cybersecurity for Your Law Firm: Data Security and Data EncryptionCybersecurity for Your Law Firm: Data Security and Data Encryption
Cybersecurity for Your Law Firm: Data Security and Data Encryption
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
Cyber Liability Insurance Counseling and Breach Response
Cyber Liability Insurance Counseling and Breach ResponseCyber Liability Insurance Counseling and Breach Response
Cyber Liability Insurance Counseling and Breach Response
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You
 

Viewers also liked

Autoyou Market Place version 1.3
Autoyou Market Place version 1.3Autoyou Market Place version 1.3
Autoyou Market Place version 1.3
Florian Voko
 
Cedar Rapids Travel Loop Card
Cedar Rapids Travel Loop CardCedar Rapids Travel Loop Card
Cedar Rapids Travel Loop CardMadison Luke
 
Arithlogic presentation
Arithlogic presentationArithlogic presentation
Arithlogic presentation
Deepak Pant
 
Competitive Traffic Analytic Data
Competitive Traffic Analytic DataCompetitive Traffic Analytic Data
Competitive Traffic Analytic DataIvy Wilcher
 
Tic Web 2.0
Tic   Web 2.0Tic   Web 2.0
Tic Web 2.0UNISARC
 
How Family Lawyers Use Practice Management Software
How Family Lawyers Use Practice Management SoftwareHow Family Lawyers Use Practice Management Software
How Family Lawyers Use Practice Management Software
Rocket Matter, LLC
 
Guia Quimico Farmacobiologo BUAP MUM-2012
Guia Quimico Farmacobiologo BUAP MUM-2012Guia Quimico Farmacobiologo BUAP MUM-2012
Guia Quimico Farmacobiologo BUAP MUM-2012
Víctor Bravo P
 
1diaporama tbi
1diaporama tbi1diaporama tbi
1diaporama tbi
emansutti
 
BTEC Level 3 Extended Diploma in IT certification
BTEC Level 3 Extended Diploma in IT certificationBTEC Level 3 Extended Diploma in IT certification
BTEC Level 3 Extended Diploma in IT certificationSam Pope
 
Me Myself and I and the Others
Me Myself and I and the OthersMe Myself and I and the Others
Me Myself and I and the Others
karinka2
 
Cytoplasmic Inheritance
Cytoplasmic Inheritance Cytoplasmic Inheritance
Cytoplasmic Inheritance
Shreya Ahuja
 
Am Acad Actuaries Presentation 090315
Am Acad Actuaries Presentation 090315Am Acad Actuaries Presentation 090315
Am Acad Actuaries Presentation 090315Michael R Geske
 
Registro Primer Ágape 2016 pdf
Registro Primer Ágape 2016 pdfRegistro Primer Ágape 2016 pdf
Registro Primer Ágape 2016 pdf
Anaïs Heine Ling
 

Viewers also liked (16)

Autoyou Market Place version 1.3
Autoyou Market Place version 1.3Autoyou Market Place version 1.3
Autoyou Market Place version 1.3
 
Cedar Rapids Travel Loop Card
Cedar Rapids Travel Loop CardCedar Rapids Travel Loop Card
Cedar Rapids Travel Loop Card
 
Arithlogic presentation
Arithlogic presentationArithlogic presentation
Arithlogic presentation
 
Competitive Traffic Analytic Data
Competitive Traffic Analytic DataCompetitive Traffic Analytic Data
Competitive Traffic Analytic Data
 
Tic Web 2.0
Tic   Web 2.0Tic   Web 2.0
Tic Web 2.0
 
cv_ed_TH
cv_ed_THcv_ed_TH
cv_ed_TH
 
How Family Lawyers Use Practice Management Software
How Family Lawyers Use Practice Management SoftwareHow Family Lawyers Use Practice Management Software
How Family Lawyers Use Practice Management Software
 
Guia Quimico Farmacobiologo BUAP MUM-2012
Guia Quimico Farmacobiologo BUAP MUM-2012Guia Quimico Farmacobiologo BUAP MUM-2012
Guia Quimico Farmacobiologo BUAP MUM-2012
 
1diaporama tbi
1diaporama tbi1diaporama tbi
1diaporama tbi
 
BTEC Level 3 Extended Diploma in IT certification
BTEC Level 3 Extended Diploma in IT certificationBTEC Level 3 Extended Diploma in IT certification
BTEC Level 3 Extended Diploma in IT certification
 
Me Myself and I and the Others
Me Myself and I and the OthersMe Myself and I and the Others
Me Myself and I and the Others
 
Cytoplasmic Inheritance
Cytoplasmic Inheritance Cytoplasmic Inheritance
Cytoplasmic Inheritance
 
tarek
tarektarek
tarek
 
Am Acad Actuaries Presentation 090315
Am Acad Actuaries Presentation 090315Am Acad Actuaries Presentation 090315
Am Acad Actuaries Presentation 090315
 
BALJINDER kUMAR
BALJINDER kUMARBALJINDER kUMAR
BALJINDER kUMAR
 
Registro Primer Ágape 2016 pdf
Registro Primer Ágape 2016 pdfRegistro Primer Ágape 2016 pdf
Registro Primer Ágape 2016 pdf
 

Similar to June 16 2015 P&S Update Webinar

U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
Robert Craig
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossLeadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Shawn Tuma
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-dataNumaan Huq
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Financial Poise
 
Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
Michael C. Keeling, Esq.
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Financial Poise
 
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSCYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
HB Litigation Conferences
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
Financial Poise
 
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
Brian K. Dickard
 
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Shawn Tuma
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
cliff_rudolph
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 
Data breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundationData breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundation
Bradley Arant Boult Cummings LLP
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
Joe Nathans
 

Similar to June 16 2015 P&S Update Webinar (20)

U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Data breaches at home and abroad
Data breaches at home and abroad Data breaches at home and abroad
Data breaches at home and abroad
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossLeadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSCYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
 
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
 
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
Data breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundationData breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundation
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
 

June 16 2015 P&S Update Webinar

  • 1. Privacy & Security Update June 16, 2015 Webinar Mike Geske GESKE COUNSEL, LLC Washington, DC 202.904.1077 Michael.Geske@GeskeCounsel.com 1
  • 2. 2 Privacy & Security Update 1. Benefits from Self-Reporting Data Breaches to DOJ, FTC 2. Operating Securely: Risk Management v. Firewalls 3. New rules about NSA bulk collection and use of metadata • USA Freedom Act; and • ACLU v. Clapper, No. 14-42-cv (2d Cir. May 7, 2015)
  • 3. FTC Statement (May 20, 2015): If the FTC Comes to Call Ass’t AG Caldwell Speech (May 20, 2015): Remarks at the Georgetown Cybersecurity Law Institute 3 Privacy & Security Update Benefits from Self-Reporting Data Breaches to DOJ, FTC
  • 4. FTC Statement (May 20, 2015): An FTC data-breach or security investigation asks: Despite breaches or data security problems, were the company’s data security practices, including its response, on balance, reasonable? 4 Privacy & Security Update Benefits from Self-Reporting Data Breaches to DOJ, FTC
  • 5. FTC Statement (May 20, 2015): If the FTC Comes to Call  Company’s response is an essential element of FTC’s inquiry • Help affected consumers • Cooperate with criminal, law-enforcement agencies against hackers “In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. … It’s likely we’d view that company more favorably than a company that hasn’t cooperated.” 5 Privacy & Security Update Benefits from Self-Reporting Data Breaches to DOJ, FTC
  • 6. FTC Statement (May 20, 2015): If the FTC Comes to Call  FTC data-security investigations are non-public  Can request information and documents, including from • Consumers • Vendors and banks • Other companies • Employees 6 Privacy & Security Update Benefits from Self-Reporting Data Breaches to DOJ, FTC
  • 7. FTC Statement (May 20, 2015): If the FTC Comes to Call • Information security plan • Employee handbooks; training • Cost effectiveness of available defenses • Audits, risk assessments • Privacy policies; security promises to consumers • Compliance v. policy • Circumstances of breach • What happened • What protections were in place • What consumer harm is likely; any consumer complaints • How company responded 7 Privacy & Security Update Benefits from Self-Reporting Data Breaches to DOJ, FTC
  • 8. Ass’t AG Caldwell Speech (May 20, 2015): Joint Announcement of FTC Statement • General View: Hacked companies are victims Recounts cooperative take-downs of attacks, capture of hackers • Private sector • DOJ, FBI, DHS, Secret Service, Dep’t of State, Foreign Law Enforcers Cybersecurity Unit in CCIPS (Cyber Crime and Intellectual Property Section) • Self-reporters gain Unit’s expertise, forensic tools, legal authority for warrants 8 Privacy & Security Update Benefits from Self-Reporting Data Breaches to DOJ, FTC
  • 9. 9 Privacy & Security Update Operating Securely: Risk Management v. Firewalls *NACD Cyber-Risk Oversight Handbook (2014) at 4. You can download a copy of the Handbook at the NACD website. “One of the defining characteristics of these attacks is that they can penetrate virtually all of a company’s perimeter defense systems, such as firewalls or intrusion detection systems: Intruders … exploit all layers of security vulnerabilities until they achieve their goal. In other words, if a sophisticated attacker targets a company’s system, they will almost certainly breach them.”*
  • 10. Operating Securely: Risk Management v. Firewalls
    All risks are not the same; all data are not crown jewels.
    NACD Handbook Principle 5: “Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance as well as specific plans associated with each approach.”*
    *Principle 5 is discussed on pp. 4 & 14 of the NACD Cyber-Risk Oversight Handbook. The NACD Handbook is expressly consistent with CKS guidance to avoid “siloed” thinking. See pp. 7, 13.
  • 11. Operating Securely: Risk Management v. Firewalls
    • DOJ White Paper, Best Practices for Victim Response and Reporting of Cyber Incidents (Apr. 29, 2015).
    • NIST, Computer Incident Handling Guide, Special Publication 800-61 Rev. 2 (Aug. 2012).
    • NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
    • CSIS/DOJ Active Cyber Defense Experts Roundtable, Summary of Topics and Views (Mar. 10, 2015).
  • 12. Operating Securely: Risk Management v. Firewalls
     Have a Response Plan
      • Actionable: personnel, procedure, equipment
      • Identify and protect cyber assets
      • Collect, preserve data about incident
      • How to continue operations while responding to attack
     Make contacts/relationships prior to breach with
      • Local FBI field office, DHS (NCCIC), state law enforcement
      • Consultants, lawyers
     Do NOT “hack back”
      • Generally unlawful under U.S. statutes
      • Risks warfare with an unknown adversary
      • Unlikely to succeed
  • 13. Operating Securely: Risk Management v. Firewalls
    ORDER OF CYBER-RISK MANAGEMENT DECISIONS
    1. Data, assets, services meriting most protection
      • Who must have access
      • Under what conditions
    2. Appropriate protections and limits for each rank
    3. Test, review, learn, amend
      • Before and after next hack
  • 14. USA Freedom Act and ACLU v. Clapper
    ACLU v. Clapper (2d Cir. May 7, 2015)
      • Specific, relevant request required for government access
    USA Freedom Act (June 2, 2015)
      • Metadata still collected
      • Held by companies, not NSA
      • Specific, relevant request required for government access
      • Independent amici at FISC, FISC-R
  • 15. USA Freedom Act and ACLU v. Clapper
    Wise Agnostics
     Will USA Freedom Act be effective?
      • Executive Order No. 12333
      • Director Clapper admittedly and demonstrably lied under oath to Congress
      • Mandated reports will not be under oath, just statutorily mandated
     How long will communication providers keep the data?
      • Where and under what conditions
     Integrity matters
      • Data-wealthiest man of all history is now a data-beggar
  • 16. MICHAEL R. GESKE
    Leader, CKS Privacy & Security
    GESKE COUNSEL, LLC
    Washington, DC
    202.904.1077
    GeskeCounsel@Outlook.com

Editor's Notes

  1. FTC in particular realizes that companies may be reluctant to share information with government (particularly an agency with as broad a mandate as Section 5 of FTC Act) when not compelled to do so, because the same agency can use that same information in a consumer protection action.
  2. This statement is a slight paraphrase. But what the FTC Statement from May 20 does is unpack it so that a company knows what the FTC does in a breach investigation and how it does that.
  3. Non-public means the FTC can’t disclose whether a company is under investigation prior to taking some additional official action, e.g., an administrative action or lawsuit. That generally suggests it’s in an investigated entity’s interest to cooperate in the first instance. But for all its protestations about “looking for cooperation” on investigating hacks, FTC is still a prosecutorial entity. There are two warnings here, too, though they are not ever stated expressly. If you don’t give FTC cooperation in the form of providing the information it needs, it can get that information elsewhere and will do so. Putting FTC to that trouble removes FTC’s incentive not to cause the company any trouble. If necessary, the FTC has broad powers to fact check what you tell the FTC to ensure its accuracy. So don’t play games here.
  4. Audits, risk assessments: (1) Keep legal advice and work product, and the legal assessment of potential claims, separate. (2) “Audits” implies testing of the plan. Employee handbooks and training: It’s one thing to have a plan, quite another to have people internalize that plan in their everyday business plans, particularly IT folks. It’s one thing to say employees can’t bring their own devices, but IT folks are constantly allowed to take stuff home for work on thumb drives. That’s Edward Snowden: taking classified info (classic no-BYOD) took it all out. FTC Section 5.
  5. CCIPS is in DOJ Criminal Division
  6. Why? Users, customers, and even IT staff are individually and collectively the source of most breaches. On June 10, 2015, BBC.com reported “Kaspersky Lab Cybersecurity firm is hacked” (Kaspersky is a leading supplier of anti-virus software). Malware was spread through the MS Software Installer files which even sophisticated IT staff routinely use to install programs on remote computers.
  7. Insurance that covers cybersecurity losses is much better than even a couple of years ago, but you must still expressly ask about and understand any exclusions. Subcontracting certain tasks to vendors or other non-employees.
  8. DOJ Best Practices white paper provides an outline of how to start preparing a plan. Written with small to medium sized companies in mind.
  9. Surveys (by, e.g., PwC; Cisco 2015 Annual Security Report) show that fewer than half of large firms, and a much smaller percentage of small and medium firms, have a plan. DHS (Nat’l Cybersecurity & Communications Integration Center) is 24/7: share and receive info about an ongoing incident to/from gov’t and other victims. Incident data is not just computer logs or other IT databases or reports: breaches are often accompanied by emails, phone calls, communications. All 56 FBI Field Offices have a Cyber Task Force or InfraGard chapter. They hold regular outreach sessions with the private sector. Call them.
  10. One size does not fit all, but the government documents I have referenced so far provide a conceptual framework for how to go about generating, executing and revising a cyber-risk management plan, and explain why it’s better to consider certain questions before others when assembling or revising a cyber-risk response plan.

  First, ask question 1. We need to unpack three important insights buried there.

  A. Some companies generate profit by mining data that they have collected on their customers and selling the insights from that mining; retail banks, on the other hand, make money by making the confidential, sensitive, traditionally private data they hold about their customers freely and easily available to those customers. How the company makes money will guide your ranking. This process must be revisited and revised.

  And let us recall that cyber attacks are not just data hacks. Even bricks-and-mortar assets are more often than not wired to communicate through networks, the so-called Internet of Things. Services, e.g., legal advice and representation, are now entirely dependent on the successful operation and security of private and public networks.

  The results of identifying and ranking the value of the data, assets, and services cannot be carved in stone. The value of each to the company’s mission may change over time, which means that the level of protection each deserves will change, too. The ability to protect each item changes over time as cyber attacks morph. The cost of protection changes constantly, too. The title of this section is a prime example: not long ago, and still today for most companies, having a good firewall was the best protection on offer. So great cost and effort was devoted to that; but as hackers have found ever more successful ways of penetrating firewalls, we have switched to a risk management model because firewalls are routinely breached.

  Only after identification and ranking of assets at risk can a company decide what protections would be reasonable, i.e., cost-effective, for each type. Otherwise, you’ll just be chasing the latest fashion. That’s how we got to everyone thinking a firewall is enough; suddenly that is not true, but the majority of companies have no plan for finding an additional, alternative plan. No one is suggesting that every company will get it right.