Cyber War Games: Data Breach at Ground Zero
Association of Corporate Counsel – Annual Meeting
November 10, 2015 at 4:00 pm
Columbia, South Carolina

Players:
1. Narrator/CEO – Robert Sumner, Moore & Van Allen
2. In-house Counsel – Robert Wilson, CSC
3. Insurance Broker – Brian Warszona, Willis of Illinois (Chicago)
4. Outside Counsel – Karin McGinnis, Moore & Van Allen
5. IT Professional – Mark Lester, South Carolina Ports Authority
6. Computer Forensics Professional – Serge Jorgensen, Sylint Group

* Contact information below at the end of the outline *

I. Introduction (Robert Sumner)
   A. Introduce the scenario
   B. Explain the goal
   C. Introduce the players

II. Voting (Robert Sumner)
   A. Poll Everywhere
   B. Text vote
   C. Real-time reporting
   D. Announce results

III. Initial Meeting (Robert Wilson and Robert Sumner)
   A. Between CEO and Corporate Counsel
   B. How did the breach occur?
   C. How were we notified?
   D. Chief Information Security Officer (CISO)
   E. Data Breach Plan
   F. Cyber-Insurance
   G. Information Technology & Computer Forensics

IV. Information Technology (Mark Lester)
   A. Detection
   B. Analysis
   C. Containment
   D. Eradication
   E. Recovery
   F. Post-incident activities

V. Insurance Broker (Brian Warszona)
   A. Data Breach Coach
   B. Notice to Carrier
   C. Choose Vendors
      1. Outside Legal Counsel
      2. Forensic Investigation Firm
      3. Notification and Call Center
      4. Public Relations Firm / Media
   D. Keep broker up-to-date
      1. Setbacks or delays that broker can assist
      2. Interpretation of policy by carrier

VI. Outside Counsel (Karin McGinnis)
   A. Legal Landscape
   B. Overview of laws and guidelines governing data breach
   C. Data Breach
   D. Definition of Personal Information
   E. Internal Notification
   F. Investigation Scope and Coordination
   G. Treatment of Investigation Communications and Documentation
   H. Immediate Information Collection
   I. Containing the Breach
   J. Official Notifications
   K. Other Notifications

VII. Outside Computer Forensics (Serge Jorgensen)
   A. What is the Scope?
   B. What is the state of the Evidence?
   C. What Tools are available?
   D. What is the Timeline?
   E. How much does this Cost?
   F. What are the Outcomes?

VIII. Data Breach Notification – Outside Counsel (Karin McGinnis)
   A. Identify state laws in play – states where victims reside
   B. Confirm deadlines for notification
   C. Notice to state attorneys general, consumer protection, etc.
   D. Data breach notification company
      1. Letters
      2. Emails
      3. Call center
      4. Consider hiring a data breach notification company

IX. Prospective actions (Robert Wilson and Karin McGinnis)
   A. Public relations
   B. Need to protect customers
   C. Need to identify potential risks
   D. Security/Identity Monitoring

X. Wrap-up (Everyone)
   A. Final thoughts
   B. Words of warning
   C. Lessons learned
   D. Questions

Contributors:

Brian Warszona
Assistant Vice President
Willis of Illinois (Chicago)
Brian.Warszona@willis.com
312-288-7850

Mr. Warszona is a Cyber and E&O broker for large organizations with responsibilities of negotiating terms and conditions, limits, placing coverage, and post placement handling including incident/breach organization for clients.
______________________________________________________________________________

Mark Alan Lester
Information Security Manager
South Carolina Ports Authority
mlester@scspa.com
843-724-4057

Mr. Lester is the Information Security Manager, charged with building the Information Security Framework that provides prevention, detection, response and recovery, and measurement of items related to the confidentiality, integrity, and availability of the information created, changed, or used to accomplish the mission of the SC Ports Authority.
______________________________________________________________________________

Robert Wilson, Esq.
Principal: Attorney, Mergers & Acquisitions and Global Alliances
CSC (Computer Sciences Corporation)
rwilson53@csc.com
803-528-4007

Mr. Wilson is the primary in-house attorney supporting over $1 billion annually in global M&A activity as well as corporate governance and global commercial transactions, alliances, and joint ventures.
______________________________________________________________________________

Serge Jorgensen
Founding Partner, Chief Technology Officer
Sylint Group
sdj@usinfosec.com
941-951-6015

Mr. Jorgensen and his team manage incident responses and security architecture for international companies and government entities.
______________________________________________________________________________

Karin M. McGinnis, Esq.
Member
Moore & Van Allen, PLLC
karinmcginnis@mvalaw.com
704-331-1078

Ms. McGinnis is the co-head of Moore & Van Allen’s Privacy and Data Security group and has handled a wide range of employment, privacy and data-security matters. She has successfully litigated a variety of issues on employers’ behalves in federal and state court, and in arbitration.
______________________________________________________________________________

Robert E. Sumner, IV, Esq.
Member
Moore & Van Allen, PLLC
robertsumner@mvalaw.com
843-579-7018

Mr. Sumner is the Litigation Team Leader for the Charleston Office for Moore & Van Allen and a member of the firm’s Privacy and Data Security practice group. Mr. Sumner has handled a wide range of privacy and data-security matters in litigation and pre-litigation settings. Mr. Sumner’s litigation practice includes filing and defending wide ranging commercial litigation matters in state and federal courts across the country.
______________________________________________________________________________