SESSION ID: LAB1-R02
Preplanning the Data Breach Chess Board with External Vendors
#RSAC

Dr. Chris Pierson – CEO, BLACKCLOAK – @DrChrisPierson @BlackCloakCyber
James T. Shreve – Partner & Cyber Chair, Thompson Coburn, LLP – @ThompsonCoburn
Michael Bruemmer – VP, Global Data Breach, Experian – @Experian_DBR @BruemmerMike

Agenda
• Introductions
• Top 5 Things to do Wrong
• Scenario I
  – Groups
  – Review
• Big Three
• Scenario II
  – Groups
  – Review
• Questions

Chatham House Rules

Top 5 Things to do Wrong

#1 Thing to do wrong
• Lacking proper governance
  – Investors
  – Board
  – Executive Leadership Team
  – Team
  – Employees
  – Customers

#2 Thing to do wrong
• Attorney/Client Privilege
  – Failing to preserve the privilege
  – Failing to educate the team
  – Not using both inside/outside counsel

#3 Thing to do wrong
• Hiring in the heat of the moment
  – Not having the client be outside counsel
  – Not well articulated
  – Not very well drafted
  – Lacking protections

#4 Thing to do wrong
• Data breach vendor not selected
  – No practice
  – No collaboration
  – Lack of certainty

#5 Thing to do wrong
• Messing it all up
  – Bad 1-800#
  – People
  – Training
  – Wrong URLs
  – Documents unclear

Scenario I. Data Breach Scenario

Scenario I
• Groups of Participants:
  – Tables 1, 7 – Legal
  – Tables 2, 8 – CISO
  – Tables 3, 9 – Board/Execs
  – Tables 4, 10 – PR/Marketing
  – Tables 5, 11 – Customer Service
  – Tables 6, 12 – Compliance/Audit

Scenario I
• The company
  – Maker of point of sale terminals and software to manage loyalty programs and coupons (data stored on your cloud server)
  – Public company
• The attack
  – Ransomware locks up POS terminals and encrypts customer loyalty data on your cloud servers
  – Receive a ransom demand of 1000 BTC to be paid within 8 hours
  – Initially do not pay and attackers threaten to post some exfiltrated data on dark web sites
  – Brian Krebs sends an email saying he has heard about the attack and asking for comment

Big Three: Lawyers, Monitoring, Forensics

Big Three – Forensics
• Pre-positioning/planning
• 24hr response
• Knows the team
• Toolkits

Big Three – Lawyers
• Inside v. Outside
  – Hiring
  – Team
  – Practice
  – Relationships

Big Three – Consumer Response
• Who, what, when and how to protect yourself
  – Websites
  – Communication
  – Assistance/1-800
  – Regulators

Scenario II. Operationalizing what you designed

Scenario II.
• Groups of Participants:
  – Tables 1, 7 – Legal
  – Tables 2, 8 – CISO
  – Tables 3, 9 – Board/Execs
  – Tables 4, 10 – PR/Marketing
  – Tables 5, 11 – Customer Service
  – Tables 6, 12 – Compliance/Audit

Scenario II.
• Opt not to pay the ransom
  – Reset POS terminals
  – Restore loyalty data from backups
• IS reports several similar attempted attacks in the following days
• The attack is in the press
• Shares lose 20% of value initially, but regain 10% in 3 months
• 15% of customers leave, many remaining customers apply enhanced oversight
• FTC and a few state AGs send letters asking questions about security practices

Parting Thoughts & Questions
2020_USA20_LAB1-R02_01_Preplanning-the-Data-Breach-Chess-Board-with-External-Vendors