© 2016 Tressler LLP Presented by: Cyber Security: Concerns for Your Agency March 10, 2016 Todd M. Rowe, Tressler LLP Kevin Mahoney, Tressler LLP Chandler Howell, Nexum Inc.

March 10 Cyber Presentation


Pre-Breach Considerations

» Determining Areas of Vulnerability
  › What information do we keep?
  › What information do we need to keep?
  › How is information accessed by employees or third parties?
  › Is that access narrowly tailored to what’s necessary?
» Developing a plan
  › Who is responsible for implementing the plan?
  › Is the plan feasible with our systems and capabilities?
  › Can one plan address every situation?

Pre-Breach Considerations: The Lawyers

» Can we be sued for this?
» Are there statutory requirements for what we need to do next?
» Can we get someone else to pay for this?
» What can we do to lower our potential liability?

Pre-Breach Considerations: The Technology Concerns

» Identifying Threats
» Devices Provided To Employees
» Vendors
» Malware
» Non-Traditional Sources

The Response Plan

» Identify decisionmaking authority.
  › IT personnel? Consultant? Director? Create a defined Breach Response Team with clearly outlined responsibilities.
» Determine what data is at risk and how to secure it as quickly as possible.
  › Different contingencies for financial, medical, and personal identifying information.
» Decide whether and how to restrict access to systems.
  › Differs depending on type of data breach.
  › Is it feasible for your organization to be without access for a period of time? What systems will be affected?
» Information Disposal
  › Do certain elements of your system need to be changed or deleted immediately?

The Response Plan (Cont.)

» Determine the source of the breach.
  › External? Employee? Consider different contingency plans for each.
» If you need outside help, have them in place beforehand.
  › Don’t wait until a breach to have to educate a vendor on your system.
» Determine who will handle contact from potentially affected individuals, and what they are permitted to say.

The Response Plan (Cont.)

» Begin the process of notification.
  › Law enforcement. Other governmental bodies. Potential data breach victims. Special concerns for governmental bodies. Time to bring in the lawyers for the notification letter itself.
» Insurance notification.
  › Determine who is responsible for putting a carrier on notice and when to do so.
» Preservation of evidence.
  › Have a written policy regarding data deletion or alteration in case of potential discovery issues.
  › Documenting efforts during the incident response period.
» Debriefing after the breach.
  › What steps should be taken to lower future risks?

Response Plan Considerations for Governmental Bodies

» Inadvertent disclosures in response to FOIA requests
» Employees/Employee Information
» Patron Information
» Medical Information
» Vendors
» Special reporting requirements
» Open meeting requirements

The Response Plan (Cont.)

» TRAIN!
  › Staff members
  › Vendors
  › Attorneys
  › Document regular training.

Technology Considerations

» Information stored on the cloud.
» The rise of ransomware.

Observations for 2016

» Insurance Issues
» Breaches continue through the “Internet of Things”
» Coming changes to Illinois State Law.