© 2016 Tressler LLP
Cyber Security: Concerns for Your Agency
March 10, 2016
Presented by:
Todd M. Rowe, Tressler LLP
Kevin Mahoney, Tressler LLP
Chandler Howell, Nexum Inc.

Pre-Breach Considerations
» Who Is Our Audience Today?
» Current trends in Data Breaches
» Concerns for Municipal Bodies
» The State of Data Breach Litigation

Pre-Breach Considerations
» Determining Areas of Vulnerability
  › What information do we keep?
  › What information do we need to keep?
  › How is information accessed by employees or third parties?
  › Is that access narrowly tailored to what’s necessary?
» Developing a plan
  › Who is responsible for implementing the plan?
  › Is the plan feasible with our systems and capabilities?
  › Can one plan address every situation?

Pre-Breach Considerations: The Lawyers
» Can we be sued for this?
» Are there statutory requirements for what we need to do next?
» Can we get someone else to pay for this?
» What can we do to lower our potential liability?

Pre-Breach Considerations: The Technology Concerns
» Identifying Threats
» Devices Provided To Employees
» Vendors
» Malware
» Non-Traditional Sources

The Response Plan
» Identify decision-making authority.
  › IT personnel? Consultant? Director?
  › Create a defined Breach Response Team with clearly outlined responsibilities.
» Determine what data is at risk and how to secure it as quickly as possible.
  › Different contingencies for financial, medical, and personal identifying information.
» Decide whether and how to restrict access to systems.
  › Differs depending on the type of data breach.
  › Is it feasible for your organization to be without access for a period of time? What systems will be affected?
» Information Disposal
  › Do certain elements of your system need to be changed or deleted immediately?

The Response Plan (Cont.)
» Determine the source of the breach.
  › External? Employee? Consider different contingency plans for each.
» If you need outside help, have them in place beforehand.
  › Don’t wait until a breach to have to educate a vendor on your system.
» Determine who will handle contact from potentially affected individuals, and what they are permitted to say.

The Response Plan (Cont.)
» Begin the process of notification.
  › Law enforcement. Other governmental bodies. Potential data breach victims. Special concerns for governmental bodies. Time to bring in the lawyers for the notification letter itself.
» Insurance notification.
  › Determine who is responsible for putting a carrier on notice and when to do so.
» Preservation of evidence.
  › Have a written policy regarding data deletion or alteration in case of potential discovery issues.
  › Documenting efforts during the incident response period.
» Debriefing after the breach.
  › What steps should be taken to lower future risks?

Response Plan Considerations for Governmental Bodies
» Inadvertent disclosures in response to FOIA requests
» Employees/Employee Information
» Patron Information
» Medical Information
» Vendors
» Special reporting requirements
» Open meeting requirements

The Response Plan (Cont.)
» TRAIN!
  › Staff members
  › Vendors
  › Attorneys
  › Document regular training.

Technology Considerations
» Information stored on the cloud.
» The rise of ransomware.

Observations for 2016
» Insurance Issues
» Breaches continue through the “Internet of Things”
» Coming changes to Illinois State Law.