finance and governance workshop management of a data breach james webster hiscox insurance
TRANSCRIPT
Finance and Governance Workshop
Management of a Data BreachJames Webster
Hiscox Insurance
Question
What industry makes up the highest percentage of
investigations?
Answer
Source: Trustwave 2013 Global Security Report
Question
What is the average timeframe from an initial breach to
detection?
Answer
210 days
Source: Trustwave 2013 Global Security Report
Question
What are the most common methods of detection?
Answer
Source: Trustwave 2013 Global Security Report
Question
From which country do most attacks originate?
Answer
Source: Trustwave 2013 Global Security Report
Question
What percentage of breaches involve a third party
responsible for system support, development or maintenance?
Answer
Source: Trustwave 2013 Global Security Report
Question
What is the average cost per compromised record after a
data breach?
Answer
Source: 2013 Cost of Data Breach Study, Ponemon Institute
Question
What is the average cost per data breach incident?
Answer $3.14 million (£2.05 million) in the UK
Source: 2013 Cost of Data Breach Study, Ponemon Institute
Question
Which industries have the highest breach costs?
Answer Hospitality:
£68 per record
Public services:
£48 per record
Source: 2013 Cost of Data Breach Study, Ponemon Institute
Question
What is the most common cause of data breaches?
Answer
Source: 2013 Cost of Data Breach Study, Ponemon Institute
Guess who?
20
Management of a data breach
Breakfast with MalcolmTeam trainingCoffee with Alan from BarclaysCall Jenna Murray re: licensingLunch with Board
Review outsourcing agreement and call with the lawyersMeeting with Arnold re: finance(do not miss!)Conference call with Heads of DepartmentDiscuss conference call with FDTom’s appraisal
Management of a data breach
• Importance of Incident Response Plans– Containment and recovery – Assessment of ongoing risk – Notification of breach– Evaluation and response
These are not linear activities, following one another in orderly sequence.......
Breakfast with MalcolmTeam trainingCoffee with Alan from BarclaysCall Jenna Murray re: licensingLunch with Board
Review outsourcing agreement and call with the lewyersMeeting with Arnold re: finance(do not miss!)Conference call with Heads of DepartmentDiscuss conference call with FDTom’s appraisal
Re-arrange for Friday
Jill – rearramge this please Handover to John
Move to tomorrow (pm)
Management of a data breach
• Containment and recovery
– Decide who is to take the lead in investigating– Establish who needs to be informed (internally and
externally – separately from any formal notifications) – Identify actions to recover loss and/or limit damage– Consider whether appropriate to inform the police
Breakfast with MalcolmTeam trainingCoffee with Alan from BarclaysCall Jenna Murray re: licensingLunch with Board
Review outsourcing agreement and call with the lawyersMeeting with Arnold re: finance(do not miss!)Conference call with Heads of DepartmentDiscuss conference call with FDTom’s appraisal
Re-arrange for Friday
Jill – rearrange this please Handover to John
Jill – send my apologies
Move to tomorrow (pm)
Move to Monday – tell HR
July
Send apologies!!
Management of a data breach• Risk Assessment
– What sort of data is involved? – What level of sensitivity is it?– What is your best assessment of what has happened to the data (in
terms of unauthorised parties who have access to it, and for how long they have had access)?
– What is its value to the unauthorised party? what harm could come to the affected individuals?
– How much data is involved?– Are there wider consequences e.g. risk to public health?– Should passwords be changed or banks contacted?
Anniversary today!!Jill – can you rearrange dinner for tomorrow and please send Trudy some flowers?
Data protection training (until 12.30)
Lunch with TomLunch with Arnold re: financeMeeting with Jenna Murray
Oursourcing Agreement!
Pick up kids (Trudy at
hairdressers)
JILL CANCEL EVERYTHING!!!
Management of a data breach
• Notification– ICO notification: telecoms sector and public bodies
must notify. Other sectors currently voluntary regime– FCA and other regulators: sector-specific rules apply– Individuals: "will notification help them?" is the ICO's
overriding concern
Conclusion: notification is not an end in itself
Management of a data breach• Notification Content
– “How and when" details and overview – Affected data, affected number of individuals– Breach response so far, mitigation steps taken so far– Security measures in place– Whether individuals have been informed– Whether there has been media coverage– Whether investigation is being carried out, and if so, when is it due
and in what format– Whether other regulators or the police have been informed– What future preventive measures you plan– Is there any other information that would be useful?
Thank you