Cyber War Games: Data Breach at Ground Zero

Association of Corporate Counsel – Annual Meeting

November 10, 2015 at 4:00 pm

Columbia, South Carolina

Players:

  1. Narrator/CEO – Robert Sumner, Moore & Van Allen
  2. In-house Counsel – Robert Wilson, CSC
  3. Insurance Broker – Brian Warszona, Willis of Illinois (Chicago)
  4. Outside Counsel – Karin McGinnis, Moore & Van Allen
  5. IT Professional – Mark Lester, South Carolina Ports Authority
  6. Computer ForensicsProfessional – Serge Jorgenson, Sylint Group

*Contact information below at the end of the outline *

  1. Introduction (Robert Sumner)
  1. Introduce the scenario
  2. Explain the goal
  3. Introduce the players
  1. Voting(Robert Sumner)
  1. Poll Everywhere
  2. Text vote
  3. Real-time reporting
  4. Announce results
  1. Initial Meeting (Robert Wilson and Robert Sumner)
  1. Between CEO and Corporate Counsel
  2. How did the breach occur?
  3. How were we notified?
  4. Chief Information Security Officer (CISO)
  5. Data Breach Plan
  6. Cyber-Insurance
  7. Information Technology & Computer Forensics
  1. Information Technology (Mark Lester)
  1. Detection
  2. Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-incident activities
  1. Insurance Broker(Brian Warszona)
  1. Data Breach Coach
  2. Notice to Carrier
  3. Choose Vendors
  1. Outside Legal Counsel
  2. Forensic Investigation Firm
  3. Notification and Call Center
  4. Public Relations Firm / Media
  1. Keep broker up-to-date
  1. Setbacks or delays that broker can assist
  2. Interpretation of policy by carrier
  1. Outside Counsel(KarinMcGinnis)
  1. Legal Landscape
  2. Overview of laws and guidelines governing data breach
  3. Data Breach
  4. Definition of Personal Information
  5. Internal Notification
  6. Investigation Scope and Coordination
  7. Treatment of Investigation Communications and Documentation
  8. Immediate Information Collection
  9. Containing the Breach
  10. Official Notifications
  11. Other Notifications
  1. Outside Computer Forensics(Serge Jorgenson)
  1. What is the Scope?
  2. What is the state of the Evidence?
  3. What Tools are available?
  4. What is the Timeline?
  5. How much does this Cost?
  6. What are the Outcomes?
  1. Data Breach Notification – Outside Counsel(Karin McGinnis)
  1. Identify state laws in play – states where victims reside
  2. Confirm deadlines for notification
  3. Notice to state attorneys general, consumer protection, etc.
  4. Data breach notification company
  1. Letters
  2. Emails
  3. Call center
  4. Consider hiring a data breach notification company
  1. Prospective actions(Robert Wilson and Karin McGinnis)
  1. Public relations
  2. Need to protect customers
  3. Need identify potential risks
  4. Security/Identity Monitoring
  1. Wrap-up (Everyone)
  1. Final thoughts
  2. Words of warning
  3. Lessons learned
  4. Questions

Contributors:

Brian Warszona

Assistant Vice President

Willis of Illinois (Chicago)

312-288-7850

Mr. Warszona is a Cyber and E&O broker for large organizations with responsibilities of negotiating terms and conditions, limits, placing coverage, and post placement handling including incident/breach organization for clients.

______

Mark Alan Lester

Information Security Manager

South Carolina Ports Authority

843-724-4057

Mr. Lester is the Information Security Manager, charged with building the Information Security Framework that provides prevention, detection, response and recovery, and measurement of items related to the confidentiality, integrity, and availability of the information created, changed, or used to accomplish the mission of the SC Ports Authority.

______

Robert Wilson, Esq.

Principal: Attorney, Mergers & Acquisitions and Global Alliances

CSC (Computer Sciences Corporation)

803-528-4007

Mr. Wilson the primary in-house attorney supporting over $1 billion annually in global M&A activity as well as corporate governance and global commercial transactions, alliances, and joint ventures.

______

Serge Jorgensen

Founding Partner, Chief Technology Officer

Sylint Group

941-951-6015

Mr. Jorgensen and his team manage incident responses and security architecture for international companies and government entities.

______

Karin M. McGinnis, Esq.

Member

Moore & Van Allen, PLLC

704-331-1078

Ms. McGinnis is the co-head of Moore & Van Allen’s Privacy and Data Security group and has handled a wide range of employment, privacy and data-security matters. She has successfully litigated a variety of issues on employers’ behalves in federal and state court, and in arbitration.

______

Robert E. Sumner, IV, Esq.

Member

Moore & Van Allen, PLLC

843-579-7018

Mr.Sumner is the Litigation Team Leader for the Charleston Office for Moore & Van Allen and a member of the firm’s Privacy and Data Security practice group. Mr. Sumner has handled a wide range of privacy and data-security matters in litigation and pre-litigation settings. Mr. Sumner’s litigation practice includes filing and defending wide ranging commercial litigation matters in state and federal courts across the country.

______