
You Detected a Data Breach: Now What?

BSides Iowa · 2017 · 53:09 · 53 views · Published 2017-04
Speaker: Kelcey Patrick-Ferree
Category: Policy
Style: Keynote
About this talk
A legal overview of data breach response and notification obligations. The talk covers the increasing prevalence of breaches across company sizes, state and federal notification laws, required reporting steps, key personnel and stakeholder roles, and the importance of pre-incident planning and post-breach evaluation.
BSides Iowa 2017 - Track 1 Title: "You Detected a Data Breach: Now What?" Speaker: Kelcey Patrick-Ferree Cybersecurity professionals are becoming more and more sophisticated; unfortunately, so are criminals and hostile nation-states. And while companies are becoming more aware of and therefore better at cybersecurity, they are only as strong as their weakest link: the employee who politely holds the door open for a stranger, the employee who clicks on a link in a spear phishing email, the home-grown encryption software someone had to put together because there was no budget for commercial software. It is axiomatic at this point that “it is not if, but when” your company or clients will suffer a data breach. As much as cybersecurity professionals focus on prevention, it is equally important to know what to do after you have discovered that “when” is “today.” We will discuss the laws governing data breaches, the steps you should take in response to a breach, and who should be involved in responding to a breach.
Transcript [en]

So I'm just going to introduce our first keynote speaker. Kelcey Patrick-Ferree is an attorney who has been working in the area of privacy and data breach law for 10 years. She's a member of the International Association of Privacy Professionals. She assists companies with compliance and with responses to data privacy issues. She holds a BA from the University of Iowa and a juris doctorate from Duke University School of Law. Her virtual practice is based in Iowa City.

And if you have questions, I've got a microphone, so give a shout out. Wow, can everybody hear me okay? All right, excellent. So I am a lawyer and I am talking about data breaches today, so what am I doing at a cybersecurity conference? Well, I was talking to Greg and he asked me to come in and talk, and I said, well, what do you want me to talk about? And he said, well, we get so little legal advice, just talk about whatever you want. Oh my gosh, it's terrible. Um, so I'm just going to go with something really basic today, which is: what do you do after you have a data breach? You really need to have a methodical solution. So just a couple of disclaimers. I am NOT talking about the technology side; that's what you guys do, that's what you're here to learn about later today. I'm going to address some of the stuff from a legal perspective, which is what you do, not how you do it. But what I am doing here is not legal advice. You need to have specific advice that is specific to your organization and your situation; I'm just giving you some basic information. I am NOT going to be focusing on regulated industries; the rules for regulated industries are different. I'm talking about non-regulated industries, and I'm talking about companies that are only holding domestic information. A lot of that stuff adds a lot of complicating factors, the regulated and the international element. So I have a pretty narrow focus, but I hope that you will find this information helpful within that narrow focus. And the last thing is, if you have questions, feel free to jump in anytime. Greg's got the mic so that everyone in the room can hear you, so just raise your hand and he'll come over and find you.

So we'll start out with the scope of the data breach problem. This is just stuff that probably most of you are already aware of, but just to put this in perspective: we have had an increasing number of data breaches over time. Those were the years I could find information for, so in 2012 we had 447; 2013, 614; 2014, 783. In all, since 2005 there have been about 5,400 data breaches, and more than 910 million individual records have been breached. So these numbers are only the ones we know about; these are the ones that have been discovered and then made public. If you look at the bottom there, there's privacyrights.org, the Privacy Rights Clearinghouse; this is where you can find this information. It's got a lot of interesting stuff on it and links to the publicly released statements from companies that have had data breaches. It is axiomatic in the industry at this point that it is not a matter of if, it is a matter of when your company will experience a data breach. If you Google search for "it's not if, it's when data breach" you get almost three million hits. Now a lot of people think that this is a problem that's unique to large businesses. Can I get a show of hands for how many people in the room work for companies with fewer than 50 employees? I get a handful. How about between 50 and, let's say, 300 employees? A good number of those. More than that? And students? Hi, guys. All right, so this is not a problem that is unique to large companies.

I'm showing here a slide that talks about data breaches for large companies and data breaches for small companies that I found on that Privacy Rights Clearinghouse website. Some of the ones in the left-hand column you've probably all heard of. Neiman Marcus had problems twice in the last few years. Target, Michaels, Neiman Marcus, P.F. Chang's, and Home Depot and Staples are all in one bullet point there because they were all subject to the same breach; it was a Russian hacking group. There were millions and millions of records lost by these large companies. Do we have anyone in the room who got to work on that particular one? No, nobody will admit it. Oh hey, that was a lot of fun, wasn't it, getting to deal with, you know, basically [inaudible] actors, three of them. Okay, so then these other companies that you've heard of, that have a lot of resources and have things in place to deal with this stuff. AT&T, this actually is a good way to show some of the variety of things that happen. We just had Russian hackers; AT&T had a single employee access 1,600 records illegally that included Social Security numbers, and this happened in October of 2014. The most recent ones that are on here are the IRS, this is an ongoing thing, you've probably seen it in the headlines, that a hundred thousand people's records were breached by the FAFSA interface, and Arby's, which just announced that it lost 335,000 credit cards.

Now we're going to look at these small companies. In general, with small companies, the problem is the third-party processors, because small companies tend not to have the internal resources to do things like processing their card payments. Now, what I'm going to look at first is this Westlake Touchless Carwash. This is a single-location car wash in California that had to make a public announcement about the fact that it lost the records of everybody who visited their car wash during a particular week. And then I was looking through the Privacy Rights Clearinghouse records and I saw this ridiculously large number of car washes that had to announce a breach around the same time, and all of them said something about their third-party payment processor having a breach. This is a point that I'm going to bring up more than once during this presentation, and that is that even though the data holder may be the one who has to make the announcement about the breach, you can transfer that obligation by contract, and that seems to me what must have happened here: that all of these car washes were using the same third-party payment processor, who had somewhere in its contract that nobody ever reads, they just click OK and move on with their day, that if there is a data breach you have to be the one to announce it to your customers, and you have to not use our name, because none of these car washes used the name of whoever this third-party payment processor was that lost the data. So when you are involved in negotiating contracts at your company, to the extent you get to be involved, and I hope you are, this is something you need to look out for: who is going to be making the data breach announcements, and how are they going to be making them? Or if you're evaluating different vendors, you might want to pick the one that's not going to make you publicly announce that you lost the credit card information that they actually lost. Looking at some of these other breaches, you notice a lot of medical names on there. Small medical groups are very rich targets right now because they don't have a lot of resources to prevent a breach, but they have a lot of information that people would like to have, very personal information that can be used in a lot of different ways. Let's see, oh, and the Metropolitan Urology Group is particularly interesting. They had a problem with some ransomware, which is getting to be a bigger and bigger problem these days. Let's see, and this just goes back to the problems with everybody using the same service provider. So I'll give you a minute to read.

But to be perfectly honest, I really just wanted an excuse to let you all see an XKCD comic in the middle of my presentation. So, all right. Okay, so when you have a data breach you get a warning: something is wrong, you're seeing unusual file movement, you're seeing things on your firewall, not really pings on your firewall. I just said that because somebody was complaining to me about not having any sort of systemic response in their company, and they're saying, well, the CEO wants to be informed of everything, am I supposed to tell them about every ping on our firewall? So I thought you might find that funny. Okay, so when you first notice a problem it's going to be unclear what the problem is, but, you know, since this is really important, of course you already have a plan in place to cover it, right? Raise your hand if you already have a plan in place to cover it. Not nearly as many people as I was expecting to see. About four-fifths of companies have a data breach response plan as of 2015, according to Experian. Now how many of you are confident that the plan you have in place is going to work? I see one hand, two hands in the room. Only about a third of companies are confident that the plan that they have in place will work.

Now having a plan is not just a good idea, it's actually the law if you have any information from people who live in Massachusetts. I am not aware of any other states that actually have anything as comprehensive as Massachusetts' requirement, but what they require you to have is a comprehensive information security plan. You have to develop it, you have to implement it, you have to maintain it, and it has to have administrative, technical, and physical safeguards, and it has to be understandable to just, you know, the regular guy on the street. And having data on a single Massachusetts resident triggers this requirement, so unless you are completely confident that nobody who lives in Boston has ever used your services, you should have a plan.

So let's say you do have a plan but you're not very confident in it, or you don't have a plan. What do you do? You don't panic, because now we're going to stop and talk through the steps that should be in your plan. All right, so this is who needs to be involved in the creation of your plan and its implementation, if you already have one. You need to have security, technology, legal, customer service, and PR or communications, whoever you've got in your company. Depending on the size of your company these might be the same two people, they might be 20 different people, it's hard to say. But if you do have a plan and it doesn't include the roles and responsibilities of all of these different departments, you need to go back and update your plan. As a quick aside, this picture here: I was Google searching through the Creative Commons for "diverse business meeting" and literally half of the photos that came up had Vladimir Putin in them, so I'm just saying, I don't understand. All right, so we're going to talk about the things that your plan should cover, and we're going to come back to these sort of marking-your-spot slides now and then, and whatever's in yellow is the next thing I'm going to talk about. So right now I'm going to talk about steps to follow, and the first step to follow is escalation. It is concurrent with the next step to follow, which is investigation.

So here are the people you need to think about: at what point in time am I going to contact these people? Your chief information officer and your lawyers. Depending on the size of your company, the chief information officer and your main internal or external counsel might be the first people you contact. You know, if we're talking about a 3M, they're going to be, you know, the general counsel and the chief information officer and the CEO are going to be very late in the process; you're not going to contact them until you find out Russia hacked you, right? But you need to know when you will contact them. That's one of the things that you have to have in the plan: what are the triggering events? At what point in time is it worth waking up the CEO at two in the morning? If you've got your employee who stole the 1,600 Social Security numbers, yeah, that's a big deal, but it's not a wake-up-the-CEO-at-two-in-the-morning big deal. If you have Russian hackers infiltrating your systems, that's probably a wake-up-the-CEO-at-two-in-the-morning kind of big deal. For external contacts, your data forensics consultant is going to be one of the first people you want to contact. Do we have any data forensics consultants in the room? There are a couple. So are you guys the first people that should be contacted? They're nodding yes. And part of the reason for that is that they're going to help you not destroy evidence. That's one of the most important things that you can do: make sure you're keeping very good records as to what you have done and what happened before you started doing it.

All right, so the next interlocked step, which I've sort of started talking about a little bit already, right, is investigation. So bring in the cavalry; that's that external data forensics consultant. If you can afford it, you probably want to bring in outside help in all of those areas I was talking about: outside legal help, outside consulting help, outside PR help, just because in these situations, or, you don't want to bring them in in every situation, but you want to have a list of people who you can go to if the situation demands it, and already have those relationships in place. So again, don't destroy evidence. Have people on hand who can help you make sure that you don't destroy evidence. Not only is the evidence important if there is any kind of law enforcement going on with this, but it's also important if you get sued over what happened later. You want to be able to show that you did everything right, or at least show that you did as many things as you could, right? You want to notify law enforcement. Who exactly that is is going to depend on what happened and what your company is, so again, that is the whole triggering-events element of the plan. And you want to make sure that you're asking the right questions: what specifically was compromised? What can we do to prevent further damage? Can this system be quarantined? What data can be salvaged? What data can we still trust? Can we figure out who did it? That might be more of a law enforcement problem, but it might help you figure out how you're going to react to it. And then there is the big legal question, which is: is it a data breach as defined by law? There can be breaches of your system that are very important to you as a company, like someone gets hold of your trade secret. You have to tell, well, you may have to tell some people, but you don't have to tell your customers about it. The data breaches that get a lot of attention in the media tend to be the ones where people's Social Security numbers and credit card numbers are stolen. So it's important that someone in your company know the applicable laws.

One question that I get all the time is, is there a strictest law that we can just comply with and not worry about the 50 different state laws and several different laws of US protectorates and so on? And unfortunately the answer to that is no, there is no strictest law; there are just different requirements. Some states include biometric data, if you lose biometric data. Some states include genetic data, some don't. So if your breach includes people from, you know, a state that doesn't include genetic data and you're 23andMe, you don't have to tell them that you lost their genetic information. Let's see, Massachusetts and California are ones that you should be aware of, because Massachusetts is the one that requires the plan and California just has a very active enforcement, although, interestingly, the Attorney General who was in charge of enforcement in California, Kamala Harris, is now one of the state senators for California. So one of the things that we might see out of that, and fingers crossed, is federal legislation that covers this stuff so that we can supersede this patchwork of 50 different laws to comply with. That's what happened with CAN-SPAM back in the early 2000s: there were all these state laws coming out and then the federal government says, hey, this is silly, let's just have one rule. That would make your jobs much, much easier if we just had one law.

Okay, so what is a data breach then, if it varies so much? It's generally the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. So I underlined some of the important words there. Unauthorized means that if it was an authorized person it isn't a data breach unless they use it in a way they shouldn't. That AT&T employee who, you know, took the 1,600 Social Security numbers for personal gain, that was not authorized. Computerized data is underlined because that is not a consistent requirement. Most of the state laws deal only with computerized data, but there's a handful that just say data. So you'll occasionally hear about things where, I'm not going to say the name of the company because I'm not entirely sure which one it was off the top of my head, but a shoe store dumped a bunch of printed records into a garbage can out back, and it had full credit card numbers printed out on it. And this was several years ago now. It wasn't actually a violation of the state data breach law; it wound up that the FTC enforced it as a violation of unfair competition laws at the federal level, but it wasn't a violation of the state's data breach law because the state didn't include paper records. Personal information I'm going to come back to. And then data collector I underlined because I want to drive home again that point about contracts and how important it is that you make sure that your third-party data collectors, where, you know, you're the little tiny car wash and you never actually see a credit card number, don't foist the obligations back on you, because by contract in most states you can foist the obligations on someone else.

So moving back to personal information: this is a non-complete list of the types of personal information that tend to be included in these laws. So as information security professionals, these are the kinds of information that you want to make sure are very well protected, because one of the other elements of the state data breach laws in most, but not all, states is that if this information is encrypted or redacted or otherwise technologically secured, and the bad guys get in and get the information but they don't know how to unencrypt it, you know, they didn't get your key for unencrypting it or unredacting it or otherwise technologically freeing it, it's not a breach. You don't have to do all of the informing-people steps of what happened. And Iowa is one of those states that does not require, if it's in encrypted form, Iowa does not require that you do the data breach notification. So this is really the main legal obligation point. We have a question.

[Audience question:] Anything about, like, username and password combinations or authentication information, is that included?

It probably is in a few states; I couldn't tell you which ones. If I had to guess, I would guess California. Right, right, right. So that was just a general list of the kinds of things. I mean, if I had to give broad categories of what those requirements are, it's going to be contact information, sensitive financial numbers, and health-related information is usually going to be subject to the data breach laws. But, you know, I can't give anything specific in this context.

Okay, so response: reporting. This is the part where all those laws are making you go out and do something, and I mentioned reporting several times. It's going to be in the form of, oh wait, we don't want to stop yet, sorry. It's going to be in the form of sending letters to people, or contacting the media, or sending emails to people who were affected by a breach. Now, we want to stop. Before you do reporting you need to check two things. The first one is those contracts: make sure that it's not someone else's obligation to report based on your company's contract. The second one is law enforcement. Do you remember we already contacted law enforcement way back when we were doing the investigation and escalation step? Well, if law enforcement tells you, I don't want you to contact the victims yet because I'm still figuring out what happened on my end and I think I can catch the bad guys, you do what law enforcement tells you. Just about every law has an exception to its required timeframe for the notification for the needs of law enforcement. When these laws were first starting to come out, everybody said within 45 days, but, you know, not if law enforcement says not. Then everybody said 30 days, and now everybody says as expeditiously as possible but consistent with the needs of law enforcement. I wouldn't push that past 30 or 45 days if you can at all avoid it, because you don't want to be the company who has the test case of what exactly does "as expeditiously as possible" mean. You don't want to be the guy who's like, well, I thought six months was fine. Right? No.

All right, so the steps to follow, response: reporting. You've got required reporting and non-required reporting. We've talked about law enforcement. If you're a public company you might have to tell your investors; you should talk to your lawyer about whether a breach is significant enough to trigger an 8-K report. Depending on the size of the breach and the state, you may have to tell the state attorney general of the state where your customers reside. You may have to tell regulators if you're in a regulated industry. You may have to tell credit reporting agencies, depending on the state. You might have to report to the media if you don't have contact information for your customers, or, again depending on the state, some states make you fall on your sword no matter what. And then you do have to tell your affected customers in every state. There are also some, excuse me, some communications that are not required but are just a good idea. You want to tell your employees before they find out from the media or from someone else. If you're a non-public company you may not be required to tell your investors, you may be required; you should consult with a lawyer who does that particular type of law. But you want to tell them anyway, because you don't want them coming to you saying, hey, why am I hearing about this in the paper? And then you may want to have media statements prepared that are beyond what is legally required, because sometimes the media finds out about things while you're right in the middle of figuring out what the heck happened, and you want to have something that's a little more reassuring than "no comment." So in view of that, you should have these statements prepared ahead of time. You want to have breach letter templates for your customers, credit reporting agencies, and any required media statements. You want to have an idea of what you're going to tell any regulators that you need to inform, and your investors and employees. You want to have those template non-required media statements. The other things that you might want to consider, because these are going to be really fact-specific, you probably can't have prepared templates for these, but you might want to have on hand a list of the kinds of things that you're going to need to let your insurer know about and let law enforcement know about. And so what you need to, hang on, yes?

[Inaudible audience question.]

Okay, so the question is how do you prevent losing control of the situation when you bring in law enforcement, and my answer is you really shouldn't try to, because if you do anything that they consider to be interference with their investigation you've just brought a whole new level of trouble on your company. When you are contacting law enforcement you want to be smart about which law enforcement you're contacting; you don't want to just call the local police no matter what happened. You might want to have a list of contacts, oh, you've already got a relationship with, which actually is something I'm covering a little later, like, so the local FBI agent in charge of cybercrime: you want to call that person up, say hi, introduce yourself, and make sure that you've got a relationship before something happens. I hear the guy we had in Iowa is leaving, he got promoted, good for him, so if you already have that contact, be ready to refresh it.

Okay, so the kinds of things that you need to include in these breach reports, and this is specific to the reports that you're sending to your customers who are affected: you want to talk about what you know, how it happened, what information was taken, and how the thieves have used the information, if you already know that. You want to tell them what remedial actions you're taking, so how are you going to make sure this doesn't happen to them again, why should they keep trusting you with their information. You want to talk about protective actions that your company is taking to fix what happened and also what your victims can do. There's a great website that you can just send people to, it's identitytheft.gov, and it will always have current information about steps people can take to protect themselves after a data breach. You want to have contact information where people can contact people in your organization who can answer any questions that they have.

I was talking to someone last night who had had a data breach at their organization, and he told me that they sent out their letters and, you know, they were all ready to answer any questions, and one person called, and that one person had one question, and after they answered the question the person says, oh, whatever. So you may not have a lot to do if there's a data breach, but you should be ready to answer questions. Then you want to make sure that the letter includes how you will contact them in the future, to prevent re-victimization by someone who comes in posing as you because they heard about this big data breach and they're thinking, oh, I can get these people to tell me something on the phone if I call them. And you also want to include any additional information that is required by law. Since we're in Iowa, I included that Iowa also requires this letter to include advice to the consumer to report suspected incidents of identity theft to local law enforcement or the Attorney General, which is not a big deal to include, but you're going to be in trouble if you don't include it.

So, tips for these communications, which you should all be involved in writing. It's really important that you folks be involved in writing these communications, because you get to be the ones who fill in the blanks in these letters, and you might be the ones who have to answer questions when the phone calls come in. So these communications need to be honest. Don't lie. If you have to omit information, it should be because law enforcement told you to omit the information because of their ongoing investigation. It should give information to consumers about how they can protect themselves, and you don't give information, again, that might put them at further risk; you consult with law enforcement on that one. When you're doing these letters, I'd just like to point out, it might be a good time to pitch projects that you've been wanting to get done at your company, because one of the things you're going to want to do is be involved in deciding which kinds of letters you should be prepared to send. Which kinds of breaches do you think your system is most vulnerable to? And that might be the time to say, you know, hey, we could fix this if you give me budget for next year, and then we won't have to send this letter, right? The other thing that these letters need to do is anticipate what the questions will be and answer them in advance. I've seen a lot of them that are just in an FAQ format, and that works really well for people.

All right, so our next step in our plan is remediation. So one of the things you need to make sure that you do is, if the information that was breached winds up on a website, make sure you get it taken down, and make sure you include any cached information in search engines. You should be in a position to make sure that the same kind of hack never happens twice. So when you bring in those outside consultants, after all of the excitement is done they're going to have recommendations for you to make sure that this does not happen again. You need to follow the remedial steps that are in the forensic report. It might be training; it might be, hey, this idiot clicked on a link and it brought down your whole system for a day, you need to make sure your employees know not to click on those kinds of links. It might be that you need some new software. I was doing a walkthrough the other day that involved a foreign state actor getting into a bank system because they were too cheap to buy outside software. I don't know if this is based on a real situation or not, big disclaimer, but they had done their own homegrown encryption and it wasn't as good as the [inaudible]; I know it wasn't as good as commercially available software. So their remediation was: go pay people who know what they're doing next time. It might be new hardware. It's possible that somebody just walked right into your hardware location and got in that way, and you should make sure you have hardware that isn't susceptible to that, and also locks on the doors. Locks on the doors are good. You may need to tell your service providers that they need to make some changes, and you may need new service providers. You may say, look, we just can't trust this third-party payment provider anymore with our car wash, and we're just going to find somebody who's not going to make us fall on our swords next time. The other thing you need to think about from the information security perspective is to see if your network segmentation works the way it should. Don't ask me any questions about that; that's you guys.

Okay, so the final steps are reevaluation and practice. After you have had a breach you need to go back and look at your plan again and say, did this work? Did it do what it was supposed to do? What can we do about it next time? Because there's going to be a next time; it's not if, it's when. And then you need to practice the plan periodically. These practice sessions might be scheduled or unscheduled. You may actually have obligations, especially in regulated industries, to have these unscheduled drills, and your regulators, if you're in a regulated industry, are usually willing to run these drills with you. I have heard, but not actually confirmed, that, you know, when you build that relationship with the FBI agent, the FBI agent is going to be willing to run through with you as well. They may want to schedule it, though, when you're planning them.

Okay, so now we have walked through the steps that you should follow in your plan. Now we're going to talk about, there's a few appendices that your plan should have, and we're going to talk about what should be in those appendices. The first one is the regulatory requirements. In context, if you are a regulated industry, you are aware of it, and you know that if there's a breach of HIPAA information there's certain people you've got to tell about it. Make sure all of their contact information is in your appendix, and make sure it's regularly updated when you hear, oh, by the way, this person has moved on, or that you've got maybe a website where you know that you will be able to find the current contact information every time. Same with the financial industry: there's a lot of regulations and they will involve contacting people. If your company is included in those critical infrastructure regulations that were promulgated under the Obama administration, there may be specific people that you need to contact when something goes wrong; their contact information should be in there. State data breach laws: I mentioned that you might have to talk to the attorney general, but different states have different requirements. Iowa is actually one of them, we have, no, I'm sorry, Massachusetts, I'm thinking of, never mind.

so in Massachusetts there is a subdivision of the governor's office that you have to contact to let know of the breach in addition to the Attorney General Social Security number laws I haven't talked about very much but there are special requirements for how you treat social security numbers and of course there are 50 of them and of course they sometimes conflict with one another you know unlike the data breach laws which may just have different requirements there are actual requirements and some of the social security number laws that say you have to reject this part in this state but the other part in a different state it's very frustrating but those may also have contacts you may have to contact

specific people in specific states in the event of a social security number of rate and then the FTC this one is generally you're going to know already if the FTC needs to be informed because you're probably already in trouble but if they need to be informed you need to make sure you know who to call and again all of these contacts there's going to be triggers for contacting them make sure you don't just call everybody right at the start don't just flip to the back and start making phone calls because you don't know what happened and that's panic mode we don't want to panic and you might be telling people things that you didn't need to tell them and cause

even more trouble for your company so make sure that it's really clear what those triggering events are in your plan for contacting these people I'm skipping over prepared statements because we talked about that in the responses and reporting section but business continuity plans should be in your appendix there are two different kinds of business continuity plans there's your regular plan which you should have in place just because it's a really good idea to have one and then you need to have a special data breach plan it is possible that your regular plan already covers the kinds of things that you need to have in a data breach plan so your appendix might just say go back to the

bookshelf and get a copy of our business continuity plan but the kinds of things that you need to be able to do is figure out how to keep your company running while you're taking the steps to quarantine evident our quarantine affected systems and maintain evidence not destroy evidence so if your regular plan doesn't already address that make sure that you have something specific in your data breach plan about what you're going to do then there's a few things the plan just doesn't cover because it shouldn't these are the things that are legal actions that you might face after a breach and these are the parts that are why it's so important that you not inadvertently destroy evidence and that

you keep good records while you are addressing the data breach you might face regulator actions if you're in a regulated industry the Attorney General may take enforcement action against you for the breach after you inform them that you had the breach you have to tell them but you might be subject to fines after that you may face class action lawsuits that one is actually probably the easiest one to deal with because you can just have something in your customer agreement that says you can't do a class action lawsuit everything is subject to individual arbitration but if it's not in there you might be subject to a class action lawsuit and then the science can come from either the regulators or the

state attorneys general so the things I want you to take away from this presentation it will happen to you you will have to deal with this at some point of your career when it does don't panic if you don't have a plan go back to work and make one on Monday gather all those people up and get going on it if you do have a plan especially if you were one of the people who did not raise your hand and say I am confident that it will work go practice it on monday schedule a drill or figure out when you're going to do an unscheduled room and the last thing is you can't do this

on your own does all those departments need to be involved for a reason so don't try to do it on your own use your internal and external resources they are there for a reason and now does anyone have any questions

cremation all the questions about personal information

[inaudible] ...quantity requirements by state, where they basically say you have to have 10,000 or more in order to constitute a breach?

Okay, so there's usually not a requirement. I don't think I've ever seen one that says it's not a breach if you have fewer than 50 people affected. What it's going to say, though, is you have to notify the individuals who are affected, but where you're going to have more things kick in is, like, maybe you don't have to tell the Attorney General until there are 500 residents of the state affected; maybe there's a necessity for a public announcement to the media if you have more than 500 individuals in the state affected. But it's still a breach; you have to tell the person who was affected if there is some kind of breach. So I've actually worked on a breach where there was a single person affected, and it wasn't anything nefarious, it was just that people had really stupid passwords and someone got into the wrong person's account and could see their social security number from there. Which, if you can avoid it, don't still collect those; if there is any way that your company can avoid having social security numbers, it's really better not to have them. Anyway, that one individual had to be informed, had to go through the whole process, but there wasn't, you know, an attorney general notification, because it was just one person and it wasn't, you know, a scary breach.

[inaudible] ...your forensics team... eight months ago... [inaudible]

So it's generally from the time of detection. You can't tell people what you don't know about.

...and they should have done this before. You know, you might have your local guy who set up your business for you and has been doing this for 30 years, but he's never done a data breach plan; ask him for a referral. That's another thing you should always look for in an attorney: if you have a referral to that person, if you've got people you trust who also trust the attorney, that's a good attorney to go to. You want to look for someone who is going to be available when the breach happens. You know, if you need to call them at two in the morning, they need to be there at two in the morning. Hopefully that never happens, for all involved, but it could. And the main thing is that they need to know what they're doing. If they start talking about "oh, we're only going to comply with the laws of Iowa because you're in Iowa," walk out the door.

So the question was basically how do you decide whose laws apply, and all of these data breach laws apply based on where the residency is of the person affected. So you might be organized in Delaware and operating in Iowa and have offices in Massachusetts, and none of that matters, because if the person affected is in Alaska you're following Alaska's law. And generally the international laws are also based on the residence of the person affected, but they're less concerned with data breach than they are with making sure things stay private in the first place, as a general rule.

Yep. So when we were looking at that definition way back, the general definition of a data breach... okay, I'm not going to go all the way back [inaudible], but the general definition of a data breach is unauthorized access. It doesn't matter whether the unauthorized access is by, you know, Russian hackers or because someone sent the attachment to the wrong person; it is unauthorized access. Now, one of the ways that you can prevent that, if you're emailing the kinds of sensitive information that might trigger a data breach notification, is to encrypt the attachment and send the password separately, right? Because then they have the information but not the key. Right. Any other questions? All right, well then you have a short break before the next person, I think.
