
© Copyright 2015 by K&L Gates LLP. All rights reserved.

After Anthem: Cybersecurity, Data Privacy, and Cyber-Resilience for the Health Care Sector

Thursday, May 28, 2015

Moderator: Mary Beth F. Johnston (Partner, Research Triangle Park)

Presenters:
Roberta D. Anderson (Partner, Pittsburgh)
David P. Baghdassarian (Partner, Miami)
David A. Bateman (Partner, Seattle)

AGENDA
• Understanding Cyber Risks and Security Options (1:30-2:10 p.m.)
  – Identifying cyber risks, including new and emerging threats
  – Improving internet safety and network security
• Cybersecurity in Health Care (2:10-2:50 p.m.)
  – Regulatory framework, including HIPAA
  – Performing a risk assessment
  – Risks of using a cloud service provider
  – Security of medical devices and mobile devices
• Managing the Consequences of a Data Breach (2:50-3:30 p.m.)
  – Preparing for the inevitable breach
  – The first 24 hours
  – Notice requirements
  – Civil litigation issues and trends
• Break (3:30-3:45 p.m.)
• Managing and Mitigating Cyber Risks (3:45-4:25 p.m.)
  – Pro-active management at the Board level
  – Adequate training and internal procedures
  – Vendor contracting and business associate agreements
• Insuring Against Cyber Risks (4:25-5:05 p.m.)


Understanding Cyber Risks and Security Options

The Spectrum of Cyber Attacks
• Advanced Persistent Threats (“APT”)
• Cybercriminals, Exploits and Malware
• Denial of Service attacks (“DDoS”)
• Domain name hijacking
• Corporate impersonation and Phishing
• Employee mobility and disgruntled employees
• Lost or stolen laptops and mobile devices
• Inadequate security and systems: third-party vendors

Advanced Persistent Threats

• targeted, persistent, evasive and advanced
• nation state sponsored

P.L.A. Unit 61398 (“Comment Crew”)


• Gen. Keith B. Alexander, commander of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.”

Source: New York Times, June 1, 2013.


• Penetration:
  – 67% of organizations admit that their current security activities are insufficient to stop a targeted attack.*
• Duration:
  – average = 356 days**
• Discovery: External Alerts
  – 55 percent are not even aware of intrusions*

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”

Advanced Persistent Threats: Penetration

• Spear Phishing
• Watering Hole Attack: relies on the insecurity of frequently visited websites
• Infected Thumb Drive*

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”


Employee Theft

Inadequate security and systems: third-party vendors

• Vendors with client data
• Vendors with password access
• Vendors with direct system integration
  – Point-of-sale

Cloud Computing Risks

• Exporting security function and control
• Geographical uncertainty creates exposure to civil and criminal legal standards
• Risk of collateral damage

Source: Ponemon Institute 2014 Cost of Data Breach Study – Global

PREPARING FOR THE INEVITABLE BREACH


Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)


Security Tips
1. Logging
   - Centralize, retain 3-6 months, verbose
2. Access Controls
   - No shared admin rights accounts
   - Dual Factor Auth for sensitive data, admin accounts, VPN access
3. Manage BYODs
   - Group policies, require password, encryption, wipe
4. Application Whitelisting
5. Encrypt sensitive data
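Tips 2 and 3 above are checkable rules, not just advice. The following is an added example (not code from the K&L Gates deck) that turns them into an inventory audit: it flags admin accounts with more than one credential holder, sensitive/admin/VPN accounts without two-factor auth, and BYOD devices missing a policy, passcode, encryption or remote wipe. The account and device records, their field names and the role labels (`admin`, `phi`, `vpn`) are constructed assumptions.

```python
"""Turn the access-control and BYOD tips into an automated inventory check.

Added example, not code from the K&L Gates deck. The inventory records,
field names and role labels below are constructed for illustration.
"""
from dataclasses import dataclass

# Roles the tips say must have two-factor auth: admin accounts, accounts
# with access to sensitive data (labelled "phi" here) and VPN access.
SENSITIVE_ROLES = frozenset({"admin", "phi", "vpn"})
# Controls tip 3 asks for on every BYOD device (assumed attribute names).
BYOD_CONTROLS = ("mdm_enrolled", "passcode", "encrypted", "remote_wipe")


@dataclass(frozen=True)
class Account:
    name: str
    owners: tuple        # people who hold the credential (assumed field)
    roles: frozenset     # assumed role labels
    mfa: bool


@dataclass(frozen=True)
class Device:
    owner: str
    byod: bool
    mdm_enrolled: bool   # device is under a group policy / MDM profile
    passcode: bool
    encrypted: bool
    remote_wipe: bool


def audit_accounts(accounts):
    """Return (account, reason) pairs for violations of tip 2."""
    findings = []
    for acct in accounts:
        # "No shared admin rights accounts": more than one credential holder
        if "admin" in acct.roles and len(acct.owners) > 1:
            findings.append((acct.name, "shared admin account"))
        # "Dual Factor Auth for sensitive data, admin accounts, VPN access"
        needs_mfa = acct.roles & SENSITIVE_ROLES
        if needs_mfa and not acct.mfa:
            findings.append((acct.name, "MFA missing for " + ", ".join(sorted(needs_mfa))))
    return findings


def audit_devices(devices):
    """Return (owner, reason) pairs for BYOD devices that violate tip 3."""
    findings = []
    for dev in devices:
        if not dev.byod:
            continue  # corporate-owned devices are governed by other controls
        missing = [c for c in BYOD_CONTROLS if not getattr(dev, c)]
        if missing:
            findings.append((dev.owner, "BYOD missing: " + ", ".join(missing)))
    return findings


# Constructed sample inventory.
ACCOUNTS = [
    Account("dba_admin", ("alice", "bob"), frozenset({"admin"}), True),
    Account("alice", ("alice",), frozenset({"admin", "vpn"}), True),
    Account("carol", ("carol",), frozenset({"vpn"}), False),
    Account("dave", ("dave",), frozenset({"phi"}), False),
    Account("erin", ("erin",), frozenset(), False),
]
DEVICES = [
    Device("carol", True, True, True, True, True),
    Device("dave", True, False, True, False, False),
    Device("erin", False, False, False, False, False),
]

if __name__ == "__main__":
    for name, reason in audit_accounts(ACCOUNTS) + audit_devices(DEVICES):
        print(f"{name}: {reason}")
```

Run on the constructed inventory it reports the shared `dba_admin` account, the VPN and PHI accounts without MFA, and one BYOD device missing three of the four controls; wiring the same functions to a real directory or MDM export is a matter of replacing the two constructed lists.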


Cybersecurity in Health Care

CYBERSECURITY IN HEALTH CARE

DAVE BAGHDASSARIAN
• Regulatory framework, including HIPAA
• Performing a risk assessment
• Risks of using a cloud service provider
• Security of medical devices and mobile devices


Managing the Consequences of a Data Breach


THE FIRST 24 HOURS

• Don’t panic. Follow the plan.
• Mobilize first-response team
• Immediately call breach coach counsel
• Forensics
  – Investigate, isolate, contain, and secure systems / data
  – Preserve evidence
  – Document everything
• PR
• Consider contacting law enforcement
• Think notification


1. Record the date and time of discovery and time when response efforts begin

2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan

3. Investigate, while preserving evidence

4. Stem additional data loss

5. Document everything known about the breach

6. Interview those involved in discovering the breach and anyone else who may know about it

7. Consider notifying law enforcement after consulting with legal counsel

8. Revisit state and federal regulations governing your industry and the type of data lost

9. Determine all persons/entities to be notified, i.e. customers, employees, the media

10. Ensure all notifications occur within any mandated timeframes

Don’t Panic. Follow the plan.


APT Response


Detect Impacted Systems
- Firewall Logs
- IDS Logs
- Network Packet Captures
- Lima Scans/Host-based Scanning
- SIEM

Analysis
- Host Forensics
- Memory Analysis
- Network Logs
- Malware Analysis
- Connections

Indicators of Compromise (IOC)
- IP Addresses
- Protocols
- Registry Keys
- Filenames
- Hash Values

Client Provided
• Logs
• Reports
• Notifications
• Interviews
• Malware
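The "Detect Impacted Systems" and "Indicators of Compromise" columns above describe one loop: take the IOC categories (IP addresses, filenames, hash values, registry keys) and sweep them across the evidence sources (firewall logs, host-based scan output) to scope which systems go into the analysis phase. The block below is an added example of that sweep, not code from the K&L Gates deck. The firewall log format, the host-scan and registry dump layouts, the IP-to-host mapping and every indicator value are constructed placeholders (IPs from the TEST-NET documentation ranges, the MD5 of an empty file), not real indicators.

```python
"""Sweep the evidence sources listed above for indicators of compromise.

Added example, not code from the K&L Gates deck. Log format, host-scan
fields and all indicator values are constructed placeholders.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "source category value context")

# Constructed IOC set keyed by the categories on the slide. Hashes and
# registry paths are stored lower-case because both compare case-insensitively.
IOCS = {
    "ip": {"203.0.113.77", "198.51.100.9"},
    "filename": {"svchosts.exe", "update_helper.dll"},
    "hash": {"d41d8cd98f00b204e9800998ecf8427e"},
    "registry": {r"hklm\software\microsoft\windows\currentversion\run\updhelper"},
}

# Constructed firewall export: "<timestamp> <action> <src> <dst> <dport>"
FIREWALL_LOGS = """\
2015-05-27T02:14:07Z ALLOW 10.0.5.23 203.0.113.77 443
2015-05-27T02:14:09Z ALLOW 10.0.5.23 93.184.216.34 443
garbage line that a real export might contain and the sweep must skip
2015-05-27T03:01:55Z DENY  10.0.7.8 198.51.100.9 4444
"""
FW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)

# Constructed host-based scan output: (host, path, md5) and (host, autorun key)
HOST_FILES = [
    ("ws-0523", r"C:\Windows\Temp\svchosts.exe", "D41D8CD98F00B204E9800998ECF8427E"),
    ("ws-0523", r"C:\Windows\System32\svchost.exe", "0123456789abcdef0123456789abcdef"),
    ("ws-0708", r"C:\Users\Public\report.pdf", "ffffffffffffffffffffffffffffffff"),
]
HOST_REGISTRY = [
    ("ws-0523", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updhelper"),
    ("ws-0708", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]
# Constructed DHCP/asset mapping used to tie firewall hits back to hosts.
IP_TO_HOST = {"10.0.5.23": "ws-0523", "10.0.7.8": "ws-0708"}


def sweep_firewall(lines, iocs):
    """Match source and destination addresses in firewall lines against IP IOCs."""
    hits = []
    for raw in lines.splitlines():
        m = FW_LINE.match(raw.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        for ip in (m["src"], m["dst"]):
            if ip in iocs["ip"]:
                hits.append(Hit("firewall", "ip", ip, raw.strip()))
    return hits


def sweep_hosts(files, registry, iocs):
    """Match file names, file hashes and autorun keys from host scans."""
    hits = []
    for host, path, digest in files:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in iocs["filename"]:
            hits.append(Hit(host, "filename", name, path))
        if digest.lower() in iocs["hash"]:
            hits.append(Hit(host, "hash", digest.lower(), path))
    for host, key in registry:
        if key.lower() in iocs["registry"]:
            hits.append(Hit(host, "registry", key, key))
    return hits


def run_sweep():
    return sweep_firewall(FIREWALL_LOGS, IOCS) + sweep_hosts(HOST_FILES, HOST_REGISTRY, IOCS)


def impacted_hosts(hits, ip_to_host):
    """Resolve every hit to a host name: the scope handed to the analysis phase."""
    hosts = set()
    for h in hits:
        if h.source == "firewall":
            src = FW_LINE.match(h.context)["src"]
            hosts.add(ip_to_host.get(src, src))  # unknown IPs stay as IPs
        else:
            hosts.add(h.source)
    return hosts


if __name__ == "__main__":
    found = run_sweep()
    for h in found:
        print(f"{h.source:10} {h.category:9} {h.value}  <- {h.context}")
    print("impacted:", sorted(impacted_hosts(found, IP_TO_HOST)))
```

On the constructed data the sweep returns five hits (two outbound connections to listed IPs, and a listed filename, hash and autorun key on `ws-0523`) and scopes two hosts for analysis. Note that a name match alone (`svchosts.exe`) is weak and the hash match is what confirms it; the sweep records both so the analyst can weigh them.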


NOTICE REQUIREMENTS


• Industry-specific, e.g. HIPAA / HITECH
• 47 different state notification laws
• Others, e.g., Regulators, AGs, consumer reporting agencies, law enforcement?
• Media
• Social media
• SEC


• Industry-specific, e.g. HIPAA / HITECH


• 47 different state notification laws, e.g., Pennsylvania

• Business partners, e.g., New Jersey

Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.


MEDIA


SOCIAL MEDIA


CIVIL LITIGATION ISSUES AND TRENDS


Managing and Mitigating Cyber Risks

Ten Tips for Cyber Security Protection and Risk Mitigation

1. Proactive management at Board Level
   – Not an IT problem: board-level support is required to ensure that the resources, both in time and capital, are expended.
   – Ensure that a cyber management policy is part of the company’s governance framework and given the same level of attention as financial and other risk management regimes.


2. Know Your Data: data mapping
   – what data you hold
   – how sensitive the data is
   – which systems control the management of key information
   – how critical the information is to the management of the business
   – purge unnecessary data


3. Plan for Data Breach Events
   – “Not a question of IF, but WHEN”
   – Create and implement a data breach response plan
   – Designate core team for responses
   – Interview and retain vendors
   – Develop PR plan


4. Systems Security, Monitoring and Penetration Testing
   – Monitor systems for unusual activity.
   – Implement malware protection in all business areas and produce a policy on dealing with any malware issues.
   – Install security patches.
   – Implement basic security controls on networks.
   – Ex-employees should immediately be denied access.
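"Ex-employees should immediately be denied access" is the control in tip 4 that most often fails silently, because HR and IT keep separate records. The block below is an added example (not code from the K&L Gates deck) of the reconciliation a security team can run daily: join the HR termination feed against a directory export, report every terminated user whose account is still enabled, and rank first those whose account has been used after their last day. The HR feed, directory records, field names and dates are all constructed assumptions.

```python
"""Reconcile HR terminations against the directory to catch unrevoked access.

Added example, not code from the K&L Gates deck. The records and field
names are constructed assumptions, not a real HR or directory export.
"""
from datetime import date

# Constructed "as of" date for the run, used by the sample invocation below.
TODAY = date(2015, 5, 28)

# Constructed HR feed: user -> last day of employment
HR_TERMINATIONS = {
    "bob": date(2015, 5, 20),
    "frank": date(2015, 5, 26),
    "gina": date(2015, 5, 26),
}
# Constructed directory export (the shape an AD/LDAP dump might give you)
DIRECTORY = [
    {"user": "alice", "enabled": True, "last_logon": date(2015, 5, 27)},
    {"user": "bob", "enabled": True, "last_logon": date(2015, 5, 27)},
    {"user": "frank", "enabled": False, "last_logon": date(2015, 5, 25)},
    {"user": "gina", "enabled": True, "last_logon": date(2015, 5, 22)},
]


def stale_access(terminations, directory, today):
    """Return one finding per terminated user whose account is still enabled.

    Each finding is (user, days_since_termination, logged_on_after_termination).
    A logon after the termination date is the higher-priority signal: it means
    the credential was actually used, not merely left behind.
    """
    by_user = {rec["user"]: rec for rec in directory}
    findings = []
    for user, last_day in sorted(terminations.items()):
        rec = by_user.get(user)
        if rec is None or not rec["enabled"]:
            continue  # already deleted or disabled: nothing to do
        last_logon = rec.get("last_logon")
        used_after = last_logon is not None and last_logon > last_day
        findings.append((user, (today - last_day).days, used_after))
    return findings


def prioritized(findings):
    """Accounts used after termination first, then the longest-outstanding ones."""
    return sorted(findings, key=lambda f: (not f[2], -f[1]))


if __name__ == "__main__":
    for user, days, used in prioritized(stale_access(HR_TERMINATIONS, DIRECTORY, TODAY)):
        flag = "USED AFTER TERMINATION" if used else "still enabled"
        print(f"{user}: terminated {days} days ago, {flag}")
```

On the constructed data `frank` is correctly skipped (already disabled), `gina` is reported as still enabled two days after her last day, and `bob` is ranked first because his account logged on a week after termination, which is the finding that should go straight into the incident process rather than the offboarding queue.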


NIST Cybersecurity Framework


NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

85% of security budgets currently go here

According to Gartner: By 2020, 75% of security budgets will go towards detection and response

PCI DSS

“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”


5. Education and Training for the “Human Element”
   – Every company has a cyber defense weak spot in its own employees.
   – An adequate defense system protecting a company from cyber attacks should not only have the relevant defenses and policies in place, but staff must be trained on the relevant policies.


6. Protect Work with Attorney Privileges
   – Protection for discovery of weaknesses
   – Protection for testing events
   – Protection for data breach analysis and response
   – Retention of vendors for legal exercise


7. Third-Party Vendor and Access Review
   – Know your vendors and data access
   – Create a risk classification based on data type and disclosure risk.
   – Review contract details.
   – Incorporate vendor event into breach planning.


8. Review mobile computing and BYOD policies
   – 52% of mobile users store sensitive files online
   – 24% of mobile users store work and personal info in the same account
   – 21% of mobile users share logins with families
   – Mobile malware: apps
   – Insufficient mobile platform security


9. Cyber Insurance Review


10. Ongoing Management
   – Planning and analysis of risk serves no purpose unless a company also properly implements its findings.
   – As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defenses and re-evaluate the threats pertinent to their business.


DOJ “Best Practices”


Insuring Against Cyber Risks

“[A]ppropriate disclosures may include”:
• “Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
• “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
• “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
• “Risks related to cyber incidents that may remain undetected for an extended period”; and
• “Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

INSURING AGAINST CYBER RISKS


“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses.”

Target Form 10-K (March 2014)


• Directors' and Officers' (D&O)

• Errors and Omissions (E&O)/Professional Liability

• Employment Practices Liability (EPL)

• Fiduciary Liability

• Crime
  – Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)

• Property

• Commercial General Liability (CGL)


• Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”

• “Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person's right of privacy”

• What is a “Person’s Right of Privacy”?

• What is a “Publication”?
• Does the Insured Have to “Do” Anything Affirmative and Intentional to Get Coverage?


• Coverage A Provides Coverage for Damages Because of “Property Damage”

• “Property Damage”: “Loss of use of tangible property that is not physically injured”


POTENTIAL LIMITATIONS OF “LEGACY” COVERAGE


ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”


– Zurich American Insurance Co. v. Sony Corp. of America et al.


REMEMBER THE SNOWFLAKE


• Privacy and Network Security
  – Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
• Regulatory Liability
  – Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations
• PCI-DSS Liability
  – Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Fines and Penalties, for Alleged Non-compliance with PCI Data Security Standards
• Media Liability
  – Generally Covers Third-Party Liability Arising from Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising from the Insured's Media Activities, e.g., Broadcasting and Advertising

THIRD PARTY COVERAGE


• Crisis Management
  – Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations
• Network Interruption
  – Generally Covers First-Party Business Income Loss Associated with the Interruption of the Insured's Business Caused by the Failure of Computer Systems
• Digital Asset
  – Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and Repairing Damaged or Destroyed Programs, Software or Electronic Data
• Extortion
  – Generally Covers Losses Resulting from Extortion, e.g., Payment of an Extortionist's Demand to Prevent a Cybersecurity Incident
• Reputational Harm

FIRST PARTY COVERAGE


• First-Party Property Damage and Business Interruption ~$350M
• Third-Party Bodily Injury and Property Damage ~$100M

[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:

A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or

B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].

DIC COVERAGE


AVOID THE TRAPS


POLICY EXAMPLE 1


POLICY EXAMPLE 2


POLICY EXAMPLE 3


POLICY EXAMPLE

Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC


Request a “Retroactive Date” of at Least a Year


BEWARE THE FINE PRINT

REMEMBER THE DEVIL IS IN THE DETAILS

“A well-drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”

Roberta D. Anderson, Partner, K&L Gates LLP (May 28, 2015)
