Cybersecurity and Data Privacy - Alaska Bar
TRANSCRIPT
Perkins Coie LLP | PerkinsCoie.com
Cybersecurity and Data Privacy: Mitigating Employee, Vendor and Third Party Risks
May 2, 2018
Overview
Part 1 – Cyber Risks
Part 2 - Legal and Regulatory Landscape
Part 3 - Ways to Mitigate or Prevent Threats
Cyber Risks
Part 1
Diverse Threat Actors
Nation-state actors
• Highly resourced & sophisticated
• Target critical infrastructure, ISPs, large corporations, government contractors
• Propaganda & information value
• Advanced Persistent Threats (APTs)
Criminals
• Personally Identifiable Information (PII), credit cards, data
• Black market for stolen data on the Dark Web
• Examples: Target, Home Depot, Uber
Hacktivists
Disgruntled Employees
DHS/FBI joint alert, March 16, 2018:
"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."
Kevin Feldis
The Nature of the Threat
• In Chinese intrusion cases (coming from China) handled by Mandiant, 94% of the victim companies did not realize their networks had been breached until someone else told them.
• On average, attackers had been inside the victim's network for 416 days before the intrusion was detected.
"Nation-states willing to spend unlimited amounts of money for technology, intelligence gathering, and bribery can overcome just about any defense."
-- Alan Paller, Director of Research, SANS Institute
Diverse Threat Actors
Human Element
• Poor Cyber Hygiene
• Poorly Trained Employees
• Lack of Understanding
• Cannot catch everything
Connectivity and Data Collection
Internet usage increasing
• 4.16 billion Internet users (54.4% of the world population)
• Reaching far corners of the earth
Device usage increasing
• 12 billion internet-connected devices worldwide (20 billion by 2020)
• Average American owns 4 internet-connected devices
More diverse & data-rich services offered
• Medical, Financial, Personal Fitness
• Children (Facebook's Messenger Kids)
• IoT, Smart Homes, Wearables
• Artificial Intelligence (AI)
CloudPets "Smart" Toys
Wi-Fi/Bluetooth-enabled audio messages through toys
The CloudPets company was hacked, exposing data of 800,000 customers and 2 million voice messages recorded through "smart" teddy bears (February 2017). The exposed records sat in an internet-facing database that required no authentication, so reaching them took no sophisticated intrusion.
Data breach visualization. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Connectivity and Data Collection
New corporate focus on risks and costs
• The last 10 years were about growth; the next 10 years will be about security
• Companies accepting responsibility
Public concerns
• Honeymoon over
• People waking up
• Privacy concerns
U.S. Government concerns
• Federal, state and local governments waking up
• Political concerns
• National security concerns
The Cyber Legal and Regulatory Landscape
Part 2
Increasing U.S. Regulations and Enforcement
• State Attorneys General / Local Authorities
  • Increasingly active
• Federal Trade Commission
  • Consumer privacy protections
• Securities & Exchange Commission
  • Specialized cyber unit
  • New SEC Guidance on Cybersecurity Disclosures (February 26, 2018)
  • "As companies' exposure to and reliance on networked systems and the Internet has increased, the attendant risks and frequency of cybersecurity incidents also have increased"
  • Inform investors about material cybersecurity risks and incidents in a timely fashion
  • Maintain comprehensive policies and procedures for cybersecurity risks and incidents
  • Disclose the risks associated with cybersecurity, including those connected to acquisitions
U.S. Data Security Laws and Standards
• State Laws
  • Nearly all states have data breach notification laws
  • Many states require "commercially reasonable" security measures
• Federal Laws
  • FTC Act § 5, HIPAA, FERPA, GLBA (Gramm-Leach-Bliley Act)
  • SEC cyber guidance
• EU General Data Protection Regulation (GDPR)
  • Effective May 25, 2018
U.S. Data Security Regulations
• Government Contracts
  • Defense contractors and subcontractors
  • DFARS 252.204-7012, Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting (compliance deadline December 31, 2017)
    • Multi-factor authentication
    • Encryption
    • Cyber incident reporting (within 72 hours of discovery, through the DoD reporting portal)
  • FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems that process, store or transmit federal contract information (June 2016)
    • 15 basic security controls for those systems (e.g., access control, malware protection)
    • Federal contract information = information provided or generated for the Government under a contract to develop or deliver a product or service
Increasing Private Litigation
• Growing class of plaintiffs
  • Consumers, shareholders, financial institutions, third parties
  • Class action lawsuits (failure to protect)
• Industry standards
  • PCI DSS (Payment Card Industry Data Security Standard), NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
• Trends
  • Increasing interest in private litigation and attorney specialists
  • Fewer claims dismissed for lack of standing
  • Increased regulation and enforcement
  • Higher industry standards
  • Common law court decisions: rising standard of care
New Law as of March 2018: Clarifying Lawful Overseas Use of Data (CLOUD) Act
1. U.S. companies are required to turn over evidence/data wherever it is located (including overseas), if they control it.
  • A search warrant or grand jury subpoena is still required
  • Addresses the issue raised in the Microsoft litigation
  • Amends the Stored Communications Act
2. Permits providers to make disclosures directly to foreign governments
  • Increases international law enforcement cooperation
  • Limited to countries that enter into executive agreements with the U.S.
Minimizing Cyber Risks
Part 3
Immediate Steps:
Review your current Data Security Program
• Have someone with experience review & update it
• Get the buy-in and budget necessary from the top
• Schedule and conduct training & stress testing
Conduct a Cyber Compliance Review
• Are you complying with industry standards, government contract requirements (FAR, DFARS), and regulations/laws?
Update your Incident Response Plan
• Dust it off, have someone with cyber experience review it, and update it
• Test it: tabletop and simulated exercises
Develop procedures for limiting third-party risks
• Determine the level of risk that is appropriate for your business before you outsource or share any data
• Develop a third-party due diligence process and follow it
Limit Third-Party Cyber Risks
Conduct Due Diligence
• Ask to review cyber risk assessments
• Look for external certifications
• Review cyber/data protection policies
• Do they have a dedicated CISO and/or other cyber professionals?
• Do they have a cyber incident response plan?
• Any history of cyber breaches?
Include Cybersecurity Provisions in Contracts
• Define cybersecurity terms
• Require cybersecurity safeguards and audits
• Subcontracting limits/considerations
• Breach notification provisions
• Certifications about prior breaches
• Indemnification/remedies
Minimize Human Element Risks
• Policies and Procedures
  • Wireless, data protection, BYOD
• Training
• Network & endpoint security
• Identify key data and protect it
• Backup systems
• Track compliance
• Conduct assessments

Kevin Feldis
Perkins Coie - Partner
907-263-6955 desk
907-529-1599
[email protected]
www.perkinscoie.com/KFeldis
Admitted in Alaska, Illinois and Washington DC