cybersecurity what you needto know for your business · • step 3: get ready for a...

© 2018 All Rights Reserved

Reinhart Boerner Van Deuren s.c.1

CYBERSECURITY:WHAT YOU NEED TO KNOW

FOR YOUR BUSINESS

Martin J. McLaughlin414-298-8219

[email protected]

Reinhart Boerner Van Deuren s.c.1000 North Water Street, Suite 1700, Milwaukee, WI 53202

www.reinhartlaw.com

Sarah Sargent414-298-8338

[email protected]



Agenda

• Types of data that must be protected

• Laws governing data privacy and security

• Top Five "Cyber" Best Practices

� Engage leadership

� Assess risk and develop risk management strategy

� Prepare for breach

� Manage vendor/customer contracts

� Educate



What "Data" Must be Protected?

• PII: Typically, state laws define personally identifiable

information (PII) as an individual's first name or initial with last

name, and one or more of the following (unencrypted) data

elements:� Social Security number

� Driver's license number or state or military identification card number

� Financial account, credit card or debit card number, in combination with any required

security code, access code or password that permits access to an individual's account

• However, some states define PII more broadly to include:� Medical information

� Health insurance information

� A user name or e-mail address, in combination with a password or security question and

answer that permits access to an online or financial account or resource

� Credit or debit card number without security information

� Biometric information (such as fingerprints or facial measurements)



Laws Governing Data

• State data breach and privacy laws

� Beware the data security requirements in some state laws

• New York Financial Services Regulation (23 NYCRR 500)

• Health Information Portability and Accountability Act (HIPAA)

� PHI: Protected Health Information

• Fair Credit Reporting Act

• Gramm-Leach-Bliley Act (GLBA)

� Financial institutions

• Children's Online Privacy Protection Act (COPPA)

• Foreign Laws: EU's General Data Protection Regulation (GDPR);

APEC Privacy Framework; China's data security law; Canda's

Federal Personal Information Protection and Electronic Documents

Act (PIPEDA)



Top Five Cybersecurity Best Practices to Implement

• Step 1: Take It to the Top (Engage Leadership)

• Step 2: Assess and Manage Risk (Rinse and Repeat)

• Step 3: Get Ready for a Breach…It's Coming (Soon?)

• Step 4: Contract Responsibly

• Step 5: Get the Message Out



Step 1: Take It to the Top(Engage Leadership)



Involved Leadership

• Exposure to and education concerning budgets and risks related to

data security

• Review and approve policies on privacy and IT security risks

• Consider having someone with security expertise on staff and/or

consider retaining outside experts

• Emphasize that data security is not just an IT problem

• Treat data security as an enterprise risk

• Build a culture of data security by emphasizing its importance to

leadership



Allocation of Risk ManagementFunction Govern

(ongoing)

Respond

(incident and breach)

Contain

(damages and liabilities)

Board of directors Set standard of care

Periodically evaluate

cybersecurity risk assessment

Oversee management's

cybersecurity approach

Monitor breach notifications and

governance process and updates

Re-evaluate cybersecurity risk

Re-evaluate standard of care

Executive management Identify critical assets

Prepare cyber risk assessment

Approve incident response plan

Categorize and assess incidents Develop short-term and long-

term remedial actions

Conduct "lessons learned"

session with team

Legal Define and oversee ongoing

cybersecurity risk management

program

Develop cybersecurity risk legal

response strategy

Prepare and approve

cybersecurity breach response

program and incident response

plan

Draft policies

Review vendor contracts

Monitor breach and

cybersecurity risk trends and

measure risk management

execution

Execute breach communications

plan

Contract with forensic vendors

and notification vendors

Determine legal obligations

Notify data subjects

Evaluate effectiveness of

cybersecurity breach response

and technology risk

management

Perform cybersecurity liability

evaluation

Monitor programs and best

practices

Information security Build threat mitigation program

Establish incident, investigation,

and forensics response programs

Conduct tests

Define and restrict access

Prepare incident response plan

Detect and respond to incident

Execute investigation plans

Assess effectiveness of

cybersecurity incident response

Execute incident remediation

plan



Step 2: Assess and Manage Risk (Rinse and Repeat)



Assess and Manage Risk

Steps to Take• Know your data

• Know your vulnerabilities

• Develop and revise plans and

policies

• Consider established

frameworks as a roadmap

• Testing

Guidelines to Remember• Security is a journey, not a

destination

• Consider role of attorney-

client privilege

• Continuous quality

improvement is key



Know Your Data

• Know your data:

� What kind(s) do you collect?

� Why is it collected?

� Where is it stored and for how long?

� Who has access (and who should have access)?

� How is it used?

� How is it secured?

• Review, assess policies and practices for data:

� Collection, storage, use, disclosure, protection, destruction

� Consent for collection

• Scale down

� Collect only what you need

� Restrict access

� Keep only as long as you need it



Know Your Vulnerabilities

• Employees

• Third-party service providers (e.g., cloud service providers,

payroll, plan administrators, etc.)

• Physical environment

� Firewalls, network infrastructure, Wi-Fi

� Outward facing interfaces (webpages, portals, etc.)

� Endpoints (desktops, laptops, printers, cell phones)



Essential Policies and Procedures

• General information security policy

• Privacy policy

• Incident response plan

• Mobile device management

• Bring your own device policy

• Updated employee handbook

• Acceptable use policy

• Business continuity policy

• User agreements

• Website terms and conditions

• Disaster recovery policy



Develop Plans and Policies

• Develop a proactive, not reactive, information security plan and

team—an equal balance of individuals yelling fire and telling

everyone to calm down

• Know and minimize your attack surface

• Establish a baseline

• Enforce record retention and destruction policies



Factors to Consider

• Consider the entire life cycle of data and risks associated with each step

� Data collection, use, sharing, transfers, and destruction

• Analyze each division/department's specific cybersecurity requirements by

considering:

� Type and sensitivity of data handled or managed

� Applicable laws and standards

� Contractual commitments and internal policies and procedures

� Internal capabilities

� Flexibility needed with data security measures

� Cost/Benefit assessments



Cybersecurity Frameworks

• COBIT: Best practices for governance and control processes for information systems and technology, one aspect of which is the control of information

system and technology risk

• HIPAA: Provides a series of security standards and implementation specifications

• ISO: International, ISO/IEC 27001 and 27002 provide a comprehensive baseline set of controls that can be implemented by any type of

organization; healthcare-specific considerations are addressed in ISO/IEC

27799 (Expensive)

• NIST: Intended for federal agencies, the NIST SP 800-53 controls, and supporting 800-series publications provide, a comprehensive information

security risk management framework; healthcare-specific considerations

are addressed in NIST SP 800-66 (the bell cow among the frameworks)

• PCI: Intended for payment card information, but scope sufficiently comprehensive to provide a reasonable baseline for the protection of any

type of sensitive information

• HITRUST: Formed specifically to support the healthcare industry



Recommendations

Network• Encryption

• Intrusion detection/

• prevention

• Data loss prevention software

• Locked down firewalls

• Penetration testing

• Desktop modeling

User• Password protocols

• Multi-factor authentication

• Mobile device management

• Skills-based user education

(e.g., PhishMe)

• Social media monitoring

• Limited access



Best Practices for Testing

Consider retaining an

outside consultant to

perform tests of your

systems

• Vulnerability scanning

• Spear phishing

• Penetration testing

Internal exercises you

can perform

• Tabletop exercises

• Phishing tests



Step 3: Get Ready for a Breach…It's Coming



What Are the Risks to Your Business?

• Theft of trade secrets, intellectual

property, and sensitive business

information (such as customer lists

or product pricing) that can be

monetized

• Business email compromise-

targets executives

• Wire transfers (e.g., intercompany

transfers, title companies, deal

closings, payments to foreign

vendors)

• Access to financial systems to

execute unauthorized financial

transactions

Valued assets

Intellectual property

People information

Financial information

Business information



How Data Breaches Occur

1. Malicious Internet attacker/APT

2. User error

3. Loss/theft of device

4. Disgruntled employee

5. Third-party mistake

6. Network intrusion



2018 Verizon Data Breach Investigations Report

Verizon, 2018 Data Breach Investigations Report (11th ed. 2018).



Being attacked is unavoidable, so how prepared are you? Can you answer “yes” to these five key questions?

1. Do you know what you have that others may want?

2. Do you understand how these assets could be accessed or disrupted?

3. Would you know if you were being attacked and if your assets have been compromised?

4. Do you have a plan to react to an attack and minimize the harm caused?



Typical Incident Response Timeline

IBM Security, 2017 Cost of Data Breach Study: United States (2017).



Cost of a Breach

Data security breaches are major risk areas for businesses. A

business that suffers a data breach incident or reportable event

may incur significant expenses, including costs relating to:� Investigating and containing the breach

� Hiring third-party investigators

� Notifying affected individuals if the breach affects

individuals' PII

� Determining whether existing insurance policies cover the

breach

� Government fines and private lawsuits

� Reputational damage, lost customers, and lost business

� Potential lawsuits

� Contract liability and fees (Payment Card Industry fees)



Best Practices for Cyber Liability Insurance

• Review your policy and understand exactly what is

covered

• Check endorsements and coverage limitations (some

limit coverage for social engineering hacks)

• Review the policy with your information security team

• Does it cover hosted service providers failures?

• Does it cover external breaches only? Internal?

• Does it cover credit card expenses?

• What are the exceptions?



Step 4: Own Your Contracts



Vendor Contracts

• Identify the third parties your organization relies on to collect, access, process, disclose, transmit, or host sensitive or

confidential data (cloud service providers, plan administrators,

etc.)

• Vendor due diligence is a must

• With increasing frequency, clients are seeking security

representations and warranties in agreements

• Consider risk-based approach to managing vendor security

agreements/contract standards

• Vendor oversight and contract enforcement

• Maintain vendor contact information and ensure key vendors are

represented and included as part of incident response team



Vendor Contracts (cont.)

Review contracts with vendors that collect, provide, access, use, store,

disclose, or otherwise process PII

� Does vendor have resources to indemnify?

� Do your vendors have cyber liability insurance coverage? Do you have

coverage?

� Data breach clause essential:

� Indemnification provisions

� Notification process and timing

� Cooperation during investigation

�Who notifies affected parties?

�Who pays for notice?

� Clear delineation of responsibility

� Limitation of liability (double edge sword)

� Confidentiality



Step 5: Get the Message Out



Strengthen Your Weakest Link

• Education and training is key

� Employee education upon hire, at least annually thereafter,

notice of updates to procedures

� Document

• Update employee handbook and policies

� Keep information confidential

� Assignment of intellectual property

� Fair use for work and technology

• Well understood and publicized reporting procedures essential



Questions?

THANK YOU!