Data Breaches – Prevention
and Response Strategies
Milada R. Goturi
Thompson Coburn LLP
Troy D. Cahill
LaserShip, Inc.
Commonly Targeted Industries
▪ Financial Services
▪ Retail
▪ Healthcare
▪ Education
▪ Manufacturing
▪ IT Services
▪ Business Services
▪ Government
▪ Media
Recently Reported Data Breaches
▪ University of Idaho (2017)
• 257 records with employee personal information compromised in phishing attack
▪ Glastonbury School District (2017)
• W-2 records of 1,600 employees released in e-mail scam
▪ Ellwood Thompson’s Local Market (2017)
• Personal information of 360 employees released in e-mail scam
MultiCare breach allows access to personal
records for 1,200 patients
“TACOMA, Wash. – A data breach in November 2016 at MultiCare Health System allowed access to 1,200 patients’ personal records, the non-profit reported Thursday.
An unauthorized person may have gained access to an employee’s email account on Nov. 27, 2016. The account may have contained personal patient information, including name, date of birth, address, gender, date of service, account balance, and diagnosis and treatment information.
When MultiCare learned of the breach, they secured the email account, changed the password, and investigated the incident.”
http://www.king5.com/news/health/multicare-breach-allows-access-to-personal-records-for-1200-patients/393722371
Theft of Unencrypted Laptop Exposes
Wonderful Health and Wellness Patients’ ePHI
POSTED BY HIPAA JOURNAL / JAN. 24, 2017
“Los Angeles-based Wonderful Health and Wellness has notified patients that their electronic protected health information (ePHI) was exposed in early December, 2016 when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation.
The laptop contained a range of protected health information including patients’ names along with their home addresses, telephone numbers, dates of birth, email addresses, clinical account numbers, medical conditions, treatment information, treatment dates, and test results. No Social Security numbers or financial information were stored on the device.
While the laptop computer was not encrypted, software had been installed which allows data on the device to be remotely deleted, although only if the laptop is used to connect to the Internet. Wonderful Health and Wellness has programmed the software to delete all sensitive data on the device the next time the device connects.”
Hacker impersonates Sunrun CEO, nabs
employee W-2 tax forms
By David R. Baker, Friday, January 27, 2017
“A hacker posing as Sunrun CEO Lynn Jurich obtained the W-2 tax forms—including Social Security numbers and salary details—for many employees of the San Francisco solar firm, the company said Friday.
Someone pretending to be Jurich sent Sunrun’s payroll department an email on Jan. 20 requesting employee W-2 forms, which companies typically send their employees this month.
‘Unfortunately, the phishing email wasn’t recognized for what it was—a scam—and employee W-2s for 2016 were disclosed externally,’ the real Jurich wrote to Sunrun employees in a memo this week.”
http://www.sfgate.com/business/article/Sunrun-hack-nabs-employee-W-2-tax-forms-10889441.php
Common Causes of Data Breaches
▪ Lost or stolen devices
▪ Malware/Ransomware
▪ Unsecured website login systems
▪ Use of unapproved, insecure software
▪ Insecure IT infrastructure
▪ Phishing/e-mail scam
▪ Employees mishandling data
▪ Human factor/negligence
Goals of a Breach?
▪ Money
▪ Theft of personal information
• Purchase of goods with stolen credit card information
• Filing of fraudulent tax returns
• Opening of fraudulent loans
▪ Sale of personal information
▪ Disgruntled employee use of information
Consequences of a Data Breach
▪ Reputation threat
▪ Substantial costs in breach response
▪ Contractual obligations
▪ Governmental fines
▪ Private lawsuits
A reputation that took decades to build can be threatened by a single event.
Statistics
▪ 2016 Cost of Data Breach Study: US
• Average organizational cost = $7M
• Up 29.8% since 2013
• Per compromised record cost = $221
• Up 17.6% since 2013
http://ibm.co/2b771w7
Key Enforcers
▪ State Attorney General Office
• State data breach laws
▪ US Department of Health and Human Services, Office of Civil Rights (OCR)
• HIPAA, HITECH
▪ Federal Trade Commission (FTC)
• Section 5(a) of FTC Act – prohibits unfair or deceptive acts or practices in or affecting commerce
▪ Private lawsuits
What is a Data Breach?
▪ Data Breach/Security Breach = unauthorized access to, disclosure or acquisition of personal information
▪ Definitions vary by state
▪ Must check applicable state law
State Data Breach Laws – Key Elements
▪ Personal information
▪ In unencrypted form (some laws also apply to paper records)
▪ Accessed, acquired or improperly disclosed
▪ An unauthorized party
• Enacted by 48 states
• The holdouts – South Dakota, Alabama
• Some state laws contain a risk of harm threshold
• Updates/amendments common
What is Personal Information?
▪ “Personal Information” or “Personally Identifying Information” (“PI” or “PII”):
• Individual’s name and one of the following:
• Social security number
• Account number with access # or PIN
• State identification/driver’s license number
• Credit card number
• Additional identifiers vary by state (e.g., health information, insurance information)
State Breach Notification Requirements
▪ Requirements vary by state
• All states require notification to the affected individuals
• Many states require notification of the State’s Attorney General or Credit Reporting Agencies
• Some states impose timeframe for notification
• Must check state law
Breach Notification Letters to State Residents
▪ Content requirements vary by state but generally need to include:
• What happened and when?
• What information was exposed?
• What the company is doing in response and to prevent it from reoccurring?
• Contact information to ask questions
▪ Free credit monitoring services requirement/consideration
▪ Beware of “form” letters
Multi State Breach Challenges
▪ Residents of multiple states affected
• Crafting breach notice letter
• Incident meets definition of Data Breach in some but not all of the affected states – will you notify all?
▪ Customers affected
▪ Employees affected
HIPAA Breach Notification Requirements
▪ Affects Covered Entities and Business Associates (i.e., vendors)
▪ Important terms to know:
• PHI – protected health information
• Unsecured PHI
• Breach of Unsecured PHI
• Covered Entity
• Business Associate
• Security Rule
• Privacy Rule
• Breach Notification Rule
Who Must Comply With HIPAA?
▪ Covered Entities – covered healthcare providers, health plans, and healthcare clearinghouses
• Consider: Do you have self-funded health plans, EAP, flexible spending account?
▪ Business Associates – vendors that perform for or on behalf of a covered entity a function or service that involves access to PHI (e.g., IT company, records storage company, delivery couriers, consultants)
What is Protected Health Information?
▪ Protected Health Information:
• Medical information
• Demographic information
• Billing information
▪ Unsecured Protected Health Information:
• Un-shredded paper records
• Unencrypted electronic information
What are Breach Notification Rules?
▪ HIPAA Breach Notification Rules require notice of Breach to the individual, OCR and (in some cases) media
▪ Business associates must notify Covered entities if a “Breach” occurs
▪ “Breach of Unsecured PHI” = acquisition, access, use or disclosure of Unsecured PHI not permitted under the Privacy Rules that compromise the security or privacy of PHI
▪ Risk assessment required
Breach Notification to Patients
▪ Without unreasonable delay
▪ In no event more than 60 days after discovery of breach
▪ Business Associates must notify covered entities within 60 days of breach discovery (but often much shorter timeframe specified in a business associate agreement)
Breach Notification to OCR and Media
▪ Breach affecting 500 or more individuals = notify OCR without unreasonable delay and no later than 60 days following a breach
▪ Breach affecting fewer than 500 individuals = notify OCR no later than 60 days after the end of the calendar year in which the breach was discovered
• OCR investigates all breaches involving 500 or more patients; increased investigation of smaller breaches expected
▪ Media notice required for breaches involving 500 or more state residents
HIPAA Enforcement Examples
▪ February 1, 2017 – Children’s Medical Center of Dallas paid $3.2 million to settle potential violations of HIPAA and agreed to implement a corrective action plan
• Loss of unencrypted BlackBerry with PHI of 3,800 patients in airport; theft of unencrypted laptop from hospital premises
▪ November 22, 2016 – University of Massachusetts paid $650,000 to settle potential violations of HIPAA and agreed to implement a corrective action plan
• Workstation affected by malware caused breach of 1,670 patients
▪ October 17, 2016 – St. Joseph Health agreed to pay $2,140,500 to settle potential violations of HIPAA and agreed to implement a corrective action plan
• Files containing PHI were publicly accessible through internet search engines from 2011 until 2012
FTC and AG Enforcement Examples
▪ Ashley Madison (December 14, 2016)
• $1.6M settlement; comprehensive data security plan required (FTC)
▪ Henry Schein Practice Solutions, Inc., In the Matter of (May 23, 2016)
• Allegation of deceptive data encryption
• $250,000 payment under consent order (FTC)
▪ 2/2017 – Acer (December 2017)
• PII stored in unsecure format
• $115,000 settlement, required to improve security practices (NY Attorney General)
Legislative Developments
▪ February 23, 2017 – bill to enact Active Cyber Defense Certainty Act
• “To amend Title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers”
• Active cyber defense measure = defense to prosecution
Case Studies
• Stolen laptop
• Data files sent to incorrect recipient
• Un-shredded documents recycled
• Data sent to personal email
• Employee errors
• Disgruntled employee leaves with data
• Lost luggage
• Missing FedEx
• Malware
• Ransomware
• Community garage sale
Each incident must be evaluated on its own facts!
Breach Prevention Strategies
▪ Know your Data
• What data is collected?
• How is data stored?
• Where are backups?
• How are backups created?
• Is data encrypted?
• Who has access?
• How long do you maintain records?
▪ Consider Data Flow Chart
Breach Prevention Strategies
▪ Assess and address risks and vulnerabilities – do you:
• Collect, store or transmit any PII or PHI?
• Transport PII or PHI on portable devices or paper files?
• Outsource computer network operations, data or network management?
• Share data with vendors?
• Allow remote access?
• Have data on mobile electronic devices?
• Allow use of personal devices?
• Have current intrusion detection software/protocol?
• Have a posted privacy policy that aligns with your internal data management practices?
Breach Prevention Strategies
▪ Establish solid data privacy and security policies and procedures
• Access control
• Password requirements/selection guidelines
• Workstation use and security
• Data integrity/protection from malicious software
• Facility security
• Remote access
• Removal of data
• Transmission of data
• Data backup
• Data disposal
• Disaster recovery
• Vendor contracts
• Audit control
• Security incident reporting and management
• Sanctions
• Training
Breach Prevention Strategies
▪ Minimize personal information collected and retained
▪ Invest in encryption technology
▪ Require vendors to safeguard confidential information
• Vendor screening process
• Indemnity obligations
▪ Perform cybersecurity audits
▪ Penetration testing
▪ Vulnerability scanning
▪ Use available resources (e.g., NIST)
▪ Know applicable legal requirements
Breach Prevention Strategies
▪ Educate employees – cannot be overemphasized
• Limits the scope or frequency of breaches
• Reflects commitment to compliance
• Training = part of orientation, annual, periodic
• Document training
▪ Limit access to data based on job requirements
• Minimum Necessary Standard
▪ Enforce security and privacy policies
• Part of evaluation, sanctions for noncompliance
Breach Preparation – Insurance
Considerations
▪ General liability insurance
▪ Cybersecurity/breach insurance
• Is the policy appropriate for your organization?
• What are the carve outs?
• What are the limits and deductibles?
• Counsel and expert panels
Breach Preparation – Incident Response Plan
▪ Create an Incident Response Plan
• Will differ based on the company, structure and the information handled
• Creates a blueprint of steps and responsibilities following a breach
• Allows the company to assess the breach and craft an efficient, timely response
▪ Test the plan!
• Tabletop exercises and drills
Incident Response Plan
▪ Identify the Incident Response Team and responsibilities
• Legal, IT, Human Resources, PR representatives
▪ Create mechanism for employees to report security incidents and require reporting
▪ Outline procedure for assessing reported incidents
▪ Create internal notification program for notifying the Incident Response Team, insurers, etc.
▪ Outline process for bringing forensics experts into the response
Incident Response Plan
▪ Define a process for identifying and implementing remediation measures
▪ Identify the process for notifying impacted individuals
▪ Identify what process will be used to determine whether notification is appropriate where not legally required
▪ Create a process for concluding the incident and retaining documentation of the incident and the response
Continuously Assess Readiness
▪ Monitor compliance
• Employees
• Organization
• Vendors
• Coordination between legal and IT
▪ Sign up for security issues alerts (e.g., NIST Computer Security Resource Center alerts http://csrc.nist.gov/; US CERT mailing list https://www.us-cert.gov/mailing-lists-and-feeds)
• Share with IT and employees – periodic security reminders
▪ Hit refresh
• Update policies
• Update Incident Response Plan
• Evaluate and update IT security
Response – Lifecycle of a Breach
▪ Identification – determine whether a breach has occurred
▪ Containment – contain and mitigate
▪ Remediation – take steps to prevent reoccurrence
▪ Notification – provide notifications
Response – Know Whom to Call
▪ Incident Response Team
▪ Management
▪ Legal counsel
▪ IT support
▪ Public relations
▪ Forensic support
▪ Insurance
▪ Consider contractual obligations
Identification – Determine if Breach Occurred
▪ Question: Is the incident a data breach?
▪ Investigate promptly
• Consider relevant facts
• Inside or outside threat?
• Conduct interviews
• Analyze compromised systems
• Identify malware employed, if applicable
• Engage forensic experts, as appropriate
• Reconstruct the incident
• Analyze applicable legal standards
Identification – Determine if Breach Occurred
▪ Evaluate the nature, extent and scope of incident
• What information was improperly disclosed?
• Was the information recovered?
• When and how did the incident happen?
• How many individuals were affected?
• Does the incident involve residents of multiple states?
▪ Document the investigation findings, conclusion and rationale
▪ Consider attorney-client privilege
▪ What if the incident is not a breach?
Breach Response – Contain and Remediate
▪ Contain the breach
• E.g., identify and remove malware for analysis
• E.g., if theft of mobile device, inform law enforcement
• E.g., close unsecure website portal log in
▪ Prepare internal and external communications
▪ Strengthen data security policies
▪ Have a plan to prevent reoccurrence
▪ Provide additional training on data security
▪ Maintain documentation of actions
▪ Considerations for breaches caused by a vendor
Response – Provide Required Notices
▪ Notify impacted individuals
• Legally required vs business reasons for notification
• Prevents customers from finding out about the breach from someone other than the business
• Credit monitoring/identity monitoring
▪ Dedicate trained personnel to handle calls/call centers
▪ Consider address location issues/returned mail management
▪ Notify AG, OCR, etc. – if required
• Notices must be timely
• Must follow legal requirements
▪ Consider contractual notices and obligations
Expect an Investigation
▪ Attorney General, Office of Civil Rights, FTC
• Cooperate with investigators
• Provide prompt and accurate responses
• Do not withhold information
• Be prepared for on-site interviews
• Demonstrate data security policies and practices
• Demonstrate employee training
• Demonstrate actions taken in response to the breach
Questions?
Milada Goturi, Partner
Thompson Coburn LLP
Washington, D.C.
202-585-6051
Troy Cahill, General Counsel
LaserShip, Inc.
Washington, D.C.
703-761-9030, ext. 8188
Milada Goturi
Milada is a Partner at Thompson Coburn practicing in the areas of Health Care and Cybersecurity. She advises clients on complex regulatory compliance matters and has significant experience in HIPAA compliance and data privacy and security. Milada has helped numerous healthcare and other clients establish privacy and security compliance programs, including developing privacy and security policies and conducting privacy and security training programs. Should any compliance concerns or data breach matters occur, Milada assists clients to manage the incident and ensure an appropriate response.
Milada also represents organizations faced with investigations by various government enforcement agencies, including the U.S. Department of Justice, U.S. Department of Health and Human Services, State Attorney General, Office of Civil Rights and others. She works closely with clients on developing appropriate responses and successfully negotiating timely and favorable outcomes.
Troy Cahill
Troy serves as General Counsel and Director of the Legal Department at LaserShip, Inc. In this capacity, he advises LaserShip’s management and Board of Directors on all legal affairs and issues that involve or relate to the company operations. In addition to his prior presentations relating to legal department management for the Association of Corporate Counsel, Troy has published and presented on a broad range of legal issues, with a particular emphasis on constitutional law and labor and employment law.
Prior to beginning work at LaserShip, Troy was in private practice in Washington, D.C. and, prior to that, served as Clerk’s Office Staff Counsel at the Supreme Court of the United States. He received his Juris Doctor with honors from the Wake Forest University School of Law.