Dealing with Data Leaks: Creating Your Data Breach Response Plan
TRANSCRIPT
© benefitexpress 2016
Cyber Security and Data Breaches
Larry GrudzienAttorney at Law
Recent High-Profile Data Breaches
•Suspected North Korean hackers
•Data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of unreleased Sony films, and other information.
•The hackers called themselves the “Guardians of Peace” and demanded the cancellation of the planned release of the film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un.
Sony: November 2014
Recent High-Profile Data Breaches
•Suspected Chinese hackers.
•Nation's second largest health insurer.
•Names, addresses, social security numbers, birth dates, and other information from 80 million customers and employees.
•Thieves used information to rack up $40,000 in credit card charges for some customers.
Anthem: January, 2015
Recent High-Profile Data Breaches
• In June 2015, OPM announced that it had been the target of a data breach targeting the records of as many as four million people.
• Later, FBI Director James Comey estimated that 18 million people were affected
•Breach has been described by federal officials as among the largest breaches of government data in the history of the U.S.
Office of Personnel Management (U.S. Government): April, 2015
Recent High-Profile Data Breaches
• Information targeted included SSNs, names, dates and places of birth, and addresses
• Also likely involved the theft of detailed security-clearance-related background information
• And even 5 million fingerprints
• On July 9, 2015, the estimate of the number of stolen records was increased to 21.5 million
• Soon after, Katherine Archuleta, the director of OPM, and former National Political Director for Barack Obama's 2012 reelection campaign, resigned
Office of Personnel Management (U.S. Government): April, 2015
Recent High-Profile Data Breaches
•Suspected Russian hackers
•70 million customers
•Name, address, phone number and e-mail address.
•After the data breach was discovered, Target offered one year of free credit monitoring and identity theft protection to all customers who shopped in U.S. stores
• Access was gained through a third-party vendor (an HVAC contractor)
• Shows the importance of controlling third-party access as well
Target: December, 2013
High Level Technical Overview
• General Overview
• How do you approach advising your employer on cybersecurity?
• What does the threat landscape look like now?
• What resources are out there to help you?
General Overview
High Level Technical Overview
Anything that is a device consisting of hardware and software, typically with an Internet connection
What can be hacked?
High Level Technical Overview
• Cyber Security: the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide
• Data Breach: the intentional or unintentional release of secure information to an untrusted environment
• Cloud: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer
• Phishing: the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication
Define Applicable Terms
High Level Technical Overview
• Encryption: the process of encoding messages or information in such a way that only authorized parties can read it
• Botnet: (also known as a zombie army) a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet
• Patch: a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities
• Two-Factor Authentication: a security process in which the user provides two means of identification from separate categories of credentials (something you know, something you have, something you are); typically one is something memorized, such as a password or PIN, and the other is a physical token, such as a card or a code generated by a device the user carries
Define Applicable Terms
High Level Technical Overview
• Federal Trade Commission, “Start with Security” guidance to businesses (https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf). This is generic guidance drawn from the FTC’s recent enforcement cases. It is fairly simple and written in non-technical language, but it provides some insight into what one group of federal regulators thinks is (or should be) the standard of care for a business.
• NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/). This document was developed through a lengthy consultation process with industry; it is meant to provide a general approach to cybersecurity, and to point businesses toward the relevant existing standards. In many industry contexts, it is becoming the de facto “standard of care.”
• NIST Recommendations (http://csrc.nist.gov/publications/PubsSPs.html). These documents are more detailed and technical recommendations developed through the NIST collaborative process with industry. The “800” series are particularly important in cybersecurity. The documents are designed for use by IT professionals responsible for implementing a company’s cybersecurity program.
Additional Resources on Cyber Security and Data Breach Topics
High Level Technical Overview
• Verizon Data Breach Investigations Report (DBIR) (http://www.verizonenterprise.com/DBIR/) is an annual analysis of cyber threats as reflected in actual data breaches and security incidents. The report looks at anonymized data submitted by a broad range of law enforcement agencies, private companies, and cybersecurity providers.
• Steptoe & Johnson Cyberlaw Podcast. Weekly podcast put out by a group of lawyers at Steptoe. They provide a good summary of case law, policy developments, and legislation relating to cyber, data breach, privacy, national security, etc.
• DHS Information Sharing resources: DHS supports a number of information sharing initiatives. You can find summary information here: http://www.dhs.gov/topic/cybersecurity-information-sharing.
Additional Resources on Cyber Security and Data Breach Topics
100% Prevention is Not Possible
• Lose credibility if you state (or think) otherwise
• Critical to recognize the reality
• Three kinds of entities:
  – Have been hacked
  – Will be hacked
  – Have been or will be, but just don’t know it (or don’t admit it)
Standard of Care
A standard of care is developing:
• NIST
• DOJ Guidelines
• Homeland Security
Critical to be – and stay – ahead of the curve
Government Involvement
• FBI: FBI InfraGard
• U.S. Secret Service: Electronic Crimes Task Force (ECTF)
• Entities organized by state or local authorities
Federal Law Enforcement
Government Involvement
• SEC
• DOJ
• FTC
• Homeland Security
Federal Agencies
Government Involvement
• US Congress passed the Cybersecurity Act of 2015, and President Barack Obama signed the measure into law on December 18, 2015
• The Act aims to defend against cyberattacks by creating a framework for the voluntary sharing of cyber threat information between private entities and the federal government, as well as among agencies of the federal government
• The legislation also aims to protect individuals’ privacy rights by ensuring that personal information is not unnecessarily divulged
• Companies are permitted to monitor and operate defensive measures on both their own information systems as well as those of others with written authorization
Federal Legislation
Government Involvement
• Entities are encouraged to implement and utilize security controls to protect against unauthorized access to or acquisition of cyber threat indicators or defensive measures
• Companies may share threat indicators and defensive measures with the federal government, but they must institute appropriate security controls and remove personal information not directly related to the reported cybersecurity threat
• Liability protections are available for companies choosing to share information provided they implement the proper controls
• Private entities may also share threat indicators and defensive measures with other private entities; again, personal information must be removed and security controls should be in place
Federal Legislation
Government Involvement
• 49 states
• Different definitions of “breach”
• Different requirements regarding notification of government officials, law enforcement, etc.
• Different requirements regarding notification of customers
• Different requirements as to what data elements must be disclosed in notifications
State Regulations
Government Involvement
Federal: NIST Framework; effect of the Executive Order on regulatory agencies.
Specific agency interest:
• SEC
• FTC
• FCC
• Sector agencies
Report on Status of Regulatory Rulemaking
Information Sharing Among Stakeholders, Government Agencies, Etc.
Report on general status
Government contractors and subcontractors have different obligations than other entities
3rd Party Vulnerability and Efforts to Control
• Target breach was through an HVAC vendor
• Questionnaires/interviews regarding data security practices
• Audits regarding the same
Who are the Hackers?
• Nation states (North Korea, China, Russia, others?)
• Criminal groups
• “Patriotic hackers”
• Terrorists/ISIL
• Even teenagers
What are Their Motivations?
• Money is the usual driver, but not always; see Ashley Madison (was morality the driver?)
• Ransom scams are common
Data Breach Litigation
•Recent General Counsel article predicting “Wave of data breach litigation”
• Recent 7th Circuit case on standing in data breach cases (Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015))
•Class Action Cases Against Target, Anthem, Sony, etc.
Commercially Available Products and Services
High-level, publicly available discussion of prior work for DOD and the Intelligence Community by two vendors:
• Booz Allen Hamilton
• Verizon Communications
Cyber products and services available from Booz Allen Hamilton:
• Threat analyses (pre-breach): vulnerability testing and recommendations for remediation
• Cyber4Sight® Services: predictive intelligence service to help clients prepare for future attacks; information and reports on threat-actor activities and trends
• Post-cyber-incident threat mitigation
• Workforce skills assessment and cyber training
• Analytics of risks, threats, and opportunities for corporate, government, and executive clients
Commercially Available Products and Services
Products and services available from Verizon:
• Managed Security Services
• Forensic Response
• Rapid Response Retainers
• Government partnerships (ECS)
Suggested Best Practices
Critical for:
• Post-breach litigation
• Government inquiries/investigations (SEC, DOJ, FTC, state regulators, etc.)
• Response to media inquiries, public opinion, investors, and corporate executives
Plan should include:
• Identify and protect critical assets (not necessarily “everything”)
• Experienced external counsel and forensic experts retained in advance: no delay for conflict checks
• Expert advice to help develop the plan (make sure you have backups of critical data and the ability to log event traffic)
• Expert advice available as soon as a breach is detected
• After-hours/weekend response already negotiated
Must have a carefully constructed response plan in place BEFORE the crisis hits
Suggested Best Practices
Law enforcement contacts developed in advance:
• FBI InfraGard
• USSS ECTF
• Others
Media Response Plan:
• Single point of contact
• Recognize that investigation and recovery take time (OPM, etc.)
Suggested Best Practices
• Dissemination of Information to Board of Directors:
  – Critical: boards are beginning to be held accountable
  – Boards need to understand that this is no longer just a low-level IT issue
  – Boards need to understand the extent and importance of efforts to prevent, monitor, detect and mitigate
• Dissemination of Information to Investors:
  – Critical that the Investor Relations department understands and is prepared for investor inquiries and notifications post-breach
• Notification of Customers:
  – Currently governed by 49 different state laws
  – Plus a host of international rules and regulations for global customers
Suggested Best Practices
• War Games/Simulations:
  – Good practice for the real thing
  – Also show awareness, seriousness and taking responsibility in advance of a breach
• Engage “White Hat” Hackers:
  – Run “Bug Bounty” programs
• Insurance products:
  – General liability coverage may not cover these breaches
  – May have to obtain a separate insurance policy
Questions?
Contact
Larry GrudzienAttorney at Law
708-717-9638
larrygrudzien.com