TRANSCRIPT
© Copyright 2015 by K&L Gates LLP. All rights reserved.
After Anthem: Cybersecurity, Data Privacy, and Cyber-Resilience for the Health Care Sector
Thursday, May 28, 2015
Moderator: Mary Beth F. Johnston (Partner, Research Triangle Park)
Presenters:
Roberta D. Anderson (Partner, Pittsburgh)
David P. Baghdassarian (Partner, Miami)
David A. Bateman (Partner, Seattle)
AGENDA
• Understanding Cyber Risks and Security Options (1:30-2:10 p.m.)
– Identifying cyber risks, including new and emerging threats
– Improving internet safety and network security
• Cybersecurity in Health Care (2:10-2:50 p.m.)
– Regulatory framework, including HIPAA
– Performing a risk assessment
– Risks of using a cloud service provider
– Security of medical devices and mobile devices
• Managing the Consequences of a Data Breach (2:50-3:30 p.m.)
– Preparing for the inevitable breach
– The first 24 hours
– Notice requirements
– Civil litigation issues and trends
• Break (3:30-3:45 p.m.)
• Managing and Mitigating Cyber Risks (3:45-4:25 p.m.)
– Pro-active management at the Board level
– Adequate training and internal procedures
– Vendor contracting and business associate agreements
• Insuring Against Cyber Risks (4:25-5:05 p.m.)
klgates.com 1
Understanding Cyber Risks and Security Options
The Spectrum of Cyber Attacks
• Advanced Persistent Threats (“APT”)
• Cybercriminals, Exploits and Malware
• Denial of Service attacks (“DDoS”)
• Domain name hijacking
• Corporate impersonation and Phishing
• Employee mobility and disgruntled employees
• Lost or stolen laptops and mobile devices
• Inadequate security and systems: third-party vendors
Advanced Persistent Threats
• targeted, persistent, evasive and advanced
• nation state sponsored
P.L.A. Unit 61398“Comment Crew”
Advanced Persistent Threats
• Gen. Keith B. Alexander, head of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.”
Source: New York Times, June 1, 2013.
Advanced Persistent Threats
• Penetration:
– 67% of organizations admit that their current security activities are insufficient to stop a targeted attack.*
• Duration:
– average = 356 days**
• Discovery: External Alerts
– 55 percent are not even aware of intrusions*
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”
Advanced Persistent Threats: Penetration
• Spear Phishing
• Watering Hole Attack – rely on insecurity of frequently visited websites
• Infected Thumb Drive*
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
Advanced Persistent Threats: Penetration
Employee Theft
Inadequate security and systems: third-party vendors
• Vendors with client data
• Vendors with password access
• Vendors with direct system integration
– Point-of-sale
Cloud Computing Risks
• Exporting security function and control
• Geographical uncertainty creates exposure to civil and criminal legal standards
• Risk of collateral damage
Source: Ponemon Institute 2014 Cost of Data Breach Study – Global
PREPARING FOR THE INEVITABLE BREACH
Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)
Security Tips
1. Logging
– Centralize, retain 3-6 months, verbose
2. Access Controls
– No shared admin rights accounts
– Dual Factor Auth for sensitive data, admin accounts, VPN access
3. Manage BYODs
– Group policies, require password, encryption, wipe
4. Application Whitelisting
5. Encrypt sensitive data
Cybersecurity in Health Care
CYBERSECURITY IN HEALTH CARE
DAVE BAGHDASSARIAN
• Regulatory framework, including HIPAA
• Performing a risk assessment
• Risks of using a cloud service provider
• Security of medical devices and mobile devices
Managing the Consequences of a Data Breach
THE FIRST 24 HOURS
• Don’t panic. Follow the plan.
• Mobilize first-response team
• Immediately call breach coach counsel
• Forensics
• Investigate, isolate, contain, and secure systems / data
• Preserve evidence
• Document everything
• PR
• Consider contacting law enforcement
• Think notification
1. Record the date and time of discovery and time when response efforts begin
2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan
3. Investigate, while preserving evidence
4. Stem additional data loss
5. Document everything known about the breach
6. Interview those involved in discovering the breach and anyone else who may know about it
7. Consider notifying law enforcement after consulting with legal counsel
8. Revisit state and federal regulations governing your industry and the type of data lost
9. Determine all persons/entities to be notified, i.e. customers, employees, the media
10. Ensure all notifications occur within any mandated timeframes
Don’t Panic. Follow the plan.
APT Response
Detect Impacted Systems
– Firewall Logs
– IDS Logs
– Network Packet Captures
– Lima Scans/Host-based Scanning
– SIEM
Analysis
– Host Forensics
– Memory Analysis
– Network Logs
– Malware Analysis
– Connections
Indicators of Compromise (IOC)
– IP Addresses
– Protocols
– Registry Keys
– Filenames
– Hash Values
Client Provided
• Logs
• Reports
• Notifications
• Interviews
• Malware
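The “Detect Impacted Systems” and “Indicators of Compromise” lists are what a responder actually cross-references during triage. As an added example that is not part of the K&L Gates deck, the Python below matches constructed firewall, host-scan and IDS lines against constructed indicator values in the slide’s IOC categories (IP addresses, filenames, hash values, registry keys) and reports which hosts are impacted; the `host=` log format and every indicator value are assumptions, not real IOCs.

```python
"""IOC triage over constructed log lines (added example, not from the deck).
Indicator categories are those the "APT Response" slide lists: IP addresses,
filenames, hash values, registry keys. All values below are constructed."""
import re
from collections import defaultdict

# Constructed indicators, keyed by the slide's IOC categories.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},  # documentation ranges only
    "filename": {"svch0st.exe", "update_helper.dll"},
    "hash": {"0123456789abcdef0123456789abcdef"},  # made-up MD5-length value
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b")

def match_line(line):
    """Return the set of (category, indicator) pairs found in one log line."""
    hits = set()
    lowered = line.lower()
    for ip in IP_RE.findall(line):
        if ip in IOCS["ip"]:
            hits.add(("ip", ip))
    for digest in HASH_RE.findall(lowered):
        if digest in IOCS["hash"]:
            hits.add(("hash", digest))
    # Filenames and registry keys are matched case-insensitively as substrings.
    for category in ("filename", "registry"):
        for indicator in IOCS[category]:
            if indicator.lower() in lowered:
                hits.add((category, indicator))
    return hits

def impacted_hosts(lines):
    """Map each host with at least one hit to its IOC matches.
    Lines are assumed to carry a 'host=<name>' field (constructed format)."""
    report = defaultdict(set)
    for line in lines:
        hits = match_line(line)
        if hits:
            host = re.search(r"host=(\S+)", line)
            report[host.group(1) if host else "unknown"].update(hits)
    return dict(report)

# Constructed sample lines: firewall, host-based scan and IDS output.
SAMPLE_LOGS = [
    "fw host=fw01 src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "fw host=fw01 src=10.0.0.13 dst=192.0.2.10 dport=80 action=allow",
    r"hostscan host=ws-0412 file=C:\Windows\Temp\svch0st.exe md5=0123456789abcdef0123456789abcdef",
    r"hostscan host=ws-0412 reg=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    "ids host=ws-0413 sig=outbound-beacon dst=198.51.100.7 dport=8443",
]

if __name__ == "__main__":
    print(impacted_hosts(SAMPLE_LOGS))
```

A hit on a firewall host (fw01 above) names the sensor that saw the traffic, not the endpoint behind it, so the `src=` field still has to be followed up on the internal side.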
NOTICE REQUIREMENTS
• Industry-specific, e.g. HIPAA / HITECH
• 47 different state notification laws, e.g., Pennsylvania
• Others, e.g., Regulators, AGs, consumer reporting agencies, law enforcement?
• Media
• Social media
• SEC
• Business partners, e.g., New Jersey
Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.
MEDIA
SOCIAL MEDIA
CIVIL LITIGATION ISSUES AND TRENDS
Managing and Mitigating Cyber Risks
Ten Tips for Cyber Security Protection and Risk Mitigation
1. Proactive management at Board Level
– Not an IT problem: board level support is required to ensure that the resources, both in time and capital, are expended.
– Ensure that a cyber management policy is part of the company’s governance framework and given the same level of attention as financial and other risk management regimes.
2. Know Your Data: data mapping
– What data you hold
– How sensitive the data is
– Which systems control the management of key information
– How critical the information is to the management of the business
– Purge unnecessary data
3. Plan for Data Breach Events
– “Not a question of IF, but WHEN”
– Create and implement a data breach response plan
– Designate core team for responses
– Interview and retain vendors
– Develop PR plan
4. Systems Security, Monitoring and Penetration Testing
– Monitor systems for unusual activity.
– Implement malware protection to all business areas and produce a policy on dealing with any malware issues.
– Install security patches.
– Implement basic security controls on networks. Ex-employees should immediately be denied access.
NIST Cybersecurity Framework
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
85% of security budgets currently go here
According to Gartner: By 2020, 75% of security budgets will go towards detection and response
PCI DSS
“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”
Ten Tips for Cyber Security Protection and Risk Mitigation (continued)
5. Education and Training for the “Human Element”
– Every company has a cyber defense weak spot in its own employees.
– An adequate defense system protecting a company from cyber attacks should not only have the relevant defenses and policies in place, but staff must be trained on the relevant policies.
6. Protect Work with Attorney Privileges
– Protection for discovery of weaknesses
– Protection for testing events
– Protection for data breach analysis and response
– Retention of vendors for legal exercise
7. Third-Party Vendor and Access Review
– Know your vendors and data access
– Create a risk classification based on data type and disclosure risk.
– Review contract details.
– Incorporate vendor event into breach planning.
8. Review mobile computing and BYOD policies
– 52% of mobile users store sensitive files online
– 24% of mobile users store work and personal info in same account
– 21% of mobile users share logins with families
– Mobile malware: apps
– Insufficient mobile platform security
9. Cyber Insurance Review
10. Ongoing Management
– Planning and analysis of risk serves no purpose unless a company also properly implements its findings.
– As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defenses and re-evaluate the threats pertinent to their business.
DOJ “Best Practices”
Insuring Against Cyber Risks
“[A]ppropriate disclosures may include”:
• “Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
• “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
• “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
• “Risks related to cyber incidents that may remain undetected for an extended period”; and
• “Description of relevant insurance coverage.”
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
INSURING AGAINST CYBER RISKS
“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses.”
Target Form 10-K (March 2014)
• Directors' and Officers' (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime – Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Property
• Commercial General Liability (CGL)
• Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”
• “Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person's right of privacy”
• What is a “Person’s Right of Privacy”?
• What is a “Publication”?
• Does the Insured Have to “Do” Anything Affirmative and Intentional to Get Coverage?
• Coverage A Provides Coverage for Damages Because of “Property Damage”
• “Property Damage”: “Loss of use of tangible property that is not physically injured”
POTENTIAL LIMITATIONS OF “LEGACY” COVERAGE
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
– Zurich American Insurance Co. v. Sony Corp. of America et al.
REMEMBER THE SNOWFLAKE
THIRD PARTY COVERAGE
• Privacy and Network Security – Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
• Regulatory Liability – Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations
• PCI-DSS Liability – Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Fines and Penalties, for Alleged Non-compliance with PCI Data Security Standards
• Media Liability – Generally Covers Third-Party Liability Arising from Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising from the Insured's Media Activities, e.g., Broadcasting and Advertising
FIRST PARTY COVERAGE
• Crisis Management – Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations
• Network Interruption – Generally Covers First-Party Business Income Loss Associated with the Interruption of the Insured's Business Caused by the Failure of Computer Systems
• Digital Asset – Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and Repairing Damaged or Destroyed Programs, Software or Electronic Data
• Extortion – Generally Covers Losses Resulting from Extortion, e.g., Payment of an Extortionist's Demand to Prevent a Cybersecurity Incident
• Reputational Harm
DIC COVERAGE
• First-Party Property Damage and Business Interruption ~$350M
• Third-Party Bodily Injury and Property Damage ~$100M
[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:
A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or
B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].
AVOID THE TRAPS
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 3
POLICY EXAMPLE
Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC
Request a “Retroactive Date” of at Least a Year
BEWARE THE FINE
REMEMBER THE DEVIL IS IN THE DETAILS
“A well-drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (May 28, 2015)