TRANSCRIPT
We Earn Our Reputation From The Companies We Keep.®
Anatomy of a Data Breach
March 12, 2014
Lucie Huger, Officer, Greensfelder, Hemker & Gale, P.C.
Jarrett Kolthoff, President, SpearTip
Joyce Yeager, Assistant Attorney General, State of Missouri
“Information is the New Oil!”
Companies are collecting and storing mass amounts of data on a regular basis.
This data may include information about employees, customers, intellectual property/trade secrets and business operations.
This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.
Everywhere
With the popularity of social media, the conduct of business on personal devices, and the outsourcing of certain business functions to third parties, data breaches are becoming more prevalent.
Possible Outcomes Affecting Business Operations Resulting From A Breach
Loss of customers
Damage to business reputation
Compliance obligations
Government investigations (federal and state)
Civil litigation
Common Causes of Data Breaches
Negligence
Malicious or criminal attacks (hacking or theft of electronic devices)
Corporate espionage/malfeasance
Anatomy of a Data Breach
1. Notify those within your organization who need to know of the incident: not every incident constitutes a breach that would lawfully require notification.
Internal communications could be discoverable, so be careful what you say and how you say it.
Note the date and time of the discovery of the incident.
Anatomy of a Data Breach
2. Assemble a response team, both internal and external:
The team should consist of:
Key company stakeholders
Legal counsel: since civil litigation is possible, an attorney knowledgeable in breach issues can help keep the process of working through a breach protected by privilege
Forensic IT firm
Communications expert
Anatomy of a Data Breach
3. Investigate the incident: what type of data is involved, what are the circumstances, how many persons are affected. Carefully plan/strategize the investigation before you begin.
Keep language of the investigation easy to understand.
Interviews may be appropriate.
Document the steps and findings.
Involve law enforcement, as appropriate.
Involve insurers, as appropriate.
Anatomy of a Data Breach
4. Determine whether the incident constitutes a reportable breach: look to applicable laws and determine whether there is an exception.
Federal
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Anatomy of a Data Breach
State or States: Currently, there are 46 states that have enacted data breach laws. Some of these laws apply to businesses operating in the state, while others apply to affected residents of the state (multiple state laws may come into play in a single breach). It will be necessary to determine which state(s) law(s) apply. Some states have different definitions for what data constitutes “personal information.”
Some state laws require notification of residents based upon “unauthorized access.”
Certain states require a risk of harm analysis to determine whether notification is required.
Certain state laws protect electronic records, not paper records.
Many states require notice to the State Attorney General.
States generally require notice within a defined timeframe, but these timeframes can vary.
Anatomy of a Data Breach
5. Contain the breach and mitigate harm, to the extent possible.
Is it possible to retrieve the lost/stolen device?
Is it possible to “wipe” the data from the lost/stolen device?
Is it possible to arrange for the return of the data erroneously disclosed?
Is it possible to enter into a non-disclosure agreement/attestation for return of data?
Anatomy of a Data Breach
6. Notify
Affected persons: it takes time to find up-to-date addresses.
Law enforcement: State Attorneys General.
Government: Department of Health and Human Services.
Media: as required under federal or state law.
Anatomy of a Data Breach
7. Respond to inquiries.
Do you need to establish a toll free number for inquiries?
Do you need to establish a call center?
Have you established a triage team to address unique customer concerns?
Have you established a system for addressing press inquiries?
Anatomy of a Data Breach
8. Improve processes to avoid future data breaches.
Have you considered a third party audit to review your company’s policies/compliance efforts as well as its technical infrastructure?
Which Data Breaches are being Litigated?
Probability of a lawsuit is positively correlated with the number of records lost.
Probability of a lawsuit is positively correlated with the presence of actual harm (financial loss, emotional distress) and negatively correlated with credit monitoring being offered.
Lawsuits are more likely to occur from breaches caused by improper disclosure of information, as opposed to a computer hack, for example.
Probability of a lawsuit is positively correlated with the compromise of personal information requiring a heightened level of protection by individuals affected.
Romanosky, S., Hoffman, D., Acquisti, A. (2013). Empirical Analysis of Data Breach Litigation. iConference 2013 Proceedings
Proactive Approach
Create a Preparedness Plan, now:
Identify persons within your organization who are/will be responsible for data management.
Identify compliance requirements according to applicable laws.
Identify the types of data your organization collects/ processes/ develops.
Create a risk assessment plan and mitigation plan.
Develop policies and educate all staff.
Have a reporting mechanism that is well publicized and encouraged.
Procure insurance to cover data breaches (cyber policy).
Review vendor contracts.
Lucie F. Huger, 314/345-4725
E-mail: [email protected]
Jarrett Kolthoff, President & CEO, SpearTip, LLC, Saint Louis, Missouri
SpearTip Cyber Counterintelligence
Forrester Research – Value of Corp Secrets
• Current Data Security Strategies
  – Identify the Most Valuable Information Assets
  – Create a “Risk Register” – Compliance / Corporate Secrets
  – Assess Balance Between Compliance & Protecting Secrets
• Establish Baseline
  – Reprioritize Enterprise Security Investment
  – Increase 3rd Party Vigilance
  – Measure Effectiveness – Key Performance Indicators (KPIs) and “Audit the Auditor”
National Defense Magazine, Sep 2002
“Just over a decade ago, intelligence collection efforts still focused primarily upon military assets. Now, these have largely shifted to concentrate upon technology, manufacturing processes, and other trade secrets that sometimes have dual use but often only civilian applications.”
David M. Keithly and Stephen P. Ferris, National Defense Magazine, US Companies Exposed to Industrial Espionage, Sep 2002
Cyber Warfare – New Types of Soldiers
• Taking on new missions
• Theft of processing power
• Theft of customer data and financial information
• Theft of research
• Destruction of research data
• Hacktivism
• Using active memory manipulation to foil static analysis and avoid signature-based AV solutions
• In some cases, being used in conjunction with human operatives in the theft of company IP
Method of Attacks
Cyber Warfare – Phishing Scams
• PayPal phishing scam tempting users to click a “Resolution Center” link.
• The first suspicious part of this phishing email is the email domain.
• The second suspicious piece of this email is the URL hidden behind the “Resolution Center” link.
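The two indicators on the slide (a sending domain that does not belong to the brand named in the message, and a link whose visible text hides a different destination) can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not material from the presentation or from SpearTip; the two messages are constructed, the lookalike domain and IP address in them are made up, and BRAND_DOMAINS is an assumed allow-list that a real deployment would maintain from its own data.

```python
"""Flag the two phishing indicators named on the slide: sender domain and
hidden link destination.

Added example, not part of the presentation. Messages, domains and the
BRAND_DOMAINS allow-list are constructed for illustration."""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand name as it appears in a display name -> domains the brand really uses
# (assumption for the example).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed lookalike: wrong sending domain, "Resolution Center" link to a bare IP.
PHISHING_EMAIL = """\
From: PayPal Service <service@paypa1-secure.example>
To: customer@example.org
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please visit the <a href="http://198.51.100.7/pp/login">Resolution Center</a>
to restore access.</p>
<p>You can also sign in at <a href="https://www.paypal.com/signin">www.paypal.com</a>.</p>
</body></html>
"""

# Constructed control message with nothing suspicious in it.
LEGITIMATE_EMAIL = """\
From: PayPal <service@paypal.com>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body><p>View it in <a href="https://www.paypal.com/myaccount">your account</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (adequate for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze_email(raw):
    """Return (indicator, detail) pairs; an empty list means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["from"].addresses[0]
    brand = next((b for b in BRAND_DOMAINS if b in sender.display_name.lower()), None)
    if brand is None:
        return []  # no claimed brand to compare against
    legit = BRAND_DOMAINS[brand]
    findings = []

    # Indicator 1: the sending domain is not one the claimed brand uses.
    if registrable_domain(sender.domain) not in legit:
        findings.append(("sender-domain", sender.domain))

    # Indicator 2: where each link really goes, versus what the reader sees.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        try:
            ipaddress.ip_address(host)  # bare IP address instead of a brand host
            findings.append(("link-ip-literal", f"{text!r} -> {href}"))
            continue
        except ValueError:
            pass
        if registrable_domain(host) not in legit:
            findings.append(("link-host", f"{text!r} -> {href}"))
        shown = text.lower().strip("/")
        # Visible text that looks like a hostname but differs from the real target.
        if "." in shown and " " not in shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(("link-text-mismatch", f"{text!r} -> {href}"))
    return findings


if __name__ == "__main__":
    for f in analyze_email(PHISHING_EMAIL):
        print(*f)
```

The brand match on the display name is deliberately loose; what matters for triage is that once a message claims a brand, every domain in it (sender and link targets) is held to that brand's allow-list, and a visible `www.brand.com` whose `href` points elsewhere is flagged separately because that is the exact trick the slide describes.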
Cyber Warfare – APT
• Advanced Persistent Threat (APT) is considered a cyber attack launched by a group of sophisticated, determined and coordinated attackers that have been systematically compromising a specific target’s machine or entity’s networks for a prolonged period of time.
• The term “persistence” is also extended to the attackers’ acts of persistently launching spear-phishing attacks against the targets.
Cyber Warfare – Stages of Compromise
• Stage-0 Loader
  – Usually a small application (.exe)
  – Application normally with limited behavior
  – “Droppers”
  – May be found on disk
• Stage-1 Loader
  – Normally memory-resident
  – Usually utilizes process injection or process replacement
  – Normally not hard-coded, allowing for flexibility
  – May seek to uninstall AV solutions
Cyber Warfare – Stages of Compromise
• Follow-on Modules
  – These will also be primarily memory-resident
  – May seek out and destroy other malware
  – Will often initiate C2 communications for data exfiltration and propagation
  – May also log keystrokes and interfere with AV solutions
Cyber Warfare – Malware Characteristics
• Initial infection vector
• Propagation mechanism
• Persistence mechanism
• Artifacts
Cyber Counterespionage – Case Studies
• Romanian Hack Team – Credit card fraud: arrested by INTERPOL
• Chinese Foreign National – APT – Pre-patent theft: identified SUBJECT/source and remediated malware
• Identified Anonymous – STL: arrested by FBI
• Critical Infrastructure – SCADA: secured SCADA systems and continuous monitoring for cyber threats
• International Wire Fraud – $6.9MM: recovered $6.9MM wired to Russia and defended bankers’ bank from lawsuit
General Counsel’s Response to the Breach
Plan For the “When”, Not the “If”
• “Own” the response to the breach
• Validate with Legal interpretation
• Breach Notification Policies
• Balancing Legal with Reputational Risks
• Table-Top Exercises
• Continually updating policies/procedures
• Consultant to the Board
Engagement Strategies – Paradigm Shift
• Multi-national corporate espionage is a reality!
• Corporations have a responsibility to protect their intellectual property.
• Un-conflicted Advisory Services
• Board Level optics
• Traditional Audits / Penetration Testing
• Advanced Malware Capabilities
• Consultant to the Board
Protect Your Corporate Assets! Make a Plan!
STATE LAW REGULATORY PRINCIPLES
B. Joyce Yeager, Esq., CIPP, Assistant Attorney General
The statements and content of this presentation are personal
statements and opinions of Joyce Yeager, CIPP, and are not the statements or opinions of the
Office of the Attorney General of the State of Missouri, and are not
the statements or opinions of Attorney General Chris Koster.
PRIVACY IS MORE THAN THE DATA BREACH IN THE PRESS
State Privacy Topics
General
Chapter 115 RSMo – Election: Election Authorities and Conduct of Elections
Chapter 313 RSMo – Gambling and biometrics: Licensed Gaming Activities - patrons shall not be required to provide fingerprints, retinal scans, biometric forms of identification, any type of patron-tracking cards, or other types of identification prior to being permitted to enter the area where gambling is being conducted
362.422 RSMo – Financial Records: Disclosure of nonpublic personal information; nonaffiliated third parties (State law parallel to federal Gramm-Leach-Bliley Financial Modernization Act of 1999, “GLBA”)
407.1355 RSMo – Social Security numbers: Social Security numbers, prohibited actions involving…a state or local agency
408.675 to 408.700 RSMo – Missouri Right to Financial Privacy: There are provisions throughout the Code and in federal law pertaining to credit information, credit rating information, and credit reporting
491.060 RSMo – Privileges: Persons incompetent to testify--exceptions, children in certain cases (child testimony; privileges for attorney, minister, physician communication)
565.084 RSMo – Tampering with a judicial officer, penalty
565.225 RSMo – Crime of stalking
565.252 and 565.253 RSMo – Crime of invasion of privacy: Photography/film
569.095 to 569.099 RSMo – Tampering with computer
Employment: There are statutes throughout the Missouri Code protecting records pertaining to educators, public employees, as well as military members and their families
Communication
407.1070 to 407.1110 RSMo – Telephone: Telemarketing Practices (phone solicitation)
407.1135 to 407.1141 RSMo – Unsolicited E-mail: Unsolicited Commercial E-Mail prohibited
542.400 to 542.422 RSMo – Wiretaps: Wiretaps (common carrier switching station communications)
Health
167.183 RSMo – Health: Immunization records, disclosure, to whom--disclosure for unauthorized purpose, liability
Chapter 188 RSMo – Regulation of Abortions: Breach of Confidentiality prohibited
191.656 to 191.703 RSMo – AIDS (Acquired Immunodeficiency Syndrome): Confidentiality of HIV records
191.918 RSMo – Breast-feeding: Breast-feeding in public permitted
375.1300 to 375.1312 RSMo – Genetic Information and Domestic Violence: Genetic information cannot be used by employers or insurers to discriminate against individuals
Medical and Pharmaceutical: There are provisions throughout the Code and in federal law pertaining to medical and pharmaceutical information. For examples of medical records protections, see the web page for the Office of Civil Rights of Health and Human Services (“HIPAA” and “HITECH”). For information pertaining to the safety of records pertaining to the Affordable Care Act, see the web page for the Federal Trade Commission.
Identity
570.223 RSMo – Identity Theft: Crime if he or she knowingly and with the intent to deceive or defraud obtains, possesses, transfers, uses, or attempts to obtain, transfer or use, one or more means of identification not lawfully issued for his or her use
570.224 RSMo – Trafficking in stolen identities: Crime if manufactures, sells, transfers, purchases, or possesses, with intent to sell or transfer means of identification ... for the purpose of committing identity theft
570.380 RSMo – Fake Identification: Manufacture or possession of fictitious or forged means of identification, intent to distribute, violation
Records
43.542 RSMo – Criminal Records: Approval of National Crime Prevention and Privacy Compact--execution of compact (criminal history records)
182.815 and 182.817 RSMo – Library Records: Disclosure of library records not required—exceptions
Chapter 211 RSMo – Juvenile Records: Juvenile Courts (privacy protections throughout Chapter)
Education Records: Education records are protected by federal statute
Types of Privacy Statutes and Regs Typically Found in State Laws
Arrest and Conviction Records; Legal filings; Banks and Financial Records; Mailing lists; Cable Television; Medical Records/Biological information/Bioidentifiers; Computer crime; Pharmacy Records; Credit Reporting and Investigating; Polygraphs in Employment; Criminal Justice Records; Privacy Statutes (such as the protection of certain pictures); Education Records; Social Security numbers; Electronic Surveillance; State Constitutional guarantees; Employment Records; Sunshine Statutes; Government Information on Persons; Tax Records; Identity Theft; Telephone Services; Insurance Records; Testing in employment; Library Records; Tracking; Licensing Information; Vehicle/Drivers Licenses
FDA Regulation/HIPAA/HITECH
• Section 201(b) of the Food, Drug, and Cosmetic Act. Software is a medical device.
• HIPAA/HITECH and “Business Associates”
All roads lead through Texas on medical records privacy: http://www.jtexconsumerlaw.com/MedicalPrivacy.pdf
Journal of Consumer & Commercial Law, “I Think They Mean It”, by B. Joyce Yeager
Do Not Track: Section 22575 of the Business and Professions Code of California
Compliance with 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts
Any person that receives, stores, maintains, processes or otherwise has access to personal information acquired in connection with employment or with the provision of goods or services to a Massachusetts resident has a duty to protect that information.
A "person," for purposes of the regulation, may be an individual, corporation, association, partnership or other legal entity.
Personal information includes a surname, together with a first name or initial, in combination with one or more of the following three data elements pertaining to that person: Social Security Number; driver's license or state-issued identification card number; or financial account or credit or debit card number, with or without any other data element, such as a code, password, or PIN, that would permit access to the person's financial account.
The duty includes the requirement that the person develop and maintain a comprehensive Written Information Security Program ("WISP") to safeguard such information. If the person electronically stores or transmits personal information, the WISP must include a security system covering the person's computers and any portable and/or wireless devices. Safeguards should be appropriate to the size, scope and type of the person's business, to the person's available resources, to the amount of stored data and to the need for security and confidentiality of consumer and employee information. They must be consistent with safeguards for the protection of personal information, and information of a similar character, that are set out in any state or federal regulations that apply to the person.
MISSOURI AS AN EXAMPLE OF MEDICAL INFORMATION NOTICES AND HEALTH INFORMATION NOTICES
Missouri Revised Statutes, Chapter 407 Merchandising Practices, Section 407.1500, August 28, 2013
Definitions--notice to consumer for breach of security, procedure--attorney general may bring action for damages.
407.1500. 1. As used in this section, the following terms mean:
(1) "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person
that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that
person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in
violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information;
(2) "Consumer", an individual who is a resident of this state; . . .
407.1500 cont’d
(5) “Health insurance information", an individual's health insurance policy number or subscriber identification number, any
unique identifier used by a health insurer to identify the individual;
(6) "Medical information", any information regarding an individual's medical history, mental or physical condition, or
medical treatment or diagnosis by a health care professional;
(7) "Owns or licenses" includes, but is not limited to, personal information that a business retains as part of the internal
customer account of the business or for the purpose of using the information in transactions with the person to whom the
information relates;
(8) "Person", any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint
venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any
other legal or commercial entity; . . . .
407.1500 cont’d
(9) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted,
redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
(a) Social Security number;
(b) Driver's license number or other unique identification number created or collected by a government body;
(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password
that would permit access to an individual's financial account;
(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access
to an individual's financial account;
(e) Medical information; or
(f) Health insurance information.
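Step 4 of the breach anatomy earlier in the presentation asks whether an incident is a reportable breach, and the definition in (9) is the test that has to be applied record by record: a readable name, plus at least one listed element that is itself readable, with account and card numbers counting only together with the code that permits access. The script below is an added example (not the presentation's or the statute's own material) that applies that definition, together with the "consumer" definition in subsection 1(2), to a constructed set of breached records to scope who must be notified. The field names (first_name, last_name, state, elements, encrypted) and the reading that an encrypted element simply drops out of the test are my own assumptions for the example.

```python
"""Scope a Missouri breach notification against the 407.1500 definitions.

Added example, not part of the presentation or any statute text. Record field
names are invented for the example and the sample records are constructed."""

# Elements that qualify on their own under 407.1500.1(9)(a), (b), (e), (f).
STANDALONE_ELEMENTS = (
    "ssn",                           # (a) Social Security number
    "government_id",                 # (b) driver's license / other government-issued number
    "medical_information",           # (e)
    "health_insurance_information",  # (f)
)


def _usable(record, key):
    """True when the element is present and not encrypted/redacted, i.e. not
    covered by the 'unreadable or unusable' carve-out in (9) (assumed reading)."""
    return bool(record["elements"].get(key)) and key not in record.get("encrypted", set())


def triggering_elements(record):
    """Return the data elements that make this record 'personal information'."""
    # The name itself must be readable: first name or first initial plus last name.
    if not (record.get("first_name") and record.get("last_name")):
        return []
    if "name" in record.get("encrypted", set()):
        return []
    hits = [key for key in STANDALONE_ELEMENTS if _usable(record, key)]
    # (c) account / card number counts only with a code that permits access.
    if (_usable(record, "financial_account") or _usable(record, "card_number")) \
            and _usable(record, "account_access_code"):
        hits.append("financial_account_with_access_code")
    # (d) unique electronic identifier or routing code, same condition.
    if (_usable(record, "electronic_identifier") or _usable(record, "routing_code")) \
            and _usable(record, "account_access_code"):
        hits.append("electronic_identifier_with_access_code")
    return hits


def is_personal_information(record):
    return bool(triggering_elements(record))


def notification_scope(records):
    """Count the 'consumers' (Missouri residents, 407.1500.1(2)) whose personal
    information was exposed, and list the element types involved."""
    affected = [r for r in records if r.get("state") == "MO" and is_personal_information(r)]
    kinds = sorted({e for r in affected for e in triggering_elements(r)})
    return {"affected_consumers": len(affected), "elements": kinds}


# Constructed sample records; every value is fictitious.
SAMPLE_RECORDS = [
    {"first_name": "J.", "last_name": "Doe", "state": "MO",
     "elements": {"ssn": "000-00-0001"}},
    {"first_name": "Jane", "last_name": "Roe", "state": "MO",
     "elements": {"card_number": "4111111111111111"}},            # no access code: not PI under (c)
    {"first_name": "Sam", "last_name": "Poe", "state": "MO",
     "elements": {"ssn": "000-00-0002"}, "encrypted": {"ssn"}},   # encrypted element drops out
    {"first_name": "Ann", "last_name": "Lee", "state": "IL",
     "elements": {"ssn": "000-00-0003"}},                          # PI, but not a Missouri consumer
    {"first_name": "Bob", "last_name": "Ray", "state": "MO",
     "elements": {"card_number": "5555555555554444", "account_access_code": "123"}},
    {"first_name": "Eve", "last_name": "Kim", "state": "MO",
     "elements": {"medical_information": "diagnosis on file"}},
]

if __name__ == "__main__":
    print(notification_scope(SAMPLE_RECORDS))
```

The rule table is deliberately kept per element because, as the slide on state laws warns, the definitions differ by jurisdiction: the Massachusetts text quoted above counts a card number "with or without any other data element", so a second state's rule set would flag record two where Missouri's does not, and the record in Illinois would need to be scoped under that state's law rather than dropped.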
407.1500 cont’d
Subsection 2. (1) Any person that owns or licenses personal information of residents of
Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to
the affected consumer that there has been a breach of security following discovery or notification of the breach. The disclosure notification shall be:
(a) Made without unreasonable delay;
(b) Consistent with the legitimate needs of law enforcement, as provided in this section; and
(c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or
any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the
breach, consistent with the legitimate needs of law enforcement as provided in this section.
NOTICE FOR PHI/PII
• SEC filings
• OCR/HHS
• State(s)
TRENDS
http://www.databreaches.net/netdiligence-2013-report-cyber-liability-data-breach-insurance-claims/
https://www.allclearid.com/files/2613/8325/4119/CyberClaimsStudy-2013.pdf
http://www.slideshare.net/Bee_Ware/verizon-2014-pci-compliance-report-31933261?utm_source=slideshow02&utm_medium=ssemail&utm_campaign=share_slideshow
We feel that to reveal embarrassing or private things, we have given someone something, like a primitive person fearing that a photographer will steal her soul.
To identify our secrets, our past, and our blotches is to reveal our identity, our sense of self.
Revealing our habits or losses or deeds somehow makes one less of oneself.
Paraphrase, Dave Eggers, A Heartbreaking Work of Staggering Genius
But why?