
Post on 05-Jul-2020



Perkins Coie LLP

Cybersecurity and Data Protection

What you need to know and how

to be prepared

December 2017

Kevin R. Feldis

Attorney Work Product

The Current Threat Environment

A Growing Risk of Cyber Attacks and Data Breaches


Internet usage increasing
• 3.89 billion Internet users (50% of the world's population)
• Reaching far corners of the earth

Device usage increasing
• 12 billion internet-connected devices worldwide (21 billion by 2020)
• The average American owns 4 internet-connected devices

More diverse and data-rich services offered
• Medical, financial, personal fitness
• Children (Facebook's Messenger Kids)
• IoT, smart homes, wearables
• Artificial Intelligence (AI)

The Internet Ecosystem and the Ubiquity of Personal Information

CloudPets "Smart" Toys
• Wi-Fi/Bluetooth-enabled audio messages sent through the toys
• The CloudPets company was hacked, exposing data of 800,000 customers and 2 million voice messages from "smart" teddy bears (February 2017)

Diverse Threat Actors

1. Nation-state actors
• Highly resourced and sophisticated
• Target critical infrastructure, ISPs, large corporations, government contractors
• Propaganda and information value
• Advanced Persistent Threats *
• Examples: Las Vegas Sands, Anthem, OPM, Sony, Equifax (?)

2. Organized crime / other criminals
• Personally Identifiable Information (PII), credit cards, data
• Black market for stolen data (Dark Web)
• Examples: Target, Home Depot, Uber

3. Hacktivists

4. Lone wolves

The Nature of the Threat

• In intrusion cases originating from China handled by Mandiant, 94% of the victim companies did not realize their networks had been breached until someone else told them.

• On average, attackers had been inside companies' networks for 416 days before the intrusion was detected.

"Nation-states willing to spend unlimited amounts of money for technology, intelligence gathering, and bribery can overcome just about any defense."

-- Alan Paller, Director of Research, SANS Institute


Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Increased Data Breaches

Uber (2016 breach disclosed November 2017)
• Personal information of 57 million customers and drivers
• 3 potential class action lawsuits
• Attorneys General investigations in three states
• LA City Attorney lawsuit
• Federal Trade Commission inquiry


The Cyber Legal and Regulatory Landscape


Increased Litigation & Regulatory Risk

Increasing risk of litigation and regulation
• Growing class of plaintiffs: consumers, shareholders, financial institutions, third parties
• Class action lawsuits (failure to protect)
• State Attorneys General: increasingly active (Uber)
• Federal Trade Commission: consumer privacy protections

Trends
• Increased private litigation
• Fewer claims dismissed for lack of standing
• More and higher settlements
• Increased enforcement
• Additional regulations

Substantive Data Security Standards

• State laws
• Nearly all states have data breach notification laws
• Many states require "commercially reasonable" security measures

• Federal laws
• FTC Act § 5, HIPAA, FERPA, GLBA (Gramm-Leach-Bliley Act)
• SEC guidance

• Industry standards
• PCI DSS (Payment Card Industry Data Security Standard), NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection)

• Common law standards: a rising standard of care

• EU and international regulations

Substantive Data Security Standards (continued)

• Government contracts

• Defense contractors and subcontractors
• DFARS 252.204-7012, Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting (compliance deadline December 31, 2017)
• Multi-factor authentication
• Encryption
• Cyber incident reporting (within 72 hours of discovery, through the DoD reporting portal)

• FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (June 2016), i.e. systems that process, store or transmit federal contract information
• 15 basic security controls for those systems (e.g. access control, malware scanning)
• Federal contract information = information provided or generated for the Government under a contract to develop or deliver a product or service
• Must be included in solicitations and contracts, and flowed down to subcontractors

State Data Breach Laws


Contractual Obligations

Contractual Provisions (where to look)
• Confidentiality clauses
• Nondisclosure clauses
• Express security requirements
• Trade secret / proprietary information clauses

This highlights the need to assess contract risks and to include cybersecurity provisions in contracts.

How to Protect Your Business

Prevent AND Plan for Response

1. Implement a company-wide Data Security Program
• All stakeholders: IT alone can't secure your data
• High-level engagement across components and business lines
• Written policies and practices
• Train, test, and enforce

2. Consider what data is shared with third parties
• Conduct due diligence and risk analysis before sharing data
• Contract terms and considerations / vendor risks
• Encryption

3. Develop and test your Incident Response Plan
• An effective response to a data breach can reduce actual damage and legal exposure

Avoid Common Mistakes

1. Data Security Program mistakes
• A too-narrow or out-of-date information security program exposes you to legal, contractual and regulatory risks
• Failure to stress test
• Failure to enforce

2. Contract and third-party mistakes
• Failure to assess the risks of sharing information
• Failure to conduct due diligence
• Failure to maintain continued oversight and to update due diligence
• Failure to know the scope of access and data being shared
• Failure to clearly define rights and responsibilities in contracts

3. Incident Response Plan mistakes
• Failure to include cybersecurity in your IRP
• Failure to appoint responsible senior officials, identify cybersecurity vendors, and hire legal counsel to direct the response and preserve privileges
• Failure to routinely assess, test and update the IRP

Immediate Steps

• Review your current Data Security Program
• Have someone with experience review and update it
• Get the buy-in and budgeting necessary from the top
• Schedule and conduct training and stress testing

• Conduct a cyber compliance review
• Are you complying with industry standards, government contract requirements (FAR, DFARS), and regulations/laws?

• Develop procedures for limiting third-party risks
• Determine the level of risk that is appropriate for your business before you outsource or share any data
• Develop a third-party due diligence process and follow it

• Update your Incident Response Plan
• Dust it off, have someone with cyber experience review it, and update it
• Test it: tabletop and simulated exercises

Perkins Coie LLP | PerkinsCoie.com

Kevin Feldis, Partner, Perkins Coie
907-263-6955 (desk)
907-529-1599 (mobile)
kfeldis@perkinscoie.com

www.perkinscoie.com/KFeldis

Admitted in Alaska, Illinois and Washington DC