Managing Employee Data And
Security Risks in the Digital World
January 29, 2014
Your Cooperation is Needed
Please mute your phone *6
To ask questions and open your line *6
This will help all of our friends!
PSAB’s Blended Training
Webinars
Traditional Classroom Sessions
One-on-One Assistance
Upcoming Training
Webinars
Co-STARS Cooperative Purchasing Program* Feb. 5
Parliamentary Procedures Feb. 10
Dealing with Past Practice Claims Feb. 12
Sign Management* Feb. 13
Understanding the Sunshine Act Feb. 26
* Free to PSAB members
Upcoming Classroom Training
The Course in Community Planning
The Course in Zoning
The Course in Subdivision & Land Development Review
Newly Elected Municipal Officials Training
The Course in Zoning Administration
Basic Municipal Budgeting
Confined Space Training
PSAB Annual Conference April 6-9, 2014
www.classes.boroughs.org/
www.duanemorris.com
©2013 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP.
Duane Morris – Firm and Affiliate Offices | New York | London | Singapore | Los Angeles | Chicago | Houston | Hanoi | Philadelphia | San Diego | San Francisco | Palo Alto | Baltimore | Boston | Washington, D.C.
Las Vegas | Atlanta | Miami | Pittsburgh | Newark | Boca Raton | Wilmington | Cherry Hill | Lake Tahoe | Ho Chi Minh City | Duane Morris LLP – A Delaware limited liability partnership
Preventing a Security Breach: Managing Data and Security Risks
in the Digital World
Sandra A. Jeskie
●www.duanemorris.com
Data Breaches Get The Headlines
Identity Theft Resource Center
2013 Data Breach Stats
Cost of a Breach
• $194 per compromised customer record
• Average total per-incident costs - $5.4 million
• Lost business costs - $3.03 million
» Data from Ponemon Institute 2013 report
(does not include organizations that had
data breaches in excess of 100,000
because it is not representative)
Privacy and Security
• Privacy and security are the dominant high
profile issues in the U.S. today.
Privacy in the United States
• Federal, state and local statutes, as well as
Constitutional and common law rights
• Protects discrete categories of sensitive,
personal information
Privacy Laws
• No single privacy authority whose sole job is
enforcement of privacy laws
Federal Trade Commission (“FTC”)
• Enforces laws that prohibit business practices
that are anti-competitive, deceptive, or unfair
to consumers
• Section 5(a) of the FTC Act provides that
“unfair or deceptive acts or practices in or
affecting commerce are declared unlawful.”
15 U.S.C. Sec. 45(a)(1)
Protected Information
• Personally Identifiable Information (PII)
– Consumers
– Employees
Laws Relating to Personally Identifiable
Information (“PII”)
• Financial Services
• Health Care (PHI)
• Education
• Telecommunications
• Children
• Miscellaneous (drivers license, video rental, etc.)
Federal Laws Relating to Security
• Regulated entities: obligation to secure sensitive
information
– GLB Safeguards Rule
– HIPAA Security Rule
– FACT Act Consumer Records Disposal Rules
GLBA Safeguards Rule
• Requires a comprehensive written security
plan to protect customer information.
– Appropriate to the size and complexity of the
business, nature and scope of activities and the
sensitivity of the customer information handled
State Laws
• 46 states, the District of Columbia, Puerto Rico and the Virgin Islands
have enacted breach notification laws
– Texas encompasses all states
• 29 states have data disposal laws relating to PII
What is “Personal Information”?
Pennsylvania
an individual’s first name or first initial and last name in combination with
and linked to any one or more of the following data elements when the
data elements are not encrypted or redacted:
(i) Social Security number;
(ii) Driver’s license number or State ID number;
(iii) Financial account number, credit or debit card number in combination
with any required security code, access code or password
“Personal Information,” continued
Other state laws cover additional data elements:
– Account number by itself, rather than in combination with
any required security code or password that would permit
access to an individual’s financial account
– Date of birth
– Mother’s maiden name
– Employer identification number
– Identification number assigned by an employer
– Digitized or electronic signature
– Biometric data
– Health Care Information
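The two slides above state the Pennsylvania combination rule (name element plus at least one unprotected data element, with an exclusion for encrypted or redacted elements) and the broader element lists other states use. The following is an added example, not part of the deck or of Duane Morris' materials: a small scoping check that applies that rule to a constructed data inventory so a response team can count how many records of a compromised dataset fall under the definition. The record field names, the `protected` marker for encrypted/redacted fields, and the `extended` element list for other states are assumptions made for this example.

```python
"""Breach-scoping check for "personal information" (added example, not from the deck).

Applies the Pennsylvania combination rule quoted on the slide: a name element
(first name or first initial, together with last name) combined with at least
one data element that is neither encrypted nor redacted.  With extended=True
the check also counts the additional elements other states cover.
Field names and the extended list are assumptions for this example.
"""
from dataclasses import dataclass, field

# Elements that trigger the Pennsylvania definition on their own (assumed field names)
PA_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# Financial account/card numbers count only together with a code or password
FINANCIAL_FIELDS = {"account_number", "card_number"}
FINANCIAL_SECRETS = {"security_code", "access_code", "password"}
# Additional elements some other states cover (slide "continued"); assumed names
EXTENDED_ELEMENTS = {"date_of_birth", "mothers_maiden_name", "employer_id",
                     "employee_id", "electronic_signature", "biometric", "health_info"}


@dataclass
class Record:
    fields: dict                              # field name -> value ("" or None = absent)
    protected: set = field(default_factory=set)  # fields stored encrypted or redacted


def has_name(rec: Record) -> bool:
    """Name element: last name plus first name or first initial."""
    f = rec.fields
    return bool(f.get("last_name")) and (bool(f.get("first_name")) or bool(f.get("first_initial")))


def exposed(rec: Record, name: str) -> bool:
    """True when the element is present and not encrypted/redacted (the safe harbor)."""
    return bool(rec.fields.get(name)) and name not in rec.protected


def triggering_elements(rec: Record, extended: bool = False) -> set:
    """Return the set of unprotected data elements that make this record in scope."""
    hits = {e for e in PA_ELEMENTS if exposed(rec, e)}
    financial = any(exposed(rec, f) for f in FINANCIAL_FIELDS)
    if financial and any(exposed(rec, s) for s in FINANCIAL_SECRETS):
        hits.add("financial_account_with_secret")
    if extended:
        if financial:                         # "account number by itself" in other states
            hits.add("financial_account")
        hits |= {e for e in EXTENDED_ELEMENTS if exposed(rec, e)}
    return hits


def is_personal_information(rec: Record, extended: bool = False) -> bool:
    return has_name(rec) and bool(triggering_elements(rec, extended))


def scope_dataset(records, extended: bool = False) -> int:
    """Count records in a compromised dataset that meet the definition."""
    return sum(1 for r in records if is_personal_information(r, extended))


def sample_records():
    """Constructed sample inventory (not real data)."""
    return [
        Record({"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"}),
        # same element, but stored encrypted: outside the definition
        Record({"first_name": "John", "last_name": "Smith", "ssn": "000-00-0001"}, protected={"ssn"}),
        # first initial is enough for the name element
        Record({"first_initial": "A", "last_name": "Brown", "card_number": "4111...", "security_code": "123"}),
        # card number without a code: not in scope in PA, in scope under broader state laws
        Record({"first_name": "Pat", "last_name": "Lee", "card_number": "5500..."}),
        # no first name or initial: name element missing
        Record({"last_name": "Garcia", "ssn": "000-00-0002"}),
        # date of birth only counts under the extended element list
        Record({"first_name": "Sam", "last_name": "Jones", "date_of_birth": "1970-01-01"}),
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("PA definition:", scope_dataset(recs), "of", len(recs))
    print("Extended definition:", scope_dataset(recs, extended=True), "of", len(recs))
```

The `protected` set is where the encryption safe harbor enters: the same SSN is in scope when stored in clear text and out of scope when the inventory records it as encrypted or redacted, which is why a data inventory should track storage protection per field, not just per system.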
How is a Breach Defined in PA?
• "Breach of the security of the system." The unauthorized access and
acquisition of computerized data that materially compromises the
security or confidentiality of personal information maintained by the
entity and that causes or the entity reasonably believes has caused or
will cause loss or injury to any resident of this Commonwealth.
• Good faith acquisition of personal information by an employee or
agent of the entity for the purposes of the entity is not a breach of the
security of the system if the personal information is not used for a
purpose other than the lawful purpose of the entity and is not subject
to further unauthorized disclosure.
Notification by State Agency – SB 114
• If a State agency is the subject of a breach of security of the system,
the State agency shall provide notice of the breach of security of the
system within seven days following discovery of the breach.
• Notification shall be provided to the Office of Attorney General within
three business days following discovery of the breach.
• A State agency under the Governor’s jurisdiction shall also provide
notice of a breach of its security system to the Governor’s Office of
Administration within three business days following the discovery of
the breach.
Notification by PA County, School District or
Municipality – SB 114
• If a county, school district or municipality is the subject of a
breach of security of the system, the county, school district
or municipality shall provide notice of the breach of
security of the system required within seven days following
discovery of the breach.
• Notification shall be provided to the district attorney in the
county in which the breach occurred within three business
days following discovery of the breach.
Policy Development on “Storage” – SB 114
• Goal is to “reduce the risk of future breaches of security of the system”
• Requires Office of Administration to develop a policy to govern the
proper storage by stated agencies of data, including PII.
• Policy must address identifying, collecting, maintaining, displaying and
transferring PII, using PII in test environments, remediating PII stored
on legacy systems and other relevant issues
• Policy must be reviewed annually and updated as necessary.
State Breach Notification Law Differences
• Definition of “personal information” or PII
• Trigger for notification – access or acquisition
– materially compromises
• Notice requirements – Who to notify
– Time frame for notification
– Content of notice
• Encryption safe harbor
• Inclusion of paper records and electronic records
• Private cause of action
Data Disposal Laws Generally
• Must take “reasonable measures” to protect against unauthorized
access or use of personal information:
– Implementing and monitoring compliance with policies/procedures for burning,
pulverizing or shredding papers or destruction/erasure of electronic media; and
– Describing procedures relating to destruction as “official policy in the writings of the
business”
• May enter into a written contract for destruction after due diligence,
which should include one or more of the following:
– Independent audit;
– Several references;
– Review and evaluation of information security policies or other measures to
determine competency and integrity of the business.
• May be subject to treble damages if negligent in training, supervision
or monitoring of employees
Massachusetts Data Security Regulations
• 201 CMR 17.00
• Develop, implement and maintain a
comprehensive written information security
program
– Administrative safeguards
– Physical safeguards
– Technical safeguards
Massachusetts Data Security Regulations
• Oversee service providers
– Selection
– Contractual provisions
• Restrict access to records
• Encrypt personal information
– public networks
– wireless transmission
– laptops and portable devices
• Education and training
The Greatest Common Denominator
How to prevent a security breach…
Breach Statistics
Root cause of security breach
41% Malicious or criminal attack ($277) malware infections, criminal insiders,
phishing/social engineering and SQL injection
33% Human factor ($159)
26% System glitch ($174)
» Ponemon Institute 2013 report
Factors Influencing the Cost
Increases the Cost
• Data lost due to third party error (+$43)
• Breach involved lost or stolen devices (+$10)
• Quick notification to breach victims (+$37)
Factors Influencing the Cost
Decreases the Cost
• Incident response planning (-$42)
• Strong security posture (-$34)
• CISO with overall responsibility for enterprise
data protection (-$23)
• Use of consultants (-$13)
Employee Threats
• Inadvertent disclosures
• Use of unapproved devices
• Carelessness
• Lack of training
• Theft
“BYOD” – Bring Your Own Device
Other Risks to Business
• New storage media – Cyberbling
– MP3
– Smart phones
– Wireless/Bluetooth connectivity
• New business models – Cloud computing
– Outsourcing
– Cross border transfer
– Competitive Intelligence
Consequences of Breaches in the U.S.
• Notification to individual, regulators and/or media
• FTC actions
• Actions by other federal regulatory agencies
• State Attorney General actions based on “mini-FTC”
consumer protection laws.
• Private lawsuits, including class actions, based on various
statutory, tort and contract theories
Best Practices
• FTC “Privacy by Design”
– Build privacy and security issues into every
relevant portion of the business
data security
reasonable collection limits
sound retention and disposal practices
data accuracy
Best Practices - Planning
• Identify personally identifiable information,
trade secrets, and proprietary information
– where located
– who controls it
– how it moves
– third party access
– what jurisdiction collects, processes and stores it
• Conduct a risk assessment
• Draft Policies
Best Practices - Policy Development
• Acceptable Use
• Data Security
• Incident Response
• Document Retention
Best Practices – Policies Should Consider
Problems Identified in FTC Actions
• Easy network access
• No breach detection
• Unnecessary storage
• Weak encryption/passwords
• Inadequate defense to known attacks
Best Practices - Policy Development
Consider Key Areas of System Risk:
• Transmission, storage, and disposal of computerized data, including data on laptops, disks and hard-drives
• Outsourcing/sub-contracted services that require data to be transmitted
• Storage and disposal of paper records
• Network monitoring, data loss prevention technology
Consider Key Areas of Process Risk:
• Purposes for which information is collected and used
• Access to sensitive files by employees and contractors
• Rules for transmission, storage, and disposal of data, including data contained on disks and hard-drives
Best Practices - continued
• Apply all policies and procedures to service
providers, outside consultants, as well as
employees
• Train employees
• Conduct regular audits
Issues When Retaining Service Providers
• Responsibility for security and privacy related
compliance cannot be outsourced to a service
provider
– Conduct appropriate due diligence and selection of
service providers
– Implement security standards through appropriate
contractual clauses
– Monitor performance of service providers to the
security standards
Security is Integral to Scope of Services
• The scope of services should include a framework of security and describe applicable security practices
– technical, organizational and administrative controls
used by the service provider to deliver the services
Other Provisions in Service Provider Contracts
• Change Management – process for reviewing and implementing any
changes to process or system
• Incident Plans – what will be done if the service provider experiences
a security breach, including disaster recovery and business continuity
plans
• Liability – allocation of risk/cost for security breaches
• Costs – what scope of security is included in the base price and what
may result in extra charges
• Insurance – may help fund liabilities related to security breaches
Incident Response
• Maintain Privilege if possible
• Assemble Core Team and determine whether to:
– activate full process
– notify loss reporting
– activate crisis management team
Incident Response
• Identify Incident Response Team
• Review Responsibilities
• Establish communication structure and guidelines for internal and external communications
• Engage technical consultant and outside counsel
• Identify risks and stakeholder analysis (internal and external)
Incident Response
• Contain breach (e.g., take down website, etc.)
• Collect all relevant information
• Legal to identify relevant laws and notice
requirements
• Determine if notice to authorities necessary or
appropriate
Incident Response
• Determine initial response
– Prepare letters to affected persons and others per statute
– Contact credit bureaus
– Set up call center and prepare scripts
– Prepare press release
– Develop communications plan (press and website for breach)
– Credit monitoring
• Evaluate causes of breach and assess damages
Incident Response
• Identify what reports get issued and to whom
– Consider privilege issues
• Examine unintended consequences of breach
• Review effects on stakeholders
• Review action plan
• Take remedial actions
Incident Response
• Verify effectiveness of response plan
• Document lessons learned
• Assess remedial actions
• Disband Team
Resources
• Federal Trade Commission
– http://ftc.gov/
• Ponemon Institute
– http://www.ponemon.org
• Privacy Rights Clearinghouse
– http://www.privacyrights.org/data-breach
• Electronic Privacy Information Center
– http://epic.org/
• National Institute of Standards and Technology (NIST)
– http://csrc.nist.gov/
Sandra A. Jeskie
Partner, Duane Morris LLP
Philadelphia, PA
215-979-1395
Questions?