Combating Cyber Threats: Mitigating the Impacts of a Cyber Incident

Imran Ahmad, Cassels Brock & Blackwell LLP

Transcript of the presentation slides.

Agenda

1.  Lay of the land
2.  Legal issues
3.  Governance and best practices
4.  Anatomy of the Target breach
5.  Anatomy of the Anthem breach

What is Cybersecurity?

Definitions

●  The process of protecting information by preventing, detecting, and responding to attacks. Source: National Institute of Standards and Technology / US Department of Homeland Security

●  Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Source: International Telecommunication Union

●  From a law practice standpoint, “Cybersecurity” is an umbrella term that encompasses multiple areas of the law, including privacy, insurance, litigation, financial, regulatory, and labour & employment.

Types of Cyber Attacks

•  Advanced Persistent Threats (“APT”)
•  Cybercriminals, exploits and malware
•  Denial of Service Attacks (“DDoS”)
•  Domain name hijacking
•  Corporate impersonation and phishing
•  Employee mobility and disgruntled employees
•  Lost or stolen laptops and mobile devices
•  Inadequate security and systems; third party vendors

Recent High Profile Cyber Attacks

U.S. Office of Personnel Management (government)
•  What was stolen: 4.2M records of government employees, 19.7M records of people who went through background checks and 5.6 million sets of fingerprints
•  Result: Director Katherine Archuleta resigned in July 2015

Ukraine Power Suppliers (infrastructure)
•  What was stolen: sensitive access information for the networks of at least 6 local power companies in a coordinated attack
•  Result: power loss for <200,000 customers’ homes for 6 hours

Home Depot (retailer/cross border)
•  What was stolen: 56M credit card and debit card records
•  Result: costs to date exceed $232 million; the cyber insurance policy only covered $100 million

Target (retailer/cross border)
•  What was stolen: personal information from over 70M shoppers and the credit card information of 40M; hackers made $53.7 million by selling the credit card information on the black market
•  Result: costs to December 31, 2014 >$162 million; CEO Gregg Steinhafel was fired

Recent Cyber Attacks

•  Sept 2013 – Sept 2015: exposed personal information of 15 million customers who applied for credit checks
•  June 2014 – July 2015: credit card details of 60,000 customers compromised
•  October 2014: 1.16 million credit cards compromised
•  June 2014: personal information of 4.5 million hospital patients stolen by a Chinese hacking group
•  June 2015: Russian hackers opposed to Canada’s sanctions against Russia
•  November 2014: forced Sony Pictures to refrain from releasing The Interview in US theatres
•  September 2015: personal information of 33-36 million users exposed
•  February 2015: 80 million records of current and former customers and employees
•  February 2014: account and contact information of 233 million customers stolen
•  August 2014: security improvements to cost $250 million per year

[Organisation logos on this slide are not captured in the transcript.]

October 28, 2015

Cyber Threats are on the rise

Source: Key Findings from the PwC Global State of Information Security Survey, published 2015, at pp. 24-25.

Cost of Cyber Attacks by Industry

Source: Ponemon Institute 2015 Global Report on the Cost of Cyber Crime, published October 2015, at page 10.

The Global State of Information Security Survey 2016

Areas of Risk and Sources of Attack: Main Cyber Adversaries

Source: PricewaterhouseCoopers. Jason Green, Best Practices for Data Security and Data Breach Protocol, ed. (2015).

The Accidental Insider

Source: PricewaterhouseCoopers. Jason Green, Best Practices for Data Security and Data Breach Protocol, ed. (2015).

Data Breach Statistics

•  Over 246 million data records were compromised globally in the first half of 2015 (Gemalto, September 9, 2015)

•  348M identities exposed as a result of data breaches in 2014 (Symantec, April 2015)

•  Hope for the best but prepare for the worst

•  Having a plan in place and a team capable of implementing it can be of crucial importance

Canadian Legal Landscape

●  Personal Information Protection and Electronic Documents Act (“PIPEDA”)

●  Provincial Legislation

●  Alberta – Personal Information Protection Act

●  British Columbia – Personal Information Protection Act

●  Quebec – An Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act)


PIPEDA

•  “Personal Information” includes any factual or subjective information, recorded or not, about an identifiable individual

•  Includes age, name, ID numbers, income, ethnic origin, medical records, credit records, etc.

•  Does not include: employee’s name, title, business address, or phone number, use of information for personal purposes, information collected by federal or provincial government organizations under the Privacy Act, etc.


Digital Privacy Act

•  The Digital Privacy Act came into force on June 18, 2015 and amends PIPEDA in important ways

•  Requires mandatory reporting of security breach by organizations

•  Maximum fines of CAD $100,000 for failure to report breach

•  Allows organization-to-organization disclosure of personal information for investigating breaches

•  Mandatory breach reporting regime is not yet in force

Effects on Business

•  Loss of “Crown Jewels”, IP and trade secrets
•  Compromise of customer information, credit cards and Personally Identifiable Information
•  Loss of web presence and online business
•  Loss of customer funds and reimbursement of charges
•  Brand tarnishment and reputational harm
•  Legal and regulatory issues

Governance

Source: NIST - National Institute Of Standards And Technology. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014.

Governance

●  Who “owns” cyber security? Everyone.

●  Board of Directors:
  ● Oversee the risk management process
  ● Meet regularly to discuss policies, controls, etc.
  ● Meet regularly post-data breach
  ● Ensure that an Incident Response Plan is in place
  ● Review security program assessments and policies
  ● Push down compliance through the organization
  ● Manage the governance
  ● Set priorities
  ● Review budgets for privacy and Cyber Security
  ● Stay informed re: breaches and new risks

●  In-house counsel should:
  ● Play a leadership role in providing cyber-security governance and risk management guidance
  ● Stay informed on key cyber liability developments
  ● Ensure that contracts include cyber security and privacy requirements

●  Risk Management Department
  ● Not all organizations have one

●  The full Cyber Security Team should include experts in IT, corporate governance, reputational and crisis management, HR, legal and compliance

●  Employees: the human factor is everyone’s primary vulnerability.

Best Practices Pre-Attack

Know where you stand
•  Application whitelisting
•  Assess risk profile
•  Identify “Crown Jewels”

Build a Cyber Monitoring Team
•  Bring together the right people (IT, HR, Legal)
•  Have a clear mandate

Audit & Test Security
•  Assess effectiveness of current security
•  Consider whether to hire experts

Educate and Train Staff
•  Cyber hygiene
•  Develop and disseminate cyber policies
•  Refresh training

Supply Chain Risk
•  Ensure your vendors have the necessary security protocols in place
•  Consider including language that requires them to tell you about a breach
•  Consider indemnification clauses

Cyber Incident Plan
•  Plan should map out what to do in case of an attack
•  Key considerations: public relations, legal, internal communication, etc.

Cyber Insurance
•  Not a perfect solution
•  Assess whether this is something that makes sense for the business
•  Make sure you have the right coverage

M&A Cyber Due Diligence
•  Target may not know that it has been compromised
•  Requires forensic analysis
•  Feeds into negotiations (reps/warranties/indemnities etc.)

Best Practices – During / Post-Breach

Activate the Response Team
•  Team should diligently record all steps taken
•  Include external legal counsel for privilege reasons

Containment & Assessment
•  Block unauthorized access to the network
•  Implement steps to recover and/or restore lost information/data
•  Address weaknesses of the network

Preservation of Evidence
•  Consider transferring information/data to sanitized systems
•  Establish a clear chain of custody of data

Notification
•  Consider whether to notify individuals whose information has been compromised
•  Notification requirements to regulators/privacy agency

Communication
•  Consider retaining a public relations firm for external messaging
•  Determine what information needs to be communicated to whom internally

Anatomy of the Target Breach

[Timeline figure: 30 Days of the Target Breach, with milestones at Dec 18th, Jan 10th, Jan 15th and Jan 17th.]

Cost

●  CEO resigned
●  Reputation damaged
●  Costs to December 31, 2014 exceeded $162 million
●  Only $63 million insurance coverage (25% of cost)
●  Class action against Target

Anatomy of the Anthem Breach

1.  Hackers created bogus domain names based on the actual name of the company and mimicking corporate services, e.g. We11point.com, based on WellPoint.com.

2.  Hackers targeted Anthem employees with phishing emails that lured them to fake sites, where they could collect logins and passwords to access the internal system.

3.  Anthem was not legally required to encrypt its data and had not done so.

4.  Once the hackers had system access, they could thus acquire and export customer data such as Social Security numbers, medical IDs, names, dates of birth etc.
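Step 1 above relies on a look-alike domain. The check below is an added example, not part of the presentation, showing how a mail gateway or SOC script can flag such domains by reducing them to a visual skeleton (1→l, rn→m, accents dropped) and comparing them with the organisation's real domains; LEGIT_DOMAINS, the confusables table, the 0.85 similarity threshold and the sample email are constructed assumptions for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed for this example: the domains the organisation really uses.
LEGIT_DOMAINS = {"wellpoint.com", "anthem.com"}

# Characters attackers swap in because they look alike in common fonts (the
# We11point.com trick). Hand-picked table, not the full Unicode confusables list.
SINGLE_CHAR = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))

def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so look-alikes collide with the real name."""
    d = unicodedata.normalize("NFKD", domain.lower().strip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(SINGLE_CHAR)
    for fake, real in MULTI_CHAR:
        d = d.replace(fake, real)
    return d

def classify_domain(domain: str, legit=LEGIT_DOMAINS, threshold: float = 0.85):
    """Return (verdict, matched_legit); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    d = domain.lower().strip(".")
    if d in legit:
        return "legitimate", d
    sk = skeleton(d)
    for good in sorted(legit):
        # Equal skeletons catch homoglyph swaps; the similarity ratio catches one-off typos.
        if sk == skeleton(good) or SequenceMatcher(None, sk, skeleton(good)).ratio() >= threshold:
            return "lookalike", good
    return "unrelated", None

# Sender (@host) and link (http://host) domains in a message body.
DOMAIN_RE = re.compile(r"(?:@|https?://)([a-z0-9.-]+\.[a-z]{2,})", re.I)

def flag_lookalikes(text: str) -> dict:
    """Map each impersonating sender or link domain in an email to the brand it mimics."""
    hits = {}
    for m in DOMAIN_RE.finditer(text):
        # Keep the registrable part only (simplification: ignores multi-part TLDs like co.uk).
        dom = ".".join(m.group(1).lower().split(".")[-2:])
        verdict, target = classify_domain(dom)
        if verdict == "lookalike":
            hits[dom] = target
    return hits

# Constructed sample lure in the style the slide describes (not a real message).
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@we11point.com>
Sign in at http://myportal.we11point.com/login to keep your account active.
Questions? Contact support@wellpoint.com or see http://www.example.org/help
"""
```

Running `flag_lookalikes(SAMPLE_EMAIL)` returns `{"we11point.com": "wellpoint.com"}`; the legitimate sender and the unrelated link are left alone.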

Anatomy of the Anthem Breach

Cost:

●  Pending class-action lawsuit from individuals who claim to be victims of fraud due to the breach

●  Anthem paid out ~$230 million in legal and consultant fees as of December 2015, partially covered by its cyber insurance policy, and now must pay a $25 million deductible for any future breaches.

© 2011–2015 CASSELS BROCK & BLACKWELL LLP. ALL RIGHTS RESERVED.

This document and the information in it is for illustration only and does not constitute legal advice. The information is subject to changes in the law and the interpretation thereof. This document is not a substitute for legal or other professional advice. Users should consult legal counsel for advice regarding the matters discussed herein.

Cassels Brock & Blackwell LLP
Toronto: Suite 2100, Scotia Plaza, 40 King Street West, Toronto, ON Canada M5H 3C2. Tel: 416 869 5300, Fax: 416 350 8877
Vancouver: Suite 2200, HSBC Building, 885 West Georgia Street, Vancouver, BC Canada V6C 3E8. Tel: 604 691 6100, Fax: 604 691 6120

Imran Ahmad
E-mail: [email protected]
Twitter: @imranvpf
Cybersecurity blog: http://insidecybersecurityblog.casselsbrock.com