Cybersecurity and Data Breach Best Practices
CONTACT: Ari Schwartz
Managing Director of Cybersecurity Services
[email protected] | 202.344.4711
Ariel Wolf
Associate, eCommerce, Privacy, Data Security
[email protected] | 202.344.4464
Thursday, May 5th, 2016
Agenda
I. Overview
II. Risks and Threats
III. Legal Obligations
IV. Best Practices
V. Breach Response and Recovery
| Cybersecurity Risk Management Services 2
Cybersecurity v. Data Security
• Cybersecurity and data security are related concepts
• Cybersecurity focuses on protecting networks and infrastructure from attacks and bad actors and can include personal information
  • Electrical grid, communications backbone, financial systems, etc.
• Data security focuses on securing personal information (e.g., names, payment card numbers, Social Security number, etc.) from being accessed and/or acquired by unauthorized individuals
  • Consumer data breaches, lost laptops, etc.
• Different agencies and laws regulate different types of incidents, often with overlapping interests
Privacy v. Data Security
• Privacy – Focused on rules governing deliberate acts of “pushing” personal information out of an organization, typically in connection with acquiring or retaining customers
  • For example: renting of customer lists or sharing of customer information with corporate affiliates
• Data Security – Focused on rules aimed at protecting personal information from being “pulled” out of an organization
  • For example: external hacking or theft by an employee
• Europeans collapse both concepts under the rubric of “data protection”
Why do all Cybersecurity talks start with threats?
1. Context
2. Threat Landscape Should Dictate Policy
3. Intelligence Community Briefer Motto: “If I don’t get to sleep at night, why should you?”
Cyber Threat Actors
• Hacktivists
• Fraud and Organized Crime
• Nation States
Cyber Threat Characteristics
• Motivation: financial vs. espionage
• Vector: POS vs. social vs. credential
The time it takes attackers to compromise a system is now shorter than the time it takes defenders to detect the intrusion.
Increase in Data Breaches
Source: 2016 Data Breach Investigations Report, Verizon (2016), available at http://www.verizonenterprise.com/DBIR/2016/
Year   Security Incidents   Confirmed Data Breaches
2015   100,000+             3,141
2014   79,790               2,122
2013   63,437               1,367
Types of Data Targeted
• Personal data
• Personally identifiable information
• Payment card or account data
• Health information
• Intelligence
• Intellectual property
• Attorney-client confidences
• Research and development
• Military secrets
• Other
• Destruction/disruption/leaks
Most Affected Industries
Source: 2016 Data Breach Investigations Report, Verizon (2016), available at http://www.verizonenterprise.com/DBIR/2016/
Sector               Incidents   Confirmed Data Loss
Public/Government    47,237      193
Entertainment        2,707       38
Financial Services   1,368       795
Cost of a Data Breach
• Many factors contribute to total costs:
  • Breach response efforts
    • Delivering notices, credit monitoring, legal costs, etc.
  • Reputational costs
    • Customer and employee goodwill, media scrutiny
  • Litigation costs
    • Cases typically filed for negligence, etc.
  • Regulatory defense costs
    • Investigations, consent decrees
• Projected average cost of a breach:
  • 1,000 records: $52,000 - $87,000
  • 100,000 records: $366,500 - $614,600
  • 10 Million records: $2,100,000 - $5,200,000
  • 100 Million records: $5,016,200 - $15,622,700
Data Breach Costs
• Average cost: $35 million per incident
• Average cost per record: $201 in the U.S.
• Customer post-breach loyalty is decreasing
• 42% of breaches caused by a “malicious or criminal attack”
Top Drivers of Cyber Insurance Expenses
• Forensics
• Legal guidance
• Breach notification
• Credit monitoring
Cyber Espionage – in focus
• Defined: Infiltration of a system or network by an external actor in search of sensitive internal data and trade secrets
• 2015: 247 total security incidents with 155 confirmed data disclosures
• Top victims: Public/Government Sector, Manufacturing, and Professional Services
• Attack Vectors: Hacking, Malware, Phishing, Credentials
Recent Cyber Incidents: Nation States
• The White House (announced in Oct. 2014)
  ─ Obtained access to unclassified email system
  ─ Compromised emails from the President and data on his schedule
• U.S. Postal Service (announced in Nov. 2014)
  ─ Obtained access to data servers
  ─ 800,000 employees affected: SSNs, addresses, medical records, etc.
  ─ 2.9 million customers affected: Names, addresses, phone numbers, etc.
• U.S. Department of State (announced in Nov. 2014)
  ─ Obtained access to unclassified email system containing sensitive information
• Office of Personnel Management (announced in June 2015)
  ─ Largest government data breach
  ─ 22.5 million individuals affected
  ─ Background investigation data stolen: SSNs, DOBs, addresses, etc.
• Joint Chiefs of Staff (announced in Aug. 2015)
  ─ Public mail server was taken offline for 2 weeks
Recent Cyber Incidents: Nation States
• Sands Casino (announced in Feb. 2014)
  ─ Estimated cost to Sands: $40 million
  ─ Network wiped; hard drives, email servers, and phone systems shut down
  ─ Employee and consumer data: SSNs, names, email addresses, etc.
• Sony (announced in Nov. 2014)
  ─ 47,000 employees affected: SSNs, DOBs, addresses, etc.
  ─ 5 unreleased movies leaked
• Anthem (announced in Feb. 2015)
  ─ 80 million records: SSNs, DOBs, addresses, medical IDs, employment information, etc. (data unencrypted)
  ─ Class action lawsuits, 10 states issued inquiries, Congressional inquiries, CT proposed legislation
Recent Cyber Incidents: Organized Crime
• Target (announced in Dec. 2013)
  ─ 40 million credit/debit card accounts stolen
  ─ Estimated cost to Target: $252 million
  ─ Dozens of class action lawsuits filed on behalf of banks, consumers, and other stakeholders
  ─ Settled a $10 million class action lawsuit with individual cardholders
• Home Depot (announced in Sep. 2014)
  ─ 56 million payment card breaches and 53 million email addresses stolen
  ─ Facing 44 lawsuits
  ─ Less than 2 weeks after announcement, estimated $62 million spent on breach-related costs
• Internal Revenue Service (IRS) (announced in May 2015)
  ─ 600,000 taxpayers affected and facing potential identity theft
  ─ Facing class action lawsuit
Federal Data Security Obligations
• HIPAA Security Rule
  • Establishes detailed security requirements pertaining to the protection of electronic protected health information (e-PHI).
• Safeguards Rule
  • Requires that financial institutions establish comprehensive information security programs to protect the security of customer information.
• Federal Information Security Management Act of 2002
  • Establishes requirements pertaining to the protection of information held by the federal government.
FTC Best Practices: Reasonable Security
• Practices that the FTC has identified as factors in reasonable security:
  • Minimizing the collection of personal information;
  • Destroying records containing personal information when there is no longer a legitimate business reason to retain them;
  • Encrypting information in transit, in storage, and on portable media;
  • Actively monitoring vulnerability reports from third parties;
  • Performing security reviews during the design and testing of new products;
  • Protecting against commonly known vulnerabilities;
  • Providing security training to any employee responsible for testing, designing, and reviewing security features;
  • Appropriately overseeing the security procedures of any service providers.
State Data Security Obligations
• Reasonable Data Security
  • Nine states require that organizations implement sufficient policies and procedures to maintain reasonable data security.
  • AR, CA, FL, CT, IN, MD, OR, TX, UT
• Massachusetts Standards for the Protection of Personal Information
  • MA has implemented more detailed data security requirements.
  • Requires the implementation of a written comprehensive information security program.
  • Identifies specific requirements for the information security program.
  • Establishes specific technical requirements for an organization’s security system.
• Data Disposal
  • Approximately 30 states impose legal obligations on organizations to properly dispose of records that contain personal, financial, or health information.
EU Cyber and Data Security
General Data Protection Regulation: Contains a preamble and 92 articles:
  • Transparency
  • Choice
  • Right to be Forgotten
  • Eligibility Decisions
  • Data Security
  • Independent supervisory authorities (“one-stop shop” for consumers)
  • Corporate governance
  • Penalties
Cybersecurity Directive: first EU-wide cybersecurity law
  • Security and notification requirements for “DSPs” and “essential service operators”
  • Cooperation mechanisms and national strategy requirement
  • Designation of authority among and within Member States
  • Extended time frame for implementation
EU-US Privacy Shield
European Commission announced a draft adequacy finding on the new EU-U.S. Privacy Shield on February 29, 2016 to replace the previous Safe Harbor
Principles:
  • Notice
  • Choice
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Accountability for Onward Transfer
  • Recourse, Enforcement and Liability
Article 29 Working Group has released an advisory opinion assessing the Privacy Shield and other mechanisms for EU-U.S. data transfers
Data Breach Litigation
• Most litigation focuses on issues involving plaintiffs’ standing to sue.
  • Courts have rejected standing on the basis of mere loss of personal information
  • Courts have found standing where plaintiffs have alleged that they have suffered:
    • fraudulent charges on a payment card;
    • restricted access to a bank account;
    • an inability to pay bills;
    • late payment fees;
    • unauthorized resource consumption;
    • overpayment for a product or service.
• Courts are split on whether a statutory right of action can create standing.
  • The Supreme Court may resolve this issue in Spokeo v. Robins.
• Courts are split on whether a risk of future harm is sufficient to establish standing.
  • Risk of identity theft not sufficiently imminent to confer standing
  • Allegations of a “credible threat” sufficient to create standing following a data breach
What Should I Do?
Legal Assessment: Legal Risk
• Sector-Specific Enforcement (e.g., energy, financial services, health care, advertising, retail, etc.)
• Federal Trade Commission/Consumer Protection Actions
• Congressional Investigations
• State Attorney General Enforcement
• Class Action Lawsuits
Legal Risk Management
• Policies/Procedures
• Governance
• Incident Response Plan
• Vendor Selection and Contracts
• Training
• Data Mapping
• Reporting and Decision Making
• Legal and Regulatory Compliance Framework
Congress
Cybersecurity Act of 2015
• Enacted December 2015 as part of Omnibus Spending Bill
• Liability protection for voluntary information sharing of “cyber threat indicators” and “defensive measures”
• Entities must remove PII “not directly related to a cybersecurity threat.”
• DHS plays a central though not exclusive role
• Sunsets in 10 years
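As an added example (not part of the original deck), the following Python sketch shows how the PII-removal requirement above can be applied to a phishing indicator before it is shared: the attacker's address and URL are kept, while the reporting employee's details are withheld and her address is redacted from the analyst's notes. The field lists and the sample record are assumptions constructed for this example, not taken from the statute or from any real report.

```python
import re

# Fields that describe the threat itself (the attacker's infrastructure and
# artefacts). Treating these as "directly related to a cybersecurity threat"
# is an assumption made for this example, not a list taken from the statute.
THREAT_FIELDS = {"indicator_type", "sender_address", "malicious_url",
                 "attachment_sha256", "observed_at"}

# Fields that identify a person at the reporting organization and are not
# needed to describe the threat; they must not leave the organization.
PII_FIELDS = {"recipient_name", "recipient_email", "employee_id", "department"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_free_text(text, keep):
    """Replace every e-mail address in free text except those in `keep`
    (the attacker-controlled addresses that are themselves indicators)."""
    return EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0) in keep else "[redacted]", text)


def scrub_indicator(record):
    """Split a raw incident record into the fields that may be shared and a
    list of the field names that were withheld. Unknown fields are withheld
    by default so that a newly added PII column never leaks by accident."""
    shared, withheld = {}, []
    for key, value in record.items():
        if key in THREAT_FIELDS:
            shared[key] = value
        elif key == "analyst_notes":
            # Notes often quote the victim's address next to the attacker's;
            # keep only the address that is itself part of the indicator.
            shared[key] = redact_free_text(value, {record.get("sender_address")})
        else:
            withheld.append(key)          # PII_FIELDS and anything unexpected
    return shared, withheld


# Constructed sample record from a hypothetical phishing report.
SAMPLE_REPORT = {
    "indicator_type": "phishing-email",
    "sender_address": "invoices@attacker.example",
    "malicious_url": "http://attacker.example/portal/login",
    "attachment_sha256": "<constructed-hash-placeholder>",
    "observed_at": "2016-05-02T14:07:00Z",
    "recipient_name": "Jane Doe",
    "recipient_email": "jane.doe@victim-corp.example",
    "employee_id": "E-10442",
    "ticket_id": "IR-2016-017",           # internal field, in neither list
    "analyst_notes": ("jane.doe@victim-corp.example forwarded a message from "
                      "invoices@attacker.example requesting payroll credentials."),
}

if __name__ == "__main__":
    shareable, withheld = scrub_indicator(SAMPLE_REPORT)
    print("withheld:", sorted(withheld))
    print("shareable:", shareable)
```

The withheld list doubles as an audit record of what was stripped, which is what an internal reviewer would want to see before a record goes out.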
Congress: Pending Legislation
Data Breach
• Data breach legislation remains under consideration but elusive
• Proposed legislation would grant the FTC data security authority, as well as:
  • Require reasonable security measures on a nationwide basis
  • Establish a national breach notification standard
  • Preempt state laws on these topics
Agency Developments
Data Breach
• SEC to expand data security examinations
  • Will focus on 6 key areas
• FTC authority to enforce under attack
  • Wyndham Worldwide Corp. settlement
  • LabMD administrative decision
• FCC proposing rule on privacy and data security
  • NPRM would establish data security regime for telecom and other data
FTC Policy Workshops and Reports
“Big Data: A Tool for Inclusion or Exclusion?” (Report, 2016)
Cross-Device Tracking (Workshop, 2015)
Alternative Scoring Products (Workshop, 2014)
Mobile Device Tracking (Workshop, 2014)
“Paper, Plastic… or Mobile?” (Report, 2013)
Also notable: Federal Communications Commission 2015 order on telemarketing (including marketing and informational SMS messages)
Cybersecurity Framework
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
Managing Risk
• Identify.
  • Asset management
  • Data governance policies
  • Risk assessments and vendor review
• Protect.
  • Information protection and backup procedure reviews
  • Cybersecurity training
  • Access controls and identity management
  • Incident detection and prevention technologies
• Detect.
  • Penetration testing
  • Continuous monitoring
  • Information sharing strategies and technologies
  • Vulnerability disclosure programs
• Respond.
  • Incident response plan
  • Setting up a security operations center
  • Mitigation
• Recover.
  • Recovery planning
  • Incident response and recovery exercises
Data Security Best Practices
• Perform an enterprise-wide vulnerability assessment;
• Inventory devices that are connected to the corporate network;
• Identify those parts of the network that should be segmented;
• Implement a comprehensive information security program that addresses any identified vulnerabilities;
• Periodically review and update the information security program;
• Implement appropriate data security policies;
  • Data Classification Policy
  • Password Strength Policy
  • Access Control Policy
  • Encryption Policy
  • Data Disposal Policy
  • Patch Management Policy
• Implement intrusion detection software and data loss prevention software;
• Implement an Incident Response Plan.
Best Practices for Service Providers
• Client Perspective: Clients have an obligation to select and oversee service providers with reasonable security
• Adequate cyber insurance
• Consistent contract provisions with clients related to security and breach response
  • Insurance
  • Indemnification
  • Notifying client of breach
  • External notifications
• In the event of a breach affecting multiple clients, good preparation is key to managing the response
Responses from the Regulators on Cybersecurity
National Highway Traffic Safety Administration (NHTSA)
“I don’t know if there’s going to be regulation or standards, or what that’s going to look like, but I don’t think there’s any question that we have to get action on cybersecurity this year.”
– Mark Rosekind, Administrator, NHTSA (January 19, 2016)
Federal Aviation Administration (FAA)
“We’re looking for compliance, not enforcement.”
– Michael Huerta, Administrator, FAA (October 27, 2014)
“This threat [cyber threat] will continue to evolve and it is something that needs to be at the forefront of our thinking.”
– Michael Huerta, Administrator, FAA (April 16, 2015)
Securities and Exchange Commission (SEC)
“SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information. But it is incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.”
– Mary Jo White, Chairwoman, SEC (March 26, 2014)
Responses from the Regulators on Cybersecurity (cont.)
Federal Trade Commission (FTC)
“We’re trying to ensure that companies are making truthful representations about their data practices and their privacy practices. And we’re working to make sure that companies are taking reasonable actions to include security in the earliest stages of product development.”
– Edith Ramirez, Chairwoman, FTC (September 13, 2015)
Nuclear Regulatory Commission (NRC)
“The NRC and the industry both have been proactive and vigilant when it comes to addressing cyber threats. A recent joint meeting between the Commission and the Federal Energy Regulatory Commission highlighted the strong work done in this area by both the NRC and industry. However, efforts are likely to increase as time goes on, not decrease as work is accomplished.”
– Stephen Burns, Chairman, NRC (November 3, 2015)
Federal Energy Regulatory Commission (FERC)
“…The reliability of the grid is a primary responsibility for the Commission. This encompasses not only the everyday responsibility over Reliability Standards, including physical security and cybersecurity, but it also includes gas-electric coordination issues. While the Commission’s reliability authority is limited, it will continue to use what authority it has in a conscientious manner. In my view, it is important for utilities to push beyond the requirements of the standards to implement best practices on cybersecurity.”
– Norman C. Bay, Chairman, NRC (December 1, 2015)
Responding to a Data Breach
• Speed of Breach
  • In 60% of attacks, the attackers were able to compromise an organization in minutes.
  • In 75% of attacks, the attack spread from Victim 0 to Victim 1 within 24 hours.
  • In 40% of attacks, the attack spread to a second organization in less than an hour.
Developing an Incident Response Plan
• Elements of an Incident Response Plan
  • Procedures for reporting and escalation of suspected incidents;
  • Procedures for conducting an initial investigation;
  • Procedures for the preservation of evidence;
  • Identification of and contact information for the members of the Incident Response Team;
  • Identification of and contact information for any third parties that may be needed following a breach (e.g. forensic investigator, public relations advisor, outside counsel);
  • Identification of responsibilities with respect to investigating the breach, preparing notifications, coordinating with law enforcement, etc.
Breach Response: Sprinting a Marathon
• Forensic Analysis
• Contact Client, FBI or Secret Service, PCI, Vendors, Insurance
• Legal Analysis
• Adjust Team
• Triage
• Identify Consumers
• Arrange Credit Monitoring
• Hire Mailing Service
• Hire Call Center Support
• Draft Letter and Scripts
• Print and Mail Letters
Threats of the Future
• Chip Card Implementation
  ─ Moves more fraud to card-not-present transactions
  ─ Makes payment processors a larger target
• Internet of Things
  ─ Increase of networked devices increases ability to enter into a network
A Final Message to Remember
1. You need an incident response plan
2. Exercise!!
3. Conduct 3rd party assessments to help define your priorities
DON’T BE AFRAID TO LOOK!
Thank You
Ari Schwartz, Managing Director of Cybersecurity Services
[email protected] | 202.344.4711
Ariel Wolf, Associate, eCommerce, Privacy, and Data Security
[email protected] | 202.344.4464