© Copyright 2016, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers.®
CYBERSECURITY: Proactively Protecting Data and Responding to Data Breaches
Lisa Pierce Reisz
614.464.8353 | [email protected]
Brian J. Donato
614.464.8207 | [email protected]
Presented By:
Vorys, Sater, Seymour and Pease LLP
Agenda Today
› Making the business case for breach prevention.
› What can we learn from history?
› Basic controls to protect data.
› What to do if a breach happens.
MAKING THE BUSINESS CASE
Data Security is a Mission-Critical Priority
Data breach prevention and mitigation is a C-Suite issue, not just an IT issue.
Government Agencies are NOT Immune to Data Breaches
› South Carolina Department of Revenue
› Georgia Secretary of State
› California Department of Social Services
› Utah Department of Health
› California Department of Child Support Services
› United States Bureau of Justice Statistics
› City of Springfield
› United States Navy & DHS
› Wisconsin Department of Revenue
› NASA
› New Hampshire Department of Corrections
› Department of Veterans Affairs
› Arizona Department of Public Safety
› U.S. Office of Personnel Management
› U.S. Postal Service
› National Oceanic and Atmospheric Administration
› U.S. State Department
› Montana Department of Health and Human Service
10 Things To Know About Cyber Risks in Public Entities
1. The per capita cost of a data breach to the public sector is $172.00 per record.
-- “2014 Cost of Data Breach Study: United States,” Ponemon Institute
10 Things To Know About Cyber Risks in Public Entities (cont’d)
2. Public sector entities have the highest estimated probability of having a data breach (which could be attributed to the amount of confidential and sensitive information they store and collect).
-- “2014 Cost of Data Breach Study: United States,” Ponemon Institute
10 Things To Know About Cyber Risks in Public Entities (cont’d)
3. Government was the second highest industry reporting data breaches in 2012. Factors include:
• Employee errors.
• Malicious insider attacks.
• Outside attacks, including hacktivism and cyberespionage.
-- “Data Breaches in the Government Sector,” Rapid7
10 Things To Know About Cyber Risks in Public Entities (cont’d)
4. The average annualized cost of cybercrime to the public sector was $8.5 million in 2014.
-- “2014 Cost of Cybercrime: United States,” Ponemon Institute
10 Things To Know About Cyber Risks in Public Entities (cont’d)
5. At least 47 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted breach notification statutes and regulations.
-- Insurance Information Institute’s 2014 Cyber Risk Report
10 Things To Know About Cyber Risks in Public Entities (cont’d)
6. Educational organizations had 3.2 million records exposed and accounted for 9 percent of the 614 publicly disclosed data breaches in 2013.
-- Insurance Information Institute’s 2014 Cyber Risk Report
10 Things To Know About Cyber Risks in Public Entities (cont’d)
7. Data breaches in the government/military sector accounted for 11.7 percent of U.S. breach incidents in 2013.
-- Identity Theft Resource Center
10 Things To Know About Cyber Risks in Public Entities (cont’d)
8. Only 10 percent of current public sector clients add cyber protection to existing insurance policies.
-- Travelers Public Sector Services
10 Things To Know About Cyber Risks in Public Entities (cont’d)
9. More than 94 million records containing PII were exposed by breach incidents in government agencies between January 2009 and May 2012.
-- “Data Breaches in the Government Sector,” Rapid7
10 Things To Know About Cyber Risks in Public Entities (cont’d)
10. A 2014 survey of public risk managers and other public officials found that only 40 percent of the 236 survey participants said their public entity had purchased cyber liability insurance. Twenty-five percent were unsure whether their public entity had cyber liability insurance.
-- Travelers Public Sector Services
Don’t Repeat the Mistakes of the Past . . .
A Few Notable Breaches in Government Space
South Carolina
› September 2012
› Department of Revenue
› Initial cause of breach – Phishing Campaign
› Incomplete encryption practices
Oregon
› February 2014 – Secretary of State.
› Hackers breached website.
› Accessed business registry and campaign finance records.
› Site down for multiple weeks while remediation steps were investigated.
Georgia
› October 2015 – Secretary of State.
› SSN and DL # inadvertently added to public voter file.
› File was regularly distributed via CD to multiple public sources.
Office of Personnel Management
› 2015, or earlier.
› Nation state, perhaps the same group that hacked Anthem.
› Issues with maturity of security staff.
› Lack of data inventory.
› Remote access issues.
› Advanced persistent threat not detected.
Basic Controls to Protect Data
NIST and Controls
› NIST SP 800-53.
› Families of controls which can be tailored to the size and complexity of the IT environment.
Process for Risk Assessment
› Asset inventory
› Data classification
› Understanding of potential threats, vulnerabilities and mitigations
› Formal vulnerability scanning
Data Security
“Data Security” (or information security) is generally defined as:
“the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”
– ISO/IEC 27002:2005, Information Technology – Security Techniques – Code of Practice for Information Security Management (June 2005)
Identification and Authentication
› Unique credentials for each user
› Multifactor authentication
› Restrictions on remote access
Access Control
› Approval process for access to systems
› Least privilege access
› Method for removing access no longer needed.
Configuration Management
› Ensure consistent security controls are in place on all machines.
› Management of patching.
› Baseline configurations for a variety of situations.
› Restricted rights – local administration.
Media Protection
› Restricted access.
› Policy, practices on encryption.
› Secure destruction, reuse.
Security Assessment and Authorization
› Penetration testing.
› External/internal audits.
› Evaluation and remediation of control effectiveness.
Awareness and Training
› Both initial and ongoing training.
› Information on detecting and responding to current threats.
› Reinforcement of policies and procedures.
› Especially important – phishing.
Audit and Accountability
› The right devices are auditing and logging the right events.
› The right eyeballs are reviewing audit results and logs.
› Logs are protected from tampering.
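The "protected from tampering" point can be made concrete with a hash-chained audit log: each entry commits to the previous entry's digest, so an edit, reorder or removal of an interior record breaks every later link, and a head hash recorded by the reviewer catches silent truncation of the newest records. This is an added example, not material from the presentation; the event fields, hostnames and user names are constructed.

```python
"""Tamper-evident audit log using a SHA-256 hash chain (constructed example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # link value for the first entry


def _link_hash(prev_hash: str, seq: int, event: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal events hash equally.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(log: List[Dict], event: Dict) -> str:
    """Append an event chained to the previous entry; returns the new head hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev_hash, "event": event,
             "hash": _link_hash(prev_hash, seq, event)}
    log.append(entry)
    return entry["hash"]


def verify_log(log: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain from GENESIS. Any edited, reordered or removed interior
    entry breaks a link. Passing the head hash recorded at the last review also
    catches truncation of the newest entries, which the chain alone cannot see."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, f"entry {i}: broken link"
        expected = _link_hash(prev_hash, i, entry["event"])
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, f"entry {i}: content altered"
        prev_hash = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev_hash, expected_head):
        return False, "head mismatch: entries removed since last review"
    return True, "intact"


def build_sample_log() -> List[Dict]:
    """Constructed sample events (hostnames and users are made up)."""
    log: List[Dict] = []
    for ev in [
        {"ts": "2016-03-01T08:00:00Z", "host": "fileserver01", "user": "jdoe",
         "action": "login", "result": "success"},
        {"ts": "2016-03-01T08:05:10Z", "host": "fileserver01", "user": "jdoe",
         "action": "group_add", "target": "Domain Admins"},
        {"ts": "2016-03-01T08:06:00Z", "host": "vpn01", "user": "contractor7",
         "action": "login", "result": "failure"},
    ]:
        append_event(log, ev)
    return log


def tamper_demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """What a reviewer sees for an intact log, an edited entry, and a truncated log."""
    log = build_sample_log()
    head = log[-1]["hash"]                      # recorded by the reviewer at review time
    intact = verify_log(log, head)
    edited = [dict(e) for e in log]             # copy, then rewrite the privilege change
    edited[1] = dict(edited[1], event=dict(edited[1]["event"], target="Backup Operators"))
    altered = verify_log(edited, head)
    truncated = verify_log(log[:-1], head)      # newest entry dropped; chain still links
    return intact, altered, truncated
```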
Incident Response Planning
› Creation of a plan/process that includes:
• preparation,
• detection and analysis,
• containment,
• eradication,
• recovery.
› Should consider a wide variety of incidents.
Breach Response
Data Breach
Just ask Target . . .
Data breaches should be treated as a “when,” not an “if” proposition.
Goals of Breach Response Plan
1. To reduce the risk of unauthorized data access; and
2. To mitigate the damage caused if a breach occurs.
Incident Happens – Immediate/Simultaneous Demands
› Customers/Employees
› Containment/Remediation
› Payment Card Brands
› News Media/Bloggers
› Forensic Investigators
› Major Stakeholders
› Class Action Lawsuits
› Risk Management
› Training/Re-Training
Target Breach
Timeline of Incident
› Two months earlier: Target certified PCI DSS compliant.
› 11/27/13: Hackers start capturing data through malware.
› 12/12/13: Target gets call from the feds of suspicious activity.
› 12/15/13: Target confirms internally.
› 12/18/13: Containment; Krebs breaks story.
› 12/19/13: Target works until 3 am & issues press release at 7 am. 40 million payment cards (indicates no PINs stolen). Seven class action lawsuits filed (40 by year end).
› 12/24/13: Target learns encrypted PINs also stolen; issues press release.
› 12/26/13: Wait time for call center is 45 minutes.
› 1/10/14: Target issues press release on the 70 million.
› 1/13/14: Target issues a full apology.
› 2/4/14: Target’s CFO testifies before Congress.
Coordinating Response
(Slide chart: workstreams plotted across the 1st 24 Hours, 24 - 72 Hours, 1st Month, 1st Year and Beyond.)
› Internal Investigation | Containment | Involvement of EMRT
› Class Actions | AG & Regulatory Investigations
› PR | Other External Communications | Call Centers
› Contractual External Notifications
› Calls to Payment Card Associations | Negotiation of Assessments
› Forensic Review
› Testify before Congress
› Remediation
Types of Breaches
Advanced Persistent Threat (stages from the slide diagram):
› Define target
› Research target infrastructure/employees or vendors to obtain legitimate credentials
› Build or acquire tools
› Identify weaknesses in applications and architecture
› Test for detection
› Deployment / initial intrusion
› Establish backdoor
› Move laterally to expand access
› Exfiltrate data
› Cover tracks and remain undetected
Phase One
The First 24 Hours
› Core Team determines if this is an Event or Incident
› Activate your Incident Response processes
› Determine form and type of data, source of data, potential size of incident
› Containment of breach and preservation of forensic evidence
Identification of Incident
› Importance of Incident Response Processes
• Escalation is key
• Containment and preservation of forensic evidence
› Fine-tune criteria for “Incident”
› Update network diagrams, including
• Types of data
• Where remote access is possible
• Touchpoint with POS network
The First 24 Hours
› Start Advising Internally
• Members outside of Core Team and others who may be necessary
• Advise appropriate Board Members
• General Counsel has a Special Role
• Communications
• Information Owner (e.g. Marketing, HR)
› Start Internal Investigation
The First 24 Hours – Internal Communications
› Educate on Privilege/Non-Privilege Issues
› Train to the Incident Response Processes to establish consistency in response
• Coordinate to avoid silo mentality
› Refine Post-Incident Review Process
› Start with an inventory of critical systems and sensitive data applications
Phase Two
The First 24-72 Hours
› Make initial notifications as required (e.g. Payment Card Associations, credit card processor and acquiring bank if PCI is involved)
› Contact U.S. Secret Service
› Select and Activate PFI Investigator
› Activate Independent Forensic Investigator
› Submit Standardized Initial Report to Payment Card Associations
Preparing to Respond to Payment Card Association Processes
› Have contact information readily available for credit card processor, acquiring bank and Payment Card Associations and determine who is responsible for making the contact
› Enter into MSA now with two PCI Forensic Investigators for prompt activation later
› Legal selects and negotiates MSA now with Independent Forensic Investigator
• Outside counsel will engage when Incident occurs
Preparing for Vendor Issues
› Collect/review all contractual relationships with vendors having remote access to any portion of Client’s network
• Review data security obligations
• FTC imposes liability for actions of vendors
• Review “reasonableness” of selection process, contractual requirements and monitoring of vendors
Phase Three
First Month – External Communications
› Statutory Notifications
› Press Releases
› FAQs Across all Media – Websites and Social Media Pages
› Risk Management – Insurance
› Daily Calls with Payment Card Associations
First Month – Internal Communications
› Immediately before initial external communication:
• Notify Client’s associates and include “Help Line” number for questions
• Consider notification to major shareholders
› Prepare scripting for customer calls to Call Center
› Prepare scripting for associate calls to Help Line
First Month – External Communications
We learn from others’ experiences
› First and most important: Protect the Customer and make them whole
• Ensure communications are accurate, timely and focus on protecting the customer
› Protecting the customer protects the brand
› Balance timely against avoiding premature notice
• Target’s Facebook page: “You all lied again!!! Was 70 million. Wow.”
External Communications
› Determine who will be the “Face” of the Company and prepare messages
• Target’s Facebook page: “I love Target and know this can happen anywhere, but it’s nice that he finally said ‘sorry’.”
› Assign responsibility for monitoring comments on social media pages and possible response
How We Prepare for Other Communications
› Prepare management for interviews: Financial Media, Popular Media, Congress
› Prepare now for early release of story by blogger
› Determine use of external or internal call center
First Month – Investigations/Lawsuits/Remediation
› FTC/CFPB Investigations Commence.
• Was there “reasonable” security?
• What was the business purpose for collecting or retaining the data?
› Office of Civil Rights (Health and Human Services) if PHI involved.
› Securities and Exchange Commission.
› State AG Investigations Commence.
› Class action lawsuits filed.
› Remediation plans must be started.
How We Prepare for Investigations
› Start creating a document now of the “reasonable” security measures Client uses
› Consider known hacker attacks and measures currently taken to address those
› Review timing and content of notifications to consumers to avoid AG claim of failure to timely notify
› Determine Client’s status as covered entity under HIPAA
Phase Four
First Year and Beyond: More to Come
› Review and finalize Forensic Report to Payment Card Associations (3-9 months)
• Work with PFI Investigator on results and wording, in order to insulate Client
• Independent Forensic Investigator is an integral part of negotiating result
• Remediation plan is to be submitted within 5 business days of the final Forensic Report
First Year and Beyond: More to Come (cont’d)
› Ongoing negotiations of assessments with Payment Card Associations (1-2 years)
› Responding to document demands and inquiries from regulatory investigations; meetings and negotiations (1-2 years)
› Addressing class actions
Immediate Recommendations
Immediate Recommendations
› Negotiate forensic investigator contracts
› Refine Incident Response Processes
› Evaluate imperatives of external communications
› Prepare “reasonable” security measures to document now and regularly update
› Determine call center expansion issues and negotiate contracts, if that is the determination
› Plan awareness training at all levels
› Implement regular tabletop exercises for Core Team and some of expanded team
• Plan method and content of internal communications
QUESTIONS