Cybersecurity
Session Sponsor
© 2017 CACM Law Seminar

Cybersecurity for Management Businesses and Independently-Managed Associations
Moderator: Cecilia Brennan, Esq.
Panelists: Robb Etnyre, CAMEx, CCAM; Ané Agostini, CIC, CRM; Meredith Bennett

Welcome

Panelists
• Ané Agostini, CEO, CID Insurance Programs, Inc.
• Robb Etnyre, General Manager (On-site), Tahoe Donner
• Meredith Bennett, Second VP, National Tech and Cyber Practice Leader, USLI
• Moderator: Cecilia N. Brennan, Esq.

AGENDA
I. Legal Basics
II. Network Security and Privacy Breaches/Exposures
III. Real-Life Application – On-site Manager's Perspective
IV. Prevention and Take-Aways: Liability and Risk Transfer
V. Q & A
VI. Additional Resources
VII. Close

I. Legal Basics
• If you store, collect, manage and/or protect consumer data, you MUST KEEP IT SAFE.
• A series of overlapping federal and state laws govern cybersecurity and data privacy in the United States.
  o Primarily enforced by the Federal Trade Commission, the Department of Health and Human Services, and states' Attorneys General.

Federal Statutes and Efforts on Cybersecurity – Highlights
• Cybersecurity Act of 2015
• Cybersecurity Enhancement Act of 2014
• National Cybersecurity Protection Act of 2014
• Federal Information Security Modernization Act of 2014
• Cybersecurity Workforce Assessment Act
• Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government
• Memorandum on Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements
• National Institute of Standards and Technology's (NIST) Cybersecurity Framework

Federal Statutes and Regulations on Data Privacy – Highlights
• Federal Trade Commission Act
• Financial Services Modernization Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Credit Reporting Act
• Fair and Accurate Credit Transactions Act
• Electronic Communications Privacy Act
• Various FCC Regulations and Rules

State-Based Data Breach Statutes
• 47 states and Washington, DC have data breach laws.
• Exceptions are Alabama, New Mexico and South Dakota.
• Applicable state breach law depends on the state of domicile of the consumer, not the location of the affected business.
• Encryption is a safe harbor.
• Massachusetts now requires the posting of reports of breaches online.

California's Key Breach Statute
• California Civil Code Section 1798 et seq.
• Codified July 1, 2003 (amended effective 1/1/2017).
• Requires notification of any California resident whose unencrypted personal information was, or is reasonably believed to have been, breached.
• Effective January 1, 2017: also requires notification of any California resident whose encrypted information was breached along with the identifying encryption keys or credentials.
II. Network Security and Privacy Breaches

Audience Poll Q1: What is your top concern about cybersecurity?

Social Engineering: An Illustration (Mr. Robot)

Key Sources of Cyber Breaches & Extortion
• Hackers (social engineering)
• Virus/Malware
• Staff Error
• Rogue Employee
• Lost/Stolen Mobile Devices

Business Banking Services
• Business online banking regulations
• Business banking crime does happen
• Association Financials vs. Bank Statements

Electronic Vendor Services
• Third-party vendor cyber exposures
• Theft of Target's third-party HVAC vendor's credentials
• Management Company/Community Association vendor services. Types of services: assessment payment services, electronic check signing services, data storage providers, payroll services, etc.

Vendor Services: Management Company v. Community Association
• Who should be the responsible party?
• Who has access to what data?
• What is your contractual agreement with these vendors?

Website & Email Security
• Compromised or infected websites – malware attacks
• Distributed Denial of Service (DDoS) attacks
• Ransomware attacks
• Proprietary information extortion attacks
• (Websites with links to service providers)

Cloud-Based Information Storage
• One large data storage source providing technology services
• Who is responsible if you are part of a large-scale cyber breach?
• Encryption of data stored and strong vendor agreements
III. Real-life Application: On-site Manager's Perspective

Business Online Banking
• Policy on Internal vs. External Fund Transfer
• Best Practice: Two Token Verification for External Fund Transfer

Illustration (e-mail):
From: Jeff Bonzon [mailto:verizon10mbme]
Sent: Tuesday, October 04, 2016 9:25 AM
To: Michael Salmon
Subject: Re: available

I need you to take care of a transfer.

Thank you,
Jeff Bonzon
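Added example, not part of the seminar slides or any panelist's material: a small Python model of the two-person, out-of-band approval that the slide calls two token verification for external fund transfers, together with a check that flags a request e-mail whose display name is a known officer but whose address is outside the association's own mail domain. The domain, officer names, approver secrets and transfer values are constructed for the illustration.

```python
# Added example, not from the 2017 CACM seminar slides: dual-control release of
# external fund transfers plus a sender check on the requesting e-mail.
# ORG_DOMAIN, OFFICERS and every value in the walk-through are constructed.
import hmac
import hashlib
from dataclasses import dataclass

ORG_DOMAIN = "example-hoa.org"                 # constructed: the association's own mail domain
OFFICERS = {"Jeff Bonzon", "Board President"}  # constructed: display names worth double-checking


def impersonation_signals(display_name: str, address: str) -> list:
    """Reasons a transfer-request e-mail should be confirmed out of band before anyone acts on it."""
    if "@" not in address:
        return ["malformed sender address"]
    reasons = []
    domain = address.rsplit("@", 1)[1].lower()
    if display_name in OFFICERS and domain != ORG_DOMAIN:
        reasons.append("officer display name with outside sender domain")
    return reasons


@dataclass(frozen=True)
class Transfer:
    initiator: str        # staff member who keyed in the transfer
    payee_account: str
    amount_cents: int
    reference: str        # unique per transfer, e.g. an invoice number


def _canonical(t: Transfer) -> bytes:
    """Fixed serialisation of the fields an approval must be bound to."""
    return f"{t.initiator}|{t.payee_account}|{t.amount_cents}|{t.reference}".encode()


def approver_token(secret: bytes, t: Transfer) -> str:
    """Second token: computed on the approver's own device after they have confirmed
    the request by phone or in person, never derived from the request e-mail."""
    return hmac.new(secret, _canonical(t), hashlib.sha256).hexdigest()


class TransferGate:
    """Releases an external transfer only with a valid second-person approval."""

    def __init__(self, approver_secrets: dict, external_limit_cents: int):
        self._secrets = approver_secrets   # approver name -> shared secret (constructed)
        self._limit = external_limit_cents
        self._released = set()             # canonical forms already paid out

    def release(self, t: Transfer, approver: str, token: str) -> tuple:
        if approver == t.initiator:
            return False, "approver must differ from initiator"
        secret = self._secrets.get(approver)
        if secret is None:
            return False, "unknown approver"
        if t.amount_cents > self._limit:
            return False, "amount exceeds external transfer limit"
        # Constant-time comparison; the token is bound to payee, amount and reference.
        if not hmac.compare_digest(approver_token(secret, t), token):
            return False, "approval token does not match transfer details"
        key = _canonical(t)
        if key in self._released:
            return False, "transfer already released"
        self._released.add(key)
        return True, "released"


if __name__ == "__main__":
    # Constructed walk-through: a request arrives, the treasurer confirms by phone.
    print(impersonation_signals("Jeff Bonzon", "jeff.bonzon@freemail.example"))
    gate = TransferGate({"treasurer": b"treasurer-token-seed"}, external_limit_cents=5_000_000)
    t = Transfer("accounts-payable", "123456789", 1_250_000, "INV-2016-1004")
    tok = approver_token(b"treasurer-token-seed", t)
    print(gate.release(t, "treasurer", tok))
    print(gate.release(t, "treasurer", tok))   # a replayed token is refused
```

The approval token is an HMAC over the initiator, payee, amount and reference, so a token obtained for one transfer cannot be reused to release a different payee or amount, and the gate refuses tokens presented by the same person who keyed in the transfer. The sender check only raises a flag; the control that actually stops a fraudulent request is the requirement that the second person confirm it through a channel the e-mail did not supply.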
Private Information of Members and Employees
• Phishing email to the Director of Human Resources "from" the board president requesting a copy of all 2015 company W-2s.
• Company HR/Payroll database assigning employee ID numbers based on the last 4-6 digits of the Social Security Number.
• Company holiday party invite list: private information on one Excel file.
• Point of Sale (POS) system has many users, with no internal system for forensic examination of system user activity. Any POS employee can access the membership database.

Management Company or Association Websites
• Site content security breach – malware introduced (WordPress exploit).
• Creates false content on the website, and the malware is detected by internet search engines like Google. The association website is then blocked by the Google Chrome search engine. Even after the malware is removed, the web page restoration process with the search engine can take days to validate the company website's authenticity.
IV. Best Practices and Take-Aways: Liability & Risk Transfer/Prevention

Audience Poll Q2: Do you have any experience with employee-related issues – vulnerability with current and ex-employees, disgruntled employees, etc.?

Source: NetDiligence 2014 Claims Study

Prevention and Response Plans
REMEMBER: People should be the biggest defense, not the biggest security vulnerability.
There are 3 different ways that staff can harm a business:
• Intentional/Malicious Acts
• Negligence
• Accidental Acts

Intentional/Malicious Acts
• How can you protect against the "rogue" employee?
• Background Checks: Do they include a credit check?
• Limiting Access: Don't give employees access to files or information if they don't need it.

Negligence
• Training
• Encryption
• Security

Accidental Acts
• Human error – it's going to happen.
Audience Poll Q3: Are you and your employees regularly trained on cybersecurity defense?

Audience Poll Q4: Do you have an incident response plan in the event of a breach?

What If You Have a Breach?
• Incident response plan
  o Location
  o Updated
  o Tested/communicated with all involved
• Insurance
  o Claims Examiner / Breach Coach

Company-Wide Sample Policies

Q & A

Additional Resources
• Commission on Enhancing National Cybersecurity: https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity
• Federal Trade Commission: https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf

Additional Resources (Cont'd)
• Department of Homeland Security: https://www.dhs.gov/xlibrary/assets/privacy/dhs-privacy-safeguardingsensitivepiihandbook-march2012.pdf
• California Office of Attorney General: https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf

Additional Resources (Cont'd)
• Federal, State and Local Chambers of Commerce: http://advocacy.calchamber.com/wp-content/uploads/policy/CybersecurityReport.pdf
• Other Companies/Organizations:
  https://www.experian.com/assets/data-breach/brochures/response-guide.pdf
  https://iapp.org/resources/article/security-breach-response-plan-toolkit

Thank You
- Cover
- Cybersecurity PPt
-
2017 CACM Law Seminar 1
Cybersecurityfor Management Businesses and
Independently-Managed Associations
ModeratorCecilia Brennan Esq
PanelistsRobb Etnyre CAMEx CCAM
Aneacute Agostini CIC CRMMeredith Bennett
Welcome
2017 CACM Law Seminar 2
Panelists
Aneacute Agostini CEO CID Insurance Programs Inc
Robb Etnyre General Manager
(On-site) Tahoe Donner
Meredith Bennett Second VP National Tech and Cyber Practice Leader USLI
Moderator Cecilia N Brennan Esq
AGENDA
I Legal Basics
II Network Security and Privacy BreachesExposures
III Real-Life Application ndash On-site Managerrsquos Perspective
IV Prevention and Take-Aways Liability and Risk Transfer
V Q amp A
VI Additional Resources
VII Close
I
Legal Basics
2017 CACM Law Seminar 3
bull If you store collect manage andor protect
consumer data you MUST KEEP IT SAFE
bull A series of overlapping federal and state laws
govern cybersecurity and data privacy in the
United States
o Primarily enforced by the Federal Trade
Commission Department of Health and Human
Services and statesrsquo Attorneys General
Federal Statutes and Efforts on Cybersecurity
ndash Highlights
Cybersecurity Act of 2015
Cybersecurity Enhancement Act of 2014
National Cybersecurity Protection Act of 2014
Federal Information Security Modernization Act of 2014
Cybersecurity Workforce Assessment Act
Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government
Memorandum on Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements
National Institute of Standards and Technologyrsquos (NIST) Cybersecurity Framework
Federal Statutes and Regulations on Data
Privacy - Highlights
Federal Trade Commission Act
Financial Services Modernization Act
Health Insurance Portability and Accountability Act (HIPAA)
Fair Credit Reporting Act
Fair and Accurate Credit Transactions Act
Electronic Communications Privacy Act
Various FCC Regulations and Rules
2017 CACM Law Seminar 4
State-Based Data Breach Statutes
47 states and Washington DC have data breach laws
Exceptions are Alabama New Mexico and South Dakota
Applicable state breach law depends on state of domicile of the consumer not the location of the affected business
Encryption is a safe harbor
Massachusetts now requires the posting of reports of breaches online
Californiarsquos Key Breach Statute
California Civil Code Section 1798 et seq
Codified July 1 2003 (amended effective 112017)
Requires notification of any California resident whose
unencrypted personal information was or is reasonably
believed to have been breached
Effective January 1 2017 - requires notification of any
California resident whose encrypted information that was
breached (along with identifying encryption keys or
credentials)
II
Network Security and Privacy
Breaches
2017 CACM Law Seminar 5
Audience Poll Q 1
What is your top concern about
cybersecurity
Social Engineering An Illustration
(Mr Robot)
2017 CACM Law Seminar 6
Key Sources of Cyber Breaches amp
Extortion Hackers (social engineering)
VirusMalware
Staff Error
Rogue Employee
LostStolen Mobile Devices
Business Banking Services
Business online banking regulations
Business banking crime does happen
Association Financials vs Bank
Statements
Electronic Vendor Services
Third-party vendor cyber exposures
Theft of Targetrsquos third party HVAC vendorrsquos credentials
Management CompanyCommunity Association vendor services Types of services assessment payment services
electronic check signing services data storage providers payroll services etc
2017 CACM Law Seminar 7
Vendor Services Management Company
v Community Association
Who should be the responsible
party
Who has access to what data
What is your contractual agreement
with these vendors
Website amp Email Security
Compromised or infected websites-malware attacks
Distributed Denial of Service (DDoS) attacks
Ransomware attacks
Proprietary information extortion attacks
(Websites with links to service providers)
Cloud-Based Information Storage
One large data storage source providing technology services
Who is responsible if you are part of a large-scale cyber breach
Encryption of data stored and strong vendor agreements
2017 CACM Law Seminar 8
III
Real-life Application
On-site Managerrsquos Perspective
Business Online Banking
Policy on Internal vs External Fund
Transfer
Best Practice Two Token Verification for
External Fund TransferFrom Jeff Bonzon [mailtoverizon10mbme]Sent Tuesday October 04 2016 925 AMTo Michael SalmonSubject Re available
I need you to take care of a transfer
Thank youJeff Bonzon
Private Information of Members
and Employees
Phishing email to Director of Human Resources ldquofromrdquo
board president requesting a copy of all 2015 company W-2s
Company HRPayroll database assigning employee ID numbers based on last 4-6 numbers of Social Security Number
Company holiday party invite list private information on one Excel file
Point of Sale system (POS) has many users with no internal system for forensic examination of system user activity Any POS employee can access membership database
2017 CACM Law Seminar 9
Site content security breach - Malware introduced (WordPress exploit)
Creates false content on website and Malware is detected by internet search engines like GoogleAssociation website is blocked by Google Chrome Search Engine Even after Malware is removed the World Wide Web page restoration process with search engine can take days to validate company website authenticity
Management Company or
Association Websites
IV
Best Practices and Take-Aways
Liability amp Risk
TransferPrevention
Audience Poll Q 2
Do you have any experience with
employee-related issues - vulnerability
with current and ex-employees
disgruntled employees etc
2017 CACM Law Seminar 10
Source NetDiligence 2014 Claims Study
Prevention and Response Plans
REMEMBER
People should be the biggest defense not
the biggest security vulnerability
There are 3 different ways that staff can
harm a business
IntentionalMalicious Acts
Negligence
Accidental Acts
2017 CACM Law Seminar 11
IntentionalMalicious Acts
How can you prevent against the ldquoroguerdquo employee
Background Checks Do they include a credit check
Limiting Access Donrsquot give employees access to files or information if they donrsquot need it
Negligence
Training
Encryption
Security
Accidental Acts
Human error ndash itrsquos going to happen
2017 CACM Law Seminar 12
Audience Poll Q 3
Are you and your employees regularly
trained on cybersecurity defense
Audience Poll Q 4
Do you have an incident response
plan in the event of a breach
What If You Have a Breach
Incident response plan
Location
Updated
Testedcommunicated with all involved
Insurance
Claims Examiner Breach Coach
2017 CACM Law Seminar 13
Company-Wide Sample Policies
Q amp A
Additional Resources
Commission on Enhancing National Cybersecurity
httpswwwwhitehousegovthe-press-
office20160209executive-order-commission-
enhancing-national-cybersecurity
Federal Trade Commission
httpswwwftcgovsystemfilesdocumentsplain-
languagepdf0205-startwithsecuritypdf
2017 CACM Law Seminar 14
Additional Resources Contrsquod
Department of Homeland Security
httpswwwdhsgovxlibraryassetsprivacydhs-privacy-
safeguardingsensitivepiihandbook-march2012pdf
California Office of Attorney General
httpsoagcagovsitesallfilesagwebpdfsdbr2016-
data-breach-reportpdf
Additional Resources Contrsquod
Federal State and Local Chambers of Commerce
httpadvocacycalchambercomwp-
contentuploadspolicyCybersecurityReportpdf
Other CompaniesOrganizations
httpswwwexperiancomassetsdata-
breachbrochuresresponse-guidepdf
httpsiapporgresourcesarticlesecurity-breach-
response-plan-toolkit
Thank You
- Cover
- Cybersecurity PPt
-
2017 CACM Law Seminar 2
Panelists
Aneacute Agostini CEO CID Insurance Programs Inc
Robb Etnyre General Manager
(On-site) Tahoe Donner
Meredith Bennett Second VP National Tech and Cyber Practice Leader USLI
Moderator Cecilia N Brennan Esq
AGENDA
I Legal Basics
II Network Security and Privacy BreachesExposures
III Real-Life Application ndash On-site Managerrsquos Perspective
IV Prevention and Take-Aways Liability and Risk Transfer
V Q amp A
VI Additional Resources
VII Close
I
Legal Basics
2017 CACM Law Seminar 3
bull If you store collect manage andor protect
consumer data you MUST KEEP IT SAFE
bull A series of overlapping federal and state laws
govern cybersecurity and data privacy in the
United States
o Primarily enforced by the Federal Trade
Commission Department of Health and Human
Services and statesrsquo Attorneys General
Federal Statutes and Efforts on Cybersecurity
ndash Highlights
Cybersecurity Act of 2015
Cybersecurity Enhancement Act of 2014
National Cybersecurity Protection Act of 2014
Federal Information Security Modernization Act of 2014
Cybersecurity Workforce Assessment Act
Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government
Memorandum on Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements
National Institute of Standards and Technologyrsquos (NIST) Cybersecurity Framework
Federal Statutes and Regulations on Data
Privacy - Highlights
Federal Trade Commission Act
Financial Services Modernization Act
Health Insurance Portability and Accountability Act (HIPAA)
Fair Credit Reporting Act
Fair and Accurate Credit Transactions Act
Electronic Communications Privacy Act
Various FCC Regulations and Rules
2017 CACM Law Seminar 4
State-Based Data Breach Statutes
47 states and Washington DC have data breach laws
Exceptions are Alabama New Mexico and South Dakota
Applicable state breach law depends on state of domicile of the consumer not the location of the affected business
Encryption is a safe harbor
Massachusetts now requires the posting of reports of breaches online
Californiarsquos Key Breach Statute
California Civil Code Section 1798 et seq
Codified July 1 2003 (amended effective 112017)
Requires notification of any California resident whose
unencrypted personal information was or is reasonably
believed to have been breached
Effective January 1 2017 - requires notification of any
California resident whose encrypted information that was
breached (along with identifying encryption keys or
credentials)
II
Network Security and Privacy
Breaches
2017 CACM Law Seminar 5
Audience Poll Q 1
What is your top concern about
cybersecurity
Social Engineering An Illustration
(Mr Robot)
2017 CACM Law Seminar 6
Key Sources of Cyber Breaches amp
Extortion Hackers (social engineering)
VirusMalware
Staff Error
Rogue Employee
LostStolen Mobile Devices
Business Banking Services
Business online banking regulations
Business banking crime does happen
Association Financials vs Bank
Statements
Electronic Vendor Services
Third-party vendor cyber exposures
Theft of Targetrsquos third party HVAC vendorrsquos credentials
Management CompanyCommunity Association vendor services Types of services assessment payment services
electronic check signing services data storage providers payroll services etc
2017 CACM Law Seminar 7
Vendor Services Management Company
v Community Association
Who should be the responsible
party
Who has access to what data
What is your contractual agreement
with these vendors
Website amp Email Security
Compromised or infected websites-malware attacks
Distributed Denial of Service (DDoS) attacks
Ransomware attacks
Proprietary information extortion attacks
(Websites with links to service providers)
Cloud-Based Information Storage
One large data storage source providing technology services
Who is responsible if you are part of a large-scale cyber breach
Encryption of data stored and strong vendor agreements
2017 CACM Law Seminar 8
III
Real-life Application
On-site Managerrsquos Perspective
Business Online Banking
Policy on Internal vs External Fund
Transfer
Best Practice Two Token Verification for
External Fund TransferFrom Jeff Bonzon [mailtoverizon10mbme]Sent Tuesday October 04 2016 925 AMTo Michael SalmonSubject Re available
I need you to take care of a transfer
Thank youJeff Bonzon
Private Information of Members
and Employees
Phishing email to Director of Human Resources ldquofromrdquo
board president requesting a copy of all 2015 company W-2s
Company HRPayroll database assigning employee ID numbers based on last 4-6 numbers of Social Security Number
Company holiday party invite list private information on one Excel file
Point of Sale system (POS) has many users with no internal system for forensic examination of system user activity Any POS employee can access membership database
2017 CACM Law Seminar 9
Site content security breach - Malware introduced (WordPress exploit)
Creates false content on website and Malware is detected by internet search engines like GoogleAssociation website is blocked by Google Chrome Search Engine Even after Malware is removed the World Wide Web page restoration process with search engine can take days to validate company website authenticity
Management Company or
Association Websites
IV
Best Practices and Take-Aways
Liability amp Risk
TransferPrevention
Audience Poll Q 2
Do you have any experience with
employee-related issues - vulnerability
with current and ex-employees
disgruntled employees etc
2017 CACM Law Seminar 10
Source NetDiligence 2014 Claims Study
Prevention and Response Plans
REMEMBER
People should be the biggest defense not
the biggest security vulnerability
There are 3 different ways that staff can
harm a business
IntentionalMalicious Acts
Negligence
Accidental Acts
2017 CACM Law Seminar 11
IntentionalMalicious Acts
How can you prevent against the ldquoroguerdquo employee
Background Checks Do they include a credit check
Limiting Access Donrsquot give employees access to files or information if they donrsquot need it
Negligence
Training
Encryption
Security
Accidental Acts
Human error ndash itrsquos going to happen
2017 CACM Law Seminar 12
Audience Poll Q 3
Are you and your employees regularly
trained on cybersecurity defense
Audience Poll Q 4
Do you have an incident response
plan in the event of a breach
What If You Have a Breach
Incident response plan
Location
Updated
Testedcommunicated with all involved
Insurance
Claims Examiner Breach Coach
2017 CACM Law Seminar 13
Company-Wide Sample Policies
Q amp A
Additional Resources
Commission on Enhancing National Cybersecurity
httpswwwwhitehousegovthe-press-
office20160209executive-order-commission-
enhancing-national-cybersecurity
Federal Trade Commission
httpswwwftcgovsystemfilesdocumentsplain-
languagepdf0205-startwithsecuritypdf
2017 CACM Law Seminar 14
Additional Resources Contrsquod
Department of Homeland Security
httpswwwdhsgovxlibraryassetsprivacydhs-privacy-
safeguardingsensitivepiihandbook-march2012pdf
California Office of Attorney General
httpsoagcagovsitesallfilesagwebpdfsdbr2016-
data-breach-reportpdf
Additional Resources Contrsquod
Federal State and Local Chambers of Commerce
httpadvocacycalchambercomwp-
contentuploadspolicyCybersecurityReportpdf
Other CompaniesOrganizations
httpswwwexperiancomassetsdata-
breachbrochuresresponse-guidepdf
httpsiapporgresourcesarticlesecurity-breach-
response-plan-toolkit
Thank You
- Cover
- Cybersecurity PPt
-
2017 CACM Law Seminar 3
bull If you store collect manage andor protect
consumer data you MUST KEEP IT SAFE
bull A series of overlapping federal and state laws
govern cybersecurity and data privacy in the
United States
o Primarily enforced by the Federal Trade
Commission Department of Health and Human
Services and statesrsquo Attorneys General
Federal Statutes and Efforts on Cybersecurity
ndash Highlights
Cybersecurity Act of 2015
Cybersecurity Enhancement Act of 2014
National Cybersecurity Protection Act of 2014
Federal Information Security Modernization Act of 2014
Cybersecurity Workforce Assessment Act
Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government
Memorandum on Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements
National Institute of Standards and Technologyrsquos (NIST) Cybersecurity Framework
Federal Statutes and Regulations on Data
Privacy - Highlights
Federal Trade Commission Act
Financial Services Modernization Act
Health Insurance Portability and Accountability Act (HIPAA)
Fair Credit Reporting Act
Fair and Accurate Credit Transactions Act
Electronic Communications Privacy Act
Various FCC Regulations and Rules
2017 CACM Law Seminar 4
State-Based Data Breach Statutes
47 states and Washington DC have data breach laws
Exceptions are Alabama New Mexico and South Dakota
Applicable state breach law depends on state of domicile of the consumer not the location of the affected business
Encryption is a safe harbor
Massachusetts now requires the posting of reports of breaches online
Californiarsquos Key Breach Statute
California Civil Code Section 1798 et seq
Codified July 1 2003 (amended effective 112017)
Requires notification of any California resident whose
unencrypted personal information was or is reasonably
believed to have been breached
Effective January 1 2017 - requires notification of any
California resident whose encrypted information that was
breached (along with identifying encryption keys or
credentials)
II
Network Security and Privacy
Breaches
2017 CACM Law Seminar 5
Audience Poll Q 1
What is your top concern about
cybersecurity
Social Engineering An Illustration
(Mr Robot)
2017 CACM Law Seminar 6
Key Sources of Cyber Breaches amp
Extortion Hackers (social engineering)
VirusMalware
Staff Error
Rogue Employee
LostStolen Mobile Devices
Business Banking Services
Business online banking regulations
Business banking crime does happen
Association Financials vs Bank
Statements
Electronic Vendor Services
Third-party vendor cyber exposures
Theft of Targetrsquos third party HVAC vendorrsquos credentials
Management CompanyCommunity Association vendor services Types of services assessment payment services
electronic check signing services data storage providers payroll services etc
2017 CACM Law Seminar 7
Vendor Services Management Company
v Community Association
Who should be the responsible
party
Who has access to what data
What is your contractual agreement
with these vendors
Website amp Email Security
Compromised or infected websites-malware attacks
Distributed Denial of Service (DDoS) attacks
Ransomware attacks
Proprietary information extortion attacks
(Websites with links to service providers)
Cloud-Based Information Storage
One large data storage source providing technology services
Who is responsible if you are part of a large-scale cyber breach
Encryption of data stored and strong vendor agreements
2017 CACM Law Seminar 8
III
Real-life Application
On-site Managerrsquos Perspective
Business Online Banking
Policy on Internal vs External Fund
Transfer
Best Practice Two Token Verification for
External Fund TransferFrom Jeff Bonzon [mailtoverizon10mbme]Sent Tuesday October 04 2016 925 AMTo Michael SalmonSubject Re available
I need you to take care of a transfer
Thank youJeff Bonzon
Private Information of Members
and Employees
Phishing email to Director of Human Resources ldquofromrdquo
board president requesting a copy of all 2015 company W-2s
Company HRPayroll database assigning employee ID numbers based on last 4-6 numbers of Social Security Number
Company holiday party invite list private information on one Excel file
Point of Sale system (POS) has many users with no internal system for forensic examination of system user activity Any POS employee can access membership database
2017 CACM Law Seminar 9
Site content security breach - Malware introduced (WordPress exploit)
Creates false content on website and Malware is detected by internet search engines like GoogleAssociation website is blocked by Google Chrome Search Engine Even after Malware is removed the World Wide Web page restoration process with search engine can take days to validate company website authenticity
Management Company or
Association Websites
IV
Best Practices and Take-Aways
Liability amp Risk
TransferPrevention
Audience Poll Q 2
Do you have any experience with
employee-related issues - vulnerability
with current and ex-employees
disgruntled employees etc
2017 CACM Law Seminar 10
Source NetDiligence 2014 Claims Study
Prevention and Response Plans
REMEMBER
People should be the biggest defense not
the biggest security vulnerability
There are 3 different ways that staff can
harm a business
IntentionalMalicious Acts
Negligence
Accidental Acts
2017 CACM Law Seminar 11
IntentionalMalicious Acts
How can you prevent against the ldquoroguerdquo employee
Background Checks Do they include a credit check
Limiting Access Donrsquot give employees access to files or information if they donrsquot need it
Negligence
Training
Encryption
Security
Accidental Acts
Human error ndash itrsquos going to happen
2017 CACM Law Seminar 12
Audience Poll Q 3
Are you and your employees regularly
trained on cybersecurity defense
Audience Poll Q 4
Do you have an incident response
plan in the event of a breach
What If You Have a Breach
Incident response plan
Location
Updated
Testedcommunicated with all involved
Insurance
Claims Examiner Breach Coach
2017 CACM Law Seminar 13
Company-Wide Sample Policies
Q amp A
Additional Resources
Commission on Enhancing National Cybersecurity
httpswwwwhitehousegovthe-press-
office20160209executive-order-commission-
enhancing-national-cybersecurity
Federal Trade Commission
httpswwwftcgovsystemfilesdocumentsplain-
languagepdf0205-startwithsecuritypdf
2017 CACM Law Seminar 14
Additional Resources Contrsquod
Department of Homeland Security
httpswwwdhsgovxlibraryassetsprivacydhs-privacy-
safeguardingsensitivepiihandbook-march2012pdf
California Office of Attorney General
httpsoagcagovsitesallfilesagwebpdfsdbr2016-
data-breach-reportpdf
Additional Resources Contrsquod
Federal State and Local Chambers of Commerce
httpadvocacycalchambercomwp-
contentuploadspolicyCybersecurityReportpdf
Other CompaniesOrganizations
httpswwwexperiancomassetsdata-
breachbrochuresresponse-guidepdf
httpsiapporgresourcesarticlesecurity-breach-
response-plan-toolkit
Thank You
- Cover
- Cybersecurity PPt
-
2017 CACM Law Seminar 4
State-Based Data Breach Statutes
47 states and Washington DC have data breach laws
Exceptions are Alabama New Mexico and South Dakota
Applicable state breach law depends on state of domicile of the consumer not the location of the affected business
Encryption is a safe harbor
Massachusetts now requires the posting of reports of breaches online
Californiarsquos Key Breach Statute
California Civil Code Section 1798 et seq
Codified July 1 2003 (amended effective 112017)
Requires notification of any California resident whose
unencrypted personal information was or is reasonably
believed to have been breached
Effective January 1 2017 - requires notification of any
California resident whose encrypted information that was
breached (along with identifying encryption keys or
credentials)
II
Network Security and Privacy
Breaches
2017 CACM Law Seminar 5
Audience Poll Q 1
What is your top concern about
cybersecurity
Social Engineering An Illustration
(Mr Robot)
2017 CACM Law Seminar 6
Key Sources of Cyber Breaches amp
Extortion Hackers (social engineering)
VirusMalware
Staff Error
Rogue Employee
LostStolen Mobile Devices
Business Banking Services
Business online banking regulations
Business banking crime does happen
Association Financials vs Bank
Statements
Electronic Vendor Services
Third-party vendor cyber exposures
Theft of Targetrsquos third party HVAC vendorrsquos credentials
Management CompanyCommunity Association vendor services Types of services assessment payment services
electronic check signing services data storage providers payroll services etc
2017 CACM Law Seminar 7

Vendor Services: Management Company v. Community Association
Who should be the responsible party?
Who has access to what data?
What is your contractual agreement with these vendors?

Website & Email Security
Compromised or infected websites - malware attacks
Distributed Denial of Service (DDoS) attacks
Ransomware attacks
Proprietary information extortion attacks
(Websites with links to service providers)

Cloud-Based Information Storage
One large data storage source providing technology services
Who is responsible if you are part of a large-scale cyber breach?
Encryption of data stored and strong vendor agreements

III
Real-life Application
On-site Manager's Perspective

Business Online Banking
Policy on Internal vs. External Fund Transfer
Best Practice: Two Token Verification for External Fund Transfer

From: Jeff Bonzon [mailtoverizon10mbme]
Sent: Tuesday, October 04, 2016 9:25 AM
To: Michael Salmon
Subject: Re: available

I need you to take care of a transfer

Thank you,
Jeff Bonzon
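A dual-control check for transfer requests, added here as an example of the two-token best practice on this slide (it is not from the seminar deck). The roster mailboxes, account ids, request id and secret are constructed for illustration, and the HMAC stands in for one-time codes that would really be delivered out of band.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed data for this example: the only mailbox each director may use to
# request money movement, and the association's own account ids (internal moves).
BOARD_ROSTER = {
    "Jeff Bonzon": "jbonzon@example-hoa.org",     # hypothetical association mailbox
    "Michael Salmon": "msalmon@example-hoa.org",  # hypothetical association mailbox
}
ROSTER_ADDRESSES = {addr.lower() for addr in BOARD_ROSTER.values()}
INTERNAL_ACCOUNTS = {"OPERATING-001", "RESERVE-002"}  # constructed account ids

# Secret held only by the system that issues one-time approval codes (constructed).
APPROVAL_SECRET = b"constructed-demo-secret-do-not-reuse"


@dataclass
class TransferRequest:
    request_id: str
    from_header: str              # raw From: header as received by the manager
    amount: float
    dest_account: str
    tokens: dict = field(default_factory=dict)  # role -> one-time code presented


def issue_token(request_id: str, role: str, secret: bytes = APPROVAL_SECRET) -> str:
    """One-time code bound to one request and one role. In practice it is delivered
    out of band (call-back to a known number, authenticator app); an HMAC keeps
    the example self-contained and offline."""
    msg = f"{request_id}:{role}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def token_valid(request_id: str, role: str, presented: str) -> bool:
    # Constant-time compare so a wrong guess and a near-miss take the same time.
    expected = issue_token(request_id, role)
    return hmac.compare_digest(expected.encode(), presented.encode())


def sender_on_roster(from_header: str) -> bool:
    """The slide's phishing mail shows a director's display name over an outside
    mailbox. The display name is ignored on purpose; only the address counts."""
    _display_name, addr = parseaddr(from_header)
    return addr.lower() in ROSTER_ADDRESSES


def evaluate_transfer(req: TransferRequest) -> tuple[str, list[str]]:
    """Policy from the slide: internal moves need the requester's code; external
    moves need two codes issued to two different roles (requester plus an
    independent approver), so one compromised mailbox cannot move money out."""
    reasons: list[str] = []
    if not sender_on_roster(req.from_header):
        reasons.append("sender address not on board roster")
    external = req.dest_account not in INTERNAL_ACCOUNTS
    required_roles = ["requester", "approver"] if external else ["requester"]
    for role in required_roles:
        if not token_valid(req.request_id, role, req.tokens.get(role, "")):
            reasons.append(f"missing or invalid {role} token")
    return ("APPROVED" if not reasons else "REJECTED", reasons)


if __name__ == "__main__":
    rid = "TR-DEMO-001"
    # A request shaped like the one on the slide: director's name, outside mailbox.
    spoofed = TransferRequest(rid, "Jeff Bonzon <jeff.bonzon.personal@example.net>",
                              25000.0, "EXT-4471")
    print(evaluate_transfer(spoofed))
    genuine = TransferRequest(rid, "Jeff Bonzon <jbonzon@example-hoa.org>", 25000.0,
                              "EXT-4471", {"requester": issue_token(rid, "requester"),
                                           "approver": issue_token(rid, "approver")})
    print(evaluate_transfer(genuine))
```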

Private Information of Members and Employees
Phishing email to Director of Human Resources "from" board president requesting a copy of all 2015 company W-2s
Company HR/Payroll database assigning employee ID numbers based on the last 4-6 digits of the Social Security Number
Company holiday party invite list: private information on one Excel file
Point of Sale (POS) system has many users with no internal system for forensic examination of system user activity. Any POS employee can access the membership database.

Management Company or Association Websites
Site content security breach - malware introduced (WordPress exploit)
Creates false content on the website, and the malware is detected by internet search engines like Google. The association website is blocked by the Google Chrome search engine. Even after the malware is removed, the web page restoration process with the search engine can take days to validate the company website's authenticity.

IV
Best Practices and Take-Aways
Liability & Risk Transfer/Prevention

Audience Poll Q 2
Do you have any experience with employee-related issues - vulnerability with current and ex-employees, disgruntled employees, etc.?
Source: NetDiligence 2014 Claims Study

Prevention and Response Plans
REMEMBER: People should be the biggest defense, not the biggest security vulnerability
There are 3 different ways that staff can harm a business:
Intentional/Malicious Acts
Negligence
Accidental Acts

Intentional/Malicious Acts
How can you guard against the "rogue" employee?
Background Checks: Do they include a credit check?
Limiting Access: Don't give employees access to files or information if they don't need it
Negligence
Training
Encryption
Security
Accidental Acts
Human error – it's going to happen

Audience Poll Q 3
Are you and your employees regularly trained on cybersecurity defense?

Audience Poll Q 4
Do you have an incident response plan in the event of a breach?

What If You Have a Breach?
Incident response plan
Location
Updated
Tested/communicated with all involved
Insurance
Claims Examiner / Breach Coach

Company-Wide Sample Policies

Q & A

Additional Resources
Commission on Enhancing National Cybersecurity
https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity
Federal Trade Commission
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
Additional Resources Cont'd
Department of Homeland Security
https://www.dhs.gov/xlibrary/assets/privacy/dhs-privacy-safeguardingsensitivepiihandbook-march2012.pdf
California Office of Attorney General
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf

Additional Resources Cont'd
Federal, State and Local Chambers of Commerce
http://advocacy.calchamber.com/wp-content/uploads/policy/CybersecurityReport.pdf
Other Companies/Organizations
https://www.experian.com/assets/data-breach/brochures/response-guide.pdf
https://iapp.org/resources/article/security-breach-response-plan-toolkit

Thank You