![Page 1: Data Security Compliance and Responding To a Data Breach ...media.straffordpub.com/products/data-security-compliance...2018/01/23 · •Health/medical = HIPAA (60 days notice) •covered](https://reader034.fdocuments.us/reader034/viewer/2022043010/5fa02a318644d73ec7612ff7/html5/thumbnails/1.jpg)
Data Security Compliance and Responding To a Data Breach: Lessons for Corporate Counsel After Equifax
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, JANUARY 23, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
Brent E. Kidwell, Partner, Jenner & Block, Chicago
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Agenda
I. The Big Picture
  A. Breaches’ Prevalence
  B. Liability Risks & Data Leakage – Big 3
  C. Modern Threats
II. U.S. & International Law – Overview
  A. Different Premises in U.S. & EU
  B. Scattershot U.S. Privacy Protections
  C. Potential Liability for Data Breaches
  D. International Law – Summary
  E. Contracts’ Ability to Reallocate Risks
III. Proactive Prevention
  Introduction
  A. Data Protection Overview
  B. Protecting Data at Rest & in Transit
  C. 10 Specific Steps
IV. Reactive Remedies / Incident Response
  • Top Ten
Q&A / Conclusion
I. The Big Picture
A. Breaches’ Prevalence
• Should only retailers be worried? NO
• 1/1/05 to 12/28/17:
  • > 7,800 breaches; > 10 Billion records
  • E.g. Yahoo!, Anthem, Target, Verizon & Neiman
• 2017 alone:
  • 550 breaches; ≈ 2 Billion records
  • E.g. Equifax, T-Mobile, Dun & Bradstreet, Arby’s, Boeing, Stanford U., Oklahoma HHS & UNC Health Care Systems
• . . . per Privacy Rights Clearinghouse, DATA BREACHES (last visited 1/18/18) (searchable/filterable)
I. The Big Picture
A. Breaches’ Prevalence
• Cyber Crime Costs in FY ’16 (237 cos. surveyed across 8 countries):
  • $17.36M average in US alone
  • 2 largest costs (on average):
    • information loss: 39 percent
    • business disruption: 36 percent
• . . . per Ponemon Inst. o/b/o HP Enterprise Security, 2016 Cost of Cyber Crime Study (2016)
I. The Big Picture
B. Leakage Risks – Big 3
1. Intentionally Harmful Intentional Disclosures
2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social Media; Sock-Puppeting; P2P)
3. Unintentional Losses of Sensitive Info. = primary focus here
I. The Big Picture
C. Modern Threats
• Biggest ones?
• Social Engineering [including (spear-)phishing and ransomware]
I. The Big Picture
C. Modern Threats
• Phishing:
  • W-2 Scam
    Adapted from screenshot at <http://www.linkstechnology.com/blog/its-baaack-the-form-w-2-email-scam>
  • IRS warning (1/25/17)
  • Cinthia Motley, 10 Ways to Avoid W-2 Phishing Schemes (LTN 3/20/17) (including “Pick up the phone”)
I. The Big Picture
C. Modern Threats
• Phishing – Training:
  • When in doubt:
    • do not click on a link or open an attachment; and
    • forward the message as an attachment to the InfoSec or IT department
  • If you are suspicious about the purported sender:
    • place a call to (or meet with) the purported sender to confirm the message is legit
I. The Big Picture
A. Default in U.S. & EU
• U.S. Perspective
  • Data presumptively not protected unless rendered otherwise by specific rule of law
  • Many rules are sector-based
• EU Perspective
  • Data presumptively “personal” and thus private, even in employer/employee setting . . .
II. U.S. & International Law
B. Scattershot U.S. Laws
• Federal law sector examples:
  • Health/medical = HIPAA (60 days notice)
    • covered entities and business associates
    • HITECH Act expansion Jan. ’09
    • HHS Final Regs. Sep. ’13
  • Financial services = Gramm-Leach-Bliley
  • Consumer credit reports, etc. = FCRA/FACTA
II. U.S. & International Law
B. U.S. Rules
• Potential Liability
  • consumer and/or employee class actions re: PII (PHI)
  • corporate customer suits
  • shareholder derivative suits
  • bad press and/or blog buzz
  • reputational hit
II. U.S. & International Law
B. Notice-of-Breach Laws
• Specific combo of elements – expanded in, e.g., California multiple times in Civ. Code § 1798.82 et al. . . .
• Trigger usually automatic (as in Cal.) rather than risk-based
• Notice requirements
  • If > X no. of people affected, tell AG
  • Might have to describe circumstances
II. U.S. & International Law
B. Health Info (PHI)
• Protecting Individuals’ PHI
  • HIPAA Final HHS Regs (9/23/13)
  • HHS active under HIPAA
• > 10 states:
  • AR, CA, FL, MO, ND, NV, TX, VA
  • WY (state agencies only)
  • CT (regs.) & NJ re: insurers
II. U.S. & International Law
B. U.S. Rules
• Potential Liability
• Difficulty in proving “injury” (damages):
  • Even CFAA claim in suit against hacker
    • “loss” hard to show
    • remediation and down-time?
• “Standing” (“Injury”) difficult to show based on mere concern data will be used:
  • trade secrets damages theory
  • identity-theft theory, including theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code § 56.36 . . .
II. U.S. & International Law
B. U.S. Rules
• Newer Case Law:
  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury must be concrete and not “abstract” to satisfy U.S. Const. Article III, but intangible injuries can be concrete)
  • Post-Spokeo (examples) . . .
    • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2/6/17) (allegations of increased risk of identity theft: NOT substantial risk of harm)
II. U.S. & International Law
C. Typical Breach Exposure Items
• Aside from viability of legal theories, custom and usage has been . . .
• Potential monetary liability for breach of unsecured personally identifiable information (PII) estimated at $221 per affected person
  • Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC (June 2016)
• Data breach cost calculators:
  <http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>
  <http://cyberscout.com/expensecalc/start.aspx>
  <https://eriskhub.com/mini-dbcc>
II. U.S. & International Law
C. Typical Breach Exposure
• Custom/usage
• Sample set of expense items (from here)
  • Internal Investigation
    • Cybercrime consulting
    • Attorney Fees
  • Notification/Crisis Management
    • Customer notification
    • Call center support
    • Crisis management consulting
  • Regulatory/Compliance
    • Credit monitoring for affected customers
    • Regulatory investigation defense
    • State/Federal fines or fees
II. U.S. & International Law
D. International Summary
• Privacy protected more, e.g.:
  • Europe:
    • EU: France/Germany/Italy
    • UK (post-Brexit)
  • Elsewhere:
    • Brazil
      • Constitution
      • “Marco Civil”
    • Israel
II. U.S. & International Law
D. Laws Overseas
• DATA-BREACH NOTIFICATION LAWS
  • less diffused, broader in scope & often shorter/clearer deadlines than U.S. . . . e.g.
    • Australia (Feb. ’18)
    • Canada
    • India
    • Israel (Mar. ’18)
    • Mexico
    • South Korea
II. U.S. & International Law
D. EU Data Directive Compliance
• EU, Directive 95/46/EC (1995)
  • PLUS laws of individual EU countries
  • BROAD definitions of “personal data,” “processing” and “transfer”
• Being replaced 5/25/18 by General Data Protection Regulation (GDPR)
  • Stricter
  • Penalties tied to worldwide revenue
  • Notice of breach – timing, etc.
  • Consent rules
II. U.S. & International Law
D. EU Data Transfers
• EU-U.S. Safe Harbor now replaced by the EU-U.S. Privacy Shield Framework (same re: Swiss-U.S. . . . )
• Must:
  • Provide free & accessible dispute resolution
  • Cooperate with Department of Commerce
  • Ensure accountability for data transferred to third parties (whether controllers or agents)
II. U.S. & International Law
E. Contracts’ Ability to Reallocate Risk
• Defaults may be changeable based on:
  • Relative sizes and bargaining power
  • Industry of prospective customer
  • Location of data (who stores/hosts it)
III. Proactive Prevention
Introduction
Divide the Universe, e.g., into:
1. Policies/practices applicable to all information, including PII
2. Policies/practices applicable to personal information as to non-employee individuals
3. Policies/practices applicable to PII collected from employees
4. Data storage contracts with third-party hosts (Cloud, etc.)
III. Proactive Prevention
Introduction – Example of Intrusion
[Figure: APT intrusion chart, http://blogs.rsa.com/wp-content/uploads/APT-chart1.jpg]
III. Proactive Prevention
A. Data Protection Overview – Strategy
[Figure: four quadrants] People • Process • Policy • Technology
III. Proactive Prevention
A. Data Protection – People
• Executive leadership – security as an organizational priority
• Identified personnel with specific roles, accountability and responsibility
• Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)
• Improve communication and training about security with all personnel
• Human vectors continue to be key security exploit route
  • See, e.g., RSA breach resulting from phishing
III. Proactive Prevention
A. Data Protection – Process
• Plan and document security procedures; for example:
  • Identify the location and content of your data assets, specifically PII or other “sensitive” collections
  • Routinize security assessments conducted by internal and external experts
  • Employ incident response drills and training
  • Develop procedures for the ingestion, storage, security and destruction of data
III. Proactive Prevention
A. Data Protection – Policies
• Organizational security/data protection policies:
  • General security, confidentiality, acceptable use and information governance policies
  • Special policies may be required for special data (e.g., HIPAA/PHI)
  • Incident response and breach notification policies
  • Records and information retention policies should be evaluated to minimize retention of risky data
• Establish a regular policy review cycle
• Enforcement and consistent application of policies
• Consider certifications, such as ISO 27001
III. Proactive Prevention
A. Data Protection – Technology
• Security of Existing Technology Base
  • Periodic re-examination of security posture of existing systems recommended
  • Cloud-based systems require contractual protections and due diligence
• Specialized Security/Data Protection Tools
  • Technology is not a security “silver bullet”
  • Even the best technology requires trained personnel to monitor, analyze and address identified anomalies
  • More on this later . . . .
III. Proactive Prevention
B. Protecting Data at Rest & in Transit – at Rest I
• Perimeter Defenses (Incoming & Outgoing)
  • Firewall
  • IDS/IPS
  • Multi-Factor Authentication
  • Malware Filtering
  • Data Loss Prevention (DLP)
  • Advanced endpoint protection
• Access Rights – “Need to Know” – See below
• Electronic data destruction (anything with storage)
III. Proactive Prevention
B. Protecting Data at Rest II
• Logging and Analysis of Security Events
  • Security Information and Event Management (SIEM)
  • Provides analytical view into organizational security using a longer-term baseline for anomaly identification
• Don’t Forget Paper Documents
  • Appropriate destruction – shredding, PII bins, etc.
  • Clean desk policies
  • Locked offices, drawers and cabinets
• Physical Security
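The “longer-term baseline” idea behind a SIEM anomaly rule, as an added illustration that is not part of the webinar materials: per-user daily counts of failed logins over a trailing 30-day window form the baseline, and a day is flagged when its count exceeds the baseline mean by more than three standard deviations (with a small absolute floor so that a user who normally never fails is not flagged for one typo). The log lines, their syslog-like format, the user names and addresses are all constructed for the example.

```python
"""Baseline-and-deviation anomaly detection over constructed auth log lines.
Added example; the log format, users and thresholds are assumptions."""

import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Constructed line shape: 2018-01-01T08:00:00Z auth: FAIL user=alice src=10.0.0.5
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (day, user, result) for lines in the expected format; skip anything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield date.fromisoformat(m["ts"]), m["user"], m["result"]


def daily_failures(events):
    """{user: {day: number of FAIL events}}; days without failures are simply absent."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, result in events:
        if result == "FAIL":
            counts[user][day] += 1
    return counts


def anomalies(counts, window_days=30, sigma=3.0, floor=5):
    """Return {(user, day): count} for days that exceed the user's own baseline.

    The baseline for a day is the preceding `window_days` days, counting 0 for
    days with no failures, so a quiet history yields a tight threshold."""
    flagged = {}
    for user, per_day in counts.items():
        for day, n in per_day.items():
            baseline = [per_day.get(day - timedelta(days=i), 0) for i in range(1, window_days + 1)]
            threshold = statistics.mean(baseline) + sigma * statistics.pstdev(baseline)
            if n > max(floor, threshold):
                flagged[(user, day)] = n
    return flagged


def build_sample_log():
    """Constructed data: 30 quiet days for 'alice' (0-2 failures each), then a 40-failure burst."""
    lines = []
    start = date(2018, 1, 1)
    for i in range(30):
        d = start + timedelta(days=i)
        for j in range(i % 3):
            lines.append(f"{d}T08:0{j}:00Z auth: FAIL user=alice src=10.0.0.5")
        lines.append(f"{d}T08:05:00Z auth: OK user=alice src=10.0.0.5")
    burst_day = start + timedelta(days=30)
    for k in range(40):
        lines.append(f"{burst_day}T02:{k:02d}:00Z auth: FAIL user=alice src=203.0.113.9")
    lines.append("this line is not an auth event and is ignored by the parser")
    return lines


def run(lines=None):
    """Parse, count and flag; returns the anomaly dictionary."""
    lines = build_sample_log() if lines is None else lines
    return anomalies(daily_failures(parse(lines)))


if __name__ == "__main__":
    for (user, day), n in run().items():
        print(f"{day} {user}: {n} failed logins (above baseline)")
```

Over the constructed data the quiet days have a mean of 1 failure and a standard deviation below 1, so the threshold is the floor of 5 and only the burst day is reported; the same rule applied to a user whose normal daily failure count is high would produce a correspondingly higher threshold, which is the point of a per-entity baseline rather than a single global number.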
III. Proactive Prevention
B. Protecting Data in Motion I
• Laptops (endpoints)
  • AV/Malware Detection
  • Firewall
  • Data Encryption (FDE)
  • Passwords, screensavers, etc.
  • BYOD Issues
  • Endpoint protection
• Storage Devices/Tools
  • Encryption – flash drives, DVDs, etc.
  • Restrictions on use of cloud storage services (Dropbox, etc.)
III. Proactive Prevention
B. Protecting Data in Motion II
• Handheld Devices
  • Encryption
  • Remote Wiping
  • Mobile Device Management (e.g., MobileIron, AirWatch)
  • BYOD Issues
• Backup Tapes
• Email encryption
• Metadata Scrubbing Tools
• Proper Redaction Tools/Methods
III. Proactive Prevention
C. 10 Specific Steps – 1. Policies
• Train managers and staff about access, nondisclosure and safeguarding
• Review pertinent segments of employee policies, e.g.:
  • Code of Conduct
  • Confidentiality Policy
  • Technology Acceptable Use
  • Privacy (No Expectation of Privacy?)
  • Social media policies
  • BYOD (Mobile Devices)
  • Separating / off-boarding employee procedures (related checklist(s) from IT, HR, etc.)
III. Proactive Prevention
C. Steps – 2. Training
• [Spear-]Phishing & Ransomware
  • Use tests (Wombat, etc.)
  • Capture metrics
  • Encourage vigilance
III. Proactive Prevention
C. Steps – 3. Passwords
• Passwords
  • Lockout . . . No sharing . . .
  • Two-factor authentication
• Common password practices:
  • Minimum 8 (or 12) characters, complex
  • Reuse restriction
  • 90-day expiration
• But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin
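The contrast the slide draws between the “common practices” and the newer NIST SP 800-63 guidance, as an added example that is not part of the webinar materials: one function encodes the legacy rule set (8+ characters, three character classes, 90-day rotation) and the other encodes the SP 800-63B memorized-secret recommendations (8 to 64 characters, screening against a breached-password list and context-specific words, rejection of trivially sequential or repeated characters, and no scheduled expiry). The breached-password set is a constructed five-entry sample; a real deployment would screen against a large breach corpus.

```python
"""Legacy complexity policy beside an SP 800-63B-style policy. Added example;
the blocklist and the sample passwords are constructed."""

import re
from dataclasses import dataclass

# Constructed stand-in for a breach corpus (a real one has many millions of entries).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass
class Verdict:
    ok: bool
    reasons: list


def legacy_policy(password, days_since_change):
    """The 'common practices' rule set: length, composition and 90-day rotation."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if sum(bool(re.search(p, password)) for p in _CLASSES) < 3:
        reasons.append("fewer than 3 character classes")
    if days_since_change > 90:
        reasons.append("older than 90 days (rotation required)")
    return Verdict(not reasons, reasons)


def _is_single_step(s):
    """True for strings like 'aaaaaaaa' or '12345678' where every step between
    adjacent characters is the same (0, +1, -1, ...)."""
    codes = [ord(c) for c in s]
    return len(s) >= 2 and len({b - a for a, b in zip(codes, codes[1:])}) == 1


def nist_800_63b_policy(password, days_since_change=0, context_words=()):
    """SP 800-63B style: length bounds and blocklist screening, no composition
    rules, and no expiry based on age alone (days_since_change is accepted only so
    both policies share a signature; it is deliberately not used)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    lowered = password.lower()
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    if _is_single_step(password):
        reasons.append("repetitive or sequential characters")
    for word in context_words:  # e.g. user name, company name, service name
        if word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    return Verdict(not reasons, reasons)


def compare(password, days_since_change=0, context_words=()):
    """Run both policies; handy for showing where they disagree."""
    return {
        "legacy": legacy_policy(password, days_since_change),
        "nist": nist_800_63b_policy(password, days_since_change, context_words),
    }


if __name__ == "__main__":
    for pw, age in (("Welcome1", 10), ("correct horse battery staple", 200)):
        for name, verdict in compare(pw, age).items():
            print(f"{pw!r:32} {name:7} ok={verdict.ok} {verdict.reasons}")
```

The two sample passwords disagree in opposite directions: “Welcome1” satisfies every legacy rule yet is a known breached value, while a long passphrase fails the legacy composition and age rules despite being the stronger secret. That asymmetry is the reason SP 800-63B dropped composition and expiry rules in favour of length and blocklist screening.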
III. Proactive Prevention
C. Steps – 4. Access – RBAC
• “Least Privileged Access” approach [“role-based access control (RBAC)”]
  • Data and physical
  • Ideal default is “deny all” – i.e., cannot gain access unless affirmative need shown and specifically authorized
  • For lawyers: “ ‘Need to Know’ Security” (LTN 4/24/17) (LEXIS login/password needed)
• Central vs. Local Storage
• Digital Rights Management (DRM)?
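The “deny all” default described on this slide, as an added example that is not part of the webinar materials: a minimal role-based access check in which nothing is permitted unless some role a user holds explicitly grants the (resource, action) pair, an unknown user is simply denied rather than treated as an error, and every decision is recorded so denials can be reviewed. The roles, users and resource names are constructed.

```python
"""Default-deny RBAC with an audit trail. Added example; roles and users are constructed."""

from collections import defaultdict


class DefaultDenyRBAC:
    def __init__(self):
        self._grants = defaultdict(set)   # role -> {(resource, action)}
        self._members = defaultdict(set)  # user -> {role}
        self.audit = []                   # (user, resource, action, allowed, via_role)

    def grant(self, role, resource, action):
        """Affirmative, specific authorization: the only way a permission comes into being."""
        self._grants[role].add((resource, action))

    def assign(self, user, role):
        self._members[user].add(role)

    def revoke_role(self, user, role):
        """Off-boarding or role change: dropping the role drops everything it conferred."""
        self._members[user].discard(role)

    def is_allowed(self, user, resource, action):
        # .get() rather than indexing so an unknown user does not get an empty entry created.
        for role in sorted(self._members.get(user, ())):
            if (resource, action) in self._grants.get(role, ()):
                self.audit.append((user, resource, action, True, role))
                return True
        # No role granted it: deny, and record the denial for review.
        self.audit.append((user, resource, action, False, None))
        return False

    def denials(self):
        """Denied decisions only; a steady stream of these for one user is worth a look."""
        return [entry for entry in self.audit if not entry[3]]


def build_demo():
    """Constructed roles: analysts read employee PII, admins read and write it."""
    rbac = DefaultDenyRBAC()
    rbac.grant("hr-analyst", "employee-pii", "read")
    rbac.grant("hr-admin", "employee-pii", "read")
    rbac.grant("hr-admin", "employee-pii", "write")
    rbac.assign("alice", "hr-analyst")
    rbac.assign("bob", "hr-admin")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for user, action in (("alice", "read"), ("alice", "write"), ("carol", "read"), ("bob", "write")):
        print(user, action, "->", "allow" if rbac.is_allowed(user, "employee-pii", action) else "deny")
    print("denials:", rbac.denials())
```

Note that the check never consults a “deny” list: there is nothing to forget to block, because absence of a grant is the denial. That is what makes the default safe when a new resource or a new user appears.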
III. Proactive Prevention
C. Steps – 5. Encryption of ESI
• Especially PII & Mobile Data
• At rest and in transit . . .
• Email – TLS
  • Forced
  • Opportunistic
• Laptops
  • BitLocker
  • FileVault
III. Proactive Prevention
C(5). Encryption of ESI
1. Website & Extranet Servers (> SSL)
2. Virtual Private Network (VPN) Software
3. Cloud: Secure file transfer protocol (SFTP) sites (Citrix ShareFile and OneHub, e.g.)
4. Email Messages and Attachments [Transport Layer Security (TLS)]
5. End-user devices
  • Desktop PCs and Laptops
  • Tablets and Smartphones
  • Mobile Devices and Portable Media
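The “forced” versus “opportunistic” TLS distinction from the previous two slides (item 4 here and the Email – TLS bullets of step 5), as an added example that is not part of the webinar materials: in opportunistic mode a mail client upgrades to TLS when the server advertises STARTTLS and otherwise carries on in clear; in forced mode a server that cannot offer STARTTLS is refused rather than silently accepted, which is what closes the downgrade path. The function takes any object with the `smtplib.SMTP` method names it uses (`ehlo`, `has_extn`, `starttls`, `quit`); the `FakeSMTP` class is a constructed stand-in so the logic runs offline.

```python
"""Forced vs. opportunistic STARTTLS handling for an outbound SMTP session.
Added example; FakeSMTP is a constructed stand-in for smtplib.SMTP."""

import ssl


class TlsDowngradeError(RuntimeError):
    """Raised in forced mode when the server does not offer STARTTLS."""


def secure_session(smtp, mode, context=None):
    """Upgrade an SMTP session to TLS according to `mode`.

    "forced":        refuse to continue without STARTTLS (no plaintext fallback).
    "opportunistic": use STARTTLS when advertised, otherwise continue in clear.
    Returns "tls" or "plaintext" so the caller can log or act on what happened."""
    if mode not in ("forced", "opportunistic"):
        raise ValueError(f"unknown mode {mode!r}")
    # A default context verifies the server certificate chain and hostname; that
    # verification is what stops a relay presenting its own certificate mid-path.
    context = context or ssl.create_default_context()
    smtp.ehlo()
    if smtp.has_extn("starttls"):
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the upgrade (RFC 3207)
        return "tls"
    if mode == "forced":
        smtp.quit()
        raise TlsDowngradeError("server does not advertise STARTTLS; refusing to send in clear")
    return "plaintext"


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP with a configurable capability list."""

    def __init__(self, extensions):
        self._ext = {e.lower() for e in extensions}
        self.calls = []

    def ehlo(self):
        self.calls.append("ehlo")

    def has_extn(self, name):
        return name.lower() in self._ext

    def starttls(self, context=None):
        self.calls.append("starttls")
        self._ext.discard("starttls")  # real servers stop advertising it once encrypted

    def quit(self):
        self.calls.append("quit")


def send_outcome(extensions, mode):
    """Drive secure_session() against a FakeSMTP advertising `extensions`;
    returns "tls", "plaintext" or "refused"."""
    smtp = FakeSMTP(extensions)
    try:
        return secure_session(smtp, mode)
    except TlsDowngradeError:
        return "refused"


if __name__ == "__main__":
    for exts in (["STARTTLS", "8BITMIME"], ["8BITMIME"]):
        for mode in ("opportunistic", "forced"):
            print(f"{exts} {mode:13} -> {send_outcome(exts, mode)}")
```

With a real `smtplib.SMTP` object the same function applies unchanged; the only difference between the two modes is what happens on the path where `has_extn("starttls")` is false, and forced mode is the one to choose for peers that are known to support TLS (a partner firm, a cloud provider) so that a stripped capability list cannot quietly turn the connection into plaintext.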
III. Proactive Prevention
C. Steps – 6. Commuting / Travel
• Use privacy screen/filter
• Security When Traveling
  • Avoid using shared computers in cyber cafes, public areas or hotel business centers
  • If you must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)
  • Avoid public hotspots unless you use, e.g., iPass
  • Borrow/buy MiFi device?
  • Do not use devices belonging to other travelers, colleagues or friends
III. Proactive Prevention
C(6). Commuting / Travel
• International Travel Tips:
  • Recommended: change passwords before leaving abroad and again when you return
  • Do not take regular laptop, tablet or phone to China
    • Potentially same re: EU travels
  • Avoid sending sensitive email messages
  • Beware: U.S. Customs & Border Protection has increased scrutiny of laptops, devices, etc.
III. Proactive Prevention
C(6). Commuting / Travel
• Upon returning to the States, CBP asking for passwords, including to social media
  • Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)
  • Sen. Ron Wyden (OR), letter to then HHS Secretary Kelly (2/20/17)
• Assert attorney-client privilege (or another basis for confidentiality such as privacy?)
  • But don’t go so far as to get detained?
• Recent guidance from CBP: www.cbp.gov/sites/default/files/assets/documents/...
III. Proactive Prevention
C. Steps – 7. Metadata
• Metadata and Redactions
• Metadata – Goalkeeper Prompts in Workshare Protect – Example . . .
III. Proactive Prevention
C(7). Metadata
• Metadata and Redactions
  • Workshare settings (incl. re: .pdf’s)
• Redactions
  • Do use Adobe Acrobat Pro
  • Don’ts:
    • Word: borders/shading or highlighter
    • Acrobat: text box or shapes-drawing tool
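What a metadata-scrubbing step actually removes from an Office document, as an added example that is not part of the webinar materials and not Workshare’s product: a .docx is a zip of XML parts, with the author, last modifier and revision count in `docProps/core.xml` and reviewer comments in `word/comments.xml`. The example builds a minimal sample file in memory (constructed content; not a complete, Word-openable document), scrubs it, and reports what identifying metadata remains, the kind of pre-send check a “goalkeeper” prompt performs. In a real file, dropping the comments part also requires removing its relationship and content-type entries, which is omitted here.

```python
"""Strip identifying metadata from a (constructed, minimal) .docx and report
what is left. Added example; the sample document and its contents are constructed."""

import io
import re
import zipfile

CORE = "docProps/core.xml"
COMMENTS = "word/comments.xml"
DOCUMENT = "word/document.xml"
# core.xml elements that identify people or editing history (dc:title is kept).
SENSITIVE_CORE_TAGS = (
    "dc:creator", "cp:lastModifiedBy", "cp:revision",
    "cp:lastPrinted", "dcterms:created", "dcterms:modified",
)


def build_sample_docx():
    """Constructed three-part zip in the shape of a .docx (not a full Word file)."""
    core = (
        "<?xml version='1.0' encoding='UTF-8'?>"
        "<cp:coreProperties xmlns:cp='http://schemas.openxmlformats.org/package/2006/metadata/core-properties'"
        " xmlns:dc='http://purl.org/dc/elements/1.1/' xmlns:dcterms='http://purl.org/dc/terms/'"
        " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>"
        "<dc:title>Settlement Draft</dc:title><dc:creator>j.doe</dc:creator>"
        "<cp:lastModifiedBy>partner.x</cp:lastModifiedBy><cp:revision>17</cp:revision>"
        "<dcterms:modified xsi:type='dcterms:W3CDTF'>2018-01-10T09:00:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    document = "<w:document><w:body><w:p><w:r><w:t>Offer: $1.2M</w:t></w:r></w:p></w:body></w:document>"
    comments = ("<w:comments><w:comment w:author='partner.x'><w:p><w:t>Client will go to 1.5M"
                "</w:t></w:p></w:comment></w:comments>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CORE, core)
        z.writestr(DOCUMENT, document)
        z.writestr(COMMENTS, comments)
    return buf.getvalue()


def scrub(docx_bytes, drop_comments=True):
    """Return a copy with sensitive core properties removed and (optionally) comments dropped."""
    pattern = re.compile(r"<(%s)\b[^>]*>.*?</\1>" % "|".join(SENSITIVE_CORE_TAGS), re.S)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if drop_comments and name == COMMENTS:
                continue  # comments routinely carry internal negotiating positions
            data = src.read(name)
            if name == CORE:
                data = pattern.sub("", data.decode("utf-8")).encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue()


def part(docx_bytes, name):
    """The text of one zip part, or '' if absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name).decode("utf-8") if name in z.namelist() else ""


def report(docx_bytes):
    """List identifying metadata still present; empty means the file is clean by this check."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if COMMENTS in z.namelist():
            found.append("comments part present")
    core = part(docx_bytes, CORE)
    for tag in SENSITIVE_CORE_TAGS:
        m = re.search(r"<%s\b[^>]*>(.*?)</%s>" % (tag, tag), core, re.S)
        if m:
            found.append(f"{tag}={m.group(1)}")
    return found


if __name__ == "__main__":
    raw = build_sample_docx()
    print("before:", report(raw))
    print("after: ", report(scrub(raw)))
```

The same check is useful in reverse: run `report()` on a document received from the other side before forwarding it, since what it finds is exactly what a scrubber on their end failed to remove.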
III. Proactive Prevention
C. Steps – 8. Netiquette
• Social Media
• Bcc’s
• Emails to “All” (companywide)
• Auto-complete
• Reply All
![Page 50: Data Security Compliance and Responding To a Data Breach ...media.straffordpub.com/products/data-security-compliance...2018/01/23 · •Health/medical = HIPAA (60 days notice) •covered](https://reader034.fdocuments.us/reader034/viewer/2022043010/5fa02a318644d73ec7612ff7/html5/thumbnails/50.jpg)
C. Steps – 9. Network Monitoring & Pen Tests
III. Proactive Prevention
50
Firewall
Anti-Virus / Anti-Malware (incl. macros) / Anti-Spyware
Vulnerability assessment / remediation
Spam filtering plus phishing protection (e.g., ProofPoint / Mimecast, including URL defense)
Periodic vulnerability assessments and penetration tests by an independent consultant
C. Steps – 10. Cyber-Insurance
III. Proactive Prevention
51
First Party Coverage?
Third Party Coverage (clients, vendors, employees, etc.)?
Covered by Prop. Ins. Policy?
CGL Policy?
Covered by D&O and/or E&O?
Crimes?
If not, get separate/special coverage?
Get phishing endorsement?
Depends at least in part on:
Industry
Data types and volumes
IV. Reactive Remediation – Incident Response
52
FOLLOW PROCESS . . .
Documented response plan / procedures
Documented protocols / checklists
Internal team leaders and members identified and trained (e.g., InfoSec, Legal & Public Relations)
Outside contacts listed, e.g., Information-Security consulting firm, Counsel, law enforcement & Insurance carrier
Training – tabletop exercises, etc.
IV. Incident Response
10. Big-Picture Process
53
Categories defined?
Data- and machine-handling protocol
Workflow/Communication chart re:
Discover / Assess / Contain
Remediate / Close / Mitigate
IV. TOP TEN TIPS
FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: info.?
8. Encrypted?
7. If encrypted, key compromised?
54
IV. TOP TEN TIPS
GET YOUR BEARINGS . . .
6. If a contractual relationship:
• Look at the contract
• Decide if will try to negotiate re: notice
5. If law enforcement is involved, open a dialogue
4. See if, under strictest statute, notice trigger(s) have kicked in
55
IV. TOP TEN TIPS
TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If MUST give notice, address required:
• Method and Contents – e.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
• Recipients (might include an AG, e.g.)
• Timing (might be OK, under law, to delay)
2. If COULD give notice, discuss customer relations with C-level
1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)
56
Q&A/ Conclusion/ Resources . . .
Robert D. Brownstone, Esq.
Fenwick & West LLP
<tinyurl.com/Bob-Brownstone-Bio>
<www.ITLawToday.com>
Brent E. Kidwell, Esq.
Jenner & Block
<www.jenner.com/people/BrentKidwell>
57