Dealing Data Leaks: Creating Your Data Breach Response Plan


Transcript of Dealing Data Leaks: Creating Your Data Breach Response Plan

Page 1: Dealing Data Leaks: Creating Your Data Breach Response Plan
Page 2: Dealing Data Leaks: Creating Your Data Breach Response Plan

© benefitexpress 2016

Cyber Security and Data Breaches

Larry Grudzien, Attorney at Law

Page 3: Dealing Data Leaks: Creating Your Data Breach Response Plan


Recent High-Profile Data Breaches

Sony: November 2014

• Suspected North Korean hackers

• Data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of unreleased Sony films, and other information.

• The hackers called themselves the “Guardians of Peace” and demanded the cancellation of the planned release of the film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un.

Page 4: Dealing Data Leaks: Creating Your Data Breach Response Plan


Recent High-Profile Data Breaches

Anthem: January 2015

• Suspected Chinese hackers.

• Nation's second largest health insurer.

• Names, addresses, social security numbers, birth dates, and other information from 80 million customers and employees.

• Thieves used the information to rack up $40,000 in credit card charges for some customers.

Page 5: Dealing Data Leaks: Creating Your Data Breach Response Plan


Recent High-Profile Data Breaches

Office of Personnel Management (U.S. Government): April 2015

• In June 2015, OPM announced that it had been the target of a data breach targeting the records of as many as four million people.

• Later, FBI Director James Comey estimated 18 million records were affected.

• The breach has been described by federal officials as among the largest breaches of government data in the history of the U.S.

Page 6: Dealing Data Leaks: Creating Your Data Breach Response Plan


Recent High-Profile Data Breaches

Office of Personnel Management (U.S. Government): April 2015

• Information targeted included SSNs, names, dates and places of birth, and addresses

• Also likely involved the theft of detailed security-clearance-related background information

• And even 5 million fingerprints

• On July 9, 2015, the estimate of the number of stolen records was increased to 21.5 million

• Soon after, Katherine Archuleta, the director of OPM and former National Political Director for Barack Obama's 2012 reelection campaign, resigned

Page 7: Dealing Data Leaks: Creating Your Data Breach Response Plan


Recent High-Profile Data Breaches

Target: December 2013

• Suspected Russian hackers

• 70 million customers

• Name, address, phone number and e-mail address.

• After the data breach was discovered, Target offered one year of free credit monitoring and identity theft protection to all customers who shopped in U.S. stores

• Access was gained through a third-party vendor (HVAC)

• Shows the importance of third-party controls as well

Page 8: Dealing Data Leaks: Creating Your Data Breach Response Plan


High Level Technical Overview

General Overview

• General Overview

• How do you approach advising your employer on cybersecurity?

• What does the threat landscape look like now?

• What resources are out there to help you?

Page 9: Dealing Data Leaks: Creating Your Data Breach Response Plan


High Level Technical Overview

What can be hacked?

Anywhere there is a device consisting of hardware and software, typically with an internet connection

Page 10: Dealing Data Leaks: Creating Your Data Breach Response Plan


High Level Technical Overview

Define Applicable Terms

• Cyber Security: the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide

• Data Breach: the intentional or unintentional release of secure information to an untrusted environment

• Cloud: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer

• Phishing: the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication

Page 11: Dealing Data Leaks: Creating Your Data Breach Response Plan


High Level Technical Overview

Define Applicable Terms

• Encryption: the process of encoding messages or information in such a way that only authorized parties can read it

• Botnet: (also known as a zombie army) a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet

• Patch: a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities

• Two-Factor Authentication: a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code

Page 12: Dealing Data Leaks: Creating Your Data Breach Response Plan


High Level Technical Overview

Additional Resources on Cyber Security and Data Breach Topics

• Federal Trade Commission, “Start with Security” guidance to businesses (https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf). This is generic guidance drawn from the FTC’s recent enforcement cases. It is fairly simple and written in non-technical language, but it provides some insight into what one group of federal regulators thinks is (or should be) the standard of care for a business.

• NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/). This document was developed through a lengthy consultation process with industry; it is meant to provide a general approach to cybersecurity and to point businesses toward the relevant existing standards. In many industry contexts, it is becoming the de facto “standard of care.”

• NIST Recommendations (http://csrc.nist.gov/publications/PubsSPs.html). These documents are more detailed and technical recommendations developed through the NIST collaborative process with industry. The “800” series is particularly important in cybersecurity. The documents are designed for use by IT professionals responsible for implementing a company’s cybersecurity program.

Page 13: Dealing Data Leaks: Creating Your Data Breach Response Plan


High Level Technical Overview

Additional Resources on Cyber Security and Data Breach Topics

• Verizon Data Breach Investigations Report (DBIR) (http://www.verizonenterprise.com/DBIR/) is an annual analysis of cyber threats as reflected in actual data breaches and security incidents. The report looks at anonymized data submitted by a broad range of law enforcement agencies, private companies, and cybersecurity providers.

• Steptoe & Johnson Cyberlaw Podcast. Weekly podcast put out by a group of lawyers at Steptoe. They provide a good summary of case law, policy developments, and legislation relating to cyber, data breach, privacy, national security, etc.

• DHS Information Sharing resources: DHS supports a number of information sharing initiatives. You can find summary information here: http://www.dhs.gov/topic/cybersecurity-information-sharing.

Page 14: Dealing Data Leaks: Creating Your Data Breach Response Plan


100% Prevention is Not Possible

• Lose credibility if you state (or think) otherwise

• Critical to recognize the reality

• Three kinds of entities:

  – Have been hacked

  – Will be hacked

  – Have been or will be, but just don’t know it (or don’t admit it)

Page 15: Dealing Data Leaks: Creating Your Data Breach Response Plan


Standard of Care

A standard of care is developing:

• NIST

• DOJ Guidelines

• Homeland Security

Critical to be – and stay – ahead of the curve

Page 16: Dealing Data Leaks: Creating Your Data Breach Response Plan


Government Involvement

Federal Law Enforcement

• FBI: FBI InfraGard

• U.S. Secret Service: Electronic Crimes Task Force (ECTF)

• Entities organized by state or local authorities

Page 17: Dealing Data Leaks: Creating Your Data Breach Response Plan


Government Involvement

Federal Agencies

• SEC

• DOJ

• FTC

• Homeland Security

Page 18: Dealing Data Leaks: Creating Your Data Breach Response Plan


Government Involvement

Federal Legislation

• US Congress passed the Cybersecurity Act of 2015, and President Barack Obama signed the measure into law on December 18, 2015

• The Act aims to defend against cyberattacks by creating a framework for the voluntary sharing of cyber threat information between private entities and the federal government, as well as within agencies of the federal government

• The legislation also aims to protect individuals’ privacy rights by ensuring that personal information is not unnecessarily divulged

• Companies are permitted to monitor and operate defensive measures on both their own information systems and those of others with written authorization

Page 19: Dealing Data Leaks: Creating Your Data Breach Response Plan


Government Involvement

Federal Legislation

• Entities are encouraged to implement and utilize security controls to protect against unauthorized access to or acquisition of cyber threat indicators or defensive measures

• Companies may share threat indicators and defensive measures with the federal government, but they must institute appropriate security controls and remove personal information not directly related to the reported cybersecurity threat

• Liability protections are available for companies choosing to share information, provided they implement the proper controls

• Private entities may also share threat indicators and defensive measures with other private entities; again, personal information must be removed and security controls should be in place

Page 20: Dealing Data Leaks: Creating Your Data Breach Response Plan


Government Involvement

State Regulations

• 49 states

• Different definitions of “breach”

• Different requirements regarding notification of government officials, law enforcement, etc.

• Different requirements regarding notification of customers

• Different requirements as to what data elements must be disclosed in notifications

Page 21: Dealing Data Leaks: Creating Your Data Breach Response Plan


Government Involvement

Report on Status of Regulatory Rulemaking

Federal: NIST Framework, Executive Order effect on regulatory agencies.

Specific agency interest:

• SEC

• FTC

• FCC

• Sector agencies

Page 22: Dealing Data Leaks: Creating Your Data Breach Response Plan


Information Sharing Among Stakeholders, Government Agencies, Etc.

Report on general status

Government contractors and subcontractors have different obligations than other entities

Page 23: Dealing Data Leaks: Creating Your Data Breach Response Plan


3rd Party Vulnerability and Efforts to Control

• Target breach was through an HVAC vendor

• Questionnaires/interviews regarding data security practices

• Audits regarding the same

Page 24: Dealing Data Leaks: Creating Your Data Breach Response Plan


Who are the Hackers?

• Nation States (North Korea, China, Russia, other?)

• Criminal Groups

• “Patriotic hackers”

• Terrorists/ISIL

• Even Teenagers

Page 25: Dealing Data Leaks: Creating Your Data Breach Response Plan


What are Their Motivations?

• Money is the usual driver

• But not always: see Ashley Madison (morality was the driver?)

• Ransom scams are common

Page 26: Dealing Data Leaks: Creating Your Data Breach Response Plan


Data Breach Litigation

• Recent General Counsel article predicting a “wave of data breach litigation”

• Recent 7th Circuit case regarding standing in data breach cases (Remijas v. Neiman Marcus Group, 794 F.3d 688 (2015))

• Class action cases against Target, Anthem, Sony, etc.

Page 27: Dealing Data Leaks: Creating Your Data Breach Response Plan


Commercially Available Products and Services

High level, publicly available discussion of prior work for DOD and the Intelligence Community:

• Booz Allen Hamilton

• Verizon Communications

Cyber products and services available from Booz Allen Hamilton:

• Threat analyses (pre-breach): vulnerability testing and recommendations for remediation

• Cyber4Sight® Services: predictive intelligence service to help clients prepare for future attacks, with information/reports on threat-actor activities and trends

• Post-cyber incident threat mitigation

• Workforce skills assessment and cyber training

• Analytics of risks, threats, and opportunities for companies, government, and executive clients

Page 28: Dealing Data Leaks: Creating Your Data Breach Response Plan


Commercially Available Products and Services

Products and services available from Verizon:

• Managed Security Services

• Forensic Response

• Rapid Response Retainers

• Government partnerships (ECS)

Page 29: Dealing Data Leaks: Creating Your Data Breach Response Plan


Suggested Best Practices

Must have a carefully constructed response plan in place BEFORE the crisis hits

Critical for:

• Post-breach litigation

• Government inquiries/investigations (SEC, DOJ, FTC, state regulators, etc.)

• Response to media inquiries/public opinion/investors/corporate executives

Plan should include:

• Identify and protect critical assets (not necessarily “everything”)

• Experienced external counsel and forensic experts retained in advance: no delay for conflict checks

• Expert advice to help develop the plan (make sure there is a backup of critical data and the ability to log event traffic)

• Expert advice available as soon as a breach is detected

• After-hours/weekend response already negotiated

Page 30: Dealing Data Leaks: Creating Your Data Breach Response Plan


Suggested Best Practices

Law enforcement contacts developed in advance:

• FBI InfraGard

• USSS ECTF

• Others

Media Response Plan:

• Single point of contact

• Recognize that investigation and recovery take time – OPM, etc.

Page 31: Dealing Data Leaks: Creating Your Data Breach Response Plan


Suggested Best Practices

• Dissemination of Information to Board of Directors:

  – Critical – boards are beginning to be held accountable

  – Boards need to understand that this is no longer just a low-level IT issue

  – Boards need to understand the extent and importance of efforts to prevent, monitor, detect and mitigate

• Dissemination of Information to Investors:

  – Critical that the Investor Relations Dept. understands and is prepared for investor inquiries and notifications post-breach

• Notification of Customers:

  – Currently governed by 49 different state laws

  – Plus a host of international rules and regulations for global customers

Page 32: Dealing Data Leaks: Creating Your Data Breach Response Plan


Suggested Best Practices

• War Games/Simulations:

  – Good practice for the real thing

  – Also shows awareness, seriousness and taking responsibility in advance of a breach

• Engage “White Hat” Hackers: run “Bug Bounty” programs

• Insurance products:

  – Liability coverage may not cover these breaches

  – May have to obtain a separate insurance policy

Page 33: Dealing Data Leaks: Creating Your Data Breach Response Plan

Questions?

Page 34: Dealing Data Leaks: Creating Your Data Breach Response Plan


Contact

Larry Grudzien, Attorney at Law

708-717-9638

[email protected]

larrygrudzien.com