LEO CYBER SECURITY REFERENCE DESK 2017
www.leocybersecurity.com

CONTACTS
Seth Jaffe - General Counsel and VP, Incident Response
David Tompkins - SVP of Client Services
David Deering - Founder and Client Executive
SUMMARY
Designed to accompany LEO's Cyber Security Law Conferences, this compilation of documents is intended to provide useful references to pressing cyber security issues. The information contained in this compilation is for informational purposes only, and is not intended to be legal advice.
Sample Questions a Board of Directors May Want to Ask the Information Security Group

In today's environment, certain fiduciary duties imposed on corporate directors apply to information security. These duties must be discharged in good faith and in a manner the director reasonably believes to be in the best interests of the company. In the wake of major data breaches, courts and experts have weighed in on the board of directors' cyber security duties.1 The following questions are intended to serve as example queries for the board to put to the information security department. They are purposely fashioned not to be yes/no questions, to better elicit dialog between Infosec and the board. Certain questions may beget complex answers, so it may make sense for a technical member of the board or a chartered committee to pose the questions.

Goal 01 – Identify Information Assets
Actionable risk assessments depend on an accurate inventory of company information. This starts with thorough data mapping, taking into account not only where data resides, but what kind of data it is, along with its potential value on the dark web.
Board Questions:
1. What tools and processes did we use for asset and data discovery?
2. What assets have the most value to cyber criminals?
3. How many assets did we discover that we were unaware of?
Red Flags: No new assets discovered. No clearly defined classification of assets, and no control sets specified based on classification. Uncontrolled data and use of cloud applications.

Goal 02 – Identify Risks to the Information Assets
Once assets are catalogued, assess the risks associated with those assets. This includes identification of the potential threats to the assets, the likelihood of those threats finding their target, and the subsequent damage if those threats do materialize.
Board Questions:
1. Describe the last three tests we have completed outside of penetration tests.
2. Identify the top two threats by likelihood of attack and by damage to the company.
Red Flag: Lack of risk assessments outside of generic pen tests.

Goal 03 – Establish a Written Information Security Plan (WISP)
Various laws, regulations, and guidelines require adoption of an information security program commensurate with the risks presented. An integral part of that program is the adoption of a WISP, the contents of which should evolve to meet the dynamic cyber threat landscape.
Board Questions:
1. When was the last time our WISP was updated, and what change does the update reflect?
2. How does our WISP handle third-party management?
3. What modifications do we plan to make to the WISP in accordance with our 1-, 3-, and 5-year strategy?
Red Flag: Lack of, or stagnant, WISP.

Goal 04 – Implement the Security Program
Failing to implement responsive security measures may put board members in the crosshairs of a shareholder derivative suit.
Board Questions:
1. What is the status of our security program deployment?
2. What are the last three security measures that were deployed to meet our WISP?
3. What is the most difficult part of implementing this plan?
4. What are the next three actions you plan to take?
Red Flag: Lack of clear direction or dedicated resources to drive the program.

Goal 05 – Monitor the Effectiveness of the Security Program
Security programs must adapt as the threats do, and this requires periodic assessments of their effectiveness.
Board Questions:
1. Describe the three most difficult parts of your daily cyber security operations.
2. Name the two tools that require the most time for day-to-day operations.
3. Who manages those tools?
Red Flag: Inability to provide insight metrics, dashboards, or key performance indicators about the program's improvement and success.

Goal 06 – Reassess and Update Security Program
When program effectiveness wanes, changes should be implemented to modernize and maintain it. This could occur because of changes in the threat landscape, changes to operations or the technology used in the business, or discovery of better security solutions on the market.
Board Questions:
1. When was the last time a third party assessed our cyber security program in operation, who was it, and what were the findings?
2. What recent material business changes may have opened us to new threats?
3. When was the last time we conducted a review of cybersecurity solutions, and what were the findings?
Red Flag: Little to no demonstrable action has been taken since the last assessment.

Goal 07 – Employee Cyber Security Training
Security programs are only as strong as their weakest link. Participation from employees is paramount to program success, and that begins with training and education.
Board Questions:
1. What is our cyber security employee training and education plan?
2. What were the last three initiatives undertaken in that area?
3. Specifically describe to me how we educate users about phishing and spearphishing attacks.
Red Flag: Inability to measure the effectiveness of the program and the improvement of the employees.

Goal 08 – Imposing Security Obligations on Third Party Partners
As demonstrated in some of the more notable breaches of late, outsourcing does not absolve companies of their security obligations. In fact, companies have a duty not only to contractually require vendors to implement and maintain appropriate security measures, but to periodically verify compliance.
Board Questions:
1. Describe our third-party cyber security ratings and risk monitoring process.
2. Do we have a vendor risk management program in place?
3. Show me sample security provisions imposed on third parties.
Red Flags: Not having a formalized third-party program and a clear inventory of vendors. No defined security audit program.

Goal 09 – Implement a Robust Incident Response Program
Modern responses to cyber security incidents occur in public view, and companies cannot afford to haphazardly hash together a plan as the incident occurs. Programs should include detailed run books, well-trained teams, and pre-coordinated partnerships.2
Board Questions:
1. Provide the written incident response plan.
2. Highlight the executable parts of the plan.
3. What type of personnel certification program is in place?
4. Describe the event escalation protocols, including how executives/board members are notified.
Red Flags: No training has been provided to senior management related to incident response. Simulations/tabletop exercises are infrequent or of low fidelity.

1 For a legal interpretation of court opinions, see Thomas J. Smedinghoff, Addressing Director Responsibilities for Data Security, available from the author: https://www.lockelord.com/professionals/s/smedinghoff-thomas-j
2 For more information on incident response programs, see http://leocybersecurity.com/service/executive-risk-cyber-crisis-management/
C-Level Questionnaire

1. Would you describe your Security Program as reactive or proactive, and why?
2. When you have your next event/breach, are you most likely to find it yourself (i.e., by the organization's IT/Security staff) or be informed about it by an external party like the FBI?
3. Who is your most senior dedicated security person? Who do they report to? How many levels down are they from the C-Suite?
4. How often are the C-Suite and Board briefed on security?
5. What is the Board's and C-Suite's risk tolerance with regard to security? Has that been communicated down to the organization/IT/security groups?
6. Is your 1/3/5-year Security Roadmap in line with the risk tolerance set by the Board and C-Suite? Are those goals adequately funded?
7. What is your budgeted security spend as a percentage of IT? Dedicated resource allocation? How do you match up with your competitors?
8. How do you evaluate the return on investment (ROI) of your IT Security spend? What metrics, key performance indicators, and dashboards do you receive from the IT and/or Security Team?
9. What is your security strategy for the Internet of Things (IoT)?
10. What are your critical business systems/data (i.e., those that, if lost or compromised, would end/disrupt the business/revenue)? What extra security controls are in place around those systems? What is the cost to the organization if those systems are down? How quickly can you restore them?
11. How would you know if you had a threat moving laterally through your network? Is your internal network considered trusted?
12. How do you know when your critical data is leaving your controlled environments?
13. How would you recognize an insider threat?
14. When was the last time you tested your Incident Response (IR) Plan? What were the results and lessons learned? Do you run tabletop exercises or employ Red Teams?
15. From a security perspective, how do you evaluate your vendors, suppliers, and other third parties with whom you may interact? What type of access do you allow them to have to your environment?
16. How do you verify your users when they log in to your systems? How do you filter for bad actors with compromised credentials? Where do you use multi-factor authentication?
17. How have you prepared for ransomware? Can you recover? Do you pay?
18. Who would you call if you have a breach? Do you have an IR retainer?
19. Who monitors your privileged users and super users? How many do you have?
20. How much data/IP/PII, etc., do you have in the cloud? How do you control the movement of that data?
21. How do you review and approve Software as a Service (SaaS) platforms like Salesforce, Concur, Box, Amazon Web Services, etc.? What are your defined Security Requirements for those solutions?
22. If you have a European Union (EU) presence, what steps have you taken to be compliant with the General Data Protection Regulation (GDPR) by May 25, 2018?
23. When presented with a new threat/breach/hack/etc.:
a. Has this threat impacted organizations of similar size, geography, line of business, and customer profile?
b. Has this threat been weaponized/automated, and is it 'in the wild' right now?
c. Do our existing mitigating controls (e.g., firewall, antivirus, architecture) acceptably decrease our organization's susceptibility to this threat?
Sample Security Controls Matrix: Tactics for Negotiating Security Provisions

Disclaimer
This document is a case study of a hypothetical company. The matrix below represents a hypothetical company's posture as it relates to a particular standard, in this case CIS 20. This type of matrix can be prepared for other standards, such as ISO 27002, NIST 800-53, etc. Bear in mind, however, that the matrix is specific to a particular company and, in some cases, to a particular venture. This document is not intended to be used as a generic reference; rather, it is an example of the type of deliverable that can assist transactional attorneys in negotiating security provisions.

Overview
The intent of this document is to present a case study based upon a fictitious organization, in this scenario a software as a service (SaaS) provider ("SaaSCorp") targeting mid-size to large companies. As it is awarded contracts, SaaSCorp's customers impose certain security provisions by way of a Master SaaS Agreement. One of the provisions stipulates that SaaSCorp represent and warrant that administrative, physical, and technical safeguards are in place that are no less rigorous than those set out in the CIS 20 standard.1

SaaSCorp's attorney is concerned about whether SaaSCorp can make those representations, as she does not wish for her organization to be in breach immediately upon execution of the contract. For this reason, she engages a cyber security company to assess SaaSCorp's cyber program against the CIS 20 standard (and other security provision requirements) for this type of industry/venture, for the purpose of building a matrix she can use in this and subsequent contract negotiations.

Negotiation Tactics
Oftentimes security standards are negotiated in an all-or-nothing fashion, but SaaSCorp's attorney recognizes that she may be able to break up a standard control by control, for granular negotiations. Her negotiation tactics include the following strategies:
1. Determine which controls/items have already been completed so that she can accept them outright
2. Identify those controls/items that could be completed with low to moderate difficulty and at reasonable cost
3. Negotiate out controls/items that are not applicable to SaaSCorp's security program requirements for this engagement
4. Defer, for a period of time, certain controls/items that are considered difficult to implement or are costly
5. Offer, as an alternative, a liability supercap in lieu of completing a control/item
6. Put in place, as an alternative, additional insurance coverage in lieu of completing a control/item
7. Shift back to the customer, for a price discount, responsibility for a control/item

1 CIS 20 was selected in this exercise in part because of its division of security controls into 20 defined categories.
Security Controls Matrix - Case Study & Sample Controls Matrix

Disclaimer: This document represents a hypothetical case study involving a fictitious organization, for educational purposes, and does not refer to any specific or actual organization.

The matrix rates each SANS CIS 20 Security Control on Status (Complete, or the negotiation tactic applied), Difficulty (Easy / Medium / Hard), CapEx ($ / $$ / $$$) and OpEx ($ / $$ / $$$), with notes. The status and notes for each control follow.

1. Inventory of Authorized and Unauthorized Devices
Status: Complete
Notes: SaaSCorp has processes in place to perform and maintain current hardware inventories, and can demonstrate having met this requirement.

2. Inventory of Authorized and Unauthorized Software
Status: Complete
Notes: SaaSCorp has processes in place to perform and maintain current software inventories, and can demonstrate having met this requirement.

3. Secure Configurations for Hardware and Software
Status: Tactic 2: Can complete
Notes: The majority of the expenditure would be in OpEx, because securing systems can be completed with SaaSCorp's existing information security team.

4. Continuous Vulnerability Assessment and Remediation
Status: Tactic 2: Can complete
Notes: SaaSCorp has already completed a vulnerability assessment. Upon execution of this agreement, SaaSCorp will contract with a third party to satisfy this control.

5. Controlled Use of Administrative Privileges
Status: Complete
Notes: SaaSCorp has processes and technology in place to provide this capability, and can demonstrate having met this requirement.

6. Maintenance, Monitoring, and Analysis of Audit Logs
Status: Tactic 2: Can complete
Notes: SaaSCorp will need to implement technology solutions to support this requirement, and will contract with a 3rd party for support and monitoring services to minimize operational costs.

7. Email and Web Browser Protections
Status: Tactic 2: Can complete
Notes: SaaSCorp has basic email security technologies in place; however, the existing program does not address web browsing defenses. Addressing this issue will be relatively easy, but will require the purchase and deployment of additional technology solutions.

8. Malware Defenses
Status: Complete
Notes: SaaSCorp has purchased and implemented current anti-malware technology, and can demonstrate having met this requirement.

9. Limitation and Control of Network Ports
Status: Complete
Notes: SaaSCorp has network configuration standards and processes in place to address this, and can demonstrate having met this requirement.

10. Data Recovery Capability
Status: Tactic 7: Shift to customer (Not Applicable)
Notes: Customer is a cloud service provider, so this control can be pushed to the customer in negotiation, perhaps with a price shift.

11. Secure Configurations for Network Devices
Status: Complete
Notes: SaaSCorp has developed a basic device security management process, and can demonstrate having met this requirement.

12. Boundary Defense
Status: Complete
Notes: SaaSCorp has boundary controls such as firewalls and intrusion detection systems in place, and can demonstrate having met this requirement.

13. Data Protection
Status: Tactic 5: Supercap
Notes: SaaSCorp does not currently have the ability to encrypt data, but relies on other controls and aspects of its cyber security program to protect customer data. Until such encryption can be rolled out, SaaSCorp may offer a supercap in the limitation of liability for this control. As an alternative, SaaSCorp can offer to attain additional cyber security insurance.

14. Controlled Access Based on the Need to Know
Status: Complete
Notes: SaaSCorp has defined policy requirements and processes to limit access based on role, and can demonstrate having met this requirement.

15. Wireless Access Control
Status: Tactic 3: N/A (Not Applicable)
Notes: SaaSCorp prevents wireless networking by policy and does not employ wireless networks.

16. Account Monitoring and Control
Status: Tactic 6: Insurance
Notes: SaaSCorp can monitor when users are logging in, but has limited insight into account usage details. Until technology solutions are put in place, SaaSCorp can offer to attain additional cyber security insurance and name Customer as a beneficiary.

17. Security Skills Assessment & Appropriate Training to Fill Gaps
Status: Tactic 2: Quick Win
Notes: SaaSCorp can meet this requirement with relative ease by leveraging 3rd party solutions to assess existing security skills and provide training courses.

18. Application Software Security
Status: Complete
Notes: SaaSCorp has a documented secure software development process in place, and can demonstrate having met this requirement.

19. Incident Response and Management
Status: Tactic 4: Defer for one year
Notes: While SaaSCorp has a generic incident response plan, the attorney is concerned that it is not actionable and may not withstand scrutiny. SaaSCorp will convey its plans to employ a recognized incident response program and will negotiate one year to comply.

20. Penetration Tests and Red Team Exercises
Status: Complete
Notes: SaaSCorp has performed a penetration test within the prior 12 months, and can demonstrate having met this requirement.
DOCUMENTS SUGGESTING CYBER SECURITY PROGRAMS (October 27, 2017)
Seth Jaffe – [email protected]
https://www.linkedin.com/in/sethejaffe/
Entries are listed as Institution, Title (Date): Excerpt.

American Bar Association, Formal Opinion 477 (May 11, 2017): A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Association of Corporate Counsel, Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (2017): "Outside Counsel shall have in place appropriate organizational and technical measures to protect Company Confidential Information or other information of a similar nature"

Board of Governors of the Federal Reserve System, Guidance Concerning the Reporting of Computer-Related Crimes by Financial Institutions (Nov. 6, 1997): "A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030 (Fraud and related activity in connection with computers)."

California DOJ, California Data Breach Report (Feb 2016): "California's information security statute requires businesses to use 'reasonable security procedures and practices...to protect personal information from unauthorized access, destruction, use, modification, or disclosure.'"
Colorado, 3 Colo. Code Regs. §§ 704-1:51-4.8(A), 704-1:51-4.14(A) (May 15, 2017): "A broker-dealer must establish and maintain written procedures reasonably designed to ensure cybersecurity."

Dept. of Treasury (FinCEN), FinCEN Advisory (Oct. 25, 2016): "If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions."

European Union, GDPR – General Data Protection Regulation (Apr. 27, 2016): "controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk"

European Union, NIS (Network and Information Systems) Directive (July 6, 2016): "Each Member State shall adopt a national strategy on the security of network and information systems"
Federal Reserve, FDIC, Office of the Comptroller of the Currency, Enhanced Cyber Risk Management Standards (Proposed Rule) (2016): "Agencies are considering standards under the cyber risk governance category that would be similar to the governance standards generally expected for large, complex financial organizations."

FDIC, Suspicious Activity Reporting (FIL-124-97) (Dec. 5, 1997): "A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030 (Fraud and related activity in connection with computers)."

Gramm-Leach-Bliley Act, 15 U.S.C. § 6827(4)(a); 15 U.S.C. § 6801(b)(1)-(3) (July 21, 2010): "Establish appropriate standards…to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."

IANS, Tackling NYSDFS Cybersecurity Regulations (July 20, 2017)
Kentucky, Proposed KRS Chapter 61 (10/26/17): "An agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the personal information is maintained, shall implement, maintain, and update security procedures and practices"

Massachusetts, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (Mar. 1, 2010): "Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program"

Nat'l Credit Union Administration (NCUA), Guidance for Reporting Computer-Related Crimes (97-RA-12) (Dec. 5, 1997): "A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030 (Fraud and related activity in connection with computers)."
NY Dept Financial Services, General Information Request (Mar 2015): "Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;"
NY State, Cybersecurity Requirements for Financial Services Companies (Feb 2017): "Section 500.02 Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems."

Office of Inspector General, CFPB Evaluation Report 2017-SR-C-011 (May 15, 2017): Recommends physical and electronic access control, and operational procedures for handling sensitive information.

Office of the Comptroller of the Currency, OCC Bulletin (OCC 2000-14) (May 15, 2000): "Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan"

Rhode Island, Rhode Island Identity Theft Protection Act of 2015 (July 2, 2016): "implement and maintain a risk-based information security program [that] contains reasonable security procedures and practices"
Vermont, Vermont Securities Regulations S-2016-01 (Rev.) (May 15, 2017): "A securities professional must establish and maintain written procedures reasonably designed to ensure cybersecurity."
U.S. Congress, Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Aug. 1, 2017): "requires the contractor providing the Internet-connected device to provide written certification that the device…does not contain…any known security vulnerabilities or defects."

U.S. Congress, Proposed Main Street Cybersecurity Act of 2017 / NIST Small Business Cybersecurity Act (2017): NIST Director "shall disseminate clear and concise resources for small business concerns to help reduce their cybersecurity risks."

U.S. DoD, NASA, GSA, 48 CFR 52.204-21 (May 16, 2016): Contractor shall apply, at a minimum, 15 information security controls.

U.S. Gov't, Cybersecurity Enhancement Act of 2014, 15 U.S.C. 7451 (Dec. 11, 2014): NIST Director shall coordinate with private sector personnel to identify "information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks"
LEO17
DOCUMENTS SUGGESTING INCIDENT RESPONSE PLANS August 7, 2017
Seth Jaffe – [email protected]
https://www.linkedin.com/in/sethejaffe/
1
Entries are listed as Institution, Title (Date): Excerpt.

California DOJ, California Data Breach Report (Feb 2016): "The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security. Control 19: Incident Response and Management"

Dept. of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015): "Organizations should have a plan in place for handling computer intrusions before an intrusion occurs."

European Union, GDPR (April 27, 2016): "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority"
European Union, NIS Directive (July 6, 2016): "Each Member State shall designate one or more Computer Security Incident Response Teams"

EY, Path to Cyber Resilience (2016-17): "Cyber resilience is a subset of business resilience; it is focused on how resilient an organization is to cyber threats. [Step 3 is] 'React,' [which includes] need to be ready to deal with the disruption, ready with incident response capabilities and ready to manage the crisis."

FCC, Consent Order – Cox Communications (Nov 2015): Consent orders related to breaches almost always require an Incident Response Plan: "Within one hundred and twenty (120) calendar days after the Effective Date, Cox shall review, revise and maintain its Incident Response Plan to ensure that it is reasonable, comprehensive, and enables Cox to detect, respond to, and provide timely notification…."

Federal Reserve, FDIC, Office of the Comptroller of the Currency, Enhanced Cyber Risk Management Standards (Proposed Rule) (2016): "The agencies are considering a requirement that covered entities establish and maintain effective incident response and cyber resilience governance, strategies, and capacities that enable the organizations to anticipate, withstand, contain, and rapidly recover from a disruption caused by a significant cyber event."
FFIEC, Cyber Attacks Compromising Credentials (Mar 2015): "The Federal Financial Institutions Examination Council (FFIEC)…is issuing this statement to notify financial institutions of the growing trend of cyber attacks…and to recommend risk mitigation techniques. Financial institutions should address this threat by reviewing their risk management practices and controls over information technology (IT) networks and authentication, authorization, fraud detection, and response management systems and processes."

FFIEC, Destructive Malware (Mar 2015): "In accordance with regulatory requirements and FFIEC guidance, financial institutions should consider taking the following steps. Review, update, and test incident response and business continuity plans."
FFIEC, CAT CEO Board Overview (Jun 2015): "The role of the chief executive officer (CEO), with management's support, may include the responsibility to do the following: • Develop a plan to conduct the Assessment."

FFIEC, CAT (Jun 2015): "Domain 5: Cyber Incident Management and Resilience" includes an incident response team as the baseline.

FTC, FTC Business Alert on GLBA Safeguards Rule (May 2002): "According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. Experts suggest security management, including the prevention, detection and response to attacks, intrusions or other system failures."

HHS, Quick Response Checklist (June 9, 2017): In the event of a cyber-attack or similar emergency, an entity must execute its response and mitigation procedures and contingency plans.

ICC – International Chamber of Commerce, Cyber Security Guide for Business (no date): "In order to minimize business impact of cyber security incidents, enterprises must develop organizational response plans in addition to technical response measures."
NAIC, Insurance Data Security Model Law (Aug. 7, 2017): "each Licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event that compromises the confidentiality, integrity or availability of Nonpublic Information"

NC State / Protiviti, Executive Perspectives on Top Risks for 2015 (2015): "Larger organizations may have invested in developing and testing crisis management plans and now all other organizations are realizing their need for similar investments despite their smaller size and more limited resources."

NIST, Framework for Improving Critical Infrastructure Cybersecurity (Ver 1.0, Feb 2014): "PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans are in place and managed."

NIST, Supply Chain Risk Management, Pub 800-161 (Apr 2015): "Implement a robust incident management program to successfully identify, respond to, and mitigate security incidents. This program should be capable of identifying causes of security incidents, including those originating from the ICT supply chain."
NIST, Guide for Cybersecurity Event Recovery (Dec 2016): "While this document is primarily focused on recovering from a cybersecurity event, it is important to understand that a Cyber Incident Response Plan (CIRP) should be developed as part of a larger Business Continuity Plan (BCP)."

NY Dept Financial Services, General Information Request (Mar 2015): "Describe the extent to which information security is incorporated into your institution's business continuity and disaster recovery plan, the way in which that plan is tested, how often the plan is tested, and the results of the most recent test;"

NY State, Cybersecurity Requirements for Financial Services Companies (Feb 2017): "Section 500.16 Incident Response Plan. (a) As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity's Information Systems or the continuing functionality of any aspect of the Covered Entity's business or operations."
Office of the President of
the United States
Presidential Policy Directive – PPD-41 July 2016 “effective incident response efforts
will help support an open,
interoperable, secure, and reliable
information and communications
infrastructure that promotes trade
and commerce, strengthens
international security, fosters free
expression, and reinforces the
privacy and security of our citizens”
OMB Memo on Preparing and Responding
to a Breach
Jan 2017 “This Memorandum sets forth the
policy for Federal agencies to
prepare for and respond to a breach
of personally identifiable information
(PII).” Section VII details the
Breach Response Plan.
Paloalto - NSYE Navigating Digital Age Oct 2015 “Boards should require that
management implement an
enterprise-wide cybersecurity risk
management plan.”
PCI-SSC Requirements and Security
Assessment Procedures
V3.1 – Apr 2015 PCI DSS Requirement 12.10:
“Implement an incident response
LEO24
DOCUMENTS SUGGESTING INCIDENT RESPONSE PLANS August 7, 2017
Seth Jaffe – [email protected]
https://www.linkedin.com/in/sethejaffe/
8
plan. Be prepared to respond
immediately to a system breach.”
Ponemon Cost of a Data Breach Study June 2016 “Incident response plans,
appointment of a CISO, employee
training and awareness programs
and a business continuity
management strategy continue to
result in cost savings.”
SANS Institute Incident Response Capabilities in 2016 June 2016 “87% reported incidents in the past
12 months, and these incidents
resulted in actual breaches 59% of
the time.”
SEC: OCIE – Office of
Compliance Inspections
and Examinations
2015 Cybersecurity Examination
Initiative
September 2015 “Incident Response: Examiners
may assess whether firms have
established policies, assigned roles,
assessed system vulnerabilities,
and developed plans to address
possible future events.”
Verizon PCI Compliance Report 2015 “Organizations often give incident
response little attention until
a crisis occurs and they are forced
to try to regain control.”
World Energy Council The Road to Resilience 2016 INSURANCE PROVIDERS FOCUS
ON FIVE KEY QUESTIONS WHEN
ASSESSING CYBER RISKS: Does
the company have organizational
and technical controls in place to
LEO25
DOCUMENTS SUGGESTING INCIDENT RESPONSE PLANS August 7, 2017
Seth Jaffe – [email protected]
https://www.linkedin.com/in/sethejaffe/
9
detect, respond, and react to a
cyber-attack in good time, including
cross-functional incident response
structures and processes?
Cyber Security for Law Firms1
Law firms are particularly high value cyber security targets because 1) they hold highly sensitive information in forms less voluminous than their clients, and 2) they are more likely to employ safeguards that are more easily defeated than those of their clients. In 2017, the American Bar Association issued formal opinion 477 discussing cyber security obligations of attorneys.
Lawyer Duties
1. Duty of Competence: A lawyer should maintain a basic understanding of technology relevant in the field. The ABA Commission has commented that provision of competent legal services includes command of the benefits and risks associated with technology employed by the attorney or client in furtherance of the engagement.
2. Duty of Confidentiality: “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”2 While this may not impose specific security measures, the ABA believes it to require a process of assessing risks, identifying and implementing appropriate security protocols, verifying they are effective, and maintaining updates in view of new developments.
3. Duty to Communicate: Upon reasonable belief that highly sensitive confidential client information may be transmitted, a lawyer has a duty to inform the client about the risks involved, and discuss with the client means for adequate protection of the information. This includes adhering to special security measures requested by the client.
Model Rules
Rule 1.1 To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Rule 1.4 Reasonably consult with client about client’s objectives, which may include discussing security safeguards and expectations.
1 The contents of this document are informational in nature and do not constitute legal advice.
2 MODEL RULES OF PROF’L CONDUCT R. 1.6(c)
Rule 1.6 “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Rule 5.1 Supervisory attorney will take reasonable measures to ensure that employee lawyers adhere to the rules of professional conduct, including that they maintain security safeguards.
Rule 5.3 Supervisory attorney will take reasonable measures to ensure that conduct of non-lawyer assistants is compatible with the professional obligations of the attorney. This includes establishing policies on technology and information security, training assistants, supervising to ensure requirements are met, and updating policies as needed.
Association of Corporate Counsel Model Security Provisions
1. Policies – Outside counsel shall have in place an overarching information security policy, with subsets encompassing organization of security, asset management, human resources security, physical security, communications and operations management, access control, infosec systems acquisition and maintenance, incident management, business continuity management, personnel training, and compliance.
2. Document Retention – Outside counsel shall retain client confidential information for only so long as specified by the client, or as long as necessary for the purpose, or as directed by law. With limited exceptions, at the conclusion of the engagement, outside counsel shall return, delete, or destroy said information. Outside counsel should certify destruction within a pre-coordinated amount of time.
3. Data Handling – Communications of client confidential information will be encrypted according to client’s specifications. Confidential information in possession of the law firm will be encrypted at rest, including information stored on portable devices and removable media.
4. Data Breach Reporting – Any actual or suspected breach involving client confidential information will be communicated to the client within 24 hours of discovery. Outside counsel will designate a point of contact with authority over the breach and access to outside counsel networks and the incident response team. Outside counsel will fully cooperate with client.
5. Physical Security – Outside counsel will maintain reasonable physical security measures including access control, ID badges, security guards, alarm system, enhanced access control for server rooms, secure backups, procedures and logs.
6. Logical Access Controls – Outside counsel shall install and maintain electronic controls designed to restrict access to confidential information on a least privilege and need-to-know basis. This includes a revocation process for invalid logins.
7. Monitoring – Outside counsel will continuously monitor networks, employees, contractors, and contingent workers for malicious activity.
8. Risk and Vulnerability Assessments – Periodically, outside counsel will perform penetration tests on all systems where confidential information resides. In addition, outside counsel will maintain application security software development controls.
9. System Security – Outside counsel will implement and maintain controls at least as rigorous as prescribed industry standards (such as NIST, ISO, CIS, etc.). Systems will include vulnerability detection and management applications, antivirus, infrastructure patching, network security controls such as firewalls, DMZ, intrusion detection and prevention.
10. Auditing – Outside counsel will allow client to inspect, examine, and review its processes, systems, policies, and facilities.
11. Industry Certification – Outside counsel will complete and maintain an ISO 27001 certification and will supply a SOC audit upon request.
12. Background Checks – Outside counsel will conduct background screening on all of its employees, contractors, and contingent workers.
13. Cyber Liability Insurance – Outside counsel will maintain in force a cyber insurance policy having a minimum credit rating of A- with a coverage level of at least $10 million.
14. Contractors and Vendors – Where outside counsel contracts any of its security obligations to a third party, it will impose upon the third-party obligations at least as rigorous as those set out in these security provisions.
Common Law Duties
Restatement (Third) of The Law Governing Lawyers §§ 16(3), 60 (2000): “the lawyer must take steps reasonable in the circumstances to protect confidential client information against impermissible use or disclosure by the lawyer’s associates or agents that may adversely affect a material interest of the client or otherwise than as instructed by the client.”
References
American Bar Association: Formal Opinion 477, available at https://www.americanbar.org/content/dam/aba/administrative/law_national_security/ABA%20Formal%20Opinion%20477.authcheckdam.pdf
Association of Corporate Counsel: Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, available at http://www.acc.com/advocacy/upload/Model-Information-Protection-and-Security-Controls-for-Outside-Counsel-Jan2017.pdf
OKLAHOMA CITY • TULSA
WILLIAMS CENTER TOWER II • TWO W. SECOND STREET • SUITE 1100 • TULSA, OK 74103 • (918) 587-0000 • FAX (918) 599-9317 • www.mcafeetaft.com
Key Data Security Issues to Consider and Address in Client Engagement Letter
• Definitions: Have you identified what constitutes confidential, sensitive, protected data? Have you considered state and federal privacy laws and regulations that define and mandate protection of certain data? For example, 48 states define protected personal information under their security breach notification laws, and HIPAA defines electronic protected health information.
• Data security representations and warranties: Does either party have formal data security policies and procedures? Are the parties’ data security controls commensurate? Do the firm’s data security controls satisfy applicable state and federal privacy laws and regulations?
• Notification obligations: Have you considered notification (when, to whom, and timing) if confidential, sensitive, protected data has potentially or actually been viewed, accessed, or used by someone unauthorized to do so? Have you considered state and federal privacy laws and regulations that require notifying consumer and government agencies if certain protected data has been viewed, accessed, or used by someone without authorization to do so? For example, 48 states have security breach notification laws that require notification under certain circumstances.
• Audit right: Have you considered confirming compliance with required data security controls?
• Data location: Where is confidential, sensitive, protected data stored? Is data stored on mobile devices?
• Data storage: Have you considered encrypting confidential, sensitive, protected data? Have you considered that HIPAA requires encryption at rest or in transit when “reasonable and appropriate,” and the ABA believes “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication” when “the lawyer has implemented basic and reasonably available methods of common electronic security measures?”
• Data access and usage: Who has access to the locations where confidential, sensitive, protected data is stored, and how is it used?
• Data retention: How long will confidential, sensitive, protected data be stored? Have you considered state and federal privacy laws and regulations that require specified retention periods? For example, the Gramm-Leach-Bliley Act specifies retention requirements for protected financial information/records held by financial institutions.
• Data destruction: How will confidential, sensitive, protected data be destroyed? Have you considered state and federal privacy laws and regulations that specify the method(s) of destruction? For example, the Payment Card Industry Data Security Standards identifies disposal techniques for protected, stored credit cardholder data.
1.101 IRT INITIALIZATION (COMPANY IRP – PROCEDURE BREAKOUT)
Version 1.2 COMPANY CONFIDENTIAL – DRAFT – 01/01/17 PAGE 1 of 3. Verify that this is the correct version before use.
GC STEP 1: ATTORNEY-CLIENT PROTOCOLS
1.1: Review with IRT the reasons for att-cl privilege
1.2: Review att-client protocols with IRT (RULE GC101)
1.3: Advise disciplines to check with GC prior to discussing incident with a third party
1.4: Advise disciplines not to engage any third party without IRT approval (RULE GC102)
IRT STEP 2: RECON INCIDENT
IS 2.1: Overview of incident (what happened)
2.2: Acquire information about data
2.2.1: Affected systems
2.2.1.1: What systems are (potentially) affected
2.2.1.2: Potential impact, if any, on business
2.2.1.3: Status of containment, including steps taken
2.2.1.4: Preservation of systems
2.2.1.4.1: Are images necessary
2.2.1.4.2: Status of logging and SIEM
2.2.1.4.3: Additional forensics employed or completed
2.2.2: Potential accessed data
2.2.1.1: What data have been potentially accessed (PHI, PII, contracts)
2.2.1.2: Extent (number of affected persons)
2.2.2: How was the data accessed
2.2.3: Determine the associated technology owner
IRT 2.2.4: Demographic information for affected persons
IS 2.3: Initial Remediation
2.3.1: Brief IRT on the timeline to remediate (RULE IS301)
GC 2.3.2: Initialize preservation, if required – STEP 10
IRT STEP 3: POST RECON ACTIONS
3.1: Reassess IRT members and add stakeholders to the briefing, if required
GC 3.2: Engage third party assistance, if required – GC 3.102 Procedure
IRT 3.3: Advise on communications with industry associations, if desired (RULE GC110)
3.4: Queue directors of cross-divisional crisis management programs, if desired
IRT STEP 4: DISCIPLINE COORDINATION
4.1: Inform disciplines to trigger internal notification bulletins, if desired
DIS 4.2: Determine internal stakeholders
4.3: Add stakeholders to [DIS] Notification Bulletin
GC 4.4: Clear language with GC
4.5: Initiate [DIS] Notification Bulletins. Decide on period and fidelity based on severity of incident
IRT STEP 5: EXECUTIVE COORDINATION
5.1: Obtain executive briefing material from relevant disciplines
5.2: Determine executive notification format and frequency (RULE IR110)
GC 5.3: Clear language with GC
IRT 5.4: Initiate Executive Notification Bulletins
IRT STEP 6: DIVISIONAL COORDINATION
6.1: Assess impact to cross-divisional crisis management programs
6.1.1: Crisis Management
6.1.2: Business Continuity
6.1.3: Disaster Recovery
6.2: Prepare statement to cross-divisional team
GC 6.3: Verify language with GC
IRT 6.4: Initiate cross-divisional notification protocols (RULE IR130)
IRT STEP 7: LAW ENFORCEMENT NOTIFICATION ASSESSMENT
NOTE: this step may be delayed depending on the nature of the incident, and whether Law Enforcement might delay the notification obligations.
7.1: Review law enforcement guidelines (RULE GC103)
7.2: Coordinate meeting with stakeholders (IR Director, GC, Corporate Security, PR)
7.3: Facilitate decision on engagement
7.3.1: Which enforcement agency
7.3.2: When to notify
7.3.3: What level of fidelity
7.4: Prepare recommendation for executive committee, if desired
7.5: Consult with executive committee, if desired
7.6: Obtain GO from IRT to notify law enforcement
GC/CS 7.7: Notify law enforcement per Rule GC103 (RULE GC103)
IRT STEP 8: NOTIFICATION OBLIGATION ASSESSMENT
GC 8.1: GC to assess breach notification laws in view of incident – GC 3.110 Procedure
IRT 8.2: Brief notification stakeholders that assessment is in work
8.2.1: Insurance
8.2.2: Finance
GC 8.3: GC to brief IRT re applicable laws
8.1.1: State Laws – See GC Data File DF515GC
8.1.2: DoD Laws – See National Industrial Security Program Operating Manual
8.1.3: Financial Laws – See GC Data File DF516GC
8.1.4: International Laws – See GC Data File DF517GC
8.1.5: Industry Specific Laws – See GC Data File DF518GC
8.1.6: Advisory Councils – See PCI Council guidelines (RULE GC121)
8.1.6.1: Confer with Finance Department on PCI
8.1.7: Contractual – Review contract database GC Data File DF510GC
IRT 8.4: Poll team for breach declaration recommendation (RULE IR111)
IRT STEP 9: EXECUTIVE COORDINATION
9.1: Prepare Executive Notification Bulletin on breach notification assessment
9.2: Schedule meeting with executive steering committee
9.3: Deliver breach notification recommendation
EX 9.4: Obtain executive direction on breach notification (RULE IR111)
IRT 9.5: Inform IRT
GC STEP 10: PRESERVATION
IRT 10.1: Identify internal and external stakeholders with potential important information
10.3: Notify stakeholders of preservation obligations (RULE GC115)
10.3.1: Engage external e-discovery vendor, if desired – GC 3.102 Procedure
10.3.2: Prepare litigation hold notice
IRT 10.3.3: Identify management personnel to deliver hold notice
GC 10.4: Initiate lock down protocols
10.4.1: Engage e-discovery team to lock down stakeholders’ assets
10.4.2: Verify assets are locked down
IRT 10.5: Deliver litigation hold notices
IRT STEP 11: BREACH NOTIFICATION
IRT 11.1: Obtain GO from IRT to declare notification obligation (RULE IR140)
11.2: Assign Tiger Team (RULE IR141)
GC 11.2: Run GC 3.111 Procedure
11.3: GC to verify complete and inform IRD
IRT STEP 12: POST INCIDENT
12.1: Inform IRT of its post-incident duties (RULE IR900)
12.2: Remediation vendor
12.2.1: Address the need for external remediation recommendations and/or forensic report
12.2.2: Structure vendor engagement to preserve privilege – GC 3.102 Procedure
12.3: GC to advise team on privilege for cross-functional post-incident activities
DIS 12.4: Disciplines to run internal post-incident procedure – DIS X.900
IRT 12.5: Hold IRT post-incident meeting
12.6: Implement data retention plan
12.7: Update policies, procedures, and rules, as appropriate
12.8: Ensure incident is properly closed
COMPANY
INCIDENT RESPONSE DIRECTIVES
Version 1.1 COMPANY CONFIDENTIAL – DRAFT – 01/01/17 PAGE 1 of 1. VERIFY THAT THIS IS THE CORRECT VERSION BEFORE USE.
TEMPLATE ONLY. COMPANY SHOULD CONSULT OUTSIDE COUNSEL ON LEGAL MATTERS.
GC-101 ATTORNEY-CLIENT PRIVILEGE
WHEN COMMUNICATING ABOUT TOPICS RELATING TO AN INCIDENT INVESTIGATION, IRT MEMBERS SHOULD:
A. INCLUDE PARTICIPATING GC TEAM MEMBERS IN THE COMMUNICATIONS;
B. LIMIT THE CONTENT OF COMMUNICATIONS TO WHAT IS NEEDED. AVOID UNNECESSARY COMMENTARY, SPECULATION, AND OPINIONS;
C. LIMIT DISTRIBUTION OF COMMUNICATIONS ABOUT THE INVESTIGATIONS TO RELEVANT IRT MEMBERS, GC, AND, IF DIRECTED, OUTSIDE COUNSEL;
D. LIMIT COMMUNICATIONS TO THOSE WHO HAVE DIRECT KNOWLEDGE OF A SPECIFIC AREA RELATING TO THE INCIDENT AND THE INVESTIGATION AND WHOSE INPUT AND INFORMATION ARE NECESSARY TO THE INVESTIGATION;
E. ADVISE ANY EMPLOYEE, CONTRACTOR, AND CONSULTANT INTERVIEWED OR INVOLVED IN ANY PART OF THE INVESTIGATION THAT ALL DISCUSSIONS, ANALYSIS, NOTES, AND DOCUMENTS PRODUCED IN CONNECTION WITH THE INVESTIGATION ARE CONFIDENTIAL AND SHOULD NOT BE DISCLOSED TO ANY OTHER PERSON WITHOUT GC APPROVAL;
F. LABEL EMAILS, NOTES, DRAFT AND FINAL REPORTS, AND OTHER COMMUNICATIONS RELATED TO THE INVESTIGATIONS “COMPANY CONFIDENTIAL AND ATTORNEY-CLIENT PRIVILEGED COMMUNICATION — DO NOT FORWARD” [COMPANY MAY WANT TO APPEND TO INCLUDE INDICATOR OF INCIDENT, FOR E-DISCOVERY PURPOSES];
G. DISCUSS WITH THE IRT (SPECIFICALLY GC) REPORTS, ANALYSES, OR OTHER WORK PRODUCT THAT PURPORT TO DRAW CONCLUSIONS REGARDING THE INCIDENT BEFORE FINALIZING OR SUBMITTING SAID REPORT, ANALYSIS, OR WORK PRODUCT; AND
H. DO NOT MAKE VIDEO OR AUDIO RECORDINGS OF ANY INTERVIEWS. NOTES RELATING TO ANY INTERVIEWS SHOULD BE IN WRITING, SHOULD TAKE THE FORM OF SUMMARIES, AND SHOULD BE CLEARLY MARKED AS “CONFIDENTIAL - ATTORNEY/CLIENT PRIVILEGED.”
[REF20170101-04]
COMPANY may want to assert that communications among IRT members and GC or Outside Counsel should be protected, by the attorney-client privilege, from disclosure in litigation and regulatory investigations.
Maintaining the ability to assert the privilege is important to ensure that the IRT members and GC communicate openly with one another without concern that their communications may be misused in litigation or in a regulatory investigation.
GC legal advice will be based in part on information IRT members report regarding their investigation. [REF20170101-04]
COMPANY
INCIDENT RESPONSE DIRECTIVES
Version 1.1 COMPANY CONFIDENTIAL – DRAFT – 01/01/17 PAGE 1 of 3. VERIFY THAT THIS IS THE CORRECT VERSION BEFORE USE.
TEMPLATE ONLY. COMPANY SHOULD CONSULT OUTSIDE COUNSEL ON LEGAL MATTERS
GC-103 LAW ENFORCEMENT NOTIFICATION
(A) IN DETERMINING WHETHER TO NOTIFY LAW ENFORCEMENT, IRT SHALL ASSESS THE INCIDENT UNDER THE FOLLOWING FACTORS, TAKING INTO ACCOUNT COMPANY’S CURRENT RELATIONSHIP WITH THE AGENCY. GC AND CORPORATE SECURITY SHALL LEAD THE ASSESSMENT. [SOME COMPANIES MAY WANT TO MAKE THIS AN EXECUTIVE LEVEL DECISION].
[XXXXXX-XXXX REFERENCE STATES WHEN IT WAS LAST UPDATED]
In certain situations, partnering with one or more law enforcement agencies can be useful, but there can also be drawbacks. General Counsel should work with the agency relationship partner [Corporate Security] to determine which agency, if any, should be notified. The magnitude of the cyber attack carries great weight in the decision. In addition, IRT should consider the following factors:
Benefits:
a) Law enforcement may bring to bear prior experience with similar incidents in order to assist the investigation, containment, remediation, or mitigation efforts. For example, law enforcement may:
a. disclose threat signatures and indicators of compromise.
b. predict the schedule of an attack based on similar vectors against other entities.
c. point out subsequent targets of the attack.
b) Law enforcement can draw upon government investigative tools, such as grand jury subpoenas, search warrants, wiretaps, etc.
c) Law enforcement has the ability to delay notification obligations for investigative purposes, but it rarely does so.
Drawbacks:
a) Law enforcement may have its own public relations interests.
a. Law enforcement may make announcements before COMPANY is ready.
b. Law enforcement announcements may not follow the COMPANY message.
b) Potential loss of control of the investigation, although law enforcement is unlikely to take control because they would lose corporate partnership in the future.
c) Business interruption
a. Law enforcement may request to remove hardware for investigation purposes, though it will likely return the hardware. See Section D below.
b. Law enforcement may wish to attach monitoring devices to COMPANY networks. See Section E below.
d) Notification delays may restrict return to normal operations.
(B) IRT SHALL DETERMINE WHICH AGENCY TO NOTIFY UPON CONSULTATION WITH OUTSIDE COUNSEL.
The FBI and Secret Service are both charged with cybercrime enforcement. The FBI is defined as the primary agency under the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) for offenses involving espionage, foreign counterintelligence, critical infrastructure, or other national security matters. The Secret Service has jurisdiction to investigate financial crimes such as credit card fraud, computer fraud, telecom fraud, and other crimes affecting federally insured financial institutions. The Internal Revenue Service, through its Criminal Investigations Unit, investigates incidents involving reports of unauthorized access to tax information. The Internet Crime Complaint Center (“IC3”) is a partnership between the FBI and the National White Collar Crime Center that receives, develops, and refers criminal complaints regarding cybercrime. IC3 provides a central referral mechanism for complaints involving internet related crimes. [XXXXXX-XXXX reference states when it was last updated]
(C) NO LAW ENFORCEMENT COMMUNICATION WILL OCCUR WITHOUT OUTSIDE COUNSEL PARTICIPATION
Care should be taken not to disrupt the attorney-client privilege and work-product protection. Whenever possible, oral communication is preferred. Dissemination of forensic reports, even factual reports, should only be considered after consultation with legal counsel due to the potential of the report being made public even accidentally. [XXXXXX-XXXX reference states when it was last updated]
(D) NO COMPANY HARDWARE WILL BE TAKEN INTO CUSTODY BY LAW ENFORCEMENT UNTIL INFOSEC IS CONSULTED AND AN IMAGE OF THE DEVICE IS MADE
Loss of access of a COMPANY device may impede internal forensic investigation. Therefore, an image of any device should be made prior to loss of access. Consult legal counsel before arranging transfer of any such hardware, monitor devices or activity. [XXXXXX-XXXX reference states when it was last updated]
(E) PRIOR TO ALLOWING LAW ENFORCEMENT TO MONITOR COMPANY SYSTEMS, ENSURE COMPANY WILL MAINTAIN ACCESS TO THE INFORMATION BEING MONITORED
Law enforcement may request that it be allowed to track activity for the purpose of identifying the threat actor or building a criminal case. COMPANY desires that any such law enforcement access disrupt COMPANY operations as little as possible. [XXXXXX-XXXX reference states when it was last updated]
(F) LAW ENFORCEMENT MAY DELAY NOTIFICATION REQUIREMENTS. IRT WILL DOCUMENT ANY SUCH DIRECTIVE, IDENTIFY THE PUBLIC RELEASE DATE, AND WILL CONTINUE PREPARATION OF NECESSARY NOTIFICATION DOCUMENTS FOR RELEASE AT THE EARLIEST OPPORTUNITY
Law enforcement has authority to delay federal and state notification laws while it conducts or completes a live investigation. IRT should inquire whether law enforcement wishes to invoke that authority. If so, IRT will do the following:
1. Document the request by law enforcement;
2. Determine the date law enforcement will allow COMPANY to make the notification public;
3. Prepare notification documents to be sent as soon as possible after the release.
[XXXXXX-XXXX reference states when it was last updated] [NOTE: This is a template only. COMPANY should work with its designated outside counsel on matters of legal advice.]
A Guide to Safe Public Wi-Fi
Introduction… With all the recent hubbub over public Wi-Fi, and Wi-Fi security in general, it can be difficult to see a clear path for effectively protecting personal and company information in a mobile world. A bit of guidance and perspective can often be just enough to get our feet on the right path and make informed decisions to manage risk.
Who This Is Written For (And Why)… Search around a bit on the web for guidance on secure use of public Wi-Fi, and you will find that nearly everything available at the time of this publication falls into one of a few categories:
1. Deep technical content related to securing and/or testing Wi-Fi networks.
2. Generic and/or generalized technical guidance for adding security to home Wi-Fi networks, with many being unfocused and unactionable (and in some cases, completely outdated and ineffective).
3. Lots of scary content talking about, detailing, and even demonstrating bad stuff which can happen.
What isn’t readily available is clear guidance for the non-technical business user, or stakeholder, that can be used to take a smart approach to protecting yourself and your company’s security while on the go. This primer is aimed at providing actionable guidance for navigating the risks associated with public Wi-Fi networks.
Understand the Risks… Not everybody has the same risk perspectives, and there are a few key items we should consider when determining our risk profile. For example:
1. What types of websites and apps do you plan on using? Company/email, banking, personal? How sensitive is the information you usually access?
2. From where do you typically connect? Home or office? Airports, cafés, and everything in between?
3. Do you have security features enabled and current on your device?
Decide how bad it would be if a hacker was able to eavesdrop on whatever you’re doing on that connection, or worse – infect your system with malware – and you’ll begin to form an understanding of how careful you must be.
How Paranoid Should We Be? 2017 has been a big year in security, particularly in the world of wireless networking, and the threat is different today than yesterday. The big thing to be aware of here is that the main Wi-Fi security protocol (WPA – “Wi-Fi Protected Access”) is broken (read: cracked), and for at least the foreseeable future, it will be difficult or even impossible to trust that any public or un-managed Wi-Fi services are safe from malicious eavesdroppers. We need to be aware that not all websites protect everything being sent and received, with many only protecting part of the conversation and possibly exposing other information. A final point here is that various technical issues exist to trip up not only the unwary, but even sophisticated technology users. Browser sessions can be hijacked, data and accounts can be stolen, and while you can read up on attacks with cool sounding names, the simple fact is most of that information is of little practical value to most users.
How Can We Protect Ourselves? So, now that we are ready to either smash our mobile devices or just swear off using Wi-Fi forever, the good news is there’s a smart approach to managing this, and we can break it down into five key pillars:
1) Grow Situational Awareness
The most important pillar in our approach is awareness. By getting into the habit of thinking about the possible sensitivity of the websites and information you are accessing, as well as where you may be at the time, most people will develop a gut feel for when additional caution or consideration may be warranted.
2) Protect Your Endpoint Device
Protecting your endpoint is something everyone can do, and goes a long way towards protecting mobile devices from common threats, malware, etc. This means:
✓ Make sure your mobile device has all the latest security updates installed.
✓ Make sure that a current anti-malware program is installed, running, and up to date.
✓ Turn off Wi-Fi, NFC, and other communication services when not in use.
3) Make Informed Risk Decisions
In order to make informed risk decisions, we need to have a little understanding of what threats are out there. For example, we know that:
✓ Numerous technical vulnerabilities and attack vectors exist for Wi-Fi networks & web traffic.
✓ Wi-Fi security protocols have been broken and no unmanaged networks can be trusted to have patched the vulnerability. What this means is that if unpatched, an attacker may be able to, at a minimum, intercept and eavesdrop on all involved Wi-Fi connections.
With these considerations in mind, we can be better prepared to decide what may or may not be appropriate uses of public Wi-Fi. For example, rather than interact with sensitive websites or apps (e.g. email, banking, etc.) over untrusted public Wi-Fi, we may wish to consider alternatives such as:
✓ Cellular Data Network or Personal Access Point
✓ Virtual Private Network
✓ Defer until a trusted network connection is available.
4) Use a Personal Access Point
For business or security-conscious users working remotely, safer Wi-Fi access can be achieved using personal access points. This option provides a simple alternative to the public Wi-Fi dilemma, and only requires making sure that the personal access point (or home wireless router) is properly configured, and has been updated to fix the Wi-Fi encryption vulnerabilities.
5) VPN (Virtual Private Network) Solutions
Finally, for organizations with large numbers of users, or individuals who want a more flexible or economic solution, VPN technologies offer many advanced capabilities and are often a preferred choice, as they protect all traffic within another layer of strong encryption, under the assumption that everything will be transmitted over untrusted networks. Basic VPN services are available in a Software as a Service model; organizations can also choose to leverage robust solutions such as Palo Alto’s “Always On” VPN functionality, which was designed to protect all endpoint communications even when connecting to hostile networks.
Risk Level Evaluation
Level 1 – Strategic. Risk character: The issues experienced or anticipated have the potential to halt all critical operations and processes for an extended period of time. Typical level of response: Board level involvement. Coordination with appropriate government agencies. Implementation of DR/BC Plan.
Level 2 – Severe. Risk character: There is likely to be an observable degradation of key services or operations with the potential to affect share value or reputation. Typical level of response: Board level involvement. Possible coordination with Police/other. Review of DR/BC Plan. Execution of Media and Social Media plans.
Level 3 – Elevated. Risk character: There is likely to be a measurable impact on internal operations and processes, but the risk to share value or reputation is considered low. Typical level of response: CXO involvement. Re-read and discussion of DR/BC Plan. Coordination with PR team. Police involvement only if appropriate. No media contact made.
Level 4 – Operational. Risk character: There is unlikely to be any measurable impact on internal operations or processes and no impact on share value or reputation is anticipated. Typical level of response: Appropriate C-level involvement or reporting. Departmental level operational responses and containment. Normal business processes continue.
• Proactivelyfoundor3rd partyprovided
• Securityteamdetermineshowpervasiveeventisbyproactivelyhuntingforinfections
• Analyzewhattheattackisdoing
• Classifytheeventperrisklevel¬ifyorganizationasappropriate
IdentifyanEvent
• Createoutofbandchannelsofcommunication
• Isolateinfectedenvironmentsfromrestofenterprise
• Collectdataasnecessary
• Takeforensicimages
Containment
• Mitigatethethreat:eithersurgicallyremove,reimagetheendpoint,orrebuildenvironmentasnecessary
• Validatethethreatisremovedandnotpervasiveorreturned
Eradicate
• Resumeactivethreathunting
• Determineoriginofattackandvulnerability
• Fixvulnerabilities
Recover&LessonsLearned
GeneralTimelineofInfosec IncidentResponse
1
How did we get the event?
- Security team threat hunter could find the infection proactively
- Company-owned tool could provide an alert to a Security Analyst
- Informed by an outside party (e.g. FBI, vendor, partner, etc.), usually to C-level, legal, or the CISO

Who would handle it?
- Threat hunter turns over findings to the Security Operations team
- Security Analyst turns over findings to threat hunters and the Security Operations team
- Notified party turns it over to the CISO or Security Operations team for investigation

What do we do with the event?
- Security Operations will analyze the event's threat level based on the threat hunters and their findings
- Based on that evaluation, Security Operations will classify the event and notify the CISO as necessary
- CISO will notify necessary parties, including legal and the IR team. Forensic experts will use their tools to capture a snapshot of the environment for investigation and legal.

How do we isolate and remediate?
- Security Operations team will notify the appropriate team (e.g. infrastructure, applications, database, network, etc.) to isolate the affected environments
- The Security Operations team will then work with the other teams to remediate the environment by doing one of the following: surgically remove the threat, re-image the environment, or rebuild the environment.
- CISO and Security Operations will determine root cause and mitigate vulnerabilities associated with the event.
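The "take forensic images" and "capture a snapshot of the environment for investigation and legal" steps above are only useful later if the team can show the evidence was not altered between acquisition and analysis. The following is an added example, not material from the LEO reference desk or any forensic vendor's tool: it records the image hash at acquisition and keeps a hash-chained chain-of-custody log, so both a modified image and a tampered log are detectable. The sample image bytes, the host/device name and the actor and action labels are constructed placeholders.

```python
"""Evidence integrity and chain-of-custody manifest for a forensic image.

Added example. Assumes the image is available as bytes; source, actor and
action names are illustrative placeholders, not a real case.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for a disk/memory image. A real image would be
# streamed from a file in chunks rather than held in memory.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"<infected-host-disk-image>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the digest does not depend on key order.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def add_custody_event(manifest: dict, actor: str, action: str,
                      when: Optional[str] = None) -> dict:
    """Append a custody entry linked to the previous one by its digest.

    The first entry links to the image hash itself, so the whole log is
    anchored to the evidence it describes.
    """
    when = when or datetime.now(timezone.utc).isoformat()
    prev = manifest["custody"][-1]["digest"] if manifest["custody"] else manifest["sha256"]
    entry = {"actor": actor, "action": action, "when": when, "prev": prev}
    entry["digest"] = _entry_digest(entry)
    manifest["custody"].append(entry)
    return entry


def acquire(image: bytes, source: str, collector: str,
            when: Optional[str] = None) -> dict:
    """Create the manifest at acquisition time: image hash plus first custody entry."""
    manifest = {
        "source": source,
        "size": len(image),
        "sha256": sha256_hex(image),
        "custody": [],
    }
    add_custody_event(manifest, collector, "acquired", when)
    return manifest


def verify_image(image: bytes, manifest: dict) -> bool:
    """True only if the image still matches the size and hash recorded at acquisition."""
    return len(image) == manifest["size"] and sha256_hex(image) == manifest["sha256"]


def verify_chain(manifest: dict) -> bool:
    """True only if every custody entry's digest and prev-link are intact."""
    prev = manifest["sha256"]
    for entry in manifest["custody"]:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["prev"] != prev or _entry_digest(body) != entry["digest"]:
            return False
        prev = entry["digest"]
    return True


if __name__ == "__main__":
    m = acquire(SAMPLE_IMAGE, "host-42:/dev/sda", "forensic-analyst-1")
    add_custody_event(m, "evidence-locker", "received")
    add_custody_event(m, "forensic-analyst-2", "analysis-started")
    print(json.dumps(m, indent=2))
    print("image intact:", verify_image(SAMPLE_IMAGE, m))
    print("custody log intact:", verify_chain(m))
```

In practice the manifest is written alongside the image and a copy is handed to legal at the same time, so that a later hash mismatch can be attributed to a specific custody step; the digest chain only detects edits, it does not by itself prove who made them.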
List of Security Standards/Frameworks

ISO/IEC 27001/2
The International Organization for Standardization's 27000-series standards cover information security management: ISO/IEC 27001 specifies requirements for an information security management system, and ISO/IEC 27002 gives guidelines for organizational information security standards and practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s). ISO charges for access to these standards. https://www.iso.org/standard/54533.html
NIST 800-53/CSF
The National Institute of Standards and Technology's (NIST) Special Publication 800-53 provides security and privacy controls for federal information systems, but it can be employed by commercial entities. NIST also publishes the Cybersecurity Framework (CSF), whose outcomes map to SP 800-53 controls, which federal systems apply under the Federal Information Processing Standards. There is no charge for access to either document. https://nvd.nist.gov/800-53
CIS 20
The Center for Internet Security maintains the CIS Controls, a prioritized set of 20 controls originally published as the SANS Top 20 Critical Security Controls. There is no charge for access to this standard. https://www.cisecurity.org/controls/
ISACA COBIT 5
The Information Systems Audit and Control Association (ISACA) offers the COBIT 5 framework for the governance and management of enterprise IT, including information security. It is represented to align with the ISO 27000 series, the Information Security Forum standard, and ISACA's Business Model for Information Security (BMIS). There is a charge for access to the standard. http://www.isaca.org/COBIT/pages/default.aspx
ISF The Information Security Forum’s Standard of Good Practice provides controls and guidance on current and emerging security topics. The Standard and its corresponding ISF Benchmark align with ISO 27002, COBIT 5, CIS 20, NIST, and PCI-DSS. https://www.securityforum.org/tool/the-isf-standardrmation-security/
DISA
The Defense Information Systems Agency provides security standards including Control Correlation Identifiers (CCIs), Security Requirements Guides (SRGs), Security Technical Implementation Guides (STIGs), and mobile code guidance. http://www.disa.mil/~/media/Files/DISA/News/Conference/2016/AFCEA-Symposium/3-McKinney_Security%20Standards.pdf
ITIL Maintained by Axelos, the Information Technology Infrastructure Library is directed to IT Service Management. Aligned with the ISO 20000 series, it is published as a series of five core volumes, each covering a different ITSM lifecycle stage. There is a charge for access to this standard. https://www.axelos.com/best-practice-solutions/itil/what-is-itil
PCI-DSS
The Payment Card Industry Security Standards Council, a joint venture of the major credit card companies, maintains the Data Security Standard, a set of policies and procedures intended to improve the security of card transactions. Compliance is mandated by the credit card companies. In addition, some state laws either refer to it or mirror certain aspects of the standard. https://www.pcisecuritystandards.org/pci_security/
OWASP The Open Web Application Security Project offers a number of resources to improve the security of web applications, including the popular OWASP Top 10. There is no charge for access to the OWASP Top 10. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
BSIMM The Building Security in Maturity Model is directed to software security, and offers a framework used to organize a number of activities to help manage and measure enterprise security initiatives. There is no charge for access to the framework. https://www.bsimm.com/framework.html
CSA 4.0 The Cloud Security Alliance offers the Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 for the purpose of improving security and mitigating risk in the adoption of cloud computing technologies. https://cloudsecurityalliance.org/guidance/#_overview
ILTA The International Legal Technology Association’s LegalSEC provides the legal community with guidelines for risk-based information security programs. Certain tools are available to the public at no charge. https://www.iltanet.org/resources/legalsec
BRINGING YOUR INFORMATION SECURITY PROGRAM IN LINE WITH YOUR CONTRACTUAL PROMISES, OR VICE VERSA
LEO CYBER SECURITY LAW CONFERENCE 2017
© 2017 Gable & Gotwals, A Professional Corporation. This information constitutes legal education and not legal advice. An attorney-client relationship is not created by this information. You should consult an attorney before taking any action that has legal consequences.
Sample Template for Security Provisions Will Holland, Torchmark Corporation
Tom Vincent, GableGotwals
Concept Issues/Considerations Sample Provision(s) NOTE: Bolded terms relate to the questions provided – these may be removed and/or revised with appropriate mitigating controls/arrangements.
Confidentiality
Make sure the definition of "Confidential Information" is complete and appropriate.
• What sort of information will be shared?
• How sensitive is the agreement itself?
• Should certain information always remain confidential (and not e.g. be subject to an exclusion)?
“Confidential Information” shall mean information in any form that a party owns or possesses, uses or that is potentially useful, that the respective party treats as proprietary, private, or confidential, and that is not generally known to or shared by the respective party with the public, or which either creates with respect to the [Transaction]. Each party’s Confidential Information includes, but is not limited to, all information relating to the party’s existing and contemplated business affairs, operating systems, facility components and technology, client, employee and vendor information (including without limitation any protected health information or personally-identifiable information), business operation and development strategies, relationships with third parties, communications, discussions and negotiations by each party concerning the [Transaction] (including any draft or final versions of any agreement contemplated by the [Transaction], whether or not finalized and/or executed), and financial information of any nature.
Make sure ownership is retained and doesn't pass to a third party.
• What information may result from the third-party relationship?
[Third party] acknowledges and agrees that [Third party] neither has nor acquires because of this [Agreement] any ownership, right or interest in or with respect to [Customer]’s Confidential Information, including any information derived from [Customer]’s Confidential Information. NOTE: If any license is necessary for the Third party to provide services, include e.g. “other than as expressly provided in Section []”. Unless the parties otherwise agree in writing, all Confidential Information, along with all other documents, memoranda, notes and all other writings whatsoever prepared by either party based on or arising out of the Confidential Information, shall be (i) returned to the party upon whose Confidential Information the document was developed (without retaining any copies thereof) within [] days from receipt of a written demand therefore by the originating party; or (ii) destroyed, with certification of its destruction to the other party within the same time period.
Breach Response
Make sure you are notified in the event of a breach of confidential information.
• How is breach defined?
• What is the timeline for notification from the third party?
  - When making this determination, consider the timeline for notification to affected individuals and other parties.
[Third party] must (i) notify [Customer] within [] days of the detection of any unauthorized access to [Customer]’s Confidential Information, (ii) consult and cooperate with [Customer] regarding any investigations and the results of same (including any notices necessary in [Customer]’s sole discretion), and (iii) provide any information reasonably requested by [Customer].
Make sure that you can control the message.
• What are the responsibilities of the third party regarding cooperation with you in the event of a breach?
[Third party] agrees that [Customer] has sole control over the timing, content and method of any required or voluntary notification to [Customer]’s clients, vendors, and any other third parties who may be impacted by the unauthorized access and/or who, in [Customer]’s sole discretion, should receive notification.
Liability
Make sure that liability in the event of a breach is (i) appropriate based on the type and amount of information you’re providing and (ii) carved out from limitation of liability.
Notwithstanding the limitation of liability in Section [], [Third party] shall indemnify [Customer] from any damages and costs resulting from [Third party]’s breach of its confidentiality obligations, including without limitation (x) identity protection assistance and similar services, (y) reasonable attorneys’ and technical consultant fees and (z) costs for any notifications provided, whether made directly to affected individuals or otherwise (e.g. via the media).
Other considerations
If customer information is involved, how do you make sure that the way you’re sharing information is consistent with what your policies say?
[Third party] has been provided with a copy of [Customer]’s [Privacy Policy] and will comply with the limitations on sharing [Customer]’s Confidential Information contained therein.
Are there any other agreements that need to be referenced (e.g. a business associate agreement)?
The parties have separately entered into a Business Associate Agreement (“BAA”) providing for their respective rights and obligations arising under [HIPAA].