POWERED BY: #NPPROTGC

KEYNOTE: Two Perspectives for Cybersecurity Best Practices

Jane LeClair, PhD, Chief Operating Officer, National Cybersecurity Institute (NCI) at Excelsior College

Lisa Lori, Partner, Klehr, Harrison, Harvey, Branzburg LLP

CYBERSECURITY: RISKS & RESPONSES

Lisa A. Lori, Esquire
William J. Clements, Esquire and CIPP/US [Certified Information Privacy Professional/United States]

Klehr Harrison Harvey Branzburg LLP

• 43% of companies experienced a data breach in 2014.

• 48% increase in cyberattacks from 2013.

• Size of data breaches is increasing.

• 80% of the breaches had a root cause in employee negligence.

NFP COMPANY ISSUES

• Same issues as for profit companies.

• With charitable giving exceeding $16 billion in 2014, NFPs are increasingly becoming targets of cyber attacks.

• Donors are becoming more concerned about the protection of their personal and financial information.

ANATOMY OF A DATA BREACH

1. Well-meaning insiders. The majority of data breaches are caused by company employees who inadvertently violate data security policies.

Examples:
– Employees, unaware of company policies, store, send or copy sensitive information in an unencrypted manner.
– Lost/stolen laptops.
– Sending unencrypted confidential information in emails.
– Sharing data with third party business partners (such as 401(k) plan information).

ANATOMY OF A DATA BREACH

2. Targeted attacks. Targeted attacks are aimed at stealing information, primarily for the purpose of identity theft.

Examples:
– Cyber-criminals using malicious code that can penetrate an organization undetected and export data to remote hacker sites.
– This is made possible by:
(1) system vulnerabilities: laptops, servers and desktops that are not patched and do not have up-to-date security features;
(2) improper credentials: default or easily guessed passwords that hackers can look up or obtain;
(3) targeted malware: hackers sending spam or phishing email that carries malware;
(4) SQL injection: hackers study how a targeted website builds database queries from URL or form parameters, then supply input containing SQL commands of their own; because the site concatenates that input into the query text, the commands run against the database, letting the hackers read or alter stored data and, on some configurations, plant software that gives them remote access to the server.
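Item (4) above is the one that lends itself to a concrete demonstration. The following is an added example, not code from the presentation or from any product mentioned in it: it builds a throwaway SQLite database with a constructed users table, then compares a login check that concatenates request parameters into the SQL text with the same check written as a parameterized query. The table, the accounts and the injection payload are all assumptions made for illustration.

```python
"""SQL injection: vulnerable string-built query beside the parameterized fix.

Constructed example (not from the presentation): an in-memory SQLite
database standing in for a website's back end. The 'users' table, the
accounts in it and the payload are assumptions for illustration only.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Plaintext passwords are themselves a bad
    practice; they are used here only so the injection result is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cr3t", "admin"), ("donor1", "hunter2", "donor")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Builds the query by concatenating the request parameters into the
    SQL text. The values become part of the SQL grammar, so a crafted
    value rewrites the query's logic instead of being compared as data."""
    query = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Parameterized query: the driver passes the values separately from
    the SQL text, so quotes in the input stay data and never become syntax."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()


def demo() -> dict:
    """Run both checks with a correct password and with an injection payload."""
    conn = make_db()
    # Classic payload supplied in the password field: it closes the string
    # literal and appends a condition that is true for every row, so the
    # WHERE clause becomes (name = 'admin' AND password = '') OR '1' = '1'.
    payload = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "admin", "s3cr3t"),
        "vuln_injected": login_vulnerable(conn, "admin", payload),
        "safe_correct": login_safe(conn, "admin", "s3cr3t"),
        "safe_injected": login_safe(conn, "admin", payload),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label}: {row}")
```

Running it shows the concatenated version returning the admin row for a password of `' OR '1'='1`, while the parameterized version returns nothing for the same input. Separating the query text from the data is the fix for the URL-parameter case the slide describes; hand-written escaping of the input is not an adequate substitute, and the same principle applies to any database driver or ORM that offers bound parameters.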

ANATOMY OF A DATA BREACH

3. The malicious insider. This includes insiders who knowingly steal data.

– White collar criminals
– Industrial espionage
– Theft of trade secrets (employees who store confidential information on their personal computers for use in subsequent employment or to compete).

RECENT CYBERSECURITY BREACHES

• Cyber attack may have compromised about 76 million households.

• Included customer names, addresses, phone numbers and email contact information.

• In addition, the breach affected about 7 million of J.P. Morgan’s small-business customers.

• Overall, it may have been the biggest cyber attack in corporate history.

RECENT CYBERSECURITY BREACHES

• Cyberthieves stole up to 60 million credit card numbers.

• The attacks went on for 5 months before being discovered.

• The company said anyone who used a credit card to shop at Home Depot in the US or Canada over a 6 month period could have been a victim.

RECENT CYBERSECURITY BREACHES

• Hackers accessed personal information from as many as 110 million consumers.

• Costs associated with the hacking added up to about $148 million.

RECENT CYBERSECURITY BREACHES

• Hackers broke into the iCloud accounts of a number of Hollywood celebrities and made off with nude photos.

• Celebrities targeted included Jennifer Lawrence, Kate Upton and Kirsten Dunst.

RECENT CYBERSECURITY BREACHES

• In late November 2014, thousands of gigabytes of data were transferred out of Sony’s network undetected, including salary and bonus information of executives, unflattering comments about movie stars, health information about employees and copies of unreleased films.

• The attack began with email phishing that delivered programs which then roamed unopposed and undetected through Sony’s network.

• This was an act of what some called “cyberterrorism” in opposition to the release of an upcoming Sony Pictures movie, The Interview.

• The hackers attempted to blackmail Sony and warned it not to release the film.

• Sony ultimately released the film.

July 9, 2015

“Hackers stole data of over 21 million US government workers”

More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management. That number is in addition to the 4.2 million Social Security numbers that were compromised in another data breach at OPM that was made public in June. Officials have privately linked both intrusions to China.

Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigations, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants’ families.

The records that were compromised include detailed, sensitive background information, such as employment history, relatives, addresses, and past drug abuse or emotional disorders. OPM said 1.1 million of the compromised files included fingerprints.

“Goodwill Data Breach: Even Charities Are Susceptible to Cyber Criminals” (August 2014)

• Goodwill Industries had suffered an apparent breach that led to the theft of customer credit and debit card data.

• 330 Goodwill locations affected.

• Cyberintrusion took place over 18 months.

• Breach was blamed on a third party payment processor.

• Cyberthieves stole mag stripe data from customers’ credit cards.

• 868,000 credit cards were compromised.

FUTURE CYBERSECURITY BREACHES?

BIGGEST THREATS ARE THE ONES THAT ARE UNKNOWN AND NOT YET DISCOVERED

WHAT TO DO ABOUT IT

“The cyberworld is like the wild wild west.” Barack Obama

APPROACHES TO CYBERSECURITY

• Cybersecurity does not fit into one box.

• Requires collaboration between the government and the private sector.

• Requires collaboration between IT professionals and legal professionals.

CYBERLAW

• In its infancy.

• There is no overarching federal law that deals with cyberactivity.

• Cyberlaw is influenced by some existing laws.

PRIVACY LAW AND DATA SECURITY

• Most, if not all, laws regarding cybersecurity or data security have their origins in protecting privacy.

• This is an evolving field.

• Regulates the relationship between the Data Subject, the Data Controller and the Data Processor.

• However, laws and regulations relating to data security typically address the following areas:

1. Notice
2. Consent (Opt In/Opt Out)
3. Access
4. Correct/Update
5. Information Security

DATA PROTECTION MODELS

• COMPREHENSIVE MODEL (EU)

• SECTORAL MODEL (US AND JAPAN)

• CO-REGULATORY MODEL (AUSTRALIA AND NZ)

• “HABEAS DATA” (SOUTH AMERICA)

US HEALTH DATA PROTECTION LAWS

• HIPAA—HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

• HITECH—HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT

• GINA—GENETIC INFORMATION NON-DISCRIMINATION ACT OF 2008

US FINANCIAL DATA PROTECTION LAWS

• FCRA—FAIR CREDIT REPORTING ACT OF 1970

• FACTA—FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003

• GLBA—GRAMM-LEACH-BLILEY ACT OF 1999

OTHER US DATA PROTECTION LAWS

• PRIVACY ACT OF 1974 (GOVERNMENT SECTOR)

• FERPA—FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974 (EDUCATION SECTOR)

• PPRA—PROTECTION OF PUPIL RIGHTS AMENDMENT OF 1978 (EDUCATION SECTOR)

• NO CHILD LEFT BEHIND ACT OF 2001 (EDUCATION SECTOR)

• TELECOMMUNICATIONS ACT OF 1996 (TELECOMMUNICATIONS SECTOR)

• CABLE TELEVISION PRIVACY ACT OF 1984 (TELECOMMUNICATIONS SECTOR)

• VPPA—VIDEO PRIVACY PROTECTION ACT OF 1988 (TELECOMMUNICATIONS SECTOR)

• COPPA—CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998 (INTERNET)

FEDERAL TRADE COMMISSION

• Section 5 of the FTC Act gives the FTC jurisdiction to take action to prevent unfair and deceptive business practices affecting commerce, including conducting investigations.

• The FTC has been the most active regulatory authority with respect to policing data breaches.

FTC ENFORCEMENT ACTIONS

• FAILURE TO IMPLEMENT ADEQUATE SECURITY SAFEGUARDS FOR CUSTOMER’S PERSONAL DATA IS AN UNFAIR BUSINESS PRACTICE.

• FAILURE TO COMPLY WITH PRIVACY NOTICE GIVEN TO CUSTOMER IS A DECEPTIVE BUSINESS PRACTICE

RESULTS?

• Violations have resulted in multi-million-dollar settlements with the FTC. As of early 2014, 50 settlements had been reached.

• The FTC also requires violators to sign consent decrees, which may last for years and require, among other things, hiring of data protection/privacy officer.

FTC v. Wyndham Worldwide Corp., et al.

FTC’s Allegations

• Wyndham Group required all franchisees to use a designated computer system, known as the Property Management System.

• The Property Management System was centrally administered and maintained by Wyndham Group.

• The Property Management System contained customers’ personal data, both as to identification and credit/debit card numbers.

FTC’s Allegations

• Between April 2008 and January 2010, intruders (most likely Russian hackers) gained access to the Property Management System three times.

• The data breaches compromised 619,000 payment card numbers.

• The data breach resulted in $10.6 million in fraudulent charges.

FTC’s Allegations

• Wyndham Group failed to require use of “strong passwords.”

• Wyndham Group had no inventory of its computers and other hardware, making it difficult to discover in a timely manner where and how the system was compromised.

• Wyndham Group failed to limit access to the computer system under “least privilege” principles.

FTC’s Allegations

• Wyndham Group failed to adequately address the first breach by patching its system, which allowed the subsequent breaches.

• Wyndham Group failed to use firewalls to segregate portions of the Property Management System, so a single breach allowed access to the entire system.

• Wyndham Group committed consumer fraud by falsely promising customers, via “Privacy Notices” on its various websites, that data they provided was kept safe and secure.

Wyndham Group’s Defenses

• FTC has no authority to bring “unfairness” or “deception” claims for breaches of data security.

• There are no rules or regulations articulating—and giving a defendant notice—as to what data security practices must be implemented, so the FTC’s claim violates due process.

• Despite the $10.6 million in aggregate fraudulent charges, there was no “substantial harm” to consumers that could not be avoided (another requirement for the FTC to have jurisdiction), as each consumer’s loss was limited to $50 or less by law.

Trial Court’s Ruling

• As to jurisdiction, the FTC has broad latitude in regulating unfair business practices; since these practices evolve constantly, especially with new technologies, the FTC can regulate them even if its “rulemaking” has not caught up.

• As to notice, Wyndham had fair notice that it could be held liable under the FTC Act, just as it could be held liable under ordinary tort principles of negligence (unreasonably exposing consumers to harm by negligently handling confidential data). And the FTC’s publications provided adequate notice.

• As to “substantial harm,” a small amount of harm to a large number of individuals can constitute “substantial harm,” and consumers had no way of avoiding the harm caused by Wyndham Group failing to protect their sensitive personal information.

• Case is on appeal in the Third Circuit.

What Data Security Measures Should Be Taken?

• Wyndham’s argument was, to a certain extent, true: there is no rule or regulation setting out, with specificity, every best practice for safeguarding data.

• To the extent addressed in statutes, such as GLBA and FACTA, laws require that “reasonable safeguards” be taken.

• Until rules and regulations are adopted, what is “reasonable” is typically determined on a case-by-case basis.

Economic Model

• Risk—overall adverse impact from a potential event.

• Threat—an event such as a hacking attack or human error.

• Vulnerability—a weakness in a system that can be exploited.

RISK = THREAT * VULNERABILITY * EXPECTED LOSS

“Reasonableness” Factors

• Type of personal information maintained.

• Size, complexity and capability of the entity.

• Technical infrastructure, hardware and software.

• Costs of security measures.

• Probability and magnitude of potential risks to sensitive personal information.

BASIC SAFEGUARDS

• Physical

• Administrative

• Technical

COMPONENTS

• Access control.

• Segregation of duties.

• Least privilege.

• Accountability.

• Authentication.

• Password management.

• System monitoring.

• Firewalls/Virtual Servers.

• Anti-virus software.

INCIDENT MANAGEMENT

• Have a written incident management and response plan in place.

• Employ a “defense in depth” strategy to secure a network.
1. Identify information and resources that need to be protected.
2. Specify security goals and policies for securing those resources.
3. Deploy mechanisms that are configured to enforce those policies.

• Consider the following key principles when employing a “defense in depth” strategy:
1. Don’t keep what you don’t need.
2. Patch software.
3. Close unused ports.
4. Create and implement security policies.
5. Protect the network with security software.
6. Conduct periodic network audits, including penetration tests.

Red Flags

• Numerous failed log-in attempts; “brute force” attack.

• Sudden use of an idle or dormant account.

• Use of computer systems during off or unusual hours.

• Presence of a new or unauthorized user account.

• Weak user passwords.

Red Flags

• Unexplained elevation in user privileges.

• Changes in file permissions.

• Presence of unknown devices connected to the network (data storage devices).

• Gaps or deletions in system logs.

• Alerts from anti-virus or anti-intrusion software.

Red Flags

• Loss or theft of hardware.

• Mismatch of inventories of hardware and equipment.

• Customer complaints.
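As an added example of how the log-based red flags above (a burst of failed log-ins, a dormant account coming back to life, off-hours use, an account nobody approved) can be checked mechanically rather than noticed by luck, the following Python script runs simple rules over a handful of constructed authentication log lines. The log format, the sample lines, the "last seen" reference table, the approved-account list and the thresholds are all assumptions for illustration; it is not code from the presentation or from any real product, and a production deployment would read the same rules from a SIEM or log pipeline.

```python
"""Red-flag detection over authentication log lines (added example).

Everything below is constructed for illustration: the log format, the
sample events, the reference data and the thresholds are assumptions,
not the presentation's material or any vendor's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example):
#   "<ISO-8601 time> <EVENT> user=<account> src=<ip>"
SAMPLE_LOG = """\
2015-07-08T02:10:00 LOGIN_FAIL user=admin src=203.0.113.9
2015-07-08T02:10:02 LOGIN_FAIL user=admin src=203.0.113.9
2015-07-08T02:10:04 LOGIN_FAIL user=admin src=203.0.113.9
2015-07-08T02:10:05 LOGIN_FAIL user=admin src=203.0.113.9
2015-07-08T02:10:07 LOGIN_FAIL user=admin src=203.0.113.9
2015-07-08T02:10:09 LOGIN_OK user=admin src=203.0.113.9
2015-07-08T10:30:00 LOGIN_OK user=jsmith src=10.0.0.5
2015-07-08T11:00:00 LOGIN_OK user=contractor_old src=10.0.0.7
2015-07-08T23:45:00 LOGIN_OK user=bjones src=10.0.0.6
2015-07-08T23:46:00 USER_ADD user=svc_backup2 src=10.0.0.6
"""

# Constructed reference data: last successful login per account, and the
# accounts that change control has approved to exist.
LAST_SEEN = {
    "admin": datetime(2015, 7, 7, 9, 0),
    "jsmith": datetime(2015, 7, 7, 9, 0),
    "bjones": datetime(2015, 7, 7, 9, 0),
    "contractor_old": datetime(2015, 1, 10, 9, 0),
}
APPROVED_ACCOUNTS = {"admin", "jsmith", "bjones", "contractor_old"}

FAIL_THRESHOLD = 5                   # this many failures from one source...
FAIL_WINDOW = timedelta(minutes=5)   # ...inside this window = brute force
DORMANT_AFTER = timedelta(days=90)   # no login for this long = dormant
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59, Monday to Friday


def parse(line):
    """Split one log line into (timestamp, event, user, source ip)."""
    ts, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect(log_text, last_seen=LAST_SEEN, approved=APPROVED_ACCOUNTS):
    """Return a list of (rule, subject, timestamp) findings, in log order."""
    last_seen = dict(last_seen)          # copy: do not mutate the caller's table
    findings = []
    recent_fails = defaultdict(deque)    # source ip -> failure times in window
    for line in log_text.splitlines():
        ts, event, user, src = parse(line)
        if event == "LOGIN_FAIL":
            window = recent_fails[src]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures outside window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:      # fire as threshold is reached
                findings.append(("brute_force", src, ts))
        elif event == "LOGIN_OK":
            if len(recent_fails[src]) >= FAIL_THRESHOLD:
                # A success right after a burst of failures is the case to
                # treat as a probable compromise rather than as noise.
                findings.append(("success_after_brute_force", user, ts))
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                findings.append(("off_hours_login", user, ts))
            previous = last_seen.get(user)
            if previous is not None and ts - previous > DORMANT_AFTER:
                findings.append(("dormant_account_used", user, ts))
            last_seen[user] = ts
        elif event == "USER_ADD" and user not in approved:
            findings.append(("unauthorized_account", user, ts))
    return findings


if __name__ == "__main__":
    for rule, subject, when in detect(SAMPLE_LOG):
        print(f"{when.isoformat()}  {rule:26s} {subject}")
```

On the sample data this yields six findings: the brute-force burst from 203.0.113.9, the admin log-in that immediately follows it (also flagged as off-hours), the contractor account returning after about six months idle, the late-night bjones session, and the creation of svc_backup2 by that same session. The last two together are the pattern worth escalating: off-hours activity that ends with a new account is exactly how an attacker establishes persistence, and each rule on its own would look like a routine exception.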

Actions

• Once a breach is recognized, contain it.
1. Shut down accounts.
2. Revoke user access.
3. Make sure laptops and hand held devices have remote wipe technology installed on them; deactivate laptops and devices.
4. Determine the scope of the breach.

• Implement notification requirements.

GET CYBERSECURITY INSURANCE