© 2016 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com
The Latest on Cybersecurity, Data Loss Prevention and Data Breach/Privacy Litigation
August 17, 2016
Presented by
Anthony J. Laura
Member of the Firm
973.639.8267
Brian G. Cesaratto
Member of the Firm
212.351.4921
Agenda
1. Overview and State of Corporate Data Security
i. Statistics and Examples
ii. Anatomy of a Breach
2. Legal and Enforcement Overview
3. Litigation
4. Preparation
i. Auditing and Monitoring
ii. Education and Training
iii. Incident Response
Overview
The New Reality/Companies Under Attack
• https://www.youtube.com/watch?v=7vBHJ4E6nis
PrivacyRights.org
• 899,587,955 records breached, from 4,973 data breaches made public since 2005
IBM’s and Ponemon Institute’s 2016 Cost of Data Breach Study
• U.S. companies pay an average of just over $7M for standard data breach
o Standard = fewer than 100,000 records compromised
o $221/record
• Malicious attacks most common cause/costly
Deloitte’s “Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts”
• 95% of cyberattack costs take place over the 5-year period after the attack
o Lost contract revenues and customer relationships > reimbursing and litigation
The New Reality/Social Engineering
• In November 2014, Sony was the victim of a cyber-attack, possibly related to the production of a movie that parodied North Korean leader Kim Jong Un
• Hackers allegedly stole PII of at least 15,000 current and former employees and posted info online
• Plaintiffs claimed Sony failed to implement and maintain adequate security measures to protect employees’ PII and improperly waited 3 weeks to notify
• Breach apparently resulted from social engineering (phishing/passwords)
Takeaways:
• Risk assessment: Companies must understand where sensitive data resides and what threats and vulnerabilities may exist to that data
• Must train employees to be responsible stewards of data
• Be prepared for when the breach happens
The New Reality/Physical Security
• Putative class action against Coca-Cola alleging that between 2007 and 2013 another employee stole 50+ laptops containing SSNs, DLNs, bank account info and other sensitive data on at least 74K employees at the largest bottling operation
• October 2015, court dismissed negligence, fraud and other similar claims, but found breach of contract, unjust enrichment and restitution claims sufficient
• Unlike other cases where harm was speculative, named plaintiff suffered palpable harm, including alleged theft of funds from his bank accounts
Takeaways:
• Physical security
• Asset management
• Encryption
Anatomy of a Breach/Verizon Breach Report
Anatomy of a Breach/Why are PII Breaches Different?
• Security is relatively new for a lot of companies and they are all scrambling to protect themselves
• Client HR systems are insecure
o Most, but not all, PII is stored in a central repository, such as PeopleSoft, which is designed to be relatively open and to share information quickly; appropriate permissions are often not set.
o In-house developed systems that were designed without security in mind
– Many HR functions run off open file shares
o More troubling are the systems that individuals create, which the Company may not be aware of.
– Managers and supervisors possess PII about which companies do not know
• HR lacks the IS resources, program maturity and processes
• Paper programs with no operational effectiveness
o The HR cabinet needs to go
Education & Training
Historical delta between IT and Legal, Compliance, and HR
• Weak understanding of the IT world and risks
• Little ability to “speak the language”
• Weak processes to keep legal decision makers informed
Education and Training
Paper legal and compliance programs
• Template compliance policies that are totally removed from company operation
• Operational policies and processes that violate the law
Employee training
• Nearly every major breach has had some form of social engineering
• Employees are not prepared by compliance training to respond effectively
Little Ability to Respond to Emergencies
• Common fact patterns involve weeks of delay before forensics or incident response team triggered
Education & Training
Economic Consequences
• Credit monitoring
• Legal fees/Litigation
• Employee time
Lost business opportunities
• Hard to get business
• Hard to sell business
Reputational Damages
• Public relations “nightmare”
• Lost client confidence
• Increased Regulatory Scrutiny
Legal and Enforcement Overview
Overview
Diagram: Human Resources; HIPAA Privacy Rule; HIPAA Security Rule; State Law; FTC
Overview/Legal
HIPAA Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other protected health information. The Rule requires appropriate safeguards to protect the privacy of protected health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
HIPAA Security Rule: The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
State Law: Forty-seven states have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, medical information, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).
FTC: The Federal Trade Commission has the authority under Section 5 of the FTC Act to enforce against entities engaged in unfair or deceptive practices. Recently, the FTC has used this authority to bring enforcement actions against entities who violate consumer privacy rights or fail to maintain appropriate security for private consumer information, including health care entities. The FTC also enforces against entities who do not obey their own stated privacy or security policies.
Litigation
High Profile Data Breaches in recent years
• Sony PlayStation, affecting up to 102,000,000 users
• TD Bank, affecting up to 1,400,000 customers
• LinkedIn, affecting 6,500,000 users
• Living Social, affecting up to 50,000,000 customers
• Target, affecting up to 70,000,000 customers
• eBay, affecting up to 145,000,000 users
• AOL, affecting up to 2,400,000 customers
• Home Depot, affecting up to 56,000,000 customers
• JP Morgan Chase, affecting up to 76,000,000 customers
• Anthem, affecting up to 80,000,000 customers
What result do most of these breaches, and those less notable, have in common? …
Litigation Consequences of a Data Breach
Litigation or Governmental Investigations
• In re Sony Gaming Networks And Customer Data Security Breach Litigation, MDL No. 2268, concluded with $15 million settlement approved Jul. 10, 2014
• TD Bank – Investigations by, and settlements with, NY and MA Attorneys General for a total payout of $1,675,000 plus remedial measures
• Wright v. LinkedIn Corp., Case No. 12-cv-03088-EJD (N.D. Cal.), $1.25 million settlement granted preliminary approval on Jan. 29, 2015
• LivingSocial – Investigations by CT and MD Attorneys General
• In re Target Corp. Customer Data Security Breach Litigation, MDL No. 2522, with $10 million settlement granted preliminary approval on Mar. 19, 2015
• Green v. eBay, Inc., No. 2:14-cv-01688 (E.D. La.) – Motion to Dismiss pending
• In re The Home Depot, Inc. Customer Data Security Breach Litigation, MDL No. 2583, with Rule 12(b) motions due to be filed by May 2015
• D’Angelo v. Anthem, Inc., 1:15-cv-00371 (N.D. Ga.) (one of at least 8 pending suits)
Litigation Consequences of a Data Breach (continued)
Data breach litigation and government enforcement actions have been going on for more than a decade. You may remember…
• BJ’s Wholesale Club
o FTC enforcement action in 2005
o Credit card issuer cases followed suit (by BankNorth and Sovereign)
• TJX Companies in 2006
o 30 state AGs and the FTC pursued investigations
o Consumer class actions in the D. Mass.
o Mass. Banking Assn. pursued claims on behalf of its constituents
• An empirical analysis of data breach litigation published in 2012 reported that from 2005 to 2011, 230 such actions were initiated in US federal courts alone (plus an untold number of state court suits)
Litigation Consequences of a Data Breach (continued)
The primary claims of consumer Plaintiffs:
• Violation of state consumer protection/UDAP statutes
• Violation of state data privacy statutes
• Violation of federal statutes – FCRA, Video Privacy Protection Act
• Negligence
• Invasion of Privacy
• Breach of express (Privacy Policy) or implied contract to safeguard information
• Negligent or Intentional Misrepresentation (viz. published “Commitment to Data Security” or “Protecting Your Personal Information” statements)
• Negligent Bailment of electronic data
What avenues of defense to these claims exist?
Litigation Consequences of a Data Breach (continued)
• Lack of Standing
o Speculative future harm is insufficient under Article III
o Bolstered by SCOTUS in Clapper v. Amnesty Int’l, 133 S. Ct. 1138 (2013) (reiterating that Art. III standing requires “certainly impending” injury)
o Articulated well in the data breach context by In re SAIC Backup Tape Data Theft Litigation, MDL No. 2360 (D.D.C. May 9, 2014)
– Mere loss of data without evidence of misuse is insufficient
– Allegation that plaintiffs were 9.5 times more likely to suffer misuse is irrelevant; the inquiry is whether injury is certainly impending
– What role did the circumstances of the breach (car break-in) play in the decision?
o Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (pre-Clapper and Spokeo)
– Rejecting claims of future identity theft as too speculative and hypothetical
Litigation Consequences of a Data Breach (continued)
o The first and only Circuit Court to tackle standing in the data breach context and find in Plaintiffs’ favor is the 7th Circuit in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).
o What injuries were alleged there?
– Costs incurred in resolving fraudulent charges and protecting against future loss
– Increased risk of future fraudulent charges and identity theft
o Court used Neiman’s remedial measures as a sword
– Neiman offered one year free credit monitoring and identity theft protection services, leading court to note that Neiman must believe some of the injuries are concrete
– Neiman’s actions “adequately raise the plaintiffs’ right to relief above the speculative level.”
Litigation Consequences of a Data Breach (continued)
• The 7th Circuit followed its own lead in deciding Lewert v. PF Chang’s China Bistro, No. 14-3700 (7th Cir. Apr. 14, 2016)
o Again found standing based upon costs and efforts undertaken to reverse or further prevent fraudulent charges
o Found imminent threat of identity theft by virtue of PF Chang’s own statement to its customers to monitor their credit reports
o Interesting precursor to 7th Circuit’s current position: Pisciotta v. Old Nat. Bancorp., 499 F.3d 629 (7th Cir. 2007), finding that threat of future identity theft was sufficient ‘injury’ to warrant standing, but dismissing case on the merits because ‘credit monitoring’ was not then a recognized cause of action under Indiana law
Number of other Circuits since Clapper to analyze standing in pure data breach cases: 0
Litigation Consequences of a Data Breach (continued)
• Circuits since Clapper that have analyzed Standing in Data Privacy context
o Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014)
o In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015)
o In re Nickelodeon Consumer Privacy Litigation, No. 15-1441 (Jun. 27, 2016)
o Carlsen v. Gamestop Inc., No. 15-2453 (8th Cir. Aug. 16, 2016)
• Impact of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)
o Both sides claim some measure of victory.
o Language in opinion helps both sides.
o Art. III injury must be “concrete” and “particularized” (good for defendants), but can also be “intangible” (good for plaintiffs).
o Tension still exists: is the intangible risk of future harm by way of identity theft or other misuse of data sufficient? No direct answer from SCOTUS.
o Interesting to note about Gamestop: majority makes no reference to Spokeo, and dissent says it is dispositive of the standing argument.
Litigation Consequences of a Data Breach (continued)
Additional Defenses
o Economic Loss Doctrine
– No recovery for purely economic loss in negligence and negligent misrepresentation claims – In re Michaels Stores, 830 F. Supp. 2d 518 (N.D. Ill. 2011)
– Applicable in some states but not in others (some have exceptions based upon “independent duty”) – see In re Target, MDL No. 2522 (Dec. 18, 2014)
Litigation Consequences of a Data Breach (continued)
• Preemption
o Industry-specific preemption arguments
– Pro (Financial Services Industry): Willey v. JP Morgan Chase, 09-cv-1397 (S.D.N.Y. Jul. 7, 2009) (OCC regulations regarding data security under FCRA preempt state law claims regarding disposal of customer data)
– Contra (Health Care Industry): Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (Conn. Nov. 11, 2014) (Claims of negligent disclosure of PHI by medical practice not preempted by HIPAA, which has no private right of action)
o Most proposed federal data breach legislation contains preemption provisions
Litigation Consequences of a Data Breach (continued)
Primary claims of non-consumer Plaintiffs (Banks and Credit Card Issuers that refund/cover consumer losses)
• Negligence
o Duties arise from foreseeability of harm and from privacy laws
• Negligent or Intentional Misrepresentation
• Breach of Contract (Direct and/or as Third Party Beneficiary)
• Violation of state consumer protection/UDAP statutes
• Violation of state data privacy statutes
• See In re Target
Litigation Consequences of a Data Breach (continued)
Principal defenses to non-consumer Plaintiff claims
• No duty to third party bank/credit card issuer in absence of “special relationship”
• No reasonable reliance by bank/credit card issuer on “privacy protection” statements made to consumers
• No standing for bank/credit card issuer to recover under consumer protection laws
• Contributory negligence in alleged lax security across credit card network
Litigation Consequences of a Data Breach (continued)
Can Investor and Shareholder Derivative Claims Be Far Behind?
• Consequences of data breach resulted in decrease in stock price
• Company’s Board breached its fiduciary duty by failing to take sufficient precautions to prevent or mitigate data breach
• Company’s public statements on its cybersecurity policies and procedures were false or misleading
• Corporate waste or gross mismanagement claims
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Speech at the New York Stock Exchange (June 10, 2014).
Litigation Consequences of a Data Breach (continued)
What do these data breaches cost?
Estimates are:
• $1 per customer notification
• $10 per credit monitoring (accepted by roughly 15% of customers)
• $3 per new card issued
• Costs of investigatory/remediation efforts, business interruption, legal fees and settlement amounts vary widely
Aon Survey – average cost of data breach is $7 mm
• 80% of data breaches result in < $1 mm in costs
• 15% of data breaches cost between $1 mm - $20 mm
• 5% of data breaches cost > $20 mm
Litigation Consequences of a Data Breach (continued)
“Who pays for all this?” (aside from 3d party indemn.)
o Insurance
– Cybersecurity Policy
» Typically cafeteria style coverage
» First-party coverage (business interruption/response)
» Third-party coverage, aka “security and privacy liability” coverage, covers defense costs and adverse outcome
» Usually requires cyber audit by underwriters
– Traditional CGL Policy
» May be triggered under third party “Property Damage” and “Personal and Advertising Injury” coverages
» Recent NY case holds no coverage under standard CGL policy (Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. 2/21/14))
» As of May 1, 2014, ISO form CGL policies now contain cyber exclusion endorsement CG 21 06 05 14
Litigation Consequences of a Data Breach (continued)
State and Federal Statutes Governing Data Breaches
Federal statutes
• In a 2013 Report to Congress, the Congressional Research Service reported that more than 50 federal statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place.
o The Famous Ones:
– Gramm-Leach-Bliley – mandating investigation, determination of possible misuse and resulting notification to affected customers
– HIPAA and HITECH – safeguarding PHI
o The Not So Famous Ones typically pertain to federal agencies’ own implementation of cybersecurity, not to securing customer info
• FTC has successfully asserted jurisdiction over cybersecurity breaches under Section 5 of the FTCA, which prohibits unfair and deceptive practices
o See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (2015)
Litigation Consequences of a Data Breach (continued)
State and Federal Statutes Governing Data Breaches, cont.
• 47 states have some version of cybersecurity/privacy/data breach laws
o They differ in a number of ways, including:
– Defining the protected data
– When notification is required (to public and state govt.)
» Unauthorized access trigger
» Risk of Harm trigger
– Whether they permit a private right of action
– Time period within which notification is required
– Whether there is a safe harbor (typ. based upon encryption)
» NY AG recently announced intention to introduce legislation providing a safe harbor presumption based upon meeting certain security standards
Litigation Consequences of a Data Breach (continued)
Auditing and Monitoring: Conducting the Risk Assessment
What is a Risk Assessment?
The Risk Assessment is the foundational step in any security management process.
Requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information held by the entity.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Risk Assessments can be conducted using many different methodologies.
What is appropriate depends on the organization (HIMSS, NIST, Custom)
What you put in is what you get out
Physical, Technical, and Administrative
Risk Assessment Process
NIST 800-30
1. Scope the Assessment
2. Gather Information
3. Identify Realistic Threats
4. Identify Potential Vulnerabilities
5. Assess Current Security Controls
6. Determine Likelihood and Impact of Threat
7. Determine the Level of Risk
8. Recommend Security Controls
9. Document Results
Risk Assessment Process
Scoping the Assessment
Identify where sensitive information is created, received, maintained, processed and transmitted
• Physical boundaries, technical environment, end user machines, paper storage, etc.
Goal: Understand where sensitive information and systems reside
Gather Information
Identify how sensitive information is created, received, maintained and processed
• Determine security controls in place to protect
Goal: Find hidden repositories of sensitive information or business process outside of secure environment
Risk Assessment Process
Identify Realistic Threats
Identify potential threat sources to your sensitive information or systems
• Ex., Social engineering attacks on the rise in my industry
• Don’t forget about physical and environmental
Identify Potential Vulnerabilities Based on Threats
After identifying threats, document vulnerabilities that could be exploited by the threats
• Ex., Employees have not been trained on social engineering
Assess Current Security Controls
Based on the threats and vulnerabilities, determine whether current security controls are adequate to protect sensitive information
• Technical testing needed
Risk Assessment Process
Determine Likelihood and Impact of a Threat Exercising a Vulnerability
Prioritize the impact levels associated with a compromise based on a qualitative and quantitative assessment of the sensitivity and criticality of those assets
• Confidentiality, Integrity, Availability
• For example, could someone be harmed because of a loss of availability? Are denial of service attacks common?
Determine Risk
Operationalizes the previous step by analyzing the likelihood of a threat occurrence and the resulting impact
• If someone could be harmed because of a loss of availability, and denial of service attacks are common, then High threat likelihood and High impact
Risk Assessment Process
Recommend Security Controls
Based on the risk to the organization, recommend controls to reduce the level of risk to the IT systems and data to an acceptable level
It is not possible to implement all recommended security controls. Use a cost-benefit analysis to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk
Document and Mitigate
Cyclical process of mitigating and testing
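A worked version of steps 6 to 8 above (likelihood and impact, level of risk, cost-justified control recommendation), written here as an added example; it is not code from the presentation. It uses the 3x3 likelihood/impact scale of the original NIST SP 800-30, and every threat, control, cost and rating in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Likelihood and impact weights from the 3x3 scale in the original NIST SP 800-30.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood x impact (1 .. 100 on this scale)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map the score to the Low/Medium/High bands of the same scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    """A threat exercising a vulnerability against an asset (steps 3 to 6)."""
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: its cost and the rating(s) it lowers."""
    name: str
    cost: float
    risk: str                           # name of the Risk it addresses
    new_likelihood: Optional[str] = None
    new_impact: Optional[str] = None


def residual(risk: Risk, control: Control) -> Risk:
    """Risk rating after the control; ratings it does not touch carry over."""
    return Risk(risk.name,
                control.new_likelihood or risk.likelihood,
                control.new_impact or risk.impact)


def risk_register(risks: List[Risk]) -> List[Tuple[str, float, str]]:
    """Step 7 output: (name, score, level), highest risk first."""
    rows = [(r.name, r.score, risk_level(r.score)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def recommend(risks: List[Risk], controls: List[Control],
              budget: float) -> List[Tuple[str, float, float]]:
    """Step 8: rank controls by risk reduction per dollar, pick within budget.

    Returns (control name, score reduction, cost) in selection order. A control
    that lowers no rating has zero benefit and is never recommended; that is the
    cost-benefit justification the slides ask for, made explicit.
    """
    by_name = {r.name: r for r in risks}
    ranked = []
    for c in controls:
        before = by_name[c.risk]
        reduction = before.score - residual(before, c).score
        if reduction > 0:
            ranked.append((reduction / c.cost, c, reduction))
    ranked.sort(key=lambda t: t[0], reverse=True)   # best value for money first
    chosen, spent = [], 0.0
    for _, c, reduction in ranked:
        if spent + c.cost <= budget:
            chosen.append((c.name, reduction, c.cost))
            spent += c.cost
    return chosen


# Constructed register and control list, modelled on the slides' fact patterns
# (DoS on availability, social engineering of HR, stolen laptops, paper records).
# Ratings, costs and names are illustrative, not data from the presentation.
RISKS = [
    Risk("DoS against customer portal (loss of availability)", "High", "High"),
    Risk("Social engineering of HR staff for employee PII", "High", "High"),
    Risk("Theft of unencrypted laptop holding SSNs", "Medium", "High"),
    Risk("Misfiled paper HR record", "Medium", "Low"),
]
CONTROLS = [
    Control("Anti-phishing training for HR", 20_000, RISKS[1].name, new_likelihood="Medium"),
    Control("Full-disk encryption on laptops", 15_000, RISKS[2].name, new_impact="Low"),
    Control("DDoS scrubbing service", 60_000, RISKS[0].name, new_likelihood="Low"),
    Control("Shred paper HR records past retention", 2_000, RISKS[3].name, new_likelihood="Low"),
    Control("Vendor tool that changes no rating", 5_000, RISKS[3].name),
]

if __name__ == "__main__":
    for name, score, level in risk_register(RISKS):
        print(f"{level:6} {score:5.1f}  {name}")
    for name, reduction, cost in recommend(RISKS, CONTROLS, budget=50_000):
        print(f"recommend: {name} (risk score -{reduction:.0f} for ${cost:,.0f})")
```

With the constructed budget of $50,000 the encryption, training and shredding controls are selected and the DDoS service is deferred; the control that changes no rating is never chosen, which is the documented justification a later challenge to the decision would need.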
Practical Considerations
Identify Realistic Threats and Vulnerabilities
• Not an exercise in one’s imagination
• Be careful of vendor chosen: get samples of product, mitigation plans
Don’t Create “Bad Paper”
• Attorney-Client Privilege
• Legal: applying fact to law
Not a Paper Process
• To understand technical risk, vulnerability and likely penetration testing needed
Perform on a Regular Basis
• Choose your interval and document in policy
• Perform anytime change in environment: acquisitions, new infrastructure, new business partner
Training
Practical Consideration/Training and Risk Mitigation
Many of the most damaging breaches have resulted from social engineering or employees with their own processes or data repositories
• Organizations must assess whether their current training protects organization
• Identify employees with processes outside of workflow
Practice Tips
• Understand what company information is available to con artists (social media, org charts etc.)
• Develop protocol for transmitting sensitive data or system credentials (e.g. IT will never ask for this information)
• Train on identification of fraudulent communications
• Interview employees to determine whether secondary processes have been created
o Ex., transmission, storage, and device
Practical Consideration/Training on Paper
There are two types of breaches:
1) large scale cyber attacks, and
2) small scale identity theft
Unclear which is more damaging to an organization
• Well publicized, well documented breaches are not a great target for ID theft but are costly to remediate
• Small scale paper breaches are a better vehicle for ID theft
o HR knowledge can be used for damaging reputations
o Easier to prove harm in small scale breaches
Must train employees on proper handling of paper:
• Storage, Disposal, Creation, and Use of HR data
Practical Consideration/Culture of Compliance
Employees are your security perimeter: If you see something… say something!
• Consider an anonymous protocol for reporting violations
• Consider an FAQ document of common security questions posed
• Consider monthly security communications
• Consider town halls
• Praise employees (awards) who engage IS or compliance
Bottom line is that employees know before compliance
Incident Response
BIRP Plan/Mitigating Damage
Every organization will have a data breach. It’s not if...it’s when
The difference between a serious incident and a run-of-the-mill incident is often the actions a Company takes immediately following the breach
• It is very difficult to effectively handle a breach on an ad hoc basis
• Some states have very short reporting timeline
Breach response should mirror disaster recovery and business continuity plans
• Contracts with potential vendors in place
• Test runs conducted
• Clear protocol for triggering response team
• Understand reporting obligations before needed
• Multidisciplinary- Must respond effectively while protecting organization
• Responsibility clearly defined
Certifications/Mitigating Damage
There are an infinite number of ways an organization can be breached
Organizations however have finite resources and must engage in a cost-benefit analysis when implementing security controls
• End result is an ad hoc system of controls
Ultimately, someone's decision on why a security control was not implemented will be challenged
Organizations should move from ad hoc security management program to a more defensible prescriptive standard
• HITRUST, ISO, NIST CyberSecurity Framework
Mobile Devices/Mitigating Damage
If a hacker can get physical access to a device it will be compromised
The most effective way to protect mobile devices is to encrypt them
• Windows and Macs come with encryption that can be turned on
There is no reason for users to have administrative access on company machines
• Unknown software
• Disabling security features
Mobile Phones should be protected using a mobile device management solution
• Should wrap an encrypted container around company email
• Remote wipe should be available
Data Classification/Mitigating Damage
If IT is aware of sensitive data it can protect it
Organizations should create classifications of data and design storage methods that are appropriate for the data
• It can be as simple as: High, Medium, and Low
o High Classification: Company trade secret – mandated encryption, C-suite only access, all access logged
o Medium: PII – mandated encryption, access to HR group policy setting, all access logged
o Low: Emails not containing PII – open access, tracking not enabled
Reducing Attack Surface/Mitigating Damage
Breaches will happen. Organizations should therefore take steps to reduce the harm when a breach occurs
HR is full of PII that is no longer needed by the organization
Organizations should create a document retention and destruction plan
• Identify the legal retention requirements for each type of data they hold
• When no longer needed destroy
Conduct scans of known repositories of data to identify if data is not appropriately stored.
• Encrypt in place or destroy
Asset Management/Mitigating Damage
In addition to applying appropriate security controls, organizations must track their IT assets from cradle to grave
Good asset management will help track when things go missing
Liability exists for information on old computers and devices without encrypted hard drives
• Printers and copiers are often leased
• Lots of closet machines that were never destroyed
• Every server room has a box of hard drives
A certificate of destruction using an approved destruction method should be kept
Thank you
This presentation has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal, state, and/or local laws that may impose additional obligations on you and your company.
Attorney Advertising