IDENTIFYING AND RESPONDING TO DATA BREACHES

Transcription

1 IDENTIFYING AND RESPONDING TO DATA BREACHES Michael P. Hindelang Honigman Miller Schwartz and Cohn LLP October 14, 2015 Merit Security Summit

2 DATA SECURITY RISKS, THREATS & REAL WORLD EXAMPLES

3 OVERVIEW What is a data breach? Is this a real risk for my organization? What is the worst that can happen? What does cybersecurity mean today? 3

4 WHAT IS AT RISK Information and systems needed to run your business Competitive information Controls for machines Information about your business Financial information Information belonging to others Customers Employees Third Parties 4

5 YOUR INFORMATION HAS VALUE All three categories Regardless of industry In ways that it may be more valuable to others 5

6 WHAT CAUSES BREACHES? Hackers/criminals Employees/insiders System failures All of the above 6

7 STATISTICS Recent studies have shown that breaches were caused by: Hackers or malware 47-49% System issues 20-31% 85% of those were from third-party services Negligent employees 19-30% Including lost devices 7

8 HOW HARD IS IT? Does your information have value? Hackers can compromise some systems within minutes Do you ever have computer glitches? Do your employees have access to any part of your IT system? 8

9 THERE ARE NUMEROUS AREAS OF VULNERABILITY Mobile and remote access Online presence Traditional systems Insiders 9

10 INDUSTRIES WITH UNIQUE OR ADDITIONAL RISKS Health Care Financial Services Technology Manufacturing Anyone who handles payment cards 10

11 REPERCUSSIONS Business interruption Property loss Reputational risk Legal risk 11

12 LEGAL RISKS Employment issues Regulatory issues Civil liability Consumer class actions Business partner litigation 12

13 IDENTIFYING THE BREACH AND CONTAINING IT

14 HOW DO YOU KNOW YOU HAVE A PROBLEM? IT discovers an issue Direct evidence Indirect evidence Business unit discovers an issue Suspicious s Missing money Notified by a third-party Business partners Media Notified by law enforcement 14

15 IS IT REALLY A DATA SECURITY ISSUE? Determining what is actually going on When do you move from an IT issue to a data breach response situation? Counsel Preservation of information 15

16 INDICIA OF A BREACH Responses to s that your personnel did not send Financial transactions your personnel did not authorize Creation or discovery of unauthorized accounts Especially administrative accounts Unusual network activity Large number of failed logins 16

17 IT S A BREACH! Now what? Call a lawyer Privilege Legal ramifications of many early decisions 17

18 PRELIMINARY CONCERNS IN CONTAINING A DATA BREACH Speed Protecting your systems vs. hampering investigation Capabilities IT Legal Scope of access Location of data 18

19 SPEED Natural tendency is to run scans, test settings, etc. Risk trampling the digital footprints a forensic analyst could preserve May notify the hacker Law enforcement considerations May be necessary 19

20 CONFIDENTIALITY AND PRIVILEGE The role of counsel Who is involved? Risks of disclosure Capabilities of members of the team 20

21 DETERMINING THE SCOPE OF ACCESS What systems are affected What those systems connect to Security protocols What data is on the affected systems 21

22 DETERMINING WHO IS INVOLVED There is a human element to many data breaches Are employees involved? Who can you rely on? Is the information sensitive? Can you bring in consultants? 22

23 INVESTIGATING THE BREACH Interviews Technical analysis Employment considerations Law enforcement considerations 23

24 USING FORENSIC ANALYSTS Capabilities How to engage them Who they report to Translating tech-speak to management-speak Limitations 24

25 HANDLING LAW ENFORCEMENT When to involve them When they involve themselves Providing access to your systems Seeking prosecution of bad actors 25

26 DISCLOSING AND REMEDIATING THE BREACH

27 REMEDIATION ISSUES You can t fix what you can t find What if there is not a clear technical issue? You can t fix what you don t control You can t fix what you don t understand 27

28 IDENTIFYING THE BREACH VS IDENTIFYING WHAT TO FIX Knowing what was taken does not necessarily tell you how it was taken Can you determine the means of access? Can you determine that there were no other points of access? Can you determine how to address the problems? Can you test your fixes? 28

29 OTHER REMEDIATION CONSIDERATIONS Do you control the affected systems? Collateral effects of technical changes Business interruption De facto disclosure of the breach 29

30 DISCLOSURE ISSUES Insurance Publicity Consumer notification laws Regulatory notifications SEC filings Litigation Timing 30

31 CYBERINSURANCE Do you have a cyberinsurance policy? What does it cover? Can you choose your professionals? When are you required to notify them? What else do you need to do for coverage? 31

32 PUBLICITY Can you keep the breach confidential? What happens if you do? What happens if you don t? Reputational issues Planning for the media attention 32

33 CONSUMER NOTIFICATION 47 different state laws Plus municipal laws And different countries Timing Content What must be offered 33

34 REGULATORY NOTIFICATIONS State attorneys general FTC Industry regulators Local law enforcement Federal law enforcement 34

35 SEC FILINGS For public companies Cybersecurity risk factors Effect of breaches Potential for lawsuits 35

36 POTENTIAL LITIGATION Consumer class actions Employment Securities FTC and state attorneys general 36

37 TIMING How do these work together? Law enforcement Insurance Consumer notifications Reasons to delay Reasons to expedite 37

38 ADDITIONAL STEPS Security audits Policy reviews Contract reviews 38

39 Michael P. Hindelang Honigman Miller Schwartz and Cohn LLP (313)

40