Cyber Liability 2015: Your Data Risks and Obligations

Transcription

1 Cyber Liability 2015: Your Data Risks and Obligations Tedrick Housh, CIPP/US Co-Chair, Data Privacy & Security Group Lathrop & Gage, LLP 1

2 EMERGING TECHNOLOGIES The Internet of Things The Internet of Everything Wearable Electronics Cloud Storage Tablet and Phone Platforms Smaller, Faster, Better? 2

3 No Industry or Data Retention Method is Safe from Attack 2014 saw over 1,500 data breaches compromising nearly 1 billion data records, according to the security firm Gemalto. This was a 49% increase in breaches from 2013, and an increase of 78% in compromised data records. Anthem Sony Home Depot Community Health Systems JP Morgan 3

4 Beware: Sophisticated and Gov t Sponsored Hackers 4

5 Beware: the Rising Cost of a Data Breach 2014 Verizon Data Breach Investigations Report 1,367 confirmed data breaches 63,437 security incidents Finance (34%), Public (13%), Retail (11%), Accommodation (10%) 94% of breaches follow nine basic patterns 2014 Javelin Identity Fraud Report 1 in 3 data breach letter recipients will become identity fraud victims 62% of breach notifications to victims stemmed from compromised payment card data 5

6 Prepare & Prevent: How to Plan for a Data Breach Why incident response planning is important How to develop an incident response plan 6

7 Prepare & Prevent: Immediate To Do List Incident Response Planning Checklist Assess Data Risks and Policies Develop an Incident Response Team and Written Plan Conduct Employee Training Perform Vulnerability and Penetration Testing Execute IRP Drills Manage and Transfer Risk Contractual Indemnity/Liability Provisions. Review your contracts with those who maintain or own data that you process. Insurance. According to the Experian 2015 Annual Data Breach Industry forecast, adoption of Cyber Insurance policies more than doubled from 10 percent in 2013 to 26 percent in

8 Cyber Insurance Basic Types of Cyber Insurance First Party Coverage For direct losses of a company s assets. It can include insurance to respond to regulatory costs associated with the release of personally identifiable information (PII) and personal health information (PHI). Third Party Coverage Covers company s liability for causing a loss to another party. Often required by contract and almost exclusively offered on a claims-made basis. Expect that insurer will want to play key role in response decisions, as it is likely paying for them. 8

9 Prepare & Prevent: Assess Data Risks Perform a Data Risk Assessment to identify information assets as well as the risks to those assets. What information is (or should be) protected? What constitutes an event or incident The signs of events likely to occur The impact and probability of an incident type What constitutes a breach 9

10 Prepare & Prevent: Assess Policies regarding Data Do you have an internal firm-wide privacy policy? Do you authenticate the identity of persons who access data? Do you have a security plan to protect data from accidental or unauthorized disclosure? Do you track updates to antivirus and security software? Do you monitor employee computer or telephone use? Do you have a written protocol for responding to security intrusions? Do you have a document retention and destruction policy? Are you familiar with the legal requirements in event of a security breach? Have you obtained third-party privacy certification? Do you have a documented disaster recovery process? Do you have a Chief Privacy Officer and/or Information Security leader? Who is responsible for your data? 10

11 Prepare & Prevent: Define Your Team IT Legal Compliance HR/Employee Communications PR/Client Communications Marketing Privacy Finance Security Professionals (internal and external) Management Executive (incl. Risk Management) & Departmental 11

12 Prepare & Prevent: Internal and External Resources Know how to contact suppliers likely to be needed (ex: ISP, hardware, forensics, DR/BC resources, etc.) Include building facility contact information (after-hours access, A/C, etc.) Have access to baselines and backup configuration files. Have the ability to quickly modify configurations for Firewalls Databases Backups Routers IDS/IPS Log files 12

13 Prepare & Prevent: Assign Team Responsibilities Define who is responsible for: Reporting potential events Responsibility, guidelines and reporting mechanisms should be implemented and communicated Penalties for non-compliance Evaluating reported information and declaring an incident Activating the full Incident Response Team ( IRT ) Leading, overseeing, communicating and reporting Organizing an after-action briefing Creating and maintaining an incident response plan 13

14 Prepare & Prevent: Technical and Other Readiness Current inventory of PII & PHI Log data (otherwise, you will not have it when you need it) Active protocols, ports and services DHCP assignments Authorized applications Baselines Administrator or privileged account usage Security reports (anti-virus definition updates, anti-virus scan reports, tripwire, etc.) Pre-authorize financial resources Have relevant contracts available Have relevant third-party provider SLA and contact information 14

15 Prepare & Prevent: Spotting a Data Security Event Attempts to gain unauthorized access to a system or its data Disruption of business processes and services Website compromise Lost or stolen mobile device/laptop Theft, loss or exposure of protected data Changes to system hardware, firmware, or software without proper authorization and change control Theft of IP or client materials by departing or disgruntled employee Large volume of data being uploaded to a cloud storage service (Dropbox or Box, etc.) Unusually large number of tweets Virus, worm, etc. that is unable to be contained by routine measures 15

16 Prepare & Prevent: Testing, Auditing and Updating Are you sure? How do you know? Test Audit/Sample after implementation What worked last year may not work in the current environment Change control is an important mechanism to reduce unintended consequences 16

17 Prepare & Prevent: IRP Testing Test the plan s efficacy under scenarios such as A Trojan may have been introduced into the network A worm may have infected the network Cyber extortion An external party accuses the company of sending malicious A laptop is lost An employee inadvertently sends unencrypted PI via to an unauthorized individual DDoS/DoS attack Unknown wireless access point is discovered An employee who terminates takes IP or client files The marketing Twitter account is hacked 17

18 Respond & Recover: An Overview Verify the apparent incident Document and notify counsel, insurers & others Consider internal threat exposure Collect volatile data first Determine containment plan Disconnect affected systems Assess the nature and extent of damage Research current attack intelligence Form eradication and recovery plan 18

19 Respond & Recover: Discussions with Counsel Notification to criminal enforcement authorities (FBI, DOJ, Police) Notify Insurers and Vendors Internal and External Announcements Data Owner and Data Maintainer Notification Obligations Determination of Remediation Offers Regulator Notification Data Subject Notification Call Center and Response Management Response Evaluation 19

20 Respond & Recover: Documentation of the Event Make sure documentation is contemporaneous, thorough, accurate and objective. It should include How the breach occurred Date and time Methods, tools and technologies used and results Point of compromise Date and time of each response effort Who did what and when objective only Nature, extent, format and volume of the information exposed Whether the information was encrypted Financial impact to the business (for insurance purposes) 20

21 Respond & Recover: Documentation Considerations Other than official documentation, verbal communications may be preferable; avoid communicating speculative information in written format Preserve documentation in original format when available Consider forensic technology and a formal chain of custody documentation for events with potential legal or regulatory implications 21

22 Where will you centralize incident response operations? A room and equipment Secure communication (not your system) Enforce maximum working hours and minimum sleep hours Respond & Recover: Logistics 22

23 Respond & Recover: Catch Your Breath, then Evaluate exposure Data type and volume Continue to engage legal evidence requirements compliance with state, local, federal laws contractual requirements maintaining legal privilege for certain communications Communicate requirements to the IRT Do not communicate to the press, to the impacted individuals or to employees outside of the IRT without confirmation by legal/compliance that the message meets all legal requirements Engage PR/Communications to minimize attrition Review and determine insurance coverage provisions and the necessity of making notification to the company s insurance company(s) 23

24 Breach notification laws are required in 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands Notification time frames vary by state Notification requirements to other parties vary by state Federal laws such as HIPAA, COPPA, and GLBA also may apply Respond & Recover: Notification 24

25 Respond & Recover: International Obligations EU US 25

26 Respond & Recover: After the Storm Back up data (if not also compromised) Leverage disaster recovery and business continuity resources 26

27 Respond & Recover: Debrief and Reinforce After each testing event or incident response event, the actions taken and results observed should be reviewed by the IRT What went well? What could have been done faster or with more accurate results? What resource(s) would have made the response faster or more accurate? What changes to the plan would benefit future IR teams? What alerts or precursors should be added to the detection system? What preventative actions or systems would be beneficial? 27

28 Questions Thank you! 28