LIGC-ACC Presentation November 9, 2015

Transcription

1 Bryan Frank, DDIS Info Sec Corp, panelist Jennifer M. Mone, Deputy General Counsel, Hofstra University, panelist Keith J. Frank, Partner, Forchelli, Curto, Deegan, Schwartz, Mineo & Terrana,. LLP, moderator LIGC-ACC Presentation November 9, 2015

2 What you can do to protect against identity theft and how technology exposes your clients to identity theft. Attendees will be able to identify types of cyber attacks. Attendees will understand industry cyber security standards. What to do if you believe that you've suffered a data breach. Attendees will be able to develop a more secure IT network and be prepared for a cyber incident. 2

3 One person, using information gathered from some source, takes on the identity of another person without permission and conducts a variety of activities using that identity. The intent is to use that identity for personal gain, generally with the intent to defraud others 3

4 Impersonates another by communicating over the internet, a website or other electronic means with the intent to obtain a benefit or injure or defraud another. 4

5 When he or she knowingly possesses a person`s financial information: 1. account number or code, savings account number or code, checking account number or code; 2. brokerage account number or code, credit card account number or code; 3. debit card number or code, automated teller machine number or code, personal identification number; 4. mother`s maiden name, computer system password; 5. electronic signature or unique biometric data that is a fingerprint, voice print, retinal image or iris image of another; 6. person knowing such information is intended to be used in furtherance of the commission of a crime defined in this chapter. 5

6 Knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law. Established the Federal Trade Commission (FTC) as the Federal Government s one central point of contact. Increased criminal penalties for identity theft and fraud 15 years imprisonment and substantial fines. 6

7 Target Neiman Marcus Chase Home Depot Anthem TJ Maxx 7

8 In 2012, direct and indirect identity theft losses totaled $24.7 billion in the United States, a figure that exceeded the losses in all other categories of property crime combined. 8

9 Hacker Admits Sabotaging Long Island Company LI's Uncle Giuseppe's Marketplace reports computer data breach - Newsday 9

10 Financial industry continues to be a target of cyber attacks. Social, political and economic reasons. Significant increase in data breaches and cyber attacks over the past 10 years. Cyber attacks are increasingly funded or supported by foreign states. Small business has greater risk from internal threat. 10

11 HIPPA The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." HITECH imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." These notification requirements are similar to many state data breach laws related to personally identifiable financial information (e.g. banking and credit card data). 11

12 Under the Safeguards Rule, financial institutions must protect the consumer information they collect. 12

13 Businesses "significantly engaged in providing financial products or services, for example: 1. check-cashing businesses 2. payday lenders 3. mortgage brokers 4. nonbank lenders 5. personal property or real estate appraisers 6. professional tax preparers 7. courier services 13

14 April 15 th 2014 memorandum on cyber security 1. Guidance on the protection of confidential information by financial institutions. 2. Establishing clear guidelines on cyber security policy. 3. Expect organizations to follow industry best practices. 14

15 Breaches exposed 22.8 million personal records of New Yorkers between 2006 and Hacking attacks are driven primarily by the black-market value of personal information, which can fetch up to $45 per record. NEW YORK STATE INFORMATION SECURITY BREACH AND NOTIFICATION ACT 15

16 16

17 The term hacker has evolved from describing the curious computer enthusiast to malevolent cyber criminal. Monetary Gain Organized Crime Ego/street creds Political Activism Military/Nation State Not all hackers are evil, white hats 17

18 18

19 1. Documents in the trash 2. Receipts from purchases 3. Lost or stolen wallets or purses 4. Online phishing for personal data 5. Mail from mailboxes 6. Through hacking getting lists of PII NCPC 19

20 Open credit card and other accounts Try to create false ID cards License Social Security State ID cards IRS returns Use these IDs to then open other accounts 20

21 Computers desktops, laptops, tablets, mobile phones, smart watches Servers, clients and the cloud Thumb drives, portable hard drives, Tape backups Wi-Fi 21

22 Internal Threats 1. Malicious behavior by employee or ex-employee. 2. Inadvertent mistakes by employees. Outside attack less of a threat 22

23 Laptop, mobile devices, increase the level of unauthorized access to your material. The use of thumb drives allows for the possible introduction of virus and removal of proprietary information. An Employee/user may unknowingly infect the network by using an infected device. Malicious downloads, infected files, corrupted images and other threats can easily be spread via portable devices. 23

24 s compromised and used to redirect funds that are then wired to another location or bank. Perpetrator inserts themselves into the chain. 24

25 HACKING NET EXTORTION DENIAL OF SERVICE ATTACK VIRUS DISSEMINATION SOFTWARE PIRACY PORNOGRAPHY 25

26 CREDIT CARD FRAUD PHISHING SPOOFING CYBER STALKING CYBER DEFAMATION THREATENING 26

27 National Crime Prevention Council 27

28 Companies should not ask for personal and financial information through this type of . If unsure about an , verify the correspondence through another method. 28

29 29

30 The business could be held liable if personal identifiable information is released and there were few safeguards in place. Expectation of following best practices. 30

31 C- level down Culture of security Employees should be responsible for maintaining security. 31

32 Computer Usage Policy Password Policy BYOD Policy Cyber Incident Response Plan Employee training 32

33 Strong Passwords Updated operating systems and patches Firewalls Anti-virus software Training 33

34 There is evidence that you have been hacked. Priority is to stop the intrusion Isolate the areas the have exposed Mitigate the damage Law enforcement/ag notification? Was PII stolen? 34

35 How to conduct business after a breach. How to conduct business after a natural event. 35

36 Identity Theft will continue to grow as more personal information is put online. Financial Institutions should be using best practices to secure their infrastructure. 36