Cyber Security: Emerging Risks and Trends (and what you can do about it)

Size: px

Start display at page:

Download "Cyber Security: Emerging Risks and Trends (and what you can do about it)"

Lucy Logan
7 years ago
Views:

1 Cyber Security: Emerging Risks and Trends (and what you can do about it) UVU Business and Economic Forum May 19, 2016 Presented by: Daniel D. Hill, Esq. Christopher Droubay, Esq.

2 Risks and Trends Widely Known Global Problem Most Significant 2016 Business Risk 2016 Corporate Risk Survey, Kroll Top Regulatory Focus #7 on Government s Top 10 List KPMG, LLP Sample Government Agencies SEC FTC FCC CFPB Common Another Day, Another Breach Homeland Security (30,000 employees) Panama Papers (2.6 terabytes) California Hospital Target U of U Hospital

3 University of Utah Hospital Burglars stole back-up tapes containing highly confidential and sensitive medical records on 1.7 million patients recovered a month later, apparently not compromised Hospital s response: Third-party call center 2 million letters 11,000 calls from concerned patients Upgraded to more sophisticated encryption Costs: $3.3 million for breach notifications, credit monitoring fees, phone bank costs, and other expenses 6,632 personnel hours

4 Risks and Trends Not Widely Known Scope of the Problem Increased 48% since 2013 Daily attacks estimated at 117,339 In 2015 Alone: Exposed identities increased 23% to 429 million More than 430 million unique pieces of malware surfaced Spear-Phishing for Employees increased 55% Ransomware increased 35% 75% of businesses have vulnerable websites

5 How Your Clients Feel Risks and Trends Not Widely Known (cont.) 42% believe failure to protect their information is the biggest threat to your reputation 75% will take their business elsewhere if you re breached [July 2015 Study] Costs Avg Cost/Breach in 2014 = $6.5 MILLION Companies reporting losses in excess of $20 MILLION+ has increased by 92% Regulatory fines can be staggering (e.g. $25 MILLION for personal data of 280,000 people) More than a third of attacks target small business, 60% of those businesses go out of business in 6 months Insurance most CGL policies worthless

6 What is The Most Common Threat? Employees! Ex: Snowden 39% of IT professionals worldwide: employees worse than hackers 70% of HealthCare organizations identify employees as #1 threat 50% of breaches attributable to employee error What Employees C Suite IT Staff 32% gave out password vs. 19% other staff 41% believed it was fine to install unapproved applications vs. 27% others 28% admit accessing former employer vs 13% others 23% admitted would take data if it benefitted them

7 The Most Common Threat How Employees Create a Threat Internet browsing Downloading software Connecting unapproved devices Transmitting to private (e.g. Hillary!) Storage of personal information on business site Social media posts Accessing business site through unsecured wireless connections Phishing links (e.g., ransomware) Why Employees Create a Threat Do not understand the risk No fear of policy enforcement

8 Another Threat: Vendor and Supply Chains Most Notorious Example Target Recent Utah Example - doterra Risk Management Questionnaire; e.g. Audited? What use for a data center? What network security in place? What systems security in place? What antivirus tools in place? Security Clause in Contracts; e.g. Safeguards are and will be used Warrant the Risk Management Questionnaire Subject to review and audit

9 Relevant Laws State Laws 48 states have enacted data breach notification laws Utah Federal Laws Gramm-Leach-Bliley Act HIPAA Private Standards PCI-DSS

10 Utah State Law Obligation: notice provided as soon as practicable and without unreasonable delay But notice may be delayed for criminal investigations Key Terms: Breach of Security: unauthorized acquisition or use of unencrypted data with a substantial risk of identity theft or fraud Encrypted: transformation of data into a form that is difficult to decipher without a key Personal Information: first initial and last name combined with any one of the following: Social Security number driver s license number financial account number, or credit or debit card number

11 Utah State Law (cont d) Enforcement: States vary in enforcement efforts Fines in excess of $100,000 not uncommon

12 GLBA Gramm-Leach-Bliley Act Regulates institutions engaged in activities that are financial in nature This can include financial services, investment services, brokerage services, account services, insurance brokerages, and banks; however, the list is broad Financial institutions have an affirmative and continuing obligation to respect the privacy of [their] customers and to protect the security and confidentiality of those customers nonpublic personal information. 15 U.S.C. 6801(a)

13 GLBA (cont d) Gramm-Leach-Bliley Act (cont d) Organizations must develop an information security program that: Designates an employee to coordinate the program, Identifies reasonably foreseeable internal and external risks and assesses the sufficiency of current safeguards via risk assessment, Implements safeguards to manage identified risks, Oversees service providers, and Evaluates the security program in light of the risk assessment

14 GLBA (cont d) Gramm-Leach-Bliley Act (cont d) Penalties: Fines as high as $10,000,000 Audits that last for 20 years Breach Notification Must be disclosed as soon as possible if misuse of information about a customer has occurred or is reasonably possible Notification to federal regulator Example: The Payday Loan Store FTC alleged GLBA violations for failing to properly dispose of sensitive financial information Fine: $101,500; 20 years of audits Takeaway: make sure sound policies in place and that employees understand and are following them

15 HIPAA Regulates organizations that collect personal health information: information indicating someone received or sought health care Applies to covered entities: doctors, hospitals, health insurance brokers, companies with 50+ full-time employees, and business associates Covered entities must protect the confidentiality, integrity, and availability of personal health information Penalties: $100 to $50,000 per violation Continual audits from the Office of Civil Rights

16 HIPAA (cont d) Breach Notification Requirements Individual notice Without unreasonable delay, no later than 60-days after discovery of breach Description of breach, types of information involved, steps to protect those affected, investigation details, mitigation details, and future prevention details Media Notice (more than 500 residents of a state) Notice to HHS Secretary No private right of action

17 PCI-DSS For businesses that accept credit or debit cards Fee Structure for failing to comply with PCI-DSS standards Fees are tiered based on the number of transactions Range: $5,000 to $50,000 If you fail compliance once, you go straight to the highest tier for fees Costs of up to $3 to $25 per risk card

18 What Can You Do?

19 The Bottom Line Impenetrable Defense Not Required but must reasonably address cybersecurity The Cyber Security Team: Information Security: Perform vulnerability assessments, identify how to strengthen security, and locate technical solutions for cybersecurity risks Attorneys: Coordinate the data breach response and develop policies and procedures that comply with the law Management: Ensure that cybersecurity measures are compatible with your business Insurance: check with broker to ensure you re covered

20 Minimizing the Employee Threat Education Security Training Program; e.g. Browsing Rules Permissible Use Guidelines Use of Social Media Identify Common red flags

21 Minimizing the Employee Threat Establish Different User Roles BYOD Policies? Good policy? Use of unprotected networks Who owns/controls the data on the device? Obligation to reimburse staff? Minimum Requirement: Use of protected networks

22 Other Best Practices Password policies VPN access for remote devices Create a life-cycle for assets containing Personally Identifiable Information (PII) Encrypt assets containing PII Off-site or Remote storage so you can restore lost information Two Step Verification Processes (call backs/dual signatures) Perform a risk assessment/penetration tests

23 Cyber Liability Insurance

24 What if a breach does occur? Verify that a breach has occurred and the types of data affected Involve your attorney at the outset to ensure your investigation is protected Contain the breach Hire an Information Security Team Investigate the breach Contact law enforcement, regulatory authorities, etc. Notification Public relations Credit monitoring, call centers, etc. Post-notification Remediation

25 Thank You! Daniel D. Hill, Esq Christopher Droubay

Cybersecurity: Emerging Legal Risks

Cybersecurity: Emerging Legal Risks Data Breach Cyber Liability Seminar April 17, 2015 By: Tsutomu L. Johnson tj@scmlaw.com Overview of 2014 Data Breaches: JP Morgan, Home Depot, P.F. Chang s, Healthcare.gov,