Cybersecurity: Minimizing Risk & Responding to Breaches
March 5, 2015
Andy Chambers, Michael Kelly, Jimmie Pursell

Scope of Problem

Data Breaches: A Daily Phenomenon
- Anthem
- JP Morgan / Chase
- Sony
- Home Depot
- Target
- Neiman Marcus
- Healthcare.gov
- P.F. Chang's
- Community Health Services
Staggering Numbers
- Cyber crime has been estimated to cost the global economy between $400 and $575 billion each year
- At an estimated $100 billion, the U.S. takes the largest hit
- The number of U.S. data breach incidents tracked since 2005 exceeds 5,000 reported incidents, involving more than 675 million estimated records
- Only a small number of incidents are reported
Sources:
http://www.telegraph.co.uk/technology/internet-security/10886640/cyber-crime-costs-global-economy-445-bn-annually.html
http://www.politico.com/story/2014/06/cybercrime-yearly-costs-107601.html
http://www.idtheftcenter.org/itrc-surveys-studies/2014databreaches.html

Reported Breaches on the Rise
- In 2014, the number of U.S. data breaches hit a record high of 783
- A significant increase of 18.3 percent over the previous high of 662 breaches tracked in 2010
- This represents a substantial hike of 27.5 percent over the number of breaches reported in 2013
- Data records were lost or stolen at an alarming rate: an average of 15 breaches per week in 2014
Source: http://www.idtheftcenter.org/itrc-surveys-studies/2014databreaches.html

Impact on Organizations by Category
- Banking/Credit/Financial: 43 breaches
- Business (retail, hospitality and tourism, professional, trade, transportation, utilities, etc.): 258 breaches
- Educational: 57 breaches
- Government/Military: 92 breaches
- Medical/Healthcare: 333 breaches
Source: http://www.idtheftcenter.org/images/breach/databreachreports_2014.pdf
Impact on Public Companies
- In 2014, there were numerous incidents that affected public companies
- eBay: 145 million accounts
- Home Depot: 56 million accounts (shoppers who used credit and debit cards at its more than 2,000 U.S. and Canadian stores)
- J.P. Morgan Chase: 76 million households affected, 2/3 of U.S. households
- Target: an estimated 110 million accounts
Source: http://www.idtheftcenter.org/images/breach/databreachreports_2014.pdf

Cost of a Data Breach
- Average cost to a company in 2014 was $3.5 million, 15 percent more than what it cost in 2013
- For each breached record, businesses spent an average of $201
- The cost per compromised record is higher at U.S. companies than at those in other countries
Source: http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

Closer to Home
- Not just affecting large national companies
- Bashas
- Sprouts
- Maricopa County Community Colleges
Types of Data and Entities at Risk
- Individuals
  - Identity theft
  - Banking and credit card information accessed
  - Private or embarrassing info / photos
- Businesses
  - Customer data
  - System compromise

Customer Data
- Mirrors the type of information vulnerable for an individual:
  - Data that can harm your customer directly, e.g., credit card and bank account information
  - Data that can make your customer more vulnerable to ID theft, e.g., social security numbers, DOB, etc., much of which is the subject of privacy regulations

System Compromise
- Vandalism to websites
- Theft of company data, e.g., trade secrets
- System crashes
- DDoS
- Resulting reputational damage
Regulatory Requirements

Overview of Privacy and Security Laws and Regulations
- No single comprehensive federal law
- Patchwork of federal and state laws
- Regulations
- Government and industry group guidelines and best practices

Additional Considerations
- Executive Order on Improving Critical Infrastructure Cybersecurity
- State requirements: a myriad of privacy and breach notification laws
Additional Considerations (continued)
- Industry standards / best practices
- Are best practices / industry guidelines really voluntary?
  - Insurance companies
  - Plaintiffs' lawyers

FTC Act
- Prohibits unfair and deceptive acts or practices
  - Failure to protect personal data
  - Changing privacy policy without adequate notice
  - Failure to comply with posted privacy policy
- Ask yourself:
  - For what purpose will data be used?
  - Do you have permission for that use?

Gramm-Leach-Bliley
- Regulates collection, use and disclosure of financial information
- Financial institutions
SEC
- Disclose material risks, vulnerabilities, and incidents
- Insufficient disclosures
- Using boilerplate language

HIPAA
- Regulates medical information
- Can apply broadly to health care providers, data processors, pharmacies and other entities that come in contact with medical information
- Guidelines on how to de-identify data

Common Threads in Privacy and Security Regulations
- Confidentiality
- Integrity
- Availability
- Informed choice
Preparing for the Breach

Conduct an Audit / Be Proactive
- Inventory your data
  - How was it collected?
  - Do you have consents? Appropriate and timely consents
  - Where is it stored?
  - Keep only what you need
- Security measures
- Third-party access / sharing with third parties
- Availability of internal and external resources

Insurance
- What are the risks?
- First-party damage vs. third-party liability
- Direct damages
  - Breach detection
  - Breach response
  - System restoration
- Class-action suits and claims for punitive damages
- Shareholder suits
- Regulatory fines
- Business disruption
- Reputational damage
- Lost business
Insurance (continued)
- Aren't these risks already covered under my CGL, D&O, or property policy?
- Answer: Probably not. If so, coverage will be limited. Insurers are writing in express exclusions for these types of losses and liabilities.

Insurance (continued)
- Types of cyber-specific products
  - Commercial crime
  - Cyber crime
  - Service bureau operations
  - Data breach coverage (1st party and 3rd party)
  - Cyber extortion
  - Individual identity theft protection

Insurance vs. Security: What Should You Do?
Before a Data Breach Occurs
- Perform a privacy & security assessment
- Review and assess network security policies and procedures
- Develop a written Incident Response Plan
- Establish critical vendor relationships
- Review / revise record retention policies
- Review contracts with business partners
- Train employees
- Privacy notices
- Review insurance coverage

Policies and Procedures Relative to Data Security
- Typical policies to have in place:
  - Privacy policies
  - Identity theft prevention policies
  - Record retention policies
  - Network security policies
- Train employees and staff: policies are of no assistance if no one knows of them or what they require

Digital Safeguards in a Digital Environment
- Trade secret law requires reasonable measures
- Adapt practices to take new technologies into account
- Tools: electronically programmable access cards, computer firewalls, frequent changes and multiple levels of passwords, digital watermarks and secure intranets
- Countermeasures: spoofing, phishing, and dusting
Digital Safeguards in a Digital Environment (continued)
- Use a secure intranet or password-protected FTP server for frequent information exchanges with trusted business partners
- Failure to use commonplace security measures included in mass-market software applications may constitute failure to take reasonable measures to protect trade secrets
- Before disclosing your confidential information, consider using a due diligence questionnaire to inquire about the disclosee's own use of digital security measures

Physical Security
- Proliferation of personal devices for generating, recording, storing and transmitting digital data: cameras in cell phones, USB drives and mp3 players
- Restrict personal devices in highly secure areas on company property
- Beware stealth selfies
- Monitor and restrict the amount of data employees can transfer using company servers

Physical Security (continued)
- Reconfigure or eliminate USB ports except on designated company computers
- Reasonable measures may require privacy screens for traveling employees
- U.S. Customs can seize travelers' laptops without probable cause (U.S. v. Arnold, 523 F.3d 941 (9th Cir. 2008))
- Replace fully loaded hard drives with a clean hard drive or authorized USB drive for a specific business trip
Cultural Security
- Courts cite the use of training programs (e.g., threat awareness, safe blogging) as evidence of reasonable precautions
- Avoid using a fixed period of time (e.g., "two years") when limiting disclosure in NDAs
  - Company had not taken reasonable measures to maintain secrecy by requiring distributors and customers to keep schematic and programming information confidential for 2 or 3 years. Silicon Image, Inc. v. Analogix Semiconductor, Inc. (N.D. Cal. 2008)
- Departing IT administrators and security staff pose special risks

Best Practices
- Reasonable measures may include system monitoring tools

Best Practices (continued)
- Present a web interface/dashboard to IT and beyond
- Consider configuring critical alarms to trigger a cybersecurity alert
- Proactive ethical hacking for penetration testing, intrusion testing and red teaming
- Wholesale delegation of cybersecurity to IT personnel may not be appropriate
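The slides above ask for two things that a monitoring tool has to turn into concrete logic: watching how much data employees move through company servers, and raising a critical alarm when a threshold is crossed. The following added example (not the presenters' material) shows the smallest useful version of that check. The key=value transfer-log format, the user names and the 1 GiB-per-user-per-day limit are all assumptions constructed for illustration; a real deployment would read its own server's logs and take the limit from the written policy.

```python
"""Added example: a minimal per-user transfer-volume monitor that raises a
critical alert when a daily byte limit is exceeded. Not from the presentation;
the log format, sample users and threshold are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical "timestamp key=value ..." format).
SAMPLE_LOG = """\
2015-03-04T09:12:01Z user=alice action=download bytes=20480000
2015-03-04T09:45:10Z user=bob action=download bytes=104857600
2015-03-04T13:05:33Z user=alice action=upload bytes=524288000
2015-03-04T22:10:05Z user=alice action=upload bytes=734003200
2015-03-05T08:00:00Z user=bob action=download bytes=5242880
""".splitlines()

DAILY_LIMIT_BYTES = 1 * 1024 ** 3  # assumed policy threshold: 1 GiB per user per day


def parse_line(line):
    """Parse one log line into {'day', 'user', 'bytes'}; return None if malformed.

    Malformed lines are skipped rather than crashing the monitor, so a single
    bad record cannot silence alerting for everyone else.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "user" not in fields or not fields.get("bytes", "").isdigit():
        return None
    return {"day": ts.date().isoformat(), "user": fields["user"],
            "bytes": int(fields["bytes"])}


def daily_totals(lines):
    """Sum transferred bytes per (user, day) across all well-formed lines."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["user"], rec["day"])] += rec["bytes"]
    return dict(totals)


def critical_alerts(lines, limit=DAILY_LIMIT_BYTES):
    """Return sorted (user, day, total_bytes) tuples that exceed the limit.

    Each tuple is what a dashboard or pager integration would receive as a
    critical alarm.
    """
    return sorted((u, d, t) for (u, d), t in daily_totals(lines).items() if t > limit)


if __name__ == "__main__":
    for user, day, total in critical_alerts(SAMPLE_LOG):
        print(f"CRITICAL: {user} moved {total} bytes on {day} (limit {DAILY_LIMIT_BYTES})")
```

Run against the constructed log, the monitor flags alice on 2015-03-04 (three transfers totalling about 1.28 GB) and stays silent for bob, whose largest day is well under the limit. The per-day aggregation matters: none of alice's individual transfers would trip a per-event threshold, which is why the slides speak of monitoring the amount of data rather than single events.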
Other Non-Data Breach Concerns
- Due diligence in M&A / other transactions
- Cybersecurity is a critical component of due diligence which must be examined / investigated
- When you buy a company, you are buying its data and any associated security issues

After a Breach
- Incident response checklist
  - Mobilize necessary personnel
    - Legal / breach response coach
    - IT forensics
    - Communications / PR
  - Containment and analysis
    - Stop the bleeding
    - Secure the network
    - Preserve evidence
    - Identify the source and scope of the attack

After a Breach (continued)
- Incident response checklist (cont'd)
  - Notification
    - Evaluate breach notification laws
    - Coordinate with law enforcement / regulators
    - Develop corporate communication / PR strategy
  - Eradication and prevention
    - Post-cleanup review
    - Remediate security gap
    - Revise policies and procedures
  - Litigation defense
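"Preserve evidence" in the containment step above is what later lets the forensic findings survive regulator and courtroom scrutiny, and the practical core of it is recording who collected each artifact, when, and a cryptographic hash that proves it was not altered afterwards. The following added example (not part of the presentation, and not any particular vendor's tool) builds such a manifest with SHA-256 and then verifies it; the artifact names, their contents and the collector name are constructed for the walk-through.

```python
"""Added example: an evidence manifest for the "Preserve evidence" step of an
incident response checklist. Not from the presentation; file names, contents
and the collector identity are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record name, size and SHA-256 of each artifact, plus who collected it and when."""
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": os.path.basename(p), "size": os.path.getsize(p),
             "sha256": sha256_file(p)}
            for p in sorted(paths)
        ],
    }


def verify_manifest(manifest, directory):
    """Return the names of artifacts that are missing or whose hash no longer matches."""
    changed = []
    for a in manifest["artifacts"]:
        p = os.path.join(directory, a["path"])
        if not os.path.exists(p) or sha256_file(p) != a["sha256"]:
            changed.append(a["path"])
    return changed


def demo():
    """Constructed walk-through: collect two artifacts, alter one, detect the change.

    Returns (mismatches_before_tampering, mismatches_after_tampering).
    """
    with tempfile.TemporaryDirectory() as d:
        # Constructed artifacts standing in for a copied log and analyst notes.
        files = {"auth.log": b"Mar  4 22:10:05 host sshd: Accepted password for svc\n",
                 "memory_notes.txt": b"volatile data captured before reboot\n"}
        paths = []
        for name, data in files.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        manifest = build_manifest(paths, "analyst-1")
        manifest_json = json.dumps(manifest, indent=2)  # what you would store separately
        before = verify_manifest(manifest, d)
        with open(os.path.join(d, "auth.log"), "ab") as f:
            f.write(b"tampered\n")  # simulate a post-collection modification
        after = verify_manifest(json.loads(manifest_json), d)
        return before, after


if __name__ == "__main__":
    print(demo())  # ([], ['auth.log'])
```

The manifest is serialized to JSON so it can be kept apart from the artifacts themselves (and, in practice, signed or stored on write-once media); `verify_manifest` run from that stored copy is how a later reviewer, or opposing counsel, confirms that what the forensics team examined is what was collected during containment.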
Additional Resources
- National Institute of Standards and Technology (NIST) publications, e.g., Computer Security Incident Handling Guide
- Experian's Data Breach Response Guide
- Debix Data Breach Response Workbook
- DOJ Incident Response Procedures for Data Breaches

Questions?