IDENTIFYING AND RESPONDING TO DATA BREACHES
Michael P. Hindelang
Honigman Miller Schwartz and Cohn LLP
October 14, 2015
Merit Security Summit
DATA SECURITY RISKS, THREATS & REAL WORLD EXAMPLES
OVERVIEW
- What is a data breach?
- Is this a real risk for my organization?
- What is the worst that can happen?
- What does cybersecurity mean today?
WHAT IS AT RISK
- Information and systems needed to run your business
  - Competitive information
  - Controls for machines
- Information about your business
  - Financial information
- Information belonging to others
  - Customers
  - Employees
  - Third Parties
YOUR INFORMATION HAS VALUE
- All three categories
- Regardless of industry
- In ways that it may be more valuable to others
WHAT CAUSES BREACHES?
- Hackers/criminals
- Employees/insiders
- System failures
- All of the above
STATISTICS
Recent studies have shown that breaches were caused by:
- Hackers or malware: 47-49%
- System issues: 20-31%
  - 85% of those were from third-party services
- Negligent employees: 19-30%
  - Including lost devices
HOW HARD IS IT?
- Does your information have value?
- Hackers can compromise some systems within minutes
- Do you ever have computer glitches?
- Do your employees have access to any part of your IT system?
THERE ARE NUMEROUS AREAS OF VULNERABILITY
- Mobile and remote access
- Online presence
- Traditional systems
- Insiders
INDUSTRIES WITH UNIQUE OR ADDITIONAL RISKS
- Health Care
- Financial Services
- Technology
- Manufacturing
- Anyone who handles payment cards
REPERCUSSIONS
- Business interruption
- Property loss
- Reputational risk
- Legal risk
LEGAL RISKS
- Employment issues
- Regulatory issues
- Civil liability
- Consumer class actions
- Business partner litigation
IDENTIFYING THE BREACH AND CONTAINING IT
HOW DO YOU KNOW YOU HAVE A PROBLEM?
- IT discovers an issue
  - Direct evidence
  - Indirect evidence
- Business unit discovers an issue
  - Suspicious emails
  - Missing money
- Notified by a third party
  - Business partners
  - Media
- Notified by law enforcement
IS IT REALLY A DATA SECURITY ISSUE?
- Determining what is actually going on
- When do you move from an IT issue to a data breach response situation?
- Counsel
- Preservation of information
INDICIA OF A BREACH
- Responses to emails that your personnel did not send
- Financial transactions your personnel did not authorize
- Creation or discovery of unauthorized accounts
  - Especially administrative accounts
- Unusual network activity
- Large number of failed logins
IT'S A BREACH!
- Now what?
- Call a lawyer
- Privilege
- Legal ramifications of many early decisions
PRELIMINARY CONCERNS IN CONTAINING A DATA BREACH
- Speed
- Protecting your systems vs. hampering investigation
- Capabilities
  - IT
  - Legal
- Scope of access
- Location of data
SPEED
- Natural tendency is to run scans, test settings, etc.
- Risk trampling the digital footprints a forensic analyst could preserve
- May notify the hacker
- Law enforcement considerations
- May be necessary
CONFIDENTIALITY AND PRIVILEGE
- The role of counsel
- Who is involved?
- Risks of disclosure
- Capabilities of members of the team
DETERMINING THE SCOPE OF ACCESS
- What systems are affected
- What those systems connect to
- Security protocols
- What data is on the affected systems
DETERMINING WHO IS INVOLVED
- There is a human element to many data breaches
- Are employees involved?
- Who can you rely on?
- Is the information sensitive?
- Can you bring in consultants?
INVESTIGATING THE BREACH
- Interviews
- Technical analysis
- Employment considerations
- Law enforcement considerations
USING FORENSIC ANALYSTS
- Capabilities
- How to engage them
- Who they report to
- Translating tech-speak to management-speak
- Limitations
HANDLING LAW ENFORCEMENT
- When to involve them
- When they involve themselves
- Providing access to your systems
- Seeking prosecution of bad actors
DISCLOSING AND REMEDIATING THE BREACH
REMEDIATION ISSUES
- You can't fix what you can't find
- What if there is not a clear technical issue?
- You can't fix what you don't control
- You can't fix what you don't understand
IDENTIFYING THE BREACH VS IDENTIFYING WHAT TO FIX
- Knowing what was taken does not necessarily tell you how it was taken
- Can you determine the means of access?
- Can you determine that there were no other points of access?
- Can you determine how to address the problems?
- Can you test your fixes?
OTHER REMEDIATION CONSIDERATIONS
- Do you control the affected systems?
- Collateral effects of technical changes
- Business interruption
- De facto disclosure of the breach
DISCLOSURE ISSUES
- Insurance
- Publicity
- Consumer notification laws
- Regulatory notifications
- SEC filings
- Litigation
- Timing
CYBERINSURANCE
- Do you have a cyberinsurance policy?
- What does it cover?
- Can you choose your professionals?
- When are you required to notify them?
- What else do you need to do for coverage?
PUBLICITY
- Can you keep the breach confidential?
- What happens if you do?
- What happens if you don't?
- Reputational issues
- Planning for the media attention
CONSUMER NOTIFICATION
- 47 different state laws
  - Plus municipal laws
  - And different countries
- Timing
- Content
- What must be offered
REGULATORY NOTIFICATIONS
- State attorneys general
- FTC
- Industry regulators
- Local law enforcement
- Federal law enforcement
SEC FILINGS
- For public companies
- Cybersecurity risk factors
- Effect of breaches
- Potential for lawsuits
POTENTIAL LITIGATION
- Consumer class actions
- Employment
- Securities
- FTC and state attorneys general
TIMING
- How do these work together?
- Law enforcement
- Insurance
- Consumer notifications
- Reasons to delay
- Reasons to expedite
ADDITIONAL STEPS
- Security audits
- Policy reviews
- Contract reviews
Michael P. Hindelang
Honigman Miller Schwartz and Cohn LLP
mhindelang@honigman.com
(313) 465-7412
WWW.HONIGMAN.COM