DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE
ACC-Charlotte
February 4, 2015
THIS WILL NEVER HAPPEN TO ME!
- Death, Taxes & Data Breach
- Not just Home Depot, Target or Sony
- Do you employ the next Edward Snowden?
- RDU Airport Shuttle (One Stop Parking) & Charlotte Airport (Park 'N Fly), January 17, 2015, Triangle Business Journal
  - Card number, cardholder's name, billing address, card expiration date, CVV code
  - Park 'N Fly passwords and telephone numbers: they have not yet determined whether this information was obtained.
ARE YOU READY FOR THE INEVITABLE?
Minimize Your Risk of Exposure
- Policies and Procedures
  - What data do you have?
  - Where is that data stored?
  - Who has access to the data?
  - What data can be destroyed?
- Proactively Monitor Your Data
  - Compliance officer
  - Periodic security testing
Data Security Is Not an IT Issue, It Is a Company Issue
- IT may manage the nuts and bolts of network systems; however, all employees must be responsible for the use and protection of information
- Improper use or disclosure of information will impact the company, not IT
- What are your client or customer expectations?
- Ignoring data security issues outside of IT is a recipe for disaster
What Data Do You Have?
- Employee data
  - Personal information: addresses, phone numbers, social security numbers
  - Health-related information: company-sponsored wellness plan
- Customer data
  - Financial: credit card numbers and security codes
  - Proprietary
Where Is Your Data Stored?
- Computers
  - Desktop or laptop
  - Company or personal
- Servers
- Cloud
- Smartphones/tablets
  - Company or personal
- Third parties
Who Has Access to Your Data?
- Employees
  - Educate, educate, educate
  - Employee handbook
    - Who owns the data
    - Why data must be protected
    - Simple steps to protect data
- Third-party vendors
  - Address the safeguarding of data
What Are They After? $
- Potential areas where data could be breached
  - Stolen or lost computer
    - Why was it stolen?
    - Was the data encrypted?
  - Hacking incidents
    - Payment card system hacking
    - Password theft
    - Theft of financial data
  - Unknown intrusions
Policies and Procedures: Destruction of Data
- If you don't need it, don't have it
- Case-by-case analysis of what data can be destroyed
- Must consider statutory and regulatory document preservation requirements
  - Litigation considerations
  - Statutory considerations: N.C. Gen. Stat. 75-64
Insurance Considerations
- What is your current insurance coverage?
  - Non-cyber policies
  - Work closely with your insurance broker to determine what coverage you have and don't have
- Cyber-insurance
  - First-party coverage
  - Third-party coverage
  - Remediation coverage
  - Fines and penalties coverage
  - Risk management services coverage
Contract Considerations
- Allocation of risk
  - Indemnification
- Who does the data belong to?
- Who is responsible for safeguarding the data?
- Encryption
- Cyber security policies and procedures
  - Should be consistent with your standards
- Access to information
  - Ability to conduct an audit of the third party's compliance
- Insurance
Third Party Forensic Companies
- Ethical hacking
  - Penetration test: proactive attack of the network
  - Managed security testing
- Preventative technology
  - Data loss prevention
- Data breach response
  - 24-hour response teams
  - Data recovery/remediation
THERE HAS BEEN A BREACH, NOW WHAT?
Goals for Responding to a Data Breach
- Containment and recovery
- Assessment of ongoing risk
- Evaluation and response
- Notification of breach
Have a Go-To Team in Place
- 24-hour access: the clock starts ticking when the breach occurs
- Management
- IT
- Compliance/HR
- Attorney
- 3rd party/external consultant
- After a breach has occurred is not the time to begin preparing
- Alert and activate everyone on the response team
  - Management
  - IT
  - Compliance/HR
  - Attorney
  - 3rd party/external consultant
  - Insurance
- Make sure the response team knows their roles and duties
- Make sure the response team has the necessary contact information
  - Cell phone, home phone, email
- Secure the premises around the area where the data breach occurred to help preserve evidence
  - Accident scene investigation
  - Preservation of information
    - Factual information
    - Equipment
    - Witnesses/participants
  - Control access
- Stop additional data loss
  - Take affected machines offline
  - Allow the forensics team to analyze them; do not attempt to analyze them yourself
  - Know whether you can or should shut down your system
    - Will shutting down the system cause loss of information?
    - Spoliation issues
- Document everything about the breach
  - Who discovered it?
  - Who reported it?
  - To whom was it reported?
  - Who else knows about it?
  - What type of breach occurred?
  - What was stolen?
  - How was it stolen?
  - What systems are affected?
  - What devices are missing?
- Allow counsel to direct the collection of information
- Assess priorities and risks based on what you know about the breach
- Bring in your forensics firm to begin an in-depth investigation
  - Analyze the immediate ramifications of the breach
  - Evaluate and understand the cause of the incident
  - Identify who was affected and what information was compromised
  - What is likely to happen to the compromised data?
  - Are other systems a possible target?
- What are the possible legal implications?
  - Notification requirements
  - Reporting requirements
  - Litigation risks
- Notify law enforcement
  - After consulting with legal counsel and upper management
  - Determine whether law enforcement or other agencies must be notified by law
  - N.C. Gen. Stat. 75-65: must notify the Consumer Protection Division of the Attorney General's office without unreasonable delay if notice is given to individuals
  - Additional reporting requirements if notice is given to more than 1,000 individuals
Fix the Issue That Caused the Breach
- Rely on your forensics team to delete hacker tools
- Determine if you have other security gaps or risks
- Put clean machines online in place of affected ones
- Educate your employees
- Ensure the same type of breach will not happen again
  - Passwords
  - Encryption of data
  - If it happens once, you are now on notice if it happens again
Continue Working with Forensics
- Determine if any countermeasures were enabled when the compromise occurred
- Analyze backup, preserved or reconstructed data sources
- Ascertain the number of people suspected to be affected and the type of information compromised
- Begin to align compromised data with customer names and addresses for notification
Identify Legal Obligations
- Revisit state and federal regulations governing your industry and the type of data lost
  - State or federal law: HIPAA, the Fair Credit Reporting Act, etc.
- Litigation considerations
  - Class action litigation, consumer protection/unfair and deceptive acts, misrepresentation regarding the security of data, negligence, invasion of privacy, breach of express or implied contract, etc.
President Obama Initiatives
- To date 47 states have data breach notification laws
- The Personal Data Notification and Protection Act
  - National standards for banks and retailers to respond to a data breach: 30 days from the day of the breach
- Free credit scores for consumers
- Consumer Privacy Bill of Rights
  - What information is collected and what it is used for
- Student Digital Privacy Act
  - Limitations on information collected from students and then used in targeted advertising
Closing Thoughts
- Technology continues to evolve
- Every day we gather more and more data
- If there is money to be made, those seeking to obtain the data will continue to evolve
- You must have an ongoing assessment of technology and data
  - What works today may not work tomorrow
  - Must adapt to emerging technology and threats
Fred Wood, Charlotte Office, 704.384.2646, fred.wood@smithmoorelaw.com
Marc Tucker, Raleigh Office, 919.755.8713, marc.tucker@smithmoorelaw.com
Brett Hanna, Raleigh Office, 919.838.3108, brett.hanna@smithmoorelaw.com
DeeDee Lott, Compass Group
Patti Ramseur, Greensboro and Charlotte Offices, 336.378.5304 / 704.384.2654, patti.ramseur@smithmoorelaw.com