The Practical Realities of Cybersecurity
Best practices for crafting policies and procedures to protect your company

Andrew Morentz, Member
Telecommunications Law Professionals PLLC
Email: amorentz@telecomlawpros.com
Phone: (202) 789-3115

*This presentation is not intended to be, nor does it constitute, legal advice to you, and is intended only as an informational presentation of current issues and best practices. Should you have specific questions that require legal advice, please contact an attorney.
Intro to Cybersecurity: Where do the risks arise?

Cybersecurity is not simply having a password on your company email account; it involves a number of data breach risks, including:
- Active hacking or outside attacks. According to a 2013 Center for International & Strategic Studies report:
  - 90% of successful attacks required only the most basic techniques
  - 85% of breaches took months to be detected (5 months on average)
  - 96% of successful attacks could have been avoided with simple or intermediate cybersecurity protocols
- Insecure disposal of documents, computers or electronics
- Point-of-sale security, including employee theft of consumer data
- Email security, either hacked servers or accidentally mis-routed emails
- A simple "Whoops!": lost/stolen laptops, tablets, hard drives, devices, etc.
- Malware downloaded through the Internet
- Employee sharing of protected information over social media
- Vulnerabilities from a third-party vendor or cloud computing provider, for all of the exact same reasons listed above
Intro to Cybersecurity: Where do the risks arise?

Risks also arise from not fully understanding cybersecurity weaknesses and prevention best practices
- For example, CSIS estimates that 75% of attacks use publicly-known vulnerabilities in commercial software, attacks that could be prevented by regularly patching and updating software
- Another study found that antivirus software missed as much as 95% of malware within a few days of its introduction when the antivirus software itself was not kept updated

Many companies also have an incomplete understanding of what constitutes an effective cybersecurity program
- 45% of companies surveyed believed they employed adequate protections, while a follow-on review showed that only 10% were actually doing so
- Only 50% of companies use automated intrusion detection tools
- Only 33% of companies use robust identity and account management systems
Beyond the Politics: Why should cybersecurity matter to me?

Most industry stakeholders are well aware of the current debates raging on in Congress and in administrative agencies, including at the FCC
- What constitutes critical infrastructure? Are communications networks included?
- FCC cybersecurity interest
- Executive Order on cybersecurity

Political and policy debates are interesting and important, but provide few near-term incentives for companies to act

Beneath the high-level debates lies the practical reality: cybersecurity risks exist, and laws and regulations, at both the state and federal level, are being enforced against companies right now. Companies should be aware of the laws as they exist today, and would be well-served to have comprehensive policies in place to protect against cybersecurity risks
Beyond the Politics: Why does cybersecurity matter to me?

Federal Agencies Have Been Active in Cybersecurity Issues

FCC
- An FCC working group recently issued a report on how the NSA's cybersecurity controls should apply to communications companies, but could not reach consensus; however, the FCC remains actively engaged
- Customer Proprietary Network Information (CPNI)
- Telephone Consumer Protection Act (TCPA)

FTC
- Has brought enforcement actions over cybersecurity breaches using its authority to regulate unfair or deceptive trade practices under Section 5 of the FTC Act
- Most investigations end in consent decrees that require the adoption of expansive cybersecurity policies
- These consent decrees can last as long as twenty years (see In re: HTC America, Inc.)
- The FTC's authority to bring such actions is currently subject to challenge (FTC v. Wyndham Worldwide Corporation, et al.; motion to dismiss briefed in June with oral argument requested)
Beyond the Politics: Why does cybersecurity matter to me?

Federal Agencies (cont.)

SEC
- Issued non-binding guidance in October 2011
- Detailed six areas where reporting of cybersecurity risks and incidents may be appropriate in SEC filings
- Companies have taken varied approaches to risk and incident reporting
- Although this is SEC guidance only, it demonstrates that the agency is engaged
- Senator Rockefeller sent a letter in May 2013 urging the SEC to update its cybersecurity guidance, and the SEC is considering the request

HHS
- HHS has been active in enforcement actions for the release of health-related information under its HIPAA authority
- Less important for communications providers, but displays the general federal government trend of engagement and enforcement
Beyond the Politics: Why does cybersecurity matter to me?

State Agencies and Attorneys General

State Notification Requirements
- States require varying degrees of notice regarding the intentional or unintentional release of Personal Identifying Information ("PII")
- Under most state laws, PII usually includes:
  - Social security number
  - Driver's license number
  - Financial account or credit card number
- However, under some broader state laws PII can also include:
  - Email address
  - Any information allowing access to financial resources
  - Certain health information
- The wide-ranging Massachusetts law (201 CMR 17.00) requires compliance if a company is storing PII of even one Massachusetts resident!
- Companies should be aware of the laws for each state in which they operate or have customers
Beyond the Politics: Why does cybersecurity matter to me?

Civil Litigation
- Plaintiffs have been successful at bringing claims for statutory damages against companies under federal and state cybersecurity statutes, including:
  - Telephone Consumer Protection Act
  - Electronic Communications Privacy Act
  - Video Privacy Protection Act
  - Children's Online Privacy Protection Act

Class Action Litigation
- There has also been a rise in class action litigation against companies by groups of plaintiffs seeking to recover for alleged data breaches and violation of alleged consumer privacy rights
  - Resnick, et al. v. AvMed, Inc.
  - In re: Sony Gaming Networks and Customer Data Security Breach Litigation
OK, I get that it's scary out there. How do I manage my risk?

Risk Mitigation Techniques
- Training, training, training. Social engineering (the process of manipulating individuals into downloading malware or providing security information) can often foil even the most robust IT security system. Train your employees regularly on how to spot these phishing-type scams, and ensure that they understand your core security principles
- Use application whitelisting for your networks to prevent unapproved programs from being downloaded and installed
  - Eliminates the cat-and-mouse game of identifying malware
- Frequently patch operating systems and the most commonly used programs, like Adobe, MS Office and web browsers, to mitigate security weaknesses
- Minimize the number of users with admin privileges
- Use traceable user accounts for all employees, and regularly monitor network use logs
- Limit the ability of employees to access or alter networks to a need-only basis
- Use best practices for passwords and user authentication
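Three of the controls on this slide (few admin accounts, traceable per-person accounts, and regular review of usage logs) are easy to state and easy to let drift. The script below is an added example, not part of the deck or the author's materials, showing what a periodic access review looks like in practice: it takes an account inventory and a handful of authentication log lines (both constructed here, with hypothetical login names and a made-up host) and reports admin accounts, shared logins that cannot be attributed to one employee, dormant accounts, repeated failed logins, and root-level sudo use by accounts the inventory does not list as administrators. The log line formats are modelled on OpenSSH and sudo syslog output; the inventory fields and thresholds are assumptions for the example.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed account inventory (hypothetical names). owner=None marks a
# shared or generic login that cannot be traced back to one employee.
ACCOUNTS = [
    {"login": "jdoe",     "owner": "J. Doe",   "admin": False, "last_login": "2013-09-10"},
    {"login": "asmith",   "owner": "A. Smith", "admin": True,  "last_login": "2013-09-11"},
    {"login": "bwong",    "owner": "B. Wong",  "admin": True,  "last_login": "2013-04-02"},
    {"login": "helpdesk", "owner": None,       "admin": False, "last_login": "2013-09-10"},
    {"login": "admin",    "owner": None,       "admin": True,  "last_login": "2013-09-12"},
]

# Constructed sshd/sudo-style log lines (not taken from any real system).
AUTH_LOG = """\
Sep 10 08:01:12 fileserver sshd[1201]: Accepted password for jdoe from 10.0.0.15 port 51022 ssh2
Sep 10 08:05:40 fileserver sshd[1210]: Accepted password for helpdesk from 10.0.0.33 port 51100 ssh2
Sep 10 08:07:02 fileserver sshd[1220]: Failed password for admin from 10.0.0.90 port 51200 ssh2
Sep 10 08:07:05 fileserver sshd[1221]: Failed password for admin from 10.0.0.90 port 51201 ssh2
Sep 10 08:07:09 fileserver sshd[1222]: Failed password for admin from 10.0.0.90 port 51202 ssh2
Sep 10 08:07:14 fileserver sshd[1223]: Accepted password for admin from 10.0.0.90 port 51203 ssh2
Sep 11 09:14:11 fileserver sudo:    jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Sep 11 09:20:30 fileserver sshd[1300]: Accepted publickey for asmith from 10.0.0.21 port 52000 ssh2
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_line(line):
    """Return a small event dict for a line we understand, else None."""
    m = SSH_RE.search(line)
    if m:
        return {"kind": "login", "ok": m.group(1) == "Accepted",
                "user": m.group("user"), "src": m.group("src")}
    m = SUDO_RE.search(line)
    if m:
        return {"kind": "sudo", "ok": True, "user": m.group("user"),
                "target": m.group("target"), "cmd": m.group("cmd")}
    return None


def review_accounts(accounts, today, dormant_days=90):
    """Inventory-level checks: who is admin, which logins are shared
    (untraceable), and which have not been used within dormant_days."""
    cutoff = today - timedelta(days=dormant_days)
    return {
        "admins": [a["login"] for a in accounts if a["admin"]],
        "shared": [a["login"] for a in accounts if a["owner"] is None],
        "dormant": [a["login"] for a in accounts
                    if date.fromisoformat(a["last_login"]) < cutoff],
    }


def review_logs(log_text, accounts, failed_threshold=3):
    """Log-level checks tied back to the inventory: successful activity on
    shared accounts (cannot be attributed to a person), repeated failed
    logins per account, and root-level sudo by accounts not listed as admin."""
    by_login = {a["login"]: a for a in accounts}
    failed = Counter()
    untraceable, unexpected_priv = [], []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        acct = by_login.get(ev["user"])
        if ev["kind"] == "login" and not ev["ok"]:
            failed[ev["user"]] += 1
        if ev["ok"] and acct is not None and acct["owner"] is None:
            untraceable.append((ev["user"], line.strip()))
        if ev["kind"] == "sudo" and ev["target"] == "root" and (acct is None or not acct["admin"]):
            unexpected_priv.append((ev["user"], ev["cmd"]))
    return {
        "untraceable_events": untraceable,
        "repeated_failures": {u: n for u, n in failed.items() if n >= failed_threshold},
        "unexpected_privilege": unexpected_priv,
    }


def run_review(today_iso="2013-09-12"):
    """Run both reviews over the constructed data; returns (account, log) findings."""
    today = date.fromisoformat(today_iso)
    return review_accounts(ACCOUNTS, today), review_logs(AUTH_LOG, ACCOUNTS)


if __name__ == "__main__":
    for findings in run_review():
        for name, value in findings.items():
            print(f"{name}: {value}")
```

Each finding maps to a policy action rather than a technical fix: a shared login showing up in the log means the activity cannot be attributed to anyone, an account that used root privileges without being on the admin list means the inventory and reality have diverged, and a dormant admin account is the first thing to remove when trimming privileges.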
OK, I get that it's scary out there. How do I manage my risk?

Risk Mitigation Techniques (cont.)
- Manage third-party vendor risk by:
  - Having strong due diligence procedures in place
  - Generating protocols for routine monitoring and auditing of third parties
  - Obtaining insurance against vendor liabilities
- Run regular cybersecurity event simulations
  - If the practice becomes routine, your employees will be ready if and when a breach takes place
- Secure all of your networks, including WiFi networks and devices on mobile networks, and implement internal network controls, such as firewalls
- Maintain stringent physical access controls to electronic resources and data centers
Cybersecurity Best Practices: How does my policy stack up?

Do you have a comprehensive plan in place?
- This is the most important question to ask yourself
- Many companies have a series of varied and individual (and sometimes conflicting!) policies and procedures for IT and data security
- Make sure that you have a comprehensive, documented plan in place, or an overarching and easily-accessible policy that brings together and references all cybersecurity policies from across your company in a consistent manner

What does a top-notch cybersecurity policy look like?
- While all cybersecurity policies will have some, if not many, elements in common, the first and most important step is to conduct an inventory of your business
  - What type or types of data do you handle?
  - Is some or all of the data you handle covered by statute?
  - How is your data managed and protected?
  - Who has access to the data, when and how?
- Answering these high-level questions will provide you with the tent poles for the cybersecurity policy that will best fit your company
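The first two inventory questions ("what data do you handle?" and "is it covered by statute?") can be partly answered by scanning the data itself rather than trusting column names, because PII tends to leak into free-text fields. The script below is an added example, not from the deck or its author, that sorts constructed customer records into the two PII tiers the state notification slide describes: the narrow set most states use (social security, driver's license, financial account or card number) and the broader set some states add (email address, financial access information, health information), and flags the Massachusetts trigger from that slide (PII of even one Massachusetts resident). It uses the deck's categories as a sorting scheme only; the column-name hints, the record layout and the sample values are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Content detectors: catch an SSN, card number or email wherever it appears,
# including inside a "notes" field where no schema would predict it.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Column-name hints for categories that have no reliable textual shape
# (assumed names for this example).
COLUMN_CATEGORIES = {
    "drivers_license": "drivers_license",
    "account_number": "financial_account",
    "banking_password": "financial_access",
    "diagnosis": "health",
}

# The two tiers as the deck describes them.
NARROW = {"ssn", "drivers_license", "financial_account", "card_number"}
BROAD = {"email", "financial_access", "health"}

# Constructed records; the SSN and card values are well-known test values.
RECORDS = [
    {"name": "Customer A", "state": "MA", "notes": "SSN on file: 123-45-6789", "email": ""},
    {"name": "Customer B", "state": "NY", "card_on_file": "4111 1111 1111 1111"},
    {"name": "Customer C", "state": "CA", "email": "c@example.com"},
    {"name": "Customer D", "state": "MA", "order_ref": "1234567890123456"},
    {"name": "Customer E", "state": "TX", "diagnosis": "seasonal allergies"},
]


def luhn_ok(digits):
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_record(rec):
    """Return the set of PII categories found in one record (column -> value)."""
    found = set()
    for col, val in rec.items():
        text = str(val)
        if SSN_RE.search(text):
            found.add("ssn")
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found.add("card_number")
        if EMAIL_RE.search(text):
            found.add("email")
        if col in COLUMN_CATEGORIES and text.strip():
            found.add(COLUMN_CATEGORIES[col])
    return found


def tier(found):
    """Narrow beats broad: a record with an SSN is narrow even if it also has an email."""
    if found & NARROW:
        return "narrow"
    if found & BROAD:
        return "broad"
    return "none"


def inventory(records):
    """Dataset-level summary: counts per tier, categories seen, and whether any
    Massachusetts resident's record carries PII."""
    summary = {"narrow": 0, "broad": 0, "none": 0,
               "ma_resident_with_pii": False, "categories": Counter()}
    for rec in records:
        found = classify_record(rec)
        t = tier(found)
        summary[t] += 1
        summary["categories"].update(found)
        if t != "none" and rec.get("state") == "MA":
            summary["ma_resident_with_pii"] = True
    return summary


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["name"], tier(classify_record(rec)), sorted(classify_record(rec)))
    print(inventory(RECORDS))
```

Customer D shows why the Luhn check matters: a 16-digit order reference is not a card number, and a scanner that flags every long digit string will bury real findings in noise. Customer A shows the opposite failure, an SSN sitting in a free-text "notes" column that a schema review would never surface.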
Cybersecurity Best Practices: How does my policy stack up?

What does a top-notch cybersecurity policy look like? (cont.)
- Once you have conducted an inventory of your business and determined the cybersecurity risks that you face, the next step is to implement policies to mitigate those risks
- A robust cybersecurity plan will typically include:
  - Privacy and data security policies
    - Identify the data you collect
    - Who has access? How is it secured?
    - Procedures to protect against internal and external scams and fraud
  - Network security
    - External and internal networks
    - Inward- and outward-facing website security
    - Email security
  - Mobile device security
    - Keeping mobile devices free of malware
    - What happens when your employee loses a device?
Cybersecurity Best Practices: How does my policy stack up?

What does a top-notch cybersecurity policy look like? (cont.)
- Physical and operational security
  - Securing access to sites where data is stored
  - Assess the information that cyber criminals may be able to obtain about the location of your data and your security protocols
- Protect payment information
  - At the point-of-sale, whether in person or online
  - Develop policies restricting access to payment information
- Thoroughly vet all employees and vendors
  - Standardize the employee and vendor due diligence process
- Employ regular testing and auditing procedures
- Develop incident response and reporting protocols
  - Establish clear roles and responsibilities for employees at all levels
  - Have clear points of contact and guidelines to ensure seamless cross-group collaboration during cybersecurity incidents
  - Conduct a post-mortem meeting to learn from each incident
Cybersecurity Best Practices: How does my policy stack up?

Run regular simulations to test your policies in action
- Regular cybersecurity incident simulations allow you to find any break points in your policies before an incident occurs
- In the event that a true threat is identified and classified, employees will know who to contact, and teams will already be in place
- Employees will become familiar with the process, and muscle memory will kick in during the chaos of a real cybersecurity incident
- Document the results of these simulations for discussion and study on how to improve your cybersecurity incident response

Back up your data
- The simple step of backing up important data in a segregated area will allow your company to restore operations quickly in the event of critical data loss

Engage in continuous risk monitoring
- Use automated dynamic monitoring technologies to analyze and mitigate risks in real time
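A backup only restores operations if what comes back is what went in, so a backup policy is incomplete without a restore test. The script below is an added example, not from the deck or its author, of the minimum such a test needs: record a manifest of file digests at backup time, store it alongside the backup in the segregated area the slide recommends, and after a restore compare the restored tree against it to report files that are missing, altered, or unexpected. The file names, contents and the simulated damaged restore are all constructed in a temporary directory for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    All three lists empty means the restore is complete and intact."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up three files, then check one faithful
    restore and one in which a file is missing and another came back altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "live")
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Customer A\n")
        (src / "ledger.db").write_bytes(b"\x00\x01\x02ledger")
        (src / "policies").mkdir()
        (src / "policies" / "ir-plan.txt").write_text("incident response plan v3\n")

        manifest = build_manifest(src)
        # This JSON is what you would store with the backup, separate from the live system.
        manifest_json = json.dumps(manifest, indent=1)

        good = Path(tmp, "restore-good")
        shutil.copytree(src, good)
        clean = verify_restore(json.loads(manifest_json), good)

        bad = Path(tmp, "restore-bad")
        shutil.copytree(src, bad)
        (bad / "ledger.db").unlink()                                   # lost in transit
        (bad / "customers.csv").write_text("id,name\n1,Customer Z\n")  # silently altered
        damaged = verify_restore(json.loads(manifest_json), bad)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("faithful restore:", clean)
    print("damaged restore: ", damaged)
```

Keeping the manifest with the backup rather than on the live system is the point of the segregation the slide describes: if the live copy is lost or tampered with, the manifest still tells you whether the restore can be trusted, and running this comparison as part of each simulation turns "we have backups" into "we have tested that we can restore".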
Where do I go from here?
- Take stock of your current policies
- Develop any missing policies or protocols
- Ensure cohesiveness of all interlocking policies
- Run a cybersecurity incident simulation
- Analyze any weaknesses and improve
Questions?

I am glad to answer any questions about how you can make your cybersecurity policies work for you and for your company

Contact information:
Andrew Morentz
Telecommunications Law Professionals PLLC
Email: amorentz@telecomlawpros.com
Phone: (202) 789-3115