Jefferson Glassie, FASAE
Whiteford, Taylor & Preston
PII = An individual's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such individual:
(a) Social Security number;
(b) driver's license number or state-issued identification number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual's account.

California takes that definition and adds usernames and passwords for online accounts.

Connecticut ups the ante with an expansive definition for certain categories, namely PII + information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, a financial account number, a credit or debit card number (with or without any required security code, access code, personal identification number or password), a passport number, an alien registration number, a health insurance identification number, or unique biometric data.
Unintentional security incidents (29.4% of incidents, 2014 Verizon Report):
* HR director loses a USB drive on the metro
* Email or letter with PII sent to the wrong employee or customer
* AMS vendor forgets to deploy SSL security at online store
* At request of CEO, employee gives member list to fake email

Opportunistic insiders:
* Help desk employee gathers sensitive HR data + attempts extortion
* IT director downloads health information of 10,000+ disabled customers

Malicious outsiders:
* Laptop stolen from car
* Hacktivist takes over website + uploads PII of 30,000 to Pirate Bay
* Fraudster uses association credentials in phishing emails to spread Zeus botnet to more than 12 million computers
* Malware embedded in website
International Law
* EU
* Other government laws

U.S. Federal Law
* Privacy statutes, but no broad cyber law

State Laws
* Laws that impose security requirements, such as a Written Information Security Plan/Policy
* Breach notification laws
* Retention/destruction requirements
U.S. States:
* California: expanded PII to include online user name/password
* California, NH + Oregon: new laws to protect PII of Grade K to 12 students by operators of a website, online service or online/mobile app with actual knowledge that such (a) was designed + marketed for, and (b) is used primarily for K-12 school purposes
  o Mandates reasonable security procedures
  o Prohibits: (a) targeted ads when based on Covered Info + unique identifiers; (b) use of info. to amass a profile; (c) sale, lease, rent or trade of student info.
* Connecticut: expanded PII to include biometrics; 90-day notice; now mandates free ID theft protection; imposes data security requirements on insurers + contractors who receive PII from state agencies
* Massachusetts: requires a WISP
* Montana: expanded PII to include medical info. and IRS numbers
* Nevada: expanded PII to include online user name/password, medical/health insurance ID + driver's authorization card
* Washington: now only 45 days to provide notice of a breach
* Wyoming: expanded PII to include online account credentials, biometric data, birth and marriage certificates, tokens used for security purposes, tax ID numbers
Private Lawsuits (individual or class action)
* Money damages
* Injunctive relief

Government Enforcement Actions (e.g., State AG)
* Civil penalties
* Criminal penalties
* Post-settlement audit obligations

Contract Enforcement Actions, such as PCI card brand audits + penalties

Business, Financial and Reputational Risks
* Bad PR / damage to your brand
* Angry members, certificants, donors
* Business downtime
* Expert fees: legal, forensic + PR consultants
* Executives resign/fired
Average cost of a U.S. data security breach? Depends who you ask; for example, for 2014:
* $201/record (Ponemon Institute)
* $0.58/record (2014 Verizon Report)

Where does the money go?
* Remediation
* Cybersecurity + forensic experts
* Communications experts
* Lawyers
* Breach compliance
* Credit monitoring + other customer/member freebies
* Litigation
* Lost business
Top Five Lessons Learned

Know Thyself (due diligence)
* Take a "selfie" audit: data, records, IP and systems
* Map + classify data
* Physical, technical + administrative safeguards
* Treat customer/member/donor data as both an asset AND a liability
* Draft + implement a WISP
* Practice an Incident Response Plan, or IRP
* Comply with applicable state, federal and foreign laws
* Train employees
* Periodically REPEAT the above steps
Top Five Lessons Learned

Complete C-level buy-in is a fundamental requirement.

Need to work in multi-disciplinary teams:
* Lawyers who understand data security
* CTO and other C-level execs
* Consultants who specialize in cybersecurity

Internal IT teams are sometimes not equipped to handle cybersecurity.

"The common denominator across the top four [attack] patterns accounting for nearly 90% of all incidents is people." (2014 Verizon report)
Top Five Lessons Learned

* 63% of breaches linked to a third-party component of IT system administration (2013 Trustwave Global Security Report on 450 global data breach investigations)
* Vendors increase the cyber attack surface, and make mistakes
* Some vendors need or are given privileged access
* State (e.g., Mass. + Maryland) and federal (e.g., HIPAA + GLBA) laws require organizations to flow down data security requirements to vendors
* Include requirements in vendor contracts
Top Five Lessons Learned

* Choose a security standard and get audited by a credentialed 3rd party:
  o SOC 2, Type II or SOC 3
  o FISMA
* Ensure that your overall security framework is consistent with the NIST Cyber Framework: Identify, Protect, Detect, Respond, Recover
* Security as an afterthought is a mistake; in fact, security can be a differentiating business factor
* Critical to successful defense of claims of negligence, unfair/deceptive trade practices or noncompliance
Top Five Lessons Learned

* Insurance can be an important risk mitigation tool
* But policies require very careful scrutiny
* Should have coverage for breach of privacy claims
* And also first-party costs of addressing a breach
Implement Incident Response Plan (an "IRP")
* Make initial assessment of:
  o nature (accidental, internal or external?)
  o source (point of origin)
  o affected resources (what + whose data and/or systems are at risk?)
  o severity (how sensitive are the data/systems?)
  o scope (are vendors, donors or customers involved?)
* Communicate incident to:
  o previously-established, internal, multi-disciplinary IR team
  o insurer
* Engage independent third-party forensic expert to:
  o Identify nature, source, affected resources + scope with particularity
  o Contain damage + minimize further risk (if possible, without alerting attacker)
  o Protect + preserve evidence
  o Recover data and systems
  o Act as expert witness, if needed
Implement Incident Response Plan (cont.)
* Work with legal counsel to:
  o Hire the forensic expert (to protect communications as privileged)
  o Review applicable laws + contracts, and determine notice duties (to affected individuals, banks and other vendors, and state/federal agencies)
  o Draft + review notices/communications with internal parties + third parties
* Conduct a post-incident review + implement needed changes/updates
* This is an area that must be addressed in advance
* Plan to Fail Well!
Jeff Glassie
Partner, Whiteford, Taylor & Preston
jglassie@wtplaw.com
202-689-3156