Jefferson Glassie, FASAE Whiteford, Taylor & Preston

PII = An individual's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such individual: (a) Social Security number; (b) driver's license number or state-issued identification number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual's account.

California takes that definition and adds usernames and passwords for online accounts.

Connecticut ups the ante with an expansive definition for certain categories, namely PII plus information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, a financial account number, a credit or debit card number (with or without any required security code, access code, personal identification number or password), a passport number, an alien registration number, a health insurance identification number, or unique biometric data.

Unintentional security incidents (29.4% of incidents, 2014 Verizon Report):
* HR director loses a USB drive on the metro
* Email or letter with PII sent to the wrong employee or customer
* AMS vendor forgets to deploy SSL security at the online store
* At the request of the "CEO", an employee sends the member list to a fake email address

Opportunistic insiders:
* Help desk employee gathers sensitive HR data and attempts extortion
* IT director downloads health information of 10,000+ disabled customers

Malicious outsiders:
* Laptop stolen from a car
* Hacktivist takes over website and uploads PII of 30,000 to Pirate Bay
* Fraudster uses association credentials in phishing emails to spread the Zeus botnet to more than 12 million computers
* Malware embedded in website

International law:
* EU
* Other governments' laws

U.S. federal law:
* Privacy statutes, but no broad cyber law

State laws:
* Laws that impose security requirements, such as a Written Information Security Plan/Policy
* Breach notification laws
* Retention/destruction requirements

U.S. states:
* California: expanded PII to include online user name/password
* California, New Hampshire and Oregon: new laws to protect PII of grade K-12 students held by operators of a website, online service or online/mobile app with actual knowledge that such (a) was designed and marketed for, and (b) is used primarily for K-12 school purposes. Mandates reasonable security procedures. Prohibits: (a) targeted ads when based on covered information and unique identifiers; (b) use of information to amass a profile; (c) sale, lease, rental or trade of student information
* Connecticut: expanded PII to include biometrics; 90-day notice; now mandates free ID theft protection; imposes data security requirements on insurers and contractors who receive PII from state agencies
* Massachusetts: requires a WISP
* Montana: expanded PII to include medical information and IRS numbers
* Nevada: expanded PII to include online user name/password, medical/health insurance ID and driver's authorization card
* Washington: now only 45 days to provide notice of a breach
* Wyoming: expanded PII to include online account credentials, biometric data, birth and marriage certificates, tokens used for security purposes, and tax ID numbers

* Private lawsuits (individual or class action): money damages; injunctive relief
* Government enforcement actions (e.g., State AG): civil penalties; criminal penalties; post-settlement audit obligations
* Contract enforcement actions, such as PCI card brand audits and penalties
* Business, financial and reputational risks: bad PR/damage to your brand; angry members, certificants, donors; business downtime; expert fees (legal, forensic and PR consultants); executives resign/fired

Average cost of a U.S. data security breach? It depends who you ask; for example, for 2014:
* $201/record (Ponemon Institute)
* $0.58/record (2014 Verizon Report)

Where does the money go?
* Remediation
* Cybersecurity and forensic experts
* Communications experts
* Lawyers
* Breach compliance
* Credit monitoring and other customer/member freebies
* Litigation
* Lost business

Top Five Lessons Learned
Know Thyself (due diligence)
* Take a "selfie" audit: data, records, IP and systems
* Map and classify data
* Physical, technical and administrative safeguards
* Treat customer/member/donor data as both an asset AND a liability
* Draft and implement a WISP
* Practice an Incident Response Plan (IRP)
* Comply with applicable state, federal and foreign laws
* Train employees
* Periodically REPEAT the above steps

Top Five Lessons Learned
Complete C-level buy-in is a fundamental requirement.
Need to work in multi-disciplinary teams:
* Lawyers who understand data security
* CTO and other C-level execs
* Consultants who specialize in cybersecurity
Internal IT teams are sometimes not equipped to handle cybersecurity.
"The common denominator across the top four [attack] patterns accounting for nearly 90% of all incidents is people." (2014 Verizon Report)

Top Five Lessons Learned
* 63% of breaches linked to a third-party component of IT system administration (2013 Trustwave Global Security Report on 450 global data breach investigations)
* Vendors increase the cyber attack surface, and make mistakes
* Some vendors need or are given privileged access
* State (e.g., Massachusetts and Maryland) and federal (e.g., HIPAA and GLBA) laws require organizations to flow down data security requirements to vendors
* Include requirements in vendor contracts

Top Five Lessons Learned
* Choose a security standard and get audited by a credentialed 3rd party: SOC 2 Type II or SOC 3; FISMA
* Ensure that your overall security framework is consistent with the NIST Cyber Framework: Identify, Protect, Detect, Respond, Recover
* Security as an afterthought is a mistake; in fact, security can be a differentiating business factor
* Critical to successful defense of claims of negligence, unfair/deceptive trade practices or noncompliance

Top Five Lessons Learned
* Insurance can be an important risk mitigation tool
* But policies require very careful scrutiny
* Should have coverage for breach of privacy claims
* And also first-party costs of addressing the breach

Implement Incident Response Plan (an "IRP")
* Make an initial assessment of nature (accidental, internal or external?), source (point of origin), affected resources (what and whose data and/or systems are at risk?), severity (how sensitive are the data/systems?) and scope (are vendors, donors or customers involved?)
* Communicate the incident to:
   o previously established, internal, multi-disciplinary IR team
   o insurer
* Engage an independent third-party forensic expert to:
   o identify nature, source, affected resources and scope with particularity
   o contain damage and minimize further risk (if possible, without alerting the attacker)
   o protect and preserve evidence
   o recover data and systems
   o act as expert witness, if needed

Implement Incident Response Plan (cont.)
* Work with legal counsel to:
   o hire the forensic expert (to protect communications as privileged)
   o review applicable laws and contracts, and determine notice duties (to affected individuals, banks and other vendors, and state/federal agencies)
   o draft and review notices/communications with internal parties and third parties
* Conduct a post-incident review and implement needed changes/updates

* This is an area that must be addressed in advance
* Plan to Fail Well!

Jeff Glassie, Partner, Whiteford, Taylor & Preston
jglassie@wtplaw.com
202-689-3156