TRANSCRIPT
Kroll | Lewis Brisbois Bisgaard & Smith, LLP | March 5, 2015
ATTORNEY DIRECTED
INCIDENT RESPONSE
Jim Prendergast, Lewis Brisbois Bisgaard & Smith LLP
Tim Ryan, Kroll Cyber Investigations
Brian Lapidus, Kroll Identity Theft and Breach Notification
TODAY’S SPEAKERS
Brian Lapidus is Managing Director and Practice Leader for the Identity Theft and Breach Notification group at Kroll. Former head of Strategic Development, Brian’s extensive background in the risk consulting industry includes organizational development, business process structure and performance management programs for offices within the federal government as well as private business.
Timothy P. Ryan is Managing Director and head of Kroll’s Cyber Investigations Practice based in New York. Prior to joining Kroll, Tim was a Supervisory Special Agent with the Federal Bureau of Investigation (FBI). He is an expert in cyber-crime and has led complex investigations into corporate espionage, advanced computer intrusions, insider attacks, malware outbreaks, Internet fraud and theft of trade secrets.
Jim Prendergast is a partner in the Lewis Brisbois Philadelphia area office. Jim’s practice is focused on representing clients who have experienced a data compromise and clients with data privacy issues. Jim has represented clients with high profile, national-exposure data compromises. Jim uses the legal skills and talents he developed over the past twenty-plus years as a prosecutor and trial attorney to assist his clients.
WHY THIS MATTERS
WHAT YOU WILL LEARN
1. Important trends requiring attorney directed incident response (IR)
2. How an ‘event’ is different than an ‘incident,’ and the types of incidents we commonly investigate
3. Why attorneys should direct the incident response investigation
4. What we mean by “direct the incident response” versus “run the incident response”
5. The phases of incident response
WHAT YOU WILL LEARN
6. The three ways that companies learn of a breach
7. The attorney’s role during a cyber incident investigation
8. What attorneys should be asking during different types of incidents
9. Key attributes of a good attorney IR leader
10. Points to remember when constructing an attorney directed IR process
IMPORTANT TRENDS REQUIRING ATTORNEY DIRECTED INCIDENT RESPONSE
Plaintiff class action NOT dismissed
FTC enforcement action NOT dismissed
Victim corporation suing the card brand
TRENDS: One Breach, Six Investigations
1. Internal Investigation
2. Shareholders v. Directors and Officers
3. Card Brand v. Company
4. Federal Government v. Company
5. State Government v. Company
6. Law Enforcement v. Attacker
AN EVENT OR AN INCIDENT?
An Event:
Any observable occurrence in a system or network.
An Incident:
NIST defines as “A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”
Kroll refines to indicate that the threat involved an account or device that may have had access to PCI, PHI, PII or a specific sensitive asset.
NIST Special Publication 800-61 Computer Security Incident Handling Guide, Rev. 2.
TYPES OF INCIDENTS WE COMMONLY INVESTIGATE
Malware on endpoints, e.g. Dyre, Zeus, ransomware
Phishing attacks to obtain credentials
Lost devices
Sophisticated, persistent intrusions
Insiders stealing sensitive data (IP, PII)
Terminated employees returning to get or destroy data
Extortionate and threatening communications
ATTORNEY DIRECTED INCIDENT RESPONSE – WHY?
Litigation: Target class action
The judge denied Target’s motion to dismiss, holding that the banks had plausibly alleged that Target’s failure to detect the intrusion caused the financial institutions harm.
Regulatory action: HHS/OCR, Presbyterian Hospital & Columbia University (2014)
ePHI of approximately 6,800 individuals became accessible through internet search engines.
The OCR investigation found that the hospital had made no effort to ensure the server was secure or contained appropriate software protections; had performed no thorough risk analysis and had no risk management plan; and had failed to implement appropriate policies or to enforce those it did have in place.
$4.8 million settlement.
FTC: Wyndham Worldwide Corporation (2014). The U.S. District Court for the District of New Jersey denied Wyndham’s motion to dismiss the complaint.
The court found that the FTC had authority to bring an unfairness claim in the data security context.
The court warned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
ATTORNEY DIRECTED INCIDENT RESPONSE – WHY?
SINGLE PLAINTIFF: identity theft; privacy
GOVERNMENT ACTION: Attorney General; FTC (Wyndham); HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS)
SUBRO/INDEMNITY: contractual issues
BANKS: cost of replacing credit cards; reimbursement of fraudulent charges; business interruption
CLASS ACTION: failure to protect data; failure to properly notify; failure to mitigate; unjust enrichment; violations of consumer protection; statutory
[Slide diagram: the categories above are arranged along a time axis]
“DIRECT THE INCIDENT RESPONSE” VERSUS “RUN THE INCIDENT RESPONSE”
It is the difference between being the air traffic controller and being the pilot.
The air traffic controller has a broader view of what is happening, but the pilot is in the best position to make tactical decisions.
The attorney directs the aircraft; the technical team flies the aircraft.
NETWORK SECURITY / DATA RISK
Data Creates Duties
What data do you collect, and why?
Where is it?
How well is it protected?
Who can access it?
When do you purge it?
How do you purge it?
WHAT ARE THE MAIN RISKS U.S. COMPANIES FACE DURING A DATA BREACH?
Malicious attack: hackers in the network, malware and viruses, phishing scams, physical theft of hardware and paper; rogue employees
Employees: negligence related to use and storage of data, failure to follow or learn policies and procedures, loss of portable devices, mis-mailing of paper, unencrypted emails to the wrong recipients
Business partners: any of the above can occur at a business partner with whom data is shared
THE PHASES OF INCIDENT RESPONSE
Planning
Detection
Escalation
Containment
Reporting and Eradication
Recovery: Technical, Business, Legal
Lessons Learned Under Privilege
UNDERSTANDING THE THREE WAYS THAT COMPANIES LEARN OF A BREACH
The same way you find out that your house is on fire:
You smell smoke
Smoke detector goes off
You see fire trucks at your house when you come home from the store
In terms of cyber incidents:
User and Help Desk
Network defenders and devices
Outside party: law enforcement, banks
WHAT IS THE ATTORNEY’S ROLE DURING A CYBER INCIDENT INVESTIGATION?
INTERNAL INSURED ISSUES: internal reporting; broker involvement; SIR management
EXPERTS: breach coach; forensics; public relations
INVESTIGATION (internal / forensic / criminal): How did it happen? When did it happen? Is it still happening? Who did it happen to? What was accessed or acquired (and what wasn’t)? Was the data encrypted or otherwise protected?
NOTICE OBLIGATIONS: state; federal; other (e.g. PCI)
NOTICE METHODS: written; electronic; substitute; media
DEADLINES: can range from 48 hours to “without unreasonable delay”
INQUIRIES: state regulators (e.g. AG, PD); federal regulators (e.g. OCR); federal agencies (e.g. SEC, FTC); consumer reporting agencies; plaintiffs
WHAT ATTORNEYS SHOULD BE ASKING DURING DIFFERENT TYPES OF INCIDENTS
Is the attacker still active inside the network?
What indicators of compromise have the investigative team found?
Is evidence being preserved and examined by qualified personnel?
Is there a real or appearance of a conflict of interest when handling this internally?
Is this being kept on a need to know basis?
How are the IR Responders tracking their work?
Has this happened before?
Is the investigation truly complete or is everyone just tired?
Conduct a lessons-learned review.
KEY ATTRIBUTES OF A GOOD ATTORNEY-INCIDENT RESPONSE LEADER
Calm
Prioritizes corporate objectives over legalese
Understands their capabilities and limitations
Doesn’t pretend to be a forensic examiner unless they are
Isn’t shy about requiring IRT members to explain their findings until the attorney understands them. This prevents obscurity through complexity.
Knows that protecting the enterprise is tough stuff and doesn’t assume that if the enterprise was breached that someone inside the company must be at fault.
Understands the inherent conflicts of interest that occur during breach investigations
KEY ATTRIBUTES CONTINUED
Understands realistic timeframes for analysis of data.
Helps the IRT understand the legal complexities of situations and why some records are created and others are not.
Meets with the IRT and CISO regularly so they have a strong working relationship prior to an incident.
Understands their reporting requirements and timeframes for the different types of data and jurisdictions.
WHAT CAN BE DONE? Proactive risk manager steps
Empowered senior executive
Talk to your IT security folks. Gain an appreciation of the many challenges.
Not many firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where all this data resides; when it is purged.
Assess & test your own staff and operations
Incident response plan
Document your due care measures (training and enforcement)
Insurance
Red Flags, data security and breach response plans (affirmative duties)
Service level agreements
Repeat
POINTS TO REMEMBER WHEN CONSTRUCTING AN ATTORNEY DIRECTED IR PROCESS
Communication flow and escalation is essential.
IT will naturally try to fix things for as long as possible.
Having concrete triggers that require escalation is important.
External notification should be routed through legal counsel.
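The deck's refinement of "incident" (a violation touching an account or device that may have had access to PCI, PHI, PII or another sensitive asset) and its call for concrete escalation triggers can be turned into a small triage routine. The following is an added example, not code from Kroll or Lewis Brisbois: the data-access inventory, the sample events, the 24-hour staleness threshold and the trigger rules are all assumptions made for illustration.

```python
"""Escalation-trigger evaluator for an attorney-directed IR process.

Added example (not from the original deck). It promotes an "event" to an
"incident" when the subject account or device can reach regulated data, and
applies three concrete triggers that route the matter to counsel. Inventory,
events and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed inventory: which accounts/hosts can reach which regulated data.
# In practice this comes from the data-mapping questions the deck asks
# ("What data do you collect? Where is it? Who can access it?").
DATA_ACCESS = {
    "pos-terminal-07": {"PCI"},
    "ehr-app-server": {"PHI", "PII"},
    "hr-fileshare": {"PII"},
    "svc-backup": {"PCI", "PHI", "PII"},
    "j.doe": {"PII"},
    "kiosk-lobby": set(),
}

# The three ways the deck says companies learn of a breach.
SOURCES = {"user_helpdesk", "network_defender", "outside_party"}

# Assumed backstop: an unresolved incident older than this escalates even if
# nothing else changed, to counter "IT keeps fixing it" indefinitely.
STALE_AFTER = timedelta(hours=24)


@dataclass
class Event:
    event_id: str
    detected_at: datetime
    source: str            # one of SOURCES
    subject: str           # account or device involved
    description: str
    resolved: bool = False


@dataclass
class Triage:
    classification: str    # "event" or "incident"
    data_classes: set = field(default_factory=set)
    escalate_to_counsel: bool = False
    reasons: list = field(default_factory=list)


def triage(event: Event, now: datetime, access=DATA_ACCESS) -> Triage:
    if event.source not in SOURCES:
        raise ValueError(f"unknown source {event.source!r}")
    classes = set(access.get(event.subject, set()))
    result = Triage(classification="event", data_classes=classes)

    # Refined definition: the subject may have had access to sensitive data.
    if classes:
        result.classification = "incident"
        result.reasons.append(f"subject has access to {sorted(classes)}")

    # Trigger 1: regulated data in scope (privilege, notice deadlines,
    # card-brand and regulator inquiries all follow from this).
    if classes & {"PCI", "PHI", "PII"}:
        result.escalate_to_counsel = True
        result.reasons.append("regulated data class in scope")

    # Trigger 2: an outside party reported it; any external communication
    # must be routed through counsel, regardless of what IT has found so far.
    if event.source == "outside_party":
        result.classification = "incident"
        result.escalate_to_counsel = True
        result.reasons.append("reported by outside party")

    # Trigger 3: time-based backstop for incidents IT is still "fixing".
    if (result.classification == "incident" and not event.resolved
            and now - event.detected_at > STALE_AFTER):
        result.escalate_to_counsel = True
        result.reasons.append(f"unresolved beyond {STALE_AFTER}")

    return result


# Constructed sample events.
NOW = datetime(2015, 3, 5, 12, 0)
SAMPLE_EVENTS = [
    Event("E1", NOW - timedelta(hours=1), "network_defender", "kiosk-lobby",
          "AV alert: adware on lobby kiosk"),
    Event("E2", NOW - timedelta(hours=2), "user_helpdesk", "j.doe",
          "User reports entering credentials into a phishing page"),
    Event("E3", NOW - timedelta(hours=30), "network_defender", "pos-terminal-07",
          "Unknown process beaconing from POS terminal; IT still remediating"),
    Event("E4", NOW - timedelta(hours=3), "outside_party", "kiosk-lobby",
          "Bank reports a common-point-of-purchase fraud pattern"),
]


def triage_all(events=SAMPLE_EVENTS, now=NOW):
    """Triage every sample event; returns {event_id: Triage}."""
    return {e.event_id: triage(e, now) for e in events}


if __name__ == "__main__":
    for eid, t in triage_all().items():
        flag = "-> counsel" if t.escalate_to_counsel else ""
        print(eid, t.classification, flag, t.reasons)
```

The point of the inventory lookup is that the same alert on a lobby kiosk and on a POS terminal get different classifications without anyone having to argue about it at 2 a.m.; the outside-party and staleness triggers exist precisely because a technically minded team will otherwise keep working the problem rather than escalate.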
Thank you!