
Page 1: CURRENT RISKS IN CYBERSECURITY – PROTECT THE VALUE OF … · Purports to cover any organization holding personal data of an “EU Data Subject” Requires affirmative consent to

www.bgdlegal.com

CURRENT RISKS IN CYBERSECURITY – PROTECT THE VALUE OF YOUR DATA

John McCauley, Partner, CIPP/US/E

January 9, 2019

Page 2:

Protect Your Data From

• Regulatory penalties
• Third-party vendors
• Contractual disputes
• Cyberattacks
• Inadvertent breach

Page 3:

US DATA PRIVACY REGIMES: The “Sectoral” Approach to Privacy

• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Federal Trade Commission enforcement
• Children’s Online Privacy Protection Act (COPPA)
• Contract law/self-regulation (e.g., PCI-DSS)
• State breach notification laws
• State privacy laws (e.g., Illinois Biometric Information Privacy Act (BIPA), California Consumer Privacy Act)
• Tort law/common law

Page 4:

GENERAL DATA PROTECTION REGULATION: The “Omnibus” Approach to Privacy

• Purports to cover any organization holding personal data of an “EU data subject,” wherever the organization is located
• Requires a lawful basis for data processing; in many cases that means affirmative consent
• Requires Data Protection Impact Assessments for high-risk processing, including many new products and services
• Requires written agreements between all parties sharing data (controllers and processors)
• Mandates a “right to erasure”
• 72-hour breach notification rule (to the supervisory authority, after becoming aware of a breach)
• Penalties up to €20 million or 4% of global annual revenue, whichever is higher

Page 5:

RECENT DEVELOPMENTS

California Consumer Privacy Act
• GDPR-like
• Consumers may demand deletion of their data
• Consumers must be given the right to opt out of the sale of their personal data
• Statutory damages for a breach ($100-$750 per consumer per incident)
• Applies to companies with more than $25 million in annual revenue or holding the personal information of more than 50,000 consumers
• Effective January 1, 2020

State attorneys general actions

Federal legislation


Page 9:

THIRD-PARTY MANAGEMENT

• Data is shared between companies according to contracts
• Contract disputes lead to litigation or settlements
• Data licenses will outline permissible and impermissible use
• Recent trends:
  • Sweeping indemnification provisions
  • Disgorgement of profits
  • Ownership interest in the product
  • Enforcement of auditing provisions

Page 10:

Cyber-Crime Trends

“Amateurs hack computers, professionals hack people.”

- Some Hacker

Page 11:

The Year of the Breach

Page 12:

Visualized Breaches

Page 13:

WHAT IS THE WEAKEST LINK IN OUR CYBERSECURITY?

1) Hackers?
2) Old equipment?
3) Software vulnerabilities?
4) The Internet?
5) Employees?


Page 16:

EMPLOYEES, EMPLOYEES, EMPLOYEES

The very weakest link is employees. 93% of security incidents involve some type of employee lack of awareness.

• Sharing credentials
• Shoulder surfing
• Dual-use and shared devices
• Lost or stolen devices
• Infected home computers
• Public Wi-Fi
• Mouse jacking (hijacking the radio link of a wireless mouse or keyboard dongle to inject keystrokes)
• Juice jacking (a tampered public USB charging port or cable that reads data from, or installs malware on, the connected device)

Page 17:

MUST TRAIN ON SECURITY AWARENESS BECAUSE . . .

• Anti-virus and anti-malware are only about 70% effective because of the rate at which new malware is developed: roughly one million new strains every day.
• Signature-based programs cannot identify a new strain until they have a signature for it, so unknown malware passes through unrecognized.

Page 18:

Malicious Insiders

Page 19:

INSIDER THREAT VECTOR

• Most cybersecurity focuses on external threats: it is perimeter focused
• Insiders include disgruntled employees, former employees, and clueless employees
• 4 methods to control insider attacks:
  • Security awareness training
  • Network monitoring
  • Access control management
  • Honey pots

Page 20:

HOW DO WE PROTECT INFORMATION?

Threat vectors:
• Phishing, spear phishing, whaling attacks
• Ransomware
• Social media
• Watering-hole and drive-by attacks
• Social engineering

Discovery delays:
• Average of 205 days from security incident to discovery
• About 70% of the time the security incident is discovered by somebody else (an outside party), not the victim


Page 22:

PREVENTION METHODS

• Effective password policies
• Encryption
• Two-factor authentication
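The following is an added worked example, not code from the presentation or from the presenter's firm, showing two of the prevention methods above in working Python: a password policy check with scrypt-based storage (so a stolen database does not yield passwords), and RFC 6238 TOTP code verification as used by authenticator-app two-factor authentication. The breached-password list, the 12-character minimum, and the function names are assumptions chosen for illustration; the secret in the usage section is the RFC 6238 test secret.

```python
# Added example, not from the slides: password policy + scrypt storage + RFC 6238 TOTP.
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

# Constructed stand-in for a breached-password corpus (assumption; use a real list).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12          # assumed policy value
TOTP_STEP = 30           # seconds per TOTP time step (RFC 6238 default)


def check_password_policy(password: str) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store a random salt and a memory-hard scrypt digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, timestamp: int | None = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    ts = int(time.time()) if timestamp is None else timestamp
    return hotp(secret, ts // TOTP_STEP)


def verify_totp(secret: bytes, code: str, timestamp: int | None = None, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock skew."""
    ts = int(time.time()) if timestamp is None else timestamp
    return any(hmac.compare_digest(totp(secret, ts + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 6238 SHA-1 test secret
    print(check_password_policy("Password"))       # policy violations
    print(totp(rfc_secret, 59))                    # RFC vector: "287082"
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))
```

verify_totp accepts one step of clock drift on either side; widen the window only deliberately, since each extra step multiplies an attacker's guessing budget, and rate-limit attempts regardless. Only the salt and the scrypt digest are stored, and both comparisons use hmac.compare_digest so response timing does not leak how many bytes matched.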

Page 23:

ADDITIONAL PROTECTION STEPS

• Whitelisting
• Minimizing permissions
• Least privilege
• Account separation
• Patch management
• Watch your data flow
• Conduct periodic risk assessments
• Policy reviews
• Penetration testing

Page 24:

Ransomware

Page 25:

Ransomware

• Use regular, out-of-band backups (kept offline or otherwise unreachable from the network the ransomware can encrypt), and test that they restore.
• Do not open email messages or attachments from unknown individuals.
• Implement technical safeguards.

Page 26:

SCAREWARE

• Lures the user onto malware-infested sites.
• Pop-ups appear to be legitimate warnings from anti-virus software companies and claim your computer has been infected.
• Users are frightened into paying a fee to purchase software to fix the problem.
• In fact, the user is downloading fake anti-virus software, which is really malware.
• Scammers are also perpetrating this by phone.

Page 27:

LET’S GO PHISHING

Page 28:

PHISHING – DON’T GET HOOKED

Phishing is an attack that tricks you into opening a link or attachment.

Merely reading an e-mail will usually not trigger an attack; you have to perform some type of action, such as clicking a link, opening an attachment, or entering credentials on the page it leads to.

Most commonly impersonated in phishing attacks:
#1 -- LinkedIn
#2 -- Bank accounts/credit card companies
#3 -- Amazon

Page 29:

COMMON SIGNS OF PHISHING

• The email demands immediate action before something happens, like closing your account or subjecting you to fines.
• You receive an email that entices you to open an attachment, such as a letter from the IRS threatening prosecution or details of unannounced layoffs at your company.
• The email is supposedly coming from an official organization but uses a personal email address such as @yahoo.com or @gmail.com.
• The email, which is supposed to be from a business or government organization, contains spelling errors or bad grammar.
• The link in the email appears to take you to another site not connected to the organization.
• You receive a message from someone you know, but it does not sound like them and contains a strange link.
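As an added example (not part of the original slides), the following Python checks a message for three of the signs above: urgent-action language, an "official" sender writing from a free-mail domain or from a domain other than the organization's, and a link that leads somewhere unconnected to the organization or whose visible text shows a different site than its real destination. The sample messages, the domain examplebank.com, the free-mail list, the urgency phrases and the function names are all constructed for illustration; a production filter would use a public-suffix list rather than the two-label domain approximation used here.

```python
# Added example, not from the slides: scoring an email against common phishing signs.
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for illustration; tune for a real deployment.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|account will be (closed|suspended)|final notice)\b", re.I)
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); a real filter uses the PSL."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_email: str, claimed_org_domain: str) -> list[str]:
    """Return the phishing signs found when the mail claims to come from claimed_org_domain."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    findings: list[str] = []

    # Sign: an "official" organization writing from a personal/free mailbox or a foreign domain.
    if sender_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free-mail domain {sender_domain}")
    elif registrable(sender_domain) != registrable(claimed_org_domain):
        findings.append(f"sender domain {sender_domain!r} does not match {claimed_org_domain}")

    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")

    # Sign: demands immediate action under threat of account closure, fines, etc.
    if URGENCY.search(body):
        findings.append("urgent-action language in body")

    # Sign: a link not connected to the organization, or link text that shows
    # one site while the href points to another.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != registrable(claimed_org_domain):
            findings.append(f"link to {host} is not under {claimed_org_domain}")
        if DOMAIN_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample messages (not real mail).
PHISH_EMAIL = """From: "Example Bank Security" <security.alerts@gmail.com>
To: customer@example.org
Subject: Action required
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify now.</p>
<p><a href="http://login.examplebank.support/verify">https://www.examplebank.com/login</a></p>
"""

CLEAN_EMAIL = """From: "Example Bank" <statements@examplebank.com>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html

<p>Your monthly statement is available.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
"""


def analyze_samples() -> tuple[list[str], list[str]]:
    """Run the checks over the constructed phishing and legitimate samples."""
    return (phishing_indicators(PHISH_EMAIL, "examplebank.com"),
            phishing_indicators(CLEAN_EMAIL, "examplebank.com"))


if __name__ == "__main__":
    for name, found in zip(("phish", "clean"), analyze_samples()):
        print(name, found or ["no indicators"])
```

The link check is the one users most often miss: the visible text in the sample is a plausible bank URL, but the href underneath goes to a different domain, which is exactly the "appears to take you to another site" sign. The spelling-and-grammar sign is left to a human reader; it is easy to spot by eye and hard to score reliably in code.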


Page 31:

JOHN MCCAULEY, CIPP/US/E, BINGHAM GREENEBAUM DOLL LLP

[email protected]

Thank You