Cybersecurity and Data Breach Best Practices

CONTACT:

Ari Schwartz
Managing Director of Cybersecurity Services
[email protected] | 202.344.4711

Ariel Wolf
Associate, eCommerce, Privacy, Data Security
[email protected] | 202.344.4464

Thursday, May 5th, 2016

Agenda

I. Overview

II. Risks and Threats

III. Legal Obligations

IV. Best Practices

V. Breach Response and Recovery

| Cybersecurity Risk Management Services 2


Cybersecurity Overview

Cybersecurity v. Data Security

• Cybersecurity and data security are related concepts
• Cybersecurity focuses on protecting networks and infrastructure from attacks and bad actors, and can include personal information
  • Electrical grid, communications backbone, financial systems, etc.
• Data security focuses on securing personal information (e.g., names, payment card numbers, Social Security numbers, etc.) from being accessed and/or acquired by unauthorized individuals
  • Consumer data breaches, lost laptops, etc.
• Different agencies and laws regulate different types of incidents, often with overlapping interests

Privacy v. Data Security

• Privacy – Focused on rules governing deliberate acts of “pushing” personal information out of an organization, typically in connection with acquiring or retaining customers
  • For example: renting of customer lists or sharing of customer information with corporate affiliates
• Data Security – Focused on rules aimed at protecting personal information from being “pulled” out of an organization
  • For example: external hacking or theft by an employee
• Europeans collapse both concepts under the rubric of “data protection”

Risks and Threats

Why do all Cybersecurity talks start with threats?

1. Context
2. Threat Landscape Should Dictate Policy
3. Intelligence Community Briefer Motto: “If I don’t get to sleep at night, why should you?”

Cyber Threat Actors

• Hacktivists
• Fraud and Organized Crime
• Nation States

Cyber Threat Characteristics

• Motivation: financial vs. espionage
• Vector: POS vs. social vs. credential

The time it takes attackers to compromise a system continues to outpace the time it takes defenders to detect the intrusion.

Increase in Data Breaches

Source: 2016 Data Breach Investigations Report, Verizon (2016), available at http://www.verizonenterprise.com/DBIR/2016/

Year   Security Incidents   Confirmed Data Breaches
2015   100,000+             3,141
2014   79,790               2,122
2013   63,437               1,367

Types of Data Targeted

• Personal data
  • Personally identifiable information
  • Payment card or account data
  • Health information
• Intelligence
  • Intellectual property
  • Attorney-client confidences
  • Research and development
  • Military secrets
• Other
  • Destruction/disruption/leaks

Most Affected Industries

Source: 2016 Data Breach Investigations Report, Verizon (2016), available at http://www.verizonenterprise.com/DBIR/2016/

Sector               Incidents   Confirmed Data Loss
Public/Government    47,237      193
Entertainment        2,707       38
Financial Services   1,368       795

Cost of a Data Breach

• Many factors contribute to total costs:
  • Breach response efforts
    • Delivering notices, credit monitoring, legal costs, etc.
  • Reputational costs
    • Customer and employee goodwill, media scrutiny
  • Litigation costs
    • Cases typically filed for negligence, etc.
  • Regulatory defense costs
    • Investigations, consent decrees
• Projected average cost of a breach:
  • 1,000 records: $52,000 - $87,000
  • 100,000 records: $366,500 - $614,600
  • 10 million records: $2,100,000 - $5,200,000
  • 100 million records: $5,016,200 - $15,622,700

Data Breach Costs

• Average cost: $35 million per incident
• Average cost per record: $201 in the U.S.
• Customer post-breach loyalty is decreasing
• 42% of breaches caused by a “malicious or criminal attack”

Top Drivers of Cyber Insurance Expenses

• Forensics
• Legal guidance
• Breach notification
• Credit monitoring

Cyber Espionage – in focus

• Defined: Infiltration of a system or network by an external actor in search of sensitive internal data and trade secrets
• 2015: 247 total security incidents with 155 confirmed data disclosures
• Top victims: Public/Government Sector, Manufacturing, and Professional Services
• Attack Vectors: Hacking, Malware, Phishing, Credentials

Recent Cyber Incidents: Nation States

• The White House (announced in Oct. 2014)
  ─ Obtained access to unclassified email system
  ─ Compromised emails from the President and data on his schedule
• U.S. Postal Service (announced in Nov. 2014)
  ─ Obtained access to data servers
  ─ 800,000 employees affected: SSNs, addresses, medical records, etc.
  ─ 2.9 million customers affected: Names, addresses, phone numbers, etc.
• U.S. Department of State (announced in Nov. 2014)
  ─ Obtained access to unclassified email system containing sensitive information
• Office of Personnel Management (announced in June 2015)
  ─ Largest government data breach
  ─ 22.5 million individuals affected
  ─ Background investigation data stolen: SSNs, DOBs, addresses, etc.
• Joint Chiefs of Staff (announced in Aug. 2015)
  ─ Public mail server was taken offline for 2 weeks

Recent Cyber Incidents: Nation States

• Sands Casino (announced in Feb. 2014)
  ─ Estimated cost to Sands: $40 million
  ─ Network wiped; hard drives, email servers, and phone systems shut down
  ─ Employee and consumer data: SSNs, names, email addresses, etc.
• Sony (announced in Nov. 2014)
  ─ 47,000 employees affected: SSNs, DOBs, addresses, etc.
  ─ 5 unreleased movies leaked
• Anthem (announced in Feb. 2015)
  ─ 80 million records: SSNs, DOBs, addresses, medical IDs, employment information, etc. (data unencrypted)
  ─ Class action lawsuits, 10 states issued inquiries, Congressional inquiries, CT proposed legislation

Recent Cyber Incidents: Organized Crime

• Target (announced in Dec. 2013)
  ─ 40 million credit/debit card accounts stolen
  ─ Estimated cost to Target: $252 million
  ─ Dozens of class action lawsuits filed on behalf of banks, consumers, and other stakeholders
  ─ Settled a $10 million class action lawsuit with individual cardholders
• Home Depot (announced in Sep. 2014)
  ─ 56 million payment cards compromised and 53 million email addresses stolen
  ─ Facing 44 lawsuits
  ─ Less than 2 weeks after announcement, estimated $62 million spent on breach-related costs
• Internal Revenue Service (IRS) (announced in May 2015)
  ─ 600,000 taxpayers affected and facing potential identity theft
  ─ Facing class action lawsuit

Sector Performance

Legal Obligations

Federal Data Security Obligations

• HIPAA Security Rule
  • Establishes detailed security requirements pertaining to the protection of electronic protected health information (e-PHI).
• Safeguards Rule (Gramm-Leach-Bliley Act)
  • Requires that financial institutions establish comprehensive information security programs to protect the security of customer information.
• Federal Information Security Management Act of 2002 (FISMA)
  • Establishes requirements pertaining to the protection of information held by the federal government.

FTC Best Practices: Reasonable Security

• Practices that the FTC has identified as factors in reasonable security:
  • Minimizing the collection of personal information;
  • Destroying records containing personal information when there is no longer a legitimate business reason to retain them;
  • Encrypting information in transit, in storage, and on portable media;
  • Actively monitoring vulnerability reports from third parties;
  • Performing security reviews during the design and testing of new products;
  • Protecting against commonly known vulnerabilities;
  • Providing security training to any employee responsible for testing, designing, and reviewing security features;
  • Appropriately overseeing the security procedures of any service providers.

State Data Security Obligations

• Reasonable Data Security
  • Nine states require that organizations implement sufficient policies and procedures to maintain reasonable data security.
  • AR, CA, FL, CT, IN, MD, OR, TX, UT
• Massachusetts Standards for the Protection of Personal Information
  • MA has implemented more detailed data security requirements.
  • Requires the implementation of a written comprehensive information security program.
  • Identifies specific requirements for the information security program.
  • Establishes specific technical requirements for an organization’s security system.
• Data Disposal
  • Approximately 30 states impose legal obligations on organizations to properly dispose of records that contain personal, financial, or health information.

EU Cyber and Data Security

General Data Protection Regulation (GDPR): contains a preamble and 92 articles, covering:

• Transparency
• Choice
• Right to be Forgotten
• Eligibility Decisions
• Data Security
• Independent supervisory authorities (“one-stop shop” for consumers)
• Corporate governance
• Penalties

Cybersecurity Directive (the Network and Information Security, or NIS, Directive): first EU-wide cybersecurity law

• Security and notification requirements for digital service providers (“DSPs”) and “essential service operators”
• Cooperation mechanisms and national strategy requirement
• Designation of authority among and within Member States
• Extended time frame for implementation

EU-US Privacy Shield

The European Commission announced a draft adequacy finding on the new EU-U.S. Privacy Shield on February 29, 2016 to replace the previous Safe Harbor.

Principles:

• Notice
• Choice
• Security
• Data Integrity and Purpose Limitation
• Access
• Accountability for Onward Transfer
• Recourse, Enforcement and Liability

The Article 29 Working Party has released an advisory opinion assessing the Privacy Shield and other mechanisms for EU-U.S. data transfers.

Data Breach Litigation

• Most litigation focuses on issues involving plaintiffs’ standing to sue.
  • Courts have rejected standing on the basis of mere loss of personal information.
  • Courts have found standing where plaintiffs have alleged that they have suffered:
    • fraudulent charges on a payment card;
    • restricted access to a bank account;
    • an inability to pay bills;
    • late payment fees;
    • unauthorized resource consumption;
    • overpayment for a product or service.
• Courts are split on whether a statutory right of action can create standing.
  • The Supreme Court may resolve this issue in Spokeo v. Robins.
• Courts are split on whether a risk of future harm is sufficient to establish standing.
  • Risk of identity theft not sufficiently imminent to confer standing
  • Allegations of a “credible threat” sufficient to create standing following a data breach

What Should I Do?

Legal Risk Management

Legal Risk

• Sector-Specific Enforcement (e.g., energy, financial services, health care, advertising, retail, etc.)
• Federal Trade Commission/Consumer Protection Actions
• Congressional Investigations
• State Attorney General Enforcement
• Class Action Lawsuits

Legal Assessment

• Policies/Procedures
• Governance
• Incident Response Plan
• Vendor Selection and Contracts
• Training
• Data Mapping
• Reporting and Decision Making
• Legal and Regulatory Compliance Framework

Legal and Policy Landscape

White House Cybersecurity Initiatives

Congress

Cybersecurity Act of 2015

• Enacted December 2015 as part of Omnibus Spending Bill
• Liability protection for voluntary information sharing of “cyber threat indicators” and “defensive measures”
  • Entities must remove PII “not directly related to a cybersecurity threat.”
• DHS plays a central though not exclusive role
• Sunsets in 10 years

Congress: Pending Legislation

Data Breach

• Data breach legislation remains under consideration but elusive
• Proposed legislation would grant the FTC data security authority, as well as:
  • Require reasonable security measures on a nationwide basis
  • Establish a national breach notification standard
  • Preempt state laws on these topics

Agency Developments

Data Breach

• SEC to expand data security examinations
  • Will focus on 6 key areas
• FTC authority to enforce under attack
  • Wyndham Worldwide Corp. settlement
  • LabMD administrative decision
• FCC proposing rule on privacy and data security
  • NPRM would establish data security regime for telecom and other data

FTC Policy Workshops and Reports

• “Big Data: A Tool for Inclusion or Exclusion?” (Report, 2016)
• Cross-Device Tracking (Workshop, 2015)
• Alternative Scoring Products (Workshop, 2014)
• Mobile Device Tracking (Workshop, 2014)
• “Paper, Plastic… or Mobile?” (Report, 2013)

Also notable: Federal Communications Commission 2015 order on telemarketing (including marketing and informational SMS messages)

Best Practices

Cybersecurity Framework (NIST)

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Managing Risk

• Identify.
  • Asset management
  • Data governance policies
  • Risk assessments and vendor review
• Protect.
  • Information protection and backup procedure reviews
  • Cybersecurity training
  • Access controls and identity management
  • Incident detection and prevention technologies
• Detect.
  • Penetration testing
  • Continuous monitoring
  • Information sharing strategies and technologies
  • Vulnerability disclosure programs
• Respond.
  • Incident response plan
  • Setting up a security operations center
  • Mitigation
• Recover.
  • Recovery planning
  • Incident response and recovery exercises

Data Security Best Practices

• Perform an enterprise-wide vulnerability assessment;
• Inventory devices that are connected to the corporate network;
• Identify those parts of the network that should be segmented;
• Implement a comprehensive information security program that addresses any identified vulnerabilities;
• Periodically review and update the information security program;
• Implement appropriate data security policies:
  • Data Classification Policy
  • Password Strength Policy
  • Access Control Policy
  • Encryption Policy
  • Data Disposal Policy
  • Patch Management Policy
• Implement intrusion detection software and data loss prevention software;
• Implement an Incident Response Plan.

Best Practices for Service Providers

• Client Perspective: Clients have an obligation to select and oversee service providers with reasonable security
• Adequate cyber insurance
• Consistent contract provisions with clients related to security and breach response
  • Insurance
  • Indemnification
  • Notifying client of breach
  • External notifications
• In the event of a breach affecting multiple clients, good preparation is key to managing the response

Responses from the Regulators on Cybersecurity

National Highway Traffic Safety Administration (NHTSA)

“I don’t know if there’s going to be regulation or standards, or what that’s going to look like, but I don’t think there’s any question that we have to get action on cybersecurity this year.”
– Mark Rosekind, Administrator, NHTSA (January 19, 2016)

Federal Aviation Administration (FAA)

“We’re looking for compliance, not enforcement.”
– Michael Huerta, Administrator, FAA (October 27, 2014)

“This threat [cyber threat] will continue to evolve and it is something that needs to be at the forefront of our thinking.”
– Michael Huerta, Administrator, FAA (April 16, 2015)

Securities and Exchange Commission (SEC)

“SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information. But it is incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.”
– Mary Jo White, Chairwoman, SEC (March 26, 2014)

Responses from the Regulators on Cybersecurity (cont.)

Federal Trade Commission (FTC)

“We’re trying to ensure that companies are making truthful representations about their data practices and their privacy practices. And we’re working to make sure that companies are taking reasonable actions to include security in the earliest stages of product development.”
– Edith Ramirez, Chairwoman, FTC (September 13, 2015)

Nuclear Regulatory Commission (NRC)

“The NRC and the industry both have been proactive and vigilant when it comes to addressing cyber threats. A recent joint meeting between the Commission and the Federal Energy Regulatory Commission highlighted the strong work done in this area by both the NRC and industry. However, efforts are likely to increase as time goes on, not decrease as work is accomplished.”
– Stephen Burns, Chairman, NRC (November 3, 2015)

Federal Energy Regulatory Commission (FERC)

“…The reliability of the grid is a primary responsibility for the Commission. This encompasses not only the everyday responsibility over Reliability Standards, including physical security and cybersecurity, but it also includes gas-electric coordination issues. While the Commission’s reliability authority is limited, it will continue to use what authority it has in a conscientious manner. In my view, it is important for utilities to push beyond the requirements of the standards to implement best practices on cybersecurity.”
– Norman C. Bay, Chairman, FERC (December 1, 2015)

Response and Recovery

Responding to a Data Breach

• Speed of Breach
  • In 60% of attacks, the attackers were able to compromise an organization in minutes.
  • In 75% of attacks, the attack spread from Victim 0 to Victim 1 within 24 hours.
  • In 40% of attacks, the attack spread to a second organization in less than an hour.

Developing an Incident Response Plan

• Elements of an Incident Response Plan
  • Procedures for reporting and escalation of suspected incidents;
  • Procedures for conducting an initial investigation;
  • Procedures for the preservation of evidence;
  • Identification of and contact information for the members of the Incident Response Team;
  • Identification of and contact information for any third parties that may be needed following a breach (e.g., forensic investigator, public relations advisor, outside counsel);
  • Identification of responsibilities with respect to investigating the breach, preparing notifications, coordinating with law enforcement, etc.

Breach Response: Sprinting a Marathon

• Forensic Analysis
• Contact Client, FBI or Secret Service, PCI, Vendors, Insurance
• Legal Analysis
• Adjust Team
• Triage
• Identify Consumers
• Arrange Credit Monitoring
• Hire Mailing Service
• Hire Call Center Support
• Draft Letter and Scripts
• Print and Mail Letters

Threats of the Future

• Chip Card Implementation
  ─ Moves more fraud to card-not-present transactions
  ─ Makes payment processors a larger target
• Internet of Things
  ─ Every additional networked device is an additional potential entry point into the network

A Final Message to Remember

1. You need an incident response plan
2. Exercise!!
3. Conduct 3rd party assessments to help define your priorities

DON’T BE AFRAID TO LOOK!

Thank You

Ari Schwartz, Managing Director of Cybersecurity Services
[email protected] | 202.344.4711

Ariel Wolf, Associate, eCommerce, Privacy, and Data Security
[email protected] | 202.344.4464