www.bgdlegal.com
CURRENT RISKS IN CYBERSECURITY – PROTECT THE VALUE OF YOUR DATA
John McCauley, Partner, CIPP/US/E
January 9, 2019
Protect Your Data From
• Regulatory Penalties
• Third-Party Vendors
• Contractual Disputes
• Cyberattacks
• Inadvertent Breach
US DATA PRIVACY REGIMES
The “Sectoral” Approach to Privacy
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Federal Trade Commission Enforcement
• Children’s Online Privacy Protection Act (COPPA)
• Contract Law/Self-Regulation
• PCI-DSS
• State Breach Notification Laws
• State Privacy Laws
• Illinois Biometric Information Privacy Act (BIPA)
• California Consumer Privacy Act
• Tort Law/Common Law
GENERAL DATA PROTECTION REGULATION
The “Omnibus” Approach to Privacy
• Purports to cover any organization holding personal data of an “EU Data Subject”
• Requires affirmative consent to data processing in most cases
• Requires Data Protection Impact Assessments for new products and services
• Agreements between all parties sharing data
• Mandates the “right to erasure”
• 72-Hour Breach Notification Rule
• Penalties up to €20 Million or 4% of global revenue, whichever is higher
California Consumer Privacy Act
• GDPR-like
• Consumers may demand deletion of data
• Consumers must have the right to opt out of the sale of their personal data
• Statutory damages for breach ($100-$750 per user)
• Applies to companies with > $25 million in revenue or holding consumer info of > 50,000 consumers
• Effective January 1, 2020
RECENT DEVELOPMENTS
• State Attorneys General Actions
• Federal Legislation
THIRD-PARTY MANAGEMENT
• Data is shared between companies according to contracts
• Contract disputes lead to litigation or settlements
• Data licenses outline permissible and impermissible uses
Recent trends:
• Sweeping indemnification provisions
• Disgorgement of profits
• Ownership interest in product
• Enforcement of auditing provisions
Cyber-Crime Trends
“Amateurs hack computers, professionals hack people.”
- Some Hacker
The Year of the Breach
Visualized Breaches
WHAT IS THE WEAKEST LINK IN OUR CYBERSECURITY?
1) Hackers?
2) Old Equipment?
3) Software Vulnerabilities?
4) The Internet?
5) Employees?
EMPLOYEES, EMPLOYEES, EMPLOYEES
THE VERY WEAKEST LINK IS EMPLOYEES. 93% OF SECURITY INCIDENTS INVOLVE SOME TYPE OF EMPLOYEE LACK OF AWARENESS
• SHARING CREDENTIALS
• SHOULDER SURFING
• DUAL USE AND SHARED DEVICES
• LOST OR STOLEN DEVICES
• INFECTED HOME COMPUTERS
• PUBLIC WIFI
• MOUSE JACKING
• JUICE JACKING
MUST TRAIN ON SECURITY AWARENESS BECAUSE . . .
Anti-virus and anti-malware are only 70% effective because of the rate at which new malware is developed: one million new strains of malware appear every day. Signature-based programs cannot identify a new strain until they have been taught to recognize it.
Malicious Insiders
INSIDER THREAT VECTOR
MOST CYBERSECURITY FOCUSES ON EXTERNAL THREATS – PERIMETER FOCUSED
DISGRUNTLED EMPLOYEES, FORMER EMPLOYEES, CLUELESS EMPLOYEES
4 METHODS TO CONTROL INSIDER ATTACKS
• SECURITY AWARENESS TRAINING
• NETWORK MONITORING
• ACCESS CONTROL MANAGEMENT
• HONEY POTS
HOW DO WE PROTECT INFORMATION?
Threat Vectors & Discovery Delays
• Phishing, Spear Phishing, Whaling Attack
• Ransomware
• Social Media
• Watering holes or drive-bys
• Social Engineering
Average 205 days from security incident to discovery
70% of the time the security incident is discovered by somebody else
PREVENTION METHODS
• Effective Password Policies
• Encryption
• Two-Factor Authentication
ADDITIONAL PROTECTION STEPS
• WHITELISTING
• MINIMIZING PERMISSION
• LEAST PRIVILEGE
• ACCOUNT SEPARATION
• PATCH MANAGEMENT
• WATCH YOUR DATA FLOW
• CONDUCT PERIODIC RISK ASSESSMENTS
• POLICY REVIEWS
• PENETRATION TESTING
Ransomware
Ransomware
Use regular, out-of-band backups.
Do not open email messages or attachments from unknown individuals.
Implement technical safeguards.
SCAREWARE
• Tricks the user into visiting malware-infested sites.
• These appear to be legitimate warnings from anti-virus software companies, and they claim your computer has been infected.
• Users are frightened into paying a fee to purchase software to fix the problem.
• Actually, the user is downloading fake anti-virus software, which is really malware.
• Scammers are also perpetrating this by phone.
LET’S GO PHISHING
PHISHING – DON’T GET HOOKED
PHISHING IS AN ATTACK THAT TRICKS YOU INTO OPENING A LINK OR ATTACHMENT
JUST READING AN E-MAIL WILL NOT TRIGGER AN ATTACK; YOU HAVE TO PERFORM SOME TYPE OF ACTION
MOST COMMON PHISHING ATTACKS
# 1 -- LinkedIn
# 2 -- BANK ACCOUNTS/CREDIT CARD COMPANIES
# 3 -- AMAZON
COMMON SIGNS OF PHISHING
• The email demands immediate action before something happens, like closing your account or subjecting you to fines.
• You receive an email that entices you to open an attachment, such as a letter from the IRS threatening prosecution or details of unannounced layoffs at your company.
• The email is supposedly coming from an official organization but uses a personal email address such as @yahoo.com or @gmail.com.
• The email, which is supposed to be from a business or government organization, contains spelling errors or bad grammar.
• The link in the email appears to take you to another site not connected to the organization.
• You receive a message from someone you know, but it does not sound like them and contains a strange link.
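The signs above are the kind of checks a mail-triage script can apply before a message reaches an inbox. The following Python is an added example written for this page; it is not code from the original slides or from the presenter's firm. It turns the machine-checkable signs (urgent threats, an official organization mailing from a personal webmail address, a sender or link domain that does not belong to the organization, an attachment pushed with a threat) into a small detector and runs it over three constructed sample e-mails. The organization-to-domain table, the freemail list and the sample messages are all assumptions made up for the example; the spelling/grammar and "does not sound like them" signs are left to human judgment.

```python
"""Phishing-sign triage over constructed sample e-mails.

Added example; not from the original slides. Each heuristic mirrors one of
the "common signs of phishing" listed above. The messages, the
organization-to-domain table and the freemail list are constructed
assumptions, not real captures or any vendor's rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: domains each organization legitimately sends mail from.
KNOWN_ORG_DOMAINS = {
    "example bank": {"examplebank.com"},
    "irs": {"irs.gov"},
}
# Personal/free webmail providers an official organization would not use.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Sign: pressure to act "before something happens" (closure, fines, prosecution).
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|account will be (?:closed|suspended)|"
    r"final notice|legal action|prosecution|fines?)\b",
    re.IGNORECASE,
)


@dataclass
class Email:
    from_addr: str
    subject: str
    body: str
    claims_org: str = ""                    # organization the mail purports to be from
    links: List[Tuple[str, str]] = field(default_factory=list)  # (anchor text, href)
    attachments: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, domains) -> bool:
    """True if host is one of `domains` or a subdomain of one.
    The suffix check is anchored at a dot, so the look-alike host
    'examplebank.com.login-verify.net' does NOT belong to examplebank.com."""
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_signs(mail: Email) -> List[str]:
    """Return the phishing signs present in `mail` (empty list if none)."""
    signs = []
    if URGENCY.search(mail.subject + "\n" + mail.body):
        signs.append("urgent-threat")

    org_domains = KNOWN_ORG_DOMAINS.get(mail.claims_org.lower(), set())
    sender_host = mail.from_addr.rsplit("@", 1)[-1].lower()
    # Sign: claims to be an official organization but uses a personal address.
    if mail.claims_org and sender_host in FREEMAIL_DOMAINS:
        signs.append("official-org-from-freemail")
    # Otherwise: sender domain is not one the organization actually uses.
    elif org_domains and not belongs_to(sender_host, org_domains):
        signs.append("sender-domain-mismatch")

    for anchor, href in mail.links:
        # Sign: the link goes to a site not connected to the organization.
        if org_domains and not belongs_to(host_of(href), org_domains):
            if "link-domain-mismatch" not in signs:
                signs.append("link-domain-mismatch")
        # Anchor text that shows one URL while the href points elsewhere.
        if anchor.startswith(("http://", "https://")) and host_of(anchor) != host_of(href):
            if "link-text-mismatch" not in signs:
                signs.append("link-text-mismatch")

    # Sign: an attachment pushed with a threat (IRS letter, layoff details).
    if mail.attachments and "urgent-threat" in signs:
        signs.append("enticing-attachment")
    return signs


# Constructed samples (not real messages).
PHISH_BANK = Email(
    from_addr="examplebank-alerts@gmail.com",
    subject="Action required: account will be suspended",
    body="Verify your details within 24 hours or your account will be closed.",
    claims_org="Example Bank",
    links=[("https://examplebank.com/login", "http://examplebank.com.login-verify.net/")],
)
LEGIT_BANK = Email(
    from_addr="alerts@notify.examplebank.com",
    subject="Your monthly statement",
    body="Your statement is available in online banking.",
    claims_org="Example Bank",
    links=[("View statement", "https://www.examplebank.com/statements")],
)
PHISH_IRS = Email(
    from_addr="refunds@irs-gov-notice.com",
    subject="Final notice",
    body="Open the attached letter to avoid prosecution.",
    claims_org="IRS",
    attachments=["letter.pdf"],
)

if __name__ == "__main__":
    for name, mail in [("PHISH_BANK", PHISH_BANK), ("LEGIT_BANK", LEGIT_BANK), ("PHISH_IRS", PHISH_IRS)]:
        print(name, phishing_signs(mail) or "no signs")
```

The `belongs_to` check is the part worth copying: a naive `"examplebank.com" in host` test would accept `examplebank.com.login-verify.net`, which is exactly the trick the "link appears to take you to another site" sign describes. Running the script prints four signs for the bank lure, none for the legitimate statement notice, and three for the IRS-themed attachment lure.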