The Hackers Want Accountants’ Info: Protecting Your Firm and Clients © 2015

Upload: lamliem

Post on 06-Sep-2018


Page 1: The Hackers Want Accountants’ Info: Protecting Your Firm ... · The Hackers Want Accountants’ Info: Protecting Your Firm and Clients ... •You Have Data Worth $$ - The 4 P’s

The Hackers Want Accountants’ Info:

Protecting Your Firm and Clients

© 2015

Page 2:

Presentation Objectives

• Age of the Internet and Hackers

• Why You Are The Perfect Target

• Legal Risks and Exposures

• Practical Steps Before and After a Breach

• Cyber Insurance

Page 3:

YOU THINK YOU ARE PREPARED

• You have:

– Firewalls

– Antivirus

– Malware Protection

– IT Support

– Outside/3rd Party Support/Server Redundancy

Page 4:

YOU THINK YOU ARE PREPARED

You may have:

– Firewalls

– Antivirus

– Malware Protection

– In House IT Support

– Cloud Based Data Storage

– Server Redundancy

Page 5:

NEWS FLASH: TODAY’S HACK

• Breaches hit the news each day

• But, many breaches don’t make the news...

Page 6:

Why Do Hackers Do It?

• Financial Gain – Sell info on the dark web

• Revenge – Ex-employee

• Political – Sony

• Damage Company’s Reputation

• Embarrass – Ashley Madison

• Cyber Espionage – Steal corporate info (client lists, buying patterns, client reports, legal strategies, etc.)

Page 7:

How Do They Do It?

• Vulnerabilities

• Phishing scams

• Ransomware

• Social Engineering scams

• Human error

Page 8:

Network Vulnerabilities

Do I really need those stinking patches?

Biggest problem: outdated software that is vulnerable to a widely known attack.

• 99% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.

• When an IT vendor applies the update, nobody checks that it was actually installed.
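A check for that last point, added here as an example and not part of the original deck. It takes a constructed inventory of installed package versions (standing in for the output of dpkg-query, rpm -qa, or an export from a management agent) and the minimum versions the vendor reported deploying, and lists every host where a package is below that minimum or absent from the inventory altogether. The host names, package versions and the REQUIRED table are all constructed for illustration. Versions are compared numerically rather than as strings, because a plain string comparison says "1.10.0" is older than "1.9.0".

```python
import re
from collections import defaultdict

# Constructed sample inventory: one line per host/package, as a vendor
# or RMM tool might export it. Not real hosts.
INVENTORY = """\
fs01 openssl 1.0.1e
fs01 bash 4.3.30
ws-07 openssl 1.0.1u
ws-07 bash 4.3.48
ws-12 openssl 1.0.2
ws-12 bash 4.2.53
lt-03 openssl 1.0.1t
"""

# Constructed sample: the minimum version the vendor says every host now runs.
REQUIRED = {"openssl": "1.0.1t", "bash": "4.3.30"}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(v):
    """Split '1.0.1e' into a comparable tuple ((0,1),(0,0),(0,1),(1,'e')).

    Numeric runs compare as integers, so 1.10 sorts after 1.9. A trailing
    letter suffix sorts after the same version without it (OpenSSL style).
    Assumption: no epochs, tildes or pre-release tags; extend this for
    full Debian/RPM version semantics before relying on it in production.
    """
    return tuple(
        (0, int(t)) if t.isdigit() else (1, t.lower())
        for t in _TOKEN.findall(v)
    )


def is_patched(installed, required):
    """True when the installed version is at or above the required minimum."""
    return parse_version(installed) >= parse_version(required)


def parse_inventory(text):
    """Map host -> {package: version}, skipping blank and comment lines."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, pkg, ver = line.split()
        hosts[host][pkg] = ver
    return hosts


def find_unpatched(inventory_text, required):
    """Return (host, package, installed_or_None, required) for every gap.

    A package that is missing from a host's inventory is reported with
    installed=None: an absent entry is a gap too, not a pass.
    """
    gaps = []
    for host, pkgs in sorted(parse_inventory(inventory_text).items()):
        for pkg, min_ver in sorted(required.items()):
            installed = pkgs.get(pkg)
            if installed is None or not is_patched(installed, min_ver):
                gaps.append((host, pkg, installed, min_ver))
    return gaps


if __name__ == "__main__":
    for host, pkg, installed, need in find_unpatched(INVENTORY, REQUIRED):
        print(f"{host}: {pkg} {installed or 'MISSING'} is below required {need}")
```

Run it against a real export after every vendor patch window; an empty result is the evidence that the patch claim holds, and anything else is the list of machines to chase before the next phishing email arrives.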

Page 9:

Cyber Crime: Phishing Scams

• 23% of recipients opened phishing emails and 11% clicked on the attachment (the click, not the open, is what installs malware)

• Nearly 50% of those who open a phishing email click on its links within the first hour

• A campaign of just 10 emails yields a better than 90% chance that at least one person will fall prey

• In 60% of cases the attackers are able to compromise an organization within minutes

• 70% of attacks where the motive is known included a secondary victim

• 75% of attacks spread from victim 1 to victim 2 within 24 hours (over 40% hit the second victim in less than an hour)

(Stats from the 2015 Data Breach Investigations Report)

Page 10:

Cyber Crime: Ransomware

Page 11:

Biggest threat: Human Error

Common denominator accounting for 90% of incidents is employee action. Examples: lost laptop, crimeware, insider misuse, mis-delivery of info, capacity shortage, paper document disposal error, programming error, POS intrusions, web app attacks, cyber espionage, physical theft, payment card skimmers.

Most Common Examples (bread-and-butter claims seen by carriers):

“D’oh”: Sensitive info reaching incorrect recipients – 30% of incidents

“My Bad”: Publishing non-public data to public web servers – 17% of incidents

“Oops”: Insecure disposal of personal and medical data – 12% of incidents

(Stats from 2015 Data Breach Investigations Report)

Page 12:

Types of “Cyber” Losses

• Unintended disclosure - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.

• Hacking or malware - Electronic entry by an outside party, malware and spyware.

• Payment Card Fraud - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.

• Insider - Someone with legitimate access intentionally breaches information - such as an employee or contractor.

• Portable device - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.

• Stationary device - Lost, discarded or stolen stationary electronic device such as a computer

Page 14:

Not Me!

• “I am not TARGET”

• “I am not a target”

• “I am too small”

• “I don’t have any data they want”

• “I must already have a policy that covers this”

• SMEs are the favorite target of hackers (easier than large companies with more IT resources)

• You have employee data (Personal, SSN, Health, Financial, Corp Secrets)

Page 15:

Not me! Yes, You!

• Why not you?

– You are the perfect target!

• You are

– Unsuspecting

– Unprepared

– Untrained

• You have

– No plan

– No resources or risk management in place

• Yes YOU!

• You are the perfect target and they are coming (if not already here...)

Page 16:

Why You Are The Perfect Target: Common Business Owner Misconceptions

• I’m too small

• I’m protected by:

– Firewalls/Antivirus

– Outside IT Vendor

– 3rd Party CC Processor

• I don’t have data worth stealing

• I haven’t assumed any liabilities of others for this (or have I?)

• I’m covered by another policy (General Liability/Crime Policies?)

Page 17:

The Perfect Target: What Hackers Know

• You Are the Perfect Size – 71% of companies hacked in 2015 had fewer than 100 employees (up from 60% in 2014)

• You Think You Are Protected:

– Antivirus/Firewalls are baseline efforts – “Anything networked can be hacked” (Rod Beckstrom, former Director, US National Cybersecurity Center)

– IT Vendor could be the cause of the breach – Do they have E&O coverage?

– 3rd Party CC Processor – You are data holder – Your customers will sue you!

Page 18:

The Perfect Target: What Hackers Know

• You Have Data Worth $$ - The 4 P’s – PII, PHI, PCI & Paper

– Name, Address, Driver’s License #, Email Address, SSN, Banking Details, DOB, CC Details, Photo, Fingerprints, Credit History, Medical Records

• You Have A Small IT Budget – 83% of companies hacked had no preventive measures in place

• You Have Assumed Liabilities of Others – purchase orders, business agreements

Page 19:

The Perfect Target: What Hackers Know

• You Have No Dedicated IT Support – 78% of attacks are unsophisticated

• Your Employees Have Had No Cyber Security Training

• You Have No Breach Response Plan

• You Have No Cyber Insurance – General Liability & Crime policies are not intended to cover Cyber Exposures

• YOU THINK “NOT ME”

Page 20:

Traditional Theories of Liability

• Liability for breach of Personally Identifiable Information (“PII”) & Protected Health Info. (“PHI”)

– Violation of privacy laws and common law rights

– Breach of contract

– Negligence: on 11/11/14 the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics & Gynecology) held that HIPAA may provide the applicable standard of care for a negligence claim.

– Fraud

– Unfair trade practices

• Recovery

– Compensatory damages

– Treble damages

– Attorneys’ fees

– Punitive damages, Statutory Fines

Page 21:

The New Litigation Frontier: Derivative Actions Against Boards

• Derivative: Filed on Behalf of the Company

• Directors Can Be Held Personally Liable.

– Plaintiffs will claim breaches of fiduciary duties.

– Potential breaches:

• Failures to protect the company.

• Failures to disclose risks.

• Failures to address risks – especially detected risks.

• Defense: Business Judgment Rule

– Courts defer if directors acted in good faith and reasonably believed that actions were in the company’s best interests.

– BUT: No defense if directors failed to address known risks.

– No shield for gross negligence.

Page 22:

Playing Defense: Prepare Well!

• Prioritize Data Based On Risks

• Comprehensive Data-Governance Plan

• Incident Response Plan

• Policies

– Access, Use, Transmission

– Email

– Mobile, Laptops, Tablets

– Social Media

• Communication

• Implementation: Stewards

• Training

• Metrics

Page 23:

Implement Compliant Corporate Policies

• Access, Use, Transmission

– User ID and Passwords

– Access Protocols

– Third-Party Access

– Employee Screening

– Dedicated Devices

– Device Management

– Remote Access

– Laptop Restrictions

– Business Uses

– Non-Disclosure

– Software Restrictions

– Data Backups

– Encryption

Page 24:

Implement Compliant Corporate Policies

• Email

– Primarily for Business and Permissible Content

– Confidential or Proprietary Data Secured and Encrypted

– No Clicking on Suspicious Emails, Docs, and/or Links

– Retained if Business Record

– Compliance With Statutory or Regulatory Requirements

– No Expectation of Privacy

Page 25:

Implement Compliant Corporate Policies

• Mobile / BYOD

– Acceptable Use Only

– No Access of Non-Work Websites

– Permitted and Prohibited Apps

– Permitted Operating Systems

– No Direct Connections to Network

– Proper and Authorized IT Support and Maintenance

– Strong Password Protected

– Automatic Locks

– Remotely Wiped if Lost, Employee Terminated, or Breach

Page 26:

Data Management is Key: Reduce and Destroy Bad Data

• Email

– Must be part of the document retention/destruction policy.

• Avoid Creating Smoking Guns

• Routine Destruction Programs

• Attorney-Client Privilege

• Outside Counsel

• Protect Self-Critical Analyses, Investigations

• Preemptive Data Security

• APTs

• Social Media – New and Leading Cause of Malware

Page 27:

Best Practices

• How do you protect your customers and your firm?

– E-Mail Encryption

– Password Protection – strong, unique passwords per system (the 2015 advice to change them frequently has since been superseded by NIST SP 800-63B, which recommends changing a password on evidence of compromise rather than on a schedule)

– Construct and Maintain an Appropriate Firewall

– Back up your Data

– Avoid Public Wi-Fi

– Understand how to wipe your smartphone

– Educate your clients

– Be Proactive - Constantly review and update your systems

Page 28:

Best Practices

Are your vendors secure?

– Due diligence may be mandatory (GLB, HIPAA)

– Questionnaires are required at minimum

– May need to visit and verify if high risk

– Components to review and assess:

• Data leakage protection

• Monitoring, alerting, and enforcement

• Forensics/Investigations

• External device control

• Encryption

• Management and support

• Reporting and compliance

• Identity management

• Company profile

Page 29:

Typical Post-Data Breach Event Sequence

• Breach

• Initial Investigation (Need Protection)

• Notification

• Additional Investigation/Litigation and/or Regulatory Action (Need Protection)

Page 30:

Model Data Breach Response Investigative Team

Outside Counsel / In-House Counsel (IHC)

Insured’s Internal Incident Response Team: Management, IT, Public Affairs, Media Relations, Risk Management, Finance, Audit, HR

External Contractors: Info Analysts, SIEM, Forensics, PR, Crisis Management

Page 31:

When & Why to Engage Outside Counsel?

• Early

• Why

– Increased Flexibility to uncover root cause of breach

– Avoid careless creation of documents

– Litigation hold notices /preserve existing documents

– Restrict circulation of investigation materials

Page 32:

TIPS

• RETAIN Outside Counsel ASAP to Quarterback Investigation

• DEVELOP Clear/Articulable Legal Purpose

• COMMUNICATE Legal Purpose & Label

• EDUCATE Leadership, Employees, & Vendors

• PRESERVE key information & documents

Page 33:

Cyber Insurance: What It Covers

• Breach Coach

• Network Security & Privacy Liability (first party and third party claims)

• Breach Notification costs (letters, call center for clients/employees, PR, credit monitoring)

• Regulatory Investigations, Fines & Penalties (OCR, FTC, SEC)

• Cyber Extortion (cyber crime)

• Cyber Business Interruption

Page 34:

Cyber Insurance: What It Covers

Suits brought against you by others

– Failure to:

• Protect data – employee/customer/vendor

• Secure network

• Mitigate unauthorized access

• Disclose breach

• Provide tech/internet services as promised

– Theft of customer/client data

– Transmission of virus to another system

Page 35:

Cyber Insurance: What It Doesn’t Cover

• Not meant to cover everything

– Circumstances known at inception

– Collection of data without consent

• Policies and Coverages Vary Widely

• Your broker and you need to compare options

Page 36:

Need Help?

Free ½ Hour Legal / Technical Consultation Appointment

Contact

Hillard Sterling 312-985-5600

[email protected]

Alan Heyman 914.455.0600 x101

[email protected]