TRANSCRIPT
The Hackers Want Accountants’ Info:
Protecting Your Firm and Clients
© 2015
Presentation Objectives
• Age of the Internet and Hackers
• Why You Are The Perfect Target
• Legal Risks and Exposures
• Practical Steps Before and After a Breach
• Cyber Insurance
YOU THINK YOU ARE PREPARED
• You may have:
– Firewalls
– Antivirus
– Malware Protection
– In-House IT Support
– Outside/3rd Party Support
– Cloud-Based Data Storage
– Server Redundancy
NEWS FLASH: TODAY’S HACK
• Breaches hit the news each day
• But, many breaches don’t make the news...
Why Do Hackers Do It?
• Financial Gain – sell info on the dark web
• Revenge – ex-employee
• Political – Sony
• Damage Company’s Reputation
• Embarrass – Ashley Madison
• Cyber Espionage – steal corporate info (client lists, buying patterns, client reports, legal strategies, etc.)
How Do They Do It?
• Vulnerabilities
• Phishing scams
• Ransomware
• Social Engineering scams
• Human error
Network Vulnerabilities
Do I really need those stinking Patches?
Biggest Problem: outdated software and vulnerability to a widely known attack.
• 99% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
• When updates are applied by an IT vendor, nobody checks the implementation.
Cyber Crime: Phishing Scams
• 23% of recipients opened phishing emails (malware is installed)
• 50% open emails and click on links within the first hour
• A campaign of just 10 emails yields a 90% chance that at least one person will fall prey
• In 60% of cases the attackers are able to compromise an organization within minutes
• 70% of attacks where the motive is known were focused on a secondary victim
• 75% of attacks spread from victim 1 to victim 2 within 24 hours (40% hit the second victim in less than an hour)
Cyber Crime: Ransomware
Biggest threat: Human Error
• The common denominator accounting for 90% of incidents is employee action.
• Examples: lost laptop, crimeware, insider misuse, mis-delivery of info, capacity shortage, paper document disposal error, programming error, POS intrusions, web app attacks, cyber espionage, physical theft, payment card skimmers.
Most Common Examples – (Bread and Butter claims seen by carriers):
“D’oh”: Sensitive info reaching incorrect recipients – 30% of incidents
“My Bad”: Publishing Non public data to public web servers – 17% of incidents
“oops”: Insecure disposal of personal and medical data – 12% of incidents
(Stats from 2015 Data Breach Investigations Report)
Types of “Cyber” Losses
• Unintended disclosure - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
• Hacking or malware - Electronic entry by an outside party, malware and spyware.
• Payment Card Fraud - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
• Insider - Someone with legitimate access intentionally breaches information - such as an employee or contractor.
• Portable device - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
• Stationary device - Lost, discarded or stolen stationary electronic device such as a computer.
Are You Prepared?
• Business Owner
• Smart / Driven / Successful
• Hardworking
– Could you lose it all?
– Do you have extra $$$ saved to handle recovery after an incident?
– How important is your Reputation/Brand?
Not Me!
• “I am not TARGET”
• “I am not a target”
• “I am too small”
• “I don’t have any data they want”
• “I must already have a policy that covers this”
• SMEs are the favorite target of hackers (easier than large companies with more IT resources)
• You have employee data (Personal, SSN, Health, Financial, Corp Secrets)
Not me! Yes, You!
• Why not you?
– You are the perfect target!
• You are
– Unsuspecting
– Unprepared
– Untrained
• You have
– No plan
– No resources or risk management in place
• Yes YOU!
• You are the perfect target and they are coming (if not already here...)
Why You Are The Perfect Target: Common Business Owner Misconceptions
• I’m too small
• I’m protected by:
– Firewalls/Antivirus
– Outside IT Vendor
– 3rd Party CC Processor
• I don’t have data worth stealing
• I haven’t assumed any liabilities of others for this (or have I?)
• I’m covered by another policy (General Liability/Crime Policies?)
The Perfect Target: What Hackers Know
• You Are the Perfect Size – 71% of companies hacked in 2015 had fewer than 100 employees (up from 60% in 2014)
• You Think You Are Protected:
– Antivirus/Firewalls are baseline efforts – “Anything networked can be hacked” (Rod Beckstrom, former Director, US National Cybersecurity Center)
– IT Vendor could be the cause of the breach – Do they have E&O coverage?
– 3rd Party CC Processor – You are the data holder – Your customers will sue you!
The Perfect Target: What Hackers Know
• You Have Data Worth $$ - The 4 P’s – PII, PHI, PCI & Paper
– Name, Address, DL #, Email Address, SSN, Banking Details, DOB, CC Details, Photo, Fingerprints, Credit History, Medical Records
• You Have A Small IT Budget – 83% of companies hacked had no measures to prevent it
• You Have Assumed Liabilities of Others – purchase orders, business agreements
The Perfect Target: What Hackers Know
• You Have No Dedicated IT Support – 78% of attacks are unsophisticated
• Your Employees Have Had No Cyber Security Training
• You Have No Breach Response Plan
• You Have No Cyber Insurance – General Liability & Crime policies are not intended to cover Cyber Exposures
• YOU THINK “NOT ME”
Traditional Theories of Liability
• Liability for breach of Personally Identifiable Information (“PII”) & Protected Health Info. (“PHI”)
– Violation of privacy laws and common law rights
– Breach of contract
– Negligence: on 11/11/14, the Connecticut Supreme Court held that HIPAA may provide the applicable standard of care for a negligence claim.
– Fraud
– Unfair trade practices
• Recovery
– Compensatory damages
– Treble damages
– Attorneys’ fees
– Punitive damages, Statutory Fines
The New Litigation Frontier: Derivative Actions Against Boards
• Derivative: Filed on Behalf of the Company
• Directors Can Be Held Personally Liable.
– Plaintiffs will claim breaches of fiduciary duties.
– Potential breaches:
• Failures to protect the company.
• Failures to disclose risks.
• Failures to address risks – especially detected risks.
• Defense: Business Judgment Rule
– Courts defer if directors acted in good faith and reasonably believed that actions were in the company’s best interests.
– BUT: No defense if directors failed to address known risks.
– No shield for gross negligence.
Playing Defense: Prepare Well!
• Prioritize Data Based On Risks
• Comprehensive Data-Governance Plan
• Incident Response Plan
• Policies
– Access, Use, Transmission
– Mobile, Laptops, Tablets
– Social Media
• Communication
• Implementation: Stewards
• Training
• Metrics
Implement Compliant Corporate Policies
• Access, Use, Transmission
– User ID and Passwords
– Access Protocols
– Third-Party Access
– Employee Screening
– Dedicated Devices
– Device Management
– Remote Access
– Laptop Restrictions
– Business Uses
– Non-Disclosure
– Software Restrictions
– Data Backups
– Encryption
Implement Compliant Corporate Policies
– Primarily for Business and Permissible Content
– Confidential or Proprietary Data Secured and Encrypted
– No Clicking on Suspicious Emails, Docs, and/or Links
– Retained if Business Record
– Compliance With Statutory or Regulatory Requirements
– No Expectation of Privacy
Implement Compliant Corporate Policies
• Mobile / BYOD
– Acceptable Use Only
– No Access of Non-Work Websites
– Permitted and Prohibited Apps
– Permitted Operating Systems
– No Direct Connections to Network
– Proper and Authorized IT Support and Maintenance
– Strong Password Protected
– Automatic Locks
– Remotely Wiped if Lost, Employee Terminated, or Breach
Data Management is Key: Reduce and Destroy Bad Data
– Must be part of document retention/destruction policy.
• Avoid Creating Smoking Guns
• Routine Destruction Programs
• Attorney-Client Privilege
• Outside Counsel
• Protect Self-Critical Analyses, Investigations
• Preemptive Data Security
• APTs
• Social Media – New and Leading Cause of Malware
Best Practices
• How do you protect your customers and your firm?
– E-Mail Encryption
– Password Protection – Change Frequently
– Construct and Maintain an Appropriate Firewall
– Back-up your Data
– Avoid Public Wi-Fi
– Understand how to wipe your smartphone
– Educate your clients
– Be Proactive - Constantly review and update your systems
Best Practices
Are your vendors secure?
– Due diligence may be mandatory (GLB, HIPAA)
– Questionnaires are required at minimum
– May need to visit and verify if high risk
– Components to review and assess:
• Data leakage protection
• Monitoring, alerting, and enforcement
• Forensics/Investigations
• External device control
• Encryption
• Management and support
• Reporting and compliance
• Identity management
• Company profile
Typical Post-Data Breach Event Sequence
• Breach
• Initial Investigation (Need Protection)
• Notification
• Additional Investigation/Litigation and/or Regulatory Action (Need Protection)
Model Data Breach Response Investigative Team
• Outside Counsel/IHC
• Insured’s Internal Incident Response Team: Management, IT, Public Affairs, Media Relations, Risk Management, Finance, Audit, HR
• External Contractors: Info Analysts, SIEM, Forensics, PR, Crisis Management
When & Why to Engage Outside Counsel?
• Early
• Why
– Increased Flexibility to uncover root cause of breach
– Avoid careless creation of documents
– Litigation hold notices /preserve existing documents
– Restrict circulation of investigation materials
TIPS
• RETAIN Outside Counsel ASAP to Quarterback Investigation
• DEVELOP Clear/Articulable Legal Purpose
• COMMUNICATE Legal Purpose & Label
• EDUCATE Leadership, Employees, & Vendors
• PRESERVE key information & documents
Cyber Insurance: What It Covers
• Breach Coach
• Network Security & Privacy Liability (first party and third party claims)
• Breach Notification costs (letters, call center for clients/employee, PR, credit
monitoring)
• Regulatory Investigations, Fines & Penalties (OCR, FTC, SEC)
• Cyber Extortion (cyber crime)
• Cyber Business Interruption
Cyber Insurance: What It Covers
Suits brought against you by others
– Failure to:
• Protect data – employee/customer/vendor
• Secure network
• Mitigate unauthorized access
• Disclose breach
• Provide tech/internet services as promised
– Theft of customer/client data
– Transmission of virus to another system
Cyber Insurance: What It Doesn’t Cover
• Not meant to cover everything
– Circumstances known at inception
– Collection of data without consent
• Policies and Coverages Vary Widely
• Your broker and you need to compare options
Need Help
Free ½ Hour Legal / Technical Consultation Appointment
Contact
Hillard Sterling 312-985-5600
Alan Heyman 914.455.0600 x101
Q & A
Hillard M. [email protected]
312-985-5600
Alan H. [email protected]
(914) 455-0600