today’s presenters€¦ · 20-10-2017 · today’s presenters: ryan kriger, cipp/us office of...
TRANSCRIPT
![Page 1: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/1.jpg)
![Page 2: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/2.jpg)
Today’s presenters:
Ryan Kriger, CIPP/US
Office of the Vermont Attorney General
Assistant Attorney General, Public Protection Division
Bill Carrigan, CFE
Vermont Department of Financial Regulation
Deputy Commissioner, Securities Division
Investor Education Coordinator
Jonathan Rajewski, MS, CCE, EnCe, CISSP, CFE, TJFC
Champlain College
Founder & Director, the Senator Patrick Leahy Center for Digital Investigation
Associate Professor of Cyber Security and Digital Forensics
Sona Makker, CIPP/US and Claire Gartland
Facebook, Privacy and Public Policy
![Page 3: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/3.jpg)
Ryan Kriger, CIPP/US
Office of the Vermont Attorney General
Assistant Attorney General
Public Protection Division
![Page 4: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/4.jpg)
Data Security for
Small BusinessesRyan Kriger, CIPP/US
Assistant Attorney General, Public Protection Division
October 20, 2017
![Page 5: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/5.jpg)
Takeaways:
1. Know what laws affect you
2. Train your employees
3. Think data security before you get hit
4. Have response plan for after you get hit
5. Get Cyber Insurance
6. Vendors/Contractors/Cloud Providers
![Page 6: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/6.jpg)
Know What Laws You Have To Comply With
Consumer Protection Act: EVERYONE
Security Breach Notice Act: EVERYONE
SSN Protection Act: Do you Collect SSN
HIPAA: Do you do medical work?
FERPA: Do you work with schools/universities?
COPPA: Do you sell to kids under 13?
GLB: Do you work with financial institutions?
![Page 7: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/7.jpg)
Three Numbers
14Days: Time to Confidentially
Provide Preliminary Notice
of Breach to AG
45Days: Maximum Time to
Send Notice to Consumers
(It Can Often Be Sooner)
10,000 Dollars: Maximum Civil
Penalty Per Violation
![Page 8: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/8.jpg)
DON’T CLICK
THE LINK.
![Page 9: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/9.jpg)
What Sort of Data Should You Be Protecting?
Credit Card info
Social Security Numbers
Financial Information
Passwords
Anything sensitive that someone might not want
to fall into the wrong hands
![Page 10: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/10.jpg)
Have Data Collection Policies:
Don’t collect data you don’t need
Only keep data as long as you need it
Consider using a 3rd party vendor to handle
sensitive data
![Page 11: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/11.jpg)
Technology Suggestions
Credit Cards:
Search your systems to make sure you’re not
storing data
Search for key loggers
Frequent system scans
Watch your employees
Consider scanners that encrypt at swipe
NO web browsing on POS Systems
![Page 12: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/12.jpg)
Watch Out For Portable Data:
Cell Phones
Tablets
Laptops
External Hard Drives
Thumb Drives
Data In Transit (including E-Mail)
And Don’t Forget Back-up Tapes
![Page 13: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/13.jpg)
Protect Portable Data:
Password Protection
Remote Wipe Capability
Encryption
Ask yourself: Should this be in a portable medium?
![Page 14: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/14.jpg)
I’ve Had a Data Breach, What Next?
1. Secure Your Data
2. Contact Law Enforcement
3. Contact Cyber Insurance
4. Contact Entities From Which You Obtained the Data
5. Notify the Attorney General’s Office Of The Breach
6. Notify Consumers Of The Breach
7. Notify the Credit Reporting Agencies (if more than 1,000
consumers)
![Page 15: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/15.jpg)
Online Resources
VT Attorney General Site (ago.vermont.gov/focus/consumer-
info/privacy-and-data-security1.php)
OnGuardOnline.gov
business.ftc.gov
IAPP: www.privacyassociation.org
![Page 16: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/16.jpg)
CYBER INSURANCE
CYBER INSURANCE
CYBER INSURANCE.
![Page 18: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/18.jpg)
Bill Carrigan, CFE
Vermont Department of Financial Regulation
Deputy Commissioner, Securities Division
Investor Education Coordinator
![Page 19: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/19.jpg)
19 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
DFR Overview
▪ Department is made up of four Divisions
• Banking, Insurance, Securities, Captive Ins.
▪ All Divisions may deal with different
aspects of fraudulent activity.
▪ The opinions and comments made today
are mine and are not the position of the
Department.
Vermont Department of Financial Regulation
![Page 20: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/20.jpg)
20 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Introduction
▪ Fraud, in all its forms, costs billions in
damage each year.
▪ Fraud involves taking something from
someone else through deception or
concealment.
▪ Occupational frauds are those committed
in connection with the fraudster’s
occupation.
![Page 21: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/21.jpg)
21 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Examples of Occupational Fraud
▪ Stealing money or inventory
▪ Claiming overtime for hours not worked
▪ Filing fraudulent expense reports
▪ Giving friends or relatives unauthorized
discounts on company merchandise or
services
▪ Adding ghost employees to the payroll
![Page 22: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/22.jpg)
22 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Types of Fraud
Asset Misappropriation: schemes in which the
employee steals or misuses an organization’s
assets
▪ Skimming cash receipts
▪ Falsifying voids and refunds
▪ Tampering with company checks
▪ Overstating expenses
![Page 23: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/23.jpg)
23 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Types of Fraud
Corruption: schemes in which a fraudster
wrongfully uses his influence in a business
transaction for the purpose of obtaining a
benefit for himself or another person
▪ Conflicts of interest
▪ Illegal gratuities
▪ Bribery
![Page 24: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/24.jpg)
24 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Types of Fraud
Fraudulent statements: fraud schemes
involving the intentional misreporting of an
organization’s financial information with the
intent to mislead others
▪ Creating fictitious revenues
▪ Concealing liabilities or revenues
![Page 25: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/25.jpg)
25 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Common Frauds by Employees
▪ Stealing incoming cash
▪ Fraudulent disbursements
• Check tampering
• Register disbursement
• Billing
• Expense reimbursement
• Payroll
▪ Inventory fraud schemes
![Page 26: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/26.jpg)
26 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Common Frauds by Vendors
▪ Bid-rigging
▪ Price-fixing
▪ Overbilling
▪ Kickbacks
▪ Shell companies
![Page 27: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/27.jpg)
27 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
What Causes People to Commit Fraud?
![Page 28: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/28.jpg)
28 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
What Causes People to Commit Fraud?
Pressure
▪ A gambling or drug
habit
▪ Personal debt or poor
credit
▪ A significant financial
loss
▪ Peer or family
pressure to succeed
![Page 29: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/29.jpg)
29 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
What Causes People to Commit Fraud?
Opportunity
▪ Lack of supervision
▪ Poor internal controls
▪ Poor record keeping
▪ Extreme trust in a single individual
▪ Lack of disciplinary action for previous frauds
![Page 30: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/30.jpg)
30 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
What Causes People to Commit Fraud?
Rationalization
▪ I was only “borrowing” the money and planned to repay it.
▪ The company won’t even realize this amount is gone; it’s not
that much.
▪ My boss does it all the time.
![Page 31: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/31.jpg)
31 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
What Causes People to Commit Fraud?
Rationalization
▪ I’ve been working with the company for 15 years. They owe it
to me.
▪ I’ll stop once I pay off my debts.
▪ I deserved this after the way the company has treated me.
![Page 32: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/32.jpg)
32 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
How Fraud Affects You and
Your Organization
▪ Fewer pay increases
▪ Increased layoffs
▪ Greater pressure to increase sales and
revenue
▪ Decreases in employee benefits
▪ Low employee morale
▪ Negative publicity for the company
![Page 33: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/33.jpg)
33 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Red Flags of Fraud
▪ Living beyond means
▪ Financial difficulties
▪ Serious addiction to
drugs, alcohol, or
gambling
![Page 34: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/34.jpg)
34 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Other Warning Signs of Fraud
▪ An unwillingness to share duties
▪ A refusal to take vacations
▪ A close personal relationship with vendors or
customers
▪ Complaints about low pay
▪ Family problems
▪ Excessive pressure within the company
▪ Rule breakers
![Page 35: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/35.jpg)
35 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
What to Do if You Suspect Fraud
▪ Be aware of warning signs
▪ Report irregularities, specifically:
• If someone you work with asks you to do something that is illegal or
unethical
• If you suspect that someone— regardless of rank or position—is
committing fraud or abuse
![Page 36: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/36.jpg)
36 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
How to Report Suspected Fraud
▪ Hotlines or other anonymous reporting
mechanism
▪ Anonymous letter to company official
▪ Share your concern with company’s internal
auditors or anti-fraud specialists
![Page 37: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/37.jpg)
37 of 19 © 2014 Association of Certified Fraud Examiners, Inc.
Conclusion
▪ Everyone in an organization is responsible for
fighting fraud.
▪ Be alert to potential fraud.
▪ Report any suspicions to your organization.
![Page 38: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/38.jpg)
Jonathan Rajewski, MS, CCE, EnCe, CISSP, CFE, TJFC
Champlain College
Associate Professor of Cyber Security and Digital
Forensics
Founder & Director
Senator Patrick Leahy Center for Digital Investigation
![Page 39: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/39.jpg)
s
"Behind this glass is incredible
talent and this country in
general and the FBI in particular
needs those folks,"
-FBI Director James
Comey
s
![Page 40: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/40.jpg)
![Page 41: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/41.jpg)
Do you think your data is safe?
databasesemailspreadsheetsdocumentspicturesvideos
laptops / tabletscomputersremovable devicesserverscloud
Personal Identifiable InformationProtected Health InformationPrivate / Sensitive Information
What Where Specifically
![Page 42: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/42.jpg)
Why isn't the data on
our networks secure?
SecurityUsability
SecurityUsability
![Page 43: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/43.jpg)
Total security is a myth
![Page 44: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/44.jpg)
Ask your IT staff two
questions…
When was the last time they experienced a data breach?
Are they currently breached?
![Page 45: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/45.jpg)
Executive Management
Our job is to manage
Security is both a legal
and IT problem
Legal
Our job is to shift liability
Security is a technical problem
Human Resources
Our job is to avoid trouble
Security is trouble
Information Technology
Our job is to make it work
Employee behavior is not
our problem
![Page 46: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/46.jpg)
Executive Management
Our job is to manage
Security is both a legal
and IT problem
Legal
Our job is to shift liability
Security is a technical problem
Human Resources
Our job is to avoid trouble
Security is trouble
Information Technology
Our job is to make it work
Employee behavior is not
our problem
Effective/Clear/Accountable Policy
![Page 47: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/47.jpg)
Demystify cyber security
![Page 48: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/48.jpg)
![Page 49: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/49.jpg)
![Page 50: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/50.jpg)
So how do we reduce the risk to a reasonable level?
![Page 51: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/51.jpg)
It’s not if you’re going to have a
cyber related event, it’s when
![Page 52: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/52.jpg)
https://techcrunch.com/2016/06/13/cyber-insurance-is-changing-the-way-we-look-at-risk/
Part of the plan should be
insurance...
![Page 53: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/53.jpg)
2016 Breach costs - $290 - $15MMCrisis services costs (forensics, notification, credit monitoring and legal counsel), Legal damages (defense and settlement), Business interruption costsFines (PCI and regulatory) by the type of data exposed
https://netdiligence.com/wp-content/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf
2016 Average Claim $495,000
2016 Typical breach cost $5,822 - 1.6MM 80% - 10th-90th percentile
Part of the plan should be
insurance...
![Page 54: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/54.jpg)
https://netdiligence.com/wp-content/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf
N=176
Part of the plan should be
insurance...
![Page 55: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/55.jpg)
https://netdiligence.com/wp-content/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf
Part of the plan should be
insurance...
![Page 56: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/56.jpg)
It’s not just about shifting risk…
![Page 57: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/57.jpg)
Practical Takeaways
![Page 58: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/58.jpg)
![Page 59: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/59.jpg)
![Page 60: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/60.jpg)
Being proactive is smart
![Page 61: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/61.jpg)
People
Process Tools
Determine where you need helpWhere are your risks?
Budget accordingly
![Page 62: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/62.jpg)
Do you have mandatory trainings?
![Page 63: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/63.jpg)
Stop Drop and Roll
Look both ways before crossing
STOP THINK CONNECT ™
https://www.stopthinkconnect.org/
![Page 64: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/64.jpg)
PLEASE use a separate passphrase for work and
compartmentalize accordingly
https://www.pwnieexpress.com/hubfs/password_vs_passphrase.jpg
![Page 65: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/65.jpg)
https://www.lockdownyourlogin.org/strong-authentication/
Use Multifactor
Authentication
![Page 66: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/66.jpg)
![Page 67: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/67.jpg)
![Page 68: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/68.jpg)
“CEO fraud,” or “business email compromise.”
![Page 69: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/69.jpg)
![Page 70: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/70.jpg)
How to deal with ransomeware• Don’t click or open attachments/links that look
suspicious
• Be careful on social media - videos are not really videos etc…
• Backup your files! (cloud?) & TEST BACKUPS
• Call for help!
![Page 71: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/71.jpg)
How many of you have ever
connected to…
![Page 72: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/72.jpg)
So what can you do?
•Use your phone as a wifi
hotspot
•Ensure you trust which wifi
you are connecting to
•Use a Virtual Private Network
![Page 73: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/73.jpg)
Antivirus
It can be compared to the
flu shot…
![Page 74: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/74.jpg)
A current asset list and network map
Data classification - where do you have the crown jewels
General Cyber Security Tips IT professionals
![Page 75: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/75.jpg)
http://limpehft.blogspot.com/2013/10/why-choose-path-of-least-resistance.html
http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/5-14.png
General Cyber Security Tips IT professionals
![Page 76: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/76.jpg)
General Cyber Security Tips IT professionals
![Page 77: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/77.jpg)
Enable logging on internal and external systems
General Cyber Security Tips IT professionals
![Page 78: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/78.jpg)
Collect data that’s important to hunt for evil
System Event LogsProxy Logs
Firewall LogsIntrusion Detection Logs
Anti-Virus LogsFlow Data
DHCP LogsSMTP/Mail Logs
Remote Desktop/VPN LogsActive Directory Logs
Application LogsALL OF THE LOGS?
Data retention? Do you have time? Do you know what to look for?
General Cyber Security Tips IT professionals
![Page 79: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/79.jpg)
![Page 80: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/80.jpg)
![Page 81: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/81.jpg)
Know when it’s appropriate to call for help with security/responseHave an expert on retainer
BackupsConduct them but also test them
Explore regular penetration testing to test your security controls
General Cyber Security Tips IT professionals
![Page 82: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/82.jpg)
Sona Makker, CIPP/US
Claire Gartland
Facebook, Privacy and Public Policy
![Page 83: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/83.jpg)
![Page 84: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/84.jpg)
Privacy Best Practices
Claire Gartland & Sona Makker
Facebook Privacy and Public Policy Team
![Page 85: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/85.jpg)
PRIVACY it's good for business
![Page 86: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/86.jpg)
knowledge
control
security
![Page 87: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/87.jpg)
5 Practical Tips for Getting Privacy Right
![Page 88: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/88.jpg)
#1Designate a "Privacy Advocate"
![Page 89: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/89.jpg)
#2Conduct a Data Audit
![Page 90: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/90.jpg)
understand the
Who? What? When? Where?
Why? How?of your data practices
![Page 91: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/91.jpg)
#3Build Trust Through Transparency
![Page 92: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/92.jpg)
give people the right information at the right time to make the choices that are
right for them
![Page 93: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/93.jpg)
![Page 94: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/94.jpg)
Avoiding surprisesMake sure people understand the audience they’re posting to.
![Page 95: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/95.jpg)
#4Protect What You Collect
![Page 96: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/96.jpg)
put users in control
respect expectations
be proactive, not reactive
Privacy by Design
![Page 97: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/97.jpg)
![Page 98: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/98.jpg)
#5Create a Culture of Privacy
![Page 99: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/99.jpg)
Privacy by Design in Practice
![Page 100: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/100.jpg)
The scenario
Your company is developing "LeafSpotter"—a mobile app to crowdsourceleaf peeping locations
Leaf Spotter
![Page 101: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/101.jpg)
Your TaskDesign the privacy interface for Leaf SpotterIntroduce users to features in a way that’s usable, intuitive, and simple
![Page 102: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/102.jpg)
Considerationswho are your users?
what do people expect?what data do you collect?
be transparent. avoid surprises.
give people control.
![Page 103: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/103.jpg)
Leaf Spotter Data Flowprivacy considerations
who can see mybio?
who can see my posts?does this use my location?
is this public on Leaf Spotter?
![Page 104: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/104.jpg)
Discussion1. What were some of the challenges?
2. How can you implement privacy best practices to build trust for your business?
![Page 105: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/105.jpg)
Thank you!
![Page 106: Today’s presenters€¦ · 20-10-2017 · Today’s presenters: Ryan Kriger, CIPP/US Office of the Vermont Attorney General Assistant Attorney General, Public Protection Division](https://reader035.vdocument.in/reader035/viewer/2022081402/5f0ff7957e708231d446c734/html5/thumbnails/106.jpg)