Daniel Cotter, attorney at Butler Rubin (http://www.butlerrubin.com/) examines the risk of cybersecurity and data theft by employees and contractors within an organization, and what you can do to prevent it, including:
What types of risks are presented by insiders and contractors?
How to effectively establish policies and procedures to decrease exposure to employee breaches and thefts?
How to effectively manage third party vendors and their access to your data?
How to design an effective privacy program?
How big a problem are employees and contractors to your data security?
For more information on Daniel Cotter, go to http://www.butlerrubin.com/attorneys/daniel-a-cotter/.
Insider Breaches and Data Theft by Employees and Contractors
1. Insider Breaches and Data Theft by Employees and Contractors
Clear Law Institute Webinar
October 27, 2016
Presenter:
Dan Cotter
dcotter@butlerrubin.com
312-696-4497
2. Agenda
Some Basic Numbers and Stats on Breaches
What Industries Impacted Most
Employees and Intentional/Unintentional
Contractors and Downstream Breaches
How to Minimize
Questions
3. Some Basics—Identity Theft Resource Center
http://www.idtheftcenter.org/2016databreaches.html
“The ITRC currently tracks seven categories of data loss
methods:
Insider Theft,
Hacking/Skimming/Phishing,
Data on the Move,
Subcontractor/Third Party/BA,
Employee error/Negligence/Improper disposal/Lost,
Accidental web/Internet Exposure, and
Physical Theft.”
6. Some sobering numbers from ITRC
2005 to October 14, 2016
Number of Breaches = 6,573
Number of Records = 880,651,559
7. Ponemon Institute LLC—Sixth Annual Benchmark Study on
Privacy & Security of Healthcare Data, May 2016
Figure 17. What was the root cause of the healthcare organization’s data
breach? More than one response permitted.
8. Industries Most Impacted by Breaches
2015 data (Baker Hostetler Data Security Incident
Response Report):
10. Headlines Abound
“Employees Are Leading Cause of Data Breaches”
Facility Executive, May 23, 2016
“Most government data breaches caused by employees, says
Verizon study”
Government Security News, April 25, 2014
“How To Prevent Employee-Caused Data Breaches”
Forbes Voices, KPMG, October 1, 2016
http://www.forbes.com/sites/kpmg/2016/10/01/how-to-prevent-employee-caused-data-breaches/#746fe4244995
“Employee Negligence Biggest Cause of Data Breaches”
http://www.claimsjournal.com/news/national/2015/05/14/263348.htm
15. Basic Questions
Do you leave your home doors unlocked at night?
Does your organization leave its doors unlocked?
Do you have a key code (if your car has one) that is 1234?
Do you make your valuables visible?
20. What Can You Do? PAT
(like point after touchdown in football):
P: Policies and Procedures
Password Protection
Physical Security
Access Rules (Internet, etc.)
BYOD
Suspicious Emails and Links
A: Awareness
Share Samples of Phishing
Tabletop
21. PAT (cont’d)
T: Training
Periodic
In Person?
Testing
After training
Periodic exercises to learn about employees’ knowledge, etc.
24. Poster Child for Vendor Chain
“HVAC vendor eyed as entry point for Target breach”
http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.html
25. “Hackers Lurking in Vents and Soda Machines”
http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html?_r=0
“‘We constantly run into situations where outside service providers connected remotely have the keys to the castle,’ said Vincent Berk, chief executive of FlowTraq, a network security firm.”
“‘It’s generally suppliers you would never suspect,’ Ms. Hallawell said.”
“Watering hole”
26. IOE (Internet of Everything)
Clothing to Fitbit,
Cars to houses,
Appliances, etc.
31. “Ensuring Vendors Aren't The Weak Link In Your Security Chain”
David Winters and Andy Foreman
(colleagues of mine)
Law360, New York (July 21, 2016, 11:31 AM ET)
Copy available at http://www.butlerrubin.com/wp-content/uploads/Ensuring-Vendors-Arent-The-Weak-Link-In-Your-Security-Chain.pdf
32. Comparison to Y2K
In late 1990s, Y2K GC for very large insurer
Spent $65 million on Y2K
Every contract had to be reviewed
Due diligence on vendor
Reps and warranties
Cyber?
33. Ponemon Institute LLC—Sixth Annual Benchmark Study on
Privacy & Security of Healthcare Data, May 2016
Figure 17. What was the root cause of the healthcare organization’s data
breach? More than one response permitted.
34. What Should You Be Doing?
Baseline Inventory of contracts
Inventorying and storage system
Establish Contract Management Policy
Contract Authority Matrix
Contract Review Protocol
Due Diligence Process
Review and Oversight
Audit and Rights
Model Language provisions
35. What are the top things you should be looking for when negotiating contracts?
Confidentiality
Indemnification
Reps and Warranties re
Privacy and Security
For consideration when appropriate:
Meeting Industry Standard Regulations
Publicity (Press); Business Referral Criteria
EU Data Transfer Mechanism
Responding to Data Subject Requests (EU)
Access to Data; Data Portability
End of Life / Data Destruction (with Attestation)
Responding to Legal Process
Personnel and Screening; Hiring Criteria
Personnel Removal from Engagement
Limits on Subcontractors
Limits on Outsourcing including Cloud Services
Information Security Program
Security or Privacy Officer
Security Minimum Bar
Specific Security Criteria: Encryption, Logging, Training
Incident Response (Program, Process, Visibility, Reporting)
Ongoing Monitoring
Third Party Certifications
Change Management
Audit
PCI
Remediation Obligation
Data Usage Limits
Data Analytics
36. Monitoring Vendor Performance
Vendor Management Program (with Documentation
for Vendors)
Vendor Performance Criteria
Data Classification
Options:
Attestation
Training Stats
Third Party Certification
Partial Audit
Full Audit
37. Laws to consider
US
EU
Additional Considerations When
Handling Consumer Information
38. Identifying Higher Risk Vendors
Sensitivity of Data
Documentation
Vendor Shell Companies
Market Reputation
Time in Business
Financial Health (Possible Criteria for Insurance)
Regulatory Findings
39. “Nth” party risk: 3rd, 4th, 5th party vendors
Some considerations, and where does it end?
Impose obligations on third parties that bind their subcontractors as well
Remember the weakest link
40. Contractors
Look at healthcare industry chart
Consider the Target breach
The Chinese takeout link
The Coke machine
41. How do you effectively minimize risks? REFER
R: Reputation evaluation
E: Evaluate plans, policies and procedures of 3rd parties
F: Financial assessment—financials, insurance, etc.
E: Establish clear expectations and contractual terms
R: Review performance
43. Security Breach Notification Laws
First one: California
Enacted 2002, effective 7/1/2003
47 states and the District of Columbia have one
Exceptions: Alabama, New Mexico, South Carolina
45. HIPAA/HITECH
The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”)
Signed into law as part of the American Recovery and Reinvestment Act of 2009
Expanded the scope of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and Security Standards (the “Security Rule”) (collectively, “HIPAA”).
46. HIPAA/HITECH
HIPAA requires notification by a Business Associate of certain breaches of unsecured Protected Health Information (“PHI”)
Protected Health Information (PHI) means Individually Identifiable Health Information that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium.
47. Gramm/Leach/Bliley Act
Enacted November 12, 1999
Applies to financial institutions
Required privacy notices:
Collected
Shared
How secured
Safeguards Rule
Written information security plan
Pretexting Protections
49. Workplace Privacy
Generally, very limited privacy rights in using company equipment
Exception: California
California Privacy Act (in the Penal Code):
“willfully and without the consent of all parties . . . reads or attempts . . . to learn the contents or meaning of any . . . communication . . . in transit . . . over any wire, line, or cable or is being sent from, or received at any place within this state . . . is punishable by . . . imprisonment”
50. Limited privacy:
BYOD
Computer/workstation
Email monitoring
Telephone
Audio/Visual
GPS
Mail (physical)
Social Media
Specific Workplace Areas
51. CONCLUDING THOUGHTS
Not if, but when
Employees and 3rd party contractors are a major source of breaches
PAT
REFER
Vigilance is key
Repeat it
Make it fun
Use real life situations to inform employees