Daniel Cotter, attorney at Butler Rubin (http://www.butlerrubin.com/) examines the risk of cybersecurity and data theft by employees and contractors within an organization, and what you can do to prevent it, including: What types of risks are presented by insiders and contractors? How to effectively establish policies and procedures to decrease exposure to employee breaches and thefts? How to effectively manage third party vendors and their access to your data? How to design an effective privacy program? How big a problem employees and contractors are to your data security? For more information on Daniel Cotter, go to http://www.butlerrubin.com/attorneys/daniel-a-cotter/.

1. Insider Breaches and
Data Theft by Employees
and Contractors
Clear Law Institute Webinar
October 27, 2016
Presenter:
Dan Cotter
dcotter@butlerrubin.com
312-696-4497

2. Agenda
 Some Basic Numbers and Stats on Breaches
 What Industries Impacted Most
 Employees and Intentional/Unintentional
 Contractors and Downstream Breaches
 How to Minimize
 Questions

3. Some Basics—Identity Theft Resource Center
http://www.idtheftcenter.org/2016databreaches.html
“The ITRC currently tracks seven categories of data loss
methods:
 Insider Theft,
 Hacking/Skimming/Phishing,
 Data on the Move,
 Subcontractor/Third Party/BA,
 Employee error/Negligence/Improper disposal/Lost,
 Accidental web/Internet Exposure, and
 Physical Theft.”

4. Some sobering numbers from ITRC
 2005 to October 14, 2016
 Number of Breaches =
 Number of Records =

5. Some sobering numbers from ITRC
 2005 to October 14, 2016
 Number of Breaches = 6,573
 Number of Records =

6. Some sobering numbers from ITRC
 2005 to October 14, 2016
 Number of Breaches = 6,573
 Number of Records = 880,651,559

7. Ponemon Institute LLC—Sixth Annual Benchmark Study on
Privacy & Security of Healthcare Data, May 2016
 Figure 17. What was the root cause of the healthcare organization’s data
breach? More than one response permitted.

8. Industries Most Impacted by Breaches
 2015 data (Baker Hostetler Data Security Incident
Response Report):

9.  EMPLOYEES

10. Headlines Abound
 “Employees Are Leading Cause of Data Breaches”
 Facility Executive, May 23, 2016
 “Most government data breaches caused by employees, says
Verizon study”
 Government Security News, April 25, 2014
 “How To Prevent Employee-Caused Data Breaches”
 Forbes Voices, KPMG, October 1, 2016
http://www.forbes.com/sites/kpmg/2016/10/01/how-to-prevent-
employee-caused-data-breaches/#746fe4244995
 “Employee Negligence Biggest Cause of Data Breaches”
 http://www.claimsjournal.com/news/national/2015/05/14/26334
8.htm

11. You’re Only as Strong as Your….

13. Most Common Passwords

14. Passwords
http://www.telegraph.co.uk/technology/2016/01/26/most-common-passwords-
revealed---and-theyre-ridiculously-easy-to/

15. Basic Questions
 Do you leave your home doors unlocked at night?
 Does your organization leave its doors unlocked?
 Do you have a key code, if car has one, that is 1234?
 Do you make your valuables visible?

16. Phishing

17. Not easy to determine what is legit—Phishing

18. Another Example

19. Whale Phishing = Whaling

20. What Can You Do? PATPAT
(like point after touchdown in football):
 PPolicies and Procedures
 Password Protection
 Physical Security
 Access Rules (Internet, etc.)
 BYOD
 Suspicious Emails and Links
 AAwareness
 Share Samples of Phishing
 Tabletop

21. PATPAT (cont’d)
 TTraining
 Periodic
 In Person?
 Testing
 After training
 Periodic exercises to learn about employee’s
knowledge, etc.

22.  CONTRACTORS AND
DOWNSTREAM BREACHES

24. Poster Child for Vendor Chain
 “HVAC vendor eyed as entry point for Target
breach”
 http://money.cnn.com/2014/02/06/technology/secu
rity/target-breach-hvac/index.html

25. “Hackers Lurking in Vents and Soda Machines”
 http://www.nytimes.com/2014/04/08/technology/the-
spy-in-the-soda-machine.html?_r=0
 “‘We constantly run into situations where outside
service providers connected remotely have the
keys to the castle,’ said Vincent Berk, chief
executive of FlowTraq, a network security firm.”
 “‘It’s generally suppliers you would never suspect,’
Ms. Hallawell said.”
 “Watering hole”

26. IOE (Internet of Everything)
 Clothing to Fitbit,
 Cars to houses,
 Appliances, etc.

29. Redux: You’re Only as Strong as Your…

31.  “Ensuring Vendors Aren't The Weak Link In Your
Security Chain”
 David Winters and Andy Foreman
(colleagues of mine)
 Law360, New York (July 21, 2016, 11:31 AM ET)
 Copy available at http://www.butlerrubin.com/wp-
content/uploads/Ensuring-Vendors-Arent-The-
Weak-Link-In-Your-Security-Chain.pdf

32. Comparison to Y2K
 In late 1990s, Y2K GC for very large insurer
 Spent $65 million on Y2K
 Every contract had to be reviewed
 Due diligence on vendor
 Reps and warranties
 Cyber?

33. Ponemon Institute LLC—Sixth Annual Benchmark Study on
Privacy & Security of Healthcare Data, May 2016
 Figure 17. What was the root cause of the healthcare organization’s data
breach? More than one response permitted.

34. What Should You Be Doing?
 Baseline Inventory of contracts
 Inventorying and storage system
 Establish Contract Management Policy
 Contract Authority Matrix
 Contract Review Protocol
 Due Diligence Process
 Review and Oversight
 Audit and Rights
 Model Language provisions

35. What are the top things
you should be looking
for when negotiating
contracts?
 Confidentiality
 Indemnification
 Reps and Warranties re
Privacy and Security
For consideration when appropriate:
Meeting Industry Standard Regulations
Publicity (Press); Business Rereferral Criteria
EU Data Transfer Mechanism
Responding to Data Subject Requests (EU)
Access to Data; Data Portability
End of Life / Data Destruction (with Attestation)
Responding to Legal Process
Personnel and Screening; Hiring Criteria
Personnel Removal from Engagement
Limits on Subcontractors
Limits on Outsourcing including Cloud Services
Information Security Program
Security or Privacy Officer
Security Minimum Bar
Specific Security Criteria: Encryption, Logging, Training
Incident Response (Program, Process, Visibility, Reporting)
Ongoing Monitoring
Third Party Certifications
Change Management
Audit
PCI
Remediation Obligation
Data Usage Limits
Data Analytics

36. Monitoring Vendor Performance
 Vendor Management Program (with Documentation
for Vendors)
 Vendor Performance Criteria
 Data Classification
Options:
Attestation
Training Stats
Third Party Certification
Partial Audit
Full Audit

37.  Laws to consider
 US
 EU
Additional Considerations When
Handling Consumer Information

38. Identifying Higher Risk Vendors
 Sensitivity of Data
 Documentation
 Vendor Shell Companies
 Market Reputation
 Time in Business
 Financial Health (Possible Criteria for Insurance)
 Regulatory Findings

39. “Nth” party risk—3rd
, 4th
, 5th
party vendors
 Some considerations and where does it end
 Impose obligations on third parties to abide with
their subcontractors
 Remember weakest link

40. Contractors
 Look at healthcare industry chart
 Consider the Target breach
 The Chinese takeout link
 The Coke machine

41. How do you effectively minimize risks? REFERREFER
 RReputation evaluation
 EEvaluate plans, policies and procedures of 3rd
parties
 FFinancial assessment—financials, insurance, etc.
 EEstablish clear expectations and contractual terms
 RReview performance

42. What Happens If You Have a Breach?

43.  First one California
 Enacted 2002, effective 7/1/2003
 47 states and District of Columbia
 Alabama, New Mexico, South Carolina
Security Breach Notification Laws

44. Industry Specific
 Healthcare:

45.  The Health Information Technology for Economic and
Clinical Health Act (the “HITECH Act”)
 Signed into law as part of the American Recovery
and Reinvestment Act of 2009
 Expanded the scope of the Health Insurance
Portability and Accountability Act of 1996 and its
implementing regulations, including the Standards
for Privacy of Individually Identifiable Health
Information (the “Privacy Rule”) and Security
Standards (the “Security Rule”) (collectively,
“HIPAA”).
HIPAA/HITECH

46.  HIPAA requires notification by a
Business Associate of certain
breaches of unsecured
Protected Health Information (“PHI”)
 Protected Health Information (PHI) means
Individually Identifiable Health Information that is
transmitted by electronic media; maintained in
electronic media; or transmitted or maintained in
any other form or medium.
HIPAA/HITECH

47.  Enacted
November 12, 1999
 Applies to financial
institutions
 Required privacy
notices:
 Collected
 Shared
 How secured
 Safeguards Rule
 Written information security plan
 Pretexting Protections
Gramm/Leach/Bliley Act

48. HR and Privacy Laws

49.  Generally, very limited privacy rights in using company
equipment
 Exception: California
 California Privacy Act
 In penal code
 willfully and without the consent of all parties . . .
reads or attempts . . . to learn the contents or
meaning of any . . . communication . . . in
transit . . . over any wire, line, or cable or is
being sent from, or received at any place within
this state . . . is punishable by . . . imprisonment
Workplace Privacy

50. Limited privacy:
 BYOD
 Computer/workstation
 Email monitoring
 Telephone
 Audio/Visual
 GPS
 Mail (physical)
 Social Media
Specific Workplace Areas

51. CONCLUDING THOUGHTS
 Not if, but when
 Employees and 3rd
party contractors
major source of breaches
 PAT
 REFER
 Vigilance is key
 Repeat it
 Make it fun
 Use real life situations to inform employees

52. Questions
???????

53. Insider Breaches and Data Theft by
Employees and Contractors
Clear Law Institute Webinar
October 27, 2016
Presenter:
Dan Cotter
dcotter@butlerrubin.com
312-696-4497