In this presentation, Mr. Fleck provides an introduction to the cybersecurity, data protection, and good governance issues you must consider if your company collects any data from employees or customers.
1. Get your CyberEbola Vaccine NOW!
It’s no longer IF your customer or employee data will be hacked; it’s WHEN.
While you are waiting for the program to begin, take the 5-minute pre-quiz!!
You can find it in the attached materials.
2. David L. Fleck, Esq.
• White Collar Crime Prosecutor
  • 10 Years
  • Los Angeles District Attorney’s Ofc.
  • 53 jury trials
• Private Practice
  • Fraud and Cybersecurity
  • Prevention and Litigation
• Key Expertise
  • Communicating complex material to students, juries, and clients
  • College Professor – Civil Litigation
David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - David@RudoyFleck.com, (818) 268-5929 2
3. AGENDA: Preparing for a Cyber Attack
Part 1
State of CyberSecurity in Business Today
Part 2
Case Studies and the Law
Part 3
Action Items
4. 1) State of Cyber Security in Business Today
5. Top Hacks of 2015
6. Known Breaches Per Month (source: HackMaggeddon.com)
Aug-14 – 72
Sep-14 – 69
Oct-14 – 87
Nov-14 – 80
Dec-14 – 73
Jan-15 – 91
Feb-15 – 85
Mar-15 – 70
Apr-15 – 87
May-15 – 89
Jun-15 – 58
Jul-15 – 74
935 known data breaches in 12 month period
7. Effect on Breached Companies
US$3,800,000.00*
US$154.00 per stolen record
*Does not include megabreaches like Target ($148M).
8. Exception: Healthcare Companies
• Average cost per stolen record: US$363
• Medical records are most valuable
  • Easy to get – many hospitals use old software
  • Used to create fake profiles to:
    • Buy medical equipment for resale
    • File false claims with Medicare
  • Long shelf life – can’t replace like credit card
  • Bundle of 10 medical records – US$4700
• Utah Medical Group: 1000s of attempts/week
9. Direct Costs of Breach
• Investigating the cause of the breach
• Fixing the breach
• Setting up hotlines for customers
• Free credit monitoring for victims
• Legal costs
10. Indirect Costs of Breach
• Loss of business because of wary customers
• Loss of reputation and customer loyalty
• Marketing expenses to redevelop goodwill
11. 2) Case Studies and the Law
12. The Houstonian Hotel
• Luxury hotel in Houston, Texas
• George HW Bush used Hotel as his voting residence in 1980s
• By founder of Browning-Ferris Industries
• Marketed as destination “for business executives trying to shed pounds and rediscover their inner velociraptor.”
13. The Breach
• Lasted 6 months
• Possibly affected 10,000 customers; actual number unknown
• Credit card POS devices
• NOT detected by hotel
• Notified by Secret Service
14. Impact
• Customers angry about delayed notice
• Direct costs
  • “forensic investigators”
  • New POS system
  • Credit monitoring
  • No lawsuit (yet?)
  • 10,000 X $154 = $1,540,000
• Marketing
  • Rebuild trust
  • Rebuild brand loyalty
15. Lessons Learned from Houstonian Breach
1. CIO/CISO must develop a strategy to detect data breaches.
  • If caught early, less damage.
2. Give notice to affected customers as soon as possible.
  • Possible reasons for delay:
    • Criminal investigation
    • Want to develop strategy before announcing breach
  • Anticipate breach and plan ahead
16. PNI Digital Media
• Founded in 1995
• Operates on-line photo websites
• Operates photo centers in:
  • Walmart Canada
  • Sam’s Club
  • CVS
  • Costco
  • Rite Aid
• Owned by Staples since 2014
17. The Breach
• Third-party vendor breach
• Data includes:
  • Names
  • Addresses
  • Email Addresses
  • Phone Numbers
  • Credit Card Numbers & Verif. Codes
  • Passwords
• “Breach Window” – July & Aug. 2015
• Number of Customers Unknown
18. Impact
• Loss of All Major Clients
  • Probably Enough to Destroy Company
• But it gets worse…
  • CLASS ACTION LAWSUIT!!
  • The Settlement will be Six Figures At least
  • Plus attorney’s fees
  • Even a weak case will cost at least US$1,000,000.00!
19. Lessons Learned from PNI Media Breach
1. Do your Cyber Due Diligence on the data security strategies of your 3rd Party Vendors.
2. Do your Cyber Due Diligence on the data security strategies of companies you acquire. (Consider: Experian)
3. Troubles don’t end when you fix the breach.
4. Your breach strategy should include plans for business continuity after breach.
5. Data Breaches are expensive.
Will PNI survive?
20. Settlements
Company – Records – Data Exposed – Settlement
AvMed – 1 Million – SSNs and Medical Records – $3.1M
Stanford University – 20,000 – Medical Records – $4.1M
Schnucks (grocery) – 2.4 Million – Credit Cards – $2.1M
Vendini (ticketing system) – 3 Million – Credit Cards – $3M
Sony (PlayStation) – 77 Million – Login Credentials, Credit Cards – $5M
LinkedIn – 6.4 Million – Login Credentials – $1.25M
Sony Pictures – 50,000 – $8M
Target – 40 Million – Credit Cards – $67M
21. Causes of Action: sets of facts sufficient to justify a right to sue
1. Negligence
2. Breach of Implied Contract
3. Breach of Contract
4. Bailment
5. Violation of State Statute About Privacy
6. Unjust Enrichment
T.A.N., an individual v. PNI Digital Media, Inc.
22. NEGLIGENCE: Requires a Duty to Act/Not Act
• Duty to exercise reasonable care in safeguarding/protecting info.
• Duty to design, maintain, and test security systems and take other reasonable security measures to secure personal information
• Duty to implement processes to detect breaches
• Duty to make timely disclosure of breach
23. SOURCES OF DUTY (Part One)
• COMMON LAW
  • Reasonable Care: the degree of caution an ordinarily prudent and rational person would exercise.
  • Consider:
    1. Foreseeable likelihood of breach
    2. Foreseeable severity of harm
    3. Burden of taking precautions
24. SOURCES OF DUTY (Part Two)
• State Statutes
  • PNI – Georgia
  • Sony – California & Virginia
• US Statutes
  • HIPAA – Medical Data
  • COPPA – Children’s Data
• International Agreements
  • US-EU Safe Harbor Frameworks
  • APEC Privacy Framework
25. Examples of Negligence from Lawsuits
• Failure to develop and implement adequate security protections
• Ignoring recommendations of employees and consultants
• Misleading consumers about level of security
• Not having or not following cybersecurity protocol
• Executives and Board Members uninformed on issue of cybersecurity
• Taking too long to give notice to customers about breach
26. 3) Action Items
27. Personally Identifiable Information (PII)
“Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”
• First name or initial plus last name and any of the following:
  • SSN
  • Date of Birth
  • Financial Numbers
  • Medical Record
• Definition varies from state to state
28. STEP 1: Survey Your Employees
• Data Landscape in Your Company
  • What data does your company collect from employees, customers, vendors, etc.?
  • How is the data used?
• Security Measures
  • What security measures and procedures are in place?
  • Who has access to the data?
  • What security measures do your competitors, affiliates and vendors have in place?
29. STEP 1: Survey Your Employees
• Weak Points
  • Employee Access?
    • Who has access to the data?
    • Who needs access to the data?
    • How do you verify the ID of the employee before they access the data?
  • External Threats
    • Hackers
    • Dumpster Divers
  • Third-Parties
    • Vendors
    • Acquired Companies
30. STEP 2: Survey the Law
• Which Privacy Statutes Apply to your Industry?
  • Medical Record Statutes – Health Insurance Portability and Accountability Act (HIPAA), Medical Information Privacy and Security Act (MIPSA)
  • Financial Privacy Laws – Right to Financial Privacy Act, Dodd-Frank Act, Gramm-Leach-Bliley Act
  • Privacy of Children – Children’s Online Privacy Protection Act (COPPA)
  • Consumer Privacy Laws
  • Statutes in your State or Country
  • International Statutes and Agreements
• What requirements do the statutes impose on your company?
31. STEP 3: Develop your Company Policies
• Before a Breach
  • Provide Notice to Customers of Privacy Protections (if required by law)
  • Implement multi-layered strategy to prevent breach
  • Establish procedures to detect data breaches
  • Purchase CyberInsurance
    • Look first at your Commercial General Liability (CGL) policy
    • If CGL has data breach exclusions, purchase “cyber” insurance as needed.
32. STEP 3: Develop your Company Policies
• In Preparation for a Breach
  • Draft a Data Breach Response Manual
  • Develop Breach Chain of Command and Crisis Communication Channels
  • Create Plan to Document details of the breach and its discovery
  • Develop Plan to preserve documentation
  • Develop a relationship with law enforcement
  • Develop plan for giving notice to customers whose data was affected
33.
1. A data breach is almost inevitable in today’s business world
2. The cost can be devastating
3. Preparation can:
  1. Reduce the likelihood of breach
  2. Reduce your liability
  3. Ensure that your company continues to exist
3Q14
July 2014 – Total Bank, The Houstonian Hotel (10,000 customers), PharmaNet (1600, health data), NASDAQ, MyCause.Com.Au (Australian charity, 12,000), Lask0 (metal products, waited 3 yrs to report)
Aug 2014 – bitcoin, USIS (US Defense Contractor), Vibram (3rd Party Hosting), TheNaturalOnline.com, Community Health Systems (4.5 million – health info), UPS (7 months long), Otto Pizza in Portland, OR, Dairy Queen, Fappening
Sept. 2014 – Home Depot (56 Million), Bartell Hotels (45,000), Cal State University, Yandy.com (women’s clothing), Japan Airlines (750,000), Grady High School (Atlanta),