Cyber security and fl data breach

Basic Cyber Security and the Florida Data Breach Law

Published in: Law

  1. CYBER SECURITY & FLORIDA’S DATA BREACH LAW: IT’S A BRAVE NEW WORLD
  2. Who are these Geeks? Rob Jackson, Randall Garner
  3. Before We Get Started . . . Quick Survey
  4. Outline of Presentation
     • Cyber Security is an Oxymoron
     • I’ve Been Hacked, Now What?
     • What Can You Do?
  5. Cyber Security is an Oxymoron
     • You’re kidding me, right?
     • You and your data will never, EVER, be 100% guaranteed safe online.
     • If connected, vulnerable.
  6. Cyber Security is an Oxymoron
     • Huge, rapidly growing problem
     • Now the No. 1 future business threat according to CEOs
     • 40% believe breaches are “unavoidable”
     • “Career-ending” risk
  7. Number of Breaches & Records (chart)
  8. Financial Damage from Attacks (chart)
  9. School Attacks since 2016: 356 since Jan 2016
  10. Schools Not Immune
  11. Even Your School . . .
  12. Resources on Educational Attacks
     • https://k12cybersecure.com/
     • https://www.databreaches.net/category/breach-reports/education-sector/
  13. Types of Attacks
     • Brute Force
     • DDoS
     • Ransomware
     • Phishing
     • Spear Phishing
     • Man in the Middle
  14. Types of Attacks – Brute Force
     • Guess your password
     • Exhaustive key search
     • Don’t use “password” or “123456”
     • Longer password = harder to break
     • Password = access = control
  15. Types of Attacks – DDoS
     • Distributed Denial of Service
     • “Take down” a target with massive traffic
     • Relies on the way the internet works
     • Botnets built through malware
     • Retailers primarily at risk
     • Education: reputational damage
  16. DDoS attack: traffic to overwhelm a website. Best case: slow. Worst case: down.
  17. Types of Attacks – Ransomware
     • Program that encrypts your files
     • Will send you the key for $$$$
     • Encryption is unbreakable
     • Holding your own data hostage
     • Pay or reinstall data
     • Working backups are critical
  18. Types of Attacks – Phishing
     • Fake emails
     • Designed to look reputable: logos, language, etc.
     • Get you to click on a link
     • Download malware: keylogger, ransomware, adware, etc.
  19. Types of Attacks – Spear Phishing
     • Specifically targeted fake email
     • Personalized to the victim
     • Some prior research (online)
     • Goal is the same: get you to click on a link
     • Download malware
     • Again, password = access = control
  20. Types of Attacks – Man in the Middle
     • Attacker in the “middle” of communications between two other people. Impersonation.
     • Can gather data or communications
     • Can watch and monitor, wait to take action
     • Dangerous: relies on trust
     • Financial departments: wire fraud
  21. Man in the Middle – Spear Phish (diagram)
  22. I’VE BEEN HACKED!!! NOW WHAT?
  23. I’ve Been Hacked, Now What?
     • Incident Response Plan
     • DOE Reporting Requirements
     • Florida’s Data Breach Law
     • Civil Liability
     • Reputational Damage
  24. Incident Response Plan
     • Contain the breach
     • Identify type and scope
     • Preserve evidence
     • Notify authorities or insurance as needed
     • Disclosure, if necessary
     • Lessons learned and training
  25. Disclosure Requirements – Generally
     • Often depends on whether data was accessed
     • Website hack: doubtful
     • Ransomware: doubtful
     • Phishing / spear phishing: depends
     • Server breach: depends
  26. DOE Reporting Requirements
     • FERPA does not require institutions to adopt specific security controls, but it does require the use of “reasonable methods” to safeguard student records (34 CFR § 99.31)
     • No disclosure requirement . . . for now
  27. Florida’s Data Breach Law
     • Passed in 2014
     • Florida Statute § 501.171
     • Not well known
     • Protects personal information of FL residents
     • Coverage includes government entities
  28. Personal Information includes:
     • First name or first initial and last name in combination with:
     • SSN
     • DL or ID card number issued by government and used to verify identity
     • Financial account numbers in combination with any required security code, access code, or password for access
     • Medical history or treatments
     • Health insurance policy number
     • Email in combination with a password or security question
  29. PI does NOT include:
     • Information made available to the public by a government entity
     • Encrypted info or data
     • De-identified info
  30. Florida’s Data Breach Law
     • Obligation to take “reasonable” measures to protect data
     • “Reasonable” measures to dispose of data
     • Fines by the State for violations
     • No private cause of action
  31. Florida’s Data Breach Law – Notice
     • Written notice to the Department (Legal Affairs) if a breach affects 500 or more individuals, not later than 30 days after discovery
     • Notice includes: 1. Synopsis 2. Number of persons affected 3. Breach-related protection being offered 4. Copy of notice to individuals, if required 5. Point of contact (POC)
  32. Florida’s Data Breach Law – Notice
     • Must also provide to the Department upon request: 1. A police report, incident report, or computer forensics report. 2. A copy of the policies in place regarding breaches. 3. Steps that have been taken to rectify the breach.
  33. Florida’s Data Breach Law – Notice
     • Notice to individuals whose PI was accessed is required
     • Seems to apply to even a single breach / person
     • UNLESS: after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed
     • Keep written records for 5 years
     • Notice to the Department still required if over 500
  34. Florida’s Data Breach Law – Fines
     • Treated as an unfair or deceptive trade practice
     • Action brought by the AG’s Office
     • Fines not to exceed $500,000 per breach
     • $1,000 / day for the first 30 days
     • $50,000 every month thereafter
     • Lesson: DON’T DELAY investigation and notice
  35. FL Data Breach Law – Bottom Line
     • Don’t forget about this statute
     • Detailed reading of the statute required to ensure compliance
     • Investigate promptly and provide notice as required
     • Maintain appropriate records of all actions
     • No case law or AG opinions yet
  36. I’ve Been Hacked, Now What?
     • Civil Liability
     • Reputational Damage
  37. What Can You Do?
     • Good IT department or consultant
     • Buy cyber insurance
     • Backups – test often
     • Good policies in place: wire fraud, financial, sensitive data
     • Employee training – KnowBe4, others
  38. Cyber Security & Data Breach: Questions?
