Dealing Data Leaks: Creating Your Data Breach Response Plan

© benefitexpress 2016
Cyber Security and Data
Breaches
Larry Grudzien
Attorney at Law

Recent High-Profile Data Breaches
•Suspected North Korean hackers
•Data included personal information about Sony Pictures
employees and their families, e-mails between employees,
information about executive salaries at the company, copies of
unreleased Sony films, and other information.
•The hackers called themselves the “Guardians of Peace” and
demanded the cancellation of the planned release of the film The
Interview, a comedy about a plot to assassinate North Korean
leader Kim Jong-un.
Sony: November 2014

•Suspected Chinese hackers.
•Nation's second largest health insurer.
•Names, addresses, social security numbers, birth dates, and
other information from 80 million customers and employees.
•Thieves used information to rack up $40,000 in credit card
charges for some customers.
Anthem: January, 2015

•In June 2015, OPM announced that it had been the target of a
data breach targeting the records of as many as four million
people.
•Later, FBI Director James Comey estimated 18 million
•Breach has been described by federal officials as among the
largest breaches of government data in the history of the U.S.
Office of Personnel Management (U.S. Government): April, 2015

• Information targeted included SSNs, names, dates and places of birth, and
addresses
• Also likely involved the theft of detailed security-clearance-related
background information
• And even 5 million fingerprints
• On July 9, 2015, the estimate of the number of stolen records was increased
to 21.5 million
• Soon after, Katherine Archuleta, the director of OPM, and former National
Political Director for Barack Obama's 2012 reelection campaign, resigned
Office of Personnel Management (U.S. Government): April, 2015

•Suspected Russian hackers
•70 million customers
•Name, address, phone number and e-mail address.
•After the data breach was discovered, Target offered one year of
free credit monitoring and identity theft protection to all customers
who shopped in U.S. stores
•Access through 3rd party vendor (HVAC)
•Shows importance of 3rd party control as well
Target: December, 2013

High Level Technical Overview
•General Overview
•How do you approach advising your employer on
cybersecurity?
•What does the threat landscape look like now?
•What resources are out there to help you?
General Overview

Anywhere there is a device consisting of hardware
and software, typically with an internet connection
What can be hacked?

• Cyber Security: the protection of information systems from theft or damage to the
hardware, the software, and to the information on them, as well as from
disruption or misdirection of the services they provide
• Data Breach: the intentional or unintentional release of secure information to an
untrusted environment
• Cloud: the practice of using a network of remote servers hosted on the Internet to
store, manage, and process data, rather than a local server or a personal computer
• Phishing: the attempt to acquire sensitive information such as usernames,
passwords, and credit card details (and sometimes, indirectly, money), often for
malicious reasons, by masquerading as a trustworthy entity in an electronic
communication
Define Applicable Terms

• Encryption: the process of encoding messages or information in such a way that
only authorized parties can read it
• Botnet: (also known as a zombie army) a number of Internet computers that,
although their owners are unaware of it, have been set up to forward transmissions
(including spam or viruses) to other computers on the Internet
• Patch: a piece of software designed to update a computer program or its supporting
data, to fix or improve it. This includes fixing security vulnerabilities
• Two-Factor Authentication: a security process in which the user provides two
means of identification from separate categories of credentials; one is typically a
physical token, such as a card, and the other is typically something memorized,
such as a security code
Define Applicable Terms

• Federal Trade Commission, “Start with Security” guidance to businesses
(https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf).
This is generic guidance drawn from the FTC’s recent enforcement cases. It’s fairly simple
and written in non-technical language, but it provides some insight into what one group of
federal regulators are thinking is (or should be) the standard of care for a business.
• NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/). This document
was developed through a lengthy consultation process with industry; it is meant to provide a
general approach to cybersecurity, and to point businesses toward the relevant existing
standards. In many industry contexts, it is becoming the de facto “standard of care.”
• NIST Recommendations (http://csrc.nist.gov/publications/PubsSPs.html). These
documents are more detailed and technical recommendations developed through the NIST
collaborative process with industry. The “800” series are particularly important in
cybersecurity. The documents are designed for use by IT professionals responsible for
implementing a company’s cybersecurity program.
Additional Resources on Cyber Security and Data Breach Topics

• Verizon Data Breach Report (DBIR) (http://www.verizonenterprise.com/DBIR/) is
annual analysis of cyber threats as reflected in actual data breaches and security
incidents. The report looks at anonymized data submitted by a broad range of law
enforcement agencies, private companies, and cybersecurity providers.
• Steptoe & Johnson Cyberlaw Podcast (http://www.dhs.gov/topic/cybersecurity-
information-sharing). Weekly podcast put out by a group of lawyers at Steptoe.
They provide a good summary of case law, policy developments, and legislation
relating to cyber, data breach, privacy, national security, etc.
• DHS Information Sharing resources: DHS supports a number of information
sharing initiatives. You can find summary information here:
http://www.dhs.gov/topic/cybersecurity-information-sharing.
Additional Resources on Cyber Security and Data Breach Topics

100% Prevention is Not Possible
•Lose credibility if you state (or think) otherwise
•Critical to recognize the reality
•Three kinds of entities:
Have been hacked
Will be hacked
Have been or will be, but just don’t know it (or don’t admit it)

Standard of Care
A standard of care is developing:
NIST
DOJ Guidelines
Homeland Security
Critical to be – and stay – ahead of the curve

Government Involvement
•FBI: FBI InfraGard
•U.S. Secret Service: Electronic Crimes Task Force
(ECTF)
•Entities organized by state or local authorities
Federal Law Enforcement

•SEC
•DOJ
•FTC
•Homeland Security
Federal Agencies

• US Congress passed the Cybersecurity Act of 2015, and President Barack
Obama signed the measure into law on December 18, 2015
• The Act of 2015 aims to defend against cyberattacks by creating a
framework for the voluntary sharing of cyber threat information between
private entities and the federal government, as well as within agencies of the
federal government
• The legislation also aims to protect individuals’ privacy rights by ensuring that
personal information is not unnecessarily divulged
• Companies are permitted to monitor and operate defensive measures on
both their own information systems as well as those of others with written
authorization
Federal Legislation

• Entities are encouraged to implement and utilize security controls to protect against
unauthorized access to or acquisition of cyber threat indicators or defensive
measures
• Companies may share threat indicators and defensive measures with the federal
government, but they must institute appropriate security controls and remove
personal information not directly related to the reported cybersecurity threat
• Liability protections are available for companies choosing to share information
provided they implement the proper controls
• Private entities may also share threat indicators and defensive measures with other
private entities; again, personal information must be removed and security controls
should be in place
Federal Legislation

•49 states
•Different definitions of “breach”
•Different requirements re notification of government officials, law
enforcement, etc.
•Different requirements re notification of customers
•Different requirements as to what data elements must be
disclosed in notifications
State Regulations

Federal: NIST Framework, Exec. Order effect on
regulatory agencies.
Specific agency interest
SEC
FTC
FCC
Sector agencies
Report on Status of Regulatory Rulemaking

Information Sharing Among Stakeholders, Government Agencies, Etc.
Report on general status
Government contractors and subcontractors have different
obligations than other entities

3rd Party Vulnerability and Efforts to Control
•Target Breach Was Through an HVAC Vendor
•Questionnaires/Interviews re Data Security Practices
•Audits re Same

Who are the Hackers?
•Nation States (North Korea, China, Russia, other?)
•Criminal Groups
•“Patriotic hackers”
•Terrorists/ISIL
•Even Teenagers

What are Their Motivations?
Money is the usual driver
But not always
See Ashley Madison (morality was the driver?)
Ransom scams are common

Data Breach Litigation
•Recent General Counsel article predicting “Wave of data
breach litigation”
•Recent 7th Circuit case re Standing in Data Breach
cases. (Remijas v. Neiman Marcus Group, 794 F.3d 688
(2015))
•Class Action Cases Against Target, Anthem, Sony, etc.

Commercially Available Products and Services
High level, publically available discussion of prior work for DOD and
Intelligence Community:
 Booz Allen Hamilton
 Verizon Communications
Cyber products and services available from Booz Allen Hamilton:
 Threat analyses (pre-breach): vulnerability testing and recommendations for mediation.
 Cyber4Sight® Services: Predictive intelligence service help clients prepare for future
attacks – information/reports on threat-actor activities and trends.
 Post-cyber incident threat mitigation
 Workforce skills assessment and cyber training.
 Analytics of risks, threats, and opportunities for companies, government, and executive
clients.

Commercially Available Products and Services
Products and services available from Verizon:
Managed Security Services
Forensic Response
Rapid Response Retainers
Government partnerships (ECS)

Suggested Best Practices
Critical for:
 Post-breach litigation
 Government inquiries/investigations (SEC, DOJ, FTC, state regulators, etc.)
 Response to media inquiries/public opinion/ investors/corporate executives
Plan should include:
 Identify and protect critical assets (not necessarily “everything”)
 Experienced external counsel and forensic experts retained in advance:
 No delay for conflict checks
 Expert advice to help develop the plan (make sure have backup of critical data
and ability to log event traffic)
 Expert advice available as soon as breach is detected
 After hours/weekend response already negotiated
Must have a carefully constructed response plan in place BEFORE the crisis hits

Law enforcement contacts developed in advance:
FBI InfraGard
USSS ECTF
Others
Media Response Plan:
Single point of contact
Recognize investigation and recovery takes time – OPM, etc.

• Dissemination of Information to Board of Directors:
 Critical – Boards are beginning to be held accountable
 Boards need to understand that this is no longer just a low level IT issue
 Boards need to understand the extent and importance of efforts to prevent, monitor,
detect and mitigate
• Dissemination of Information to Investors
 Critical that Investor Relations Dept. understands and is prepared for investor inquiries
and notifications post-breach
• Notification of Customers:
 Currently governed by 49 different state laws
 Plus a host of international rules and regulations for global customers

•War Games/Simulations:
 Good practice for the real thing
 Also shows awareness, seriousness and taking responsibility in advance
of a breach
•Engage “White Hat” Hackers:
 Run “Bug Bounty” programs
•Insurance products:
 Liability coverage may not cover these breaches
 May have obtain separate insurance policy

Contact
Larry Grudzien
Attorney at Law
708-717-9638
larry@larrygrudzien.com
larrygrudzien.com

Dealing Data Leaks: Creating Your Data Breach Response Plan

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Dealing Data Leaks: Creating Your Data Breach Response Plan

Similar to Dealing Data Leaks: Creating Your Data Breach Response Plan (20)

More from benefitexpress

More from benefitexpress (20)

Recently uploaded

Recently uploaded (20)

Dealing Data Leaks: Creating Your Data Breach Response Plan