CYBERSECURITY: Proactively Protecting Data and Responding to Data Breaches (slide deck, Vorys, Sater, Seymour and Pease LLP, 2016; file author: bjalston)

Page 1

© Copyright 2016, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers.®

CYBERSECURITY: Proactively Protecting Data and Responding to Data Breaches

Lisa Pierce Reisz

614.464.8353 | [email protected]

Brian J. Donato

614.464.8207 | [email protected]

Presented By:

Vorys, Sater, Seymour and Pease LLP

Page 2

Agenda Today

› Making the business case for breach prevention.

› What we can learn from history.

› Basic controls to protect data.

› What to do if a breach happens.

Page 3

MAKING THE BUSINESS CASE

Page 4

Data Security is a Mission-Critical Priority

Data breach prevention and mitigation is a C-Suite issue, not just an IT issue.

Page 5

Government Agencies are NOT Immune to Data Breaches

› South Carolina Department of Revenue

› Georgia Secretary of State

› California Department of Social Services

› Utah Department of Health

› California Department of Child Support Services

› United States Bureau of Justice Statistics

› City of Springfield

› United States Navy & DHS

› Wisconsin Department of Revenue

› NASA

› New Hampshire Department of Corrections

› Department of Veterans Affairs

› Arizona Department of Public Safety

› U.S. Office of Personnel Management

› U.S. Postal Service

› National Oceanic and Atmospheric Administration

› U.S. State Department

› Montana Department of Health and Human Service

Page 6

10 Things To Know About Cyber Risks in Public Entities

1. The per capita cost of a data breach to the public sector is $172.00 per record.

-- “2014 Cost of Data Breach Study: United States,” Ponemon Institute

Page 7

10 Things To Know About Cyber Risks in Public Entities (cont’d)

2. Public sector entities have the highest estimated probability of having a data breach (which could be attributed to the amount of confidential and sensitive information they store and collect).

-- “2014 Cost of Data Breach Study: United States,” Ponemon Institute

Page 8

10 Things To Know About Cyber Risks in Public Entities (cont’d)

3. Government was the second highest industry reporting data breaches in 2012. Factors include:

• Employee errors.

• Malicious insider attacks.

• Outside attacks, including hacktivism and cyberespionage.

-- “Data Breaches in the Government Sector,” Rapid7

Page 9

10 Things To Know About Cyber Risks in Public Entities (cont’d)

4. The average annualized cost of cybercrime to the public sector was $8.5 million in 2014.

-- “2014 Cost of Cybercrime: United States,” Ponemon Institute

Page 10

10 Things To Know About Cyber Risks in Public Entities (cont’d)

5. At least 47 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted breach notification statutes and regulations.

-- Insurance Information Institute’s 2014 Cyber Risk Report

Page 11

10 Things To Know About Cyber Risks in Public Entities (cont’d)

6. Educational organizations had 3.2 million records exposed and accounted for 9 percent of the 614 publicly disclosed data breaches in 2013.

-- Insurance Information Institute’s 2014 Cyber Risk Report

Page 12

10 Things To Know About Cyber Risks in Public Entities (cont’d)

7. Data breaches in the government/military sector accounted for 11.7 percent of U.S. breach incidents in 2013.

-- Identity Theft Resource Center

Page 13

10 Things To Know About Cyber Risks in Public Entities (cont’d)

8. Only 10 percent of current public sector clients add cyber protection to existing insurance policies.

-- Travelers Public Sector Services

Page 14

10 Things To Know About Cyber Risks in Public Entities (cont’d)

9. More than 94 million records containing PII were exposed by breach incidents in government agencies between January 2009 and May 2012.

-- “Data Breaches in the Government Sector,” Rapid7

Page 15

10 Things To Know About Cyber Risks in Public Entities (cont’d)

10. A 2014 survey of public risk managers and other public officials found that only 40 percent of the 236 survey participants said their public entity had purchased cyber liability insurance. Twenty-five percent were unsure whether their public entity has cyber liability insurance.

-- Travelers Public Sector Services

Page 16

Don’t Repeat the Mistakes of the Past . . .

Page 17

A Few Notable Breaches in Government Space

Page 18

South Carolina

› September 2012

› Department of Revenue

› Initial cause of breach – Phishing Campaign

› Incomplete encryption practices

Page 19

Oregon

› February 2014 – Secretary of State.

› Hackers breached website.

› Accessed business registry and campaign finance records.

› Site down for multiple weeks while remediation steps were investigated.

Page 20

Georgia

› October 2015 – Secretary of State.

› SSN and DL # inadvertently added to public voter file.

› File was regularly distributed via CD to multiple public sources.

Page 21

Office of Personnel Management

› 2015, or earlier.

› Nation-state actor, possibly the same group that hacked Anthem.

› Issues with maturity of security staff.

› Lack of data inventory.

› Remote access issues.

› Advanced persistent threat not detected.

Page 22

Basic Controls to Protect Data

Page 23

NIST and Controls

› NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

› Families of controls which can be tailored to the size and complexity of the IT environment.

Page 24

Process for Risk Assessment

› Asset inventory

› Data classification

› Understanding of potential threats, vulnerabilities and mitigations

› Formal vulnerability scanning

Page 25

Data Security

“Data Security” (or information security) is generally defined as:

“the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”

– ISO/IEC 27002:2005, Information Technology – Security Techniques – Code of Practice for Information Security Management (June 2005)

Page 26

Identification and Authentication

› Unique credentials for each user

› Multifactor authentication

› Restrictions on remote access

Page 27

Access Control

› Approval process for access to systems

› Least privilege access

› Method for removing access no longer needed.
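The three bullets above are the checks an access review actually runs: is each account still owned by someone on the roster, does it hold only the roles the approval process recorded, and has it been used recently enough to justify keeping it. The script below is an added example, not code from the deck; the HR roster, approvals register, account export, dates and the 90-day idle threshold are all constructed for illustration.

```python
"""Access review: reconcile one system's accounts with the HR roster and
an approvals register. Added example, not code from the Vorys deck; all
names, roles, dates and the 90-day idle threshold are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed inputs (hypothetical users, roles and dates).
HR_ROSTER = {"alice", "bob", "carol"}           # people currently employed
APPROVED_ACCESS = {                             # roles an approver signed off on
    "alice": {"reader"},
    "bob": {"reader", "admin"},
    "carol": {"reader"},
}
REVIEW_DATE = date(2016, 4, 1)                  # day the review is run


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset
    last_login: Optional[date]                  # None means never logged in


ACCOUNTS = [
    Account("alice", frozenset({"reader"}), date(2016, 3, 1)),
    Account("bob", frozenset({"reader", "admin"}), date(2016, 3, 2)),
    Account("carol", frozenset({"reader", "admin"}), date(2015, 11, 1)),  # admin never approved; idle
    Account("dave", frozenset({"reader"}), date(2016, 2, 20)),             # no longer on the roster
    Account("svc_backup", frozenset({"admin"}), None),                     # service account with no owner
]


def review_accounts(accounts, roster, approvals, today, stale_days=90):
    """Return (user, finding) pairs. An empty list means the system is clean.

    orphaned          account has no current owner in HR: remove it
    unapproved_roles  roles granted beyond what the approval process recorded
    stale             no login within stale_days: access probably no longer needed
    """
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        if acct.user not in roster:
            # Service accounts trip this too: every account needs a named owner.
            findings.append((acct.user, "orphaned"))
            continue
        extra = acct.roles - approvals.get(acct.user, set())
        if extra:
            findings.append((acct.user, "unapproved_roles:" + ",".join(sorted(extra))))
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.user, "stale"))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_accounts(ACCOUNTS, HR_ROSTER, APPROVED_ACCESS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

On the constructed data the review flags dave and svc_backup as orphaned, and carol both for an admin role nobody approved and for being idle; alice and bob are clean. In a real environment the roster comes from HR, the approvals register from the ticketing system and the account export from each application or directory, and the review is repeated on a schedule rather than run once.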

Page 28

Configuration Management

› Ensure consistent security controls are in place on all machines.

› Management of patching.

› Baseline configurations for a variety of situations.

› Restricted rights – local administration.

Page 29

Media Protection

› Restricted access.

› Policy, practices on encryption.

› Secure destruction, reuse.

Page 30

Security Assessment and Authorization

› Penetration testing.

› External/internal audits.

› Evaluation and remediation of control effectiveness.

Page 31

Awareness and Training

› Both initial and ongoing training.

› Information on detecting and responding to current threats.

› Reinforcement of policies and procedures.

› Especially important – phishing.

Page 32

Audit and Accountability

› The right devices are auditing and logging the right events.

› The right eyeballs are reviewing audit results and logs.

› Logs are protected from tampering.
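The last bullet is the one attackers care about most: once inside, the first thing they edit is the log. One standard way to make that visible is to chain each record to the previous one with a keyed hash, so that altering or deleting any entry breaks every later link. The example below is added here and is not code from the deck; the key, the event lines and the genesis value are constructed, and the design assumes the key is held by a separate log collector, not by the host that writes the events (a key on the logging host could simply be used to recompute the chain).

```python
"""Tamper-evident audit log: HMAC hash chain over log records.

Added example (not from the Vorys deck). Each record's tag covers the
previous record's tag, so editing or deleting an entry breaks every
later link. The key belongs to the log collector, not the logging host,
so an attacker who owns the host cannot recompute the chain. Log lines,
key and genesis value are constructed for the example.
"""
import hashlib
import hmac

KEY = b"collector-side-secret-constructed-for-example"   # constructed; keep off the logging host
GENESIS = hashlib.sha256(b"genesis").digest()             # fixed starting tag

# Constructed sample events in the order they were written.
EVENTS = [
    "2016-03-01T09:12:03Z sshd login user=alice src=10.0.0.5 result=success",
    "2016-03-01T09:15:40Z sudo user=alice cmd=/usr/bin/less /var/log/auth.log",
    "2016-03-01T09:16:02Z sshd login user=root src=203.0.113.9 result=failure",
    "2016-03-01T09:16:05Z sshd login user=root src=203.0.113.9 result=success",
]


def _link(prev_tag: bytes, record: str) -> bytes:
    """Tag for one record: HMAC over the previous tag and the record text."""
    return hmac.new(KEY, prev_tag + record.encode(), hashlib.sha256).digest()


def build_chain(events):
    """Return a list of (record, hex tag) pairs chained from GENESIS."""
    prev = GENESIS
    chain = []
    for rec in events:
        prev = _link(prev, rec)
        chain.append((rec, prev.hex()))
    return chain


def verify_chain(chain):
    """Return the index of the first record whose tag does not verify, or -1 if intact."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(chain):
        expected = _link(prev, rec)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1


def demo():
    """Show the chain catching an edit and a deletion.

    Returns (intact_result, edited_result, deleted_result):
    -1 for the untouched chain, then the index at which each tampered copy fails.
    """
    chain = build_chain(EVENTS)
    intact = verify_chain(chain)
    # An intruder rewrites the successful root login to look like a failure.
    edited = list(chain)
    edited[3] = (edited[3][0].replace("result=success", "result=failure"), edited[3][1])
    # An intruder deletes the failed root attempt entirely.
    deleted = chain[:2] + chain[3:]
    return intact, verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(demo())
```

On the constructed events `demo()` returns `(-1, 3, 2)`: the untouched chain verifies, the edited fourth record fails at index 3, and deleting the third record makes the entry that slides into its place fail at index 2. Truncating the end of the log is the one thing a chain alone cannot show, which is why collectors also record the latest tag off-host at intervals (or simply ship every line over an authenticated channel as it is written).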

Page 33

Incident Response Planning

› Creation of a plan/process that includes:

• preparation,

• detection and analysis,

• containment,

• eradication,

• recovery.

› Should consider a wide variety of incidents.

Page 34

Breach Response

Page 35

Data Breach

Just ask Target . . .

Data breaches should be treated as a “when,” not an “if” proposition.

Page 36

Goals of Breach Response Plan

1. To reduce the risk of unauthorized data access; and

2. To mitigate the damage caused if a breach occurs.

Page 37

Incident Happens – Immediate/Simultaneous Demands

› Customers/Employees

› Containment/Remediation

› Payment Card Brands

› News Media/Bloggers

› Forensic Investigators

› Major Stakeholders

› Class Action Lawsuits

› Risk Management

› Training/Re-Training


Page 38

Target Breach


Page 39

Timeline of Incident (November 2013 to February 2014)

› Two months earlier: Target certified PCI DSS compliant.

› 11/27/13: Hackers start capturing data through malware.

› 12/12/13: Target gets call from the feds of suspicious activity.

› 12/15/13: Target confirms internally.

› 12/18/13: Containment; Krebs breaks story.

› 12/19/13: Target works until 3 am and issues press release at 7 am: 40 million payment cards (indicates no PINs stolen). Seven class action lawsuits filed (40 by year end).

› 12/24/13: Target learns encrypted PINs also stolen; issues press release.

› 12/26/13: Wait time for call center is 45 minutes.

› 1/10/14: Target issues press release on the 70 million.

› 1/13/14: Target issues a full apology.

› 2/4/14: Target’s CFO testifies before Congress.

Page 40

Coordinating Response

Timeline chart from 0 to 1 year and beyond (columns: 1st 24 Hours, 24–72 Hours, 1st Month, 1st Year, Beyond) with these parallel workstreams:

› Internal Investigation | Containment | Involvement of EMRT

› Class Actions | AG & Regulatory Investigations

› PR | Other External Communications | Call Centers

› Contractual External Notifications

› Calls to Payment Card Associations | Negotiation of Assessments

› Forensic Review

› Testify before Congress

› Remediation

Page 41

Types of Breaches: Advanced Persistent Threat

Lifecycle shown on the slide:

1. Define target.

2. Research target infrastructure, employees or vendors to obtain legitimate credentials.

3. Build or acquire tools.

4. Identify weaknesses in applications and architecture.

5. Test for detection.

6. Deployment.

7. Initial intrusion.

8. Establish backdoor.

9. Move laterally to expand access.

10. Exfiltrate data.

11. Cover tracks and remain undetected.

Page 42

Phase One


Page 43

The First 24 Hours

› Core Team determines if this is an Event or an Incident

› Activate your Incident Response processes

› Determine form and type of data, source of data, potential size of incident

› Containment of breach and preservation of forensic evidence

Page 44

Identification of Incident

› Importance of Incident Response Processes

• Escalation is key

• Containment and preservation of forensic evidence

› Fine-tune criteria for “Incident”

› Update network diagrams, including

• Types of data

• Where remote access is possible

• Touchpoint with POS network


Page 45

The First 24 Hours

› Start Advising Internally

• Members outside of Core Team and others who may be necessary

• Advise appropriate Board Members

• General Counsel has a Special Role

• Communications

• Information Owner (e.g. Marketing, HR)

› Start Internal Investigation


Page 46

The First 24 Hours – Internal Communications

› Educate on Privilege/Non-Privilege Issues

› Train to the Incident Response Processes to establish consistency in response

• Coordinate to avoid silo mentality

› Refine Post-Incident Review Process

› Start with an inventory of critical systems and sensitive data applications


Page 48

Phase Two


Page 49

The First 24-72 Hours

› Make initial notifications as required (e.g., payment card associations, card processor and acquiring bank if payment card data is involved)

› Contact U.S. Secret Service

› Select and activate PFI (PCI Forensic Investigator)

› Activate Independent Forensic Investigator

› Submit Standardized Initial Report to Payment Card Associations


Page 50

Preparing to Respond to Payment Card Association Processes

› Have contact information readily available for credit card processor, acquiring bank and Payment Card Associations and determine who is responsible for making the contact

› Enter into MSA now with two PCI Forensic Investigators for prompt activation later

› Legal selects and negotiates MSA now with Independent Forensic Investigator

• Outside counsel will engage when Incident occurs


Page 51

Preparing for Vendor Issues

› Collect/review all contractual relationships with vendors having remote access to any portion of Client’s network

• Review data security obligations

• FTC imposes liability for actions of vendors

• Review “reasonableness” of selection process, contractual requirements and monitoring of vendors


Page 53

Phase Three


Page 54

First Month – External Communications

› Statutory Notifications

› Press Releases

› FAQs Across all Media – Websites and Social Media Pages

› Risk Management – Insurance

› Daily Calls with Payment Card Associations

Page 55

First Month – Internal Communications

› Immediately before initial external communication:

• Notify Client’s associates and include “Help Line” number for questions

• Consider notification to major shareholders

› Prepare scripting for customer calls to Call Center

› Prepare scripting for associate calls to Help Line


Page 56

First Month – External Communications

We learn from others’ experiences

› First and most important: Protect the Customer and make them whole

• Ensure communications are accurate, timely and focused on protecting the customer

› Protecting the customer protects the brand

› Balance timely notice against avoiding premature notice

• Target’s Facebook page: “You all lied again!!! Was 70 million. Wow.”

Page 57

External Communications

› Determine who will be the “Face” of the Company and prepare messages

• Target’s Facebook page: “I love Target and know this can happen anywhere, but it’s nice that he finally said ‘sorry’.”

› Assign responsibility for monitoring comments on social media pages and possible response

Page 58

How We Prepare for Other Communications

› Prepare management for interviews: Financial Media, Popular Media, Congress

› Prepare now for early release of story by blogger

› Determine use of external or internal call center

Page 59

First Month – Investigations/Lawsuits/Remediation

› FTC/CFPB Investigations Commence.

• Was there “reasonable” security?

• What was the business purpose for collecting or retaining the data?

› Office for Civil Rights (Health and Human Services) if PHI involved.

› Securities and Exchange Commission.

› State AG Investigations Commence.

› Class action lawsuits filed.

› Remediation plans must be started.


Page 60

How We Prepare for Investigations

› Start creating a document now of the “reasonable” security measures Client uses

› Consider known hacker attacks and measures currently taken to address those

› Review timing and content of notifications to consumers to avoid AG claim of failure to timely notify

› Determine Client’s status as covered entity under HIPAA


Page 62

Phase Four


Page 63

First Year and Beyond: More to Come

› Review and finalize Forensic Report to Payment Card Associations (3–9 months)

• Work with PFI on results and wording, in order to insulate Client

• Independent Forensic Investigator is an integral part of negotiating the result

• Remediation plan is to be submitted within 5 business days of the final Forensic Report

Page 64

First Year and Beyond: More to Come (cont’d)

› Ongoing negotiations of assessments with Payment Card Associations (1–2 years)

› Responding to document demands and inquiries from regulatory investigations; meetings and negotiations (1–2 years)

› Addressing class actions

Page 65

Immediate Recommendations

Page 66

Immediate Recommendations

› Negotiate forensic investigator contracts

› Refine Incident Response Processes

› Evaluate imperatives of external communications

› Prepare “reasonable” security measures to document now and regularly update

› Determine call center expansion issues and negotiate contracts, if that is the determination

› Plan awareness training at all levels

› Implement regular tabletop exercises for Core Team and some of expanded team

• Plan method and content of internal communications
