Cyber Intrusions and Security Breaches

Download Report

Transcript Cyber Intrusions and Security Breaches

SPEAKER INTRODUCTION
Josh M. Kantrow is a Partner at Lewis Brisbois who advises clients
on how to protect their intellectual property, trade secrets and
proprietary information from security breaches. Josh litigates a wide
variety of high-exposure, complex cyber, technology, computer-related
and professional liability matters throughout the United States.
Josh is an AV® Preeminent™ peer review rated lawyer by MartindaleHubbell, reflecting the highest peer recognition for both ethical
standards and legal ability, is a Chicago Top Rated Lawyer, and a
current Illinois “Leading Lawyer” for Commercial Litigation, Insurance
Law and Professional Liability.
Josh is active is pro-Israel causes and the Chicago Jewish Community
and has visited Israel many times. Josh co-founded and co-chaired
the American Israel Public Affairs Committee’s (AIPAC) Young
Leadership Council in Chicago. Over the past 12 years, the Young
Leadership Council has produced thousands of pro-Israel activists in
the Chicago area.
So You Want to Do Business in the United States:
Protecting Your Intellectual Property, Bottom Line and
Reputation from Cyber Intrusions and Security
Breaches
Josh Kantrow
Lewis Brisbois Bisgaard & Smith LLP
312.463.3445
[email protected]
OVERVIEW
• Background re digital risk explosion.
• What are the enterprise risks caused by internet
connectivity?
• What are the legal risks in the United States caused by
internet connectivity?
• What you can do to protect your bottom line and
reputation (or the bottom line and reputation of
companies in which you invest that do business in the
U.S.)?
BACKGROUND: DIGITAL RISK
EXPLOSION
• 99.9% of new information is stored digitally.
• Facebook collects an average of 15 TB of data every
day or 5000+ TB per year.
– That’s equivalent to the amount of paper stored in
the beds of 15 pickup trucks per day.
• Privacy breaches are occurring more often - more than
once a day.
– The average rate of publicly reported privacy
breaches has grown from about 5 per month in 2005
to a peak of about 60 per month in 2008.
– By 2009 the 5 year average was about 40 per
month.
BACKGROUND: OFTEN
OVERLOOKED SOURCES OF DATA
•
•
•
•
•
•
Photocopiers
Shredding machines
Flash drives
Smart phones
Tablets
Cloud storage
(Google Drive, DropBox, eDiscovery Systems, etc)
• Court Reporters - Audio/Video Tapes, Transcripts
BACKGROUND:
HOW DO BREACHES HAPPEN
•
Traditional “Hacking” – only one type of breach
– Number of Attacks Increasing & Sophistication of Attacks
Increasing
•
China (in some cases, state sponsored; recently China
Hackers hit big U.S. Media like the Wall Street Journal and
New York Times)
•
Eastern Europe
•
Africa
– The security firm Mandiant estimated that 80 major U.S. law
firms were hacked in 2011.
– Action Items:
•
Improve Network Security Policies/Procedures
•
Encryption of Sensitive Information
•
Penetration Testing
•
Breach Response Plan and Testing
ENTERPRISE RISKS: OVERVIEW
•
•
•
•
•
•
•
Theft of IP/Proprietary information/business secrets
Stolen customer information
Negligence
Social media/e-publishing
Bad technology and software
Business interruption
Vendor negligence or fault
ENTERPRISE RISKS: THEFT OF IP
• Data breaches where there is theft of IP, proprietary
data, confidential business secrets, etc.
• China and other countries actively stealing and
attempting to steal such information.
• IP can be stolen not just from hacking into the target
company’s computer systems but via the vendors (i.e.
professional service providers like law firms, accounting
firms, etc.) that do work for them.
• In fact, it’s often easier to do it this way.
ENTERPRISE RISKS:
STOLEN CUSTOMER INFORMATION
• Data breaches, where customers personal information
(health, financial, employment records, social security
numbers, credit card information, etc.) is stolen.
ENTERPRISE RISKS:
DATA BREACHES VIA NEGLIGENCE
• Data breaches via negligence (i.e. leaving a laptop or a
smart phone in a coffee shop or on a bus).
• In fact, negligence is responsible for about 70% of all
breaches, while network hacking or a malicious breach
only responsible for 30%.
ENTERPRISE RISKS: SOCIAL MEDIA
• Many employers and their employees engage in social media of
some sort – a corporate blog, Twitter, Facebook, LinkedIn, etc.
• Employer use of social media can lead to privacy defamation,
trade libel, trademark infringement, and copyright infringement
claims.
• Recent study shows that only 40% of corporate directors and
general counsel at public companies believe their company has
a good handle on the risks associated with social media.
• Only 39% of companies even have a social media policy.
• If properly tied to an overall internet and email policy, a
comprehensive social media policy can be used to help reduce
defamation, trade libel, trademark infringement, and copyright
infringement claims.
ENTERPRISE RISKS: BUSINESS
INTERRUPTION
• Technology/Systems/software that don't work as
planned
• Computer malfunction or attack
• Can lead to massive business interruption claims
ENTERPRISE RISKS:
VENDOR/BUSINESS PARTNER ISSUES
• 30-40% of all breaches are caused by vendors
(litigation support, offsite storage, disaster recovery,
mail room, shredding service, cleaning service).
• Must have contracts that shift liability to vendor
(defense and indemnity).
ENTERPRISE RISKS: LACK OF
ACTION BY COMPANIES RE CYBER
EXPOSURE
• Recent studies show that data security was the number
one concern of directors and general counsel at public
companies.
• 33% of GCs believe their board is not effective at
managing cyber risk.
• Yet only 42% of companies had a crisis management
plan in place.
LEGAL RISKS
• Explanation of federalism system of government in the
U.S.: State v. Federal powers
• State government efforts: new laws and regulations
• Federal (U.S. government) efforts: new laws and
regulations
• Common law: class actions
• Trends
LEGAL RISKS: EXAMPLE
• Stolen IP and lack of digital risk management
safeguards can lead to large shareholder derivative
claims against directors and officers and other claims
for large companies.
• Cyber claims can put small companies out of business.
• Wall Street Journal ran a series last year about the
number of small companies who filed for bankruptcy or
suffered significant financial losses due to the costs of
responding to data breaches.
LEGAL RISKS: STATE LAW
• State Laws and Trends
– 46 States with Breach Notification Laws
– Attorney General/Other Agency Notification
LEGAL RISKS: FEDERAL LAWS
PROTECTING PERSONAL INFORMATION
•
F.A.C.T.A. “Red Flag” Rule: Rules that require financial institutions and
creditors to develop and implement written identity theft prevention programs.
•
H.I.P.A.A. Security Rule: Require appropriate administrative, physical and
technical safeguard to insure confidentiality, integrity and security of electronic
protected health information.
•
H.I.T.E.C.H. Law: Extends the scope of HIPAA requirements to the business
associates of covered entities. This also expands the regulations to include
mandatory breach notifications, heightened enforcement, increased penalties
and patient rights.
•
Gramm-Leach-Biley Act: Requires financial institutions to have in place
standards which protect the security of the their banking customers’ nonpublic
information.
•
I.T.E.R.A.: The Identity Theft Enforcement and Restitution Act amends the
federal criminal code to authorize criminal restitution orders in identity theft
cases.
LEGAL RISKS: FTC
ENFORCEMENT IS ON THE RISE
• Since 2005, the FTC has settled dozens of cases
against companies for issues ranging from failure to
safeguard private information to failure to comply with
their own privacy policies.
• Not even small “do good” firms escape the FTC’s reach.
LEGAL RISKS: COMMON LAW
CAUSES OF ACTION - OVERVIEW
• Malpractice
• Negligence
• Breach of fiduciary duty
• Fraud
LEGAL RISKS: DECEPTIVE TRADE
PRACTICES AND CONSUMER PROTECTION
LAWS
Violation of Deceptive Trade Practices or Consumer
Protection Laws:
• Communications/Web Site Privacy Policy or other
materials viewed or received by plaintiff caused
plaintiff to believe that his/her information would be
kept private.
• Plaintiff was misled, provided the information, and
was deceived because the information was not kept
private.
• Frequently sought because a prevailing plaintiff
recovers treble damages and attorneys’ fees.
LEGAL RISKS: FRAUD
• Material misrepresentation by defendant (that
information would be kept private) induced plaintiff to
provide private information, reasonably believing that it
would be kept private.
• Plaintiff was damaged because the information was not
kept private.
LEGAL RISKS: EU
PLANS NEW CYBERSECURITY RULES
• The Wall Street Journal recently reported that the EU is
considering enacting laws and regulations that would
require search engines, energy providers, banks, transit
hubs, stock exchanges and other companies must
report disruptions and breaches to government
authorities.
• The WSJ further reported that “In the U.S., a White
House backed bill, which would have established a
voluntary regime of cybersecurity standards developed
by private industry, was blocked by Republican
lawmakers in August.”
LEGAL RISKS: CYBER LITIGATION
TRENDS
– Privacy/Security Breaches
• Avoiding Spoliation
• Jurisdiction
• Motions to Dismiss
• Class Certification and Settlement
– Technology Errors & Omissions
• Vendor Contracts
– Cyber Media Liability
• Social Media
• Email Publishing
LEGAL RISKS: COST OF A
DATA BREACH: TANGIBLE
COSTS
Legal Fees
$100,000
Customer Notification
$10,000
Public Relations
$20,000
Credit Monitoring
$50,000
Customer Demands
• Reimbursement
$300,000
Forensic Investigation
$25,000
Total
$505,000
Insurable Costs
$505,000
(Less any applicable Deductible)
INTANGIBLE COSTS
• Loss of Customer Goodwill/Trust
• Loss of Future Revenues Due to Reputation Damage
• Employee Downtime
PROTECTING YOUR BOTTOM LINE AND
REPUTATION: STEPS FOR COMBATING
BREACHES
•
Technical Steps:
– Strong and complex passwords & encryption
– Monitoring software
– Bottom-up security approach – allowing employees access
to the required set of resources to perform their job function
– Regular Implementation of security patches and updates
– Threat assessments
a. Proactively look for potential risks
b. Review logs proactively
c. Intrusion / penetration testing
d. Independent testing of security protocols
PROTECTING YOUR BOTTOM LINE
AND REPUTATION: RISK MANAGEMENT STEPS
•
Risk Management Steps:
 Evaluate Breach Exposure as an Enterprise Risk
 What Policies/Procedures Protect Network and
Sensitive Information?
 Form Breach Response Team
• Stakeholders
• Internal Communication
• External Communication
• Compliance
• Brand/Reputation Protection
 Periodically Test Breach Response and Revise as
Warranted
PROTECTING YOUR BOTTOM LINE AND
REPUTATION: RISK MANAGEMENT STEPS
Pre-Breach
Response
Planning
• Identify
Stakeholders
• Establish
Analysis and
Communication
Protocols
• Evaluate
Vendor Needs
Remediation
and Recovery
Procedures
• Human
Resource
Involvement
• Testing (DRP)
Incident
Analysis
• Breach
Containment
• Damage
Determination
• Legal Analysis
• Communication
Incident
Disclosure
• Analyze
Requirements
(State and Fed
Considerations)
• Consider All
Notification
Methods
• Third Party
Vendors for
Notification and
PR(?)
• Roll Out
Notifications
Over Time
Loss
Mitigation
• Insurance
Remedies
• Credit
Monitoring
• Public
Relations
• Customer
Retention
Plans
• Implementation
of IT Upgrades
Communication
&
Remediation
• Public
Relations
• Ongoing
Marketing
Efforts
• IT as part of
the Ongoing
Solution
• HR
Involvement
TBD
PROTECTING YOUR BOTTOM LINE AND
REPUTATION: RISK MANAGEMENT STEPS
•
Before the Data Security Incident
–
–
–
–
–
–
•
During the Incident (Conducting an Investigation)
–
–
–
–
–
•
Plan and prepare
Recognize that regulators expect compliance
Incident response plan
Workforce security awareness training
Annual privacy/security risk assessment
Identify resources needed to respond to an incident
Implement incident response plan
Document everything
Manage internal and external communications (Know who to notify)
Mitigate harm to affected persons
Work cooperatively with regulators
After the Investigation Concludes
–
–
–
–
GAP analysis
Fix identified problems
Update the incident response plan based on lessons learned
Incorporate lessons learned into training
PROTECTING YOUR BOTTOM LINE:
EVOLUTION OF CYBER INSURANCE
Past
Present
Future
Internet and
e-commerce
Identity Theft and
Privacy Regulations
Social Media,
Cloud
Computing,
Expanded BI,
Additional
Regulation
February 21, 2013
31
PROTECTING YOUR BOTTOM LINE AND
REPUTATION: CYBER LIABILITY MARKETPLACE
• Evolution of Cyber Insurance
• Some companies offer business interruption cover:
positive development
• Who is in the Hot Seat?
• Risk Management and Underwriting Considerations
PROTECTING YOUR BOTTOM LINE: OUR EXISTING
INSURANCE PROVIDES ENOUGH COVERAGE−ARE YOU
SURE?
• Ok for existing limits to be eroded by a data breach?
− If you aren’t purchasing more than you need, a data
breach claim could leave you bare if you have the
type of claim for which the coverage was purchased.
PROTECTING YOUR BOTTOM LINE: OUR EXISTING
INSURANCE PROVIDES ENOUGH COVERAGE−ARE YOU
SURE?
•
What isn’t covered by traditional policies?
− Non-client claims, including claims stemming from bots, spyware
and other malware on your system without your authorization.
−Responding to regulatory inquiries.
−Complying with state breach notification laws, including providing
notice to regulators and potentially impacted individuals.
−Credit monitoring.
−Public relations costs incurred in connection with a breach response.
−Correcting risk control deficiencies that may have contributed to a
breach.
−Managing relationships with privacy regulatory/law enforcement
authorities.
−Your vicarious liability for your vendor’s breach.
−Theft of laptops, Blackberries, iPhones, USB drives etc.
PROTECTING YOUR BOTTOM LINE:
OUR EXISTING INSURANCE PROVIDES ENOUGH
COVERAGE−ARE YOU SURE? COST OF A DATA BREACH
• Reputational damage−lost client trust/loyalty
Symantec study results:
−85% would only want to do business with companies
that haven’t had a breach.
−82% would warn others not to do business with a
company that had a breach.
PROTECTING YOUR BOTTOM LINE AND
REPUTATION: RISK MANAGEMENT AND
UNDERWRITING CONSIDERATIONS
• Target of Choice or Opportunity?
• Facebook and LinkedIn
• Smart phones: Health care providers/PHI; Business/Proprietary
Info
• Basic Issues
– Employee awareness and training
– Password security − Administrator too!
– Avoid using/keeping PII and PHI absent need
– Limit use of PII to only those who need it
– Paper records
– Adopt defenses to known attack methods
– Coverage gaps in traditional policies
• Media: Does coverage follow you where you publish?
QUESTIONS?
Josh M. Kantrow
Lewis Brisbois Bisgaard & Smith LLP
312.463.3445
[email protected]