Legal Aspects of Cybersecurity

Transcription

1 Legal Aspects of Cybersecurity John W. Mashni Taylor A. Gast (517) (517) Alexander A. Ayar (248)

2 Risks Data loss or theft Ransomware Phishing Regulatory compliance Internal risks 55% of incidents are due to threats from within the organization Denial of Service Hacktivism Cybercrime represents the 2 nd most reported economic crime, affecting 32% of organizations in $30: Average cost to purchase a Social Security Number Only 37% of businesses have a cyber incident response plan. 2

3 Anthem Breach Hackers infiltrated the second largest health insurance company, which operates insurance plans across the country. Malware retrieved the login credentials of an Anthem employee. The login was used to make database queries and collect Social Security numbers, birth dates, names and addresses, employment and income information, and contact addresses. 80 million past and current customers affected 3

4 Zaxby s Breach Restaurant chain was notified that many of its locations had been identified as common points of fraudulent charges. Forensic investigation found malware at more than 100 of its 560 locations in 10 states that extracted names, payment information. Corporate required all licensees to use a payment compliance service to install enhanced firewalls, system monitoring, and provide compliance services. 4

5 Scenario 1 Executive was on vacation and traveling in areas with limited cell service. On a Friday afternoon he checked his and found an urgent from the CEO asking for a document that included a list of all of the organization s employees and their personal information. He quickly replied to the and attached the document. After hitting send, he realized that something seemed wrong. He attempted to stop the , but he could not. He immediately followed up and learned that the CEO had not ed him. Someone has spoofed the CEO s . 5

6 Scenario 1 Issues Breach analysis Notification requirements Employees in multiple states Attorney General offices Credit reporting agencies Credit monitoring services requirement? Reputational harm Recourse against perpetrator? Employee? 6

7 Scenario 2 The owner of a small, but successful husband and wife design company arrived at the office on a Monday to find all of the files on their server inaccessible, with a.wallet extension. Upon attempting to open any file, a message popped up stating that their files would not open unless a ransom was paid in bitcoin. The message included an address to contact about the ransom and stated that the ransom would go up every day that the couple did not contact the ransomer. The couple had paid an IT provider to secure backups of their entire server, but the couple discovered that the backup software failed due to the IT-provider s incompetence. Furthermore, the services agreement with the IT provider did not allow for recourse against the provider. Virtually of the business s files were inaccessible and lost unless the ransom was paid. 7

8 Scenario 2 Issues Breach analysis Notice requirements? Unsettled legal issues Is the breach ongoing? How do you know who to give notice to? Pay the ransom? Remedy against the IT provider? Insurance 8

9 Scenario 3 Vendor and supplier have a supply contract for vendor to provide large mechanical parts to supplier. Supplier has paid vendor by check since the beginning of the relationship. Supplier receives from accounts payable individual at supplier and stating that checks will no longer be accepted as a form of payment only bank transfers will be accepted. Vendor s provides new bank wire information for future payments. Accounts payable individual accepts this as fact, and seeks approval for wire transfer of $500,000 for next payment. Two weeks later, vendor calls supplier and asks why the latest invoice has not been paid. Vendor refuses to ship any more products until invoice is paid. Supplier responds by stating that $500,000 was wired to vendor s new bank account. Vendor and supplier learn that was hacked and that $500,000 payment was never received by Vendor. 9

10 Scenario 3 Issues Breach analysis spoofing Who bears risk of loss? What law governs? Apparent authority Wire transfer protocols and policies 10

11 Proactive Steps Employee Training Policies and Procedures Assemble a Breach Response Team Practice Insurance Credit Monitoring and Service Contracts 11

12 Final Thoughts An incident will happen. We can help before and after. Build your team. Develop policies. Contact the proper service providers. Do not panic. 12

13 Thank you! Contact us anytime. John W. Mashni Taylor A. Gast (517) (517) Alexander A. Ayar (248)