Taming the Data Breach Beast... because we all know it will happen. John Tomaszewski Seyfarth Shaw January 2015

Transcription

1 Taming the Data Breach Beast... because we all know it will happen John Tomaszewski Seyfarth Shaw January 2015

2 Data Breaches Scope of the Problem 2015 Seyfarth Shaw LLP 2

3 What Causes Breaches? Glitch or Vulnerability Service Provider 26% 33% 44% Criminal/Malicious Includes intentional employee conduct Denial of Service Malicious Insider Virus Laptops/Devices: Theft/Loss Employee Negligence Sending information to wrong person Improper destruction 2015 Seyfarth Shaw LLP 3

4 Creating the Foundation for a Good Security Governance Structure Safeguards Administrative Technical Procedural 4

5 Defense In Depth InfoSec Layers Prevention What most people focus on Avoids the compromise in the first place Detection Prevention will NOT be 100% effective Catch early, catch often A high false positive rate isn t necessarily a bad thing Verification This is to ensure the two functions above are working Response Stop the bleeding Fix the underlying problem 5

6 Breach Management - What do you need? Incident Management Plan (Security protocol ) Identify if a Breach happened Determine Scope Determine Cause Develop Remediation Provide Notice (if needed) Manage Communication/PR Resources People Tech Platform Executive Management Support 6

7 Resources (You can t run a plan without them) People Incident Manager Impacted Line-of-Business representative IT Admin resources IT Security resources (not the same as above) Legal Senior Management (able to make decisions but NOT the CEO) Corporate Communications Technical Log analyzers Database query tools IDS/IPS reporting Packet tracing tools etc. Platform Always-open conference bridge Operations Center 7

8 Strategic - How To Identify a Breach You know you will have one, but will you know when you have one? Compromise the Security Confidentiality, or Integrity Personal Information SSN, Driver s License Number, or other unique identifier First name or initial with last name financial account number Protected Health Information etc. 8

9 Tactical - How To Identify a Breach Where has the data gone? Somewhere it shouldn t? Any data (not just personal data) Process trigger should be low (e.g. FAA mid air collision rule) Any format (not just server/ network intrusion) Laptop lost USB memory stick lost Smartphone stolen Paper files thrown out Uploaded to wrong database ed to wrong client Somewhere in the wrong way? Plaintext HTTP headers with account numbers Unencrypted file transfers 9

10 Tactical Is it a Security Breach? What kind of data? Personal data Trade secret data Confidential information (financials, contract negotiations, etc.) Who got it? Wrong employee Wrong client Wrong vendor Bad guy Where did it go? Wrong database Wrong transmission medium (e.g. ) 10

11 Tactical Is it a Security Breach? Is there a law requiring notice? 46 State security breach notice laws (Plus D.C. and most protectorates) Gramm-Leach-Bliley HIPAA International Law What triggers the law? Harm v. Access statutes Definition of Personal Information Encryption safe harbors Good Faith acquisition by employees or agents Non-Legal, Reputational Risk If event is on the front page of the WSJ or NYT 11

12 Scope of Breach Parallel Inquiry What kind of data? (Personal, sensitive, health, etc.) Who got It? What laws apply? Often needed to determine who you have legal obligations to 12

13 Cause of Breach Caused by Company? Error an incorrectly designed process operating as designed Mistake a correctly designed process incorrectly operated Caused by Someone Else? Hack third party bad guy (but don t forget the malicious insider) Vendor mistake/error Determining cause Generally highly technical Takes time Takes resources 13

14 Taming the beast Step 1 1. Fix the problem Both stop the bleeding and root cause analysis Correct errors Mitigate possibility of mistakes Action steps: Identify impacted systems & processes Communicate, Communicate, Communicate Identify impacted data Inventory controls Implement countermeasures Redesign for errors Training for employees (usually the weakest link), address mistakes All this requires budget and prioritization 14

15 Taming the beast Step 2 2. Provide notice Determine who to notify each will have a different analysis Law Enforcement Part of the investigative process May need support to pursue bad guys Timing should be based on purpose of notice (legally required or engaged in prosecution) Impacted individuals Communicate scope and cause clearly Show Company s steps to protect the individual Avoid sky is falling legalese Make sure all the facts are straight Clients Similar to individuals Generally more immediate (they want to be a part of the management process) Opportunity to mitigate risk 15

16 Step 2. Providing notice continued Timing of notice Law enforcement during investigation Data subjects or clients after investigation (maybe after remediation) Content of notice Some state laws have requirements Corporate Communications input control the story 16

17 Taming the beast Step 3 3. Post Mortem Risk assessment Avoid future breaches Identify unmitigated risks Justify budget 17

18 Questions? John Tomaszewski, Senior Counsel Houston (713)