Data Breach and Incident Response

Transcription

1 Data Breach and Incident Response Erin Sheppard, Partner, Dentons Steve Kopeck, Assoc. Mng. Dir., Cyber Security and Investigations, Kroll Hayden McKaskle, Director, Cyber Security and Data Breach Notification February 9, 2017

2 Agenda Introductions Data Breach Statistics & Trends Data Breach Laws & Regulations Incident Response Planning Stakeholder coordination Key questions to consider Sample framework Questions 2

3 Data Breach and Incident Response Data breach remains one of the single hottest issues at both State and Federal levels. Perfect storm of media, regulators and legislators focused on this issue that are substantially amplifying the legal, economic and reputational risks of harm that companies face. Class action lawyers have also picked up the scent and routinely file class action litigations related to these breaches, especially in California where the bar for surviving a Motion to Dismiss may be lower than elsewhere. 3

4 Data Breach and Incident Response Some very scary facts: There were 1,093 (known) Data Breaches recorded by the Identity Theft Fraud Resource Center in This is 40% more breaches than in In 2016, the business sector had the highest percentage of breach incidents (45%). The medical/healthcare second came in second (34%) and the banking/credit/financial sector experienced the lowest percentages (4.8%). Source: "Data Breach Reports, Identity Theft Fraud Resource Center", Year End Report

5 There are only two types of companies: those that have been hacked and those that will be. Fmr. U.S. Attorney General Eric H. Holder, Jr. 5

6 The Costs of Data Breaches are On the Rise $217 per record Average cost of a data breach is $6.53 M per incident In 2015, Gov't Agencies accounted for 77.2 Million records lost Source: CSIdentity, Statistics,

7 Recent High-Profile Breaches Multiple Major Providers 270 million user names and passwords from Yahoo, Hotmail, and G-mail (discovered in May 2016) Yahoo announced a separate 500 million accounts compromised (September 2016) Government Agency Breaches In February 2016, the IRS announced that a breach announced in May 2015 affected over 700,000 tax payers. The incident is thought to have been caused by Russian-based criminal operations Federal Deposit Insurance Corporation malware incident discovered during investigation of 2015 breach (160,000 individuals affected) Healthcare Breaches MedStar Health, Inc. ransomware incident in March st Century Oncology (2.2 M patients) Source: IdentityForce Resource Center, The Biggest Data Breaches in

8 High Profile Government & Government Contractor Breaches January 2017 cyber intrusion into the DC Police closed-circuit camera network days before the Presidential Inauguration Two hackers from the U.K. are arrested August 2016 Cyber theft of NSA cyber tools Tools used by NSA for operational activities stolen and posted by hackers. July 2016 Democratic National Committee hack Countless s released Discuss not the what, but how these and others are occurring: Intel, Intel, Intel Why try and break the door, when you can just take the key under the mat 100% success in targeting the masses 8

9 Company Sector Threats (motivation) Cyber Security Breach Summary Cyber Security Breach Impact Mitigating Controls Focus Retail Point-of-Sales Phishing Attack 70M customer records and credit card information exposed $200M Impact 10% Xmas Revenue 3% Sales Loss Reputational/Lawsuits Anti Malware Penetration Testing Internet Filtering Security Awareness Zone Malware Controls Emerging Threats Retail Point-of-Sales Phishing Attack Malware 1.1M customer records and credit card information exposed $10M Impact (to date) Reputational/Lawsuits Unreported $ Impact Remediation Cost Anti Malware Penetration Testing Internet Filtering Security Awareness Zone Technology Provider Web App Exploit Vulnerability 453K customer addresses compromised due to unsecured server Reputational Unreported $ Impact Remediation Cost Web Application Scans Penetration Testing Vulnerability Management Security Awareness Zone Securities Exchange Web App Exploit Network Breach Attackers gained direct access to company directors systems and performed virtualinsider trading Reputational Unreported $ Impact Remediation Cost Web Application Scans Penetration Testing Intrusion Detection Security Awareness Zone Network Security Government Data Disclosure Authorized user with inappropriate level of access to Top Secret data Worst Leak in History Unknown $ Impact Unknown Life Impact Background Checks Re-Authorization Data Loss Prevention (DLP) User De-Provisioning Auth. Access Control Financial Data Disclosure Unencrypted laptop with over 200K confidential customer records was stolen from employees car $4M Impact (approx) Remediation Cost Reputational/Lawsuits Encrypted Mobile Devices Gap Assessment Metrics Security Awareness Zone Banking Online Banking Denial-of- Service (DDOS) Online banking website experienced high internet traffic that intermittently disabled website Reputational Unreported $ Impact Remediation Cost Intrusion Detection Firewall Connection Drop

10 Cybersecurity Threats and Actors Financial Theft or Fraud Theft of Intellectual Property or Strategic Plans Business Disruption Destruction of Critical Infrastructure Reputation Damage Threats to Life and Safety Legal and Regulatory Organized Criminals Hacktivists Nation States Insiders Third Parties Rogue Hackers Recent Cyber Attacks Very High High Moderate Low 10

11 State Data Breach Laws are Expanding Broadened definition of personal information States such as California, Florida, Nevada, Wyoming and Rhode Island now include usernames and passwords as personal information that requires notification if compromised 26 states introduced or considered expanding existing security breach laws in 2016 Notification and reporting rules California passed legislation requiring any business that owns or licenses computerized data to disclose breaches of the security of that data Illinois amended and added additional reportable categories to Personal Information Protection Act Tennessee redefined the time period within which a business must notify a consumer of their personal information was accessed (reduces from immediate notification) Only three states-- Alabama, New Mexico, and South Dakota-- do not currently have a law requiring consumer notification of security breaches involving personal information 11

12 Government Contracts Regulatory & Contractual Requirements Continue to Expand October 2016 Final DFARS Rule Reporting Obligations FAR Basic Safeguarding Requirements (Effective June 2016) FAR Privacy Training Rule (Jan. 2017) NIST SP (Rev. 1) (Dec. 2016) Section H requirements DHS Privacy Training and Information Safeguarding Proposed Rules (Jan. 2017) OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (Jan. 2017) Other non-binding federal guidance includes: FTC Data Breach Response Guidance 12

13 Multi-stakeholder Coordination Always Required Consider conducting a RASCI exercise amongst stakeholders to align on roles and responsibilities: R: RESPONSBILE A: ACCOUNTABLE S: ESCALATED C: CONSULTED I : INFORMED 13

14 Data Breach and Incident Response Incident Response Program Discussion: What type of information should be covered by the Program? How can we more clearly define roles and responsibilities? When should outside Forensics be sourced and by whom? What reporting should there be internally and externally? How can we assure all legal/regulatory requirements are met during an Incident? 14

15 Meeting Legal/Regulatory Requirements The primary legal/regulatory requirements arise out of state breach notification statutes Timely notification of regulators and affected individuals Content and form requirements Addressing these issues requires: Prompt engagement of outside counsel and third party forensic investigators Diligent investigation and conclusions Drafting of notification letters or communications Regulators expect information on shorter timelines, creating tension with thorough investigation Most states still rely on a "reasonability" standard for notification States starting to implement strict deadlines -- Florida's new law is 30 days from the determination of or reason to believe that a breach occurred. FIPA, Section (4)(a) 15

16 Meeting Legal/Regulatory Requirements (Continued) Final DFARS rule Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct. 2016) All covered defense information Unclassified controlled technical information or other information, as describedin the Controlled Unclassifed Information (CUI) registry that requires safeguarding or dissemination controls pursuiant to and consistent with law and is marked or otherwise identified or developed, collected, received, transmitted, used, or stored on behalf of the contractor in support of performance. Rapid reporting requirement ( (c)) Investigation requirement review for evidence of compromise Provide any detected malicious software to contracting officer Imaging requirements must preserve and protect images of all known affected information systems FAR Security Requirements NISPOM reporting obligations Review of applicable contracts is critical: Many agencies have incident reporting obligations (e.g., NASA incident reporting requirements in a number of different NASA supplements) 16

17 Protecting the Company and Applying the Facts Data breach is an issue that every company deals with, many for both customer and employee information. Things toep in mind: Third-party forensics, if performed, should be engaged and directed through Counsel to preserve your ability to assert privilege in subsequent litigation. Understand that even if analyses are protected under privilege, underlying facts will not be. Determining data breach notification requirements is a very fact-specific exercise -- be careful not to make assumptions. Reading and understanding reporting obligations under existing contracts and during the proposal stage of new contracts is absolutely critical. All but a few states have enacted data breach notification legislation, but there is substantial diversity amongst and between them > Make sure you are applying the right law to the right facts! 17

18 Sustainable Data Security Crisis Management The key to sustainability is process integrity! All Privacy Emergencies (or potential Emergencies) should flow through a Response Framework: a funnel that engages key stakeholders and ensures seamless end-to-end management of an issue. End-to-end management includes resolution, post-mortem and remediation, as well as ongoing monitoring and reporting. Legal plays a critical role in determining what actions must be taken in response to a Privacy Crisis, both in planning and in execution of a response plan. 18

19 The Role of Legal in Crisis Management Identifying sources of legal/regulatory risk Guiding incident response processes and ensuring compliance with applicable laws and regulations Regulator or enforcement authority investigations Class action lawsuits Breach of contract claims/litigation from vendors, banks, customers Managing risk Using outside counsel effectively to maximize scope of privilege Reviewing messaging and communications with outside parties to prevent negative legal consequences of unintended "admissions" Advising on remediation, program improvements, employee discipline, and ongoing legal/regulatory risks 19

20 Example Incident Response Framework All DGC IRT BAT Develop Policies and Procedures Training Monitor Systems Test Incident Response Plan Prepare Report Incidents to IT Service Desk Assess and Categorize Incident Coordinate Response Breach Pre- Assessment/ Refer to Full-BAT Identify/ Detect Evaluate Incident for Reporting Requirements Contain Threat Collect and Document Evidence Eradicate Threat Contain/ Eradicate Evaluate Incident for Breach Notice Requirements Plan Notification Strategy Restore Systems Validate and Monitor Affected Systems Recover Report to Appropriate Regulators Notify Affected Residents Document Incident Identify and Communicate Lessons Learned Modify and Revise Incident Policies and Procedures Modify and Revise Breach Policies and Procedures Follow-up Breach Reporting and Notification

21 Common Mistakes in Responding to a Breach Lack of Preparation Figuring it out as you go along creates confusion, delay, and risk Established decision framework mitigates risks inherent in time-sensitive, high-stress decisions Discovering your obligations at this late stage precludes compliance Delayed Response Regulators frequently challenge the timeline of notification Must move diligently to drive investigations to conclusion Incident Response plan and third party relationships should be preestablished Making Assumptions Initial evaluations are frequently wrong or, at minimum, incomplete Critically evaluate the basis for conclusions, verify underlying facts and identify gaps or information that could change your analyses 21

22 Questions? Erin Sheppard (202) Stephen Kopeck (240) Hayden McKaskle (615)