Privacy and Cyber Risk Management. Preparing Your Organization for Current and Emerging Risks

Transcription

1 Privacy and Cyber Risk Management Preparing Your Organization for Current and Emerging Risks

2 Privacy and Cyber Risk Management Agenda: Recognize security risks Discover the top techniques used by hackers for public institutions Recognize the legal exposures related to cyber risk Privacy and records classification Social media risks Privacy and Cyber Risk insurance coverage

3 What s at Risk? Breach: Network Security Unauthorized Access: Sensitive Information 1 st & 3 rd 1 st Cyber Theft: Finances 1 st Each represents a potential loss to the organization

4 Internet Common Exposures Laptops, tablets, or smart phones Sensitive information storage, WI-FI, App spying Conduct on-line banking (ACH payments) Allow BYOD

5 Common Exposures Use thumb drives or portable external hard drives Lost or stolen Malware Give write access to computer hard drives Digital communication (including video) via webpage or Facebook

6 Common Exposures No comprehensive Cyber Risk Management Program Written Policies Training Supervision Believing that privacy and cyber risks are only an IT issue and limit your scopte to computer and network security! Employees!!!

7 What are hackers doing? Sensitive Information: Social security numbers Credit/debit card numbers Vendor portals/networks Healthcare information Remote access of computers Access to servers & websites Access to outside networks Theft of Finances: Unauthorized financial transactions Breach Network Security from: Vendors or employees Phishing / Spying Social engineering How easy is it?

8 Targeted Attacks Social engineering: Common themes are conferences, internal communications, employee reviews, surveys, meeting invitations and security updates. Context: The makes sense to an employee of that organization. Homework: Attackers do their research, collect employee addresses, and the From field is changed so it appears to come from someone known to the organization. Attachments/links: There is typically a malicious attachment (.doc,.xls,.pdf) that contains exploit code. Executable file attachments and links are also used.

9 Often missed risks: Social Media First Amendment Control over citizen speech on Facebook Control over employee Facebook and other posts From too vague or strict social media policies Title VI & VII Accessibility - ADA Discrimination Hiring Defamation Government communication on social media Open Meetings Act Board deliberations on social media Tennessee Public Records Act Digital request Data retention Social media is a part of your cyber network, whether your website is hosted on your servers, or you have a link to your Facebook site on your website, or allow people to post or send s, or if you use Twitter or text messaging to send alerts.

10 Why the concern? Malicious threats are not going anywhere Stealth hackers, extortionist, rouge contractors Malware Disgruntled employees Mistakes, budgets and shifting priorities You will always have employees No comprehensive privacy and risk management program IT only solution, poor communication and lack of training Failure to make this an organizational priority

11 Why the concern? Network operation & data sharing Increased points of failure due to outsourcing of needs: To whom do we outsource (business partners)? Do they have access to our network or data? What privacy and cyber security safeguards do they have in place? What safeguards do you have in place to prevent unauthorized access to your network by your business partners with login privileges? Do they have the proper privacy and cyber security coverages and are their levels of coverage adequate? Are we named as an additional insured?

12 Why the concern? Network operation & data sharing Dependencies and data-sharing between: Business partners Employees Do they need access?

13 YOUR CITY IS VULNERABLE!

14 Local Government Targets Why local government and public agencies? Often ill-prepared to defend against intruders or detect advanced persistent threat (APT) groups May have limited IT resources and no comprehensive privacy and cyber risk management program May have limited or infrequent employee cyber training Don t think it will happen to them

15 Breaches per Threat Action 1. Hacking 2. Malware 3. Social Engineering Verizon Report

16 Public Incidents 9% 12% Human Error 37% 16% 4% CRIMEWARE (12%) CYBER-ESPIONAGE (16%) EVERTYHING ELSE (4%) INSIDER MISUSE (13%) MISC ERRORS (37%) PHYSICAL THEFT/LOSS (9%) 37% 13% What does this information tell us?

17 Vulnerabilities Uninformed or negligent employees Rogue or dissatisfied employees Negligent entities We somewhat know what s out there, but what are we doing about it? Software patches / security updates Applications

18 Hacker Economics From worms with backdoors to stealthy command-and-control botnets, credential theft, and fraud Hackers use what works! Looking for financial gains Top 10 vulnerabilities = 85% success Operational vulnerability constraints impact risk

19 Legal Exposures Disclaimer: The following is only a summary (for illustrative purposes) of some of prevailing laws that may be applicable to your organization. Please consult your city attorney, MTAS, and/or your insurer for additional resources.

20 Privacy and Cyber Risk Management T.C.A Consumer Protection and Identity Theft Deterrence Any political subdivisions, that owns or licenses computerized data that includes personal information. Old law: Security Breach means unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality or integrity of personal information. Effective 07/01/2016: The definition of Security Breach will no longer include the word unencrypted. There are various legal interpretations on this, so seek guidance from legal or the Pool Claims department. In other parts of this (and other statutes), encryption still is used to determine if the breach materially compromises the security, confidentiality, or integrity of personal information, and if it does notification is required. This will require a legislative cleanup of the language or a test case.

21 Privacy and Cyber Risk Management T.C.A Consumer Protection and Identity Theft Deterrence Effective 07/01/2016: A definition for Unauthorized Person was added to the statute and include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay... Effective 07/01/2016: Notice to affected residents must be made immediately but no later than forty-five (45) days following the discovery or notification to covered entity of a security breach (unless a longer time is required due to legitimate law enforcement needs).

22 Privacy and Cyber Risk Management T.C.A Consumer Protection and Identity Theft Deterrence Third Parties business partners who hold or have access to data: Effective 07/01/2016: Notice to covered entity must be made immediately but no later than forty-five (45) days from when the breach became known to third party recipient. (Should be added to or referenced in your agreement!) Effective 07/01/2016: A covered entity subject to HIPAA is exempt.

23 Privacy and Cyber Risk Management T.C.A Safeguards and procedures for ensuring that confidential information protected on laptop computers and other removable storage (b) All municipalities and counties shall create safeguards and procedures for ensuring that confidential information regarding citizens is securely protected on all laptop computers and other removable storage devices used by the municipality or county. What is meant by other removable storage devices? External hard-drives Portable hard-drives Thumb drives Tablets Smart phones CD/DVDs

24 Privacy and Cyber Risk Management T.C.A Safeguards and procedures for ensuring that confidential information protected on laptop computers and other removable storage (c) failure to comply with this section shall create a cause of action or claim for damages against the state, municipality, or county if a citizen of this state proves by clear and convincing evidence that the citizen was a victim of identity theft due to a failure to provide safeguards and procedures regarding that citizen's confidential information.

25 Privacy and Cyber Risk Management INTERNAL CONTROL MANUAL FOR LOCAL GOVERNMENTAL ENTITIES AND OTHER AUDITED ENTITIES IN TENNESSEE, COMPONENT 3 - CONTROL ACTIVITIES Management should design the entity s computerized information system and related control activities to achieve objectives and respond to risks. The external and internal security risks and the controls necessary to limit exposure to unauthorized access, corruption of data, or other misappropriation of information (e.g. personally identifiable information) The Comptroller wants municipal governments to identify and mitigate cyber risks!

26 Privacy and Cyber Risk Management Health Insurance Portability and Privacy Act/Health Information Technology for Economic and Clinical Health (HIPPA) of 1996 provides federal privacy protections for personal health information held by covered entities, regardless of its format (print or digital). The Revised Security Breach Notification Standard Increases the Risk of HIPAA Enforcement. The prior standard: Required notification only if an unauthorized use or disclosure of unencrypted PHI "posed a significant risk of financial, reputational or other harm" to the individual. Revised standard: any unauthorized use or disclosure of unencrypted PHI triggers a security breach notification obligation unless the employer can prove "a low probability that the [PHI] has been compromised based on a risk assessment."

27 Privacy and Cyber Risk Management Fair and Accurate Credit Transactions Act (FACTA) of 2003, which contains provisions designed to help reduce identity theft. Family Educational Rights and Privacy Act (FERPA), which requires schools receiving funds from the U.S. Department of Education to protect certain private records of students. Driver s Privacy Protection Act (DPPA) prohibits the release and use of certain personal information from state motor vehicle records.

28 Safeguards

29 Privacy and Cyber Risk Management T.C.A (a)(2)(A) Tennessee Public Records Act All municipal records shall at all times, during business hours be open for personal inspection by any citizen of Tennessee, and those in charge shall not refuse such right of inspection to any citizen, unless provided by law. Tennessee Code Annotated Section (d) The General Assembly directs the courts to interpret the provisions of the TPRA broadly so as to give the fullest possible access to public records. Do your employees know what isn t a public record?

30 Types of Data Protected Social security #, credit card #, health information, etc. Restricted Open police or personnel investigations, bid information, etc., restricted until completed Open All other documents, papers, letters, photos, video, sound recordings etc. not restricted by other state and/or federal law

31 Safeguard Sensitive Information Definition. Define sensitive information that is subject to protective measures. Location. Identify the sensitive information collected, how it is collected (print or digital), and its location (department). Protection. Implement administrative, physical, and digital safeguards to protect this information. Disposal. If the stored sensitive information is no longer needed, and is eligible for disposal as outlined by your Documents Retention Policy, then appropriate disposal methods should be employed.

32 Safeguard Digital and Physical Assets Digital Assets What and where are they? Computers, portable hard-drives, servers, printers, copiers, tablets, smartphones, thumb drives, etc. Protections Physical barriers, secured cabinets, paper shredder, anti-virus software, firewalls, egress filters, blocked communication ports, network monitoring, hard drive access, password cache, network intrusion detection system, etc.

33 Safeguard Staff Policies and Procedures Computer use Social media retention Should be a part of your larger data retention policy Protection of electronic mobile devices what s your policy? Data classification and sensitive information Training Have employees and elected officials been trained on these policies?

34 Safeguard Business Partners For any business partner who has access to your computers, network and/or sensitive data: Have a contract of expectations for network security Evaluate their network access least privilege Require a non-disclosure agreement Request certificates of insurance Request to be added as an additional insured on their policy

35 Social Media Risks

36 Social Media in Local Government Pros: Increased public participation and encouraging social activism Timely and cost effective communication Creating real-time public record of project information Garner support for municipal projects Publicize meetings and hearings Public safety information Networking and marketing

37 Social Media in Local Government Cons legal pitfalls: First amendment violations External Facebook and other forum comments Internal a) contacting elected officials: Facebook, s, text messaging. b) Personal Facebook, forum usage, or likes Title VI & VII Accessibility - ADA Discrimination Hiring Defamation Government communications on website or social media Open Meetings Act Board deliberations on social media Tennessee Public Records Act Digital request Data retention

38 Cost Containment Efforts If an actual loss occurs, other areas to address.

39 Coverage Issues Privacy and Network Liability Covers liability arising from the failure to properly handle, manage, store, destroy, or otherwise control information, an unintentional violation of your privacy policy that results in the violation of any privacy regulation, or a failure of network security. Data Breach Coverage Covers expenses that result from an information breach including computer forensics service, notification of affected parties, credit monitoring services, and expenses associated with coming into compliance with privacy regulations. (1 st party) Property & Crime Cyber theft of funds

40 Business Partner Coverage Professional Liability (E&O) Professional Liability insurance provides coverage caused by professional negligence or failure to perform professional duties. This often includes errors and omissions coverage, which results from the loss of client data, software or system failure, or claims of non-performance. Cyber Liability Coverage for when the firm is responsible for the security and privacy of a client s data stored on the IT firm s servers, introduction of malicious code or viruses, disclosure of confidential data, Loss of data or digital assets (malicious or accidental), etc. Employee Dishonesty coverage Provides coverage when an employee steals money, equipment or other assets from the client.

41 Plan for the Attack Create a cross-functional team including IT, Risk Management, Human Resources, Finance, Legal, and Law Enforcement Develop and implement a Cyber Risk Management Program Confirms everyone knows his/her roles and responsibilities and that all employees are trained pre/post event Reviews 3rd party contracts with legal, IT, and RM Insure adequate 3 rd party insurance (see previous slide) coverage and entity is named as an additional insured on business partner s policy

42 Plan for the Attack Review and assess the city s computer network, add safeguards as needed Keep a spreadsheet of digital assets, updates and patches Monitors the city s egress Backup daily and store offsite Develop a Recovery & Continuity Plan Work with banks on acceptable financial safeguards Token System Ensure sound financial controls: verification of transactions Confirmation via phone, text or before a major financial transaction

43 Questions? George Dalton, The Pool