What is Cybersecurity?
- Protection against unauthorized access to or use of assets via electronic means
- Not limited to what we think of as "hacking":
  - Fraud prevention
  - Misuse of appropriate access
- Important in personal and professional contexts
  - Personal/professional distinction may blur
Protection Against What?
- Phishing: using a fraudulent request or website to defraud someone
- Spearphishing: a type of phishing that uses particular information about the individual target
- Spoofing: sending an e-mail that appears to be from one site but is actually from another
- Hacked e-mails from legitimate addresses
- Loss or theft due to inside actors (e.g., employees)
NOT ALL REQUIRE HACKS, JUST HELP!
Protection Against What? (cont'd)
- Ransomware: a malicious program that encrypts files on a system
  - It may lock a user out of a device or block access to files, requiring that a ransom be paid
  - Many variants with different capabilities
  - Some may post files to the internet if the ransom is not paid
  - More ransoms paid in Bitcoin
  - No guarantee of file decryption if the ransom is paid
From "Cybersecurity in the Healthcare Industry: Ransomware"
What's the Goal?
- Commercial value
  - Personal information
  - Company information
- Personal satisfaction
  - Social outrage
  - Individual embarrassment (e.g., Ashley Madison)
NOTE: Don't rely solely on firewalls
Where's the Value?
- Personal information -> Healthcare
  - ~20% of US GDP, with approximately 35 million hospital admissions per year; many times that in outpatient encounters
  - Result: an unprecedented amount of data
  - 10X more valuable than credit card information on the black market (~$20 each)
  - Patient ID, billing records, and clinical information to support billing are often targeted
  From "Cybersecurity in the Healthcare Industry: Ransomware"
- Company information -> Nonpublic deals
  - August 2015: SEC announced fraud charges re: hackers using nonpublic information to generate >$100 million in trading profits
  From "Sex, Money and Cybersecurity Reminders for Public Companies"
  - October 2016: DOJ charged three individuals for hacking into law firms for nonpublic information; ~$4 million in profits generated
Environment: Breaches More Common & More Costly
- Resulting from automatic and targeted attacks
- Data breaches are occurring in many forms, with significant costs in terms of responding to a data breach and loss of business
  - Yahoo: $350 million reduction in purchase price, GC resigned without severance, no annual bonus/stock award for CEO
  - Walgreens: $1.4 million; 1 patient involved
  - Nationwide: plaintiffs found to have standing to sue based on increased risk of harm and the expense of mitigating possible future damage
Increased Risks = Increased Requirements: "Before"
- Laws governing data security and privacy are wide-ranging and exist on both the federal and state levels
- Federal laws/regulations may apply to a type of information protected and/or an industry:
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
- State laws may also require "Before" steps
NOTE: Coverage is based upon the state of residency of the individual affected, not where the breached company is
"Before" Examples
- HIPAA/HITECH preventive safeguards required for business associates
  - Administrative, physical, and technical safeguards
  - Risk analysis/assessment, policies and procedures, responsible individual
- 2016: penalty levied against a business associate
  - Began with the theft of an unencrypted smartphone
  - Lack of policies cited, including no risk analysis/response plan
  - Result: $650,000 penalty
- Massachusetts requirements similar to HIPAA
  - Broader category of information of Massachusetts residents covered
Increased Requirements: "After"
- There is no federal data breach law
- Most states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data security breach laws
- Various definitions of "breach" and "personal information" and different notice requirements
- Generally enforceable by Attorneys General; may require AG notification
- Some require notification of credit bureaus
- Generally no minimum number of records to trigger notice
"After" Example: Oklahoma Data Breach Law
- Security Breach Notification Act, 24 O.S. 161 et seq.
- Defines "breach of the security system" as "the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained as part of a database and that causes, or will cause, identity theft or other fraud to any resident of this state" (emphasis added).
- Generally requires notification "as soon as practicable following discovery" to any resident whose unencrypted/unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, when there is a reasonable belief that identity theft or other fraud to any resident of the state might occur.
NOTE: There is no de minimis threshold for exclusion from coverage; Oklahoma has an "effects" test, which not all states do
OK Data Breach Law (cont'd)
Other requirements:
- A breach must be disclosed if encrypted information is accessed in an unencrypted form, or the breach involves a person with access to the encryption key, and there is a reasonable belief that identity theft or other fraud to any resident of the state might occur.
- Does not require notification if information is encrypted or redacted, unless the data is acquired in an unencrypted form or the breach involves a person with an encryption key.
- Defines "personal information" as first name or initial and last name combined with any one or more of the following: Social Security number; driver license number; and financial account number, or credit card or debit card number, in combination with any security code/access code/password that would permit access to the financial accounts of a resident.
NOTE: One of the state-to-state variances: Texas includes healthcare information
Ways to Address Risks
- Awareness
- Implementation
- Personal practices
Awareness: Realities and Requirements
- Realities: Know the Flow
  - What kind of information do you have?
  - How does it move (including entry, landing, and exit)?
  - Goals: security, integrity, access
- Requirements (internal): How Should It Move?
  - Who should have access to the information?
  - How should information be stored and transmitted?
  - What affirmative protections are required? (HIPAA, GLBA)
  - What happens if those protections fail?
  - How should other parties handle this information?
Implement, Don't Idealize
Implementation: Awareness in Action
- Develop consistent processes
  - Internal information classifications and required security
    - May include risk assessment, training, and other safeguards
  - Data access (hard vs. soft access): Who can get it?
    - Example: restrictions on sharing information from secured systems
  - Acceptable use: How are data/systems accessed and used?
    - E-mail/Bring Your Own Device (BYOD): Who can transport data?
- Provide training/verification
  - Training topics: general issues/specific requirements
    - Legal/regulatory/policy/contractual
    - Sound practices: computer, mobile device, e-mail or other IT uses
  - Verify through performance reviews/social engineering
Implementation (cont'd)
- Establish and communicate third-party responsibilities
  - Contract provisions
    - Establish ownership and limitations on disclosure/usage
    - Require particular security elements/safeguards
    - Breach processes, including communication responsibilities
    - Rights at termination
  - Information security representations, e.g., certifications
- Know your responsibilities
- Prepare an incident response plan
  - Everyone should know what to do and who to call
  - Centralize communications
  - Don't assume or indicate that something equals a "breach"
  - Ensure access to and training on the disaster recovery plan
  - Involve counsel as soon as possible
  - Know who to tell and how: customers, authorities, vendors (insurance)
Addressing Risks: Personal Practices
Personal practices can implement or undermine other efforts:
- Choose strong passwords and keep them secure (i.e., never share passwords or place written passwords on desks)
- Shut down computers at least once a week to ensure any automatic updates are applied
- Do not click random links online or in e-mails, whether from unknown individuals, with strange subject lines, or containing errors
- Do not download software from the internet without review
- Turn off Wi-Fi unless needed, to avoid automatically connecting
- Do not upload information from external hard drives/thumb drives without first pre-scanning
- Wipe all sensitive information from devices when it is no longer needed
Personal Practices (cont'd)
Also important for hard copy information:
- Do not leave sensitive information out/easily visible
- Do not leave documents or information visible in vehicles
- Destroy hard copy documents as soon as they are no longer of use
- Securely shred all documents with personal or nonpublic information