Cybersecurity is a Company-Wide Issue
Cybersecurity issues often implicate (and are implicated by) multiple issues and areas within a company, both before and after an incident occurs:
- Personnel
- Clients
- Vendors
To manage the company's legal risk, attention should be paid to all of these implicated areas before an incident occurs, to ensure (as much as possible) that:
- Personnel know what to do, and are equipped to do it
- Clients are appropriately protected
- Vendors provide appropriate protection
- Privilege is applied
Once an incident occurs, following the established plan can reduce time, expense and exposure.
How Do We Prepare?
1) Awareness of the Issues
2) Implementation of Appropriate Measures
3) Diligence with Your Program
1) Awareness: Realities and Requirements
Realities: How Does It Move?
- What kind of information do you have?
- How does it move (including entry, landing, and exit)?
  - Client Information
  - Personnel Information
  - Company Information
Requirements: How Should It Move?
- Who should have access to the information?
- How should information be stored and transmitted?
- What proactive protections are required (e.g. HIPAA)?
- What happens if those fail (what reactive requirements apply)?
- How should other parties handle this information?
Proactive Protections ("Before")
Federal laws/regulations may apply to a type of information protected and/or industry:
- Health Insurance Portability and Accountability Act (HIPAA): Administrative, Physical, and Technical Safeguards required for covered entities (e.g. hospitals/health plans) and business associates
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley (SOX)
- Additional requirements from particular agencies (FTC)
State laws may also require "Before" steps:
- Coverage is based upon the state of residency of the individual affected
- Laws may also apply depending upon the state of licensure (NYDFS)
Proactive Example: HIPAA/HITECH
Preventive Safeguards Required for Covered Entities/Business Associates:
- Administrative, Physical, and Technical Safeguards
- Risk analysis/assessment, Policies and Procedures, Responsible Individual
- Appropriate agreements with Business Associates
Penalty Examples:
- Catholic Health Care Services of the Archdiocese of Philadelphia: theft of an unencrypted smartphone, lack of appropriate policies; $650,000 penalty
- North Memorial Health Care of Minnesota: lack of a Business Associate Agreement/Risk Analysis; $1.55MM penalty
Reactive Requirements
- There is no comprehensive federal data breach law covering all types of personal information (HIPAA => PHI)
- Most states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data security breach laws
  - Various definitions of "breach" and "personal information"; notice requirements may vary (e.g. timing, content)
  - Generally enforceable by Attorneys General; may require AG and/or credit bureau notification
  - Generally no minimum number of records to trigger notice
- July 2017: NYAG settled with CoPilot Provider Support Services; $130,000 penalty + changes to policies, procedures and training
Reactive Example: Oklahoma Data Breach Law
Security Breach Notification Act, 24 O.S. 161 et seq.
- Generally requires notification "as soon as practicable following discovery" to a resident whose unencrypted/unredacted personal information was/is reasonably believed to have been accessed and acquired by an unauthorized person, and there is a reasonable belief that identity theft/other fraud to the resident might occur.
- Defines "personal information" as first name or initial and last name combined with SS#, driver license number, or financial account number, credit card number or debit card number in combination with any security code/access code/password that would permit access to accounts of a resident
- Other Requirements: A breach must be disclosed if encrypted information is accessed in an unencrypted form, or the breach involves a person with access to the encryption key, and there is a reasonable belief that identity theft or other fraud to any resident of the state might occur.
- Does not require notification if information is encrypted or redacted, unless the data is acquired in an unencrypted form or the breach involves a person with an encryption key
- NOTE: There is no de minimis exclusion from coverage; Oklahoma has an "effects" test, which not all states do. Some states also permit a private right of action.
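An added example, not part of the presentation, that turns the notification elements as the slide summarises them (name plus a qualifying data element, the encryption/redaction carve-out and its two exceptions, and the "effects" test) into a triage function an incident response team could run over exposed records; the record structure, field names and sample records are assumptions, and the logic models only the slide's summary, not the statute's full text.

```python
"""Triage model of the Oklahoma breach-notification elements as summarised above."""
from dataclasses import dataclass, field

# Data elements that, combined with a name, make a record "personal information"
ID_ELEMENTS = {"ssn", "driver_license"}
ACCOUNT_ELEMENTS = {"financial_account", "credit_card", "debit_card"}
ACCESS_CODES = {"security_code", "access_code", "password"}


@dataclass
class ExposedRecord:            # assumed structure, not from the slide
    has_first_name_or_initial: bool
    has_last_name: bool
    fields: set = field(default_factory=set)   # exposed data fields
    encrypted: bool = False             # exposed fields were encrypted/redacted
    acquired_unencrypted: bool = False  # encrypted data obtained in clear form
    key_holder_involved: bool = False   # unauthorized person had the key


def is_personal_information(r: ExposedRecord) -> bool:
    """Name plus SSN/DL, or name plus account/card number with an access code."""
    if not (r.has_first_name_or_initial and r.has_last_name):
        return False
    if r.fields & ID_ELEMENTS:
        return True
    # Account and card numbers count only together with a code permitting access
    return bool(r.fields & ACCOUNT_ELEMENTS) and bool(r.fields & ACCESS_CODES)


def encryption_carve_out_applies(r: ExposedRecord) -> bool:
    """Encrypted/redacted data is excluded unless one of the two exceptions hits."""
    return r.encrypted and not (r.acquired_unencrypted or r.key_holder_involved)


def notification_required(r: ExposedRecord, acquired_by_unauthorized: bool,
                          fraud_reasonably_possible: bool) -> tuple:
    """Return (decision, reason); only elements stated on the slide are modelled."""
    if not is_personal_information(r):
        return False, "not personal information as defined"
    if not acquired_by_unauthorized:
        return False, "no reasonable belief of unauthorized access and acquisition"
    if encryption_carve_out_applies(r):
        return False, "encrypted/redacted; no unencrypted acquisition or key holder"
    if not fraud_reasonably_possible:
        return False, "effects test not met: no reasonable belief of identity theft"
    return True, "notify as soon as practicable following discovery"


# Constructed sample: stolen laptop with an encrypted HR export, key on a sticky note
HR_EXPORT = ExposedRecord(True, True, {"ssn"}, encrypted=True, key_holder_involved=True)
```

Records that fail the definition (for example a card number exposed without its access code) drop out before the encryption and effects questions are reached, which mirrors the order of the slide's elements.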
2) Implementation: Awareness In Action
Develop Consistent Processes:
- Internal Information Classifications and Required Security: may include risk assessment, training, and other safeguards
- Data Access (Hard vs. Soft Access): Who can get it? Example: restrictions on sharing information from secured systems
- Acceptable Use: How are data/systems accessed and used? E-mail/Bring Your Own Device (BYOD): who can transport data?
- Incident Response: What if things go wrong?
Provide Training/Verification:
- Training topics (general issues/specific requirements):
  - Information and its value
  - Legal/regulatory/policy/contractual responsibilities
  - Tactics of hackers and sound practices to reduce their risk of success, and what can happen if they succeed
- Verify through performance reviews/social engineering
What Value Does Information Have?
Personal Information -> Healthcare
- ~20% of US GDP, with approximately 35 million hospital admissions per year; many times that in outpatient encounters
- 10X more valuable than credit card information on the black market (~$20 each)
- Patient ID, billing records, and clinical information to support billing are often targeted
- From "Cybersecurity in the Healthcare Industry: Ransomware"
Company Information
- Inside Information (use of actual information)
  - August 2015: SEC announced fraud charges re: hackers using nonpublic information to generate >$100 million in trading profits. From "Sex, Money and Cybersecurity Reminders for Public Companies"
  - October 2016: DOJ charged three individuals for hacking into law firms for nonpublic information; ~$4 million in profits generated
- Stock Manipulation (dissemination of false information)
  - May 2017: SEC announced charges regarding a false tender offer used to inflate Fitbit stock prices; $3,100 in profits generated
Tactics to Get That Information/$ (often used in concert with each other)
- Phishing: using a fraudulent request or website to defraud someone
- Spearphishing: a type of phishing that uses particular information about the individual target (e.g. from social media)
- Spoofing: sending an e-mail that appears to be from one site but is actually from another (often used to divert contractor payments)
- Hacked e-mails from legitimate addresses
- Loss or theft due to inside actors (e.g. employees)
- Ransomware: a malicious program that encrypts files on a system and may publish or delete the files
- Other attacks to influence stock prices (e.g. false tender offers)
- Theft of physical devices and storage media
NOT ALL REQUIRE HACKS, JUST HELP!
What If They Succeed?
Data breaches are occurring in many forms with different consequences:
- Yahoo: $350 million reduction in purchase price; GC resigned without severance; no annual bonus/stock award for CEO
- Walgreens: $1.4 million; 1 patient involved
- Nationwide: plaintiffs found to have standing to sue based on increased risk of harm and the expense of mitigating possible future damage
- Baku-Tbilisi-Ceyhan Pipeline: hackers attacked the pipeline control system; the pipeline exploded and 30,000 barrels of oil spilled
- Turner Construction: employee information (name, SSN, earnings, tax information) sent in response to a spearphishing e-mail
- Whiting-Turner Contracting: employee information compromised, resulting in fraudulent tax returns being filed
- Equifax: currently multiple lawsuits, seeking (in one case) $70 billion
2) Implementation (cont'd)
Establish and Communicate Third Party Responsibilities
- Contract Provisions:
  - Establish Ownership and Limitations on Disclosure/Usage
  - Require Particular Security Elements/Safeguards
  - Breach processes, including communication responsibilities
  - Rights at Termination
- Know Your Responsibilities
Prepare an Incident Response Plan
- Everyone should know what to do and who to call
- Centralize communications through an Incident Response Team (IRT)
- Don't assume or indicate that something equals a "breach"
- Know who to tell and how: employees, customers, authorities, vendors
- Consider Additional Protections
2) Implementation (cont'd)
Maintain Privilege Throughout Your Process
- Ensure someone is acting specifically as counsel
- Cleanest => Involve external counsel, both before (engagement of experts) and after (incident response)
Assess and Monitor Vendors (including subcontractors)
- Initial assessment and ongoing monitoring of capabilities and security process
- Incorporate information into your overall risk profile
- Include in other considerations, e.g. insurance coverage
Update Your Process as Things Change
2) Implementation (cont'd)
Reinforce Appropriate Personal Practices: They Can Implement or Undermine Your Efforts
- Choose strong passwords and keep them secure (i.e., never share passwords or place written passwords on desks)
- Shut down computers at least once a week to ensure any automatic updates are applied
- Do not click random links online or in e-mails, whether from unknown individuals, with strange subject lines, or containing errors
- Do not download software from the internet without review
- Turn off Wi-Fi unless needed, to avoid automatically connecting
- Do not upload information from external hard drives/thumb drives without first pre-scanning
- Wipe all sensitive information from devices when no longer needed
3) Diligence: Enforce Your Efforts
Follow Your Incident Response Plan
- Involve your Incident Response Team (IRT); include others who may be impacted
- Develop communication with everyone at the table
- Involve vendors if necessary
- Document details early; the detection date is important
Don't Forget The Client's Perspective
- Make it easy, not hard, for them to contact you
- Toll-free number: no marketing messages!
- If posting on the website, make sure the information is correct
- Keep messaging consistent in all notifications (to clients, vendors, law enforcement)
3) Diligence (cont'd)
Involve Counsel Internally and Externally
Internally:
- Identification of cause and impact of incident
  - Personnel
  - Process
- Federal and state law analysis
- Determination of breach status
Externally:
- Development of notification communications
- Consideration of parties to notify
- Review of agreements for responsibilities to counterparties
- Engagement of third parties (e.g. Experian)
3) Diligence (cont'd)
If a Vendor is Breached: Get Involved Early and Often
- Confirm contractual responsibilities
- Notification: do your clients know the vendor is involved?
- Liabilities/Expenses: What is the vendor paying for?
- Centralize communications with the vendor via the IRT
If a Client is Breached: Make Sure the Company Knows
- Communicate internally to avoid spearphishing/fraud attempts
- Consider limiting any online access the client may have had
- Review client agreement(s) to confirm allocation of responsibility
Additional Resources
- Federal Trade Commission, www.identitytheft.gov: processes for identifying steps to take if information is compromised and for reporting identity theft
- Better Business Bureau, www.bbb.org: information on credit freezes/fraud alerts