Cybersecurity is a Company-Wide Issue


Cybersecurity issues often implicate (and are implicated by) multiple areas within a company, both before and after an incident occurs:
- Personnel
- Clients
- Vendors

To manage the company's legal risk, attention should be paid to all of these areas before an incident occurs, to ensure (as much as possible) that:
- Personnel know what to do, and are equipped to do it
- Clients are appropriately protected
- Vendors provide appropriate protection
- Privilege is applied

Once an incident occurs, following the established plan can reduce time, expense and exposure.

How Do We Prepare?
- Awareness of the issues
- Implementation of appropriate measures
- Diligence with your program

1) Awareness: Realities and Requirements

Realities: how does it move?
- What kind of information do you have? How does it move (including entry, landing, and exit)?
- Client information
- Personnel information
- Company information

Requirements: how should it move?
- Who should have access to the information?
- How should information be stored and transmitted?
- What proactive protections are required (e.g. HIPAA)?
- What happens if those fail (what reactive requirements apply)?
- How should other parties handle this information?

Proactive Protections ("Before")

Federal laws/regulations may apply based on the type of information protected and/or the industry:
- Health Insurance Portability and Accountability Act (HIPAA): administrative, physical, and technical safeguards required for covered entities (e.g. hospitals/health plans) and business associates
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley (SOX)
- Additional requirements from particular agencies (e.g. FTC)

State laws may also require "Before" steps:
- Coverage is based upon the state of residency of the individual affected
- Laws may also apply depending upon the state of licensure (e.g. NYDFS)

Proactive Example: HIPAA/HITECH

Preventive safeguards required for covered entities/business associates:
- Administrative, physical, and technical safeguards
- Risk analysis/assessment, policies and procedures, a responsible individual
- Appropriate agreements with business associates

Penalty examples:
- Catholic Health Care Services of the Archdiocese of Philadelphia: theft of an unencrypted smartphone and lack of appropriate policies; $650,000 penalty
- North Memorial Health Care of Minnesota: lack of a business associate agreement/risk analysis; $1.55MM penalty

Reactive Requirements
- There is no comprehensive federal data breach law covering all types of personal information (HIPAA covers only PHI)
- Most states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data security breach laws
- Definitions of "breach" and "personal information" vary; notice requirements may also vary (e.g. timing, content)
- Generally enforceable by Attorneys General; may require AG and/or credit bureau notification
- Generally no minimum number of records to trigger notice
- July 2017: NYAG settled with CoPilot Provider Support Services; $130,000 penalty plus changes to policies, procedures and training

Reactive Example: Oklahoma Data Breach Law

Security Breach Notification Act, 24 O.S. § 161 et seq.
- Generally requires notification "as soon as practicable" following discovery to a resident whose unencrypted/unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where there is a reasonable belief that identity theft or other fraud to the resident might occur.
- Defines "personal information" as first name or initial and last name combined with any of: Social Security number; driver license number; or financial account number, credit card number or debit card number in combination with any security code, access code or password that would permit access to the resident's accounts.

Other requirements:
- A breach must be disclosed if encrypted information is accessed in an unencrypted form, or the breach involves a person with access to the encryption key, and there is a reasonable belief that identity theft or other fraud to any resident of the state might occur.
- Does not require notification if the information is encrypted or redacted, unless the data was acquired in an unencrypted form or the breach involves a person with the encryption key.

NOTE: There is no de minimis exclusion from coverage. Oklahoma applies an "effects test" (notice turns on a reasonable belief that identity theft or fraud might occur), which not all states do. Some states also permit a private right of action.

2) Implementation: Awareness in Action

Develop consistent processes:
- Internal information classifications and required security: may include risk assessment, training, and other safeguards
- Data access (hard vs. soft access): who can get it? Example: restrictions on sharing information from secured systems
- Acceptable use: how are data/systems accessed and used? E-mail/Bring Your Own Device (BYOD): who can transport data?
- Incident response: what if things go wrong?

Provide training/verification:
- Training topics: general issues/specific requirements; information and its value; legal/regulatory/policy/contractual responsibilities; tactics of hackers, sound practices to reduce their risk of success, and what can happen if they succeed
- Verify through performance reviews and social engineering tests (e.g. simulated phishing)

What Value Does Information Have?

Personal information: healthcare
- Healthcare is ~20% of US GDP, with approximately 35 million hospital admissions per year; many times that in outpatient encounters
- Health records are ~10X more valuable than credit card information on the black market (~$20 each)
- Patient IDs, billing records, and clinical information to support billing are often targeted
- (From "Cybersecurity in the Healthcare Industry: Ransomware")

Company information
- Inside information (use of actual information): August 2015, SEC announced fraud charges re: hackers using nonpublic information to generate >$100 million in trading profits (from "Sex, Money and Cybersecurity Reminders for Public Companies"); October 2016, DOJ charged three individuals with hacking into law firms for nonpublic information, ~$4 million in profits generated
- Stock manipulation (dissemination of false information): May 2017, SEC announced charges regarding a false tender offer used to inflate Fitbit stock prices; $3,100 in profits generated

Tactics to Get That Information/$

Often used in concert with each other:
- Phishing: using a fraudulent request or website to defraud someone
- Spearphishing: a type of phishing that uses particular information about the individual target (e.g. from social media)
- Spoofing: sending an e-mail that appears to be from one address or domain but is actually from another (often used to divert contractor payments)
- Hacked e-mail accounts: messages sent from legitimate addresses
- Loss or theft due to inside actors (e.g. employees)
- Ransomware: a malicious program that encrypts files on a system and may publish or delete the files
- Other attacks to influence stock prices (e.g. false tender offers)
- Theft of physical devices and storage media

Not all of these require a hack; some only require help (e.g. an employee who acts on a fraudulent request).
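The spoofing and payment-diversion tactics listed above leave traces in message headers that a mail gateway or an analyst can check mechanically. The Python below is an added example written for this page, not code from the presentation or its authors. It applies four header heuristics (Return-Path domain differing from the From domain, a Reply-To that diverts replies elsewhere, an e-mail address planted in the display name, and SPF/DKIM/DMARC failures recorded in Authentication-Results) to constructed sample messages; every address, domain and header value in it is a made-up placeholder.

```python
"""Heuristic e-mail spoofing indicators over raw RFC 5322 headers.

Added example for this page; the three sample messages below are
constructed and all domains (example.com, evil.example) are placeholders.
"""
import email
from email.utils import getaddresses, parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address string, or '' if none."""
    _, spec = parseaddr(addr)
    return spec.rsplit("@", 1)[-1].lower() if "@" in spec else ""


def spoofing_indicators(raw: str) -> list[str]:
    """Return human-readable spoofing indicators found in a raw message."""
    msg = email.message_from_string(raw)
    findings: list[str] = []

    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)

    # 1. Envelope sender (Return-Path) domain differs from the From domain.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != From domain {from_dom}")

    # 2. Reply-To sends replies to another domain (classic payment diversion).
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        rt_dom = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""
        if rt_dom and rt_dom != from_dom:
            findings.append(f"Reply-To domain {rt_dom} != From domain {from_dom}")

    # 3. Display name contains an address whose domain differs from the real sender.
    if "@" in display_name:
        shown_dom = display_name.rsplit("@", 1)[-1].strip('"<> ').lower()
        if shown_dom != from_dom:
            findings.append(f"display name shows {shown_dom} but address is {from_dom}")

    # 4. Our own gateway recorded an SPF/DKIM/DMARC failure for the message.
    for ar in msg.get_all("Authentication-Results", []):
        lowered = ar.lower()
        for mech in ("spf", "dkim", "dmarc"):
            if f"{mech}=fail" in lowered or f"{mech}=softfail" in lowered:
                findings.append(f"{mech} failed per Authentication-Results")
    return findings


# Constructed samples (not real traffic).
LEGIT = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: CEO <ceo@example.com>
To: ap@example.com
Subject: Lunch on Friday

See you at noon.
"""

DISPLAY_NAME_SPOOF = """\
Return-Path: <bounce@evil.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=evil.example; dkim=none
From: "ceo@example.com" <billing@evil.example>
To: ap@example.com
Subject: Updated wire instructions for contractor payment

Please send today's payment to the new account below.
"""

REPLY_TO_SPOOF = """\
Return-Path: <bounce@evil.example>
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=evil.example; dkim=none
From: CEO <ceo@example.com>
Reply-To: ceo@evil.example
To: ap@example.com
Subject: Urgent: vendor bank change

Reply to confirm and I will send the new account details.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("display-name", DISPLAY_NAME_SPOOF),
                          ("reply-to", REPLY_TO_SPOOF)):
        print(label, spoofing_indicators(sample))
```

These are indicators, not proof: legitimate bulk mailers routinely have a Return-Path on a different domain, so the thresholds need tuning per environment, and Authentication-Results should only be trusted when your own gateway adds it and strips any copy that arrived with the inbound message.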

What If They Succeed?

Data breaches are occurring in many forms with different consequences:
- Yahoo: $350 million reduction in purchase price; GC resigned without severance; no annual bonus/stock award for the CEO
- Walgreens: $1.4 million; 1 patient involved
- Nationwide: plaintiffs found to have standing to sue based on increased risk of harm and the expense of mitigating possible future damage
- Baku-Tbilisi-Ceyhan Pipeline: hackers attacked the pipeline control system; the pipeline exploded and 30,000 barrels of oil spilled
- Turner Construction: employee information (name, SSN, earnings, tax information) sent in response to a spearphishing e-mail
- Whiting-Turner Contracting: employee information compromised, resulting in fraudulent tax returns being filed
- Equifax: currently multiple lawsuits, seeking (in one case) $70 billion

2) Implementation (cont'd)

Establish and communicate third-party responsibilities (contract provisions):
- Establish ownership and limitations on disclosure/usage
- Require particular security elements/safeguards
- Breach processes, including communication responsibilities
- Rights at termination

Know your responsibilities: prepare an incident response plan
- Everyone should know what to do and who to call
- Centralize communications through an Incident Response Team (IRT)
- Don't assume, or state, that an incident is a "breach" before that determination has been made; the term carries legal consequences
- Know who to tell and how: employees, customers, authorities, vendors
- Consider additional protections

2) Implementation (cont'd)

Maintain privilege throughout your process:
- Ensure someone is acting specifically as counsel
- Cleanest approach: involve external counsel, both before (engagement of experts) and after (incident response)

Assess and monitor vendors (including subcontractors):
- Initial assessment and ongoing monitoring of capabilities and security processes
- Incorporate the information into your overall risk profile
- Include it in other considerations, e.g. insurance coverage

Update your process as things change.

2) Implementation (cont'd)

Reinforce appropriate personal practices; they can implement or undermine your efforts:
- Choose strong passwords and keep them secure (never share passwords or leave written passwords on desks)
- Restart computers at least once a week so that pending automatic updates are applied
- Do not click random links online or in e-mails, whether from unknown individuals, with strange subject lines, or containing errors
- Do not download software from the internet without review
- Turn off Wi-Fi when not needed, so devices do not automatically connect to untrusted networks
- Do not load information from external hard drives/thumb drives without first scanning them for malware
- Securely wipe sensitive information from devices when it is no longer needed

3) Diligence: Enforce Your Efforts

Follow your incident response plan:
- Involve your Incident Response Team (IRT); include others who may be impacted
- Develop communication with everyone at the table
- Involve vendors if necessary
- Document details early; the detection date is important (notification deadlines run from discovery)

Don't forget the client's perspective:
- Make it easy, not hard, for them to contact you
- Toll-free number, with no marketing messages!
- If posting on the website, make sure the information is correct
- Keep messaging consistent in all notifications (to clients, vendors, law enforcement)

3) Diligence (cont'd)

Involve counsel internally and externally.

Internally:
- Identification of the cause and impact of the incident (personnel, process)
- Federal and state law analysis
- Determination of breach status

Externally:
- Development of notification communications
- Consideration of parties to notify
- Review of agreements for responsibilities to counterparties
- Engagement of third parties (e.g. Experian)

3) Diligence (cont'd)

If a vendor is breached, get involved early and often:
- Confirm contractual responsibilities
- Notification: do your clients know the vendor is involved?
- Liabilities/expenses: what is the vendor paying for?
- Centralize communications with the vendor via the IRT

If a client is breached, make sure the company knows:
- Communicate internally to avoid spearphishing/fraud attempts that exploit the client's compromise
- Consider limiting any online access the client may have had
- Review client agreement(s) to confirm the allocation of responsibility

Additional Resources
- Federal Trade Commission, www.identitytheft.gov: processes for identifying steps to take if information is compromised and for reporting identity theft
- Better Business Bureau, www.bbb.org: information on credit freezes/fraud alerts