Data Breach and Incident Response February 9, 2017 Erin Sheppard, Partner, Dentons Steve Kopeck, Assoc. Mng. Dir., Cyber Security and Investigations, Kroll Hayden McKaskle, Director, Cyber Security and Data Breach Notification


Page 1

Data Breach and Incident Response

February 9, 2017

Erin Sheppard, Partner, Dentons
Steve Kopeck, Assoc. Mng. Dir., Cyber Security and Investigations, Kroll
Hayden McKaskle, Director, Cyber Security and Data Breach Notification

Page 2

Agenda

• Introductions

• Data Breach Statistics & Trends

• Data Breach Laws & Regulations

• Incident Response Planning

• Stakeholder coordination

• Key questions to consider

• Sample framework

• Questions

Page 3

Data breach remains one of the single hottest issues at both the State and Federal levels. A perfect storm of media, regulators and legislators focused on this issue is substantially amplifying the legal, economic and reputational risks of harm that companies face.

Class action lawyers have also picked up the scent and routinely file class action litigation related to these breaches, especially in California, where the bar for surviving a Motion to Dismiss may be lower than elsewhere.

Page 4

Some very scary facts:

There were 1,093 (known) data breaches recorded by the Identity Theft Resource Center (ITRC) in 2016. This is 40% more breaches than in 2015.

In 2016, the business sector had the highest percentage of breach incidents (45%). The medical/healthcare sector came in second (34%), and the banking/credit/financial sector experienced the lowest percentage (4.8%).

Source: Identity Theft Resource Center, "Data Breach Reports", Year End Report 2016

Page 5

“There are only two types of companies: those that have been hacked and those that will be.”

Fmr. U.S. Attorney General Eric H. Holder, Jr.

Page 6

The Costs of Data Breaches are On the Rise

Average cost of a data breach is $6.53 M per incident ($217 per record).

In 2015, Gov't Agencies accounted for 77.2 Million records lost.

Source: CSIdentity, Statistics, 2014

Page 7

Recent High-Profile Breaches

• Multiple Major E-mail Providers
  • 270 million e-mail user names and passwords from Yahoo, Hotmail, and Gmail (discovered in May 2016)
  • Yahoo announced a separate 500 million accounts compromised (September 2016)
• Government Agency Breaches
  • In February 2016, the IRS announced that a breach first announced in May 2015 affected over 700,000 taxpayers. The incident is thought to have been caused by Russia-based criminal operations.
  • Federal Deposit Insurance Corporation malware incident discovered during investigation of a 2015 breach (160,000 individuals affected)
• Healthcare Breaches
  • MedStar Health, Inc. ransomware incident in March 2016
  • 21st Century Oncology (2.2 M patients)

Source: IdentityForce Resource Center, The Biggest Data Breaches in 2016

Page 8

High Profile Government & Government Contractor Breaches

• January 2017 cyber intrusion into the DC Police closed-circuit camera network days before the Presidential Inauguration
  • Two hackers from the U.K. were arrested
• August 2016 cyber theft of NSA cyber tools
  • Tools used by NSA for operational activities were stolen and posted by hackers
• July 2016 Democratic National Committee hack
  • Countless emails released
• Discuss not the what, but how these and others are occurring:
  • Intel, Intel, Intel
  • Why try to break the door when you can just take the key from under the mat?
  • 100% success in targeting the masses

Page 9

Breach case studies by sector (table; columns: Company Sector / Cyber Security Threats (motivation) / Cyber Security Breach Summary / Cyber Security Breach Impact / Mitigating Controls / Focus; the Focus column spans the rows grouped under it)

Focus: Malware Controls, Emerging Threats

  Sector: Retail
  Threat: Point-of-Sale, Phishing Attack
  Breach summary: 70M customer records and credit card information exposed
  Impact: $200M Impact; 10% Xmas Revenue; 3% Sales Loss; Reputational/Lawsuits
  Mitigating controls: Anti Malware; Penetration Testing; Internet Filtering; Security Awareness Zone

  Sector: Retail
  Threat: Point-of-Sale, Phishing Attack, Malware
  Breach summary: 1.1M customer records and credit card information exposed
  Impact: $10M Impact (to date); Reputational/Lawsuits; Unreported $ Impact; Remediation Cost
  Mitigating controls: Anti Malware; Penetration Testing; Internet Filtering; Security Awareness Zone

Focus: Network Security

  Sector: Technology
  Threat: Email Provider, Web App Exploit, Vulnerability
  Breach summary: 453K customer email addresses compromised due to an unsecured server
  Impact: Reputational; Unreported $ Impact; Remediation Cost
  Mitigating controls: Web Application Scans; Penetration Testing; Vulnerability Management; Security Awareness Zone

  Sector: Securities Exchange
  Threat: Web App Exploit, Network Breach
  Breach summary: Attackers gained direct access to “company directors” systems and performed “virtual-insider” trading
  Impact: Reputational; Unreported $ Impact; Remediation Cost
  Mitigating controls: Web Application Scans; Penetration Testing; Intrusion Detection; Security Awareness Zone

Focus: Auth. Access Control

  Sector: Government
  Threat: Data Disclosure
  Breach summary: Authorized user with inappropriate level of access to Top Secret data
  Impact: Worst Leak in History; Unknown $ Impact; Unknown Life Impact
  Mitigating controls: Background Checks; Re-Authorization; Data Loss Prevention (DLP); User De-Provisioning

  Sector: Financial
  Threat: Data Disclosure
  Breach summary: Unencrypted laptop with over 200K confidential customer records was stolen from an employee's car
  Impact: $4M Impact (approx); Remediation Cost; Reputational/Lawsuits
  Mitigating controls: Encrypted Mobile Devices; Gap Assessment Metrics; Security Awareness Zone

Focus: (not given)

  Sector: Banking
  Threat: Online Banking, Denial-of-Service (DDoS)
  Breach summary: Online banking website experienced high internet traffic that intermittently disabled the website
  Impact: Reputational; Unreported $ Impact; Remediation Cost
  Mitigating controls: Intrusion Detection; Firewall – Connection Drop

Page 10

Cybersecurity Threats and Actors

[Heat map: rows are threat impacts, columns are threat actors; each cell is rated Very High / High / Moderate / Low, with an overlay marking Recent Cyber Attacks.]

Threat impacts: Financial Theft or Fraud; Theft of Intellectual Property or Strategic Plans; Business Disruption; Destruction of Critical Infrastructure; Reputation Damage; Threats to Life and Safety; Legal and Regulatory

Threat actors: Organized Criminals; Hacktivists; Nation States; Insiders; Third Parties; Rogue Hackers

Legend: Very High / High / Moderate / Low

Page 11

State Data Breach Laws are Expanding

• Broadened definition of personal information
  • States such as California, Florida, Nevada, Wyoming and Rhode Island now include usernames and passwords as personal information that requires notification if compromised
  • 26 states introduced or considered expanding existing security breach laws in 2016
• Notification and reporting rules
  • California passed legislation requiring any business that owns or licenses computerized data to disclose breaches of the security of that data
  • Illinois amended its Personal Information Protection Act to add further reportable categories
  • Tennessee redefined the time period within which a business must notify a consumer that their personal information was accessed (replacing the former "immediate" notification requirement with a fixed period)
• Only three states (Alabama, New Mexico, and South Dakota) do not currently have a law requiring consumer notification of security breaches involving personal information

Page 12

Government Contracts Regulatory & Contractual Requirements Continue to Expand

• October 2016 Final DFARS Rule Reporting Obligations
• FAR Basic Safeguarding Requirements (Effective June 2016)
• FAR Privacy Training Rule (Jan. 2017)
• NIST SP 800-171 (Rev. 1) (Dec. 2016)
• Section H requirements
• DHS Privacy Training and Information Safeguarding Proposed Rules (Jan. 2017)
• OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (Jan. 2017)
• Other non-binding federal guidance includes:
  • FTC Data Breach Response Guidance

Page 13

Multi-stakeholder Coordination Always Required

Consider conducting a RASCI exercise amongst stakeholders to align on roles and responsibilities:

R: RESPONSIBLE
A: ACCOUNTABLE
S: SUPPORTING
C: CONSULTED
I: INFORMED

Page 14

Incident Response Program Discussion:

• What type of information should be covered by the Program?
• How can we more clearly define roles and responsibilities?
• When should outside Forensics be sourced, and by whom?
• What reporting should there be, internally and externally?
• How can we ensure all legal/regulatory requirements are met during an Incident?

Page 15

Meeting Legal/Regulatory Requirements

• The primary legal/regulatory requirements arise out of state breach notification statutes
  • Timely notification of regulators and affected individuals
  • Content and form requirements
• Addressing these issues requires:
  • Prompt engagement of outside counsel and third-party forensic investigators
  • Diligent investigation and conclusions
  • Drafting of notification letters or communications
• Regulators expect information on shorter timelines, creating tension with thorough investigation
  • Most states still rely on a "reasonableness" standard for notification
  • States are starting to implement strict deadlines: Florida's new law allows 30 days from the determination of, or reason to believe, that a breach occurred (FIPA, Section 501.171(4)(a))

Page 16

Meeting Legal/Regulatory Requirements (Continued)

• Final DFARS rule – 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct. 2016)
  • Applies to all "covered defense information"
    • Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, and that is marked or otherwise identified, or developed, collected, received, transmitted, used, or stored by or on behalf of the contractor in support of performance
  • Rapid reporting requirement (252.204-7012(c)): the clause defines "rapidly report" as within 72 hours of discovery of the cyber incident
  • Investigation requirement: review for evidence of compromise
  • Malicious software: when it is discovered and isolated, submit it to the DoD Cyber Crime Center (DC3) per the instructions provided; the clause expressly says not to send it to the Contracting Officer
  • Imaging requirements: must preserve and protect images of all known affected information systems (and relevant monitoring/packet capture data) for at least 90 days from submission of the cyber incident report
• FAR 52.204-2 – Security Requirements – NISPOM reporting obligations
• Review of applicable contracts is critical:
  • Many agencies have incident reporting obligations (e.g., NASA incident reporting requirements in a number of different NASA supplements)

Page 17

Protecting the Company and Applying the Facts

Data breach is an issue that every company deals with, many for both customer and employee information.

Things to keep in mind:

• Third-party forensics, if performed, should be engaged and directed through Counsel to preserve your ability to assert privilege in subsequent litigation.
• Understand that even if analyses are protected under privilege, the underlying facts will not be.
• Determining data breach notification requirements is a very fact-specific exercise; be careful not to make assumptions.
• Reading and understanding reporting obligations under existing contracts, and during the proposal stage of new contracts, is absolutely critical.

All but a few states have enacted data breach notification legislation, but there is substantial diversity among them.

-----> Make sure you are applying the right law to the right facts!

Page 18

Sustainable Data Security Crisis Management

The key to sustainability is process integrity!

All Privacy Emergencies (or potential Emergencies) should flow through a Response Framework: a funnel that engages key stakeholders and ensures seamless end-to-end management of an issue.

End-to-end management includes resolution, post-mortem and remediation, as well as ongoing monitoring and reporting.

Legal plays a critical role in determining what actions must be taken in response to a Privacy Crisis, both in planning and in execution of a response plan.

Page 19

The Role of Legal in Crisis Management

• Identifying sources of legal/regulatory risk
  • Guiding incident response processes and ensuring compliance with applicable laws and regulations
  • Regulator or enforcement authority investigations
  • Class action lawsuits
  • Breach of contract claims/litigation from vendors, banks, customers
• Managing risk
  • Using outside counsel effectively to maximize scope of privilege
  • Reviewing messaging and communications with outside parties to prevent negative legal consequences of unintended "admissions"
  • Advising on remediation, program improvements, employee discipline, and ongoing legal/regulatory risks

Page 20

Example Incident Response Framework

[Swimlane diagram: lanes labelled All, DGC, IRT and BAT; phases left to right: Prepare, Identify/Detect, Contain/Eradicate, Recover, Follow-up Breach Reporting and Notification. Steps as they appear under each phase:]

Prepare: Develop Policies and Procedures; Training; Monitor Systems; Test Incident Response Plan

Identify/Detect: Report Incidents to IT Service Desk; Assess and Categorize Incident; Coordinate Response; Breach Pre-Assessment / Refer to Full-BAT

Contain/Eradicate: Contain Threat; Collect and Document Evidence; Eradicate Threat; Evaluate Incident for Reporting Requirements; Evaluate Incident for Breach Notice Requirements

Recover: Restore Systems; Validate and Monitor Affected Systems; Plan Notification Strategy; Report to Appropriate Regulators; Notify Affected Residents

Follow-up Breach Reporting and Notification: Document Incident; Identify and Communicate Lessons Learned; Modify and Revise Incident Policies and Procedures; Modify and Revise Breach Policies and Procedures

Page 21

Common Mistakes in Responding to a Breach

• Lack of Preparation
  • Figuring it out as you go along creates confusion, delay, and risk
  • An established decision framework mitigates the risks inherent in time-sensitive, high-stress decisions
  • Discovering your obligations at this late stage precludes compliance
• Delayed Response
  • Regulators frequently challenge the timeline of notification
  • Must move diligently to drive investigations to conclusion
  • The Incident Response plan and third-party relationships should be pre-established
• Making Assumptions
  • Initial evaluations are frequently wrong or, at minimum, incomplete
  • Critically evaluate the basis for conclusions, verify underlying facts and identify gaps or information that could change your analyses

Page 22

Questions?

Erin Sheppard
(202) 496-7533
[email protected]

Stephen Kopeck
(240) 660-1221
[email protected]

Hayden McKaskle
(615) 577-6758
[email protected]