TRANSCRIPT
Data Breach and Incident Response
February 9, 2017
Erin Sheppard, Partner, Dentons
Steve Kopeck, Assoc. Mng. Dir., Cyber Security and Investigations, Kroll
Hayden McKaskle, Director, Cyber Security and Data Breach Notification
Agenda
• Introductions
• Data Breach Statistics & Trends
• Data Breach Laws & Regulations
• Incident Response Planning
• Stakeholder coordination
• Key questions to consider
• Sample framework
• Questions
Data breach remains one of the single hottest issues at both State and
Federal levels.
A perfect storm of media, regulators and legislators focused on this issue is substantially amplifying the legal, economic and reputational risks of harm that companies face.
Class action lawyers have also picked up the scent and routinely file class
action litigations related to these breaches, especially in California where the
bar for surviving a Motion to Dismiss may be lower than elsewhere.
Some very scary facts:
There were 1,093 (known) Data Breaches recorded by the Identity Theft Fraud Resource Center in 2016. This is 40% more breaches than in 2015.
In 2016, the business sector had the highest percentage of breach incidents (45%). The medical/healthcare sector came in second (34%) and the banking/credit/financial sector experienced the lowest percentage (4.8%).
Source: "Data Breach Reports, Identity Theft Fraud Resource Center", Year End Report 2016
“There are only two types of companies: those that have been hacked and those that will be.”
– Fmr. U.S. Attorney General Eric H. Holder, Jr.
The Costs of Data Breaches are On the Rise
• Average cost of a data breach is $6.53 M per incident
• $217 per record
• In 2015, Gov't Agencies accounted for 77.2 Million records lost
Source: CSIdentity, Statistics, 2014
Recent High-Profile Breaches
• Multiple Major E-mail Providers
  • 270 million e-mail user names and passwords from Yahoo, Hotmail, and G-mail (discovered in May 2016)
  • Yahoo announced a separate 500 million accounts compromised (September 2016)
• Government Agency Breaches
  • In February 2016, the IRS announced that a breach announced in May 2015 affected over 700,000 taxpayers. The incident is thought to have been caused by Russian-based criminal operations
  • Federal Deposit Insurance Corporation malware incident discovered during investigation of 2015 breach (160,000 individuals affected)
• Healthcare Breaches
  • MedStar Health, Inc. ransomware incident in March 2016
  • 21st Century Oncology (2.2 M patients)
Source: IdentityForce Resource Center, The Biggest Data Breaches in 2016
• January 2017 cyber intrusion into the DC Police closed-circuit camera network days before the Presidential Inauguration
  • Two hackers from the U.K. are arrested
• August 2016 Cyber theft of NSA cyber tools
  • Tools used by NSA for operational activities stolen and posted by hackers.
• July 2016 Democratic National Committee hack
  • Countless emails released
• Discuss not the what, but how these and others are occurring:
  • Intel, Intel, Intel
  • Why try and break the door, when you can just take the key under the mat
  • 100% success in targeting the masses
High Profile Government & Government Contractor Breaches
(Table columns: Company Sector; Cyber Security Threats (motivation); Cyber Security Breach Summary; Cyber Security Breach Impact; Mitigating Controls; Focus)
• Retail – Point-of-Sales Phishing Attack
  Breach Summary: 70M customer records and credit card information exposed
  Impact: $200M Impact; 10% Xmas Revenue; 3% Sales Loss; Reputational/Lawsuits
  Mitigating Controls: Anti Malware; Penetration Testing; Internet Filtering; Security Awareness Zone
• Retail – Point-of-Sales Phishing Attack, Malware
  Breach Summary: 1.1M customer records and credit card information exposed
  Impact: $10M Impact (to date); Reputational/Lawsuits; Unreported $ Impact; Remediation Cost
  Mitigating Controls: Anti Malware; Penetration Testing; Internet Filtering; Security Awareness Zone
• Technology – Email Provider Web App Exploit, Vulnerability
  Breach Summary: 453K customer email addresses compromised due to unsecured server
  Impact: Reputational; Unreported $ Impact; Remediation Cost
  Mitigating Controls: Web Application Scans; Penetration Testing; Vulnerability Management; Security Awareness Zone
• Securities Exchange – Web App Exploit, Network Breach
  Breach Summary: Attackers gained direct access to “company directors” systems and performed “virtual-insider” trading
  Impact: Reputational; Unreported $ Impact; Remediation Cost
  Mitigating Controls: Web Application Scans; Penetration Testing; Intrusion Detection; Security Awareness Zone
• Government – Data Disclosure
  Breach Summary: Authorized user with inappropriate level of access to Top Secret data
  Impact: Worst Leak in History; Unknown $ Impact; Unknown Life Impact
  Mitigating Controls: Background Checks; Re-Authorization; Data Loss Prevention (DLP); User De-Provisioning
• Financial – Data Disclosure
  Breach Summary: Unencrypted laptop with over 200K confidential customer records was stolen from employee's car
  Impact: $4M Impact (approx); Remediation Cost; Reputational/Lawsuits
  Mitigating Controls: Encrypted Mobile Devices; Gap Assessment Metrics; Security Awareness Zone
• Banking – Online Banking Denial-of-Service (DDOS)
  Breach Summary: Online banking website experienced high internet traffic that intermittently disabled website
  Impact: Reputational; Unreported $ Impact; Remediation Cost
  Mitigating Controls: Intrusion Detection; Firewall – Connection Drop
Control focus areas shown in the Focus column: Malware Controls; Emerging Threats; Network Security; Auth. Access Control
Cybersecurity Threats and Actors
[Figure: heat map rating threat actors (Organized Criminals, Hacktivists, Nation States, Insiders, Third Parties, Rogue Hackers) against impact categories (Financial Theft or Fraud; Theft of Intellectual Property or Strategic Plans; Business Disruption; Destruction of Critical Infrastructure; Reputation Damage; Threats to Life and Safety; Legal and Regulatory) on a scale of Very High / High / Moderate / Low, with Recent Cyber Attacks marked.]
State Data Breach Laws are Expanding
• Broadened definition of personal information
  • States such as California, Florida, Nevada, Wyoming and Rhode Island now include usernames and passwords as personal information that requires notification if compromised
  • 26 states introduced or considered expanding existing security breach laws in 2016
• Notification and reporting rules
  • California passed legislation requiring any business that owns or licenses computerized data to disclose breaches of the security of that data
  • Illinois amended and added additional reportable categories to the Personal Information Protection Act
  • Tennessee redefined the time period within which a business must notify a consumer that their personal information was accessed (changed from immediate notification)
• Only three states (Alabama, New Mexico, and South Dakota) do not currently have a law requiring consumer notification of security breaches involving personal information
Government Contracts Regulatory & Contractual Requirements Continue to Expand
• October 2016 Final DFARS Rule Reporting Obligations
• FAR Basic Safeguarding Requirements (Effective June 2016)
• FAR Privacy Training Rule (Jan. 2017)
• NIST SP 800-171 (Rev. 1) (Dec. 2016)
• Section H requirements
• DHS Privacy Training and Information Safeguarding Proposed Rules (Jan. 2017)
• OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (Jan. 2017)
• Other non-binding federal guidance includes:
  • FTC Data Breach Response Guidance
Multi-stakeholder Coordination Always Required
Consider conducting a RASCI exercise amongst stakeholders to align on roles and responsibilities:
R: RESPONSIBLE
A: ACCOUNTABLE
S: ESCALATED
C: CONSULTED
I: INFORMED
Incident Response Program Discussion:
• What type of information should be covered by the Program?
• How can we more clearly define roles and responsibilities?
• When should outside Forensics be sourced and by whom?
• What reporting should there be internally and externally?
• How can we assure all legal/regulatory requirements are met during an Incident?
Meeting Legal/Regulatory Requirements
• The primary legal/regulatory requirements arise out of state breach notification statutes
  • Timely notification of regulators and affected individuals
  • Content and form requirements
• Addressing these issues requires:
  • Prompt engagement of outside counsel and third party forensic investigators
  • Diligent investigation and conclusions
  • Drafting of notification letters or communications
• Regulators expect information on shorter timelines, creating tension with thorough investigation
  • Most states still rely on a "reasonability" standard for notification
  • States starting to implement strict deadlines – Florida's new law is 30 days from the determination of or reason to believe that a breach occurred. FIPA, Section 501.171(4)(a)
Meeting Legal/Regulatory Requirements (Continued)
• Final DFARS rule – 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct. 2016)
  • All “covered defense information”
    • Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) registry, that requires safeguarding or dissemination controls pursuant to and consistent with law and is marked or otherwise identified or developed, collected, received, transmitted, used, or stored on behalf of the contractor in support of performance.
  • Rapid reporting requirement (252.204-7012(c))
  • Investigation requirement – review for evidence of compromise
  • Provide any detected malicious software to contracting officer
  • Imaging requirements – must preserve and protect images of all known affected information systems
• FAR 52.204-2 – Security Requirements – NISPOM reporting obligations
• Review of applicable contracts is critical:
  • Many agencies have incident reporting obligations (e.g., NASA incident reporting requirements in a number of different NASA supplements)
Protecting the Company and Applying the Facts
Data breach is an issue that every company deals with, many for both customer and employee information.
Things to keep in mind:
• Third-party forensics, if performed, should be engaged and directed through Counsel to preserve your ability to assert privilege in subsequent litigation.
• Understand that even if analyses are protected under privilege, underlying facts will not be.
• Determining data breach notification requirements is a very fact-specific exercise – be careful not to make assumptions.
• Reading and understanding reporting obligations under existing contracts and during the proposal stage of new contracts is absolutely critical.
All but a few states have enacted data breach notification legislation, but there is substantial diversity amongst and between them.
-----> Make sure you are applying the right law to the right facts!
Sustainable Data Security Crisis Management
The key to sustainability is process integrity!
All Privacy Emergencies (or potential Emergencies) should flow through a Response Framework: a funnel that engages key stakeholders and ensures seamless end-to-end management of an issue.
End-to-end management includes resolution, post-mortem and remediation, as well as ongoing monitoring and reporting.
Legal plays a critical role in determining what actions must be taken in response to a Privacy Crisis, both in planning and in execution of a response plan.
The Role of Legal in Crisis Management
• Identifying sources of legal/regulatory risk
  • Guiding incident response processes and ensuring compliance with applicable laws and regulations
  • Regulator or enforcement authority investigations
  • Class action lawsuits
  • Breach of contract claims/litigation from vendors, banks, customers
• Managing risk
  • Using outside counsel effectively to maximize scope of privilege
  • Reviewing messaging and communications with outside parties to prevent negative legal consequences of unintended "admissions"
  • Advising on remediation, program improvements, employee discipline, and ongoing legal/regulatory risks
Example Incident Response Framework
[Figure: swimlane flow diagram with lanes for All, DGC, IRT and BAT, running through the phases Prepare, Identify/Detect, Contain/Eradicate, Recover and Follow-up, with a Breach Reporting and Notification track. Steps shown in the diagram, grouped by phase:]
• Prepare: Develop Policies and Procedures; Training; Monitor Systems; Test Incident Response Plan
• Identify/Detect: Report Incidents to IT Service Desk; Assess and Categorize Incident; Coordinate Response; Breach Pre-Assessment/Refer to Full-BAT
• Contain/Eradicate: Contain Threat; Collect and Document Evidence; Eradicate Threat
• Recover: Restore Systems; Validate and Monitor Affected Systems
• Follow-up: Document Incident; Identify and Communicate Lessons Learned; Modify and Revise Incident Policies and Procedures; Modify and Revise Breach Policies and Procedures
• Breach Reporting and Notification: Evaluate Incident for Reporting Requirements; Evaluate Incident for Breach Notice Requirements; Plan Notification Strategy; Report to Appropriate Regulators; Notify Affected Residents
Common Mistakes in Responding to a Breach
• Lack of Preparation
  • Figuring it out as you go along creates confusion, delay, and risk
  • Established decision framework mitigates risks inherent in time-sensitive, high-stress decisions
  • Discovering your obligations at this late stage precludes compliance
• Delayed Response
  • Regulators frequently challenge the timeline of notification
  • Must move diligently to drive investigations to conclusion
  • Incident Response plan and third party relationships should be pre-established
• Making Assumptions
  • Initial evaluations are frequently wrong or, at minimum, incomplete
  • Critically evaluate the basis for conclusions, verify underlying facts and identify gaps or information that could change your analyses
Questions?
Erin Sheppard (202) 496-7533
Stephen Kopeck (240) 660-1221
Hayden McKaskle (615) 577-6758