Proactive Steps to Minimize Breach Risks and Impact

Protecting Your Company From A Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact
October 30, 2015
Presented By
Rebecca Perry, CIPP US/G, Jordan Lawrence, 636.821.2251, rperry@jordanlawrence.com
Ann Ladd, Fredrikson & Byron, 612.492.7124, aladd@fredlaw.com
Sten-Erik Hoidal, Fredrikson & Byron, 612.492.7334, shoidal@fredlaw.com
© 2015 Fredrikson & Byron, P.A.
Overview – Elements of a Cyber Security Program (the five functions of the NIST Cybersecurity Framework)
– Identify
– Protect (policies, vendors, training, practices, insurance)
– Detect
– Respond
– Recover
Identify
• Assets
• Business Environment
• Laws/Regulations/Contractual Obligations
• Use Good Information Governance
Locate your data.
Delete what you don’t need.
Improve policies and training.
What’s Your Biggest Exposure?
#1 Employee Negligence
#2 Hacking
#3 Paper
What Keeps CIOs Up at Night?
• Not knowing where sensitive or confidential data is: 64%
• Temporary worker or contractor errors: 59%
• Migration to new mobile platforms: 56%
• Third party outsourcing of data: 34%
N=1587, Source: Ponemon Research, May 2014
The Cornerstone: the records inventory – what records exist (and their retention), where they live (business processes), and how sensitive they are.
https://www.ftc.gov/system/files/documents/plain-language/bus69-protecting-personal-information-guide-business_0.pdf
Engage The Business
Accident/Incident Records
Advertising Records
Benefit Records
Budget Records
Contracts & Agreements
Credit Approvals
Customer Orders
Customer Payment Records
Employee Medical Files
Engineering Records
Marketing Records
Research & Development
Sales Receipts
Understand Business Practices
Identify Requirements
Map business needs and data sensitivity to the requirements that govern them:
• Sensitivity: Corporate Sensitive; Customer Data; Intellectual Property; PII; Biometric; Patient Health Info.; Personal Financial; Sensitive EU
• Requirements: DOL; OSHA; SEC; GLBA; HIPAA; PCI; State Privacy Laws
Example record type profile: Benefit Enrollment & Participation
• Departments: Distribution Centers; HR - Benefits; HR – Canada; HR - Regional; HR – Compensation; Store Operations
• Data categories: Health Information; Government IDs; Employee Information; Personal Information; Financial Information; Other
• Data elements: Beneficiary #, FMLA, Dates of Service, Patient Name, Patient Address, National ID Card #, Partial Social Security #, Social Security #, Employment ID, Employment Status, Handicapped Status, Medical Conditions, Age, Name, Email Address, Marriage Status, Physical Address, Telephone #, Insurance Information, Retirement Account, Corp - Legal Actions, EU - Health Status
• Best Practice Retention: 6 Years after superseded (29 USC 1027)
• Where it lives:
  – Applications: 3rd Party, Cognos, Microsoft Outlook, Microsoft SharePoint, PDF
  – Email: Archive, Desktop Hard Drive, Email Inbox, Laptops, Printed Hard Copies, Shared Drives
  – Paper: Box Warehouse, Department File Cabinet, Secure File Cabinet
  – Unstructured: CD/DVD, Laptops, Shared Drives
Reporting Findings & Risks to Senior Management – Case Study
• 122 Area Representatives
• 17 Subject Matter Experts
• 110 Departments
• 60,995 Data Points
• 45 Days
• 5 Countries
Lack of Critical Policy Awareness
• Information Security Policy: 59% aware, 41% not aware
• Records Retention Policy: 69% aware, 31% not aware; only 44% trained; 37% never dispose of records
Redundancy Creates Risk
• 274 unique record types
• 1,302 department versions
• 3,128 versions across media [Paper, Email, File Shares, Applications]
• 47% tagged with personal information
Where employees keep their own copies:
• 84% save to laptops or tablets
• 20% save to flash drives or DVDs
• 18% save to cloud storage
• 6% forward to personal email
Over Retention Is a Substantial Cause of Risk to Sensitive Information
Current retention compared to best practice: 71% of record types are retained longer than best practice (the remainder are in line, shorter, or have no best practice); 48% tagged with sensitive information.
Email
Email storage locations:
• Shared drives: 68%
• Archive (PST, NSF): 62%
• Printed hard copies: 62%
• Content management systems: 26%
• Flash drives: 17%
• Forward to personal email: 7%
Notes: 20% annual growth rate; central archive retained indefinitely; users creating personal archives.
Electronic Information on File Shares
[Word Documents, Power Points, PDFs, Excel Spreadsheets, Images, etc.]
Active environment: 20,000 gigabytes, 50% annual growth rate.
Age of information on file shares:
• 50% less than 3 years old
• 30% 3 to 5 years old
• 20% older than 5 years
PII on shared drives (2+ elements identified): 59 areas, 206 record type profiles.
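The file-share findings combine two checks a practitioner can automate: flagging files that hold two or more distinct kinds of personal data, and bucketing them by age against the retention picture above. The Python below is an added example written for this page, not code from the presenters or from Jordan Lawrence; the detector patterns, the age thresholds, and the sample files and their contents are constructed assumptions for illustration, not a complete PII taxonomy or real data.

```python
"""Find files that hold two or more kinds of personal data and bucket them by
age (<3, 3-5, >5 years), mirroring how the file-share findings above are cut.
Added example for this page; the sample files below are constructed, not real."""
from __future__ import annotations

import os
import re
import tempfile
import time
from collections import Counter
from dataclasses import dataclass

YEAR = 365.25 * 86400

# Detector patterns: assumptions chosen for illustration, not an exhaustive set.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate only; Luhn confirms


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_elements(text: str) -> dict[str, int]:
    """Count hits per element kind; only kinds actually found appear as keys."""
    found: Counter[str] = Counter()
    found["ssn"] = len(SSN_RE.findall(text))
    found["email"] = len(EMAIL_RE.findall(text))
    found["phone"] = len(PHONE_RE.findall(text))
    for cand in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", cand)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"] += 1
    return {kind: n for kind, n in found.items() if n}


def age_bucket(mtime: float, now: float) -> str:
    """Same three buckets the deck uses for file-share age."""
    years = (now - mtime) / YEAR
    if years < 3:
        return "<3y"
    return "3-5y" if years <= 5 else ">5y"


@dataclass
class Finding:
    name: str
    path: str
    elements: dict[str, int]
    bucket: str


def scan_tree(root: str, now: float | None = None, min_kinds: int = 2) -> list[Finding]:
    """Walk root and report files with at least min_kinds distinct element
    kinds (the deck's '2+ elements identified' criterion)."""
    now = time.time() if now is None else now
    findings: list[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skipped here, a real scan should log it
            elements = find_elements(text)
            if len(elements) >= min_kinds:
                findings.append(Finding(name, path, elements,
                                        age_bucket(os.path.getmtime(path), now)))
    return findings


def build_sample_share() -> str:
    """Constructed sample share (not real data): relative path -> (content, age in years)."""
    root = tempfile.mkdtemp(prefix="share_")
    now = time.time()
    samples = {
        "hr/benefits_2008.csv": ("Jane Doe,123-45-6789,jane.doe@example.com,555-123-4567\n", 7),
        "finance/refund_2011.txt": ("Refund to card 4111 1111 1111 1111; call 555-987-6543\n", 4),
        "ops/roster.txt": ("Shift lead 555-000-1111\nBackup 555-000-2222\n", 1),
        "ops/ticket.txt": ("ref 1234 5678 9012 3456 (fails Luhn) bob@example.com\n", 1),
    }
    for rel, (content, years) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        stamp = now - years * YEAR
        os.utime(path, (stamp, stamp))  # back-date so the age buckets are exercised
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print(f"{f.bucket:>5}  {f.name:<20} {f.elements}")
```

Only two of the four constructed files are flagged: the roster has phone numbers but nothing else, and the ticket's digit run fails the Luhn check, so neither reaches two element kinds. In a real engagement the patterns, the minimum-kinds threshold and the age cut-offs would be tuned to the record type profiles and retention schedule the inventory produced.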
Protect
• Technical
• Physical
• Administrative – Training, Vendor Management, Policies, Insurance
Technical and Physical Security “Quick Hits”
• Encryption
• Patching
• Good passwords
• Secure shredding
• Wiping equipment
http://www.sans.org/critical-security-controls
http://www.sifma.org/issues/operations-andtechnology/cybersecurity/guidance-for-small-firms/
Awareness and Training
Example topics
• Reasons, Risks, What is protected, and Why
• Overview of internal policies
• Highlight important areas of concern depending on your needs:
– Physical security (space, documents, devices)
– Passwords and good log-in practices
– Internet tips/avoiding phishing and other scams
– Sending protected information (email practices, etc.)
– Storing protected information (special security measures)
– Incident response – what to do if you suspect a problem
Some examples – training doesn’t have to be boring.
Can you guess this guy’s password?
Vendor Management
• Diligence – see example questions
• Contractual protections
– Require safeguards; consider third party certifications
– Control downstream transfers (subcontractors, hosts)
– Timely reports of incidents, and defined controls on the response to incidents
– Termination rights
– Indemnification/Insurance
– Disaster recovery/contingencies
• Audit Rights
Protect – Ensure The Right Policies Are In Place
• Overall Security and Privacy Policy – High Level
• Acceptable Use
• BYOD / Mobile Device / Lost Device
• Security Practices
Detect – Review Data Breach Detection Capabilities
• Data loss prevention technologies
• IT Security Consultant/intrusion testing
• Understand baseline IT security operations
• Monitoring of information systems, device usage, and personnel
Respond – Prepare in Advance!
Respond – Develop, Practice, and Follow A Data Breach Response Plan
• Written document(s) outlining the company’s strategy for evaluating and responding to potential data breaches.
• Customized to the company’s processes, structure, and goals.
• Tailored to the types of PII or sensitive information the company has access to.
Respond – Key Components For A Data Breach Response Plan
1. Identify response team and outline roles and responsibilities.
2. List strategic partners and explain process for determining whether they need to be involved.
3. Diagram system, data flow, and infrastructure.
Respond – Key Components (cont.)
4. Outline strategy for identifying a breach, ascertaining its scope, and containing the breach.
5. Explain process for analyzing legal implications of breach.
6. Outline how notice will be provided to potentially injured parties (if necessary).
Respond – Response Plan (cont.)
7. Develop and outline an internal communications strategy.
8. Develop and outline an external communications strategy.
9. Describe process for deciding whether to provide assistance (e.g., credit or fraud monitoring) to injured parties.
Respond – Other Considerations
• Provide to insurer for feedback.
• Train, train, train….
• Follow it!
Recover
• Self Assessment – Review and analyze the company’s response to determine areas for improvement. Revise the incident response plan accordingly.
• Recovery Planning – Develop a strategy to get the company’s systems back on line in the event of a breach.
Questions?