Handout 1

Avoiding Cyber Liability Pitfalls:
Lessons Learned from
Risk Managers, Insurance,
Legal and Forensic Experts
Recording of this session via any media type is strictly prohibited.
Page 1
Introduction of Speakers
Katherine Keefe, Esq. – Beazley
Ted Kobus, Esq. – Baker Hostetler
Steve Visser – Navigant
Jim Morley – John Deere
Page 2
Cyber Liability – Introduction
• Attention-grabbing news headlines
• Breaches increasing in frequency by many accounts
• Nature of security threats changing
• Many types of organizations are at risk
• Evolving response requirements
Page 3
Types of Incidents Observed
Page 4
Types of Information Security Incidents:
Healthcare
• Phishing: attempted payroll diversions and remote email box access
• Snooping into patient records
• Lost/stolen computing devices
• Inappropriate access to patient or provider records, used for fraudulent tax return preparation
• Malware
Page 5
Types of Information Security Incidents: Higher Education
• Malware
• Hacking
• Inadvertent exposure of information to the internet
Page 6
Types of Information Security Incidents: Financial Services
• Malware with command and control capability
• Lost or stolen computing devices
Page 7
Types of Breaches
Statistics from Navigant Research
Adapted from Navigant’s Information Security & Data Breach Report: March 2014 Update
FQA includes Q3 2012 – Q2 2013, July 1, 2012 – June 30, 2013.
Page 8
Types of Breaches
Breaches by Type of Entity
Adapted from Navigant’s Information Security & Data Breach Report: March 2014 Update
FQA includes Q3 2012 – Q2 2013, July 1, 2012 – June 30, 2013.
Page 9
Types of Breaches
Breakout of Corporate Breaches by Industry Group

Industry Group                                 Q4 2013   Q3 2013   FQA
Services                                          41%       35%    36%
Retail & Wholesale Trade                          27%        0%    17%
Insurance & Finance                               23%       35%    21%
Transportation, Utilities, & Public Services       5%       10%     9%
Manufacturing                                      4%       20%    17%
Adapted from Navigant’s Information Security & Data Breach Report: March 2014 Update
FQA includes Q3 2012 – Q2 2013, July 1, 2012 – June 30, 2013.
Page 10
How Information Security Incidents are Discovered
• Reported by an internal person
o (e.g.- employee)
• Reported by an external entity
o (e.g.- law enforcement or business partner)
Page 11
Where are the threats coming from?
Legal Perspective
• Inside threats
  – Employee negligence
    • Security failures
    • Lost mobile devices
  – Employee ignorance
    • Improper disposal of personal information (dumpsters)
    • Lack of education and awareness
  – Malicious employees
• Outside threats
  – Hackers
    • Malware
    • Phishing and spear phishing
  – Thieves (including social engineering tools)
  – Vendors
Page 12
Breach Causes: Beazley Breach Response Services – Q1 2014
• Physical loss: 26%
• Unintended disclosure: 22%
• Hack or malware: 13%
• Other: 12%
• Portable device: 11%
• Insider: 10%
• Unknown: 3%
• Payment card: 2%
• Stationary device: 1%
Page 13
Industries Impacted by Data Incidents: Beazley Breach Response Services – Q1 2014
• Healthcare: 67%
• Other: 12%
• Financial: 9%
• Education: 6%
• Retail: 6%
Page 14
Developing an Effective Incident Response Plan (“IRP”)
Page 15
Objectives for a Data Breach Incident Response Plan
• “Living Document”
– Routinely updated to keep current
• Clear and easy to use in the midst of a crisis incident
– Succinct
– Organized by sections
• Not a “phone book” but not a “leaflet”
– Background information on regulations and laws
– Detailed procedures and steps on incident management
– Contact details of the Incident Response Team (IRT)
• Document all discoveries for evidentiary needs
Page 16
Anatomy of the IRP
• Incident Response Team
– Roles & Responsibilities
– Internal Members of the IRT
– External Members of the IRT
– Contact Information of Members of the IRT
– Define “Threat Levels” to Members of the IRT
Page 17
Anatomy of the IRP (Continued)
• Incident Triaging
  – Threat level defined to trigger appropriate members of the IRT
  – Does the insurance carrier need to be advised?
  – Is privacy counsel needed?
  – Is an investigation needed?
    • Forensic
    • Traditional
    • Both
  – Electronic data? Paper-based data? Both?
  – Is a 3rd party involved? Or the cause?
  – Is law enforcement needed?
    • FBI? Secret Service? State/Local?
    • Police report needed? (Theft involved?)
  – PR/Crisis management needed? Media involved (yet)?
Page 18
Anatomy of the IRP (Continued)
• Breach Response Methodology
– Notification Procedures
• Define timing strategy of all communications
• Police report needed? (if theft involved)
• Affected individuals’ notification fulfillment needed?
– Draft notification letters
» Description of what happened and when (if permitted)
» Description of data types involved
» Steps to protect oneself
» What entity is going to investigate and mitigate harm. Remedy? (credit monitoring)
» Contact details for questions
» Apology
– Obtain corporate logo and signature image
• Affected individuals’ call center needed?
– Establish escalation contacts
– Draft FAQs
– Draft scripts
Page 19
Anatomy of the IRP (Continued)
• Breach Response Methodology
– Notification Procedures
• Government agencies / attorneys general
– Draft notification letters - federal, state, local (where applicable)
• Press releases
– Draft press releases and scripts for media
• Internal communications
– Draft internal memos
– General workforce, management, board of directors
• Website
– HITECH substitute notice (if applicable)
– Public posting
– Require separate phone # from notification #
• Assess need for localization (multiple languages)
• Accompanying remedy with notice
– Credit monitoring / credit reports
– Identity theft resolution
» Credit-related fraud restoration
» Healthcare record fraud restoration
Page 20
Anatomy of the IRP (Continued)
• Mitigation and Remediation
– Recovery
• Eradicate vulnerabilities
• Reinstate repaired/hardened systems
– Review – Lessons Learned
• Log/record incident in an incident database for trending/historical analytics
• Review with incident response team
– Review information security systems, policies and procedures, workflows
– Review physical security systems, policies and procedures, workflows
– Update training program accordingly
• Update incident response plan
Page 21
From a Forensic Investigation Perspective, What are We Preparing to Do?
• Varies from incident to incident, but there are common activities to prepare for:
• Evaluation of whether data egress occurred
• Identification and evaluation of contents of missing computing devices
• Analysis of system access records to evaluate what individuals did in systems
• Analysis of data traffic to assess whether exfiltration occurred
• Evaluation of what happened as a result of malware
• Evaluation of what is in e-mail boxes
• Evaluation of whether there are artifacts of information access
• Support a risk-of-harm assessment
• Examples; not a comprehensive list
Page 22
Preparation for Forensic Incident Investigations
Recommendations to help make future investigations effective
1. Prepare a data map, including:
  – List of all data systems
  – System characteristics, data format, system architecture
  – System subject matter experts
  – Assess how data can be extracted from each system
  – Review and update quarterly
2. Assess and improve (if needed) log retention and accessibility
Adapted from Source: ©Teacher & Educational Development, University of New Mexico School of Medicine, 2005
Page 23
Preparation for Forensic Incident Investigations
Recommendations to help make a future investigation effective
2. Assess and improve (if needed) log retention and accessibility
3. Identify service providers and agree to contract terms in advance
Page 24
Preparation for Forensic Incident Investigations
Recommendations to help make a future investigation effective
4. Engage in response planning
  – Division of roles and responsibilities for each common type of information security incident
  – Response steps planning (e.g. data enrichment for names and addresses required for notification)
5. Identify formats/patterns/ranges of key identification numbers
  – Identification numbers for individuals your business interacts with
Page 25
Risk Management and Prevention
Page 26
How Do We Protect Ourselves?
• Vendor Management
• Security Awareness/Education
• Basic Data Security Good Practices
• Risk Assessment
• Policies and Procedures
• Consistent Enforcement of Policies & Procedures
• Practice breach response initiative
• Delete data when no longer needed
Page 27
Document Retention / Destruction
• How do you control document retention?
– By policy? Oversight & enforcement?
• How long do you need to store data? Why?
• Where do you store old data?
– Backup tapes stored offsite? How secured?
• Do vendors return data or do they keep it?
Page 28
Security Awareness & Education
• Initial training at time of hiring
– How do employees spot security problems?
– What is the reporting procedure?
– Are supervisors trained to handle reports from staff (e.g. is a gag order appropriate)?
• Regular and continued training and awareness
– What does your training program include for security issues and procedures? Annual?
– Formal online training course vs. in-person?
– Monthly staff meetings?
– Newsletters?
• ePlace resources
Page 29
Risk Assessment
• Periodic Review of Administrative Safeguards
• Periodic Review of Physical Safeguards
• Periodic Review of Technical Safeguards
• Periodic review of the information you are handling – has it changed?
Page 30
Policies & Procedures
• Incident and Breach Response Plan
• Social Media Policy
• Information Security and User Policies
– What users can and must do to use the network and the organization's computer equipment
– Define limitations on users to keep the network secure (password policies, use of proprietary information, internet usage, system use, remote access)
• IT Policies
  – Virus incident and security incident
  – Logs
  – Backup policies
  – Server configuration, patch update, modification policies
  – Firewall policies
  – Wireless, VPN, router, and switch security
  – Email retention
Page 31
Policies & Procedures (cont.)
• General Policies
– Program Policy
– Crisis Management Plan
– Disaster Recovery
    • Server recovery
    • Data recovery
    • End-user recovery
    • Phone system recovery
    • Emergency response plan
    • Workplace recovery
Page 32
Vendor Management
• Service providers
– Mail
– Cleaning
– Security
– Off-site storage/shredding
– Data processing/storage
• Benefits
• Banking
Page 33
“Dusty Old Contract Provisions”
• Vendor dictates security requirements that don't reflect current state of the laws
• Liability shifting
• Liquidated Damages
• Force Majeure
Page 34
Considerations for Incident Prevention/Control
(Forensic/Technical Perspective):
• Encryption at rest, on devices, in transit, and of databases
• Two-factor authentication
• Effective malware detection and response
• Employee access monitoring
• Quality control in system implementations (verification of system parameters)
• SIEM implementation
Page 35
Considerations for Incident Prevention/Control
(Forensic/Technical Perspective):
• Control email box size
• Education of employees
• Don't email data within an organization
• Perform data processing on a server or in a database
• Control and limit data access (need to know)
• Effective detection and monitoring
Page 36
Regulatory and Legal Considerations
Page 37
What Will You Encounter?
• Issuing banks advising cardholders
• Forensic investigation
• Media & customer inquiries
• Regulatory inquiries
• Operational challenges
• Decisions on public statements
• State breach notification law analysis
• Law enforcement
• Consumer class actions
• Issuing bank lawsuits
• Card network fines/assessments
• System remediation and revalidation
• Reporting of impact
• Regaining customer trust
Page 38
What Do Regulators Expect?
• Transparency
• Prompt and thorough investigation
• Good attitude & cooperation: commitment to compliance and safeguarding PII
• Appropriate and prompt notification
• Corrective action: know the root cause and address it; staff training; awareness program; technical safeguards; new policies/procedures/physical safeguards
• Remediation and mitigation
Page 39
Best Practices
• Prepare and practice a response plan
• Respond quickly
• Bring in the right team
• Preserve evidence
• Contain & remediate
• Let the forensics drive the decision-making
• Law enforcement
• Document analysis
• Involve the C-suite
• Be guarded, consistent, and honest in communications
• Plan for likely reaction of customers, employees & key stakeholders
• Mitigate harm
Page 40
10 Questions You Might be Asked
1. Describe your network environment.
2. Do you have a network diagram?
3. Describe the data that you process or store.
4. Describe the logs that you maintain.
5. Are you preserving the environment?
6. Are there critical 3rd party vendors?
7. What IT resources do you have?
8. Do you have a WISP or breach response plan?
9. How did you detect the intrusion?
10. What have you done so far?
Page 41
What are regulators looking at?
• Transparency
• Risk assessments
• Encryption
• Business Associate Agreements (health care)/Vendor Agreements
• Minimum necessary (health care)
• Documentation of breaches
• Policies and procedures
• Old data
• Prompt and thorough investigation
• Good attitude & cooperation (commitment to compliance and safeguarding PII)
• Appropriate and prompt notification
• Remediation and mitigation
• Regulators look beyond the breach incident and look at information security enterprise-wide.
Page 42
Regulatory Scrutiny
• FTC (section 5) – “unfair or deceptive acts or practices in or affecting commerce”
• HHS OCR (HIPAA Privacy and Security Rules)
• Department of Education
• State Attorneys General
Page 43
Litigation - Four Big Issues
• Standing
• Theories of harm on the merits
• Class certification
• Novel theories of liability
Page 44
Litigation - Standing
• Standing and pleading requirements continue to be significant hurdles for plaintiffs
• Courts continue to be faced with questions such as:
  – Whether the loss of personal information alone is an injury cognizable by law?
  – Whether an increased risk of identity theft is sufficient injury?
  – Whether unauthorized access to personal information alone causes real harm?
• So far, most courts answer no
• Require some more tangible injury before a data breach lawsuit can continue
Page 45
Litigation – Theories of Harm
• Statutory damages
• Increased risk of identity theft
• Time and effort to monitor/fix credit
• Emotional distress
• Personal information as property
• Invasion of privacy
• Breach of contract
• Breach of fiduciary duty
• Negligence
• Unfair, deceptive and unlawful business practices
• Defamation, libel, and slander
• Unjust enrichment
Page 46
Litigation – Damages
• The next big issue – even assuming standing, what damages are recoverable?
• Defines the scope of the potential class and defendant's potential liability
• Damages without any identity theft/fraudulent charges – are these “cognizable”? (No - Pisciotta)
• Some cases have taken a broader view of this, at least where there has been identity theft/fraudulent charges (Hannaford)
• If there are allegations of actual identity theft or fraudulent charges, the central issue becomes causation (AvMed)
Page 47
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (Feb. 26, 2013)
• Amendments to FISA
• Plaintiffs alleged communications being chilled, increased travel expenses
• Second Circuit: standing (objectively reasonable likelihood)
• Supreme Court – no standing, injury not “certainly impending”
• “[W]e have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient.”
  – The Court held plaintiffs also cannot “manufacture standing” by incurring expenses to mitigate against non-imminent harm
• Clapper applied in data breach cases
  – Polanco v. Omnicell (D.N.J.)
  – In re Barnes & Noble (N.D. Ill.)
Page 48
Litigation – Theories of Liability
• Negligence
– Economic loss rule
– Impact rule – alleged emotional distress
• Breach of implied contract (Hannaford, AvMed)
• Breach of fiduciary duty
– Good body of case law holding no fiduciary duty to safeguard information
• Invasion of privacy claims
• Consumer protection statutory claims
• Federal statutory claims – Stored Communications Act, Fair Credit Reporting Act
Page 49
Litigation – Class Certification
• Limited case law on whether certification is proper in the privacy context
  – Hannaford – no, but might statistical evidence suffice?
  – Data collection cases have fared better, especially when there are statutory damages at stake – e.g. comScore v. Dunstan (N.D. Ill. 2013)
• Major issues in data breach class actions
  – Predominance
    • Causation – is this an individual question?
    • Damages – can plaintiff prove them statistically?
  – Superiority – what if the defendant offered relief?
Page 50
Case Study: Anatomy of a Breach
Page 51
Incident Background
• Lost laptop
  – Not encrypted
  – Belonged to an employee that works with sensitive data
  – Reported five (5) days after the loss
  – Occurred in another state while the employee was traveling
Page 52
Initial Considerations for a Forensic Investigation
• What type of computer, size, operating system did it have?
• Has the laptop been recovered?
• Is there a recent backup of the laptop?
• What proxies exist that may indicate the data on the lost laptop?
… Change user credentials
Page 53
Forensic Considerations for a Recovered Laptop
• Prepare an image of the laptop
• Has anyone logged onto the computer since it went missing?
  • If yes, by which user account and when?
  • Was the email software opened during the period it was unaccounted for?
  • Were other files accessed?
  • DVD and USB usage?
  • What internet sites were connected to during the period it was unaccounted for?
  • Assess file access dates
Page 54
Case Study: Anatomy of a Breach
Analysis Steps for Laptop Not Recovered
• Starting point: best available data source for what was on the computer at the time of the loss.
• Goal: mine the data contents to identify the files that contain PHI and/or PII and the identifiers for the specific individuals contained in such files.
Page 55
Case Study: Anatomy of a Breach
Analysis Steps for Laptop Not Recovered
• Solution: forensic analysis tools and sophisticated data mining.
• Next step: enrich the data to get names and current addresses. This can usually be accomplished by running a query against certain systems in your organization.
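An added example (not the presenters' or Navigant's tooling) of the mining and enrichment steps described on the two slides above: scan the best available copy of the laptop's contents for identifier patterns, discard structurally impossible values, count distinct individuals rather than hits, then join the identifiers to an internal master record to obtain names and current addresses. The sample files, the master record and the MRN-NNNNNNN format are constructed assumptions; the MRN pattern stands in for whatever key-identifier formats your own response planning (step 5 of the preparation list) has catalogued.

```python
"""Added example (not from the handout): scan the best available copy of a lost
laptop's contents for identifier patterns, then enrich the hits against an
internal master record to build a notification list.

All inputs are constructed samples. The MRN format is a hypothetical
organization-specific pattern; replace it with the formats identified in
your own response planning.
"""
import re
from typing import Dict, List, Set

# Identifier patterns. SSN: 3-2-4 digits with optional separators, not embedded
# in a longer digit run. Card: 13-19 digits with optional spaces/hyphens.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
MRN_RE = re.compile(r"\bMRN-\d{7}\b")  # hypothetical MRN format (assumption)


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs (SSA rules): area 000, 666 or 900-999,
    group 00, serial 0000. Keeps placeholders like 000-00-0000 out of the count."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> Dict[str, Set[str]]:
    """Return normalized identifiers found in one file's text, keyed by type."""
    found: Dict[str, Set[str]] = {"ssn": set(), "card": set(), "mrn": set()}
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            found["ssn"].add("-".join(m.groups()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].add(digits)
    found["mrn"].update(MRN_RE.findall(text))
    return {k: v for k, v in found.items() if v}


def scan_files(files: Dict[str, str]) -> Dict[str, Dict[str, Set[str]]]:
    """Map file name -> identifiers, for the files that contain any."""
    hits = {name: find_identifiers(text) for name, text in files.items()}
    return {name: ids for name, ids in hits.items() if ids}


def unique_identifiers(hits: Dict[str, Dict[str, Set[str]]]) -> Dict[str, int]:
    """Count distinct identifiers per type across all files: one person may
    appear in several files, and notification is per person, not per file."""
    merged: Dict[str, Set[str]] = {}
    for ids in hits.values():
        for kind, values in ids.items():
            merged.setdefault(kind, set()).update(values)
    return {kind: len(values) for kind, values in merged.items()}


def enrich(ssns: Set[str], master: Dict[str, Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Join SSNs to the internal master record for names and current addresses.
    Unmatched identifiers need another lookup before a letter can go out."""
    matched = [dict(master[s], ssn=s) for s in sorted(ssns) if s in master]
    unmatched = [{"ssn": s} for s in sorted(ssns) if s not in master]
    return {"matched": matched, "unmatched": unmatched}


# Constructed sample files standing in for the laptop backup.
SAMPLE_FILES = {
    "patients_q1.xlsx.txt": (
        "Name,MRN,SSN\n"
        "A. Smith,MRN-0042117,219-09-9999\n"
        "B. Jones,MRN-0042118,078-05-1120\n"
    ),
    "expenses.csv": "card,amount\n4111 1111 1111 1111,120.00\n1234 5678 9012 3456,5.00\n",
    "readme.txt": "Version 2014-03-10, build 000-00-0000, ticket 666-12-3456\n",
}

# Constructed master record (e.g. the patient index); in practice a query against it.
MASTER = {
    "219-09-9999": {"name": "A. Smith", "address": "1 Main St, Springfield"},
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    print(hits)
    print(unique_identifiers(hits))
    print(enrich(hits["patients_q1.xlsx.txt"]["ssn"], MASTER))
```

The structural checks are what keep the individual count honest: the two SSN-shaped strings in readme.txt and the 16-digit number that fails Luhn are excluded, so the notification population is two people and one card, not five hits. Anything left in the unmatched list is still a person to notify; it just cannot be addressed from this master record.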
Page 56
Case Study: Anatomy of a Breach
After the Forensic Analysis
• Select notification/call center vendor
• Prepare notification letter
• Prepare answers to frequently asked questions
• Address going-forward prevention steps
• Determine “offering” to impacted individuals
• Send notification letters out
Page 57
Insider Perspective - Client Risk Management
Key Internal Relationships
• IT (especially IT Security)
• Legal
• Security
• Operating Units
Page 58
Insider Perspective - Client Risk Management
Processes to have in place
• Cyber-specific Incident Response Plan
  – Annual test
• External legal counsel and forensics vendors hired
• Claims Dept. relationships with broker and primary cyber carrier
  – Leverage broker & carrier resources
• Contract input whenever network access involved
  – Cloud providers
• Re-visit exposures annually
Page 59
Insider Perspective - Closing Considerations
• Remember Watergate: it's the cover-up, not the crime, that gets you in the most trouble.
• In data breaches, the most substantive fallout often comes not from the breach itself but from the government and the plaintiffs' bar lifting the hood to see what your privacy practices actually are.
• Infrastructure costs: privacy by design is much cheaper in the long run than privacy by government or class action fiat.
• Turn risk management into a legal investment and a reputation-preserving and branding opportunity: security as a value proposition to customers, consumers, regulators and business partners.
• Be forward thinking: mobile, cloud, BYOD.
Page 60
Heartbleed
• Vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library
• OpenSSL is used to encrypt internet data traffic (TLS/SSL)
• OpenSSL is widely used by U.S. businesses
• A new version of OpenSSL (1.0.1g) is available
• The new version has been implemented by many companies
• Before the fix was applied, the bug let an attacker read up to 64 KB of the process's memory per request, so private keys, session cookies and data traffic thought to have been encrypted could have been exposed
• Other complex security considerations (e.g. re-issuing certificates and resetting credentials after patching, since keys read from memory stay useful to an attacker)
• Potential exposure since December 2011: the bug was committed on December 31, 2011 and shipped in OpenSSL 1.0.1, released March 14, 2012
• Fix became available April 7, 2014
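An added example (not from the presenters) of the first check a responder would run on every host in the inventory: classify the output of `openssl version` and `openssl version -b` against the affected range. The version lines are constructed samples. The “possibly_patched” outcome encodes the caveat practitioners ran into in April 2014: Debian and Ubuntu shipped patched packages whose version string was unchanged (still reporting 1.0.1e or 1.0.1), so a version string alone can condemn a host but cannot clear one; a build date on or after the fix date means the package advisory or a heartbeat probe has to settle it.

```python
"""Added example (not from the handout): triage `openssl version` output for
Heartbleed (CVE-2014-0160). All version strings below are constructed samples."""
import re
from datetime import datetime

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# `openssl version -b` prints e.g. "built on: Tue Apr  8 14:04:56 UTC 2014"
BUILT_ON_RE = re.compile(
    r"built on:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+(?:\w+\s+)?(\d{4})"
)
FIX_DATE = datetime(2014, 4, 7)  # OpenSSL 1.0.1g release


def vulnerable_by_version(version_line: str) -> bool:
    """True if the version string is in the affected range: 1.0.1 through 1.0.1f,
    plus 1.0.2-beta1. The 0.9.8 and 1.0.0 branches never had the heartbeat code."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognized version line: {version_line!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) and a-f are vulnerable
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


def build_date(built_on_line: str):
    """Parse the date out of `openssl version -b` output, or None if unrecognized."""
    m = BUILT_ON_RE.search(built_on_line)
    if not m:
        return None
    mon, day, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year}", "%b %d %Y")


def assess(version_line: str, built_on_line: str = None) -> str:
    """Classify a host as 'not_affected', 'vulnerable' or 'possibly_patched'.
    Distributions backport fixes without bumping the version letter, so a
    vulnerable-looking version built on or after the fix date is only
    'possibly_patched' and needs an advisory check or a heartbeat probe."""
    if not vulnerable_by_version(version_line):
        return "not_affected"
    built = build_date(built_on_line) if built_on_line else None
    if built is not None and built >= FIX_DATE:
        return "possibly_patched"
    return "vulnerable"


if __name__ == "__main__":
    for v, b in [
        ("OpenSSL 1.0.1e 11 Feb 2013", None),
        ("OpenSSL 1.0.1e 11 Feb 2013", "built on: Tue Apr  8 14:04:56 UTC 2014"),
        ("OpenSSL 1.0.1g 7 Apr 2014", None),
        ("OpenSSL 1.0.2-beta1 24 Feb 2014", None),
    ]:
        print(v, "->", assess(v, b))
```

Feed it the two command outputs collected from each host (by the configuration management tool, or a simple SSH loop) and treat every “vulnerable” and “possibly_patched” result as a host whose keys and credentials are in scope for the re-issue step above until proven otherwise.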
Page 61
Contact Information
Ted Kobus, Esq. tkobus@bakerlaw.com
(212) 271-1504
Katherine Keefe, Esq. katherine.keefe@beazley.com
(215) 446-8421
Steve Visser svisser@navigant.com
(303) 383-7305
Jim Morley morleyjamesp@johndeere.com
(309) 765-5377
Page 62
EVALUATION/SURVEY
Please complete the session survey on the RIMS14 mobile application.