Anatomy of a Data Breach Presentation

Anatomy of a Data Breach
March 12, 2014
Lucie Huger
Officer, Greensfelder, Hemker & Gale, P.C.
Jarrett Kolthoff
President, SpearTip
Joyce Yeager
Assistant Attorney General, State of Missouri
We Earn Our Reputation From The Companies We Keep.®
“Information is the New Oil!”
• Companies are collecting and storing mass amounts of data on a regular basis.
• This data may include information about employees, customers, intellectual property/trade secrets and business operations.
• This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.
Everywhere
• With the popularity of social media, conducting business on personal devices, and outsourcing certain business functions to third parties, data breaches are becoming more prevalent.
Possible Outcomes Affecting Business Operations Resulting From A Breach
• Loss of customers
• Damage to business reputation
• Compliance obligations
• Government investigations (federal and state)
• Civil litigation
Common Causes of Data Breaches
• Negligence
• Malicious or criminal attacks (hacking or theft of electronic devices)
• Corporate espionage/malfeasance
Anatomy of a Data Breach
1. Notify those within your organization who need to know of the incident:
• Not every incident constitutes a breach that would lawfully require notification.
• Internal communications could be discoverable, so be careful what you say and how you say it.
• Note the date and time of the discovery of the incident.
Anatomy of a Data Breach
2. Assemble a response team, both internal and external. The team should consist of:
• Key company stakeholders
• Legal counsel: since civil litigation is possible, an attorney knowledgeable in breach issues can help to keep the process of working through a breach protected by privilege
• Forensic IT firm
• Communications expert
Anatomy of a Data Breach
3. Investigate the incident: What type of data is involved, what are the circumstances involved, how many persons are affected.
• Carefully plan/strategize the investigation before you begin.
• Keep the language of the investigation easy to understand.
• Interviews may be appropriate.
• Document the steps and findings.
• Involve law enforcement, as appropriate.
• Involve insurers, as appropriate.
Anatomy of a Data Breach
4. Determine whether the incident constitutes a reportable breach: Look to applicable laws and determine whether there is an exception.
• Federal
  – Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  – Gramm-Leach-Bliley Act (GLBA)
Anatomy of a Data Breach
• State or States: Currently, there are 46 states that have enacted data breach laws. Some of these laws apply to businesses operating in the state, while others apply to affected residents of the state (multiple state laws may come into play in a single breach). It will be necessary to determine which state(s) law(s) apply.
  – Some states have different definitions for what data constitutes “personal information.”
  – Some state laws require notification of residents based upon “unauthorized access.”
  – Certain states require a risk of harm analysis to determine whether notification is required.
  – Certain state laws protect electronic records, not paper records.
  – Many states require notice to the State Attorney General.
  – States generally require notice within a defined timeframe, but these timeframes can vary.
Anatomy of a Data Breach
5. Contain the breach and mitigate harm, to the extent possible.
• Is it possible to retrieve the lost/stolen device?
• Is it possible to “wipe” the data from the lost/stolen device?
• Is it possible to arrange for the return of the data erroneously disclosed?
• Is it possible to enter into a nondisclosure agreement/attestation for return of data?
Anatomy of a Data Breach
6. Notify
• Affected persons
  – It takes time to find up-to-date addresses
• Law enforcement
• State Attorneys General
• Government
  – Department of Health and Human Services
• Media
• As required under federal or state law
Anatomy of a Data Breach
7. Respond to inquiries.
• Do you need to establish a toll-free number for inquiries?
• Do you need to establish a call center?
• Have you established a triage team to address unique customer concerns?
• Have you established a system for addressing press inquiries?
Anatomy of a Data Breach
8. Improve processes to avoid future data breaches.
• Have you considered a third-party audit to review your company’s policies/compliance efforts as well as its technical infrastructure?
Which Data Breaches are being Litigated?
• Probability of a lawsuit is positively correlated with the number of records lost.
• Probability of a lawsuit is positively correlated with the presence of actual harm (financial loss, emotional distress) and negatively correlated with credit monitoring being offered.
• Lawsuits are more likely to occur from breaches caused by improper disclosure of information, as opposed to a computer hack, for example.
• Probability of a lawsuit is positively correlated with the compromise of personal information requiring a heightened level of protection by individuals affected.
Romanosky, S., Hoffman, D., Acquisti, A. (2013). Empirical Analysis of Data Breach Litigation. iConference 2013 Proceedings.
Proactive Approach
Create a Preparedness Plan, now:
• Identify persons within your organization who are/will be responsible for data management.
• Identify compliance requirements according to applicable laws.
• Identify the types of data your organization collects/processes/develops.
• Create a risk assessment plan and mitigation plan.
• Develop policies and educate all staff.
• Have a reporting mechanism that is well publicized and encouraged.
• Procure insurance to cover data breaches (cyber policy).
• Review vendor contracts.
Lucie F. Huger
314/345-4725
E-mail: lfh@greensfelder.com
SpearTip
Cyber Counterintelligence
Jarrett Kolthoff
President & CEO
SpearTip, LLC
Saint Louis, Missouri
Forrester Research – Value of Corp Secrets
• Current Data Security Strategies
  – Identify the Most Valuable Information Assets
  – Create a “Risk Register” – Compliance / Corporate Secrets
  – Assess Balance Between Compliance & Protecting Secrets
• Establish Baseline
  – Reprioritize Enterprise Security Investment
  – Increase 3rd Party Vigilance
  – Measure Effectiveness – Key Performance Indicators (KPIs) and “Audit the Auditor”
National Defense Magazine, Sep 2002
“Just over a decade ago, intelligence collection efforts still focused primarily upon military assets. Now, these have largely shifted to concentrate upon technology, manufacturing processes, and other trade secrets that sometimes have dual use but often only civilian applications.”
David M. Keithly and Stephen P. Ferris, “US Companies Exposed to Industrial Espionage,” National Defense Magazine, Sep 2002
Cyber Warfare – New Types of Soldiers
• Taking on new missions
• Theft of processing power
• Theft of customer data and financial information
• Theft of research
• Destruction of research data
• Hacktivism
• Using active memory manipulation to foil static analysis and avoid signature-based AV solutions
• In some cases, being used in conjunction with human operatives in the theft of company IP
Method of Attacks
• PayPal phishing scam tempting users to click a “Resolution Center” link.
Cyber Warfare – Phishing Scams
• The first suspicious part of this phishing email is the email domain.
• The second suspicious piece of this email is the URL hidden behind the “Resolution Center” link.
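The two indicators the slide names, the sender's email domain and the URL hidden behind the link text, can be checked mechanically before a user ever sees the message. The following is an added Python example written for this page; it is not code from the presentation or from SpearTip. The message it inspects is constructed to resemble the "Resolution Center" lure described above, and the allow-list of expected brand domains and the crude last-two-labels domain reduction are assumptions that a real deployment would replace with a maintained list and a public-suffix library.

```python
# Added example (not from the presentation): automate the slide's two
# phishing indicators, sender domain and the URL hidden behind link text.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the "Resolution Center" lure described on the slide.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypal-login-alerts.example>
To: customer@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please visit the
<a href="http://203.0.113.45/pp/resolve">Resolution Center</a> to restore access.</p>
<p>Thanks, <a href="https://www.paypal.com/help">PayPal Help</a></p>
</body></html>
"""

# Assumed allow-list: the domains the message's branding claims to come from.
EXPECTED_DOMAINS = {"paypal.com"}


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (example assumption; a real
    deployment would use the public suffix list). IP literals stay as-is."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_email(raw: str, expected_domains=EXPECTED_DOMAINS) -> list:
    """Return a list of findings; an empty list means neither indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: the From: domain is not one of the brand's domains.
    _, addr = parseaddr(str(msg["from"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    if registrable(from_domain) not in expected_domains:
        findings.append(f"sender domain {from_domain!r} is not an expected brand domain")

    # Indicator 2: a link's real destination (href host) is outside the brand's
    # domains, regardless of what the visible link text says.
    body = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in expected_domains:
            findings.append(f"link text {text!r} hides destination host {host!r}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run against the constructed message, `check_email` reports both indicators: the From: domain is not the brand's, and the "Resolution Center" link resolves to a bare IP address rather than the brand's domain, while the legitimate-looking "PayPal Help" link produces no finding. The checks deliberately look at the href host, not the visible text, because the slide's point is that the two can differ.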
Cyber Warfare – APT
• An Advanced Persistent Threat (APT) is a cyber attack launched by a group of sophisticated, determined and coordinated attackers who have been systematically compromising a specific target’s machines or an entity’s networks for a prolonged period of time.
• The term “persistent” also covers the attackers’ practice of persistently launching spear-phishing attacks against their targets.
Cyber Warfare – Stages of Compromise
• Stage-0 Loader
  – Usually a small application (.exe)
  – Application normally with limited behavior
  – “Droppers”
  – May be found on disk
• Stage-1 Loader
  – Normally memory-resident
  – Usually utilizes process injection or process replacement
  – Normally not hard-coded, allowing for flexibility
  – May seek to uninstall AV solutions
Cyber Warfare – Stages of Compromise
• Follow-on Modules
  – These will also be primarily memory-resident
  – May seek out and destroy other malware
  – Will often initiate C2 communications for data exfiltration and propagation
  – May also log keystrokes and interfere with AV solutions
Cyber Warfare – Malware Characteristics
• Initial infection vector
• Propagation mechanism
• Persistence mechanism
• Artifacts
Cyber Counterespionage – Case Studies
• Romanian Hack Team – Credit card fraud
  – Arrested by INTERPOL
• Chinese Foreign National – APT – Pre-Patent theft
  – Identified SUBJECT/Source and remediated malware
• Identified Anonymous – STL
  – Arrested by FBI
• Critical Infrastructure – SCADA
  – Secured SCADA systems and continuous monitoring for cyber threats
• International Wire Fraud – $6.9MM
  – Recovered $6.9MM wired to Russia and defended bankers bank from lawsuit
General Counsel’s Response to the Breach
Plan For the “When”, Not the “If”
• “Own” the response to the breach
• Validate with Legal interpretation
• Breach Notification Policies
• Balancing Legal with Reputational Risks
• Table-Top Exercises
• Continually updating policies/procedures
• Consultant to the Board
Engagement Strategies – Paradigm Shift
• Multi-national corporate espionage is a reality!
• Corporations have a responsibility to protect their intellectual property.
• Un-conflicted Advisory Services
• Board Level optics
• Traditional Audits / Penetration Testing
• Advanced Malware Capabilities
• Consultant to the Board
Protect Your Corporate Assets! Make a Plan!
STATE LAW REGULATORY PRINCIPLES
B. Joyce Yeager, Esq., CIPP
Assistant Attorney General
The statements and content of this presentation are personal statements and opinions of Joyce Yeager, CIPP, and are not the statements or opinions of the Office of the Attorney General of the State of Missouri, and are not the statements or opinions of Attorney General Chris Koster.
PRIVACY IS MORE THAN THE DATA BREACH IN THE PRESS
State Privacy topics
General
• Election (Chapter 115 RSMo): Election Authorities and Conduct of Elections
• Gambling and biometrics (Chapter 313 RSMo): Licensed Gaming Activities - patrons shall not be required to provide fingerprints, retinal scans, biometric forms of identification, any type of patron-tracking cards, or other types of identification prior to being permitted to enter the area where gambling is being conducted
• Financial Records (362.422 RSMo): Disclosure of nonpublic personal information; nonaffiliated third parties (State law parallel to federal Gramm-Leach-Bliley Financial Modernization Act of 1999, “GLBA”)
• Social Security numbers (407.1355 RSMo): Social Security numbers, prohibited actions involving…a state or local agency
• Missouri Right to Financial Privacy (408.675 to 408.700 RSMo): There are provisions throughout the Code and in federal law pertaining to credit information, credit rating information, and credit reporting
• Privileges (491.060 RSMo): Persons incompetent to testify--exceptions, children in certain cases (child testimony; privileges for attorney, minister, physician communication)
• Tampering with a judicial officer, penalty (565.084 RSMo)
• Crime of stalking (565.225 RSMo)
• Crime of invasion of privacy (565.252 and 565.253 RSMo): Photography/film
• Tampering with computer (569.095 to 569.099 RSMo)
• Employment: There are statutes throughout the Missouri Code protecting records pertaining to educators, public employees, as well as military members and their families
Communication
• Telephone (407.1070 to 407.1110 RSMo): Telemarketing Practices (phone solicitation)
• Unsolicited E-mail (407.1135 to 407.1141 RSMo): Unsolicited Commercial E-Mail prohibited
• Wiretaps (542.400 to 542.422 RSMo): Wiretaps (common carrier switching station communications)
Health
• Health (167.183 RSMo): Immunization records, disclosure, to whom-disclosure for unauthorized purpose, liability
• Regulation of Abortions (Chapter 188 RSMo): Breach of Confidentiality prohibited
• AIDS (Acquired Immunodeficiency Syndrome) (191.656 to 191.703 RSMo): Confidentiality of HIV records
• Breast-feeding (191.918 RSMo): Breast-feeding in public permitted
• Genetic Information and Domestic Violence (375.1300 to 375.1312 RSMo): Genetic information cannot be used by employers or insurers to discriminate against individuals
• Medical and Pharmaceutical: There are provisions throughout the Code and in federal law pertaining to medical and pharmaceutical information. For examples of medical records protections, see the web page for the Office of Civil Rights of Health and Human Services (“HIPAA” and “HITECH”). For information pertaining to the safety of records pertaining to the Affordable Care Act, see the web page for the Federal Trade Commission.
Identity
• Identity Theft (570.223 RSMo): Crime if he or she knowingly and with the intent to deceive or defraud obtains, possesses, transfers, uses, or attempts to obtain, transfer or use, one or more means of identification not lawfully issued for his or her use
• Trafficking in stolen identities (570.224 RSMo): Crime if manufactures, sells, transfers, purchases, or possesses, with intent to sell or transfer means of identification ... for the purpose of committing identity theft
• Fake Identification (570.380 RSMo): Manufacture or possession of fictitious or forged means of identification, intent to distribute, violation
Records
• Criminal Records (43.542 RSMo): Approval of National Crime Prevention and Privacy Compact--execution of compact (criminal history records)
• Library Records (182.815 and 182.817 RSMo): Disclosure of library records not required—exceptions
• Juvenile Records (Chapter 211 RSMo): Juvenile Courts (privacy protections throughout Chapter)
• Education Records: Education records are protected by federal statute
Types of Privacy Statutes and Regs Typically Found in State Laws
• Arrest and Conviction Records
• Banks and Financial Records
• Legal filings
• Cable Television
• Medical Records/Biological information/Bioidentifiers
• Pharmacy Records
• Polygraphs in Employment
• Computer crime
• Credit Reporting and Investigating
• Criminal Justice Records
• Mailing lists
• Education Records
• Privacy Statutes (such as the protection of certain pictures)
• Social Security numbers
• Electronic Surveillance
• State Constitutional guarantees
• Employment Records
• Sunshine Statutes
• Government Information on Persons
• Identity Theft
• Insurance Records
• Tax Records
• Library Records
• Licensing Information
• Tracking
• Vehicle/Drivers Licenses
• Telephone Services
• Testing in employment
FDA Regulation / HIPAA/HITECH
• Section 201(b) of the Food, Drug, and Cosmetic Act. Software is a medical device.
• HIPAA/HITECH and “Business Associates”
• All roads lead through Texas on medical records privacy: “I Think They Mean It,” by B. Joyce Yeager, Journal of Consumer & Commercial Law, http://www.jtexconsumerlaw.com/MedicalPrivacy.pdf
Do Not Track
Section 22575 of the Business and Professions Code of California
Compliance with 201 CMR 17:00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts
Any person that receives, stores, maintains, processes or otherwise has access to personal information acquired in connection with employment or with the provision of goods or services to a Massachusetts resident has a duty to protect that information. A "person," for purposes of the regulation, may be an individual, corporation, association, partnership or other legal entity.

Personal information includes a surname, together with a first name or initial, in combination with one or more of the following three data elements pertaining to that person: Social Security Number; driver's license or state-issued identification card number; or financial account or credit or debit card number, with or without any other data element, such as a code, password, or PIN, that would permit access to the person's financial account.

The duty includes the requirement that the person develop and maintain a comprehensive Written Information Security Program ("WISP") to safeguard such information. If the person electronically stores or transmits personal information, the WISP must include a security system covering the person's computers and any portable and/or wireless devices. Safeguards should be appropriate to the size, scope and type of the person's business, to the person's available resources, to the amount of stored data and to the need for security and confidentiality of consumer and employee information. They must be consistent with safeguards for the protection of personal information, and information of a similar character, that are set out in any state or federal regulations that apply to the person.
MISSOURI AS AN EXAMPLE OF MEDICAL INFORMATION NOTICES AND HEALTH INFORMATION NOTICES
Missouri Revised Statutes, Chapter 407, Merchandising Practices, Section 407.1500 (August 28, 2013)
Definitions--notice to consumer for breach of security, procedure--attorney general may bring action for damages.
407.1500. 1. As used in this section, the following terms mean:
(1) "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information;
(2) "Consumer", an individual who is a resident of this state; . . .
407.1500 cont’d
(5) "Health insurance information", an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual;
(6) "Medical information", any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
(7) "Owns or licenses" includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;
(8) "Person", any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any other legal or commercial entity; . . . .
407.1500 cont’d
(9) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
(a) Social Security number;
(b) Driver's license number or other unique identification number created or collected by a government body;
(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(e) Medical information; or
(f) Health insurance information.
407.1500 cont’d
Subsection 2.
(1) Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach. The disclosure notification shall be:
(a) Made without unreasonable delay;
(b) Consistent with the legitimate needs of law enforcement, as provided in this section; and
(c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
NOTICE FOR PHI/PII
• SEC filings
• OCR/HHS
• State(s)
TRENDS
• http://www.databreaches.net/netdiligence-2013-report-cyber-liability-data-breach-insurance-claims/
• https://www.allclearid.com/files/2613/8325/4119/CyberClaimsStudy2013.pdf
• http://www.slideshare.net/Bee_Ware/verizon-2014-pci-compliance-report31933261?utm_source=slideshow02&utm_medium=ssemail&utm_campaign=share_slideshow
But why?
We feel that to reveal embarrassing or private things, we have given someone something, like a primitive person fearing that a photographer will steal her soul. To identify our secrets, our past, and our blotches is to reveal our identity, our sense of self. Revealing our habits or losses or deeds somehow makes one less of oneself.
Paraphrase, Dave Eggers, A Heartbreaking Work of Staggering Genius