Cybersecurity Update 2016: The Latest on Threats, Laws and Best Practices for Retailers


Page 1

© Sheppard Mullin Richter & Hampton LLP 2016

Cybersecurity Update 2016

The Latest on Threats, Laws and Best Practices for Retailers

Laura Jehl

Page 2

Overview

The Threat

What’s new in 2016?

The Risk

The Law

The Preparation

The Cost

The Help

2

Page 3

The Threat

What’s your digital nightmare?

Theft of data?

– Credit card numbers

– Personally identifiable information (employee/customer)

– Confidential company information

– IP/Trade secrets/corporate espionage

– Email

Ransomware?

– Systems encrypted, disabled, ransom demanded

DDoS (Distributed Denial of Service) Attack?

– Website or other host overwhelmed and disabled

All of the Above?

3

Page 4

The Threat

Threats exist in every connected system:

– Network/enterprise systems

– Wireless networks

– Social media

– “Internet of things”

– Point of sale machines

– Employee devices (“BYOD”)

The “Vectors”

– Collaborative tools

– File sharing applications

– Finance & Accounting software/application

The Spoils

– Customer Data

– Intellectual Property

– Financial Data

– Money

4

Page 5

What’s New? Carbanak Group 2.0

Operates out of Russia and China

Attacked banks by sending “spearphishing” emails to their employees and customers.

– Clicking on the email attachments downloads malware onto their computers

– Malware lurks for a long time, learning about the behavior of the user or processes at the bank

Steals money by emulating legitimate employee or customer activities, such as normal-looking online banking transactions.

– Able to avoid detection and fraud monitoring

5

Page 6

What’s New? Carbanak Group 2.0 (cont’d)

2.0 now targeting corporate finance and accounting departments, moves money to what looks like legitimate corporate accounts

Group “GCMAN” sends spearphishing emails with malware attachments that look like Word documents

– Once inside, uses legitimate penetration testing tools to move around and finds a way to transfer money from the bank to digital currency

– One case sent $200 a minute

– Can lurk in a victim's network for a year and a half before activating a theft

6

Page 7

The Threat: What’s New?

Source and Nature of Attacks:

Ransomware

– Malware disables systems or encrypts data and demands a payment to unlock them

– New variants combine ransomware with scraper and DDoS capabilities

– FBI predicts total ransomware costs >$1 billion in 2016

– Phishing emails containing ransomware up 789% in Q1 2016

7

Page 8

The Threat: What’s New?

Source and Nature of Attacks:

Fraudulent Financial or Data Transfers

– Fake “CEO” emails requesting employee W2 data

– Fake “CFO” emails requesting fraudulent wire transfers

– Hackers interact with targeted employees, answer questions

– “Epidemic” of these attacks in 2016

Hacktivism

– The “Panama Papers”

8

Page 9

The Threat: What’s Not New?

“Phishing”/“Spearphishing”

– Not new, but increasingly sophisticated and interactive

– “Phishing” emails contain links that look legitimate (Word docs); intended to steal credentials

– “Spearphishing” emails contain malware

– 93% of spam now contains ransomware

– Still the best and most effective mode of attack

Hostile Foreign States

Insider Threats

9
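The fake “CEO”/“CFO” requests on slide 8 and the interactive phishing on slide 9 share two header-level tells a mail gateway can screen for: an executive's display name on an external address, and a Reply-To that steers answers elsewhere. The following is an added example, not part of the original deck; the company domain, executive names, keyword list and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions (not from the slides): the retailer's own mail domain
# and the executives whose names a fake "CEO"/"CFO" message would borrow.
COMPANY_DOMAIN = "example-retailer.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}
# Request types the slides describe: W-2 data pulls and wire transfers.
KEYWORDS = ("w-2", "w2", "wire", "payment")

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return the reasons an inbound message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    key = name.strip().lower()
    from_dom = _domain(addr)
    reasons = []
    # Signal 1: display name of a known executive, but the address is external.
    if key in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' matches the {EXECUTIVES[key]} "
                       f"but sender domain is '{from_dom}'")
    # Signal 2: replies are steered to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To domain '{_domain(reply)}' differs from From domain")
    # Keywords only add weight when a header signal exists: a genuine CFO mail
    # about a wire, sent from the company domain, must pass. Single-part body assumed.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [k for k in KEYWORDS if k in text]
    if reasons and hits:
        reasons.append("mentions " + ", ".join(hits))
    return reasons

# Constructed sample messages for a stand-alone run.
SAMPLE_SPOOF = ("From: Jane Doe <jane.doe@webmail.example>\n"
                "Reply-To: ceo-jane@other.example\n"
                "Subject: Urgent wire transfer\n\n"
                "I need a wire sent today. Also send me the W-2 data for all staff.\n")
SAMPLE_LEGIT = ("From: Jane Doe <jane.doe@example-retailer.com>\n"
                "Subject: Wire transfer approved\n\nApproved, thanks.\n")

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample) or ["no findings"])
```

Findings are meant to route a message to a second-channel verification step (a phone call to the executive), which is the control the “interactive” attacks on slide 9 are designed to defeat by email alone.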

Page 10

The Threat

Motivations for Cyber Attacks

Financial gain

Ideology/terrorism

Espionage

Fame/ego/self-image/recognition

Divided loyalties

Revenge/disgruntlement

Adventure/thrill

Vulnerability to blackmail

Compulsive or destructive behavior

Negligence

Or all of the above (e.g., Sony)

10

Page 11

The Threat

The “Human” Element

– Research shows that >50%, and possibly >90%, of all data breaches include an aspect of employee ignorance, negligence, or malice

Employee Training is Key

– Index to past experiences and threat intelligence

– Tailor to meet staff abilities and roles

– Interactive training with participation

– Lather . . . Rinse . . . Repeat

11

Page 12

The Threat

Valuable Personal Data:

Names

Addresses

Birthdates

Credit Card Numbers

Financial Account Numbers

Financial Account Balances

Social Security Numbers

Foreign Tax ID Numbers

Passport Issuers/ Numbers

Valuable Company Data:

Intellectual Property

Company Financials

Email/Communications

HR Information

. . . And money


12

Page 13

The Risk

Retail in hacker crosshairs:

– One-third of retail IT professionals say a breach has occurred at their company

– Retail largest share of breaches over last 4 years; 25% of breaches, 42% of records breached (CA AG Data Breach Report 2016)

Shopper attitudes:

– 75% of shoppers hold retailers responsible for keeping their information secure

– 50% believe retailers could avoid breaches by installing better technology

– But . . . 64% accept the risk of breaches as part of the shopping process (Interactions study)

13

Page 14

The Risk

Payment Card Industry Data Security Standard (PCI DSS)

A common set of industry tools and measurements to help ensure the safe handling of sensitive information

Provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents

Applies to any entity that stores, processes and/or transmits CHD (cardholder data)

Version 3.1 released April 2015

Bottom Line

If you take plastic, PCI applies to you

14

Page 15

The Risk

PCI Forensic Investigation Program

Requires an entity to notify the affected card brand(s) in the event of a compromise

Brands may/will require the compromised entity to engage a PFI (PCI Forensic Investigator) to conduct an independent forensic investigation

– The affected company is responsible for all fees and expenses, but the report goes directly to the card company

– PFI is intended to seek out the truth – but not infallible

Bottom Line

PFIs are looking for your mistakes – get a second opinion

15

Page 16

The Law

Duty to protect privacy and security of personally identifiable information (“PII”) you collect

This means you must:

– Comply with applicable state and federal laws

– Comply with your own privacy statements (e.g., privacy policy)

– Clearly disclose what types of information you collect, and how that information is used

16

Page 17

The Law

A security breach can lead to liability, including under

the following laws:

FTC Act

Gramm-Leach-Bliley Act

FACTA (credit card number masking)

PII/Credit Card Collection laws (CA, MA and 16 other states)

Data Security Breach Notification laws (47 states)

Sarbanes-Oxley

Fair Credit Reporting Act

Electronic Signatures in Global and National Commerce Act

Federal Information Security Management Act

Homeland Security Act of 2002

SEC and DOJ Guidelines

17

Page 18

The Law

Many different bodies enforce these laws:

– FTC, SEC, CFPB, State Attorneys General, DOJ, private Class Action Litigation

Enforcement is getting tougher:

– FTC is promising much stricter enforcement of federal privacy laws; now has authority to regulate cybersecurity preparedness

– SEC just announced $1M fine of Morgan Stanley for lax cybersecurity

– State Attorneys General cracking down, with CA in the lead

– Class actions for data privacy violations are becoming much more common, and are not being dismissed

– Court has repeatedly declined to dismiss Anthem MDL (about 100 class actions consolidated in N.D. Cal.)

18

Page 19

The Preparation

Create an Information Security Incident Response Plan

Engage your Cyber Threat team

– Legal, IT, and HR critical

Third party experts

– Communications

– Legal

– Cyber-Forensics

Map your Data – know what you have

Understand regulatory requirements

Legal and contractual obligations

Required notifications?

Public relations plan

Executive and board member roles

Contact information for law enforcement

Review insurance coverage

19

Page 20

The Preparation

Testing a Data and Information Security Plan

“Exercise your nightmare(s)” at different levels

– Board

– C-Suite

– Cyber incident response team

Examine different scenarios

– Ransomware

– Breach

– Hacktivism

Outside counsel should lead “table top” exercises

– Protects privilege if vulnerabilities are identified

– Identifies legal risk at every step of process

– Allows the perspective of a third party

20

Page 21

The Preparation

BE PREPARED

Review where critical data is located and implement proper security controls (encrypt it, use access controls, etc.)

ASSUME you will be breached

Have procedures to prevent breach by insiders as well

Utilize security monitoring mechanisms to detect early red flags of potential breach

Don’t retain unnecessary data; securely destroy it!

For data that you do retain, constantly assess who has access to it and how it can be accessed

21

Page 22

The Cost of Cybersecurity

$$$

Data mapping, forensic security analysis, penetration testing by outside consultants (they may suggest remediation of some systems, which can be costly)

$$

Preparation of incident response plans (varies with levels of customization)

$

Deterrence (train and test employees through “phishing campaigns,” institute two-factor authentication on all systems)

22

Page 23

The Cost

Impacts of a breach

– Fraud ($$)

– Financial loss

– Brand damage/Embarrassment

– Data leak / Breach

– IP loss

– Identity theft

– Liability risk

23

Page 24

The Help

Responding to a Cyber Incident

Call your lawyers & forensic experts

Follow the “First 30 Minutes” checklist

Follow your written, updated, and exercised ISIR plan

– Stop the bleeding

– Restore back-up version of data (if uncompromised)

Document whatever steps are taken and costs incurred to mitigate the damage!

Assess both the nature and scope of the incident

– Intentional or Unintentional?

– Level of Access?

24

Page 25

Best Practices

Goal should be security…not compliance

Know your business and your employees

Train your employees and test their response to “phishing” campaigns

Baseline your systems’ “normal” to spot “abnormal”

Understand and moderate your data collection needs

Wall it off: Insist on limited access to PCI and PII data

Back it up: make sure data is securely backed up and available when/if needed

Encrypt sensitive data

And…

25

Page 26

Best Practices

“Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time During an Incident”

As suggested by the DOJ…

~ Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents, Version 1.0 (April 2015)

26