You’ve Been Hacked… South... · 2015-01-14 · The Data Breach Epidemic in the News ......

Page 1:

Usama Kahf, Esq. [email protected]

(949) 798-2118

You’ve Been Hacked… Now What?

November 4, 2014

Page 2:

© 2014 Fisher & Phillips LLP

The Data Breach Epidemic in the News

Why Is Data Privacy Important?

Notice requirements and potential liability in the event of a data breach

Best practices for safeguarding sensitive data / preventing data breach

Drafting a policy to comprehensively address BYOD and use of company devices

Page 3:

Target’s Black Friday Theft

40 million customers victimized

$61 million in 4Q expenses

CIO resigned

Page 4:

38% increase in incidents of loss, theft and exposure of personally identifiable information over the past year

Source: IBM Analytics

Page 5:

55% of C-Suite Executives Surveyed Believe Malicious or Negligent Insider/Employees Are The Primary Cause of Data Breach

Source: IBM Analytics

Page 6:

Page 7:

Data breach notification is a significant compliance risk for most businesses.

A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations.

Not to mention class action lawsuits!

Employee data can also be a trade secret, valuable in the hands of competitors.

Page 8:

Major data breaches by identity thieves

RSA Security (March 2011)

▪ Possibly 40 million employee records stolen by hackers

Even a small breach of employee data can affect a business

Departing employee takes personnel info and uses it to recruit top talent to work for competitor

Cannot “unring” the bell once certain private info is leaked (e.g., medical conditions)

Page 9:

46 states have enacted data privacy laws requiring businesses to safeguard certain types of employee and consumer information and to notify affected individuals in case of a data security breach.

Federal laws and regulatory schemes in the healthcare and financial industries also impose data privacy protections.

Contractual obligations.

Page 10:

Current disgruntled employees

Employees about to compete with you or go to work for competitors

Competitors

Vendors/suppliers

Government agencies

Criminal gangs / cartels

Identity theft rings

Medical fraud rings

Page 11:

Losses from intellectual property theft are up to $150 billion a year

The average employee embezzlement costs about $25,000 per incident

Average computer-assisted employee embezzlement runs $430,000 per incident

Page 12:

According to ASIS, more than 3 of every 4 thieves are employees or contractors

Another 6% or more are domestic competitors

Only 7% steal secrets on behalf of foreign companies or governments

Page 13:

File Cabinets

Rolodexes

Personnel Files

Computer Workstations

Internet

E-Mail

High-Tech Surveillance Equipment

Off-Site Login

Cell Phones

Fax Machines

Garbage

Page 14:

Personally Identifiable Information (“PII”) is information which can be used to distinguish or trace an individual’s identity (such as their name, social security number, demographic records), alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (such as date and place of birth, mother’s maiden name, etc.).

Page 15:

Personal Health Information (“PHI”) is Health Information that identifies, or there is a reasonable basis to believe it can be used to identify, the individual.

Health Information includes any information relating to the physical or mental health or condition of an individual, the health care provided to an individual, or payment for health care provided to an individual.

PHI does not include employment records held by the employer in its role as employer.

Page 16:

NOT TO MENTION TRADE SECRETS (e.g., customer lists / info; pricing and cost; financial data; R&D work; M&A plans; non-public product specs / prototypes)

Page 17:

Page 18:

INVESTIGATE AND SECURE YOUR DATA

When there is a suspected breach, you must investigate and lock down data.

The company might be required to demonstrate reasonable efforts to secure its confidential information

▪ Evaluated by a reasonable third-person

▪ Effectiveness

Page 19:

Identify applicable state and federal laws

Determine if a “breach” has occurred as defined by applicable laws

Determine if notification is required under applicable laws

Who should be notified?

When to notify?

Contents of notice

Follow-up risk mitigation steps

Page 20:

State laws vary in 6 areas:

1. Scope of Covered PII

2. Trigger for Notification Obligation

3. Recipients of Notice

4. Content of Notice

5. Timing of Notice

6. Enforcement

Page 21:

HIPAA, as amended by the HITECH Act, and regulations adopted by US Dept. of HHS.

Covered entities are healthcare-related entities and their “business associates”

Contractual obligations to comply with HIPAA

Gramm-Leach-Bliley Act ("GLBA") and banking industry regulations

Federal Trade Commission

Securities & Exchange Commission

Page 22:

A breach is defined as the unauthorized access, use, acquisition or disclosure of PHI that compromises the security of PHI.

Security is compromised if there is a substantial risk of financial, reputational, or other harm to the individual who is the subject of the PHI.

Page 23:

Breach triggers notice obligation

Must notify affected individuals, Dept. of Health & Human Services, and the media (if more than 500 persons in a state are affected)

But there is a Safe Harbor!

Page 24:

Under HIPAA and laws in some states, notice is NOT required if company conducts investigation and determines risk of harm has been mitigated

Where data was returned or wiped

Where person who acquired data is incapable of unencrypting or “re-identifying” data

Page 25:

Content of notice:

Description of breach incident

Types of PHI involved

Steps individual should take to protect from harm

Steps taken to investigate breach, mitigate losses, and protect against further breaches

Contact procedures for affected individuals, including toll-free number

Page 26:

Implement security procedures tailored to your business needs:

Personnel

Documentation

IT Infrastructure

Communication

Response / Investigation

Page 27:

Documentation:

Workplace Policies

Restrictive Covenants Agreements

Job Descriptions

Page 28:

Documentation: Workplace Policies:

▪ Computer Systems Use

▪ Authorized Electronically Stored Information Usage

▪ VOIP Usage

▪ Confidentiality and Non-Disclosure

▪ Ethical Conduct Policy

▪ Return of Corporate Property

▪ Bring Your Own Devices?

Page 29:

Documentation: Restrictive Covenants Agreements

▪ Confidentiality and Non-Disclosure

▪ Non-Solicitation of Customers, Clients and Patients

▪ Non-Recruitment of Personnel

▪ Non-Competition

Most States Allow You To Protect: customer information; trade secrets; confidential business information; existing customer relationships

Page 30:

Documentation: Leverage The Obligation To Protect

Where Your Business Requires The Protection of Customer or Third Party Information, Make Sure Documentation Reflects That This Is A Business Interest That Must Be Protected

Page 31:

Mark protected documents, computer programs, file cabinets and restricted areas using designation such as “Confidential – Property of (Your Company)”

Limit access to protected material based on “need to know”

Utilize physical controls – restrict areas by locking offices and file cabinets

Page 32:

Control third-party access – vendors, customers, independent contractors, plant and facility tours, etc.

Limit copying and removal of sensitive information

Shred confidential discarded documents, erase tapes thoroughly

Page 33:

Set up firewalls

Data encryption

Regular back-ups

Utilize network, not local hard drive, space

Page 34:

Set up passwords with multiple characters (including numbers and letters)

Change access codes

Record or log who had access to computers and subfiles and when

Page 35:

Safe data destruction practices

Some laws require that when data is destroyed it should be destroyed in a particular manner

Utilize and vet vendors properly

▪ Due diligence (industry certification)

Ensure forensically sound “wiping” of electronic devices (when there is no duty to preserve)

Page 36:

“Bring Your Own Device” is the practice of allowing employees to bring their own mobile devices to work for use with company systems, software, networks, or information.

Page 37:

BYOD can provide key benefits, such as increased productivity, reduced IT costs, and better mobility for employees.

BYOD, however, increases risk of data breaches and liability from such breaches.

BYOD also increases risk of spoliation of evidence and makes preservation more difficult to manage and enforce.

Page 38:

Employee-owned devices may be lost or stolen, putting company data and networks at risk.

In 2012, the US government issued a BYOD toolkit for federal agencies, which noted the risk that a device’s operating system may be compromised by malware or device misuse.

Page 39:

IBM adopted a BYOD policy in 2010

In 2012, IBM banned employees from using certain apps, including Dropbox and Siri, because of a “tremendous lack of awareness” about security risk and the company’s inability to control these apps.

Page 40:

In e-discovery, data has to be available if requested, and it is more complicated to preserve, locate and retrieve data when it is stored on employee-owned devices.

BYOD policy should make clear that, in the event of a legal or regulatory investigation, the password will be required and that any personal data that is on the device will be searched, along with anything that is relevant to the company.

Page 41:

A strong BYOD policy is the first step towards managing the increased risk of data breach.

BYOD policy should address:

the goals of the BYOD program

which employees can bring their own devices

which devices will be supported

access levels that employees are granted when using personal devices

Page 42:

Once a BYOD policy is adopted, maintaining BYOD security depends on how well employees are trained on BYOD best practices, implementation of effective device management and support, and enforcement of the BYOD policy.

Page 43:

Use password-protected access controls

Control wireless network and service connectivity

Control application access and permissions

Keep operating system, firmware, software, and applications up-to-date

Back up device data

Page 44:

Enroll in “Find my Device” and remote wipe services

Never store personal financial data on a device

Beware of free apps

Run mobile antivirus software or scanning tools

Use Mobile Device Management (MDM) software as recommended by IT

Page 45:

Usama Kahf, Esq. [email protected]

(949) 798-2118