Data Breach! Hacking! Corporate Espionage! Are you listening yet???
Why should I care about data breach?
Shawn E. Tuma
Are you listening yet???
not a question of if, but of when
Data is the currency of the 21st Century
Everybody wants it
Google, Facebook, $.99 Apps ... seriously?
Big Data, Reward Cards, Surveys, etc.
How is data wrongfully obtained?
insider data theft
brute force attacks
denial of service attacks
The "Dark Net"
The black market of the Internet
what can you find for sale?
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
prostitution and gambling
How does the Dark Net work for stolen data?
Dark Net markets run on the "Tor network," which conceals the participants' identities (i.e., their IP addresses); payment is made through channels that are likewise hard to trace back to a person
Stolen data is packaged in bulk and sold as a single "dump," often with neither side knowing exactly what it contains or how valuable it may be
Like sales of bad debt, written off loans, collection files, etc.
Bulk sales mean all data has some value
Who is doing this?
State Sponsored Front Organizations
China, Russia, Iran, former Eastern Bloc countries
"Cause" hacking groups (Anonymous, LulzSec)
Individuals (e.g., kids in their parents' basements)
How do they make money from it?
Why are they doing it?
Why am I telling you all of this?
Every organization -- especially smaller organizations --
it won't happen to me
my organization is too small to be worth it
the data my organization has is not important enough to be valuable
we have anti-virus software and a firewall
we have a good IT staff
data breaches only happen to organizations that are careless
Percentage of businesses that suffered at least one act of computer fraud last year
(Ponemon Institute, Dec. 2012)
a matter of when, not if
What data are they usually going after?
Intellectual property (especially corporate trade secrets)
This means having an understanding of what is required
Agency Rules & Regulations
Consequences of a data breach
compromise and loss of data
lost productivity, administrative burden, distraction
loss of trust
reporting and notification costs and burdens
credit monitoring and remediation
claims and lawsuits from the data subjects
fines and penalties from governments, agencies, industry groups
increased scrutiny of data security practices
Cybercrime isn't the only cause of data breach
mobile devices, tablets, laptops
improperly decommissioned hardware
General Data Breach Laws and Rules
International laws vary
No Federal general breach notification law (yet)
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053)
47 States have general breach notification laws (not AL, NM, SD)
Massachusetts is an oddball
45 day response (FL, OH, VT, WI) or expeditious without unreasonable delay
Consumers + State Attorney General
TX patient moves to MA = MA law applies
Industry standards (FINRA, PCI, Merchant Bank)
Texas Notification Required Following Breach of Security of Computerized Data
Applies to most Texas businesses, including healthcare providers, and requires use of reasonable procedures to protect "sensitive personal information" (SPI)
A compromise of computerized data that is SPI is a "breach of system security" and requires notification to all consumer data subjects
"Compromise" means the taking, accessing, or compromising of the confidentiality or integrity of the data
SPI is "an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted":
Social Security number, driver's license number or other government-issued identification number, account or card numbers combined with the required access or security codes
Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare
The notification must be given to all individual data subjects as quickly as possible after it has been determined that an individual's sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person (exceptions for restoring system integrity and for law enforcement)
Penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time, but not to exceed $250,000 for a single breach
If the SPI is encrypted, there is no breach unless the person breaching also has the decryption key
Responding to a Breach -- Execute the Response Plan
Contact attorney (privilege)
Assemble the Response Team
Contact Merchant Bank (if payment card)
Contact notification vendor
Remediate responsible vulnerabilities
Reporting and notification
Individuals, AGs, Sec. of HHS, agencies, indust. groups, credit reporting
Preparing For A Breach
Breach Response Plan.
When a breach occurs, you do not have time to figure out what to do. A well-designed Plan allows you to immediately begin executing instead of worrying and guessing. You want key personnel involved in preparing the plan and aware of its existence and their responsibilities. It should cover the basic who, what, where, when, and how, and it should be led by an attorney for privilege purposes, because when a breach happens you should immediately anticipate litigation.
Conduct a risk analysis to determine what specific risks your organization faces by examining the circumstances that leave it open to unauthorized access. This should include penetration testing and a security audit.
Due Diligence of Business Associates.
In accordance with the SEC and FTC guidelines, conduct due diligence of all business associates with access to company systems by investigating, obligating, and verifying they are adequately protecting data.
Conduct a security analysis to determine what security measures are already in place or could reasonably be put into place to minimize the risk of unauthorized access and disclosure of ePHI maintained by your practice.
Conduct a gap analysis to determine inadequacies in your privacy, security, and notification response policies and your business associate agreements to determine what policies, procedures, and agreements you need to update or implement in light of the changes mandated by the Omnibus Rule as well as the changes in technology.
Implement and update the security measures, policies, agreements, and procedures that have been identified through the three stages of analysis discussed above.
The rationale for decisions to implement, or not to implement, the security measures, policies, agreements, procedures, and solutions identified as needed must be documented.
For companies in regulated industries this is very important, especially to show diligence should a breach occur.
You definitely want to look into it.
Software and systems updates
Remediate vulnerabilities discovered
Implement Compliance steps from Audit
Encrypt all Protected Health Information (PHI) and Sensitive Personal Information (SPI) at rest and in motion, and keep the keys separate from the data (the Texas statute's encryption carve-out only helps if the attacker does not also get the decryption key)
System and data surveillance and IT alerts
cyber counter-intelligence / counter-espionage
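The encryption step above, and the statute's "no breach unless the person breaching has the decryption key" carve-out, both assume that the stored data is useless without the key. The following is an added example written for this page (not code from the presentation or its author) showing field-level encryption of an SPI record with AES-256-GCM: the SSN is sealed under a key that lives outside the database, the record ID is bound in as associated data so a sealed value cannot be swapped between records, and opening with the wrong key or a tampered ciphertext fails closed. The record, key and IDs are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// spiRecord is a constructed example of "sensitive personal information":
// a name in combination with a Social Security number.
type spiRecord struct {
	ID   string // primary key in the database
	Name string
	SSN  string
}

// sealSPI encrypts the SSN with AES-256-GCM under a 32-byte key that is
// stored outside the data store (KMS, HSM, config vault). The record ID is
// passed as associated data so the ciphertext is bound to this record.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func sealSPI(key []byte, rec spiRecord) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(rec.SSN), []byte(rec.ID)), nil
}

// openSPI reverses sealSPI. Any of: wrong key, ciphertext moved to a
// different record ID, or a flipped bit causes GCM authentication to fail,
// and nothing is returned.
func openSPI(key []byte, id string, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed key; in production this comes from a key manager, not the DB.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec := spiRecord{ID: "cust-1001", Name: "Jane Doe", SSN: "123-45-6789"} // constructed

	sealed, err := sealSPI(key, rec)
	if err != nil {
		panic(err)
	}
	// This is what a bulk "dump" of the table would show an attacker.
	fmt.Printf("stored row: id=%s name=%s ssn=%s\n", rec.ID, rec.Name, hex.EncodeToString(sealed))

	// Attacker has the dump but not the key: the value is unusable.
	if _, err := openSPI(make([]byte, 32), rec.ID, sealed); err != nil {
		fmt.Println("without the key:", err)
	}
	// Attacker re-attaches the ciphertext to another customer: also fails.
	if _, err := openSPI(key, "cust-2002", sealed); err != nil {
		fmt.Println("moved to another record:", err)
	}
	// Legitimate application with the key recovers the plaintext.
	ssn, err := openSPI(key, rec.ID, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the key:", ssn)
}
```

The point for the breach analysis is the separation: a leaked table dump plus a leaked key is a breach; the dump alone is ciphertext and authentication tags. Keep the key in a different trust boundary from the data (a key manager or HSM the database host cannot read), rotate it, and log every decrypt so the "surveillance and IT alerts" step has something to alert on.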
Tech Preparation Steps
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, SEC, HHS, DOL, FTC ...]"
Cost of Data Breach in 2012
$188.00 per lost record
$188.00 x "X" = $$$$$$$
"an ounce of prevention ... "
Cost of a Data Breach!
Computer Fraud and Abuse Act
18 U.S.C. § 1030
Primary law for misuse of computers
What is a computer?
"Everything has a computer in it nowadays." -Steve Jobs
CFAA prohibits access to a protected computer that is without authorization or exceeds authorized access, where the person accessing:
commits a fraud
obtains something of value
transmits damaging information
traffics in passwords
originally a criminal statute
limited civil remedy
more civil than criminal
used in virtually every insider trade secrets case
3 interpretations of "access"
Strict Access Theory
Other Federal Laws for Combating Fraud 2.0
Electronic Communications Privacy Act 18 USC § 2510
Wiretap Act (in transit)
Stored Communications Act (at rest)
Fraud with Access Devices 18 USC § 1029
devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through card skimmers
Identity Theft 18 USC § 1028
Texas Laws for Combating Fraud 2.0
Breach of Computer Security Act (Tx. Penal Code § 33.02)
knowingly access a computer without effective consent of owner
Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
Unlawful Access to Stored Communications (TPC § 16.04)
Identity Theft Enforcement and Protection Act (BCC § 48.001)
Consumer Protection Against Computer Spyware Act (BCC § 48.051)
Anti-Phishing Act (BCC § 48.003)
Shawn Tuma, Partner
Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays very active in the cyber and information law communities:
D Magazine's 2014 Best Lawyers in Dallas
Chair, Civil Litigation & Appellate Section, Collin County Bar Association
College of the State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
Computer and Technology, Litigation, Intellectual Property Law, and Business Sections, State Bar of Texas
Information Security Committee, American Bar Association
Social Media Committee, American Bar Association
Cybercrime Committee, North Texas Crime Commission
International Association of Privacy Professionals
The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation
Are all data theft attacks random or are there targeted attacks?
employee planning departure to competitor
disloyal insider planted
Chinese Restaurant Menu
(competitors' directed theft of trade secrets)
Ready for Some Ethics?
Who knows where I am going with this?
What does lawyer ethics have to do with corporate espionage?
Ethics Opinion 384 (Sept. 1975)
Canon No. 4, Code of Professional Responsibility, states, "A lawyer should preserve the confidences and secrets of a client."
Disciplinary Rule (DR) 4-101(A) states, "'Confidence' refers to information protected by the attorney-client privilege under applicable law," and "'Secret' refers to other information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or would be likely to be detrimental to the client."
DR 4-101(B) provides that, except when permitted under DR 4-101(C), a lawyer shall not knowingly reveal a "confidence" or "secret" of his client.
Lawyers' duty to preserve client confidences
What about email?
ABA Ethics Committee issued its Formal Opinion 11-459
"Whenever a lawyer communicates with a client by email, the lawyer must first consider whether, given the client's situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client."
2/15/14 New York Times: "Spying by N.S.A. Ally Entangled U.S. Law Firm"
The Australian Signals Directorate spied on communications between the Mayer Brown law firm and its client, the Indonesian government, regarding a trade dispute with the US
It offered to share the information with the NSA
Want more on lawyer data security issues?
Collin County Bench Bar Conference
5/3/14 @ 11:45
can you get a more shameless plug?
Need another reason why your system may be attacked?
Sun Tzu - The Art of War
"In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory"
“You can be sure of succeeding in your attacks if you attack places which are
you were CEO of a world-wide company
breach impacting 110 million customers
$61 million in expenses alone
10% discount to all shoppers
$5 million investment in cybersecurity coalition
offer “free” identity theft and credit monitoring to all affected customers
Net earnings down 34.28%
Earnings per share down 44.60%
Non-cash losses up 487.71%
US sales down 6.60%
Lawsuits, possible enforcement actions, who knows?
and then you learn …
Have you heard of ...
all tell you what you must do following a breach
Recent agency advisory statements (Jan. 2014)
SEC: Indicates that the new standard of care for companies may require policies in place for:
to cyber attacks and data breaches,
IT training focused on security, and
Vendor access to company systems and vendor due diligence.
GMR Transcription Svcs (FTC case) requires businesses to follow 3 steps when contracting with 3rd-party service providers:
Investigate: exercise due diligence before hiring data service providers.
Obligate: require data service providers to adhere to the appropriate level of data security protections through contractual agreements with the provider.
Verify: confirm that the data service providers are adequately protecting data as required by the contractual standards.
Still Not Convinced?
What you must do!
What you may do - in the courts
The Ultimate Vulnerability?