Data Breach! Hacking! Corporate Espionage! Are you listening yet???

Shawn Tuma's presentation on data breach, hacking, corporate espionage, misappropriation of trade secrets, and other legal issues to the Corporate Counsel Section of the Collin County Bar Association.

Shawn Tuma

on 15 May 2014


Transcript of Data Breach! Hacking! Corporate Espionage! Are you listening yet???

Anatomy of a Data Breach -
Why should I care about data breach?

Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
Copyright 2014
Data Breach!
Are you listening yet???
not a question of if, but of when
Data is the currency of the 21st Century
Everybody wants it

Google, Facebook, $.99 Apps ... seriously?

Big Data, Reward Cards, Surveys, etc.
How is data wrongfully obtained?
Spear phishing
insider data theft
computer worms
Trojan horses
brute force attacks
denial of service attacks
gsm devices
The "Dark Net"
The black market of the Internet
what can you find for sale?
human beings
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
illegal drugs
stolen money
prostitution and gambling
How does the Dark Net work for stolen data?
Dark Net uses the "Tor network" which allows for concealed identity (i.e., IP Addresses) and anonymous transfers of money

Stolen data is packaged in bulk and sold in a single "dump" without knowing what it is or how valuable it may be
Like sales of bad debt, written off loans, collection files, etc.

Bulk sales mean all data has some value
Who is doing this?
State Sponsored Front Organizations
China, Russia, Iran, Former Eastern Bloc Countries

Organized crime

"Cause" Hacking groups (Anon, LulzSec)

Individuals (i.e., kids in their parents' basements)
How do they make money from it?
Why are they doing it?
Why am I telling you all of this?
Every organization -- especially smaller organizations -- thinks ...
it won't happen to me
my organization is too small to be worth it
the data my organization has is not important enough to be valuable
we have anti-virus software and a firewall
we have a good IT staff
data breaches only happen to organizations that are careless
Percentage of businesses that suffered at least one act of computer fraud last year
(Ponemon Institute, Dec. 2012)
It is
a matter of
What data are they usually going after?
Financial data
Personal data
Medical data
Intellectual property (especially corporate trade secrets)
This means having an understanding of what is required
Agency Rules & Regulations
Industry Standards
Consequences of a data breach
compromise and loss of data
lost productivity, administrative burden, distraction
loss of trust
bad publicity
reporting and notification costs and burdens
credit monitoring and remediation
claims and lawsuits from the data subjects
fines and penalties from governments, agencies, industry groups
increased scrutiny of data security practices
Cybercrime isn't the only cause of data breach
mobile devices, tablets, laptops
thumb drives
stolen servers
improperly decommissioned hardware
employee theft
employee negligence
General Data Breach Laws and Rules
International laws vary

No Federal general breach notification law (yet)

Texas law
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053)

State laws
47 States have general breach notification laws (not AL, NM, SD)
Massachusetts is an oddball
45 day response (FL, OH, VT, WI) or expeditious without unreasonable delay
Consumers + State Attorney General
TX patient moves to MA = MA law applies

Industry standards (FINRA, PCI, Merchant Bank)
Texas Notification Required Following Breach of Security of Computerized Data
applies to most Texas businesses, including healthcare providers, and requires use of reasonable procedures to protect "sensitive personal information" (SPI)

compromise of computerized data that is SPI is a "breach of system security" and requires notification to all consumer data subjects

breach means taking, accessing, or compromising confidentiality or integrity

SPI means “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted”
Social Security number, driver’s license number or other government issued identification number, account or card numbers combined with the required access or security codes
Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

The notification must be given to all individual data subjects as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person (exceptions for restoring system integrity and LE)

Penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach

if the SPI is
there is no breach unless the person breaching has the decryption key
Responding to a Breach -- Execute the Response Plan
Contact attorney (privilege)
Assemble the Response Team
Contact Merchant Bank (if payment card)
Contact forensics
Contact notification vendor
Investigate breach
Remediate responsible vulnerabilities
Reporting and notification
Law enforcement
Individuals, AGs, Sec. of HHS, agencies, indust. groups, credit reporting
Preparing For A Breach
Breach Response Plan.
When a breach occurs, you do not have time to figure out what to do. A well designed Plan allows you to immediately begin executing -- instead of worrying and guessing. You want key personnel involved in preparing the plan and aware of its existence and their responsibilities. Should cover basic who, what, where, when, and how -- and should be led by an attorney for privilege matters because when a breach happens, you should immediately anticipate litigation.

Risk Analysis.

Conduct a risk analysis to determine what specific risks your organization faces by examining the circumstances that leave it open to unauthorized access. Should include penetration testing and a security audit.

Due Diligence of Business Associates.
In accordance with the SEC and FTC guidelines, conduct due diligence of all business associates with access to company systems by investigating, obligating, and verifying they are adequately protecting data.

Security Analysis.
Conduct a security analysis to determine what security measures are already in place or could reasonably be put into place to minimize the risk of unauthorized access and disclosure of ePHI maintained by your practice.

Gap Analysis.

Conduct a gap analysis to determine inadequacies in your privacy, security, and notification response policies and your business associate agreements to determine what policies, procedures, and agreements you need to update or implement in light of the changes mandated by the Omnibus Rule as well as the changes in technology.

Implement and update the security measures, policies, agreements, and procedures that have been identified through the 3 stages of analysis discussed above.

Document Decisions.
The rationale for decisions to implement or not implement certain security measures, policies, agreements, procedures and solutions that have been identified as needed must be documented.

Compliance Audit.
For companies in regulated industries this is very important, especially to show diligence should a breach occur.

Cyber Insurance.
You definitely want to look into it.
Software and systems updates

Remediate vulnerabilities discovered

Implement Compliance steps from Audit

Encrypt all Protected Health Information (PHI) and Sensitive Personal Information (SPI) at rest and in motion

System and data surveillance and IT alerts

cyber counter-intelligence / counter-espionage
Tech Preparation Steps
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, SEC, HHS, DOL, FTC ...]"
Cost of Data Breach in 2012

$188.00 per lost record

$188.00 x "X" = $$$$$$$

"an ounce of prevention ... "
Cost of a Data Breach!
Defensive Response
Offensive Response
Computer Fraud and Abuse Act
18 U.S.C. § 1030
Primary law for misuse of computers

What is a computer?
"Everything has a computer in it nowadays." -Steve Jobs
CFAA prohibits access to a protected computer that is
without authorization

exceeds authorized access
where the person accessing
obtains information
commits a fraud
obtains something of value
transmits damaging information
causes damage
traffics in passwords
commits extortion
originally a criminal statute
limited civil remedy
$5,000 loss

more civil than criminal

used in virtually every insider trade secrets case

3 interpretations of "access"
Agency Theory
Intended-Use Theory
Strict Access Theory
Other Federal Laws for Combating Fraud 2.0
Electronic Communications Privacy Act 18 USC § 2510
Wiretap Act (in transit)
Stored Communications Act (at rest)

Fraud with Access Devices 18 USC § 1029
devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards

Identity Theft 18 USC § 1028
Texas Laws for Combatting Fraud 2.0
Breach of Computer Security Act (Tx. Penal Code § 33.02)
knowingly access a computer without effective consent of owner

Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

Unlawful Access to Stored Communications (TPC § 16.04)

Identity Theft Enforcement and Protection Act (BCC § 48.001)

Consumer Protection Against Computer Spyware Act (BCC § 48.051)

Anti-Phishing Act (BCC § 48.003)
Corporate Espionage!
Shawn Tuma, Partner
blog: shawnetuma.com
web: brittontuma.com

Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays very active in the cyber and information law communities:

D Magazine's 2014 Best Lawyers in Dallas
Chair, Civil Litigation & Appellate Section, Collin County Bar Association
College of the State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
Computer and Technology, Litigation, Intellectual Property Law, and Business Sections, State Bar of Texas
Information Security Committee, American Bar Association
Social Media Committee, American Bar Association
Cybercrime Committee, North Texas Crime Commission
International Association of Privacy Professionals

The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation
Are all data theft attacks random or are there targeted attacks?
Corporate Espionage
External Threats
Insider Threats
Blended Threats
employee planning departure to competitor
disloyal insider planted

Chinese Restaurant Menu
(competitors' directed theft of trade secrets)
Ready for Some Ethics?
Who knows where I am going with this?

What does lawyer ethics have to do with corporate espionage?
Ethics Opinion 384 (Sept. 1975)

Canon No. 4, Code of Professional Responsibility, states, "A lawyer should preserve the confidences and secrets of a client."

Disciplinary Rule (DR) 4-101 (A) states, "'Confidence' refers to information protected by the attorney-client privilege under applicable law," and "'secret' refers to other information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or would be likely to be detrimental to the client."

DR 4-101 (B) provides that, except when permitted under DR 4-101 (C), a lawyer shall not knowingly reveal a "confidence" or "secret" of his client.

Lawyers' duty to preserve client confidences
What about email?
ABA Ethics Committee issued its Formal Opinion 11-459

"Whenever a lawyer communicates with a client by email, the lawyer must first consider whether, given the client's situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client."

2/15/14 New York Times: "Spying by N.S.A. Ally Entangled U.S. Law Firm"

Australian Signals Directorate spied on communications between Mayer Brown law firm and its client, the Indonesian government, regarding a trade dispute with the US

Offered to share info with the NSA
Want more on lawyer data security issues?
Collin County Bench Bar Conference

5/3/14 @ 11:45
can you get a more shameless plug?
Need another reason why your system may be attacked?
Sun Tzu - The Art of War
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory”

“You can be sure of succeeding in your attacks if you attack places which are not defended”

Story Time
you were CEO of a world-wide company
breach impacting 110 million customers
$61 million in expenses alone
10% discount to all shoppers
$5 million investment in cybersecurity coalition
offer “free” identity theft and credit monitoring to all affected customers
Net earnings down 34.28%
Earnings per share down 44.60%
Non-cash losses up 487.71%
US sales down 6.60%
Lawsuits, possible enforcement actions, who knows?
and then you learn …

Have you heard of ...
all tell you what you must do following a breach
Recent agency advisory statements (Jan. 2014)
SEC: Indicates that the new standard of care for companies may require policies in place for:
, and
to cyber attacks and data breaches,
IT training focused on security, and
Vendor access to company systems and vendor due diligence.

GMR Transcription Svcs – FTC case – is requiring businesses to follow 3 steps when contracting with 3rd party service providers:
Investigate by exercising due diligence before hiring data service providers.
Obligate their data service providers to adhere to the appropriate level of data security protections through contractual agreements with provider.
Verify that the data service providers are adequately protecting data as required by the contractual standards.



Still Not Convinced?
What you must do!
What you may do - in the courts
The Ultimate Vulnerability?
18 mos.