Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Combating Corporate Espionage - Data Breach! (and the law)

Presentation for Combating Corporate Espionage - Protecting Your Organization From "hackers, insiders & fraudsters" that was sponsored by SpearTip, CI Centre, and BrittonTuma. It is focused on Shawn Tuma's digital information law segment on #fraud20

Shawn Tuma

on 2 May 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Combating Corporate Espionage - Data Breach! (and the law)

Anatomy of a Data Breach -
Why should I care
about data breach?

Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
Copyright 2013
Combating Corporate Espionage
Data Breach!
(and the law)
sponsored by

presented by
Shawn E. Tuma
not a question of if, but of when
2011 - The Story of the Year
Data Breach
Identity Theft

Data is the currency of choice for the 21st Century
Everybody wants it
Google, Facebook, $.99 Apps ... seriously?
Big Data, Reward Cards, Surveys, etc.
NSA / Edward Snowden / Julian Assange
Data is more valuable than money
Data is more valuable for both honest and dishonest "business"

Let's focus on dishonest

Fraud 2.0 = computers are the most efficient tools for fraud ("old crimes committed in new ways)

How is the data obtained?

Spear phishing, hacking, data theft, computer worms, key-loggers, Trojan horses, malware, denial of service attacks
The "Dark Net"
The black market of the Internet
what can you find for sale?
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
illegal drugs
stolen money
prostitution and gambling
How does the Dark Net work
for stolen data?
Dark Net uses the "Tor network" which allows for concealed identity (i.e., IP Addresses) and anonymous transfers of money
Stolen data is packaged in bulk and sold in a single "dump" without knowing what it is or how valuable it may be
Like sales of bad debt, written off loans, collection files, etc.
Bulk sales mean all data has some value
Who is doing this?
Chinese, Russia, Former Eastern Bloc Countries (individual and govt agts)

Organized crime - mostly

Hacking groups (Anon, LuzSec)


Kids in their parents' basements
How do they do it?
Why are they doing it?
Why am I telling you all of this?
Every organization -- especially smaller organizations --
think ...
it won't happen to me
my organization is too small to be worth it
the data my organization has it not that important to be valuable
we have anti-virus software and a firewall
we have a good IT staff
data breaches only happen to organizations that are careless
Percentage of businesses that suffered at least one act of computer fraud last year
(Ponemon Institute, Dec. 2012)
It is
a matter of
Supply and demand means you will be attacked
Cybercrime is one of the fastest growing enterprises -- especially for organized crime

From 2011 to 2012 there was a 42% increase internationally in targeting smaller businesses over larger (Symantec)

relatively, a higher value of data, and

lack of adequate security practices and infrastructure
What are they usually going after?
Financial data
Personal data
Intellectual property
Business information
Customer information
Why Should I Care about data breach?
This means having an understanding of what is required
Industry Standards
Consequences of a data breach
compromise and loss of data
lost productivity, administrative burden, distraction
loss of trust
bad publicity
reporting and notification costs and burdens
credit monitoring and remediation
claims and lawsuits from the data subjects
fines and penalties from governments, agencies, industry groups
increased scrutiny of data security practices
Cybercrime isn't the only cause of data breach
mobile devices, tablets, laptops
thumb drives
stolen servers
improperly decommissioned hardware
employee theft
employee negligence
General Data Breach Laws and Rules
International laws vary

No Federal general breach notification law (yet)

Texas law
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053)
amended by SB 1610 (eff. 6/14/13)

State laws
46 States have general breach notification laws (not AL, KY, NM, SD)
Massachusetts is an oddball
45 day response (FL, OH, VT, WI) or expeditious without unreasonable delay
Consumers + State Attorney General
TX patient moves to MA = MA law applies

Industry standards (FINRA, PCI)
Notification Required Following Breach of Security of Computerized Data
applies to
most Texas businesses
, including healthcare providers and requires use of reasonable procedures to protect "sensitive personal information" (SPI)

compromise of computerized data
that is SPI is a "breach of system security" and requires notification to all consumer data subjects

breach means
taking, accessing, or compromising
confidentiality or integrity

SPI means
“an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted”
Social Security number, driver’s license number or other government issued identification number, account or card numbers combined with the required access or security codes
Also included is information that at that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

The notification must be given to
all individual data subjects
as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person (exceptions for restore system integrity and LE)

Penalty for failing to comply with this notification requirement is a civil penalty of up to
$100.00 per individual per day
for the delayed time but is
not to exceed $250,000
for a single breach

if the SPI is
there is no breach unless the person breaching has the decryption key
Responding to a Breach -- Execute the Response Plan
Contact attorney (privilege)
Assemble the Response Team
Contact forensics
Contact notification vendor
Investigate breach
Remediate responsible vulnerabilities
Reporting and notification
Law enforcement
Individuals, AGs, Sec. of HHS, agencies, indust. groups, credit reporting
Preparing For A Breach
Breach Response Plan.
When a breach occurs, you do not have time to figure out what to do. A well designed Plan allows you to immediately begin executing -- instead of worrying and guessing. You want key personnel involved in preparing the plan and aware of its existence and their responsibilities. Should cover basic who, what, where, when, and how -- and should be led by an attorney for privilege matters because when a breach happens, you should immediately anticipate litigation.

Risk Analysis.
Conduct a risk analysis to determine what specific risks your organization faces by examining the circumstances that leave it open to unauthorized access. Should include penetration testing and a security audit.

Security Analysis.
Conduct a security analysis to determine what security measures are already in place or could reasonably be put into place to minimize the risk of unauthorized access and disclosure of ePHI maintained by your practice.

Gap Analysis.
onduct a gap analysis to determine inadequacies in your privacy, security, and notification response policies and your business associate agreements to determine what policies, procedures, and agreements you need to update or implement in light of the changes mandated by the Omnibus Rule as well as the changes in technology.

Implement and update the security measures, policies, agreements, and procedures that have been identified through the 3 stages of analysis discussed above.

Document Decisions.
The rationale for decisions to implement or not implement certain security measures, policies, agreements, procedures and solutions that have been identified as needed must be documented.

Compliance Audit.
For companies in regulated industries this is very important, especially to show diligence should a breach occur.

Cyber Insurance.
You definitely want to look into it.
Software and systems updates

Remediate vulnerabilities discovered

Implement Compliance steps from Audit

Encrypt all PHI and SPI (at rest and in motion)

System and data surveillance and IT alerts

cyber counter-intelligence / counter-espionage

IT alerts
Tech Preparation Steps
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, SEC, HHS, DOL, FTC ..."
Cost of Data Breach in 2012

per lost record

$188.00 x "X" =

"an ounce of prevention ... "
Cost of a Data Breach!
Defensive Response
Offensive Response
(in the courts)
Computer Fraud and Abuse Act
18 U.S.C. § 1030
Primary law for misuse of computers

What is a computer?
"Everything has a computer in it nowadays." -Steve Jobs
CFAA prohibits access to a protected computer that is
without authorization

exceeds authorized access
where the person accessing
obtains information
commits a fraud
obtains something of value
transmits damaging information
causes damage
traffics in passwords
commits extortion
originally a criminal statute
limited civil remedy
$5,000 loss

more civil than criminal

used in virtually every insider trade secrets case

3 interpretations of "access"
Agency Theory
Intended-Use Theory
Strict Access Theory
Other Federal Laws for Combating Fraud 2.0
Electronic Communications Privacy Act 18 USC § 2510
Wiretap Act (in transit)
Stored Communications Act (at rest)

Fraud with Access Devices 18 USC § 1029
devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards

Identity Theft 18 USC § 1028
Texas Laws for Combatting Fraud 2.0
Breach of Computer Security Act (Tx. Penal Code § 33.02)
knowingly access a computer without effective consent of owner

Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

Unlawful Access to Stored Communications (TPC § 16.04)

Identity Theft Enforcement and Protection Act (BCC § 48.001)

Consumer Protection Against Computer Spyware Act (BCC § 48.051)

Anti-Phishing Act (BCC § 48.003)
Full transcript