Combating Corporate Espionage - Data Breach! (and the law)
Why should I care about data breach?
Shawn E. Tuma
Combating Corporate Espionage
(and the law)
not a question of if, but of when
2011 - The Story of the Year
Data is the currency of choice for the 21st Century
Everybody wants it
Google, Facebook, $.99 Apps ... seriously?
Big Data, Reward Cards, Surveys, etc.
NSA / Edward Snowden / Julian Assange
Data is more valuable than money
Data is more valuable for both honest and dishonest "business"
Let's focus on dishonest
Fraud 2.0 = computers are the most efficient tools for fraud ("old crimes committed in new ways")
How is the data obtained?
Spear phishing, hacking, data theft, computer worms, key-loggers, Trojan horses, malware, denial of service attacks
The "Dark Net"
The black market of the Internet
what can you find for sale?
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
prostitution and gambling
How does the Dark Net work for stolen data?
Dark Net uses the "Tor network" which allows for concealed identity (i.e., IP Addresses) and anonymous transfers of money
Stolen data is packaged in bulk and sold in a single "dump" without knowing what it is or how valuable it may be
Like sales of bad debt, written off loans, collection files, etc.
Bulk sales mean all data has some value
Who is doing this?
China, Russia, former Eastern Bloc countries (individual and government agents)
Organized crime - mostly
Hacking groups (Anon, LulzSec)
Kids in their parents' basements
How do they do it?
Why are they doing it?
Why am I telling you all of this?
Every organization -- especially smaller organizations --
it won't happen to me
my organization is too small to be worth it
the data my organization has is not important enough to be valuable
we have anti-virus software and a firewall
we have a good IT staff
data breaches only happen to organizations that are careless
Percentage of businesses that suffered at least one act of computer fraud last year
(Ponemon Institute, Dec. 2012)
a matter of
Supply and demand means you will be attacked
Cybercrime is one of the fastest growing enterprises -- especially for organized crime
From 2011 to 2012 there was a 42% increase internationally in targeting smaller businesses over larger (Symantec)
relatively, a higher value of data, and
lack of adequate security practices and infrastructure
What are they usually going after?
Why Should I Care about data breach?
This means having an understanding of what is required
Consequences of a data breach
compromise and loss of data
lost productivity, administrative burden, distraction
loss of trust
reporting and notification costs and burdens
credit monitoring and remediation
claims and lawsuits from the data subjects
fines and penalties from governments, agencies, industry groups
increased scrutiny of data security practices
Cybercrime isn't the only cause of data breach
mobile devices, tablets, laptops
improperly decommissioned hardware
General Data Breach Laws and Rules
International laws vary
No Federal general breach notification law (yet)
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053)
amended by SB 1610 (eff. 6/14/13)
46 States have general breach notification laws (not AL, KY, NM, SD)
Massachusetts is an oddball
45 day response (FL, OH, VT, WI) or expeditious without unreasonable delay
Consumers + State Attorney General
TX patient moves to MA = MA law applies
Industry standards (FINRA, PCI)
Notification Required Following Breach of Security of Computerized Data
most Texas businesses, including healthcare providers and requires use of reasonable procedures to protect "sensitive personal information" (SPI)
compromise of computerized data that is SPI is a "breach of system security" and requires notification to all consumer data subjects
taking, accessing, or compromising
confidentiality or integrity
“an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted”
Social Security number, driver’s license number or other government issued identification number, account or card numbers combined with the required access or security codes
Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare
The notification must be given to all individual data subjects as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person (exceptions for restoring system integrity and law enforcement)
Penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach
if the SPI is
there is no breach unless the person breaching has the decryption key
Responding to a Breach -- Execute the Response Plan
Contact attorney (privilege)
Assemble the Response Team
Contact notification vendor
Remediate responsible vulnerabilities
Reporting and notification
Individuals, AGs, Sec. of HHS, agencies, indust. groups, credit reporting
Preparing For A Breach
Breach Response Plan.
When a breach occurs, you do not have time to figure out what to do. A well designed Plan allows you to immediately begin executing -- instead of worrying and guessing. You want key personnel involved in preparing the plan and aware of its existence and their responsibilities. Should cover basic who, what, where, when, and how -- and should be led by an attorney for privilege matters because when a breach happens, you should immediately anticipate litigation.
Conduct a risk analysis to determine what specific risks your organization faces by examining the circumstances that leave it open to unauthorized access. Should include penetration testing and a security audit.
Conduct a security analysis to determine what security measures are already in place or could reasonably be put into place to minimize the risk of unauthorized access and disclosure of ePHI maintained by your practice.
Conduct a gap analysis to determine inadequacies in your privacy, security, and notification response policies and your business associate agreements to determine what policies, procedures, and agreements you need to update or implement in light of the changes mandated by the Omnibus Rule as well as the changes in technology.
Implement and update the security measures, policies, agreements, and procedures that have been identified through the 3 stages of analysis discussed above.
The rationale for decisions to implement or not implement certain security measures, policies, agreements, procedures and solutions that have been identified as needed must be documented.
For companies in regulated industries this is very important, especially to show diligence should a breach occur.
You definitely want to look into it.
Software and systems updates
Remediate vulnerabilities discovered
Implement Compliance steps from Audit
Encrypt all PHI and SPI (at rest and in motion)
System and data surveillance and IT alerts
cyber counter-intelligence / counter-espionage
Tech Preparation Steps
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, SEC, HHS, DOL, FTC ...]"
Cost of Data Breach in 2012
per lost record
$188.00 x "X" =
"an ounce of prevention ... "
Cost of a Data Breach!
(in the courts)
Computer Fraud and Abuse Act
18 U.S.C. § 1030
Primary law for misuse of computers
What is a computer?
"Everything has a computer in it nowadays." -Steve Jobs
CFAA prohibits access to a protected computer that is
exceeds authorized access
where the person accessing
commits a fraud
obtains something of value
transmits damaging information
traffics in passwords
originally a criminal statute
limited civil remedy
more civil than criminal
used in virtually every insider trade secrets case
3 interpretations of "access"
Strict Access Theory
Other Federal Laws for Combating Fraud 2.0
Electronic Communications Privacy Act 18 USC § 2510
Wiretap Act (in transit)
Stored Communications Act (at rest)
Fraud with Access Devices 18 USC § 1029
devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
Identity Theft 18 USC § 1028
Texas Laws for Combatting Fraud 2.0
Breach of Computer Security Act (Tx. Penal Code § 33.02)
knowingly access a computer without effective consent of owner
Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
Unlawful Access to Stored Communications (TPC § 16.04)
Identity Theft Enforcement and Protection Act (BCC § 48.001)
Consumer Protection Against Computer Spyware Act (BCC § 48.051)
Anti-Phishing Act (BCC § 48.003)