Top Banner

Click here to load reader

Minnesota CLE Cyber Security Primer for Lawyers v2.1r

Aug 23, 2014

ReportDownload

Law

Minnesota Continuing Legal Education (MINNCLE) Cyber Security Primer for Lawyers moderated by Paul Knapp, Scott Larson (Larson Security LLC) & Richard Ostrom (WayPoint, Inc) Presenters. Topics covered include HIPAA, Business Associates (BA) requirements under HIPAA/HITECH Act, PCIDSS, state data breach laws, SOX, GLBA, Advanced Persistent Threat (APT), Security & Vulnerability Assessments, custom tools, law firm information security, computer forensics, and cyber crime response. Slide Deck Only. MINNCLE has archived online viewing for paying customers. September 04, 2013

  • A CYBER SECURITY PRIMER FOR LAWYERS Tuesday, September 10, 2013: 9:00 10:30 a.m.
  • Todays Speakers Moderator: Paul Knapp, President and CEO, Space Center Ventures, (612) 710-1203, [email protected] Presenters: Scott Larson, President, Larson Security, LLC (612) 360-9982, [email protected], 13 years experience as Supervisory Special Agent with the Federal Bureau of Investigations, led the FBIs Computer Investigations and Infrastructure Protection Program; 10 years civil, regulatory and criminal engagement management, digital forensics, cyber security and electronic discovery. Rick Ostrom, President, WayPoint, Inc. (651) 702-0138, [email protected], 26 years experience as a Special Agent and Supervisor with the Federal Bureau of Investigation; former 3M Corporate Security & Business Risk Mitigation
  • Agenda 1. What does Cyber Security Encompass? 2. Two Big Current Issues: Big Data and Devices 3. What can you and your Clients do Proactively? 4. Regulatory Compliance Issues 5. Contractual Compliance Issues 6. Incidence Response and Cyber Security 7. Conclusions ly
  • What does Cyber Security Encompass? Internal Threats Data Theft Accidental data loss or data leakage Employment Matters External Threats Random malware and botnets Client-specific threats (e.g. Hacktivism DDoS) APT & economic espionage Regularly Compliance HIPAA, GLBA Online behavioral advertising issues Non-U.S. requirements: EU draft data protection regs and cookie directive Contractual Compliance NDA M&A SLA/Disclosure
  • What does Cyber Security Encompass? Internal Threats Data Theft Accidental data loss or data leakage WSJ.COM BBC.COM
  • What does Cyber Security Encompass? External Threats Random malware and botnets Client-specific threats (e.g. Hacktivism/DDoS) APT & Economic espionage
  • What does Cyber Security Encompass? External Threats APT Patch Mgmt, Active Directory, Configuration RSA Blog
  • What does Cyber Security Encompass? Regularly Compliance HIPAA, GLBA Online behavioral advertising issues Non-U.S. requirements: EU draft data protection regs and cookie directive
  • What does Cyber Security Encompass? Contractual Compliance NDA M&A SLA/Disclosure
  • Hot Topics: Big Data and Devices Big Data Issues Notice/consent Secondary purposes De identification, pseudo anonymization Automated decision making Roles and contractual obligations Devices BYOD: iPads, Phones, etc. Mobile Apps Ownership and MDMs/MAMs Amazon AWS
  • What Can You & Your Clients do Proactively? Maintain a Secure Network: Defense-in-depth & Segment High $ Data Bolster Identity and Access Management (IAM) System Perform Security Assessments/Privacy Analysis/Penetration Tests Encryption (Email & Cloud) Conduct Training and Table-Top Exercises Have an incident response policy: know who you will engage internally and externally Check insurance coverage
  • Build and Maintain A Secure Network Maintain a Configuration Management Program Maintain an Information Security Policy Incident Response Plan 13
  • To reduce accidental loss of data To reduce theft To control roles To reduce risk 14 Bolster Identity and Access Management (IAM) Systems
  • Perform Security Assessments SSAE 16 Audits (formerly SAS-70) Advanced Persistent Threat (APT) Spear phishing Network vulnerability assessments Web App VA and code review (SQL injection attacks) Custom & Commercial Tools SDI & Read Only Domain Controllers Patch Management & Configuration The Cloud: dark public clouds, light private clouds Your clients failure to remediate security risks identified in a security assessment may be damaging and discoverable smoking gun in security breach litigation 15
  • Perform Penetration Testing White hat consultants Red Teaming Regularly Monitor and Test Networks Internal Teams Automated Tools Remote Forensics 16
  • Conduct Training & Exercises User security awareness training Board, Audit (or IT Risk Management) Committee, CTO, CISO, CIO, and their employees, and dont forget vendors including law firms Persons involved with M&A, Divestitures, Employee Misconduct, Trade Secrets and Intellectual Property must all be educated and sensitized to cyber security issues 17
  • Regulatory Compliance A panoply of state and federal and international regulations, most notably: HIPAA, PCIDSS, State Data Breach Laws (http://www.hhs.gov/ocr/privacy/hipaa/understanding/) (https://www.pcisecuritystandards.org/security_standards/) Online behavioral advertising/FTC and state AGs (http://www.ftc.gov/news-events/press-releases/2009/02/ftc-staff-revises-online-behavioral-advertising-principles) Securities Regulations (e.g. SOX, GLBA) (http://www.sec.gov/info/smallbus/404guide/intro.shtml) (http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act) Foreign Corrupt Practices Act (FCPA) (http://www.justice.gov/criminal/fraud/fcpa/) EU Data Protection Directives (http://ec.europa.eu/justice/data-protection/index_en.htm) Childrens Online Privacy Protection Act http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule) Extends to mobile apps and online technologies Regs cover personal information collected including cookies, etc.
  • Contractual Compliance NDAs and Notice of Breach clauses M&A transaction confidentiality before and after transaction PCI Compliance
  • At any given moment, there is a certain percentage of the population thats up to no good.
  • Ernst & Young 13th Global Fraud Survey Increasing acceptance of unethical behavior Bribery and corruption Misstate financial performance Control environment not strong enough Mixed messages from top failure to penalize Independent view on compliance demanded Need to manage third parties Lack of due diligence Acquisitions Lack of pre-acquisitions
  • Summary of the Final Omnibus HIPAA/HITECH Rules Business Associates
  • Why The Concern? Effective March 26, 2013 Compliance Deadline of September 23, 2013 CMS Audit will begin again after September 23, 2013
  • Biggest Change for Business Associates Provides direct liability for Business Associates and their subcontractors Includes entities that create, receive, maintain, or transmit PHI on behalf of a covered entity Law Firms Accountants Person that provides data transmission services for PHI Many Others
  • Business Associates Must Comply with the terms of a Business Associate agreement related to the use and disclosure of PHI Provide PHI to the Secretary upon demand Provide an electronic copy of PHI to an individual patient upon request Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose Enter into Business Associate agreements with subcontractors that create or receive PHI
  • Best Practice Business Associates are not required to have written policies and procedures Recommend highly for BAs Written Policies and Procedures Conduct Security Review and Provide Written Assessment Consider Encryption
  • Covered Entity To Do Identify and Document Business Associates Business Associates Identify and Document subcontractors Business Associates need new policies for new requirements Review and Amend Existing Business Associate Agreements Update Breach Notification Compliance Plan Confirm Business Associates have written contracts with subcontractors and vendors and they are HIPAA Compliant
  • Business Associates To Do Assign Information Security Officer Implement Privacy Policies Implement Security Policies Physical & IT Establish written contracts for all subcontractors or vendors you delegate a function, activity or service Implement Breach Notification Compliance Plan Implement HIPAA Privacy and Security Awareness Training Program Annual Training Conduct Security Review
  • Incident Response & Reactive Cyber Security Crisis Management! Engage incident response policy and plans Engage pre-determined internal personnel and external consultants Include legal and technical experts early on upon escalation of incident Litigation Support