A CYBER SECURITY PRIMER FOR LAWYERS
Tuesday, September 10, 2013: 9:00 – 10:30 a.m.
Aug 23, 2014
Today’s Speakers

Moderator: Paul Knapp, President and CEO, Space Center Ventures, (612) 710-1203, [email protected]

Presenters:
• Scott Larson, President, Larson Security, LLC, (612) 360-9982, [email protected]. 13 years’ experience as Supervisory Special Agent with the Federal Bureau of Investigation; led the FBI’s Computer Investigations and Infrastructure Protection Program; 10 years of civil, regulatory and criminal engagement management, digital forensics, cyber security and electronic discovery.
• Rick Ostrom, President, WayPoint, Inc., (651) 702-0138, [email protected]. 26 years’ experience as a Special Agent and Supervisor with the Federal Bureau of Investigation; former 3M Corporate Security & Business Risk Mitigation.
Agenda
1. What does Cyber Security Encompass?
2. Two Big Current Issues: Big Data and Devices
3. What can you and your Clients do Proactively?
4. Regulatory Compliance Issues
5. Contractual Compliance Issues
6. Incident Response and Cyber Security
7. Conclusions
What does Cyber Security Encompass?
• Internal Threats
  – Data theft
  – Accidental data loss or data leakage
  – Employment matters
• External Threats
  – Random malware and botnets
  – Client-specific threats (e.g. hacktivism – DDoS)
  – APT & economic espionage
• Regulatory Compliance
  – HIPAA, GLBA
  – Online behavioral advertising issues
  – Non-U.S. requirements: EU draft data protection regs and “cookie” directive
• Contractual Compliance
  – NDA
  – M&A
  – SLA/Disclosure
What does Cyber Security Encompass? (detail slides)
• External Threats – APT: patch management, Active Directory, configuration
(The remaining detail slides repeat the category lists above alongside news screenshots credited to WSJ.COM, BBC.COM and the RSA Blog.)
Hot Topics: Big Data and Devices
• Big Data Issues
  – Notice/consent
  – Secondary purposes
  – De-identification, pseudo-anonymization
  – Automated decision making
  – Roles and contractual obligations
• Devices
  – BYOD: iPads, phones, etc.
  – Mobile apps
  – Ownership and MDMs/MAMs
(Slide image credited to Amazon AWS.)
What Can You & Your Clients do Proactively?
• Maintain a secure network: defense-in-depth & segment high-$ data
• Bolster Identity and Access Management (IAM) systems
• Perform security assessments / privacy analysis / penetration tests
• Encryption (email & cloud)
• Conduct training and table-top exercises
• Have an incident response policy: know who you will engage internally and externally
• Check insurance coverage

Build and Maintain a Secure Network
• Maintain a Configuration Management Program
• Maintain an Information Security Policy
• Incident Response Plan
Bolster Identity and Access Management (IAM) Systems
• To reduce accidental loss of data
• To reduce theft
• To control roles
• To reduce risk
Perform Security Assessments
• SSAE 16 Audits (formerly SAS-70)
• Advanced Persistent Threat (APT)
  – Spear phishing
  – Network vulnerability assessments
  – Web app VA and code review (SQL injection attacks)
• Custom & commercial tools
• SDI & Read-Only Domain Controllers
• Patch management & configuration
• The Cloud: dark “public” clouds, light “private” clouds
• Your client’s failure to remediate security risks identified in a security assessment may be a damaging and discoverable “smoking gun” in security breach litigation
Perform Penetration Testing
• “White hat” consultants
• “Red Teaming”
• Regularly monitor and test networks
  – Internal teams
  – Automated tools
  – Remote forensics
Conduct Training & Exercises
• User security awareness training
• Board, Audit (or IT Risk Management) Committee, CTO, CISO, CIO and their employees, and don’t forget vendors including law firms
• Persons involved with M&A, divestitures, employee misconduct, trade secrets and intellectual property must all be educated and sensitized to cyber security issues
Regulatory Compliance
A panoply of state, federal and international regulations, most notably:
• HIPAA, PCI DSS, state data breach laws (http://www.hhs.gov/ocr/privacy/hipaa/understanding/) (https://www.pcisecuritystandards.org/security_standards/)
• Online behavioral advertising / FTC and state AGs (http://www.ftc.gov/news-events/press-releases/2009/02/ftc-staff-revises-online-behavioral-advertising-principles)
• Securities regulations (e.g. SOX, GLBA) (http://www.sec.gov/info/smallbus/404guide/intro.shtml) (http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act)
• Foreign Corrupt Practices Act (FCPA) (http://www.justice.gov/criminal/fraud/fcpa/)
• EU Data Protection Directives (http://ec.europa.eu/justice/data-protection/index_en.htm)
• Children’s Online Privacy Protection Act (http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule)
  – Extends to mobile apps and online technologies
  – Regs cover “personal information” collected, including cookies, etc.
Contractual Compliance
• NDAs and Notice of Breach clauses
• M&A transaction confidentiality before and after the transaction
• PCI compliance
“At any given moment, there is a certain percentage of the population that’s up to no good.”
Ernst & Young 13th Global Fraud Survey
• Increasing acceptance of unethical behavior
  – Bribery and corruption
  – Misstate financial performance
• Control environment not strong enough
  – Mixed messages from top – failure to penalize
• Independent view on compliance demanded
• Need to manage third parties
  – Lack of due diligence
• Acquisitions
  – Lack of pre-acquisitions
Summary of the Final Omnibus HIPAA/HITECH Rules
Business Associates

Why The Concern?
• Effective March 26, 2013
• Compliance deadline of September 23, 2013
• CMS audit will begin again after September 23, 2013
Biggest Change for Business Associates
• Provides direct liability for Business Associates and their subcontractors
• Includes entities that create, receive, maintain, or transmit PHI on behalf of a covered entity
  – Law firms
  – Accountants
  – Persons that provide data transmission services for PHI
  – Many others
Business Associates Must
• Comply with the terms of a Business Associate agreement related to the use and disclosure of PHI
• Provide PHI to the Secretary upon demand
• Provide an electronic copy of PHI to an individual patient upon request
• Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose
• Enter into Business Associate agreements with subcontractors that create or receive PHI
Best Practice
• Business Associates are not required to have written policies and procedures
• Highly recommended for BAs:
  – Written policies and procedures
  – Conduct security review and provide written assessment
  – Consider encryption
Covered Entity To Do
• Identify and document Business Associates
• Business Associates identify and document subcontractors
• Business Associates need new policies for new requirements
• Review and amend existing Business Associate Agreements
• Update breach notification compliance plan
• Confirm Business Associates have written contracts with subcontractors and vendors and that they are HIPAA compliant
Business Associates To Do
• Assign Information Security Officer
• Implement privacy policies
• Implement security policies – physical & IT
• Establish written contracts for all subcontractors or vendors to which you delegate a function, activity or service
• Implement breach notification compliance plan
• Implement HIPAA privacy and security awareness training program – annual training
• Conduct security review
Incident Response & Reactive Cyber Security
• Crisis Management!
  – Engage incident response policy and plans
  – Engage pre-determined internal personnel and external consultants
  – Include legal and technical experts early on upon escalation of an incident
• Litigation Support
  – Forensics
  – Analytics
Conclusion
• Build the best defense possible
• Be aware of regulatory and contractual issues
• Have a plan to respond to incidents
• Test and exercise plans, crisis personnel and critical systems