Page 1:

We Earn Our Reputation From The Companies We Keep.®

Anatomy of a Data Breach

March 12, 2014

Lucie Huger, Officer, Greensfelder, Hemker & Gale, P.C.

Jarrett Kolthoff, President, SpearTip

Joyce Yeager, Assistant Attorney General, State of Missouri

Page 2:

“Information is the New Oil!”

Companies are collecting and storing massive amounts of data on a regular basis.

This data may include information about employees, customers, intellectual property/trade secrets and business operations.

This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.

Page 3:

Everywhere

With the popularity of social media, business conducted on personal devices, and the outsourcing of business functions to third parties, data breaches are becoming more prevalent.

Page 4:

Possible Outcomes Affecting Business Operations Resulting From A Breach

Loss of customers

Damage to business reputation

Compliance obligations

Government investigations (federal and state)

Civil litigation

Page 5:

Common Causes of Data Breaches

Negligence

Malicious or criminal attacks (hacking or theft of electronic devices)

Corporate espionage/malfeasance

Page 6:

Anatomy of a Data Breach

1. Notify those within your organization who need to know of the incident: Not every incident constitutes a breach that would lawfully require notification.

Internal communications could be discoverable, so be careful what you say and how you say it.

Note the date and time of the discovery of the incident.

Page 7:

Anatomy of a Data Breach

2. Assemble a response team, both internal and external:

The team should consist of:

Key company stakeholders

Legal counsel: since civil litigation is possible, an attorney knowledgeable in breach issues can help to keep the process of working through a breach protected by privilege

Forensic IT firm

Communications expert

Page 8:

Anatomy of a Data Breach

3. Investigate the incident: What type of data is involved, what are the circumstances, and how many persons are affected. Carefully plan/strategize the investigation before you begin.

Keep language of the investigation easy to understand.

Interviews may be appropriate.

Document the steps and findings.

Involve law enforcement, as appropriate.

Involve insurers, as appropriate.

Page 9:

Anatomy of a Data Breach

4. Determine whether the incident constitutes a reportable breach: Look to the applicable laws and determine whether an exception applies.

Federal

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

Page 10:

Anatomy of a Data Breach

State or States: Currently, there are 46 states that have enacted data breach laws. Some of these laws apply to businesses operating in the state, while others apply to affected residents of the state (multiple state laws may come into play in a single breach). It will be necessary to determine which state(s) law(s) apply. Some states have different definitions for what data constitutes “personal information.”

Some state laws require notification of residents based upon “unauthorized access.”

Certain states require a risk of harm analysis to determine whether notification is required.

Certain state laws protect electronic records, not paper records.

Many states require notice to the State Attorney General.

States generally require notice within a defined timeframe, but these timeframes can vary.

Page 11:

Anatomy of a Data Breach

5. Contain the breach and mitigate harm, to the extent possible.

Is it possible to retrieve the lost/stolen device?

Is it possible to “wipe” the data from the lost/stolen device?

Is it possible to arrange for the return of the data erroneously disclosed?

Is it possible to enter into a non-disclosure agreement/attestation for return of data?

Page 12:

Anatomy of a Data Breach

6. Notify:

Affected persons – It takes time to find up-to-date addresses

Law enforcement – State Attorneys General

Government – Department of Health and Human Services

Media – As required under federal or state law

Page 13:

Anatomy of a Data Breach

7. Respond to inquiries.

Do you need to establish a toll free number for inquiries?

Do you need to establish a call center?

Have you established a triage team to address unique customer concerns?

Have you established a system for addressing press inquiries?

Page 14:

Anatomy of a Data Breach

8. Improve processes to avoid future data breaches.

Have you considered a third party audit to review your company’s policies/compliance efforts as well as its technical infrastructure?

Page 15:

Which Data Breaches are being Litigated?

Probability of a lawsuit is positively correlated with the number of records lost.

Probability of a lawsuit is positively correlated with the presence of actual harm (financial loss, emotional distress) and negatively correlated with credit monitoring being offered.

Lawsuits are more likely to occur from breaches caused by improper disclosure of information, as opposed to a computer hack, for example.

Probability of a lawsuit is positively correlated with the compromise of personal information requiring a heightened level of protection by individuals affected.

Romanosky, S., Hoffman, D., Acquisti, A. (2013). Empirical Analysis of Data Breach Litigation. iConference 2013 Proceedings

Page 16:

Proactive Approach

Create a Preparedness Plan, now:

Identify persons within your organization who are/will be responsible for data management.

Identify compliance requirements according to applicable laws.

Identify the types of data your organization collects/ processes/ develops.

Create a risk assessment plan and mitigation plan.

Develop policies and educate all staff.

Have a reporting mechanism that is well publicized and encouraged.

Procure insurance to cover data breaches (cyber policy).

Review vendor contracts.

Page 17:

Lucie F. Huger, 314/345-4725

E-mail: [email protected]

Page 18:

Jarrett Kolthoff, President & CEO, SpearTip, LLC, Saint Louis, Missouri

SpearTip – Cyber Counterintelligence

Page 19:

• Current Data Security Strategies

  – Identify the Most Valuable Information Assets

  – Create a “Risk Register” – Compliance / Corporate Secrets

  – Assess Balance Between Compliance & Protecting Secrets

• Establish Baseline

  – Reprioritize Enterprise Security Investment

  – Increase 3rd Party Vigilance

  – Measure Effectiveness – Key Performance Indicators (KPIs) and “Audit the Auditor”

Forrester Research – Value of Corp Secrets

Page 20:

“Just over a decade ago, intelligence collection efforts still focused primarily upon military assets. Now, these have largely shifted to concentrate upon technology, manufacturing processes, and other trade secrets that sometimes have dual use but often only civilian applications.”

David M. Keithly and Stephen P. Ferris, “US Companies Exposed to Industrial Espionage,” National Defense Magazine, Sep 2002

Page 21:

Cyber Warfare – New Types of Soldiers

• Taking on new missions

• Theft of processing power

• Theft of customer data and financial information

• Theft of research

• Destruction of research data

• Hacktivism

• Using active memory manipulation to foil static analysis and avoid signature-based AV solutions

• In some cases, being used in conjunction with human operatives in the theft of company IP

Page 22:

Methods of Attack

• PayPal phishing scam tempting users to click a “Resolution Center” link.

Page 23:

Cyber Warfare – Phishing Scams

• The first suspicious part of this phishing email is the email domain.

• The second suspicious piece of this email is the URL hidden behind the “Resolution Center” link.
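The two observations on this slide can be turned into mechanical triage checks. The script below is an added example, not code from the presentation or from SpearTip: it parses a constructed PayPal-style lure, compares the sender's domain with the brand named in the display name, and compares each link's visible text with the host it really points to. The brand/domain allow-list, the sample message and every address in it are assumptions for illustration.

```python
"""Triage checks for a suspected phishing e-mail (added example).

Applies the two observations from the slide to a constructed message:
  1. the sender domain does not belong to the brand claimed in the From name;
  2. a link's visible text hides a different destination (here a bare IP).
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list (not from the slides): brand keyword -> registrable
# domains that legitimately send mail and host links for that brand.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
}

# Constructed sample lure of the kind the slide describes.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypa1-secure.com>
To: victim@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please visit the
<a href="http://198.51.100.23/pp/login.php">Resolution Center</a>
to restore access.</p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; a real
    deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: sender's registrable domain vs. the brand in the display name/subject.
    name, addr = email.utils.parseaddr(msg["From"] or "")
    sender_domain = registrable_domain(addr.split("@")[-1])
    text = (name + " " + (msg["Subject"] or "")).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and sender_domain not in domains:
            findings.append(f"sender domain {sender_domain!r} does not belong to {brand}")

    # Check 2: each link's visible text vs. where it actually points.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, visible in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if host and host.replace(".", "").isdigit():
            findings.append(f"link {visible!r} points at a bare IP address {host}")
        # Visible text that looks like a domain/URL must match the real host.
        if "." in visible and registrable_domain(visible.split("/")[0]) != registrable_domain(host):
            findings.append(f"link text {visible!r} hides destination {host!r}")
        # A brand-themed mail whose link leaves the brand's domains is suspect.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text and target.scheme in ("http", "https") and registrable_domain(host) not in domains:
                findings.append(f"link {visible!r} leaves {brand} domains: {href}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("!", finding)
```

On the sample the script reports three findings: the look-alike sender domain, the “Resolution Center” link pointing at a bare IP address, and that same link leaving the brand's domains; the legitimate help link, whose text and destination agree, is not flagged.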

Page 24:

Cyber Warfare – APT

• An Advanced Persistent Threat (APT) is a cyber attack launched by a group of sophisticated, determined and coordinated attackers who have been systematically compromising a specific target’s machines or an entity’s networks for a prolonged period of time.

• The term “persistence” also extends to the attackers’ practice of persistently launching spear-phishing attacks against the targets.

Page 25:

Cyber Warfare – Stages of Compromise

• Stage-0 Loader

  – Usually a small application (.exe)

  – Normally an application with limited behavior

  – “Droppers”

  – May be found on disk

• Stage-1 Loader

  – Normally memory-resident

  – Usually utilizes process injection or process replacement

  – Normally not hard-coded, allowing for flexibility

  – May seek to uninstall AV solutions

Page 26:

Cyber Warfare – Stages of Compromise

• Follow-on Modules

  – These will also be primarily memory-resident

  – May seek out and destroy other malware

  – Will often initiate C2 communications for data exfiltration and propagation

  – May also log keystrokes and interfere with AV solutions

Page 27:

Cyber Warfare – Malware Characteristics

• Initial infection vector

• Propagation mechanism

• Persistence mechanism

• Artifacts
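The three preceding slides describe the stages in terms of behaviour: a dropper that touches disk, a memory-resident loader that injects into another process and tampers with AV, and follow-on modules that talk to C2 and propagate. The script below is an added example, not from the presentation or from SpearTip, showing how those behaviours look in endpoint telemetry. It runs a handful of correlation rules over constructed Sysmon-style events (event IDs 1 process create, 3 network connect, 8 CreateRemoteThread, 11 file create) and labels each hit with the stage it corresponds to. The host, paths, addresses, service name and the events themselves are made up for illustration; a real deployment would read them from the Windows event log or a SIEM.

```python
"""Label Sysmon-style endpoint events with the stages of compromise (added example).

Rules (deliberately simple, tuned to the constructed events below):
  stage0_dropper        .exe written to a user-writable path, then executed
  stage1_injection      that executable creates a remote thread in another process
  stage1_av_tamper      the injected host process spawns a command that stops a service
  followon_c2           the injected host process connects to an external address
  followon_propagation  the injected host process connects to internal SMB/RPC/RDP
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed events for one host: a phishing-borne infection chain.
EVENTS = [
    {"id": 11, "proc": r"C:\Program Files\Mail\mail.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\invoice.exe"},
    {"id": 1, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "parent": r"C:\Program Files\Mail\mail.exe", "pid": 4100},
    {"id": 8, "source": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "pid": 4120,
     "cmd": "cmd /c sc stop AVService"},          # AVService is a made-up name
    {"id": 3, "image": r"C:\Windows\explorer.exe", "dst": "203.0.113.9", "dport": 443},
    {"id": 3, "image": r"C:\Windows\explorer.exe", "dst": "10.0.0.5", "dport": 445},
]

# RFC 1918 ranges count as "inside the enterprise"; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
LATERAL_PORTS = (445, 135, 3389)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def user_writable(path: str) -> bool:
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def classify(events: list[dict]) -> dict[str, list[str]]:
    """Return stage -> findings, walking the events in chronological order."""
    findings = defaultdict(list)
    # Executables written to disk: path -> writing process (the dropper's artifact).
    written = {e["path"].lower(): e["proc"] for e in events
               if e["id"] == 11 and e["path"].lower().endswith(".exe")}
    droppers, injected = set(), set()

    for e in events:
        if e["id"] == 1:
            image = e["image"].lower()
            if image in written and user_writable(image):
                droppers.add(image)
                findings["stage0_dropper"].append(
                    f"{e['image']} written by {written[image]} and executed")
            elif e["parent"].lower() in injected and "sc stop" in e.get("cmd", "").lower():
                findings["stage1_av_tamper"].append(f"{e['parent']} spawned: {e['cmd']}")
        elif e["id"] == 8 and (e["source"].lower() in droppers or user_writable(e["source"])):
            injected.add(e["target"].lower())
            findings["stage1_injection"].append(
                f"{e['source']} created a remote thread in {e['target']}")
        elif e["id"] == 3 and e["image"].lower() in injected:
            where = f"{e['image']} -> {e['dst']}:{e['dport']}"
            if not is_internal(e["dst"]):
                findings["followon_c2"].append(where)
            elif e["dport"] in LATERAL_PORTS:
                findings["followon_propagation"].append(where)
    return dict(findings)


if __name__ == "__main__":
    for stage, hits in classify(EVENTS).items():
        for hit in hits:
            print(f"[{stage}] {hit}")
```

The rules chain on state: the injection rule only fires for a source that was already seen as a dropper (or lives in a user-writable path), and the C2 and propagation rules only fire for a process that received a remote thread. That is what makes explorer.exe talking to an external address suspicious here when it would be noise on its own.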

Page 28:

Cyber Counterespionage – Case Studies

• Romanian Hack Team – Credit card fraud: Arrested by INTERPOL

• Chinese Foreign National – APT – Pre-patent theft: Identified SUBJECT/source and remediated malware

• Identified Anonymous – STL: Arrested by FBI

• Critical Infrastructure – SCADA: Secured SCADA systems and continuous monitoring for cyber threats

• International Wire Fraud – $6.9MM: Recovered $6.9MM wired to Russia and defended bankers’ bank from lawsuit

Page 29:

General Counsel’s Response to the Breach

Plan For the “When”, Not the “If”

• “Own” the response to the breach

• Validate with Legal interpretation

• Breach Notification Policies

• Balancing Legal with Reputational Risks

• Table-Top Exercises

• Continually updating policies/procedures

• Consultant to the Board

Page 30:

Engagement Strategies – Paradigm Shift

• Multi-national corporate espionage is a reality!

• Corporations have a responsibility to protect their intellectual property.

• Un-conflicted Advisory Services

• Board Level optics

• Traditional Audits / Penetration Testing

• Advanced Malware Capabilities

• Consultant to the Board

Protect Your Corporate Assets! Make a Plan!

Page 31:

STATE LAW REGULATORY PRINCIPLES

B. Joyce Yeager, Esq., CIPP, Assistant Attorney General

Page 32:

The statements and content of this presentation are personal statements and opinions of Joyce Yeager, CIPP, and are not the statements or opinions of the Office of the Attorney General of the State of Missouri, and are not the statements or opinions of Attorney General Chris Koster.

Page 33:

PRIVACY IS MORE THAN THE DATA BREACH IN THE PRESS

Page 34:

Page 35:

State Privacy Topics – General

• Chapter 115 RSMo – Election – Election Authorities and Conduct of Elections

• Chapter 313 RSMo – Gambling and biometrics – Licensed Gaming Activities: patrons shall not be required to provide fingerprints, retinal scans, biometric forms of identification, any type of patron-tracking cards, or other types of identification prior to being permitted to enter the area where gambling is being conducted

• 362.422 RSMo – Financial Records – Disclosure of nonpublic personal information; nonaffiliated third parties (State law parallel to federal Gramm-Leach-Bliley Financial Modernization Act of 1999, “GLBA”)

• 407.1355 RSMo – Social Security numbers – Social Security numbers, prohibited actions involving…a state or local agency

• 408.675 to 408.700 RSMo – Missouri Right to Financial Privacy – There are provisions throughout the Code and in federal law pertaining to credit information, credit rating information, and credit reporting

• 491.060 RSMo – Privileges – Persons incompetent to testify--exceptions, children in certain cases (child testimony; privileges for attorney, minister, physician communication)

• 565.084 RSMo – Tampering with a judicial officer, penalty

• 565.225 RSMo – Crime of stalking

• 565.252 and 565.253 RSMo – Crime of invasion of privacy – Photography/film

• 569.095 to 569.099 RSMo – Tampering with computer

• Employment – There are statutes throughout the Missouri Code protecting records pertaining to educators, public employees, as well as military members and their families

Page 36:

Communication

• 407.1070 to 407.1110 RSMo – Telephone – Telemarketing Practices (phone solicitation)

• 407.1135 to 407.1141 RSMo – Unsolicited E-mail – Unsolicited Commercial E-Mail prohibited

• 542.400 to 542.422 RSMo – Wiretaps – Wiretaps (common carrier switching station communications)

Page 37:

Health

• 167.183 RSMo – Health – Immunization records, disclosure, to whom--disclosure for unauthorized purpose, liability

• Chapter 188 RSMo – Regulation of Abortions – Breach of Confidentiality prohibited

• 191.656 to 191.703 RSMo – AIDS (Acquired Immunodeficiency Syndrome) – Confidentiality of HIV records

• 191.918 RSMo – Breast-feeding – Breast-feeding in public permitted

• 375.1300 to 375.1312 RSMo – Genetic Information and Domestic Violence – Genetic information cannot be used by employers or insurers to discriminate against individuals

• Medical and Pharmaceutical – There are provisions throughout the Code and in federal law pertaining to medical and pharmaceutical information. For examples of medical records protections, see the web page for the Office of Civil Rights of Health and Human Services (“HIPAA” and “HITECH”). For information pertaining to the safety of records pertaining to the Affordable Care Act, see the web page for the Federal Trade Commission.

Page 38:

Identity

• 570.223 RSMo – Identity Theft – Crime if he or she knowingly and with the intent to deceive or defraud obtains, possesses, transfers, uses, or attempts to obtain, transfer or use, one or more means of identification not lawfully issued for his or her use

• 570.224 RSMo – Trafficking in stolen identities – Crime if manufactures, sells, transfers, purchases, or possesses, with intent to sell or transfer means of identification ... for the purpose of committing identity theft

• 570.380 RSMo – Fake Identification – Manufacture or possession of fictitious or forged means of identification, intent to distribute, violation

Page 39:

Records

• 43.542 RSMo – Criminal Records – Approval of National Crime Prevention and Privacy Compact--execution of compact (criminal history records)

• 182.815 and 182.817 RSMo – Library Records – Disclosure of library records not required—exceptions

• Chapter 211 RSMo – Juvenile Records – Juvenile Courts (privacy protections throughout Chapter)

• Education Records – Education records are protected by federal statute

Page 40:

Types of Privacy Statutes and Regs Typically Found In State Laws

• Arrest and Conviction Records

• Legal filings

• Banks and Financial Records

• Mailing lists

• Cable Television

• Medical Records/Biological information/Bioidentifiers

• Computer crime

• Pharmacy Records

• Credit Reporting and Investigating

• Polygraphs in Employment

• Criminal Justice Records

• Privacy Statutes (such as the protection of certain pictures)

• Education Records

• Social Security numbers

• Electronic Surveillance

• State Constitutional guarantees

• Employment Records

• Sunshine Statutes

• Government Information on Persons

• Tax Records

• Identity Theft

• Telephone Services

• Insurance Records

• Testing in employment

• Library Records

• Tracking

• Licensing Information

• Vehicle/Drivers Licenses

Page 41:

FDA Regulation/HIPAA/HITECH

• Section 201(h) of the Food, Drug, and Cosmetic Act defines “device”; software that meets that definition is regulated as a medical device.

• HIPAA/HITECH and “Business Associates”

Page 42:

All roads lead through Texas on medical records privacy: “I Think They Mean It,” by B. Joyce Yeager, Journal of Consumer & Commercial Law, http://www.jtexconsumerlaw.com/MedicalPrivacy.pdf

Page 43:

Do Not Track – Section 22575 of the Business and Professions Code of California

Page 44:

Compliance with 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts

Any person that receives, stores, maintains, processes or otherwise has access to personal information acquired in connection with employment or with the provision of goods or services to a Massachusetts resident has a duty to protect that information.

A "person," for purposes of the regulation, may be an individual, corporation, association, partnership or other legal entity.

Personal information includes a surname, together with a first name or initial, in combination with one or more of the following three data elements pertaining to that person: Social Security Number; driver's license or state-issued identification card number; or financial account or credit or debit card number, with or without any other data element, such as a code, password, or PIN, that would permit access to the person's financial account.

The duty includes the requirement that the person develop and maintain a comprehensive Written Information Security Program ("WISP") to safeguard such information. If the person electronically stores or transmits personal information, the WISP must include a security system covering the person's computers and any portable and/or wireless devices. Safeguards should be appropriate to the size, scope and type of the person's business, to the person's available resources, to the amount of stored data and to the need for security and confidentiality of consumer and employee information. They must be consistent with safeguards for the protection of personal information, and information of a similar character, that are set out in any state or federal regulations that apply to the person.

Page 45:

MISSOURI AS AN EXAMPLE OF MEDICAL INFORMATION NOTICES AND HEALTH INFORMATION NOTICES

Missouri Revised Statutes, Chapter 407 Merchandising Practices, Section 407.1500 (August 28, 2013)

Definitions--notice to consumer for breach of security, procedure--attorney general may bring action for damages.

407.1500. 1. As used in this section, the following terms mean:

(1) "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information;

(2) "Consumer", an individual who is a resident of this state; . . .

Page 46:

407.1500 cont’d

(5) "Health insurance information", an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual;

(6) "Medical information", any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;

(7) "Owns or licenses" includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;

(8) "Person", any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any other legal or commercial entity; . . . .

Page 47:

407.1500 cont’d

(9) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:

(a) Social Security number;

(b) Driver's license number or other unique identification number created or collected by a government body;

(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;

(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

(e) Medical information; or

(f) Health insurance information.

Page 48:

407.1500 cont’d

Subsection 2. (1) Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach. The disclosure notification shall be:

(a) Made without unreasonable delay;

(b) Consistent with the legitimate needs of law enforcement, as provided in this section; and

(c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(2) Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
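The definitions on the preceding slides are precise enough to script the scoping step of an investigation (step 3, “how many persons are affected”, and step 4, “is this reportable”). The script below is an added example, not from the presentation: it encodes the 407.1500 definition of “personal information” (first name or initial plus last name, in combination with at least one listed data element that is not encrypted, redacted or otherwise unreadable; the financial elements only count together with an exposed access code) and the “consumer” definition (a Missouri resident), and counts who falls under the subsection 2 notice duty. The record layout, field names and sample rows are assumptions for illustration; the output feeds counsel's determination and does not replace it.

```python
"""Scope a breached data set against Mo. Rev. Stat. 407.1500 (added example).

Record fields, element names and sample rows are assumptions; the rules encode
subsection 1(9) (personal information), 1(2) (consumer) and 2 (notice).
"""
from dataclasses import dataclass, field

# Data elements listed in 407.1500.1(9). The financial ones (c) and (d) only
# count when paired with a security code / access code / password.
STANDALONE_ELEMENTS = {"ssn", "govt_id_number", "medical_information",
                       "health_insurance_information"}
PAIRED_ELEMENTS = {"financial_account_number", "electronic_identifier"}


@dataclass
class Record:
    first_name: str                                   # first name or first initial
    last_name: str
    state: str                                        # state of residence, e.g. "MO"
    elements: dict = field(default_factory=dict)      # element name -> value
    protected: set = field(default_factory=set)       # elements stored encrypted/redacted
    access_code_present: bool = False                 # PIN/password/code also exposed


def usable_elements(rec: Record) -> set[str]:
    """Elements that are present and readable (the encryption/redaction carve-out)."""
    present = {k for k, v in rec.elements.items() if v} - rec.protected
    usable = present & STANDALONE_ELEMENTS
    if rec.access_code_present:
        usable |= present & PAIRED_ELEMENTS
    return usable


def is_personal_information(rec: Record) -> bool:
    """407.1500.1(9): name (first name or initial + last name) in combination
    with one or more readable data elements."""
    has_name = bool(rec.first_name.strip()) and bool(rec.last_name.strip())
    return has_name and bool(usable_elements(rec))


def scope_breach(records: list[Record]) -> dict:
    """Summarise who falls under the notice provisions of subsection 2."""
    affected = [r for r in records if is_personal_information(r)]
    mo_consumers = [r for r in affected if r.state.upper() == "MO"]
    other_states = sorted({r.state.upper() for r in affected if r.state.upper() != "MO"})
    return {
        "records_reviewed": len(records),
        "personal_information_records": len(affected),
        "missouri_consumers_to_notify": len(mo_consumers),
        "other_states_to_check": other_states,   # each has its own statute (see page 10)
    }


# Constructed sample rows covering the edge cases in the definition.
SAMPLE = [
    Record("Ann", "Doe", "MO", {"ssn": "123-45-6789"}),
    Record("B", "Roe", "MO", {"ssn": "987-65-4321"}, protected={"ssn"}),   # SSN encrypted
    Record("Cal", "Poe", "MO", {"financial_account_number": "4111..."}),   # no code exposed
    Record("Dee", "Loe", "MO", {"financial_account_number": "4222..."}, access_code_present=True),
    Record("Eve", "Moe", "IL", {"medical_information": "dx: asthma"}),     # not a MO consumer
    Record("", "Zoe", "MO", {"ssn": "111-22-3333"}),                        # no first name/initial
]

if __name__ == "__main__":
    for key, value in scope_breach(SAMPLE).items():
        print(f"{key}: {value}")
```

Of the six sample rows only three meet the definition: the encrypted SSN, the account number without an exposed code, and the row with no first name or initial all fall outside it. Two of the three are Missouri consumers; the Illinois resident is flagged for a separate check under that state's law.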

Page 49:

NOTICE FOR PHI/PII

• SEC filings

• OCR/HHS

• State(s)

Page 50:

TRENDS

http://www.databreaches.net/netdiligence-2013-report-cyber-liability-data-breach-insurance-claims/

https://www.allclearid.com/files/2613/8325/4119/CyberClaimsStudy-2013.pdf

http://www.slideshare.net/Bee_Ware/verizon-2014-pci-compliance-report-31933261?utm_source=slideshow02&utm_medium=ssemail&utm_campaign=share_slideshow

Page 51:

We feel that to reveal embarrassing or private things, we have given someone something, like a primitive person fearing that a photographer will steal her soul.

To identify our secrets, our past, and our blotches is to reveal our identity, our sense of self.

Revealing our habits or losses or deeds somehow makes one less of oneself.

Paraphrased from Dave Eggers, A Heartbreaking Work of Staggering Genius

But why?