You’ve Been Hacked… South... · 2015-01-14 · The Data Breach Epidemic in the News ......


Usama Kahf, Esq. ukahf@laborlawyers.com

(949) 798-2118

You’ve Been Hacked… Now What?

November 4, 2014

© 2014 Fisher & Phillips LLP

The Data Breach Epidemic in the News

Why Is Data Privacy Important?

Notice requirements and potential liability in the event of a data breach

Best practices for safeguarding sensitive data / preventing data breach

Drafting a policy to comprehensively address BYOD and use of company devices


Target’s Black Friday Theft

40 million customers victimized

$61 million in 4Q expenses

CIO resigned


38% increase in incidents of loss, theft and exposure of personally identifiable information over the past year

Source: IBM Analytics


55% of C-Suite Executives Surveyed Believe Malicious or Negligent Insider/Employees Are The Primary Cause of Data Breach

Source: IBM Analytics


Data breach notification is a significant compliance risk for most businesses.

A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations.

Not to mention class action lawsuits!

Employee data can also be a trade secret, valuable in the hands of competitors.


Major data breaches by identity thieves

RSA Security (March 2011)

▪ Possibly 40 million employee records stolen by hackers

Even a small breach of employee data can affect a business

Departing employee takes personnel info and uses it to recruit top talent to work for competitor

Cannot “unring” the bell once certain private info is leaked (e.g., medical conditions)


46 states have enacted data privacy laws requiring businesses to safeguard certain types of employee and consumer information and to notify affected individuals in case of a data security breach.

Federal laws and regulatory schemes in the healthcare and financial industries also impose data privacy protections.

Contractual obligations.


Current disgruntled employees

Employees about to compete with you or go to work for competitors

Competitors

Vendors/suppliers

Government agencies

Criminal gangs / cartels

Identity theft rings

Medical fraud rings


Losses from intellectual property theft are up to $150 billion a year

The average employee embezzlement costs about $25,000 per incident

Average computer-assisted employee embezzlement runs $430,000 per incident


According to ASIS, more than 3 of every 4 thieves are employees or contractors

Another 6% or more are domestic competitors

Only 7% steal secrets on behalf of foreign companies or governments


File Cabinets

Rolodexes

Personnel Files

Computer Workstations

Internet

E-Mail

High-Tech Surveillance Equipment

Off-Site Login

Cell Phones

Fax Machines

Garbage


Personally Identifiable Information (“PII”) is information which can be used to distinguish or trace an individual’s identity (such as their name, social security number, demographic records), alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (such as date and place of birth, mother’s maiden name, etc.).


Personal Health Information (“PHI”) is Health Information that identifies, or there is a reasonable basis to believe it can be used to identify, the individual.

Health Information includes any information relating to the physical or mental health or condition of an individual, the health care provided to an individual, or payment for health care provided to an individual. PHI does not include employment records held by the employer in its role as employer.


NOT TO MENTION

TRADE SECRETS (e.g., customer lists / info; pricing and cost; financial data; R&D work; M&A plans; non-public product specs / prototypes)


INVESTIGATE AND SECURE YOUR DATA

When there is a suspected breach, you must investigate and lock down data.

The company might be required to demonstrate reasonable efforts to secure its confidential information

Evaluated by a reasonable third-person

Effectiveness


Identify applicable state and federal laws

Determine if a “breach” has occurred as defined by applicable laws

Determine if notification is required under applicable laws

Who should be notified?

When to notify?

Contents of notice

Follow-up risk mitigation steps


State laws vary in 6 areas:

1. Scope of Covered PII

2. Trigger for Notification Obligation

3. Recipients of Notice

4. Content of Notice

5. Timing of Notice

6. Enforcement


HIPAA, as amended by the HITECH Act, and regulations adopted by US Dept. of HHS.

Covered entities are healthcare-related entities and their “business associates”

Contractual obligations to comply with HIPAA

Gramm-Leach-Bliley Act ("GLBA") and banking industry regulations

Federal Trade Commission

Securities & Exchange Commission


A breach is defined as the unauthorized access, use, acquisition or disclosure of PHI that compromises the security of PHI.

Security is compromised if there is a substantial risk of financial, reputational, or other harm to the individual who is the subject of the PHI.


Breach triggers notice obligation

Must notify affected individuals, Dept. of Health & Human Services, and the media (if more than 500 persons in a state are affected)

But there is a Safe Harbor!


Under HIPAA and laws in some states, notice is NOT required if company conducts investigation and determines risk of harm has been mitigated

Where data was returned or wiped

Where person who acquired data is incapable of unencrypting or “re-identifying” data


Content of notice:

Description of breach incident

Types of PHI involved

Steps individual should take to protect from harm

Steps taken to investigate breach, mitigate losses, and protect against further breaches

Contact procedures for affected individuals, including toll-free number


Implement security procedures tailored to your business needs:

Personnel

Documentation

IT Infrastructure

Communication

Response / Investigation


Documentation:

Workplace Policies

Restrictive Covenants Agreements

Job Descriptions


Documentation: Workplace Policies:

▪ Computer Systems Use

▪ Authorized Electronically Stored Information Usage

▪ VOIP Usage

▪ Confidentiality and Non-Disclosure

▪ Ethical Conduct Policy

▪ Return of Corporate Property

▪ Bring Your Own Devices?


Documentation: Restrictive Covenants Agreements

▪ Confidentiality and Non-Disclosure

▪ Non-Solicitation of Customers, Clients and Patients

▪ Non-Recruitment of Personnel

▪ Non-Competition

Most states allow you to protect: customer information; trade secrets; confidential business information; existing customer relationships


Documentation: Leverage The Obligation To Protect

Where your business requires the protection of customer or third-party information, make sure documentation reflects that this is a business interest that must be protected


Mark protected documents, computer programs, file cabinets and restricted areas using designation such as “Confidential – Property of (Your Company)”

Limit access to protected material based on “need to know”

Utilize physical controls – restrict areas by locking offices and file cabinets


Control third-party access – vendors, customers, independent contractors, plant and facility tours, etc.

Limit copying and removal of sensitive information

Shred confidential discarded documents, erase tapes thoroughly


Set up firewalls

Data encryption

Regular back-ups

Utilize network, not local hard drive, space


Set up passwords with multiple characters (including numbers and letters)

Change access codes

Record or log who had access to computers and subfiles and when


Safe data destruction practices

Some laws require that when data is destroyed it should be destroyed in a particular manner

Utilize and vet vendors properly

▪ Due diligence (industry certification)

Ensure forensically sound “wiping” of electronic devices (when there is no duty to preserve)


“Bring Your Own Device” is the practice of allowing employees to bring their own mobile devices to work for use with company systems, software, networks, or information.


BYOD can provide key benefits, such as increased productivity, reduced IT costs, and better mobility for employees.

BYOD, however, increases risk of data breaches and liability from such breaches.

BYOD also increases risk of spoliation of evidence and makes preservation more difficult to manage and enforce.


Employee-owned devices may be lost or stolen, putting company data and networks at risk.

In 2012, the US government issued a BYOD toolkit for federal agencies, which noted the risk that a device's operating system may be compromised by malware or device misuse.


IBM adopted a BYOD policy in 2010

In 2012, IBM banned employees from using certain apps, including Dropbox and Siri, because of a “tremendous lack of awareness” about security risk and the company’s inability to control these apps.


In e-discovery, data has to be available if requested, and it is more complicated to preserve, locate and retrieve data when it is stored on employee-owned devices.

BYOD policy should make clear that, in the event of a legal or regulatory investigation, the password will be required and that any personal data that is on the device will be searched, along with anything that is relevant to the company.


A strong BYOD policy is the first step towards managing the increased risk of data breach.

BYOD policy should address:

the goals of the BYOD program

which employees can bring their own devices

which devices will be supported

access levels that employees are granted when using personal devices


Once a BYOD policy is adopted, maintaining BYOD security depends on how well employees are trained on BYOD best practices, implementation of effective device management and support, and enforcement of the BYOD policy.


Use password protected access controls

Control wireless network and service connectivity

Control application access and permissions

Keep Operating System, firmware, software, and applications up-to-date

Back up device data


Enroll in “Find my Device” and remote wipe services

Never store personal financial data on a device

Beware of free apps

Run mobile antivirus software or scanning tools

Use Mobile Device Management (MDM) software as recommended by IT
