Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies
Transcript of Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies
![Page 1: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/1.jpg)
Cybersecurity: Mission Impossible?
Shawn E. Tuma, Scheef & Stone, LLP, @shawnetuma
![Page 2: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/2.jpg)
Shawn Tuma, Partner, Scheef & Stone, L.L.P.
214.472.2135
@shawnetuma
blog: shawnetuma.com
web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.
Texas SuperLawyers 2015
Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
Chair, Collin County Bar Association Civil Litigation & Appellate Section
College of the State Bar of Texas
Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
Social Media Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals
Information Systems Security Association
Contributor, Norse DarkMatters Security Blog
Editor, Business Cyber Risk Law Blog
![Page 3: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/3.jpg)
#CCBBF @shawnetuma
![Page 4: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/4.jpg)
![Page 5: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/5.jpg)
“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller
![Page 6: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/6.jpg)
97% of companies tested had been breached in the prior 6 months.
![Page 7: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/7.jpg)
Odds: security has to be right 100% of the time; the hacker only has to succeed once.
![Page 8: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/8.jpg)
![Page 9: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/9.jpg)
![Page 10: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/10.jpg)
![Page 11: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/11.jpg)
![Page 12: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/12.jpg)
![Page 13: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/13.jpg)
![Page 14: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/14.jpg)
![Page 15: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/15.jpg)
![Page 16: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/16.jpg)
![Page 17: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/17.jpg)
![Page 18: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/18.jpg)
• Stewardship
• Public Relations
• Legal
![Page 19: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/19.jpg)
Responding: Execute Breach Response Plan
• contact attorney
• assemble your Response Team
• notify Card Processor
• contact forensics
• contact notification vendor
• investigate breach
• remediate responsible vulnerabilities
• reporting & notification
![Page 20: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/20.jpg)
What does “reporting & notification” mean?
• Law Enforcement
• State Attorneys General
  • pre-notice = VT (14 days), MD, NJ State Police
• Federal Agencies
  • FTC, SEC, HHS, etc.
• Consumers
  • Fla., Ohio, Vermont = 45 days
• Industry Groups
  • PCI, FINRA, FFIEC
• Credit Bureaus
• Professional Vendors & Suppliers
![Page 21: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/21.jpg)
www.solidcounsel.com
Sensitive personal information: any of the following combinations, if compromised, is a data breach
• first name or first initial + last name + SSN, driver’s license number (DLN), or government ID
• first name or first initial + last name + account or card number + access or security code
• information that identifies an individual and relates to health care, health care provided, or payment for it
Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053
Civil penalty: $100.00 per individual per day for notification delay, not to exceed $250,000 for a single breach (§ 521.151)
![Page 22: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/22.jpg)
Cost of a Data Breach
2013 cost (pre-Target): $188.00 per record; $5.4 million = total average cost paid by organizations
2014 cost: $201 per record; $5.9 million = total average cost paid by organizations
“The primary reason for the increase is the loss of customers following the data breach due to the additional expenses required to preserve the organization’s brand and reputation.” –Ponemon Institute 2014 Cost of Data Breach Study
![Page 23: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/23.jpg)
![Page 24: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/24.jpg)
![Page 25: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/25.jpg)
Blocking & Tackling – Most Common Breaches
• Theft
• Lost
• Passwords
• Phishing
• Websites
• Basic IT
• Case Stories
![Page 26: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/26.jpg)
Blocking & Tackling – Must Haves
• Approved & Documented Basic IT Security
• Basic Physical Security
• Policies & Procedures Focused on Data Security
  • Company
  • Workforce (Rajaee v. Design Tech Homes, Ltd.)
  • Network
  • Business Associates (Travelers Casualty v. Ignition Studio, Inc.)
• Implementation & Training
• Regular Reassessment & Update
![Page 27: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/27.jpg)
Risk Compliance Program – Security Culture cycle
• Assess, Audit, Gap Analysis
• Develop Strategic Plan
• Implement & Execute Plan
• Manage Response & Conflict
• Reassess & Update
Protecting businesses’ information; protecting businesses from their information.
![Page 35: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/35.jpg)
• Login Credentials
• “You don’t drown from falling into the water”
• 25k v. 40m (T) / 56m (HD)
![Page 36: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/36.jpg)
![Page 37: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/37.jpg)
Let us think …
• Newspaper Research
• Email Scheduling Lunch With Client
• Trial Exhibits
• Draft of Plaintiff’s Original Petition
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Formula for Coke
![Page 38: Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c3585dbb61eb3e1f8b463f/html5/thumbnails/38.jpg)
protecting / misusing / responding
data / devices