Cybersecurity and Data Privacy - Alaska Bar

Perkins Coie LLP | PerkinsCoie.com

Cybersecurity and Data Privacy: Mitigating Employee, Vendor and Third Party Risks

May 2, 2018

Transcript of Cybersecurity and Data Privacy - Alaska Bar

Page 1: Cybersecurity and Data Privacy - Alaska Bar


Cybersecurity and Data Privacy: Mitigating Employee, Vendor and Third Party Risks

May 2, 2018

Page 2: Cybersecurity and Data Privacy - Alaska Bar

Overview

Part 1 – Cyber Risks

Part 2 – Legal and Regulatory Landscape

Part 3 – Ways to Mitigate or Prevent Threats

Page 3: Cybersecurity and Data Privacy - Alaska Bar

Part 1 – Cyber Risks

Page 4: Cybersecurity and Data Privacy - Alaska Bar

Diverse Threat Actors

Nation-state actors

• Highly resourced & sophisticated

• Target critical infrastructure, ISPs, large corporations, gov. contractors

• Propaganda & information value

• Advanced Persistent Threats *

Criminals

• Personally Identifiable Information, credit cards, data

• Black market for stolen data – Dark Web

• Examples: Target, Home Depot, Uber

Hacktivists

Disgruntled Employees

Page 6: Cybersecurity and Data Privacy - Alaska Bar

March 16, 2018

Page 7: Cybersecurity and Data Privacy - Alaska Bar

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

Kevin Feldis

Page 8: Cybersecurity and Data Privacy - Alaska Bar

The Nature of the Threat

• In Chinese intrusion cases (coming from China) handled by Mandiant, 94% of the victim companies didn't realize their networks had been breached until someone else told them.

• On average, companies' networks had been breached for 416 days before the intrusion was detected.

"Nation-states willing to spend unlimited amounts of money for technology, intelligence gathering, and bribery can overcome just about any defense."

-- Alan Paller, Director of Research, SANS Institute

Page 9: Cybersecurity and Data Privacy - Alaska Bar

Diverse Threat Actors

Human Element

• Poor Cyber Hygiene

• Poorly Trained Employees

• Lack of Understanding

• Cannot catch everything

Page 14: Cybersecurity and Data Privacy - Alaska Bar

Connectivity and Data Collection

Internet usage increasing

• 4.16 billion Internet users (54.4% of the world)

• Reaching far corners of the earth

Device usage increasing

• 12 billion internet-connected devices worldwide (20 billion by 2020)

• Average American owns 4 internet-connected devices

More diverse & data-rich services offered

• Medical, Financial, Personal Fitness

• Children (Facebook’s Messenger Kids)

• IoT, Smart Homes, Wearables

• Artificial Intelligence (AI)

Page 18: Cybersecurity and Data Privacy - Alaska Bar

CloudPets “Smart” Toys

Wi-Fi/Bluetooth-enabled audio messages through toys

Page 19: Cybersecurity and Data Privacy - Alaska Bar

CloudPets company was hacked, exposing data of 800,000 customers and 2 million voice messages from “smart” teddy bears (February 2017)

Page 20: Cybersecurity and Data Privacy - Alaska Bar

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 24: Cybersecurity and Data Privacy - Alaska Bar

Connectivity and Data Collection

New corporate focus on risks and costs

• The last 10 years were about growth; the next 10 years will be about security

• Companies accepting responsibility

Public concerns

• Honeymoon over

• People waking up

• Privacy concerns

U.S. Government concerns

• Federal, state and local governments waking up

• Political concerns

• National Security concerns

Page 26: Cybersecurity and Data Privacy - Alaska Bar

Part 2 – The Cyber Legal and Regulatory Landscape

Page 27: Cybersecurity and Data Privacy - Alaska Bar

Increasing U.S. Regulations and Enforcement

• State Attorneys General / Local Authorities

  • Increasingly active

• Federal Trade Commission

  • Consumer privacy protections

• Securities & Exchange Commission

  • Specialized cyber unit

  • New SEC Guidance on Cybersecurity Disclosures (February 26, 2018)

    • “As companies’ exposure to and reliance on networked systems and the Internet has increased, the attendant risks and frequency of cybersecurity incidents also have increased”

    • Inform investors about material cybersecurity risks and incidents in a timely fashion

    • Maintain comprehensive policies and procedures for cybersecurity risks and incidents

    • Disclose the risks associated with cybersecurity, including those connected to acquisitions

Page 28: Cybersecurity and Data Privacy - Alaska Bar

U.S. Data Security Laws and Standards

• State Laws

  • Nearly all states have data breach regulations

  • Many states: commercially reasonable measures

• Federal Laws

  • FTC Act § 5, HIPAA, FERPA, GLBA (Gramm-Leach-Bliley Act)

  • SEC cyber guidance

• EU General Data Protection Regulation (GDPR)

  • Effective May 2018

Page 30: Cybersecurity and Data Privacy - Alaska Bar

U.S. Data Security Regulations

• Government Contracts

  • Defense contractors and subcontractors

    • DFARS 252.204-7012 Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting (December 31, 2017)

      • Multi-factor authentication

      • Encryption

      • Breach notification (within 72 hours through portal)

  • FAR 52.204-21 Basic Safeguarding of Contractor Information Systems that process, store or transmit federal contract information (June 2016)

    • 15 basic security controls for the systems (e.g., access controls, virus scans)

    • Federal contract information = information provided or generated for the Government under a contract to develop or deliver a product or service

Page 31: Cybersecurity and Data Privacy - Alaska Bar

Increasing Private Litigation

• Growing class of plaintiffs

  • Consumers, shareholders, financial institutions, third parties

  • Class action lawsuits (failure to protect)

• Industry standards

  • PCI (payment card industry), NERC (North American Electric Reliability Corporation) CIP (critical infrastructure protection)

• Trends

  • Increased interest in private litigation/attorney specialists

  • Fewer claims dismissed for standing

  • Increased regulation and enforcement

  • Higher industry standards

  • Common law court decisions: rising standard of care

Page 32: Cybersecurity and Data Privacy - Alaska Bar

New Law as of March 2018

Page 33: Cybersecurity and Data Privacy - Alaska Bar

Clarifying Lawful Overseas Use of Data Act (CLOUD Act)

1. U.S. companies are required to turn over evidence/data wherever it is located (including overseas), if they control it.

• Search warrant or grand jury subpoena still required

• Addresses the issue in the Microsoft litigation

• Amends the Stored Communications Act

2. Permits providers to make disclosures directly to foreign governments

• Increases international law enforcement cooperation

• Limited to countries that enter into executive agreements with the U.S.

Page 34: Cybersecurity and Data Privacy - Alaska Bar

Part 3 – Minimizing Cyber Risks

Page 35: Cybersecurity and Data Privacy - Alaska Bar

Immediate Steps:

Review your current Data Security Program

• Have someone with experience review & update it

• Get the buy-in and budgeting necessary from the top

• Schedule and conduct training & stress testing

Conduct a Cyber Compliance Review

• Are you complying with industry standards, government contract requirements (FAR, DFARS), and regulations/laws?

Update your Incident Response Plan

• Dust it off, have someone with cyber experience review it, update it.

• Test it – table top and simulated

Develop procedures for limiting third-party risks

• Determine the level of risk that is appropriate for your business before you outsource or share any data

• Develop a third-party due diligence process and follow it

Page 36: Cybersecurity and Data Privacy - Alaska Bar

Limit Third-Party Cyber Risks

Page 37: Cybersecurity and Data Privacy - Alaska Bar

Conduct Due Diligence

• Ask to review cyber risk assessments

• Look for external certifications

• Review cyber/data protection policies

• Do they have a dedicated CISO and/or other cyber professionals?

• Do they have a cyber incident response plan?

• Any history of cyber breaches?

Page 39: Cybersecurity and Data Privacy - Alaska Bar

Include Cyber Security Provisions in Contracts

• Define cybersecurity terms

• Require cybersecurity safeguards and audits

• Subcontracting limits/considerations

• Breach notification provisions

• Certifications about prior breaches

• Indemnification/remedies

Page 41: Cybersecurity and Data Privacy - Alaska Bar

Minimize Human Element Risks

• Policies and Procedures

  • Wireless, data protection, BYOD

• Training

• Network & end-point security

• Identify key data and protect it

• Back-up systems

• Track compliance

• Conduct assessments

Page 43: Cybersecurity and Data Privacy - Alaska Bar

Kevin Feldis

Perkins Coie – Partner

907-263-6955 desk

907-529-1599

[email protected]

www.perkinscoie.com/KFeldis

Admitted in Alaska, Illinois and Washington DC