Fighting Fraud and Cyber Crime: WTF ... "Where's the Fraud"
2_CyberSecurity_2d_ARMA_IG_Panel_7-14-15
1. New World Cyber Threats – Having a Good IG Foundation Can Help
ARMA & IBM IG Track – Panel # 2 – July 14, 2015
Discussion Leader:
Robert D. Brownstone, Fenwick & West LLP
Panelists:
Cary Calderone, SandHill Law
Sylvia Johnson, Wells Fargo
Tyler Newby, Fenwick & West LLP
James Schellhase, IBM
July 13-14, 2015, San Francisco - Hyatt Regency
2. Outline/Agenda
Legaltech West Coast, July 13-14, 2015, San Francisco - Hyatt Regency
INTRODUCTION – Anthem & Sony Post-Mortems
I. Liability Risks
II. Proactive Preventative Measures
III. Frameworks/Resources
IV. Reactive Remediation (Incident-Response)
CONCLUSION/Questions
3. INTRODUCTION – Anthem & Sony Post-Mortems
Breach Prevalence
• “Chronology of Data Breaches” for 4/20/05 – 6/4/15 (≈ 816 M records; > 4,500 incidents)
• “Office of Inadequate Security”
• PricewaterhouseCoopers LLP (PwC), U.S. Secret Service et al., US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey (June 2014)
• Ponemon Inst. o/b/o HP Enterprise Security, Cyber Crime Costs Continue to Grow (2014)
4. INTRO (c’t’d) – Anthem & Sony Post-Mortems
Diagnoses of Causes of:
• Anthem Breach
  – Eduard Kovacs, Industry Reactions to Anthem Data Breach (Security Week 2/6/15)
  – Joseph Conn, Legal liabilities in recent data breach extend far beyond Anthem, ModernHealthcare (2/23/15)
• Sony Pictures Hack
  – Overview at below Slides 5-9
  – Sources at Slide 10
5. INTRO (c’t’d) – Sony Breach
WHEN?
• Started over a year before Dec ’14
WHO?
• Might be combination . . .
• Likely not nation-state (North Korea)
• Attackers only latched onto “The Interview” after the media did (Rogers)
• Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware
• Noisy announcement of themselves, including image of blazing skeleton posted to infected computers
6. INTRO (c’t’d) – Sony (c’t’d)
WHO (c’t’d)?
• Likely hacktivists:
  – One theory is that disgruntled former employees were involved;
  – Alternate theories of outsiders who disagreed with company’s policies and practices
• Data dumped (posted to Pastebin, unofficial cloud repository of hackers) rather than IP sold or $ stolen from financial accounts . . .
• VERY savvy re: web & social media
7. INTRO (c’t’d) – Sony (c’t’d)
WHAT (in addition to emails)?
• PII and PHI (SSNs, DOBs, medical conditions, etc.)
• Lots of documents exfiltrated
  – List of employee salaries and bonuses
  – HR – employee performance reviews, criminal background checks and termination records
  – IP (scripts; films)
• Twitter accounts taken over
• Data destroyed (overwritten) by malware
  – Some wiped via commercially available product (RawDisk)
8. INTRO (c’t’d) – Sony Breach
HOW?
• Phishing?
• Website vulnerabilities exploited
• Means to achieve ends:
  – Hundreds of employees’ usernames and passwords
  – RSA SecurID tokens and certificates
  – Sensitive info. about network architecture
  – Asset list mapping the location of the company’s databases and servers around the world
  – List of routers, switches and load balancers and the usernames and passwords administrators used to manage them
9. INTRO (c’t’d) – Sony Breach
HOW (c’t’d)?
• Inability of traditional AntiVirus to detect bespoke malware
• Whatever Data Loss Prevention (DLP) solution Sony used missed transfers of terabytes of data out of the network
• On-premise perimeter security appliances missed:
  – huge anomalies in network traffic, machine usage & host relationships
  – Sony’s own edge being hijacked and used as public bittorrent servers aiding the exfiltration of data?
WHAT NOW?
• start over (every password, key and certificate tainted)
(From below Rogers article)
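The two detection gaps named on this slide (bulk egress that DLP missed, and traffic/host-relationship anomalies that the perimeter appliances missed) are the kind of thing a very small baseline check would have surfaced. The script below is an added example, not from the panel or from any Sony system: it sums outbound bytes per internal host over constructed flow records, flags any host whose egress dwarfs the median of its peers, and separately flags connections to destinations not on an allowlist. Host names, IP addresses, the byte counts, the allowlist and the threshold values are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records (not real data): (src host, dst IP, dst port, bytes out).
# ws-101..ws-104 look like ordinary workstations; srv-db-7 pushes tens of gigabytes
# to one previously unseen address on a BitTorrent-style port, the kind of bulk
# transfer the slide says DLP and the perimeter appliances failed to notice.
SAMPLE_FLOWS = [
    ("ws-101", "203.0.113.10", 443, 1_200_000),
    ("ws-101", "203.0.113.10", 443, 800_000),
    ("ws-102", "198.51.100.5", 443, 2_500_000),
    ("ws-103", "203.0.113.10", 443, 1_100_000),
    ("ws-104", "198.51.100.5", 80, 900_000),
    ("srv-db-7", "192.0.2.77", 6881, 40_000_000_000),
    ("srv-db-7", "192.0.2.77", 6881, 35_000_000_000),
]

# Destinations the organisation already talks to (constructed allowlist; an assumption).
KNOWN_DESTINATIONS = {"203.0.113.10", "198.51.100.5"}


def egress_per_host(flows):
    """Sum outbound bytes per internal source host."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def volume_alerts(flows, multiplier=10, floor_bytes=1_000_000_000):
    """Return (host, bytes) pairs whose egress exceeds `multiplier` times the
    median host egress, but never below an absolute floor so that a quiet
    network does not page on ordinary variation."""
    totals = egress_per_host(flows)
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    threshold = max(baseline * multiplier, floor_bytes)
    return sorted((host, nbytes) for host, nbytes in totals.items() if nbytes > threshold)


def relationship_alerts(flows, known=KNOWN_DESTINATIONS):
    """Return (host, dst, port) tuples for connections to destinations that are
    not on the allowlist: the 'host relationship' anomalies the slide mentions."""
    new = {(src, dst, port) for src, dst, port, _n in flows if dst not in known}
    return sorted(new)


def report(flows):
    """Combine both detectors into one dictionary for a SOC triage view."""
    return {
        "volume": volume_alerts(flows),
        "new_destinations": relationship_alerts(flows),
    }


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_FLOWS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

The median baseline is deliberately crude: it is robust to one outlier, which is exactly the case here, but a real deployment would baseline per host and per time window and would feed the allowlist from historical flows rather than a hand-written set.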
10. INTRO (c’t’d) – Sony Breach
Sources for the above slides 5-9:
• Zetter, Sony Got Hacked Hard: What We Know and Don’t Know So Far, Wired (12/3/14)
• Sony Pictures, Dear SPR Employees (12/8/14) (letter now posted on Cal. Attorney General’s website)
• Rogers, Why the Sony hack is unlikely to be the work of North Korea, Marc’s Security Ramblings (12/18/14)
• Zetter, The Evidence That North Korea Hacked Sony Is Flimsy, Wired (12/18/14)
• Wikipedia, Sony Pictures Entertainment hack (1/22/15)
11. I. Liability Risks
Litigation is just one expense
• Business downtime
• Infrastructure replacement
• Loss of customer goodwill and contracts
• Outside forensics
• Notification costs
• Contractual indemnities
• Regulatory investigations
12. I. Liability Risks
Response & remediation costs are growing with size of breaches
• Sony Pictures: $100+ million
• Target: $138+ million
• eBay: Expenses affected operating margin by 1.9%
• Home Depot: $43 million
• Sony PSN (2011): $171 million
13. I. Liability Risks
Lawsuits – Consumer class actions are just one of Hydra’s heads
• Consumer class action settlement agreement with Target for $10 million, but . . .
• MasterCard/Target breach $19M settlement agreement fell apart
  – Lawyers for the banks did not think it was enough!
14. I. Liability Risks (c’t’d)
MasterCard/Target (c’t’d)
• Lawyers for the banks have estimated the total losses at more than $160 million, with approximately half that amount lost to fraud and half to the cost of reissuing nearly 9 million credit cards
• In 2013, Target said the breach during the holiday shopping season compromised at least 40 million credit cards and may have resulted in the theft of personal information from as many as 110 million people
• Target is still negotiating with Visa Inc. over losses from the breach
Source: Joseph Ax, MasterCard, Target data breach settlement falls apart, Reuters (May 22, 2015)
15. I. Liability Risks (c’t’d)
FTC Enforcement
• BJ’s Wholesale (FTC enforcement action): Companies with customer or employee info have a general obligation to protect PII with reasonable and appropriate security practices
• FTC v. Wyndham Worldwide Corp.: FTC has authority to bring an enforcement action under Section 5 of the FTC Act
• LabMD:
  – FTC has authority to investigate data security with investigative requests (Civil Investigative Demands)
  – FTC must share its standards with LabMD
16. I. Liability Risks (c’t’d)
Plaintiffs suing for data breaches use several different legal theories:
• negligence
• breach of express or implied contract
• breach of express or implied warranty
• unfair and deceptive trade practices acts
• data breach notification laws
Many suits fail early because plaintiffs cannot establish:
• standing to sue
• damages
• causation
17. II. Proactive Preventative/Precautionary Measures
• Access Restrictions
• Passwords
• Encryption
• Written Policies AND Training
• Network Monitoring & Pen(etration) Tests
• Cyber-Insurance . . . .
18. II. Proactive Measures (c’t’d)
Does your Commercial General Liability (CGL) Policy have you covered?
• Probably not
• IBM case – Recall Total Information Management Inc. v. Federal Insurance Co., 317 Conn. 46 (May 26, 2015)
• Sony PlayStation case – Zurich American Insurance Co. v. Sony Corp. of America, 2014 WL 3253541 (Sup. Ct. N.Y. Cty. Feb. 24, 2014), appeal withdrawn on stipulation, 127 A.D.3d 662 (Apr. 30, 2015)
19. II. Proactive Measures (c’t’d)
Cyber-Insurance . . .
• First Party Coverage? Third Party Coverage (clients, vendors, employees, etc.)?
• Covered by Prop. Ins. Policy? CGL Policy?
• Covered by D&O and/or E&O?
• If not, get separate/special coverage?
Depends at least in part on:
• Industry
• Data types and volumes
20. II. Proactive Measures (c’t’d)
Lawyer’s Role in a Security Program
• Understand the program’s core elements
• Draft/review/update policies and procedures
• Develop training program
• Investigate potential policy violations and breaches
• Develop vendor and customer contract requirements
• Influence legislative and rulemaking processes
21. II. Proactive Measures (c’t’d)
Lawyer’s Incident Response Playbook
• Preselect law firm(s) and forensic investigator(s) (see insurer’s panel, PCI approved list)
• Preselect notification and call support vendor
• Engage law firm(s)
• Engage forensic investigator(s)
22. III. Frameworks/Resources (in alpha order)
• APEC – APEC Privacy Framework
• COBIT 5 – ISACA
• ISO/IEC 27001 – “Information security management”
• LegalSEC™ – ILTA
• NIST, Framework for Improving Critical Infrastructure Cybersecurity (2/12/14), per Pres. Obama’s Executive Order 13636 (2/12/13)
23. III. Frameworks/Resources (c’t’d)
• NIST
  – Special Publication 800-53, Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations (maps to ISO 27K)
  – Special Publication 800-61, Revision 2 – Computer Security Incident Handling Guide
• SOC 2® Report – “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” (AICPA)
24. III. Frameworks/Resources (c’t’d)
Other Resources (in alpha order) . . .
• Brownstone:
  – Data Security Breaches: Proactive Prevention and Reactive Remedies, AudioSolutionz Webinar slides (5/14/15)
  – Using Analytics to Clean Out the ESI Garage, Today’s General Counsel (Oct./Nov. 2014) (co-author)
  – Heartbleed: It’s 10 PM; Do You Know Where Your Data Is? ITLawToday (5/6/14)
• Cloud Security Alliance
• Schneier on Security
25. IV. Reactive Remediation (Incident-Response)
Lawyer’s Incident Response Playbook (c’t’d)
• Understand types of data that were compromised (e.g., customer data, proprietary data, employee data)
• Contact regulators that require:
  – early warning, even before a breach is confirmed
  – notification after a breach is confirmed
• Contact law enforcement if necessary or advisable
• Contact Risk Management or notify insurer
26. IV. Incident-Response (c’t’d)
Lawyer’s Incident Response Playbook (c’t’d)
• Draft any breach notice required by:
  – law
  – customer contracts
  – contract with a payment card acquiring bank
• Draft any required SEC material event disclosure
• Review external communications (press releases, press or media standby statement, website content, social media)
27. IV. Incident-Response (c’t’d)
Lawyer’s Incident Response Playbook (c’t’d)
• Attorney-Client Privilege and Attorney Work-Product
  – May not be appropriate for all / small incidents
  – The activity/assessment was initiated for the purpose of providing legal advice
  – The privilege is being claimed in an adversarial proceeding (not against a regulator)
  – Reports and communications are selectively distributed
28. IV. Incident-Response (c’t’d)
Lawyer’s Incident Response Playbook (c’t’d)
• ACP & AWP (c’t’d)
  – An attorney or an attorney’s subordinate (e.g., Compliance) is involved in day-to-day interactions (not sufficient to copy a lawyer)
  – The issue under review is selective and not routine (because routine assessments are a business function, not a legal function)
29. IV. Incident-Response (c’t’d)
• ACP & AWP (c’t’d)
  – Create templates of self-executing instructions to incident-response (IR) team and PR team that investigation and public statements will be managed by counsel for the purpose of providing legal advice and protecting legal interests
  – Designate legal point person leading investigation
  – Forensic investigators (internal and external) should report results to counsel
30. IV. Incident-Response (c’t’d)
• ACP & AWP (c’t’d)
  – Templates of self-executing instructions (c’t’d)
  – External crisis management PR should be engaged by counsel (in-house or outside) in a consulting role
  – Establish daily (or more frequently in early stages) meetings attended by counsel for status reporting
  – PR strategy and statements should be reviewed/approved by counsel
  – Consider creation of two forensic incident reports
31. CONCLUSION/Questions
Sylvia Johnson <Sylvia.Johnson@wellsfargo.com>
Cary Calderone <cary@sandhilllaw.com>
Tyler Newby <tnewby@fenwick.com>
Robert D. Brownstone <rbrownstone@fenwick.com> <tinyurl.com/Bob-Brownstone-Bio> <www.ITLawToday.com>
James Schellhase <jaschell@us.ibm.com> <ibmecmblog.com> <@ibm_ecm>