1. Mini Law Lesson
Are You Prepared for a Data Breach?
Brian Heidelberger
bheidelb@winston.com
Twitter @briheidelberger
Info @ www.winston.com/bheidelberger
4. Who Is Stealing Data and How?
• Who does this?
    92% outsiders
    19% state-affiliated
• How do they do it?
    52% hacking
    76% stolen credentials
    40% malware
    29% leverage social attacks
5. Tools of the Trade
• Trojan – malicious code surreptitiously inserted into a target computer to allow remote access/control by an unauthorized person
• Botnet – network of infected computers controlled remotely
• Phishing – common infection technique involving email that lures the user into taking an action that unwittingly downloads malicious code
• Drive-by infection – infection of internet sites so that a user clicking a button on a web page unwittingly downloads malware
• Backdoor – creation of a means for unauthorized and undetected access
• Keylogger – software tool that logs keystrokes
9. Companies Are Re-Thinking Their Data Security Programs
• “Data” – financial account info, SSN, ID numbers, credit card, DOB, health info, email addresses and passwords, etc.
• “Cyberthreat will pose the greatest threat to our country”
    FBI Director, Robert Mueller
• Taking steps to mitigate potential exposure of possibly millions of dollars
• Statistics show many breaches are avoidable
10. Assess Your Current Practices
• Data Mapping
    What information do you have and where is it?
• Security Audit
    How do you keep the information secure?
• Legal Compliance Assessment
    Are you compliant with state laws and industry standards?
    Do you have any holes in your security?
• Include Physical Files
    Many breaches arise out of paper docs
11. Implement Changes
• Fix any security lapses that you find
    Collect only necessary info
    Retain it for as short a time as possible
    Limit access and encrypt data
    Create internal and vendor policies
        • Robust passwords
        • Laptops and mobile phones
        • Secure disposal policy
    Conduct training
    Conduct audits of company and vendors
    Update policies
    Enhance security technologies
12. Implement Changes
• Modify existing practices to bring them in line with legal obligations.
    Create/Update Data Security/Protection Program as Required by Law
        • Massachusetts law requires companies to have a data protection program in place to protect the PII of its residents and to be prepared to attest to its use in the event of an investigation of a possible compromise
        • Fix security measures
        • Conduct employee training
13. Implement Changes
• Create Data Breach Plan
    Something will go wrong
    Plan sets out how to respond when it does
    Addresses both practical requirements:
        • How to investigate, who’s on the team, who talks to the media, etc.
    and legal requirements:
        • When we have to, and how to, notify consumers/regulators, etc.
15. More Mini Law Lessons
youtube.com/AdAge.com
&
youtube.com/BrianHeidelberger
Editor's Notes
WSJ article this weekend, discussing malware attacking advertisements
-- Google took down over 400,000 malicious ads last year
-- secretly inserted into ads