320 likes | 339 Views
Erin Fonté Partner, Hunton Andrews Kurth LLP (Austin Office). “We’ve Been Hacked – Now What?” Data Breach Response for companies Tuesday April 16, 2019 11:30 am to 1:00 pm Houston Bar Association - Corporate Counsel Section. Overview. Current Landscape
E N D
Erin Fonté • Partner, Hunton Andrews Kurth LLP (Austin Office) “We’ve Been Hacked – Now What?”Data Breach Response for companiesTuesday April 16, 201911:30 am to 1:00 pmHouston Bar Association - Corporate Counsel Section
Overview • Current Landscape • Sources of Financial and other Privacy Laws • Data Breach Response Plan • Insurance Issues
Main Threat Paradigms • Corporate espionage and insider information – not identify theft • White Hat Hackers • Hacktavists • Short Sellers • Multichannel • Online, mobile, connecteddevices
Cyber Threats • Criminal • Insider • Vendor • Nation State • Cyber Terrorism • Cyber Warfare
The Attraction and the Impact • Fund Managers and Private Equity firms hold hacker gold • Financial information is extremely valuable in the underground market • Wide array of companies and their information • Why spend time hacking multiple victims • when you can get it all in one place? • Reputational damage is long lasting • Severe regulatory and compliance fines • Litigation and remediation costs continue to grow
Trends in the near term • Outsourcing IT • Hacktivism in the Middle East • Wireless Payment Systems • Rapid Connectivity Growth in Developing Nations • Bring Your Own Device / Telecommuting • Internet of Things
Most Common Breaches / Attacks • Ransomware (expect new variations) • Business Email Compromise • Office365 Compromise • Point of Sale • Employee Created Vulnerabilities (mobile as well) • W-2 and Human Resource Data • Vendor Vulnerabilities • “Cloudjacking” • Software update supply chain attacks
Ransomware • Distinct from other malware • Attempts to deny access to a user’s data • After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker in order to receive a decryption key • May also destroy or exfiltrate data • Install additional backdoors and tool sets • Multitudes of variants often run by organized crime overseas • Companies are beginning to buy bitcoins in order to be able to pay a ransom
U.S. Industry Privacy Laws • Gramm-Leach-Bliley Act (GLBA) • Fair Credit Reporting Act (FCRA) and Fair and Accurate Transactions Act (FACTA) • FFIEC and functional regulator cybersecurity guidance • Healthcare Insurance Portability And Accountability Act (HIPAA)
State Law Developments 2018 Data Security/Breach Legislation • Alabama (50th State with Data Breach Notification Law); D.C., Guam, Puerto Rico and the Virgin Islands also have breach disclosure statutes. Side note on new California privacy law – California Consumer Privacy Act 2018 • EU GDPR style law; originally signed June 28, 2018 • Had to be amended almost immediately (effective 9/23/18) to address problems, most notably no carve out for biz already subject to federal privacy laws (GLBA, HIPPA, etc.)
Key Dates Under New York’s Cybersecurity Regulation March 1, 2017 – Effective date of 23 NYCRR Part 500. August 28, 2017 – End of 180-day transitional period. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified. September 27, 2017 – End of initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e). Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date. February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date. March 1, 2018 – 1-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500. September 3, 2018 – End of18-month transitional period. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500. March 1, 2019 – End of 2-year transitional period. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11 (third party vendor cert).
Industry Groups and Third Parties • Payment Card Industry Data Security Standard (PCI DSS) • Applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. • For smaller merchants, PCI DSS requires annual self-assessments. • PCI DSS requires external third-party audits conducted by a “Qualified Security Assessor” for those merchants that process more than 1 million card transactions in a given year • Third Parties • Financial Institutions must be mindful that their agreements with customers or vendors may specify privacy requirements (especially if subject to NY DFS Cybersecurity Regulation)
European Privacy Laws: GDPR • Passed April 2016 – Deadline for Compliance is May 25, 2018 • Uniform across all EU members • “Personal Data”: “any information relating to an identified or identifiable natural person” • Information notices more detailed • Accountability for onward transfer • Privacy by Design required • Increased data subject rights & accountability • “Clear” and “unambiguous” consent • Penalties: €20M or 4% global revenue • Foreign Customers? (EU and other “me too on GDPR countries – Canada, Asia, Latin America, Australia)
Data Breach Response Plan (cont’d) • Creating Response Team (internal and external) • Practicing Your Data Breach Response Plan • Responding to a Data Breach • Auditing Your Plan
Data Breach Response: Creating Response Team • Incident Lead: • Typically a Chief Privacy Officer, or someone from internal or external legal • Determines when full response team needs to be activated for an incident • Manages/coordinates overall team, including establishing ownership of priority tasks and intermediary to C-Suite and external partners • Ensures proper documentation of incident response process and procedures • Executive Leaders: • Key decision makers for leadership, backing and resources to develop, deploy and test response plan and line of communication to Board and other stakeholders • Human Resources (HR): • Important if employees are involved in a breach, or employee data is involved • Development of internal employee communications, training, etc.
Data Breach Response: Creating Response Team • Information Technology (IT): • IT and Security key in catching and stopping the breach (but should not conduct forensics on a breach event without outside forensics partner) • Will identify top security risks to bank that should be incorporated into response plan • Train personnel in data breach response, including securing physical premises, safely taking infected machines offline, and preserving evidence • Working with forensics firm to identify the compromised data and delete hacker tools without compromising evidence and progress • Legal (internal and external): • Internal legal, privacy and compliance experts are an important part of the plan and establish relationships with external breach response counsel • External data breach response counsel is critical for maintaining attorney/client privilege over forensics and other consultants • Legal team should have final sign-off on all written materials and documentation related to the incident
Data Breach Response: Creating Response Team • Public Relations: • Necessary to handle fall out from notification to individuals and/or media alerts • Can identify the best notification and crisis management tactics before a breach ever occurs • Can track and analyze media coverage and quickly respond to negative press • Crafting consumer-facing materials related to an incident (website copy, media statements, etc.) • Customer Care: • Important to keep this group in the loop as they and their teams will be on the front lines to answer questions from customers and affected individuals • Responsible for developing and assisting with phone/call center scripts • Tracking and logging call volume and to questions and concerns by callers (along with an escalation process when needed)
Data Breach Response: Creating Response Team • External Breach Response Partners: • Data Breach Resolution Provider: can coordinate all aspects of account management and notification, including printing, mailing and emailing notification letters (NOTE: legal should always have final approval of notification letter content). May offer credit monitoring or similar products. • Forensics: • Critical they be external to your IT team for investigation and remediation purposes • Must have the ability to clearly translate technical investigations into what the enterprise risk implications are to bank • Will advise on how to stop data loss, secure evidence and prevent further harm • Preserve evidence and manage the chain of custody, minimizing chance that evidence will be altered, destroyed or rendered inadmissible in court • Communications: • Outside partners will help develop public-facing materials • Provide advice on how to best position incident to key audiences and media
Data Breach Response: Creating Response Team • External Breach Response Partners (cont’d): • Outside legal counsel should have data breach response experience and should serve as an overall breach coach with a strong understanding of what is needed for technical investigations, as well as potential implications of legal decisions on trust and reputation • Should be capable of advising on what to disclose that will avoid creating unnecessary litigation risks based on latest enforcement trends and case law • Advise on process to help ensure anything recorded and documented balances need for transparency and detail while minimizing legal risk • Should be familiar with local regulatory entities (local boots on the ground in key jurisdictions, like EU if needed) • Consider retaining other partners via outside counsel for attorney-client privilege • Choice may be dictated by your insurance provider (more below)
Data Breach Response: Creating Response Team • Regulators and Law Enforcement: • Law Enforcement: • Some breaches require involvement from law enforcement • Meeting local FBI cyber security office ahead of time to establish a relationship will serve you well • Also collect appropriate contact information so you can act quickly to involve law enforcement when faced with an incident • Can help to look for evidence that crime was committed • Sometimes law enforcement actually informs you that you or your customers are involved in a breach incident • Federal Functional Regulators and State Regulators (for state-chartered entities): • Informing when required, providing additional information if requested, and explaining in next exam • State Attorneys General: • Majority of state data breach notice laws require notifying state AG, along with timeframes for notice to the AG
Engagement with LAW ENFORCEMENT? • FBI • Criminal and National Security Authorities • Investigation, Attribution, Disruption, Prosecution • USSS • Criminal Authorities • Investigation, Attribution, Disruption, Prosecution • DHS • Protection and Remediation • NSA/DOD • National Defense
Data Breach Response: Practicing Your Plan • Recommended to conduct response exercises at least twice per year: • In addition to training, response exercises can demonstrate whether or not everyone is aligned on breach response • Responsibility of your team: • Ensuring employee training on privacy and data security at all levels • Ensuring breach response team members know and understand their roles • Responding to evolving threats and attack vectors • Implementing a simulation exercise: • Breach response plan cannot be a binder that sits on a shelf • Plans must be practiced – enlist outside facilitator; include everyone; schedule enough time; test multiple scenarios; debrief after test exercise; conduct drills every 6 months • Outside partners can help with testing plans
Attack Life CyclE Source: http://www.ritholtz.com/blog/wp-content/uploads/2013/02/attack-life-cycle.png
Data Breach Response: Responding to a Data Breach • FIRST 24 HOURS FOLLOWING BREACH ARE CRITICAL • **IMMEDIATELYcontact legal counsel and implement these 10 steps: • Record the moment of discovery, and mark the date/time your response begins • Alert and activate everyone on the team (including external partners) • Secure the premises and affected equipment/networks (secure and preserve) • Stop additional data loss (isolate affected machines and take them offline to cut off hacker access, but outside forensics needs to examine in detail) • Document everything (who discovered breach, who reported to whom, who else knows, type of breach) • Interview involved parties (who discovered it or may know about it) • Review notification protocols (teeing up who may need to be notified) • Assess priorities and risks (include those based on breach knowledge) • Bring in forensics (to begin in-depth investigation) • Notify law enforcement (if needed, and after consulting with legal counsel and upper management)
Data Breach Response: Responding to a Data Breach (cont’d) • After the first 24 hours, assess progress and continue with these additional steps: • Identify the root cause of breach incident (forensics must remove hacker tools and document how breach was contained) • Alert external partners if not alerted already (including data breach resolution vendor) • Continue working with forensics (determine what information was compromised, and if it was encrypted) • Identify legal obligations (identify state and federal regulations that may apply, which entities need to be notified, and meet all mandated timeframes) • Report to upper management (daily reports, and secure resources to resolve problems uncovered, risk priorities and progress) • Identify conflicting initiatives (will any upcoming IT or other initiatives clash with response efforts – e.g. core conversion. Postpone/reschedule?) • Evaluate response and educate employees (opportunity to retrain, especially on specifics of incident)
Data Breach Response: Responding to a Data Breach (cont’d) • Other Key Points: • Not all security incidents are “breaches” triggering notification (legal analysis is key) • Assume news of the incident will be leaked before you have all the facts, and have response communication plan in place • Establish traditional and social media monitoring to track external reactions (and respond where appropriate) • Consider FAQs or other information portal on your website when breach incident details are determined and confirmed • Communicate with appropriate regulators early and transparently • Train employees on where to route customer or media inquiries on incident • Take steps to establish and protect legal privilege and be deliberate and thoughtful in communications and documentation • Customer Care and Attention: notification communications, call center communications, decisions to offer credit monitoring or identity theft protection
Data Breach Response: Auditing Your Plan • Regular auditing and updating of your breach response plan is critical • Call Center (pulling together materials and scripts, crisis training) • Vendor Behavior (third party vendor management and oversight on data security) • Update Team Contact List (internal and external personnel changes) • Verify Your Plan is Comprehensive (major company changes, new LOBs, restructuring of departments) • Double Check Your Data Breach Partner Contracts (ensure contracts are in force, valid, and appropriate in scope) • Review Notification Guidelines (a constantly changing area, especially with state legislation (18 states with data breach notification legislation in 2018 so far) • Review Who Can Access Your Data (third party and fourth party access issues) • Evaluate IT Security (proper data access controls, proper updates and patch roll-out, offense on emerging threat landscape) • Review Employee Security Awareness (procedures and training on data security protocols, info/document retention and destruction, BYOD issues and mobile device security)
Cyber Liability Insurance • Insurance panel counsel (you may be required to use certain outside counsel) • Evaluate sufficiency of level of coverage – very different across providers • Evaluate and advise on evolving types of coverage available for data & cyber incidents
QUESTIONS? Erin F. Fonté Partner Co-Head, Financial Institutions Regulatory and Compliance Hunton Andrews Kurth 111 Congress Avenue, Suite 510Austin, Texas 78701 Direct: 512-542-5011efonte@HuntonAK.com @PaymentsLawyer Link me in: Erin Fonte