Managing Employee Data And Security Risks in the Digital World January 29, 2014


Page 1

Managing Employee Data And Security Risks in the Digital World

January 29, 2014

Page 2

Your Cooperation is Needed

Please mute your phone *6

To ask questions and open your line *6

This will help all of our friends!

Page 3

PSAB’s Blended Training

Webinars

Traditional Classroom Sessions

One-on-One Assistance

Page 4

Upcoming Training

Webinars

Co-STARS Cooperative Purchasing Program* Feb. 5

Parliamentary Procedures Feb. 10

Dealing with Past Practice Claims Feb. 12

Sign Management* Feb. 13

Understanding the Sunshine Act Feb. 26

* Free to PSAB members

Page 5

Upcoming Classroom Training

The Course in Community Planning

The Course in Zoning

The Course in Subdivision & Land Development Review

Newly Elected Municipal Officials Training

The Course in Zoning Administration

Basic Municipal Budgeting

Confined Space Training

PSAB Annual Conference April 6-9, 2014

www.classes.boroughs.org/

Page 6

www.duanemorris.com

©2013 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP.

Duane Morris – Firm and Affiliate Offices | New York | London | Singapore | Los Angeles | Chicago | Houston | Hanoi | Philadelphia | San Diego | San Francisco | Palo Alto | Baltimore | Boston | Washington, D.C.

Las Vegas | Atlanta | Miami | Pittsburgh | Newark | Boca Raton | Wilmington | Cherry Hill | Lake Tahoe | Ho Chi Minh City | Duane Morris LLP – A Delaware limited liability partnership

Preventing a Security Breach: Managing Data and Security Risks in the Digital World

DM1\3812708.4

Sandra A. Jeskie

Page 7

●www.duanemorris.com

Data Breaches Get The Headlines

Page 8

Identity Theft Resource Center

2013 Data Breach Stats

Page 9

Cost of a Breach

• $194 per compromised customer record

• Average total per-incident costs - $5.4 million

• Lost business costs - $3.03 million

» Data from Ponemon Institute 2013 report (does not include organizations that had data breaches in excess of 100,000 because it is not representative)

Page 10

Privacy and Security

• Privacy and security are the dominant high profile issues in the U.S. today.

Page 11

Privacy in the United States

• Federal, state and local statutes, as well as Constitutional and common law rights

• Protects discrete categories of sensitive, personal information

Page 12

Privacy Laws

• No privacy authority whose sole job is enforcement of privacy laws

Page 13

Federal Trade Commission (“FTC”)

• Enforces laws that prohibit business practices that are anti-competitive, deceptive, or unfair to consumers

• Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce are declared unlawful.” 15 U.S.C. Sec 45 (a)(1)

Page 14

Protected Information

• Personally Identifiable Information (PII)

– Consumers

– Employees

Page 15

Laws Relating to Personally Identifiable Information (“PII”)

• Financial Services

• Health Care (PHI)

• Education

• Telecommunications

• Children

• Miscellaneous (drivers license, video rental, etc.)

Page 16

Federal Laws Relating to Security

• Regulated entities: obligation to secure sensitive information

– GLB Safeguards Rule

– HIPAA Security Rule

– FACT Act Consumer Records Disposal Rules

Page 17

GLBA Safeguards Rule

• Requires a comprehensive written security plan to protect customer information.

– Appropriate to the size and complexity of the business, nature and scope of activities and the sensitivity of the customer information handled

Page 18

State Laws

• 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted breach notification laws

– Texas encompasses all states

• 29 states have data disposal laws relating to PII

Page 19

What is “Personal Information”?

Pennsylvania

an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

(i) Social Security number;

(ii) Driver’s license number or State ID;

(iii) Financial account number, credit or debit card number in combination with any required security code, access code or password

Page 20

“Personal Information,” continued

Other state laws cover additional data elements:

– Account number by itself, rather than in combination with any required security code or password that would permit access to an individual’s financial account

– Date of birth

– Mother’s maiden name

– Employer identification number

– Identification number assigned by an employer

– Digitized or electronic signature

– Biometric data

– Health Care Information
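The two slides above give a rule, not a checklist: a record is "personal information" only when the name prong is met and at least one data element is exposed in the clear, which is also why the encryption safe harbor discussed later matters. The following is an added example, not material from the webinar or from Duane Morris, that evaluates a record against the Pennsylvania definition as quoted on slide 19 and, with `extended=True`, against the broader element list from slide 20. The field names (`ssn`, `financial_account`, `access_code`, and so on) and the `Record`/`DataElement` types are assumptions chosen for illustration.

```python
"""Added example: does a record meet the "personal information" definition
quoted from the Pennsylvania statute (slide 19), or the broader set of data
elements other state laws use (slide 20)?  Field names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Data elements named in the PA definition (assumed field names).
PA_ELEMENTS = ("ssn", "drivers_license", "state_id", "financial_account")
# Elements that other state laws add (slide 20), beyond the PA list.
EXTENDED_ELEMENTS = (
    "date_of_birth", "mothers_maiden_name", "employer_id", "employee_id",
    "electronic_signature", "biometric", "health_info",
)


@dataclass
class DataElement:
    name: str
    encrypted: bool = False
    redacted: bool = False

    def exposed(self) -> bool:
        # The definition counts only elements that are not encrypted or redacted.
        return not (self.encrypted or self.redacted)


@dataclass
class Record:
    has_first_name_or_initial: bool
    has_last_name: bool
    elements: List[DataElement] = field(default_factory=list)


def classify(record: Record, extended: bool = False) -> Tuple[bool, List[str]]:
    """Return (is_personal_information, names of the triggering elements).

    extended=False applies the PA definition as quoted; extended=True also
    counts the additional elements listed for other states on slide 20.
    """
    # Prong 1: first name or first initial AND last name.
    if not (record.has_first_name_or_initial and record.has_last_name):
        return False, []
    exposed = {e.name for e in record.elements if e.exposed()}
    hits = [n for n in PA_ELEMENTS if n in exposed and n != "financial_account"]
    if "financial_account" in exposed:
        # PA: an account/card number counts only together with any required
        # security code, access code or password; slide 20 notes that other
        # states treat the account number by itself as enough.
        if extended or "access_code" in exposed:
            hits.append("financial_account")
    if extended:
        hits.extend(n for n in EXTENDED_ELEMENTS if n in exposed)
    return bool(hits), hits


# Constructed sample records (not real data).
SAMPLES = {
    "plaintext_ssn": Record(True, True, [DataElement("ssn")]),
    "encrypted_ssn": Record(True, True, [DataElement("ssn", encrypted=True)]),
    "card_no_code": Record(True, True, [DataElement("financial_account")]),
    "card_with_code": Record(True, True, [DataElement("financial_account"),
                                          DataElement("access_code")]),
    "no_last_name": Record(True, False, [DataElement("ssn")]),
    "dob_only": Record(True, True, [DataElement("date_of_birth")]),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:15} PA={classify(rec)}  extended={classify(rec, extended=True)}")
```

Run directly, the script prints both classifications for each constructed sample; the `encrypted_ssn` and `card_no_code` rows show where the PA definition as quoted stops short of what other states cover. Whether a given cipher or key-management practice is strong enough to qualify for a state's safe harbor is a legal question the definition itself does not answer, so the `encrypted` flag should be set only after that judgement has been made.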

Page 21

How is a Breach Defined in PA?

• "Breach of the security of the system." The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.

• Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.

Page 22

Notification by State Agency – SB 114

• If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system within seven days following discovery of the breach.

• Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach.

• A State agency under the Governor’s jurisdiction shall also provide notice of a breach of its security system to the Governor’s Office of Administration within three business days following the discovery of the breach.

Page 23

Notification by PA County, School District or Municipality – SB 114

• If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required within seven days following discovery of the breach.

• Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach.
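The two SB 114 slides above describe two clocks that start at discovery: seven calendar days for the breach notice and three business days for the report to the Attorney General, the Governor's Office of Administration or the district attorney. An incident response team usually wants those dates computed the moment discovery is logged, so here is an added example (not from the webinar or Duane Morris) that does so. It assumes business days are Monday to Friday with no holiday calendar and that the day of discovery itself is day zero; the function and key names are illustrative.

```python
"""Added example: compute the SB 114 notification clocks described on the
slides above.  Assumptions: business days are Monday-Friday with no holiday
calendar, and the day of discovery itself does not count as day one."""
from datetime import date, timedelta
from typing import Dict, List

NOTICE_DAYS = 7           # calendar days: notice of the breach
REPORT_BUSINESS_DAYS = 3  # business days: AG / Office of Administration / DA


def add_business_days(start: date, n: int) -> date:
    """Advance n business days from start (weekdays only; holidays ignored)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def sb114_deadlines(discovered: date, entity: str,
                    under_governor: bool = False) -> Dict[str, date]:
    """Deadlines keyed by recipient.

    entity: "state_agency" or "local" (county, school district or municipality).
    under_governor: a State agency under the Governor's jurisdiction also
    reports to the Governor's Office of Administration.
    """
    deadlines = {"breach_notice": discovered + timedelta(days=NOTICE_DAYS)}
    report_due = add_business_days(discovered, REPORT_BUSINESS_DAYS)
    if entity == "state_agency":
        deadlines["attorney_general"] = report_due
        if under_governor:
            deadlines["office_of_administration"] = report_due
    elif entity == "local":
        deadlines["district_attorney"] = report_due
    else:
        raise ValueError(f"unknown entity type: {entity}")
    return deadlines


def deadlines_iso(discovered_iso: str, entity: str,
                  under_governor: bool = False) -> Dict[str, str]:
    """Same as sb114_deadlines, with ISO-8601 date strings in and out."""
    found = date.fromisoformat(discovered_iso)
    return {k: v.isoformat()
            for k, v in sb114_deadlines(found, entity, under_governor).items()}


def overdue(deadlines: Dict[str, str], today_iso: str) -> List[str]:
    """Recipients whose deadline has passed (ISO strings compare chronologically)."""
    return sorted(name for name, due in deadlines.items() if today_iso > due)


if __name__ == "__main__":
    # Constructed scenario: breach discovered on Wednesday, 29 January 2014.
    for entity in ("state_agency", "local"):
        print(entity, deadlines_iso("2014-01-29", entity, under_governor=True))
    print("overdue on 2014-02-04:",
          overdue(deadlines_iso("2014-01-29", "local"), "2014-02-04"))
```

The weekend handling is the part worth checking in a real deployment: a discovery on a Friday or Saturday pushes the three-business-day report into the following Wednesday, while the seven-calendar-day notice is unaffected. Replace the weekday-only rule with the jurisdiction's actual holiday calendar before relying on the dates.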

Page 24

Policy Development on “Storage” – SB 114

• Goal is to “reduce the risk of future breaches of security of the system”

• Requires Office of Administration to develop a policy to govern the proper storage by state agencies of data, including PII.

• Policy must address identifying, collecting, maintaining, displaying and transferring PII, using PII in test environments, remediating PII stored on legacy systems and other relevant issues

• Policy must be reviewed annually and updated as necessary.

Page 25

State Breach Notification Law Differences

• Definition of “personal information” or PII

• Trigger for notification – access or acquisition

– materially compromises

• Notice requirements – Who to notify

– Time frame for notification

– Content of notice

• Encryption safe harbor

• Inclusion of paper records and electronic records

• Private cause of action

Page 26

Data Disposal Laws Generally

• Must take “reasonable measures” to protect against unauthorized access or use of personal information:

– Implementing and monitoring compliance with policies/procedures for burning, pulverizing or shredding papers or destruction/erasure of electronic media; and

– Describing procedures relating to destruction as “official policy in the writings of the business”

• May enter into a written contract for destruction after due diligence which should include one or more of the following:

– Independent audit;

– Several references;

– Review and evaluation of information security policies or other measures to determine competency; or

– and integrity of business.

• May be subject to treble damages if negligent in training, supervision or monitoring of employees

Page 27

Massachusetts Data Security Regulations

• 201 CMR 17.00

• Develop, implement and maintain a comprehensive written information security program

– Administrative safeguards

– Physical safeguards

– Technical safeguards

Page 28

Massachusetts Data Security Regulations

• Oversee service providers

– Selection

– Contractual provisions

• Restrict access to records

• Encrypt personal information

– public networks

– wireless transmission

– laptops and portable devices

• Education and training

Page 29

The Greatest Common Denominator

Page 30

How to prevent a security breach…

Page 31

Breach Statistics

Root cause of security breach

41% Malicious or criminal attack ($277): malware infections, criminal insiders, phishing/social engineering and SQL injection

33% Human factor ($159)

26% System glitch ($174)

» Ponemon Institute 2013 report

Page 32

Factors Influencing the Cost

Increases the Cost

• Data lost due to third party error (+$43)

• Breach involved lost or stolen devices (+$10)

• Quick notification to breach victims (+$37)

Page 33

Factors Influencing the Cost

Decreases the Cost

• Incident response planning (-$42)

• Strong security posture (-$34)

• CISO with overall responsibility for enterprise data protection (-$23)

• Use of consultants (-$13)

Page 34

Employee Threats

• Inadvertent disclosures

• Use of unapproved devices

• Carelessness

• Lack of training

• Theft

Page 35

“BYOD” – Bring Your Own Device

Page 36

Other Risks to Business

• New storage media – Cyberbling

– MP3

– Smart phones

– Wireless/Bluetooth connectivity

• New business models – Cloud computing

– Outsourcing

– Cross border transfer

– Competitive Intelligence

Page 37

Consequences of Breaches in the U.S.

• Notification to individual, regulators and/or media

• FTC actions

• Actions by other federal regulatory agencies

• State Attorney General actions based on “mini-FTC” consumer protection laws.

• Private lawsuits, including class actions, based on various statutory, tort and contract theories

Page 38

Best Practices

• FTC “Privacy by Design”

– Build privacy and security issues into every relevant portion of the business

data security

reasonable collection limits

sound retention and disposal practices

data accuracy

Page 39

Best Practices - Planning

• Identify personally identifiable information, trade secrets, and proprietary information

– where located

– who controls it

– how it moves

– third party access

– what jurisdiction collects, processes and stores it

• Conduct a risk assessment

• Draft Policies

Page 40

Best Practices - Policy Development

• Acceptable Use

• Data Security

• Incident Response

• Document Retention

Page 41

Best Practices – Policies Should Consider Problems Identified in FTC Actions

• Easy network access

• No breach detection

• Unnecessary storage

• Weak encryption/passwords

• Inadequate defense to known attacks

Page 42

Best Practices - Policy Development

Consider Key Areas of System Risk:

• Transmission, storage, and disposal of computerized data, including data on laptops, disks and hard-drives

• Outsourcing/sub-contracted services that require data to be transmitted

• Storage and disposal of paper records

• Network monitoring, data loss prevention technology

Consider Key Areas of Process Risk:

• Purposes for which information is collected and used

• Access to sensitive files by employees and contractors

• Rules for transmission, storage, and disposal of data, including data contained on disks and hard-drives

Page 43

Best Practices - continued

• Apply all policies and procedures to service providers, outside consultants, as well as employees

• Train employees

• Conduct regular audits

Page 44

Issues When Retaining Service Providers

• Responsibility for security and privacy related compliance cannot be outsourced to a service provider

– Conduct appropriate due diligence and selection of service providers

– Implement security standards through appropriate contractual clauses

– Monitor performance of service providers to the security standards

Page 45

Security is Integral to Scope of Services

• The scope of services should include a framework of security and describe applicable security practices

– technical, organizational and administrative controls used by the service provider to deliver the services

Page 46

Other Provisions in Service Provider Contracts

• Change Management – process for reviewing and implementing any changes to process or system

• Incident Plans – what will be done if the service provider experiences a security breach, including disaster recovery and business continuity plans

• Liability – allocation of risk/cost for security breaches

• Costs – what scope of security is included in the base price and what may result in extra charges

• Insurance – may help fund liabilities related to security breaches

Page 47

Incident Response

• Maintain Privilege if possible

• Assemble Core Team and determine whether to:

– activate full process

– notify loss reporting

– activate crisis management team

Page 48

Incident Response

• Identify Incident Response Team

• Review Responsibilities

• Establish communication structure and guidelines for internal and external communications

• Engage technical consultant and outside counsel

• Identify risks and stakeholder analysis (internal and external)

Page 49

Incident Response

• Contain breach (i.e. take down website etc.)

• Collect all relevant information

• Legal to identify relevant laws and notice requirements

• Determine if notice to authorities necessary or appropriate

Page 50

Incident Response

• Determine initial response

– Prepare letters to affected persons and others per statute

– Contact credit bureaus

– Set up call center and prepare scripts

– Prepare press release

– Develop communications plan (press and website for breach)

– Credit monitoring

• Evaluate causes of breach and assess damages

Page 51

Incident Response

• Identify what reports get issued and to whom

– Consider privilege issues

• Examine unintended consequences of breach

• Review effects on stakeholders

• Review action plan

• Take remedial actions

Page 52

Incident Response

• Verify effectiveness of response plan

• Document lessons learned

• Assess remedial actions

• Disband Team

Page 53

Resources

• Federal Trade Commission

– http://ftc.gov/

• Ponemon Institute

– http://www.ponemon.org

• Privacy Rights Clearinghouse

– http://www.privacyrights.org/data-breach

• Electronic Privacy Information Center

– http://epic.org/

• National Institute of Standards and Technology (NIST)

– http://csrc.nist.gov/

Page 54

Sandra A. Jeskie

Partner, Duane Morris LLP

Philadelphia, PA

[email protected]

215-979-1395

Page 55

Questions?
