Cybersecurity and Privacy Law – Phishing / Spear Phishing ... A Proofpoint Research Project...

Cybersecurity and Privacy Law: The Importance of Employee Training
Gerald Ferguson, Partner, BakerHostetler
Paul Horn, Chief Information Security Officer, HD Vest Financial Services

Upload: lamkhue

Post on 21-Apr-2018


TRANSCRIPT

Page 1:

Cybersecurity and Privacy Law

The Importance of Employee Training

Gerald Ferguson, Partner, BakerHostetler

Paul Horn, Chief Information Security Officer, HD Vest Financial Services

Page 2:

Where are the threats?

External Threats
• Hackers
  – Malware
  – Ransomware
  – Phishing / Spear Phishing
• Social Engineering
• Corporate Espionage
• Vendors
• Political “Hacktivists”

Page 3:

Where are the threats?

Internal Threats
• Employee Negligence
  – Security failures
  – Lost mobile devices
• Employee Ignorance
  – Improper disposal of personal information (dumpsters)
  – Lack of education and awareness
• Malicious Employees

Page 4:

Causes of Data Security Incidents Across All Industries

BakerHostetler Data Security Incident Response Report 2016

Page 5:

Detection, Containment, Notification

BakerHostetler Data Security Incident Response Report 2016

Page 6:

Year of the Phish?


http://phishme.com/phishing-social-media-infographic

Page 7:

Social Engineering Trends

Source: Proofpoint, The Human Factor 2016, A Proofpoint Research Project (2016), www.proofpoint.com/threat-insight

Page 8:

Phishing Emails

Page 9:

What Messages Are Users Clicking?

Source: Proofpoint, The Human Factor 2015, A Proofpoint Research Project (2015), www.proofpoint.com/threat-insight

Page 10:

W-2 & wire transfer incidents

• Scammers use emails from a target organization’s CEO, asking human resources and accounting departments for employee W-2 information.

• Scammers last year also massively phished online payroll management account credentials used by corporate HR professionals.

Page 11:

Become “compromise-ready”

• Deploy prevention and detection tools;
• Use threat intelligence services;
• Train managers and employees;
• Conduct risk assessments focused on identifying and protecting sensitive data;


Page 12:

Become “compromise-ready” (cont’d)

• Manage the security of vendors;
• Understand regulators’ “hot buttons”;
• Develop, update, and practice incident response plans; and
• Evaluate your cyber liability insurance.


Page 13:

What are the Costs

• Disruption of business operations
• Loss of confidential information
• Forensic Investigations
• Notification Costs
• Regulatory Investigations
• Class Actions
• Harm to Commercial Relationships

Page 14:

What is the Legal Obligation

• Massachusetts Security Standards
• FDIC Regulations and Guidance
• HIPAA
• Banking Regulations
• FINRA Guidance
• NAIC Guidance

Page 15:

Train managers and employees

• Recognize threats to different services and technologies, e.g., ACH transfers and mobile devices;

• Regularly discuss cybersecurity at Board and senior management meetings; and

• Regularly provide employee cybersecurity awareness and training.


Page 16:

Train managers and employees

• Train (or hire) staff to provide continuous network security monitoring
  – to respond to alerts from IDS/IPS, analytics, and endpoint protection tools; and
  – to prevent exfiltration of data at one of the points on the “kill chain” when malware is found on the network.


Page 17:

Train managers and employees

• Initial Training at Time of Hiring
  – Spotting security problems
  – Avoiding inadvertent disclosures through mistaken emails, faxes, and paper records mishandling
  – Reporting procedures
  – Supervisors trained to handle reports

• Regular and Continued Training
  – Formal online training vs. in person
  – Staff meetings
  – Newsletters
  – PhishMe or other anti-phishing training


Page 18:

Train managers and employees

Hi, Sir/Madam,

For the company's network security, we have upgraded the Citrix Virtual Workplace System. Please login to the Citrix Virtual Workplace System to activate your Account. You should install the Citrix Secure Input IE ActiveX Control before you type in your password.

Citrix Login: https://poccitrix.[companyname].com/vpn/index.html

For more information, please contact me.

Best regards,

[Actual name]
[Correct title], Systems Administration
Phone: [correct phone number]
Email: [correct email address]
Local Address: [correct address]
[Company name]
[Company address]

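As an added example (not from the slides), the Python helper below encodes the red flags a trained employee should notice in the sample "Citrix upgrade" email above and reports which ones a given message triggers; the portal allowlist and the example-company.com domain standing in for the slide's [companyname] are constructed placeholders.

```python
"""Red-flag triage for the sample phishing email on the slide (added example)."""
import re
from urllib.parse import urlparse

# Constructed copy of the slide's sample; "[companyname]" replaced with a
# placeholder domain so that the URL parses.
SAMPLE_EMAIL = """Hi, Sir/Madam,

For the company's network security, we have upgraded the Citrix Virtual Workplace
System. Please login to the Citrix Virtual Workplace System to activate your
Account. You should install the Citrix Secure Input IE ActiveX Control before
you type in your password.

Citrix Login: https://poccitrix.example-company.com/vpn/index.html

For more information, please contact me.
"""

# Hypothetical allowlist of the company's real remote-access portals.
KNOWN_PORTALS = {"citrix.example-company.com"}


def extract_urls(text):
    """Pull http(s) links out of a plain-text body."""
    return re.findall(r"https?://[^\s\]\)>\"']+", text)


def red_flags(text, known_portals=KNOWN_PORTALS):
    """Return the training red flags present in an email body, in check order.

    A correct-looking signature block is deliberately NOT treated as evidence
    of legitimacy: the slide's point is that the sender details were accurate.
    """
    flags = []
    if re.search(r"\b(sir/madam|dear (user|customer))\b", text, re.I):
        flags.append("generic greeting")
    # Being told to install a browser control before entering a password.
    if re.search(r"\b(activex|plugin|add-?on|control)\b.*\bpassword\b",
                 text, re.I | re.S):
        flags.append("asks to install software before entering password")
    if re.search(r"\b(activate|verify|confirm)\b[^.]*\baccount\b", text, re.I):
        flags.append("account activation/verification lure")
    # Any login link must point at a portal the company actually operates.
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        if host not in known_portals:
            flags.append(f"link host not a known portal: {host}")
    return flags
```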

Page 19:

Train managers and employees


Proofpoint, The Human Factor 2015, 10

Page 20:

Train managers and employees


(Advanced Persistent Threats, i.e., sophisticated network attacks)

Source: Dept. of Homeland Security

Page 21:

Creating an Incident Response Plan

• Flexible, succinct, living plan
• Defines the IR team and roles
• Defines methodology of IR
  – Prepare, Detect, Contain, Assess, Communicate, Remediate, Improve
• May contain protocols for types of incidents
• Resources (e.g., contacts, templates)
• Consider how it works with business continuity plan

Page 22:

Practice incident response plans

Response Program Supervisory Guidance

• An incident response program should provide that the entity will:
  – Assess the nature and scope of the incident and what member information is involved;
  – Notify applicable supervisory authority as soon as possible after discovery of unauthorized access to or use of sensitive member information;
  – Notify law enforcement and file a SAR if warranted;
  – Contain the incident; and
  – Notify affected individuals when warranted.


Page 23:

Practice incident response plans

Review your incident response plan and conduct tabletop exercises with the team that will respond to an incident, including your
  – Forensic investigator;
  – Counsel; and
  – Crisis management firm.


Page 24:

Director and Officer Training

• Duties owed by Directors and Officers
  – Duty of oversight
  – Duty to protect organizational assets, extended to “digital assets”

• Known consequences
  – Easy to calculate?
  – Impact on stock price?
  – Direct costs: notification, litigation, regulatory actions, remediation
  – Indirect costs: reputational harm, diminished sales

Page 25:

Atlanta | Chicago | Cincinnati | Cleveland | Columbus | Costa Mesa | Denver | Houston | Los Angeles | New York | Orlando | Philadelphia | Seattle | Washington, DC

www.bakerlaw.com

These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation.