Cybersecurity: Protecting Your Employees and Benefit Plans
TRANSCRIPT
2018 Edition
11161 E State Road 70 #110-213, Lakewood Ranch, Florida 34202
www.lawpracticecle.com
941-584-9833
Cyber Security – Protecting Your Employees’ Private Information
E. Philip Bush, Partner
Stefan P. Smith, Partner
LawPracticeCLE
Cyber Security – What Will be Covered?
■ Employee data privacy - an overview of Employer responsibilities
■ Protecting the security of information systems and employee/participant data
■ What to do in the case of a Cyber Security Breach
Employer’s Legal Requirements
■ International, Federal and State Laws impose requirements on the Employer related to Security of Employee/Plan Participant Data:
■ Health Insurance Portability and Accountability Act ("HIPAA") - Protected Health Information
■ Genetic Information Nondiscrimination Act ("GINA") - Genetic Information related to employees and family
■ Sarbanes-Oxley Act of 2002 - internal-control requirements for public companies, which auditors read to include IT general controls (access, change management) over the systems that feed financial reporting
■ Texas Identity Theft Enforcement and Protection Act - a much broader category of "sensitive personal information" that has to be protected
■ EU’s General Data Protection Regulation (GDPR)
■ To name a few…
Cyber Security – Consequences of a Breach
■ Employee causes of action for statutory violations
■ Civil Penalties. Examples:
■ HIPAA privacy violation penalties range $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision under HIPAA.
■ Texas Identity Theft Enforcement and Protection Act fines of up to $500 per violation (or per record)
■ Disciplinary action against those responsible for the data breach.
Are Adequate Security Measures in Place?
■ Laws typically require the following security measures:
■ Conducting Periodic Risk Assessments
■ Physical security measures
■ Administrative security measures
■ Technical security measures
Making a Cyber Security Assessment – Internal Risks
■ Your greatest asset and greatest vulnerability are your own employees:
■ Online access to personnel systems and benefit plans creates greater risk of password/user name theft
■ “Social Engineering”/Identity theft
■ Email: “JUST CLICK HERE”
■ Ransomware
■ Phishing
■ Malware
■ Malicious Employee
continued…
Making a Cyber Security Assessment – Internal Risks
■ It can happen to you…
■ It happened to us…
continued…
■ 1/30/2018 Locke Lord Engineer Faces Fair Jail Time, 5th Circ. Says - Law360, by RJ Vogt
■ Law360, Los Angeles (January 29, 2018, 8:58 PM EST) -- The Fifth Circuit on Monday upheld the conviction and sentencing of a former Locke Lord LLP information technology engineer, who was found guilty of felony computer intrusion for attacks on the firm’s network in 2011 and ordered to pay $1.7 million in restitution and serve 9½ years in jail.
■ In Monday’s ruling, a three-judge panel affirmed the lower court’s conviction and sentencing in a four-page per curiam opinion.
■ According to court records, Laoutaris was a senior systems engineer for Locke Lord from March 2006 to August 2011. In December 2011, he allegedly twice accessed the firm’s computer network, and on both occasions took steps that “caused significant damage to the network,” including deleting or disabling hundreds of user accounts, desktop and laptop accounts and user email accounts.
■ Laoutaris was charged in October 2013 with transmitting a malicious code and computer intrusion causing damage to 18 administrator accounts, 356 computers and 359 user accounts, and the data and information contained in and associated with those accounts. A second count blamed Laoutaris for impairing 105 server accounts and 140 computer accounts, and a third count accused him of attacking the email accounts of all Locke Lord’s Dallas employees.
Link: https://www.law360.com/articles/1006938/print?section=cybersecurity-privacy
Making a Cyber Security Assessment – External Risks
■ External Threats:
■ Wire transfer email fraud (business email compromise) - an email that appears to come from the CEO…
■ Brute Force Attacks
■ Brute force attacks use automated tools to submit large numbers of guesses (every combination of characters, dictionary words, or passwords leaked from other sites) until one of them turns out to be someone’s password
■ Does your system suspend or disable user credentials after a certain number of unsuccessful login attempts?
■ Are you protected against authentication bypass?
■ Have your web applications been tested for widely-known security flaws, including “predictable resource location” (guessing the URLs of unlinked files, backups and admin pages)?
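The lockout question above is worth seeing in code. What follows is an added example, not part of the original slides or the presenters’ material: a small login guard that locks an account after a run of failures inside a window, and that also counts distinct accounts failed per source address, because a password-spraying attacker who tries one password against many accounts never trips a per-account lockout. Thresholds, account names and addresses are hypothetical, and the log lines are constructed.

```python
"""Account lockout plus password-spray detection over constructed auth log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values; tune to your environment.
MAX_FAILURES = 5                 # failures on one account within WINDOW -> lockout
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)
SPRAY_ACCOUNTS = 10              # distinct accounts failed from one source within WINDOW


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> datetime the lock expires
        self.by_source = defaultdict(dict)   # source -> {account: last failure time}
        self.alerts = []

    def attempt(self, now, account, source, success):
        """Apply the policy to one attempt; returns 'locked', 'allowed' or 'denied'."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"                  # even a correct password is refused while locked
        if success:
            self.failures[account].clear()
            return "allowed"
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                 # forget failures older than the window
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            self.alerts.append(f"{now:%H:%M:%S} lockout account={account} source={source}")
        # Spraying stays under the per-account threshold, so also count accounts per source.
        seen = self.by_source[source]
        seen[account] = now
        active = [a for a, t in seen.items() if now - t <= WINDOW]
        if len(active) == SPRAY_ACCOUNTS:
            self.alerts.append(f"{now:%H:%M:%S} spray source={source} accounts={len(active)}")
        return "denied"


def parse(line):
    """'2018-03-01T09:00:01 FAIL user=jdoe src=198.51.100.23' -> (ts, account, source, ok)"""
    ts, outcome, user, src = line.split()
    return (datetime.fromisoformat(ts), user.split("=", 1)[1],
            src.split("=", 1)[1], outcome == "OK")


def replay(lines):
    """Run the log through the guard; returns (verdict per line, alerts, locked accounts)."""
    guard = LoginGuard()
    results = [guard.attempt(*parse(line)) for line in lines]
    return results, guard.alerts, sorted(guard.locked_until)


# Constructed sample log (not real data): five guesses against jdoe, then the right
# password for jdoe, a normal login by asmith, and one source trying a single
# password against ten different accounts.
SAMPLE_LOG = (
    [f"2018-03-01T09:00:0{i} FAIL user=jdoe src=198.51.100.23" for i in range(1, 6)]
    + ["2018-03-01T09:00:06 OK user=jdoe src=198.51.100.23",   # correct, but now locked
       "2018-03-01T09:01:00 OK user=asmith src=10.0.5.17"]
    + [f"2018-03-01T09:05:{i:02d} FAIL user=user{i:02d} src=198.51.100.9" for i in range(10)]
)

if __name__ == "__main__":
    results, alerts, locked = replay(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, results):
        print(f"{verdict:8} {line}")
    print(*alerts, sep="\n")
    print("locked:", locked)
```

Note that the spraying source never locks anything: each account sees one failure, so only the per-source view catches it. In production the lockout state lives in the identity provider or a shared store, not in process memory, and the alerts feed the SIEM.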
Physical Security Measures
■ Preventing unauthorized physical access to your computer systems and networks that process and store the data:
■ Physical barriers
■ Locks, safes and vaults
■ Security force
■ Sensors and alarms
continued…
Physical Security Measures
■ Workstations:
■ Clean desk policy – make sure that documents containing personal information are not left on a desk unattended.
■ Position computers so as to avoid viewing by unauthorized personnel.
■ Lock, log off or shut down the computer when it is not attended.
■ Use automatic password-protected screen savers.
■ Portable equipment must be secured (laptops, USB drives, etc.)
■ Do not write passwords on paper beside the computer, under the keyboard, etc.
■ Do not share your passwords with anyone.
■ Lock drawers, file cabinets or offices.
■ Do not leave keys to drawers, file cabinets or offices lying around.
continued…
Physical Security Measures
■ Securing paper, physical media, and devices
■ Are you securely storing sensitive files?
■ Are you protecting devices that process sensitive/confidential/personal information?
■ Do you have safety standards in place for data stored on laptops or external drives?
■ Do you dispose of sensitive data securely?
■ Examples:
■ Copy machines with stored memory (the internal drive keeps copies of scanned documents)
■ Disposal of hard drives
■ Shredding (check document retention policy)
■ Report to supervisor or Privacy Officer if the shredding bin is too full for disposal
Administrative Safeguards
■ Administrative security measures
■ Implement controls to prevent unauthorized access and to provide an acceptable level of protection for computing resources and data.
■ Administrative security procedures frequently include personnel management, training, and discipline.
Administrative Safeguards
■ Basic Security
■ Is access to and use of personal information limited on a need-to-know only basis?
■ Is information held only as long as there is a legitimate business need?
■ Do You Have an Adequate Training Program in Place to Assure Compliance?
■ Employees generally?
■ Employees with Access to Private Information?
continued…
Administrative Safeguards
■ Service Providers
■ Have you implemented reasonable security measures with your service providers?
■ Are appropriate security standards a part of your service contracts? Cyber insurance? See the SPARK Institute data security standards (linked under Helpful Links)
■ Are you verifying compliance with these contractual requirements?
■ Does the Service Provider have adequate training of its personnel?
■ Do you have an incident response plan in the case of a breach by a service provider?
■ Is access limited to what is needed to get the job done?
Technical Security Measures
■ Technical security measures
■ Safeguards incorporated into computer hardware and software to provide access control, authentication prior to access and protect the integrity of stored and transmitted data. Examples include: firewalls, access control software, antivirus software, passwords, smart cards, biometric tokens, and encryption.
continued…
Technical Security Measures
■ Secure Password and Authentication
■ Are you using complex and unique passwords?
■ Is your system vulnerable to hackers who use password-guessing tools, or who try passwords stolen from other services (credential stuffing)?
■ Are passwords stored securely (salted and hashed with a slow, purpose-built password hash, never in plaintext or with a fast unsalted hash)?
continued…
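As an added example (not code from the original presentation), the password questions above in working Python: the unsalted fast hash that cracking tools love, beside a salted PBKDF2 record with constant-time verification, plus an enrollment check that rejects passwords already exposed in other breaches, which is exactly what credential-stuffing tools try first. The breached-password set, iteration count and minimum length are illustrative assumptions.

```python
"""Password storage that resists guessing and stuffing: salted slow hash, constant-time
verification, and a check against passwords already exposed elsewhere."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP guidance); raise as hardware improves

# Constructed stand-in for a breached-password feed. A real deployment queries a corpus
# such as a k-anonymity "Pwned Passwords" style service instead of a literal set.
BREACHED = {"password", "Winter2018!", "letmein", "Company123"}


def weak_store(password):
    """What NOT to do: an unsalted, fast hash. Equal passwords give equal hashes, so one
    precomputed table or one GPU pass over a wordlist recovers every matching account."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2. The record is self-describing so the work factor can be raised later
    without breaking existing users."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time so the
    response time does not leak how many leading bytes of the hash matched."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


def set_password(password, min_length=8, iterations=ITERATIONS):
    """Enrollment policy: refuse short or already-breached passwords, else return the record."""
    if len(password) < min_length:
        raise ValueError("password too short")
    if password in BREACHED:
        raise ValueError("password appears in a known breach; stuffing tools will try it")
    return hash_password(password, iterations)


if __name__ == "__main__":
    record = set_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong guess", record))                    # False
    # Two users with the same password: identical under the weak scheme, distinct under PBKDF2.
    print(weak_store("Winter2018!") == weak_store("Winter2018!"))     # True
```

The same shape works with bcrypt, scrypt or Argon2 from a library; PBKDF2 is used here only because it ships in the standard library. Whatever the algorithm, the iteration or memory cost is what turns a multi-billion-guess-per-second cracking rig into a few thousand guesses per second.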
Technical Security Measures
■ Storage and Transmission of sensitive personal information
■ Is confidential material secured by encryption during storage and transmission?
■ Is sensitive information kept secure throughout its lifecycle? By your vendors?
■ Are you following industry-tested and accepted methods for protection of sensitive information?
continued…
Technical Security Measures
■ Segmenting your network and monitoring who’s getting in and out
■ Is your network segmented?
■ Not every computer in your system needs to be able to communicate with every other computer
■ Is personnel data protected by housing it in a separate secure place on your network?
■ Do you have an effective intrusion detection tool to detect unauthorized activity on your network?
continued…
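Added example, not from the original slides: a policy check for the segmentation questions above. It encodes which segments may reach the segment holding personnel data and on which ports, then audits constructed firewall flow records for connections the firewall accepted that the policy does not allow, which is the quickest way to learn that the network is flatter than the diagram says. Address ranges, ports and the log format are hypothetical.

```python
"""Audit firewall flow records against an intended segmentation policy for the segment
that holds personnel and benefit-plan data. Addresses and policy are hypothetical."""
import ipaddress

SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "hr_apps":      ipaddress.ip_network("10.20.1.0/24"),     # HRIS / benefits web tier
    "hr_data":      ipaddress.ip_network("10.20.2.0/24"),     # database holding personnel data
    "guest_wifi":   ipaddress.ip_network("192.168.50.0/24"),
}

# Intended policy: only these (source segment, destination segment, dport) paths exist.
ALLOWED = {
    ("workstations", "hr_apps", 443),   # staff reach the HR portal over TLS
    ("hr_apps", "hr_data", 5432),       # only the app tier talks to the database
}


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def policy_verdict(src, dst, dport):
    """Default deny: a flow is allowed only if its segment pair and port are listed."""
    return "allow" if (segment_of(src), segment_of(dst), dport) in ALLOWED else "deny"


def parse_flow(line):
    """'src=10.10.4.21 dst=10.20.1.5 dport=443 action=ACCEPT' -> dict of fields"""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def audit(lines):
    """One finding per flow the firewall ACCEPTed that the policy says should not exist.
    A hit means a rule is broader than intended or the segment boundary is missing."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["action"] == "ACCEPT" and policy_verdict(f["src"], f["dst"], f["dport"]) == "deny":
            findings.append(
                f"{f['src']} ({segment_of(f['src'])}) -> {f['dst']}:{f['dport']} "
                f"({segment_of(f['dst'])}) accepted but not in policy")
    return findings


# Constructed flow log, not captured from a real device.
SAMPLE_FLOWS = [
    "src=10.10.4.21 dst=10.20.1.5 dport=443 action=ACCEPT",     # expected path
    "src=10.20.1.5 dst=10.20.2.10 dport=5432 action=ACCEPT",    # expected path
    "src=10.10.4.21 dst=10.20.2.10 dport=5432 action=ACCEPT",   # workstation straight to the DB
    "src=192.168.50.7 dst=10.20.1.5 dport=443 action=DROP",     # guest blocked, as intended
    "src=10.10.9.3 dst=10.20.2.10 dport=3389 action=ACCEPT",    # RDP to the DB host
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The two findings are what the slide’s question is really asking: a workstation that can open the database port directly, and a remote-desktop path into the data host. Feeding real flow exports (NetFlow, firewall logs) through the same check on a schedule turns the segmentation slide into a recurring control rather than a one-time design decision.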
Technical Security Measures
■ Securing remote access to your network
■ Endpoint security: Do you assess the service provider’s cyber security before activating a remote login account?
■ Do you have sensible access limits in place?
What To Do If There Is a Security Breach
■ Incident Response
■ Requires advance preparation
■ Incident Response Plan
■ A well-defined, organized approach for handling any potential threat to Company communications, systems, data, and assets, such as your intellectual property.
continued…
What To Do If There Is a Security Breach
■ Have an Incident Response Plan
■ Identify and describe:
■ Roles, responsibilities and members of the Incident Response Team
■ Contact information for internal and external team members
■ Types of potential incidents (e.g., HIPAA breach) and remediation plans for each
continued…
What To Do If There Is a Security Breach
■ Breach Notification
■ Have a communications plan:
■ Designate a point person for releasing information regarding the breach and to respond to inquiries.
■ Reach all affected persons: employees, former employees, participants, beneficiaries.
■ Don’t make misleading statements about the breach.
■ Don’t withhold key details that might help affected persons protect themselves and their information.
■ Don’t publicly share information that might put affected persons at further risk.
continued…
What To Do If There Is a Security Breach
■ Breach Notification
■ In deciding who to notify, and how, consider:
■ state and federal laws
■ the nature of the compromise
■ the type of information taken
■ the likelihood of misuse
■ the potential damage if the information is misused
continued…
What To Do If There Is a Security Breach
■ Breach Notification
■ Determine your legal requirements (notification and Remedial Action):
■ Check state and federal laws or regulations for any specific requirements for the type of breach and your business.
■ A breach involving electronic protected health information (PHI) covered by HIPAA requires specific remedial and notification procedures.
What To Do If There Is a HIPAA Security Breach
■ Conduct a fact-specific risk assessment (the Breach Notification Rule’s four factors):
■ The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
■ The unauthorized person who used the PHI or to whom it was disclosed.
■ Whether the PHI was actually acquired or viewed.
■ The extent to which the risk to the PHI has been mitigated.
■ Documentation of the risk assessment is required.
continued…
What To Do If There Is a HIPAA Security Breach
■ Once a breach or suspected breach is discovered, contact the Privacy Officer.
■ The Privacy Officer should immediately contact the legal department and outside HIPAA privacy counsel.
■ Working with legal counsel, conduct the risk assessment as quickly as possible to determine the extent of the breach and whether an exception applies.
■ Consult your HIPAA Breach Notification policies for a step by step guide to responding to a breach.
continued…
What To Do If There Is a HIPAA Security Breach
■ Summary of health plan’s notification obligations:
■ Individual notification by first class mail required (unless the individual has consented to electronic notice), without unreasonable delay and no later than 60 calendar days after discovery of the breach.
■ Media notification required for a breach involving more than 500 residents of a state or jurisdiction.
■ Must notify HHS: at the same time as the individual notices for a breach affecting 500 or more individuals; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
■ Note that the above requirements apply even for breaches caused by a Business Associate; however, depending on the Business Associate Agreement, either the health plan or the Business Associate will be responsible for the notifications, typically dependent on who caused the breach.
continued…
What To Do If There Is a HIPAA Security Breach
■ Content of health plan’s individual/media notice:
■ a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
■ a description of the unsecured PHI that was involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were compromised);
■ what, if any, steps individuals should take to protect themselves from potential harm resulting from the breach.
continued…
What To Do If There Is a HIPAA Security Breach
■ Content of health plan’s individual/media notice:
■ a brief description of the measures the health plan is taking to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
■ contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, a Web site or a postal address.
Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation
■ Investigate:
■ A health plan must investigate a violation of the Privacy Rule to determine the scope of improper conduct.
■ If unsecured PHI, investigate the incident in accordance with the Breach Notification Rule described earlier.
■ If secured electronic PHI, investigate the incident in accordance with the health plan’s security incident policy.
continued…
Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation
■ Mitigate:
■ A health plan must mitigate any harmful effect known to the health plan to have occurred as a result of a use or disclosure of PHI in violation of the Privacy Rule.
■ For example, if there is an unauthorized disclosure of PHI to an individual, the health plan should contact the individual regarding the unauthorized disclosure and request that the information be returned or destroyed and not further used or disclosed.
continued…
Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation
■ Sanctions:
■ A health plan must review its sanctions policy and determine what type of sanctions are necessary under the circumstances.
■ Consider who is responsible for the failure:
■ Did a particular employee fail to follow the Privacy Rule?
■ Did the employee do this intentionally or by accident?
■ Did the employee take steps to resolve the situation (by, for example, contacting the Privacy Officer to notify of a breach or stop the violation from occurring again)?
continued…
Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation
■ Reinforce:
■ A health plan must conduct training or reinforce the importance of maintaining the privacy and security of PHI after a violation occurs.
■ The training should at a minimum focus on the reason the incident occurred and solutions to prevent the same from occurring again.
■ As a best practice, in addition to the workforce member(s) involved with the incident being trained, other workforce members who have similar responsibilities should also be trained.
continued…
Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation
■ Revisit:
■ A health plan should review the administrative, technical, and physical safeguards that apply to the incident and implement new/revised safeguards if needed.
■ For example, if a breach occurred because unsecured PHI was disclosed to an unauthorized individual, it may make sense to mitigate the issue by requiring encryption for transmissions of PHI.
■ Encryption that follows HHS guidance (NIST-approved methods for data at rest and in transit, with the keys kept separate from the data) renders PHI “secured,” so a later loss of properly encrypted PHI does not trigger the Breach Notification Rule.
■ Implementation of encryption should then occur soon after the determination that it is needed.
Helpful Links
Privacy and Cyber Security Risks: Locke Lord Desk Reference, 7th Edition:
https://www.lockelord.com/newsandevents/publications/2016/11/privacy-and-cybersecurity-risks
National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity:
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
SPARK Institute, Inc. Industry Best Practice Data Security Reporting:
http://www.sparkinstitute.org/pdf/SPARK%20Data%20Security%20Industry%20Best%20Practice%20Standards%209-2017.pdf
Greater Houston Partnership Cyber Security Self-Assessment Tool:
http://www.houston.org/policy/security.html
Questions/Comments?
Philip Bush, (214) 740-8542
Stefan Smith, (214) 740-8796