when not if
Get your CyberEbola Vaccine NOW!
It’s no longer IF your customer or employee data will be hacked; it’s WHEN.
While you are waiting for the program to begin, take the 5-minute pre-quiz! You can find it in the attached materials.
David L. Fleck, Esq.
• White Collar Crime Prosecutor
  • 10 Years
  • Los Angeles District Attorney’s Ofc.
  • 53 jury trials
• Private Practice
  • Fraud and Cybersecurity
  • Prevention and Litigation
• Key Expertise
  • Communicating complex material to students, juries, and clients
• College Professor – Civil Litigation
David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - [email protected], (818) 268-5929
AGENDA: Preparing for a Cyber Attack
Part 1: State of CyberSecurity in Business Today
Part 2: Case Studies and the Law
Part 3: Action Items
1) State of Cyber Security in Business Today
Top Hacks of 2015
Known Breaches Per Month (source: HackMaggeddon.com)
Aug-14: 72
Sep-14: 69
Oct-14: 87
Nov-14: 80
Dec-14: 73
Jan-15: 91
Feb-15: 85
Mar-15: 70
Apr-15: 87
May-15: 89
Jun-15: 58
Jul-15: 74
935 known data breaches in a 12-month period
Effect on Breached Companies
US$3,800,000.00*
US$154.00 per stolen record
*Does not include megabreaches like Target ($148M).
Exception: Healthcare Companies
• Average cost per stolen record: US$363
• Medical records are most valuable
• Easy to get – many hospitals use old software
• Used to create fake profiles to:
  • Buy medical equipment for resale
  • File false claims with Medicare
• Long shelf life – can’t replace like a credit card
• Bundle of 10 medical records – US$4700
• Utah Medical Group: 1000s of attempts/week
Direct Costs of Breach
• Investigating the cause of the breach
• Fixing the breach
• Setting up hotlines for customers
• Free credit monitoring for victims
• Legal costs
Indirect Costs of Breach
• Loss of business because of wary customers
• Loss of reputation and customer loyalty
• Marketing expenses to redevelop goodwill
2) Case Studies and the Law
The Houstonian Hotel
• Luxury hotel in Houston, Texas
• George HW Bush used the hotel as his voting residence in the 1980s
• Established by the founder of Browning-Ferris Industries
• Marketed as a destination “for business executives trying to shed pounds and rediscover their inner velociraptor.”
The Breach
• Lasted 6 months
• Possibly affected 10,000 customers; actual number unknown
• Credit card POS devices
• NOT detected by hotel
• Notified by Secret Service
Impact
• Customers angry about delayed notice
• Direct costs
  • “Forensic investigators”
  • New POS system
  • Credit monitoring
  • No lawsuit (yet?)
  • 10,000 × $154 = $1,540,000
• Marketing
  • Rebuild trust
  • Rebuild brand loyalty
Lessons Learned from Houstonian Breach
1. CIO/CISO must develop a strategy to detect data breaches.
  • If caught early, less damage.
2. Give notice to affected customers as soon as possible.
  • Possible reasons for delay:
    • Criminal investigation
    • Want to develop strategy before announcing breach
  • Anticipate breach and plan ahead
PNI Digital Media
• Founded in 1995
• Operates on-line photo websites
• Operates photo centers in:
  • Walmart Canada
  • Sam’s Club
  • CVS
  • Costco
  • Rite Aid
• Owned by Staples since 2014
The Breach
• Third-party vendor breach
• Data includes
  • Names
  • Addresses
  • Email Addresses
  • Phone Numbers
  • Credit Card Numbers & Verif. Codes
  • Passwords
• “Breach Window” – July & Aug. 2015
• Number of Customers Unknown
Impact
• Loss of All Major Clients
• Probably Enough to Destroy Company
• But it gets worse…
  • CLASS ACTION LAWSUIT!!
  • The Settlement will be Six Figures At least
  • Plus attorney’s fees
  • Even a weak case will cost at least US$1,000,000.00!
Lessons Learned from PNI Media Breach
1. Do your Cyber Due Diligence on the data security strategies of your 3rd Party Vendors.
2. Do your Cyber Due Diligence on the data security strategies of companies you acquire. (Consider: Experian)
3. Troubles don’t end when you fix the breach
4. Your breach strategy should include plans for business continuity after breach
5. Data Breaches are expensive
Will PNI survive?
Settlements
Company                     Records       Data Type                         Settlement
AvMed                       1 Million     SSNs and Medical Records          $3.1M
Stanford University         20,000        Medical Records                   $4.1M
Schnucks (grocery)          2.4 Million   Credit Cards                      $2.1M
Vendini (ticketing system)  3 Million     Credit Cards                      $3M
Sony (PlayStation)          77 Million    Login Credentials, Credit Cards   $5M
LinkedIn                    6.4 Million   Login Credentials                 $1.25M
Sony Pictures               50,000                                          $8M
Target                      40 Million    Credit Cards                      $67M
T.A.N., an individual v. PNI Digital Media, Inc.
• Causes of Action: sets of facts sufficient to justify a right to sue
  1. Negligence
  2. Breach of Implied Contract
  3. Breach of Contract
  4. Bailment
  5. Violation of State Statute About Privacy
  6. Unjust Enrichment
NEGLIGENCE: Requires a Duty to Act/Not Act
• Duty to exercise reasonable care in safeguarding/protecting info.
• Duty to design, maintain, and test security systems and take other reasonable security measures to secure personal information
• Duty to implement processes to detect breaches
• Duty to make timely disclosure of breach
SOURCES OF DUTY (Part One)
• COMMON LAW
  • Reasonable Care: the degree of caution an ordinarily prudent and rational person would exercise.
  • Consider:
    1. Foreseeable likelihood of breach
    2. Foreseeable severity of harm
    3. Burden of taking precautions
SOURCES OF DUTY (Part Two)
• State Statutes
  • PNI – Georgia
  • Sony – California & Virginia
• US Statutes
  • HIPAA – Medical Data
  • COPPA – Children’s Data
• International Agreements
  • US-EU Safe Harbor Frameworks
  • APEC Privacy Framework
Examples of Negligence from Lawsuits
• Failure to develop and implement adequate security protections
• Ignoring recommendations of employees and consultants
• Misleading consumers about level of security
• Not having or not following cybersecurity protocol
• Executives and Board Members uninformed on issue of cybersecurity
• Taking too long to give notice to customers about breach
3) Action Items
Personally Identifiable Information (PII)
“Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”
• First name or initial plus last name and any of the following:
  • SSN
  • Date of Birth
  • Financial Numbers
  • Medical Record
• Definition varies from state to state
STEP 1: Survey Your Employees
• Data Landscape in Your Company
  • What data does your company collect from employees, customers, vendors, etc.?
  • How is the data used?
• Security Measures
  • What security measures and procedures are in place?
  • Who has access to the data?
  • What security measures do your competitors, affiliates and vendors have in place?
STEP 1: Survey Your Employees (continued)
• Weak Points
  • Employee Access?
    • Who has access to the data?
    • Who needs access to the data?
    • How do you verify the ID of the employee before they access the data?
  • External Threats
    • Hackers
    • Dumpster Divers
  • Third-Parties
    • Vendors
    • Acquired Companies
STEP 2: Survey the Law
• Which Privacy Statutes Apply to your Industry?
  • Medical Record Statutes – Health Insurance Portability and Accountability Act (HIPAA), Medical Information Privacy and Security Act (MIPSA)
  • Financial Privacy Laws – Right to Financial Privacy Act, Dodd-Frank Act, Gramm-Leach-Bliley Act
  • Privacy of Children – Children’s Online Privacy Protection Act (COPPA)
  • Consumer Privacy Laws
  • Statutes in your State or Country
  • International Statutes and Agreements
• What requirements do the statutes impose on your company?
STEP 3: Develop your Company Policies
• Before a Breach
  • Provide Notice to Customers of Privacy Protections (if required by law)
  • Implement multi-layered strategy to prevent breach
  • Establish procedures to detect data breaches
  • Purchase CyberInsurance
    • Look first at your Commercial General Liability (CGL) policy
    • If CGL has data breach exclusions, purchase “cyber” insurance as needed.
STEP 3: Develop your Company Policies (continued)
• In Preparation for a Breach
  • Draft a Data Breach Response Manual
  • Develop Breach Chain of Command and Crisis Communication Channels
  • Create Plan to Document details of the breach and its discovery
  • Develop Plan to preserve documentation
  • Develop a relationship with law enforcement
  • Develop plan for giving notice to customers whose data was affected
1. A data breach is almost inevitable in today’s business world
2. The cost can be devastating
3. Preparation can:
  1. Reduce the likelihood of breach
  2. Reduce your liability
  3. Ensure that your company continues to exist
Thank you.
David L. Fleck
Attorney-at-Law
www.RudoyFleck.com
(818) 268-5929