
This Webcast Will Begin Shortly

If you have any technical problems with the Webcast or the streaming audio, please contact us via e-mail at:

splemoderator@smartpros.com

Thank You!

August 19th, 2009

Presented By: Meritas

ACC’s Small Law Department Committee

www.acc.com

Data & Information Security: Friend or Foe?

Data Security (′dad·ә sә′kyu̇r·әd·ē) – Defined

The protection of data against the deliberate or accidental access of unauthorized persons. Also known as file security. (Source: Answers.com - www.answers.com)

The means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. (Source: Wikipedia - www.wikipedia.com)

[The] protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure. (Source: The Institute for Telecommunication Sciences (ITS) www.its.bldrdoc.gov)

The protection of data from accidental or intentional but unauthorized modification, destruction or disclosure through the use of physical security, administrative controls, logical controls, and other safeguards to limit accessibility. (Source: US Social Security Administration www.ssa.gov/gix/definitions.html)

Generic term designating methods used to protect data from unauthorized access (e.g., encryption). (Source: US DOJ - Office of Justice Programs www.ojp.usdoj.gov/nij/publications/wireless/glossary.html)

The protection of data against unauthorized access. (Source: PC Magazine - www.pcmag.com)

Business & Legal Reasons:

• SOX – Sarbanes-Oxley Act
• HIPAA – Health Insurance Portability & Accountability Act
• FACTA – Fair and Accurate Credit Transaction Act of 2003
• GLB – Gramm-Leach-Bliley Act
• FCRA – Fair Credit Reporting Act
• RFR – “Red Flags Rule”
• FRCP – Amended Federal Rules of Civil Procedure (“eDiscovery”)
• …State Laws, Industry Regulations, etc.

What Are the Most Common and Costly Risks Employers Face?

• Workplace Lawsuits
• Sexual Harassment Claims
• Trademark and Patent Infringement Suits
• Sabotage and Internal Security Breaches
• External Cracker and Hacker Attacks
• Lost Productivity
• Wasted Computer Resources
• eViruses
• Lengthy Business Interruption
• Six-Figure Fines and Jail Time for Software Piracy
• Million Dollar Legal Fees and Settlements
• Media Scrutiny
• Public Embarrassment

Source: The ePolicy Institute (www.epolicyinstitute.com)


Other Risks Employers Face?

• Class-action lawsuits from employees, others
• Business Impact/Reputation
• Compliance/enforcement
• e-Discovery
• Employee morale
• Customers, Competitors, Vendors, Current and Former Employees, Visitors, Shareholders, Government…
• Intellectual Assets

Types of Intellectual Assets

• Proprietary Technologies
• Research & Development Data
• Products & Services
• Operations Methodologies
• Business and Marketing Plans
• Customer Lists and User Identity Information
• Financial Data

…Essentially, everything you need to compete in business on a daily basis.

Why are Intellectual Assets Difficult to Secure?

• Because Sensitive Information can be anywhere…
  – Paper Files and Documents
  – Servers, Desktops, Laptops, PDAs – or somewhere in transit
  – The heads of authorized users, primarily your employees.

Myths Regarding Intellectual Asset Theft

• “Nobody would take that…”
• “…and if they did, so what?”
• “Employees (insiders) don’t steal.”
• “Competitors (outsiders) can’t steal – We have a firewall!”
• “Besides, only hackers and other hooligans would try to break in.”

2008 CSI Computer Crime and Security Survey Demographics:

Revenues        Percentage
Under $10M      24%
$10M-$99M       20%
$100M-$1B       22%
Over $1B        33%

# Employees     Percentage
1-99            23%
100-499         15%
500-1,499       14%
1,500-9,999     21%
9,999-49,999    15%
50,000+         12%

2008 CSI Computer Crime and Security Survey By Title:

Title                                       Percentage
Chief Executive Officer (CEO)               7%
Chief Information Officer (CIO)             10%
Chief Security Officer (CSO)                3%
Chief Information Security Officer (CISO)   12%
Security Officer                            25%
System Administrator                        8%
Other                                       34%

2008 CSI Computer Crime and Security Survey : Summary of Key Findings

•  Financial fraud cost organizations the most, with an average reported loss of close to $500,000. (Lead 2nd year in a row)

•  The second most expensive was dealing with “bot” computers within the network, reported to cost organizations an average of nearly $350,000.

•  Virus incidents occurred most frequently, respondents said, occurring at almost half (49 percent) of the respondents’ organizations.

•  Insider abuse of networks was second-most frequently occurring (44 percent), followed by theft of laptops and other mobile devices (42 percent).

•  The vast majority of respondents said their organizations either had (68 percent), or were developing (18 percent) a formal information security policy. Only 1 percent said they had no security policy.

•  Loss of either proprietary information or loss of customer and employee confidential data averaged at approximately $241,000 and $268,000, respectively.

• A shift toward the “professionalization” of computer crime.

% of Budget for IT Security

[Chart: percentage of budget spent on IT security by year; color key: 2008 gold, 2007 red, 2006 blue]

Data Breach - Definition

Many states now have data breach notification laws modeled on or inspired by California's SB 1386. Typically, under 1386, an enterprise holding private information (name plus social security number, driver’s license number or financial account number + password) in electronic form about a California resident must promptly notify the resident if the enterprise suspects a breach in security.

In all these data notification laws, a key issue is the definition of what constitutes a breach of data security.

For example, a corporation holding data might detect that a hacker accessed card data, but still conclude (based on other controls in the industry) that none of the card data in question had in fact been "compromised".

What Type of Data Presents Privacy and Security Issues?

• Confidential Information
• Intellectual Property
• Personally Identifiable Information
• Health
• Financial
• Other data that reveals sensitive information about individuals by itself or if combined with other information

The cost of data breaches for companies continues to rise.

The average cost of the breach per customer record for 2008 is $202, an increase from $197 in 2007 and $184 in 2006.

According to the study, the main reason for the increase is a loss in business opportunities from the breaches and turnover of customers.

Source: The Ponemon Institute / PGP Corporation, U.S. Cost of a Data Breach Study.

Case Examples


The Corporate Enterprise Network

Where do you find ESI- Electronically Stored Information?

• Laptops/Desktops
• Servers
• Phone Systems (VoIP)
• PDAs (Smart Phones)/Cell phones
• CDs/DVDs
• USB Thumb Drive
• Backup Tapes

Getting Started with the Basics

1. Identify ALL personal information (paper and electronic) on ALL IT systems.

2. Identify ALL contractors, vendors and other service providers who maintain personal information.

3. Evaluate ALL alternative work/business arrangements.

4. Review ALL current information system configuration documentation.

5. Identify and/or develop a work flow to track how personal information is received, created, accessed, used, modified, disclosed, stored, processed, or destroyed.

Cost Effective Data Security Tips

•  Develop a security plan: Short term, Long term, and most importantly Ongoing.

•  Define – How Much?, How Good?, and/or When is “Good Enough”?

•  Accept the general rule of thumb:

–  Good Security = Compliance

–  Compliance ≠ Good Security

Securing data on endpoints

• Laptops, phones, e-mail servers, PDAs, DVDs, CDs, and thumb drives may contain inadequately protected data
• Many people use these devices for highly sensitive information
• IT departments should ensure the ability to secure information on the network as well as the opportunity to manage data which enter and leave the company via these mobile devices
• Creates unintended access points

TOP Data Security Issues Facing Businesses Today

Data Security Risk = Data Value x Exposure

Type of Data           Value   Exposure   Risk Level
Credit Card #          5       5          25
Social Security #      5       4          20
CVV                    5       4          20
“Secret Sauce”         5       5          25
Personal Information   3       3          9
D.O.B.                 2       2          4
Drivers License        2       2          4
Customer Info.         3       4          12

Assign numeric value: High: 5; Low: 1

[Chart: 2×2 matrix of Value (High/Low) against Exposure (High/Low); quadrants labelled Destroy, Secure, Ignore, Monitor]

Identification and Providing Value

Five key practices to having a sound data & information security plan:

1. Take stock: Know what personal information you have in your files and on your computer. Understand how personal information moves into, through, and out of your business and who has access -- or could have access to it.

2. Scale down: Keep only what you need for your business. These days, if you don't have a legitimate business reason to keep sensitive information in your files or on your computer, don't.

3. Lock it: Protect the information you keep. Be cognizant of physical security, electronic security, employee training, and the practices of your contractors and affiliates.

4. Pitch it: Properly dispose of what you no longer need. Make sure papers containing personal information are shredded, burned, or pulverized so they can't be reconstructed by an identity thief.

5. Plan ahead: Draft a plan to respond to security incidents. Designate a senior member of your team to create an action plan before a breach happens.

Modern Life Communications


Social Networking Sites and Blogs:

• Posting of sensitive data
• Increased number of possible viral connections to work computers
• Users should take steps to ensure protection of personal data, considering the consequences and the privacy settings available on social networks.
• Companies should develop a usage policy for staff that takes into account the possible uses of SNS data for social engineering attacks.
• “Spear-phishing” attacks, which are targeted e-mail attacks that a scammer sends only to people within a small group, such as those within a company, for the purpose of stealing identifying information.

Preserving Electronic Data

• For internal auditing purposes and in anticipation of litigation
• Under the law, you have a duty to preserve electronic data as soon as you should reasonably be aware that a claim may be or has been filed against you
• Court-ordered sanctions are becoming more common for companies that fail to comply with this requirement in discovery proceedings


Metadata issues

•  Metadata is “data about other data,” and is attached to files such as emails, documents, and spreadsheets that are sent electronically.

•  Metadata contains basic information such as the author, size, and format of a document, but may contain more sensitive information such as track changes or hidden attributes that the document creator may want to keep private.

•  In litigation, state courts are divided about the extent to which unintentionally sent metadata may be used in discovery and litigation.

•  Companies should be cautioned to be aware of the metadata attached to documents provided to consumers, clients, or in preparation for litigation.


Types of ESI that contain metadata

• E-mails
• Spreadsheets
• Graphics - Pictures
• Word Docs

Almost all of the information that you typically want in discovery can be retrieved COST EFFECTIVELY (if done properly) by getting the documents electronically.

Case Examples: Printed E-mail; Backdated MS Office Word Document

The Old Fashioned Way (Paper) vs. (Digital)

ESI contains information that a hard copy does not:

• Creation Dates/Times
• Access Dates/Times
• Versions
• Comments
• Author
• Login Information
• E-Mail Access Lists, Audit Trails and Computer Logs
• Gateways/Web Browsing History
• Much, much more...

•  E-mail metadata can provide additional information, including the sender's domain, the route a message has traveled over the Internet, and where delays may have occurred between sending and receipt.
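As an added example (not part of the original slides or the presenters' materials), the following Python script reconstructs the route and per-hop delays of a message from its Received headers, the e-mail metadata described above; the message, host names, addresses and timestamps are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (hosts, addresses and times are made up).
# Received headers are listed newest-first, as each relay prepends its own.
SAMPLE_MESSAGE = """\
Received: from mx2.example-law.test (mx2.example-law.test [192.0.2.20])
\tby mail.example-law.test with ESMTP id abc123;
\tTue, 18 Aug 2009 14:05:10 -0400
Received: from smtp.example-client.test (smtp.example-client.test [198.51.100.7])
\tby mx2.example-law.test with ESMTPS id def456;
\tTue, 18 Aug 2009 14:04:55 -0400
Received: from [10.0.0.15] (workstation.example-client.test [10.0.0.15])
\tby smtp.example-client.test with ESMTPA id ghi789;
\tTue, 18 Aug 2009 13:20:02 -0400
From: Alice Example <alice@example-client.test>
To: counsel@example-law.test
Subject: Contract draft
Date: Tue, 18 Aug 2009 13:19:50 -0400

Please see attached.
"""

# "from <host> ... by <host>" is the relay pair recorded by each hop.
RECEIVED_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)")

def parse_received(value):
    """Split one Received header into the relaying hosts and its timestamp."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    # The date is the part after the last ';' (RFC 5322 Received syntax).
    stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    return {"from": m.group("src") if m else "?",
            "by": m.group("dst") if m else "?",
            "time": stamp}

def trace_route(raw_message):
    """Return the hops oldest-first, each with the delay since the previous one."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    previous = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    for hop in hops:
        hop["delay_seconds"] = (int((hop["time"] - previous).total_seconds())
                                if previous else None)
        previous = hop["time"]
    return hops

def sender_domain(raw_message):
    """Domain of the From: address (as claimed by the sender, not verified)."""
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    return addr.rpartition("@")[2]

def slowest_hop(hops):
    """The hop that waited longest: where a delay occurred in transit."""
    return max((h for h in hops if h["delay_seconds"] is not None),
               key=lambda h: h["delay_seconds"])
```

Received headers are written by each relay and the oldest ones can be forged by a sender, so the chain is trustworthy only from the first server you control inward.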

Simple Ways To Find Metadata

Data Protection and Privacy

• Companies have a duty to protect their data from internal (internal e-mail, intranet, databases) and external attacks (internet, e-mail, social networking sites, ftp)
• Preserve the confidentiality of sensitive information by controlling the access, use, and dissemination of information to the extent required by law, contract, or business need
• Data and systems should be secured such that those who need access to the data may get it, while those activities that can reduce the efficiency or availability of critical business systems are avoided
• Keeping current with data mining, which allows information to be extracted from hidden patterns of data; data mining is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery


Employee privacy rights

• Companies may look at their employees’ activities throughout the day, but may want to be transparent about the types of surveillance that are conducted.
• This includes monitoring computer keystrokes and files; internet, Web and e-mail usage; locations, movements and activities through “smart card” technologies; phone conversations and numbers dialed; and other means.
• Security legally trumps employee privacy rights in the workplace.

Effective Policies

Potentially Relevant Policies

• Privacy policies
• Employee policies
• Business partner policies (e.g., contract policies)
• Document retention policies (e.g., destruction of records containing sensitive personal information)
• Incident response policies

Cyber Insurance Protection

• CIP is an insurance product used to protect businesses from internet-based risks, and more generally from risks related to information technology infrastructure and activities.

•  Internet and network exposures are increasingly subject to exclusion from "traditional" insurance policies because CGL and property policies were originally designed to respond to liabilities and natural perils that damage physical assets.

•  With Internet-based technologies, "i-exposures" are largely intangible, the result of human error, or deliberate malicious attacks and crimes.

Cyber insurance offers protection for internet and network exposures, including:
  – Liability: privacy and confidentiality
  – Copyright, trademark, defamation
  – Malicious code and viruses
  – Business interruption: network outages, computer failures
  – Attacks, unauthorized access, theft, Web site defacement and cyber extortion
  – Technology errors & omissions
  – Intellectual property infringement

Marsh: http://global.marsh.com/risk/ecommerce/
Chubb: http://www.chubb.com/businesses/csi/chubb822.html

Practice Tips for Breach Issues

• Adopt plan
• Pay attention to suspicious activity or complaints
• Address these issues with your business partners
• Realize that multiple parties may have duty to disclose same incident
• Implement escalation procedures
• Comply with highest legal standard

Compliance Resources

• Sarbanes-Oxley
  – Corporate responsibility, Board oversight
  – http://www.soxlaw.com
• Health Insurance Portability and Accountability Act (HIPAA)
  – Privacy rules for health care records
  – http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
• Gramm-Leach-Bliley Act
  – Protection of consumer financial information held by financial institutions
  – http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
• Fair Credit Reporting Act
  – Monitoring consumer reporting agencies
  – http://www.ftc.gov/os/statutes/fcrajump.shtm
• Payment Card Industry
  – Rules and security standards for credit card transaction security
  – https://www.pcisecuritystandards.org/
• EU Data Privacy Directive
  – Rights regarding personal data collection
  – http://www.privacilla.org/business/eudirective.html
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  – Collection, use, and disclosure of personal information in the course of business
  – http://www.priv.gc.ca/legislation/02_06_01_e.cfm
• European Network and Information Security Agency
  – Agency that provides advice, recommendations, data analysis, and expertise to stimulate cooperation between the public and private sectors.
  – Follows and studies the development of standards, risk assessment activities, and risk management issues.
  – http://www.enisa.europa.eu/
• The Federal Trade Commission (FTC) “The Red Flags Rule” (www.ftc.gov/redflagsrule)

Sources:

• The Open Security Foundation's DataLossDB, a research project that documents known and reported data loss incidents worldwide: (http://datalossdb.org).

•  Privacy Rights Clearinghouse, a nonprofit consumer organization with a two-part mission -- consumer information and consumer advocacy: (http://www.privacyrights.org/index.htm).

•  Ponemon Institute conducts independent research on privacy, data protection and information security policy: (http://www.ponemon.org)

•  Computer Security Institute (CSI) conducts “The CSI Computer Crime & Security Survey” yearly and is the world's most widely quoted research on computer crime. (www.gocsi.com)

• NOTE: A copy of the 2008 Survey can be downloaded at: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf

•  The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization: (http://www.sans.org)

•  Javelin Strategy & Research conduct nation’s longest-running study of identity fraud (www.javelinstrategy.com)

Thank You for your attention!

Any Questions?

“Where law, technology, and human error collide . . .”
• An eDiscovery best practices blog that identifies the pitfalls of eData and offers solutions on how to avoid them.
• Visit: www.eLLblog.com and sign up for our newsletter alerts.

Educational eData Blog

Educational Monthly Newsletter

Contact Information

Rob Kleeger, Managing Director
rkleeger@intell-group.com
www.intell-group.com
1545 US Route 206, Bedminster, NJ 07921
908-396-1467 (Ofc), 973-699-0167 (Cell)

Fernando M. Pinguelo, Partner
fmp@nmmlaw.com
www.nmmlaw.com
721 Route 202-206, Bridgewater, NJ 08807-5933
908-252-4128 (ofc)

Disclaimer:

These slides are made available for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this information, you understand that there is no attorney client relationship between you and the publisher. This information should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Thank you for attending another presentation from ACC’s Desktop Learning Webcasts

Please be sure to complete the evaluation form for this program as your comments and ideas are helpful in planning future programs.

If you have questions about this or future webcasts, please contact ACC at accwebcasts@acc.com

This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at http://webcasts.acc.com

You can also find transcripts of these programs in ACC’s Virtual Library at http://www.acc.com/search/cfm
