Human Resources and Cyber Risk: The New Frontier of Cybersecurity Regulations

APRIL 5, 2017

“No computer is safe.”

Criminal Conviction Analysis

Why hack, when you can ask for the data?

“IRS Warns of New Phishing Scheme Involving W-2s”

Source: AccountingToday, March 1, 2016

“The Internal Revenue Service issued an alert Tuesday to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to come from company executives and requests personal information on employees.”

“Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups, and Others”

Source: IRS Alert issued on February 2, 2017

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”

Why hack, when a link is available on-line?

“Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal”

Source: KrebsOnSecurity, May 3, 2016

• The problem arose when the company inadvertently published the link to the ADP portal online together with the company code needed for access
• ADP considered a KBA (“Knowledge Based Answer”) question, but those can be easily “hacked” via open source information.

Ransomware

“Los Angeles Hospital Pays Hackers $17,000 After Attack”

Source: New York Times, Feb. 18, 2016

“It sounds like the plot of a Hollywood thriller, but the all-too-real scenario played out this month at a large Los Angeles hospital: Hackers seized control of critical computer systems and the hospital paid a $17,000 ransom to release them.”

You may not be the (only) target.

“Nearly 70% of the attacks where a motive for the attack is known include a secondary victim. The majority of these were not from espionage campaigns (thankfully), but from opportunistically compromised servers used to participate in denial-of-service (DoS) attacks [see recent IoT attack], host malware, or be repurposed for a phishing site.”

Source: Verizon 2015 Data Breach Investigations Report (emphasis added)

Technology evolves faster than the law

• Think about your workplace 20 years ago
  − Desktop computers, dial-up internet
• 10 years ago
  − Smartphones
  − High-speed internet
• 5 years ago
  − Electronic records
  − Cloud computing
  − Social media
• 1 year ago
  − Software as a service (SaaS) platforms
  − Periscope, Snapchat

• Employee, customer and company information is almost certainly stored electronically
• How do you protect that information?
  − What are the legal requirements? What are you doing now?
• What if/when a breach occurs?
  − Reporting obligations to employees? Government? Public?
  − Liability?
• What should you be doing now?

Overview of Presentation

• Role of HR in relation to a breach
• Review of relevant:
  − Requirements related to data security and breaches
  − Requirements related to employee data
• What your company should be doing now
  − How does this affect you as an HR professional?
• If a breach occurs, what do you do?

Role of HR in a Breach

• Heightened level of attacks – what does this mean for HR?
  − Employee information is at risk, and HR is often the target
• “Securing the Human” is key
  − A network is only as secure as its human users make it
  − It is often easier to break through human defenses than to break through technical defenses

Common Breach Scenarios

• FBI or Secret Service comes to your door
• You are alerted by a financial institution or business partner that you are the suspected victim of a breach
• Ransomware demand
• Something’s wrong with the company website
• Positive result in a security assessment or IOC search
• Employees or customers come to you to alert you that something may have happened to their data
• Spear-phishing attempt/success – Business E-mail Compromise

Questions to Consider

• Do you have the right personnel? Response team identified?
• How are you protecting/transmitting sensitive information?
• How are you training employees? Ensuring that employees comply with policies and protocols?
• Are your policies and procedures up to date?
• How will you notify employees (and others) of a data breach?

State Data Breach Notification Statutes

• Patchwork of state statutes
  − 47 states (and counting)
• Data breach notification rules with “backdoor” security “requirements”
  − See encryption safe harbors
• Some states purport to reach beyond their boundaries
  − E.g., Florida, Illinois, Maryland, Massachusetts, and Virginia
• Consider where your employees live, and where they retire

• Some include substantive requirements
  − E.g., Massachusetts requires encryption
• Types of protected data can differ
  − Biometric data (e.g., CT, NC, OR, and WI)
  − E-mail address and passwords (e.g., CA and RI)
• Differing notification deadlines
  − Many statutes require that disclosure be made as expediently as possible and without unreasonable delay
  − But some states impose specific notification deadlines (e.g., Connecticut requires disclosure no later than 90 days after the breach is discovered)

• Differing substantive notice requirements
  − E.g., the date of the breach, a description of the personal information accessed, and contact information for inquiries about the breach (e.g., Florida)
  − For example, you can’t use a NY form response to notify for an MA breach.
• Conflicting requirements
  − MA: Cannot describe the nature of the breach
  − NY: “Description of the breach” required

• Penalties can vary
  − NY: $5,000 to $10,000 per record, up to $150,000 per breach
  − ME: not more than $500 per violation, limited to $2,500 for each day the person is in violation of the data breach notification statute
  − MA: up to $5,000 for each violation
  − OR: up to $1,000 per violation, but not more than $500,000 total

• What’s required? Generally, only notice to:
  − Affected individuals (this includes employees and retired employees)
  − But some states also require notice to the Attorney General (e.g., Connecticut, Maryland, Massachusetts, Montana, and New York) and others
  − Media (in case of substitute notice)
• Call center
  − Probably mandatory for large breaches, as many states require a single telephone number for customer questions
• Some states require credit monitoring

Health Insurance Portability and Accountability Act (HIPAA)

• Covered Entities only, and only in relation to ePHI
• Four factors to determine whether an incident is not a HIPAA breach:
  − The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  − The unauthorized person who used the protected health information or to whom the disclosure was made;
  − Whether the protected health information was actually acquired or viewed; and
  − The extent to which the risk to the protected health information has been mitigated.

HIPAA – Covers Business Associates Directly

• A person who, on behalf of the covered entity, “creates, receives, maintains or transmits” PHI while performing a function or activity.
• Omnibus Rule extends the Privacy and Security Rules to BAs directly
• Independent obligation for the BA to be in compliance
• Phase 2 audits now covering BAs

HIPAA – Breach Notification

• Rule: if there is a breach of unsecured PHI, then the notification rule applies
• Notification:
  − Notify all persons whose PHI was breached (written notice by first class mail)
  − Fewer than 500 individuals involved: maintain a log and notify HHS annually, within 60 days after the end of the calendar year in which the breach was discovered
  − More than 500 individuals involved: must notify the media within 60 days after discovery of the breach and must notify HHS within 60 days after discovery of the breach

HIPAA – Ransomware

• Ransomware can now be a reportable breach under HIPAA
  − Maybe it always was
• The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware
• If a security scan detects ransomware, this is now clearly a “security incident” under the Security Rule
• Whether or not the ransomware is a breach depends on the outcome of the four-factor analysis

Federal Trade Commission (“FTC”)

• There are no “regulations” governing the FTC’s actions, only the FTC Act
  − “[U]nfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1)
  − “The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2).

FTC – What Does the FTC Expect You to Do?

• Whatever is reasonable
  − FTC v. Wyndham Worldwide Corp., et al. (DNJ, 2:13-cv-01887-ES-JAD): “[T]he contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations’.”
• “[FTC standards] can be found in speeches, business education, Congressional testimony, articles, blog entries, these concepts have been laid out pretty clearly in Commission materials, as well as other FTC settlements in the data security area.”
  − In re LabMD, Deposition of Daniel Kaufman, FTC.

FTC – What’s Next?

• All indications point to more FTC enforcement actions, but the effect of the new administration is unclear
• The balance will be between loosening regulations and being tough on cybersecurity
• But the FTC has no cyber regulations, so the FTC could increase enforcement efforts without adding new regulations
• Headlines/politics will likely drive enforcement
• Fines can drive enforcement, which can drive fines, which can drive enforcement . . . .


Non-governmental Standards?

• PCI-DSS = contractual standard set by the card brands
  − 12.10.1a requires that a breach response plan allow for legal analysis of customer notification requirements
• Specific notification requirements in agreements with card brands, acquirers, and processors
  − Usually “immediately”, with some outside timeframe
• “Self”-regulation
  − Leads to contractual claims for indemnification (assessments)
• Beware: many processor contracts pass assessments down to the merchant, although the merchant is not required to be PCI-DSS compliant

NYS DFS – 23 N.Y.C.R.R. Part 500

• Published 9/13/16
  − 45-day notice and comment period – ended 11/14/16
• Revised 12/28/16
  − New comment period ended 1/27/17
• In effect as of 3/1/17
  − Stay tuned for more possible changes
• “First-in-the-nation” regulations, covering thousands of entities directly, and — potentially — tens of thousands indirectly
• Covered employee data

• Information System
  − Can include the cloud
  − Industrial/process controls
  − Telephone switching/PBX
  − HVAC
  − Should include lighting/power management
• Data agnostic
  − Your Information System does not have to contain protected data to be covered under the new regulations

• Nonpublic Information
  − 3 categories: (1) material adverse impact, (2) PII as defined under N.Y. Gen. Bus. Law § 899-aa, plus biometric records, and (3) healthcare information
• Applies regardless of the type of Covered Entity, to whom the information relates, or why the Covered Entity has it
  − Puts the same burden on a bank in relation to healthcare information as it does on a health plan

NYS DFS – 23 N.Y.C.R.R. Part 500 – Notice of Material Cybersecurity Event

• 72 hours
• Standard:
  − Whenever any other notice is required, or
  − A reasonable likelihood of materially harming any material part of normal operations
• Includes unsuccessful attacks – data agnostic
• How do you scrub through all Cybersecurity Events, which could include every firewall deny, to determine whether they qualify?
• No reporting portal yet in place

NYS DFS – 23 N.Y.C.R.R. Part 500 – Vendors

• Minimum cybersecurity practices to be met
  − What is the minimum going to be?
• Due diligence in vetting/contractual provisions
• Periodic assessment of third parties and a Third Party Information Security Policy
  − This will undoubtedly have the broadest effect under the regulations
  − Each Covered Entity can have dozens of Third Party Service Providers
• 2-year lead time

What About the Unwritten Rules?

• The NY AG has stated publicly that two-factor authentication is a “no-brainer”
• ID Theft Protection and Credit Monitoring – not always required, but a good idea

Confidentiality

• Regulatory trend toward public disclosure
• See Massachusetts Public Records Law (M.G.L. c.66) (making the state’s Data Breach Notification Archive available to the public online)
  − http://www.mass.gov/ocabr/data-privacy-and-security/data/data-breach-notification-reports.html
  − Lists whether data was encrypted or not: roadmap for hackers?

What You Should Be Doing Now

• HR is key to help with internal communications and organization in relation to cybersecurity issues
  − Simply another employee compliance issue that HR has an important role in managing
• The most important step to prepare for a breach is planning
• This can include: training/education, time, coaching, discipline
• Requires the right policies and procedures
  − E.g., a data breach response plan that inadvertently gives an outside forensic investigator access to ePHI without a BAA in place creates a separate HIPAA breach.

• Should HR be on the breach response team?
  − It depends on your organization
  − If employee data is the prime target, then likely yes
  − If HR is necessary to proper execution of the plan, then absolutely yes
• Disaster recovery/business continuity analogy
  − If HR is part of the DR/BC team, it should likely be part of the data breach response team
• Why is this a legal concern?
  − Because failure to constitute an effective breach response team leads to legal risks arising from inadequate/inefficient/improper breach response

• Drill the plan.
  − DR/BC analogy continued
  − A breach response plan is only as good as it is in practice
• Your organization may be required to drill the plan
  − PCI-DSS Requirement 12.10.2: “Test the plan at least annually”
• One plan does not fit all. “Fit” will come into focus in the drill
• The plan will change over time. Drills will help expose weaknesses

Best Practices in Relation to a Breach

• Don’t ignore it.
  − Treat every incident as a potential breach until it is proven otherwise.
• N.Y. Gen. Bus. Law § 899-aa
  − “Breach of the security of the system” shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
• Difficulty in proving the negative. Does unauthorized access = unauthorized “acquisition”?

• Follow your plan
  − Document preservation policy analogy
  − The only thing worse than not having a plan is having a plan and not following it
• Ensure proper communication
  − The water cooler can be a dangerous place
  − Beware of the “b” word
  − Employees should know what they should keep confidential
  − False reporting of a breach can be as harmful to the organization as an actual breach
• Protect confidential/privileged communications
• Manage the “fog of war” surrounding a breach

• Work with your professionals.
  − Legal
  − Forensic vendors
  − Breach notification vendors
  − Crisis communication/PR
• Learn from the breach.
  − Someone in the organization should be tasked with a post-breach response post mortem, to review what worked, what didn’t, and what can be improved.

Other HR Breach Issues

• Working with law enforcement
• Bringing charges against an insider
• Paying the ransom
• Discipline/termination
• Dealing with upper management
  − Old dogs, new security tricks
• Incentivizing/fostering a culture of security
  − Check-the-box compliance is not enough
• Post-breach turnover

F. Paul Greene
585.231.1435
[email protected]
hselaw.com