PREVENTING TOMORROW'S CYBERSECURITY RISKS AND LAWSUITS (AT ALL COSTS) DANIEL D. WHITEHOUSE, ESQ. WHITEHOUSE & COOPER, PLLC


CYBER TODAY

• Blocking and tackling
• Reactive due to:
  • Lack of resources
  • Lack of cyber knowledge/inventory
  • Refusal to acknowledge risks
    • I’m a small business—they won’t target me
    • I don’t have anything they want
• Humans still think “they” will not fall for scams


WILL I BE BREACHED?

• 74% of companies breached don’t know about it (Bitdefender)

• More than 50% of SMBs breached in 2016 (CSO Mag)

• 31% of all organizations were attacked in 2016 (Cisco)


MORE STATS

• 72% close within 24 months
• Down for 10 days+: 93% file bankruptcy w/in 12 months
  • 50% file immediately
• Average cost of a data breach is $3.86m (IBM, 2018)
  • US is highest cost, at $7.91m
• SMB costs range from $50k - $300k


TWO AREAS OF CYBERSECURITY

• System Integrity
  • Ransomware, DDoS attacks, worms, etc.
• Data Integrity
  • Data exfiltration, stolen CC numbers, email snooping, etc.
• Both
  • Ransomware*, stolen/lost devices, vulnerabilities, etc.


COMMON THREATS

• Stolen or weak passwords used (81%)

• Phishing scams

• Exploiting vulnerabilities

• Data loss (laptop in an Uber/airport, etc.)


CYBER LEGISLATION

• 50 states, DC, Guam, PR, and VI have breach notification laws

• AGs have different notification requirements

• A few states attempting to adopt proactive legislation

• California (CCPA), Massachusetts (DPA), Nevada and Maine

• Proposed legislation in Florida this session like CCPA

• Congressional hearings regarding privacy but no movement


CURRENT PROTECTION FRAMEWORKS

• FTC security framework
• NIST
• DoD Framework
• HIPAA, FINRA, GLBA, SOX
• Private standards (PCI, SSAE18)
• And yet…


CURRENT PROTECTION MEASURES

• User training
• Passwords (including 2FA)
• Security patches
• Antivirus/malware
• Intrusion detection/intrusion prevention
• Encryption


DATA MODELS


DECENTRALIZED DATA

• Current model: everyone has our data
  • Create additional copies
  • Change it
  • Analyze it
  • Combine it with other data
• Too much data to manage!
  • Cost (labor and hardware)
  • Administrative burden
  • Regulatory requirements


TRADITIONAL CENTRALIZED DATA

• One “original” document/source of truth
  • Think of document templates
• Available only “in the office”
• Security and access managed centrally
• Cons
  • “The server” goes down, data is inaccessible
  • “The server” is compromised, everything is at risk


CENTRALIZED DATA PROPOSAL FOR PII

• One single source of data. (Yep, only one.)
• Owner control over access and use
• Revoke access if/when desired
• Full audit log of access
• Reduces legislative requirements (CCPA/GDPR less restrictive)


HOW WOULD IT WORK?

• Unique number assigned to me
• You send me a request to access data
  • One-time use or some TTL
• Data cannot be copied, only accessed when needed
• Write access granted to trusted sources
  • Rather than Equifax storing credit scores, writes it to our data set
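
The request/grant flow on this slide, modelled in Python as an added example (not part of the original presentation): `PiiVault`, its method names and the token format are hypothetical choices made here. Each grant is one-time or TTL-bound, can be revoked by the owner, and every access attempt, allowed or denied, lands in the audit log.

```python
import secrets
import time


class PiiVault:
    """Hypothetical owner-controlled store; every access needs a live grant."""

    def __init__(self, records, clock=time.time):
        self._records = dict(records)   # the single source of data
        self._grants = {}               # token -> grant
        self._clock = clock             # injectable so expiry can be tested
        self.audit_log = []             # (time, requester, action, field, outcome)

    def _audit(self, who, action, field, outcome):
        self.audit_log.append((self._clock(), who, action, field, outcome))

    def grant(self, who, field, ttl=None, one_time=False, write=False):
        """Owner approves a request and hands back an unguessable token."""
        token = secrets.token_urlsafe(32)
        expires = None if ttl is None else self._clock() + ttl
        self._grants[token] = dict(who=who, field=field, expires=expires,
                                   one_time=one_time, write=write)
        self._audit(who, "grant", field, "issued")
        return token

    def revoke(self, token):
        g = self._grants.pop(token, None)
        if g:
            self._audit(g["who"], "revoke", g["field"], "revoked")

    def access(self, token, field, new_value=None, write=False):
        """Read (or, for write grants, update) one field; always audited."""
        g = self._grants.get(token)
        if g is None or g["field"] != field or g["write"] != write:
            outcome = "denied:no-grant"
        elif g["expires"] is not None and self._clock() >= g["expires"]:
            del self._grants[token]
            outcome = "denied:expired"
        else:
            outcome = "ok"
            if g["one_time"]:
                del self._grants[token]   # consume before releasing data
        action = "write" if write else "read"
        self._audit(g["who"] if g else "unknown", action, field, outcome)
        if outcome != "ok":
            raise PermissionError(outcome)
        if write:
            self._records[field] = new_value
        return self._records[field]
```

A broker like this can gate and log access, but it cannot by itself stop a requester from retaining a value once it has been read.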


LEGAL ANALYSIS

• No copies stored offline = no hackers accessing PII

• No hackers accessing PII = no data breaches

• No data breaches = (me out of a job!!)

• Owner becomes responsible for protection, not the holders


ANTICIPATED ISSUES

• Minor detail: the technology…
• Major business process overhauls needed
  • Ordering processes
  • Marketing processes
• Would require international security framework
• Federal legislation to mandate
  • Penalties proportionate to crime/breach/failure to comply


THE ALTERNATIVE

• More of the same
• “Hope” IT is knowledgeable about cybersecurity


UNTIL THEN…

• Conduct a risk assessment
• Cost-benefit analysis
• Archive/offline/delete unnecessary data
• “Easy” fixes
  • Privacy shields on screens
  • Cover webcams
• Penetration testing (including phishing)
• Web content filtering
• Cyber Liability Insurance


WHY WE CAN’T WAIT (Cost of a Breach)

• Each record * following costs:
  • Notification letter (paper, envelope, stamp: $1)
  • Credit protection ($6 - $45)
  • Help desk calls ($?)
  • Administrative fines ($??)
  • Class-action lawsuit ($???)
  • Attorneys’ fees ($????)
• Best time to engage an attorney?


HOW CAN WE START?


Daniel D. Whitehouse, Esq.
Whitehouse & Cooper, PLLC
201 E. Pine Street, Suite 205
Orlando, FL 32801
(321) [email protected]

QUESTIONS?


PERSONAL INFORMATION

• First name/initial and last name with:
  • SSN;
  • Driver’s license, ID number, passport, military ID number, etc.;
  • Financial account number (bank, credit/debit card);
  • Information regarding medical history; or
  • Health insurance policy number or subscriber ID
• User name or email address and a password


WHERE PII LIVES

• Medical records (also PHI)
• Real estate files
• Employment files (Payroll services, QuickBooks)
• W9s
• ACH authorizations
• Credit card transactions (PCI compliance)
• Many, many more places


PROTECTED HEALTH INFORMATION

• Information that:
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    – That identifies the individual; or
    – With respect to which there is a reasonable basis to believe the information can be used to identify the individual.