David Willson, Esq., CISSP
Titan Info Security Group
“A Risk Management and Cyber Security Law and Consulting Firm”

Cybersecurity and Liability: Are you informed?

Agenda

Suffering a breach is a foregone conclusion, but how bad is it really?

Why we are still optimistic

The emperor has no clothes

The Problem and the Perfect Storm

Computers – IT – Cyber Security – Risk

Agenda cont.

What you can do

Now, before the breach

When the breach is discovered

After the breach

The Assessment

The Policy

The Training

Bottom Line

Do an assessment

Write the policies

Train employees

Know when to ask for help (e.g. collaborate with someone to help you assess the risk to your business, your customers, etc. Collaborate with a cyber security expert)

Recent Data Breaches

How were they breached?

Target: The Target breach also started with a hacked vendor, a heating and air conditioning company in Pennsylvania that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. (PoS)

Home Depot: IT was told to minimize costs and system downtime at the expense of improving security. Crooks initially broke in using credentials stolen from a third-party vendor. (Facing at least 44 civil suits.) (PoS)

Sears/Kmart: (PoS)

How were they breached? cont.

Chick-fil-A: (PoS) Detected by a credit card association who notified financial institutions that payment card systems had been breached. The breach occurred between Dec. 2013 and Sept. 2014. See the connections, and the length of time?

JP Morgan: 76 million households and 8 million small businesses. Root cause – an employee’s computer. Georgetown law professor: "JP Morgan spends crazy amounts of money on IT security and yet they can still be hacked," he said. "There’s really no way you can be connected to the Internet and keep things safe."

US Postal Service: 800,000 employee records. Also the Pentagon, NOAA, OPM, the White House and more.

How were they breached? cont.

White House: The breach was reported to the Govt via an ally. Like many breaches, it was not discovered internally but reported by an outside third-party.

Sony: Well, depending on who you believe, it was either North Korea who was mad because their dictator’s head explodes in a movie that was supposed to be released over Christmas, or, it was former employees who were terminated, or a combination, or maybe something or someone much more nefarious?

* These are just a few of the many breaches that are known. On average, most breaches were discovered months after they were initiated, if you can even trust those statistics. Consider the Shady RAT report from McAfee in 2012: they discovered hackers had been in 70 large companies and national government computers for 5 years, since 2006, before anyone detected them!

The Art of Deception

Can we really trust the results of investigations that say XXX was responsible for the breach?

Think about it: if you are going to commit a crime, isn’t making it look like someone else is responsible a great ruse?

So, who really created and released Stuxnet? Who really attacked Estonia? Did North Korea hack Sony?

* Can we really know?

SURVEY

Would you believe me if I said 80% of companies in the US have been or will be breached?

Statement made by the Director of the FBI!

SURVEY

Does anyone believe there is an 80% chance that their company will suffer a breach in the next year?

50% chance?

30%?

SURVEY

Does anyone believe there is a 30% chance another company will be breached?

50% chance?

80%?

SURVEY

When surveyed in my classes, most believe their neighbor will be breached but not their company.

Why?

Optimism

Optimism Bias

The Perfect Storm

IT Security

• Information Technology: “the technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data.” Merriam-Webster

• The emperor has no clothes!

Who is Responsible for Corporate Risk?


The Castle Walls have Fallen!


Who are You Connected To?

You

Cloud Provider

Customer

Manufacturer

ISP

Integrator

Are You Potentially Liable?

What if you are breached?

What if someone you are connected to or provide service to is breached?

Negligence-Liability & the Target Case

In a Dec. 2 ruling, Judge Paul A. Magnuson of the U.S. District Court in St. Paul, Minnesota, refused to dismiss the litigation. He said plaintiffs can proceed with their lawsuit on a theory of negligence.

He further stated: “At this preliminary stage of the litigation, plaintiffs have plausibly (pleaded) a general negligence case.” “Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.”

Negligence-Liability & the Target Case cont.

The ruling essentially holds that Target may have been responsible for the damages the hackers caused even though there may have been no direct contractual relationship between the retailer and the credit card issuers.

Judge Magnuson concluded, “that there can be a direct duty between the issuing banks and the retailer, and that lets them get over this motion to dismiss hurdle.”

Negligence-Liability & the Target Case cont.

So, two significant findings that impact us:

1. Plaintiffs have put forward enough evidence to show negligence might be proven.

2. At this point in the case, a causal connection and duty to protect might be proven between the banks and Target.

Negligence-Liability & the Target Case cont.

You need to be prepared ahead of time.

Make sure you have a proper incident response plan in place, and appropriate lines of authority so there is an immediate response when a red flag appears.

“The more reasonable the steps [businesses] take — and document — to protect consumer data, the more likely they are to survive a conduct-based challenge.” (E.g. a negligence claim)

See: Business Insurance, “Target’s data breach liabilities mount as credit card issuers’ suit proceeds,” http://www.businessinsurance.com/article/20150104/NEWS07/301049970?tags=|299|75|303|335

What Can You Do to Protect Yourself?

What to do before, during and after the breach!

Assess

Draft

Train

Assess

What do you collect, process, and store?

Categorize it

Where does it come in from?

Who has access to it?

Any outside vendors? What’s their security? Cloud provider?

Policies

Do you have written policies?

Two goals:

Outline process and policy to inform the workforce

Provide proof of a plan

Write the Policy


Policies

Train the workforce


Training


Train

Ensure employees are aware of policies

Teach them how to recognize the risks

Teach them how to react

Teach them what to say

Develop Agreements/Ask Questions


Final Note: the Cloud

Who holds your stuff?

What’s their security?

Who do they allow to see your stuff?

What can you do?

Do You Feel Lucky?

If not, get yourself a Plan!!

http://www.youtube.com/watch?v=u0-oinyjsk0

Don’t Be This Guy!!


Self Risk Assessment Form

If you would like to receive my self risk assessment form, please call or email me and I will send it to you. I will also make it available to PSA TEC to post so you can get it there. If you have the time and desire, it will help you make the initial steps to assess the state of your security. You can also use it to ask customers to provide feedback to find out where their state of security is.

Q & A

David Willson

Attorney at Law

CISSP

Titan Info Security Group

719-648-4176

[email protected]

www.titaninfosecuritygroup.com