Cyber Risk & Fraud 2.0 Shawn E. Tuma Scheef & Stone, LLP @shawnetuma

Cybersecurity | Fraud 2.0 Presentation to the Association of Certified Fraud Examiners Annual Fraud Conference


Page 1: Cybersecurity | Fraud 2.0 Presentation to the Association of Certified Fraud Examiners Annual Fraud Conference

Cyber Risk & Fraud 2.0

Shawn E. Tuma, Scheef & Stone, LLP, @shawnetuma

Page 2

Shawn Tuma, Partner, Scheef & Stone, L.L.P.

214.472.2135

[email protected]

@shawnetuma

blog: shawnetuma.com

web: solidcounsel.com

This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.

Texas SuperLawyers 2015

Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)

Chair, Collin County Bar Association Civil Litigation & Appellate Section

College of the State Bar of Texas

Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas

Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

Social Media Committee of the American Bar Association

North Texas Crime Commission, Cybercrime Committee

Infragard (FBI)

International Association of Privacy Professionals

Information Systems Security Association

Contributor, Norse DarkMatters Security Blog

Editor, Business Cyber Risk Law Blog

Page 4

“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller

Page 5

97% of companies tested had been breached in the prior 6 months.

Page 6

The odds: security has to be right 100% of the time; the hacker only has to be right once.

Page 17

www.solidcounsel.com

Data Sources

• Company Data

• Workforce Data

• Customer / Client Data

• Other Parties’ Data

• 3rd Party Business Associates’ Data

• Outsiders’ Data

Page 18


Threat Vectors

• Network

• Website

• Email

• BYOD

• USB

• GSM

• Internet Surfing

• Business Associates

• People

Page 19


Outsider & Insider Threats

• Malicious: compete, newco, sabotage, disloyal insider

• Negligence: email, USB, passwords

• Blended: foot out the door, misuse of network, stealing data, negligence with data, violating use policies

• Hacking / Cracking

• Social Engineering

• Malware

• Stealing, Planting, Corrupting

Page 20


Data, devices: misuse?

Page 21

• Stewardship

• Public Relations

• Legal

Page 22

Responding: Execute Breach Response Plan

• contact attorney (privilege)

• assemble your Response Team

• notify Card Processor

• contact forensics

• contact notification vendor

• investigate breach

• remediate responsible vulnerabilities

• reporting & notification

Page 23

What does “reporting & notification” mean?

• Law Enforcement

• State Attorneys General

  • pre-notice = VT (14 days), MD, NJ St. Police

• Federal Agencies

  • FTC, SEC, HHS, etc.

• Consumers

  • Fla, Ohio, Vermont = 45 days

• Industry Groups

  • PCI, FINRA, FFIEC

• Credit Bureaus

• Professional Vendors & Suppliers

Page 24


Sensitive personal information, as charted on the slide:

• first name or first initial + last name + SSN, DLN or Govt ID = data breach

• first name or first initial + last name + Acct or Card # + Access or Security Code = data breach

• Info that IDs an individual + health-care, provided, or pay data = data breach

Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053

Civil penalty: $100.00 per individual per day of notification delay, not to exceed $250,000 for a single breach (§ 521.151).
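The slide's chart of data-element combinations is, in practice, a rule a breach-triage tool can apply to a data inventory before anyone decides whether the notification duty is in play. The following Python is an added example and is not part of the presentation or of Mr. Tuma's materials: it encodes the slide's three combinations as a check over a constructed inventory of tables and columns, and the slide's penalty figures with the $250,000 cap. The column names (`first_initial`, `ssn`, `card_number`, and so on), the sample inventory, and the `assess_inventory` helper are assumptions made for the example; it tracks the slide's summary of Tx. Bus. Comm. Code § 521.053 and § 521.151, not the statute text.

```python
"""Breach-notification triage helper (added example, not the deck's own code).

Encodes the slide's summary of the Texas sensitive-personal-information
combinations (Tx. Bus. Comm. Code § 521.053) and the civil-penalty figures
stated on the slide (§ 521.151). Column names and the sample inventory below
are constructed for illustration.
"""
from __future__ import annotations

# Data elements as abbreviated on the slide (assumed column names).
NAME_ELEMENTS = {"first_name", "first_initial"}
ID_NUMBERS = {"ssn", "dln", "govt_id"}
FINANCIAL_NUMBERS = {"account_number", "card_number"}
FINANCIAL_SECRETS = {"access_code", "security_code"}
HEALTH_ELEMENTS = {"health_care", "care_provided", "pay_data"}


def triggers_notification(exposed: set[str]) -> list[str]:
    """Return the slide's combinations satisfied by a set of exposed columns.

    Patterns charted on the slide:
      1. (first name or first initial) + last name + (SSN, DLN or Govt ID)
      2. (first name or first initial) + last name + (acct or card #)
         + (access or security code)
      3. information that identifies an individual + health-care / provided / pay data
    An empty list means none of the slide's patterns is matched, e.g. a card
    number exposed without its access or security code, or an SSN exposed
    without a last name.
    """
    matched: list[str] = []
    has_name = bool(exposed & NAME_ELEMENTS) and "last_name" in exposed
    if has_name and exposed & ID_NUMBERS:
        matched.append("name + government identifier")
    if has_name and exposed & FINANCIAL_NUMBERS and exposed & FINANCIAL_SECRETS:
        matched.append("name + account/card number + access code")
    if "identifies_individual" in exposed and exposed & HEALTH_ELEMENTS:
        matched.append("identifying info + health data")
    return matched


def assess_inventory(inventory: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map each table whose columns match a slide pattern to the patterns matched.

    Tables that match nothing are omitted, so the result is the list of data
    stores whose compromise would, per the slide, trigger the notification duty.
    """
    result: dict[str, list[str]] = {}
    for table, columns in inventory.items():
        hits = triggers_notification(columns)
        if hits:
            result[table] = hits
    return result


def notification_penalty(individuals: int, days_late: int) -> int:
    """Penalty as stated on the slide: $100 per individual per day of delay,
    not to exceed $250,000 for a single breach."""
    return min(100 * individuals * days_late, 250_000)


# Constructed sample inventory: table name -> columns it stores.
SAMPLE_INVENTORY: dict[str, set[str]] = {
    "hr_payroll": {"first_name", "last_name", "ssn", "account_number"},
    "web_orders": {"first_name", "last_name", "card_number", "security_code"},
    "newsletter": {"first_name", "email"},
    "clinic_visits": {"identifies_individual", "care_provided"},
}

if __name__ == "__main__":
    for table, hits in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{table}: {', '.join(hits)}")
    print("penalty, 1,000 individuals, 10 days late:",
          notification_penalty(1_000, 10))
```

Running the block lists `hr_payroll`, `web_orders` and `clinic_visits` as notification-relevant while `newsletter` (first name and e-mail only) is not, and shows the cap taking effect: 1,000 individuals at 10 days late would be $1,000,000 uncapped but is limited to $250,000.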

Page 25

Cost of a Data Breach

2013 cost (pre-Target): $188.00 per record; $5.4 million = total average cost paid by organizations

2014 cost: $201 per record; $5.9 million = total average cost paid by organizations

“The primary reason for the increase is the loss of customers following the data breach due to the additional expenses required to preserve the organization’s brand and reputation.” –Ponemon Institute 2014 Cost of Data Breach Study

Page 27

2014: 90% Preventable

Page 28

Blocking & Tackling: Case Stories

• Theft

• Lost

• Passwords

• Phishing

• Websites

• Basic IT

Page 29

Blocking & Tackling

You will be breached, but will you be liable?

“Must Haves” if you have a computer, data, or Internet

Page 30

Blocking & Tackling

Approved & Documented:

• Basic IT Security

• Basic Physical Security

• Policies & Procedures Focused on Data Security

  • Company

  • Workforce (Rajaee v. Design Tech Homes, Ltd.)

  • Network

  • Business Associates (Travelers Casualty v. Ignition Studio, Inc.)

• Implementation & Training

• Regular Reassessment & Update

Page 31


Security Culture

Risk Compliance Program cycle:

• Assess, Audit, Gap Analysis

• Develop Strategic Plan

• Implement & Execute Plan

• Manage Response & Conflict

• Reassess & Update

Protecting businesses’ information; protecting businesses from their information.


Page 39


• Login Credentials

• “You don’t drown from falling into the water”

• 25k v. 40m (T) / 56m (HD)

Page 40


Protecting businesses from information

Contracts

• 3rd party liability

• Healthcare (BA)

• Software license audit

• Permissible access & use in policies, BYOD

• EULA / TOS

Marketing

• FTC Act § 5

• SPAM laws

• NLRB rules

• CDA § 230

• Website audits

• IP issues

• Acct ownership

Privacy

• Privacy policies

• Privacy & data practices

• Destruction policies

• Monitoring workforce

• Business intelligence

Industry Regulation

• PCI (Payment Card Industry)

• FFIEC (Federal Financial Institution Examination Council)

• FINRA (Financial Industry Regulatory Authority)

• SIFMA (Securities Industry and Financial Markets Association)

Page 41


Protecting, misusing, responding: data, devices.