Post on 24-Jul-2020
transcript
Human Resources and Cyber Risk: The New Frontier of Cybersecurity Regulations
APRIL 5, 2017
The New Frontier of Cybersecurity Regulations
“No computer is safe.”
Criminal Conviction Analysis
Why hack, when you can ask for the data?
“IRS Warns of New Phishing Scheme Involving W-2s”
Source: AccountingToday, March 1, 2016
“The Internal Revenue Service issued an alert Tuesday to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to come from company executives and requests personal information on employees.”
Why hack, when you can ask for the data?
“Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups, and Others”
Source: IRS Alert issued on February 2, 2017
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”
Why hack, when a link is available on-line?
“Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal”
Source: KrebsonSecurity, May 3, 2016
• Problem arose when the company inadvertently published a link to the ADP portal together with the company code for access online
• ADP considered a KBA (“Knowledge Based Answer”) question
− But those can be easily “hacked” via open source information.
Ransomware
“Los Angeles Hospital Pays Hackers $17,000 After Attack”
Source: New York Times, Feb. 18, 2016
“It sounds like the plot of a Hollywood thriller, but the all-too-real scenario played out this month at a large Los Angeles hospital: Hackers seized control of critical computer systems and the hospital paid a $17,000 ransom to release them.”
You may not be the (only) target.
“Nearly 70% of the attacks where a motive for the attack is known include a secondary victim. The majority of these were not from espionage campaigns (thankfully), but from opportunistically compromised servers used to participate in denial-of-service (DoS) attacks [see recent IOT attack], host malware, or be repurposed for a phishing site.”
Source: Verizon 2015 Data Breach Investigations Report (emphasis added)
• Think about your workplace 20 years ago
− Desktop computers, dial-up internet
• 10 years ago
− Smartphones
− High speed internet
• 5 years ago
− Electronic records
− Cloud computing
− Social media
• 1 year ago
− Software as a service platforms (SaaS)
− Periscope, Snapchat
Technology evolves faster than the law
• Employee, customer and company information is almost certainly stored electronically
• How do you protect that information?
− What are the legal requirements? What are you doing now?
• What if/when a breach occurs?
− Reporting obligations to employees? Government? Public?
− Liability?
• What should you be doing now?
Overview of Presentation
• Role of HR in relation to a breach
• Review of relevant:
− Requirements related to data security and breaches
− Requirements related to employee data
• What your company should be doing now
− How does this affect you as an HR professional?
• If a breach occurs, what do you do?
Role of HR in a Breach
• Heightened level of attacks – what does this mean for HR?
− Employee information is at risk, and HR is often the target
• “Securing the Human” is key
− A network is only as secure as its human users make it
− It is often easier to break through human defenses than to break through technical defenses
Common Breach Scenarios
• FBI or Secret Service comes to your door
• You are alerted by a financial institution or business partner that you are the suspected victim of a breach
• Ransomware demand
• Something’s wrong with the company website
• Positive result in security assessment or IOC search
• Employees or customers come to you to alert you that something may have happened to their data
• Spear-phishing attempt/success – Business E-mail Compromise
Questions to Consider
• Do you have the right personnel? Response team identified?
• How are you protecting/transmitting sensitive information?
• How are you training employees? Ensuring that employees comply with policies and protocols?
• Are your policies and procedures up to date?
• How will you notify employees (and others) of a data breach?
State Data Breach Notification Statutes
• Patchwork state statutes
− 47 States (and counting)
• Data breach notification rules with “backdoor” security “requirements”
− See encryption safe harbors
• Some states purport to reach beyond their boundaries
− E.g., Florida, Illinois, Maryland, Massachusetts, and Virginia
• Consider where your employees live, and where they retire
• Some include substantive requirements
− E.g., Massachusetts requires encryption
• Types of protected data can differ
− Biometric data (e.g., CT, NC, OR, and WI)
− E-mail address and passwords (e.g., CA and RI)
• Differing notification deadlines
− Many statutes require that disclosure be made as expediently as possible and without unreasonable delay
− But some states impose specific notification deadlines (e.g., Connecticut requires disclosure no later than 90 days after the breach is discovered)
• Differing substantive notice requirements
− E.g., the date of the breach, a description of the personal information accessed, and contact information for inquiries about the breach (e.g., Florida)
• For example, you can’t use a NY form response to notify for an MA breach.
• Conflicting requirements
− MA: Cannot describe nature of breach
− NY: “Description of the breach” required
• Penalties can vary
− NY: $5,000 to $10,000 per record, up to $150,000 per breach
− ME: not more than $500 per violation, limited to $2,500 for each day the person is in violation of the data breach notification statute
− MA: up to $5,000 for each violation
− OR: up to $1,000 per violation, but not more than $500,000 total
• What’s required? Generally, only notice to:
− Affected individuals
− This includes employees, retired employees
− But some states also require notice to the Attorney General (e.g., Connecticut, Maryland, Massachusetts, Montana, and New York) and others
− Media (in case of substitute notice)
• Call center
− Probably mandatory for large breaches, as many states require a single telephone number for customer questions
• Some states require credit monitoring
Health Insurance Portability and Accountability Act (HIPAA)
• Covered Entities only and only in relation to ePHI
• Four factors to determine whether an incident is not a HIPAA breach:
− The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
− The unauthorized person who used the protected health information or to whom the disclosure was made;
− Whether the protected health information was actually acquired or viewed; and
− The extent to which the risk to the protected health information has been mitigated.
HIPAA – Covers Business Associates Directly
• A person who, on behalf of the covered entity, “creates, receives, maintains or transmits” PHI while performing a function or activity.
• Omnibus Rule extends Privacy and Security Rules to BAs directly
• Independent obligation for BA to be in compliance
• Phase 2 audits now covering BAs
HIPAA – Breach Notification
• Rule: if there is a breach of unsecured PHI, then the notification rule applies
• Notification:
− Notify all persons whose PHI was breached (written notice by first class mail)
− < 500 involved: maintain a log and notify HHS annually, within 60 days after the end of the calendar year in which the breach was discovered
− > 500 involved: must notify the media within 60 days after discovery of the breach and must notify HHS within 60 days after discovery of the breach
HIPAA – Ransomware
• Ransomware can now be a reportable breach under HIPAA
− Maybe it always was
• HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware
• If a security scan detects ransomware, this is now clearly a “security incident” under the Security Rule
• Whether or not the ransomware is a breach depends on the outcome of the four factor analysis
Federal Trade Commission (“FTC”)
• There are no “regulations” governing the FTC’s actions, only the FTC Act
− “[U]nfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1)
− “The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2).
FTC – What Does the FTC Expect You to Do?
• Whatever is reasonable
− FTC v. Wyndham Worldwide Corp., et al. (DNJ - 2:13-cv-01887-ES-JAD): “[T]he contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations’.”
• “[FTC standards] can be found in speeches, business education, Congressional testimony, articles, blog entries, these concepts have been laid out pretty clearly in Commission materials, as well as other FTC settlements in the data security area.”
− In re LabMD, Deposition of Daniel Kaufman, FTC.
FTC – What’s Next?
• All indications should point to more FTC enforcement actions, but the effect of the new administration is unclear
• The balance will be between loosening regulations and being tough on cybersecurity
• But the FTC has no cyber regulations, so the FTC could increase enforcement efforts without adding new regulations
• Headlines/politics will likely drive enforcement
• Fines can drive enforcement can drive fines can drive enforcement . . . .
Non-governmental Standards?
• PCI-DSS = Contractual Standard Set by Card Brands
− 12.10.1a requires that a breach response plan allow for legal analysis of customer notification requirements
• Specific notification requirements in agreements with card brands, acquirers, processors
− Usually “immediately” with some outside timeframe
• “Self”-regulation
− Leads to contractual claims for indemnification (assessments)
• Beware, many processor contracts pass assessments down to the merchant, although the merchant is not required to be PCI-DSS compliant
NYS DFS – 23 N.Y.C.R.R Part 500
• Published 9/13/16
− 45-day notice and comment period – ended 11/14/16
• Revised 12/28/16
− New comment period ended 1/27/17
• In effect as of 3/1/17
− Stay tuned for more possible changes
• “First-in-the-nation” regulations, covering thousands of entities directly, and — potentially — tens of thousands indirectly
• Covered employee data
• Information System
− Can include the cloud
− Industrial/process controls
− Telephone switching/PBX
− HVAC
− Should include lighting/power management
• Data agnostic
− Your Information System does not have to contain protected data to be covered under the new regulations
• Nonpublic Information
− 3 categories
− Material adverse impact
− PII as defined under N.Y. Gen. Bus. Law § 899-aa, plus biometric records
− Healthcare information
• Regardless of type of Covered Entity, to whom the info applies, or why the Covered Entity has it
− Puts the same burden on a bank in relation to healthcare information as it does on a health plan
NYS DFS – 23 N.Y.C.R.R Part 500 – Notice of Material Cybersecurity Event
• 72 hours
• Standard:
− Whenever any other notice required or
− Reasonable likelihood
− Of materially harming
− Any material part
− Of normal operations
• Includes unsuccessful attacks – data agnostic
• How do you scrub through all Cybersecurity Events, which could include every firewall deny, to determine whether they qualify?
• No reporting portal yet in place
NYS DFS – 23 N.Y.C.R.R Part 500 – Vendors
• Minimum cybersecurity practices to be met
− What is the minimum going to be?
• Due diligence in vetting/contractual provisions
• Periodic assessment of third parties and Third Party Information Security Policy
− This will undoubtedly have the broadest effect under the regulations
− Each Covered Entity can have dozens of Third Party Service Providers
• 2 year lead time
The New Frontier of Cybersecurity Regulations
What About the Unwritten Rules?
• NY AG has stated publicly that two-factor authentication is a “no-brainer”
• ID Theft Protection and Credit Monitoring – not always required, but a good idea
Confidentiality
• Regulatory trend toward public disclosure
• See Massachusetts Public Records Law (M.G.L. c.66) (making the state’s Data Breach Notification Archive available to the public online)
− http://www.mass.gov/ocabr/data-privacy-and-security/data/data-breach-notification-reports.html
− Lists whether data was encrypted or not: roadmap for hackers?
What You Should Be Doing Now
• HR is key to help with internal communications and organization in relation to cybersecurity issues
− Simply another employee compliance issue that HR has an important role in managing
• The most important step to prepare for a breach is planning
• This can include: training/education, time, coaching, discipline
• Requires the right policies and procedures
− E.g., a data breach response plan that inadvertently gives an outside forensic investigator access to ePHI without a BAA in place creates a separate HIPAA breach.
• Should HR be on the breach response team?
− It depends on your organization
− If employee data is the prime target, then likely yes
− If HR is necessary to proper execution of the plan, then absolutely yes
• Disaster recovery/business continuity analogy
− If HR is part of the DR/BC team, it should likely be part of the data breach response team
• Why is this a legal concern?
− Because failure to constitute an effective breach response team leads to legal risks arising from inadequate/inefficient/improper breach response
• Drill the plan.
− DR/BC analogy continued
− A breach response plan is only as good as it is in practice
• Your organization may be required to drill the plan
− PCI-DSS Requirement 12.10.2: “Test the plan at least annually”
• One plan does not fit all. “Fit” will come into focus in the drill
• The plan will change over time. Drills will help expose weaknesses
Best Practices in Relation to a Breach
• Don’t ignore it.
− Treat every incident as a potential breach until it is proven otherwise.
• N.Y. Gen. Bus. Law § 899-aa
− “Breach of the security of the system” shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
• Difficulty in proving the negative. Does unauthorized access = unauthorized “acquisition?”
• Follow your plan
− Document preservation policy analogy
• The only thing worse than not having a plan is having a plan and not following it
• Ensure proper communication
− The water cooler can be a dangerous place
− Beware of the “b” word
• Employees should know what they should keep confidential
• False reporting of a breach can be as harmful to the organization as an actual breach
• Protect confidential/privileged communications
• Manage the “fog of war” surrounding a breach
• Work with your professionals.
− Legal
− Forensic vendors
− Breach notification vendors
− Crisis communication/PR
• Learn from the breach.
• Someone in the organization should be tasked with a post-breach response post mortem, to review what worked, what didn’t, and what can be improved.
Other HR Breach Issues
• Working with law enforcement
• Bringing charges against an insider
• Paying the ransom
• Discipline/termination
• Dealing with upper management
− Old dogs, new security tricks
• Incentivizing/fostering a culture of security
− Check-the-box compliance is not enough
• Post breach turnover
F. Paul Greene
585.231.1435
fgreene@hselaw.com
hselaw.com