Date post: 27-Jun-2020

Kroll | Lewis Brisbois Bisgaard & Smith, LLP | March 5, 2015

ATTORNEY DIRECTED INCIDENT RESPONSE

Jim Prendergast, Lewis Brisbois Bisgaard & Smith LLP

Tim Ryan, Kroll Cyber Investigations

Brian Lapidus, Kroll Identity Theft and Breach Notification


TODAY’S SPEAKERS

Brian Lapidus is Managing Director and Practice Leader for the Identity Theft and Breach Notification group at Kroll. Former head of Strategic Development, Brian’s extensive background in the risk consulting industry includes organizational development, business process structure and performance management programs for offices within the federal government as well as private business.

Timothy P. Ryan is Managing Director and head of Kroll’s Cyber Investigations Practice based in New York. Prior to joining Kroll, Tim was a Supervisory Special Agent with the Federal Bureau of Investigation (FBI). He is an expert in cyber-crime and has led complex investigations into corporate espionage, advanced computer intrusions, insider attacks, malware outbreaks, Internet fraud and theft of trade secrets.

Jim Prendergast is a partner in the Lewis Brisbois Philadelphia area office. Jim’s practice is focused on representing clients who have experienced a data compromise and clients with data privacy issues. Jim has represented clients with high profile, national-exposure data compromises. Jim uses the legal skills and talents he developed over the past twenty-plus years as a prosecutor and trial attorney to assist his clients.


WHY THIS MATTERS


WHAT YOU WILL LEARN

1. Important trends requiring attorney directed incident response (IR)

2. How an ‘event’ is different than an ‘incident,’ and the types of incidents we commonly investigate

3. Why attorneys should direct the incident response investigation

4. What we mean by “direct the incident response” versus “run the incident response”

5. The phases of incident response


6. The three ways that companies learn of a breach

7. The attorney’s role during a cyber incident investigation

8. What attorneys should be asking during different types of incidents

9. Key attributes of a good attorney IR leader

10. Points to remember when constructing an attorney directed IR process


IMPORTANT TRENDS REQUIRING ATTORNEY DIRECTED INCIDENT RESPONSE

Plaintiff class action NOT dismissed

FTC enforcement action NOT dismissed

Victim corporation suing the card brand


TRENDS: One Breach, Six Investigations

1. Internal Investigation

2. Shareholders v. Directors and Officers

3. Card Brand v. Company

4. Federal Government v. Company

5. State Government v. Company

6. Law Enforcement v. Attacker


AN EVENT OR AN INCIDENT?

An Event:

Any observable occurrence in a system or network.

An Incident:

NIST defines an incident as “A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

Kroll refines this definition to indicate that the threat involved an account or device that may have had access to PCI, PHI, PII or a specific sensitive asset.

NIST Special Publication 800-61 Computer Security Incident Handling Guide, Rev. 2.


TYPES OF INCIDENTS WE COMMONLY INVESTIGATE

Malware on endpoints, e.g. Dyre, Zeus, ransomware

Phishing attacks to obtain credentials

Lost devices

Sophisticated, persistent intrusions

Insiders stealing sensitive data (IP, PII)

Terminated employees returning to get or destroy data

Extortionate and threatening communications


ATTORNEY DIRECTED INCIDENT RESPONSE – WHY?

Litigation

Target Class Action

Judge denies Target’s motion to dismiss, holding that banks established plausible allegation that failure to detect intrusion caused the financial institutions harm.

Regulatory Action

HHS/OCR: Presbyterian Hospital & Columbia University (2014)

ePHI accessible through internet search engines related to 6,800 individuals.

OCR investigation found: hospital made no effort to assure the server was secure or contained appropriate software protections; no thorough risk analysis or risk management plan; failed to implement appropriate policies or to enforce those it did have in place.

$4.8 million settlement.

FTC: Wyndham Worldwide Corporation (2014)

U.S. District Court for the District of N.J. denied Wyndham’s attempts to dismiss the complaint.

Court found FTC had authority to bring an unfairness claim in data security context.

Court warned “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”


ATTORNEY DIRECTED INCIDENT RESPONSE – WHY?

SINGLE PLAINTIFF:

Identity theft

Privacy

GOVERNMENT ACTION:

Attorney General

FTC (Wyndham)

HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS)

SUBRO/INDEMNITY:

Contractual Issues

BANKS:

Cost of replacing credit cards

Reimbursement of fraudulent charges

Business interruption

CLASS ACTION:

Failure to protect data

Failure to properly notify

Failure to mitigate

Unjust enrichment

Violations of consumer protection

Statutory

Time


“DIRECT THE INCIDENT RESPONSE” VERSUS “RUN THE INCIDENT RESPONSE”

It is the difference between being the air traffic controller versus the pilot.

The air traffic controller has a broader view of what is happening, but the pilot is in the best position to make tactical decisions.

The attorney directs the aircraft; the technical team flies the aircraft.


NETWORK SECURITY / DATA RISK

Data Creates Duties

What data do you collect, and why?

Where is it?

How well is it protected?

Who can access it?

When do you purge it?

How do you purge it?


WHAT ARE THE MAIN RISKS U.S. COMPANIES FACE DURING A DATA BREACH?

Malicious attack:

Hackers in network, malware and viruses, phishing scams, physical theft of hardware and paper

Rogue employees

Employees:

Negligence related to use and storage of data, failure to follow or learn policies and procedures, loss of portable devices, mis-mailing of paper, unencrypted emails to the wrong recipients

Business partners:

Any of the above can occur to a business partner with whom data is shared


THE PHASES OF INCIDENT RESPONSE

Planning

Detection

Escalation

Containment

Reporting and Eradication

Recovery: Technical, Business, Legal

Lessons Learned Under Privilege


UNDERSTANDING THE THREE WAYS THAT COMPANIES LEARN OF A BREACH

The same way you find out if your house is on fire:

You smell smoke

Smoke detector goes off

You see fire trucks at your house when you come home from the store

In terms of cyber incidents:

User and Help Desk

Network defenders and devices

Outside Party: law enforcement, banks


WHAT IS THE ATTORNEY’S ROLE DURING A CYBER INCIDENT INVESTIGATION?

INTERNAL INSURED ISSUES: Internal reporting; Broker involvement; SIR; Management

EXPERTS: Breach coach; Forensics; Public relations

INVESTIGATION (internal/forensic/criminal):

How did it happen

When did it happen

Is it still happening

Who did it happen to

What was accessed/acquired (What wasn’t)

Encrypted/protected

NOTICE OBLIGATIONS: State; Federal; Other (i.e. PCI)

NOTICE METHODS: Written; Electronic; Substitute; Media

DEADLINES: Can be from 48 hours to “without unreasonable delay”

INQUIRIES: State regulators (i.e. AG, PD); Federal regulators (i.e. OCR); Federal agencies (i.e. SEC, FTC); Consumer reporting agencies; Plaintiffs


WHAT ATTORNEYS SHOULD BE ASKING DURING DIFFERENT TYPES OF INCIDENTS

Is the attacker still active inside the network?

What indicators of compromise have the investigative team found?

Is evidence being preserved and examined by qualified personnel?

Is there a real conflict of interest, or the appearance of one, when handling this internally?

Is this being kept on a need-to-know basis?

How are the IR Responders tracking their work?

Has this happened before?

Is the investigation truly complete or is everyone just tired?

Conduct lessons learned


KEY ATTRIBUTES OF A GOOD ATTORNEY-INCIDENT RESPONSE LEADER

Calm

Prioritizes corporate objectives over legalese

Understands their capabilities and limitations

Doesn’t pretend to be a forensic examiner unless they are

Isn’t shy about requiring IRT members to explain their findings until the attorney understands them. This prevents obscurity through complexity.

Knows that protecting the enterprise is tough stuff and doesn’t assume that if the enterprise was breached that someone inside the company must be at fault.

Understands the inherent conflicts of interest that occur during breach investigations


KEY ATTRIBUTES CONTINUED

Understands realistic timeframes for analysis of data.

Helps the IRT understand the legal complexities of situations and why some records are created and others are not.

Meets with the IRT and CISO regularly so they have a strong working relationship prior to an incident.

Understands their reporting requirements and timeframes for the different types of data and jurisdictions.


WHAT CAN BE DONE?

Proactive Risk Manager Steps

Empowered Senior Executive

Talk to your IT Security folks. Gain an appreciation of the many challenges

Not many Firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where does all this data reside; when is it purged?

Assess & test your own staff and operations

Incident response plan

Document your due care measures (training and enforcement)

Insurance

Red Flags, data security and breach response plans – affirmative duties

Service level agreements

Repeat


POINTS TO REMEMBER WHEN CONSTRUCTING AN ATTORNEY DIRECTED IR PROCESS

Communication flow and escalation is essential.

IT will naturally try to fix things for as long as possible.

Having concrete triggers that require escalation is important.

External notification should be routed through legal counsel.


Thank you!

