Date post: 09-Oct-2020
Be Careful What You Wish For: Lessons Learned on Security Breach Response Presented by: Paul H. Luehr , Rohan Massey, & Vivienne Artz
Transcript
Page 1: Be Careful What You Wish For · Data Breach – Types Hacking Phishing/spear phishing Brute force attack SQL injection Advanced Persistent Threat (APT) Data theft or loss Media stolen

Be Careful What You Wish For: Lessons Learned on Security Breach Response

Presented by:

Paul H. Luehr , Rohan Massey, & Vivienne Artz

Page 2:

Agenda

Experiences in other jurisdictions (US)

An overview of current EU legal positions on

data security breach response

The approach to personal data breaches

under the proposed Data Protection

Regulation

© Stroz Friedberg, LLC 2012

Page 3:

Experiences in other jurisdictions (US)

Paul Luehr

Stroz Friedberg

Page 4:

U.S. Data Breach Trends

2011 Average Loss to Organization = $5.5 million

• Down from $7.2 million in 2010

• Not including breaches in excess of 100,000 records

• Low of $566K, High of $20.9 million

2011 Average Loss per Victim = $194

• Cost per Malicious Attack = $222

• Cost per Negligent Employee = $174

2011 Malicious Attacks, up over 3x

• Up from 12% to 24% to 31% to 37% (2008-2011)

Source: Ponemon Institute/Symantec, 2012 U.S. Cost of a Data Breach Study (49 organizations across 14 sectors)

Page 5:

Data Breach – Types

Type: Examples

Hacking: phishing/spear phishing; brute force attack; SQL injection; Advanced Persistent Threat (APT)

Data theft or loss: media stolen (e.g. laptops, thumb drives, tapes); data stolen (e.g. by current or former employee); data lost (e.g. in taxi or during data migration)

Data leakage: exposure to public (e.g. via web site); exposure to unauthorized person (e.g. wrong employee); sensitive data sent via unencrypted channel

Page 6:

New Security Risk – ID Theft for Tax Fraud

Chicago – 765 tax returns, over $900,000 in fraudulent refunds

Lansing – 2,137 tax returns, over $3.3 million in refunds

Florida:

Tampa – 88,724 tax returns, over $468 million in refunds

Miami – 74,496 tax returns, over $280 million in refunds

Page 7:

US – Challenges

A Patchwork of Laws and Stakeholders

Federal

Federal Trade Commission

Health & Human Services

Others – State Dept., Defense Dept., Bank Regulators

State

Attorneys General, Consumer Affairs, Police, Cyber-security

Insurance Regulators and Health Commissioners

Industry

Card Brands and Merchant Banks (PCI DSS)

Credit Reporting Agencies, Business Partners, Investors


Page 8:

US – Healthcare Example

Page 9:

US – Healthcare Example: State Law

Minnesota Attorney General

Accretive Health Inc. settles suit (7/30/12)

• $2.5 million

• 2 year ban; 4 more years subject to AG approval

Original Allegations (filed 1/19/12)

• HIPAA Violations – for failure to secure patient data

• MN Health Records Act – unauthorized “release” of data

• Debt Collection – for improper disclosures/registrations

• MN Deceptive Practices – failure to disclose role, data access

Page 10:

US – Healthcare Example: State Law

Other Officials

California Department of Health

• $250,000 fine issued against Stanford Hospital in Sept. 2010

• Failure to report 532 victims within 5 days (13 days late)

Connecticut Insurance Dept.

• Bulletin issued Aug. 18, 2010

• Requires state notification of breach within 5 days

Page 11:

US – Challenges: Breach Definitions

Did an unauthorized party:

Access

Acquire

Misuse

Disclose PII/PHI

Does investigation show:

Material compromise

Actual loss or injury to consumer

Material risk of ID theft or fraud

Significant risk of financial, reputational, other harm

Page 12:

US – Challenges

Reporting Requirements

Form

Details – Most states, “Yes”; Massachusetts, “No!”

Delivery – Mail, telephone, alternatives

Order – Government, business partner, or victims first?

Timing

“Most expedient time possible”

60 days – HITECH Act, HHS or FTC

45 days – Florida, Ohio, Vermont, Wisconsin

10 days – Puerto Rico

5 days – CT and CA Commissioners

Page 13:

US – Challenges

Paradox

More careful analysis takes time

More careful analysis increases certainty:

Can locate lost/stolen data

Can account for malware changes, attacking IPs

Can run scans across entire network

Can better account for PII and PHI sources

More careful analysis reduces cost

2010 Ponemon Findings: Quick Responder* Cost = $268 per record; Later Responder Cost = $174 per record

*notification within 30 days

Page 14:

Breach Investigation - Timing (overlapping phases; the original chart's axis ran from day 1 to day 20)

Preservation (2-5 days)

Forensic Analysis (10-14 days)

Malware Analysis (4-7 days)

Scanning (10-14 days)

Rebuild Drives

Report (5-10 days)

Page 15:

RESOURCES

State Data Breach Laws – www.ncsl.org

FTC Privacy Actions – www.ftc.gov/privacy

HHS Health Information Privacy – www.hhs.gov/ocr/privacy

NIST Computer Security Resource Ctr – csrc.nist.gov

Privacy Rights – www.privacyrights.org

Open Security Foundation, Data Loss DB – datalossdb.org


Page 16:

An overview of current EU legal positions

on data security breach response

Rohan Massey,

McDermott Will & Emery UK LLP


Page 17:

Security breach Now!

What? Why? Where?

What is a data security breach?

Accidental (loss of laptop, system failure). Unlawful destruction. Loss. Alteration. Unauthorised disclosure. Unauthorised access. NB: it does not have to be malicious.

What is notification?

Reporting the breach to the individual and/or the relevant authority.

Why notify?

Individual’s safety. Better understanding of compliance. Mandatory in some cases.

Which law governs the notification?

Usually local law will apply. Not all laws are the same.

Page 18:

The Problems of the US Patchwork ….

The US has 47 separate notification regimes (46 states + DC).

Different:

Information requirements – How must authority and individuals be informed?

Timelines – When must notification take place?

• “within 24 hours of discovery” vs. “as soon as practical”.

Data sets – What information is expected?

Increase in internal costs and legal spend

Does the system really achieve its aims?

Page 19:

EU Data Breach Legislation

Directive 95/46/EC on data protection

— Applies to processing in the context of the activities of an establishment of the controller on EU territory and/or processing using automated means in the EU.

— Obligation to take appropriate technical and organisational protection measures, but no specific consequences if protection measures are not met or if protection measures are insufficient.

— No obligation to notify data breaches.

Directive 2002/58/EC on the protection of privacy in the electronic communications sector (as amended by Directive 2009/136/EC)

— Applies to processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the EU (e.g. internet service providers (ISPs)).

— Mandatory data breach notification for electronic communications operators and ISPs (introduced by the 2009 amendment).

Page 20:

Local data breach security measures

There is currently no general data breach notification requirement across the EU.

Some Member States have chosen to:

—pass laws requiring mandatory data breach reporting.

—implement guidance issued by DPAs for voluntary data breach reporting.

—pass laws setting out a mandatory procedure for the management of data breaches, but that do not require any form of external notification (e.g. Spain’s Royal Decree 1720/2007).

—take no additional steps in relation to data breaches or reporting.

Page 21:

Mandatory breach notification

Norway

— First country in Europe to introduce mandatory breach notification (Norway is an EEA member rather than an EU Member State, and applies the Directive through the EEA Agreement).

— 2005 - organisations required to notify the DPA (and individuals if instructed to do so by the DPA) when an unauthorised disclosure of data requiring confidential treatment is made.

Germany

— 2009 - organisations required to notify DPAs and individuals without undue delay when personal data breaches may lead to “serious impediments for privacy and other individual interests”.

— Where a large number of individuals are affected, announcements in 2 national newspapers can replace individual notices.

— US Style.

Austria

— 2010 - organisations required to notify individuals (not DPAs) without undue delay of “serious misuse” of data that may cause harm to the data subject.

— No notification if harm is minor, breach incidental or cost of informing disproportionate.

Page 22:

Voluntary breach notification

Denmark

– Danish Data Protection Agency decisions set out best practice.

– Individuals should be made aware of breaches involving sensitive data.

Ireland

– Data Protection Commissioner (DPC):

• voluntary breach notification guidance

• personal data security breach code of conduct

– DPC should be informed of any breaches involving sensitive or financial personal data. DPC decides whether and how individuals should be notified.

UK

– Information Commissioner’s Office (ICO):

• Guidance on data security breach management

• Guidance on notification of data security breaches to the ICO

– ‘Serious breaches’ of data security should be brought to the attention of the ICO.

Page 23:

Guidance for notifying the UK ICO

When assessing what constitutes a ‘serious breach’ consider:

— Potential detriment to individuals (this is the overriding consideration when deciding whether or not a breach should be reported);

— Volume of data affected (presumption to report when a large volume of personal data is concerned); and

— Sensitivity of data (presumption to report when smaller amounts of sensitive data are involved).

Serious breaches should be notified by completing and submitting a security breach notification form by email or post, including details of the facts, effects and remedial action. Inclusion of additional information (e.g. an incident report) is encouraged.

The ICO will contact the data controller within seven calendar days of receipt of a breach notification form to provide a case reference number and an explanation of what to expect during the investigation of the incident.

Since April 2010 the ICO has had the power to impose monetary penalties of up to £500,000 and has recently issued a number of significant fines to local authorities in response to a wave of security breaches. Fines can be increased for failure to notify the ICO.

Page 24:

Problems with the current regime in Europe

No harmonisation

—A patchwork like the US.

—Some jurisdictions have mandatory notification requirements.

—Some go further than required by Directives.

—Some have nothing.

Requirement for local advice and assessment

—Expensive.

—Delays.

—Requirement to work with numerous DPAs.

Page 25:

Breach notification in the EU - where now ?

How can notification be simplified?

—What are the real drivers for business, individuals and the DPAs?

—What information is critical for notification?

—How quickly does this information need to be shared?

—What should the implications of failure to notify be?

Would a one-stop-shop be better? Could it work?

Does the proposed Regulation hold the key?

Page 26:

The approach to personal data breaches

under the proposed Data Protection

Regulation

Vivienne Artz,

Citi


Page 27:

OVERVIEW

•What is the position under the new Regulation?

•What does this mean in practice?

Page 28:

Article 31 – Notification of a personal data breach to the supervisory authority

Article 31(1)

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.”

Page 29:

What constitutes a “personal data breach”?

Personal data breach: “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”

Page 30:

Proportionality etc

• Encryption

• Context

• Risk

• Type of data, i.e. sensitive

• Volume of data

• Likelihood of theft, fraud, misuse etc

• Restrict to serious breaches only?

• Does the supervisory authority have capacity to deal with breach notifications?

Page 31:

Article 31 – Notification of a personal data breach to the supervisory authority (cont)

Article 31(3)

The notification referred to in paragraph 1 must at least:

• describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;

• communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

• recommend measures to mitigate the possible adverse effects of the personal data breach;

• describe the consequences of the personal data breach;

• describe the measures proposed or taken by the controller to address the personal data breach.

Page 32:

Article 32 – Communication of a personal data breach to the data subject

Article 32(1)

When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

Page 33:

Effects of Data Subject Breach Notification

•Notification fatigue/ desensitised

•Panic/ loss of trust particularly re digital economy

•Is there anything the data subject practically can do?

•Cost (£79 per record in UK and $204 per record in US – Ponemon)

•What is the purpose and is this a benefit to the data subject?

Page 34:

Article 29 Working Party WP199

Opinion 09/2012 providing further input on the data protection reform discussions, adopted 5 October 2012

Article 31 Calls for further clarification on the legally binding text around what is a personal data breach rather than relying on a delegated act.

Article 32 Calls for clarity in the text of the Regulation around what conditions require a communication to a data subject, rather than relying on a delegated act.

Page 35:

What does a personal data breach look like?

• Encrypted tapes stolen from courier en route from data centre to back-up site

• Staff e-mailing client information to personal home account, such as gmail or hotmail, to work on at home from family computer

• Encrypted laptop lost/stolen at airport

• Documents/disk stolen from hotel room

• Systems error causes statements to be posted to incorrect customers

Page 36:

Mitigating Factors

What if data is .....

•Recovered?

•Destroyed?

•No evidence or likelihood of misuse?

Page 37:

Why do personal data breaches happen?

•Poor systems, training, policies, oversight

•Human error and negligence

•Fraud or security attacks

•Disgruntled staff

Page 38:

Conclusion

• The personal data breach notification provision has attracted a lot of comment for being:

unclear

timescales too tight

disproportionate

too wide

• Benefit to data subjects is questionable

• Scope for improvement to avoid challenges such as notification fatigue, notifications without reference to risk, inability to comply with Article 31 in practice

Page 39:

Questions?


Page 40:

PREPARE for Disaster

Develop a Response Plan

Organize your Network Data

Build Your Team

Page 41:

PREPARE: Develop a Plan

Management endorsement

Contact Lists

Legal Analysis and Timeline

Categories of adverse events

“First steps” checklist

Facilities and equipment lists

Outreach plan

Page 42:

PREPARE: Organize your Data

Map your critical assets

Record backup schedules and inventories

Update user lists

Centralize logging functions

Synchronize network times
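The last two items on this slide, centralised logging and synchronised clocks, are what make the investigation phases on the earlier timing slide (preservation, forensic analysis, scanning for the attacking IP) tractable. The script below is an added example, not from the deck or from Stroz Friedberg: it takes three constructed log sources in three formats (a syslog firewall with no year and no zone marker, an Apache access log with an explicit offset, and a database query log in ISO form), normalises every stamp to UTC, merges them into one timeline, and pivots on a constructed attacker address to recover the intrusion window, the hosts whose disks must be preserved before anyone rebuilds them, and the hop from the web tier into the patient table. The hosts fw-edge, web-01 and db-01, the addresses 203.0.113.45, 198.51.100.7 and 10.0.1.20, and every log line are hypothetical; the firewall's timezone is an assumption of the kind that has to come from the asset inventory.

```python
"""Cross-source timeline for breach scoping (added example; constructed data).

Three log formats and two clock conventions are normalised to UTC, merged,
and pivoted on an attacker IP so that the intrusion window, the hosts to
preserve and the pivot into the database can be read off one ordered list.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Iterator, List, NamedTuple


class Event(NamedTuple):
    ts: datetime   # timezone-aware, always UTC after parsing
    source: str
    host: str
    src_ip: str
    detail: str


# --- constructed sample logs (hypothetical hosts and addresses) -------------
# fw-edge writes classic syslog: no year, no zone marker. Per the (assumed)
# asset inventory it runs on US Central daylight time, i.e. UTC-5.
FIREWALL_LOG = """\
Jul 30 09:58:41 fw-edge kernel: ACCEPT IN=eth0 SRC=203.0.113.45 DST=10.0.1.20 DPT=443
Jul 30 10:03:02 fw-edge kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.0.1.20 DPT=443
Jul 30 10:11:27 fw-edge kernel: ACCEPT IN=eth0 SRC=203.0.113.45 DST=10.0.1.20 DPT=443
"""
# web-01 writes Apache common log format with an explicit UTC offset.
WEB_LOG = """\
203.0.113.45 - - [30/Jul/2012:14:58:43 +0000] "GET /login HTTP/1.1" 200 1843
203.0.113.45 - - [30/Jul/2012:15:11:29 +0000] "GET /export?table=patients HTTP/1.1" 200 5120044
"""
# db-01 writes ISO stamps with no zone; it is NTP-synced and runs on UTC.
DB_LOG = """\
2012-07-30T15:11:30 db-01 query: SELECT ssn, dob FROM patients (user=webapp host=10.0.1.20)
"""

CENTRAL_DAYLIGHT = timezone(timedelta(hours=-5))
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) .*?SRC=(\S+) DST=(\S+) DPT=(\d+)")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
DB_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_firewall(text: str, year: int = 2012, tz: timezone = CENTRAL_DAYLIGHT) -> Iterator[Event]:
    """Syslog carries neither year nor zone: both must come from the host inventory."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, src, dst, dpt = m.groups()
        local = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        yield Event(local.astimezone(timezone.utc), "firewall", host, src, f"ACCEPT to {dst}:{dpt}")


def parse_apache(text: str, host: str = "web-01") -> Iterator[Event]:
    """Apache stamps carry their own offset, so %z does the conversion."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, stamp, request, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        yield Event(ts.astimezone(timezone.utc), "web", host, ip, f"{request} -> {status}")


def parse_db(text: str, tz: timezone = timezone.utc) -> Iterator[Event]:
    """ISO stamps without a zone; the client address is taken from the query log."""
    for line in text.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        stamp, host, rest = m.groups()
        ts = datetime.fromisoformat(stamp).replace(tzinfo=tz)
        client = re.search(r"host=(\S+?)\)", rest)
        yield Event(ts, "db", host, client.group(1) if client else "", rest)


def build_timeline(*sources: Iterable[Event]) -> List[Event]:
    """Merge all sources into one UTC-ordered list: the centralised view."""
    return sorted((e for src in sources for e in src), key=lambda e: e.ts)


def intrusion_window(timeline, attacker_ip, internal_hosts=("10.0.1.20",), slack=timedelta(minutes=5)):
    """Events tied to attacker_ip directly, plus events originating from internal
    hosts it reached inside that window (the pivot), with first/last UTC times."""
    direct = [e for e in timeline if e.src_ip == attacker_ip]
    if not direct:
        return [], None, None
    first, last = direct[0].ts, direct[-1].ts
    pivoted = [e for e in timeline
               if e.src_ip in internal_hosts and first <= e.ts <= last + slack]
    related = sorted(set(direct) | set(pivoted), key=lambda e: e.ts)
    return related, related[0].ts, related[-1].ts


def hosts_to_preserve(events) -> List[str]:
    """Distinct hosts whose disks and logs must be preserved before any rebuild."""
    return sorted({e.host for e in events})


if __name__ == "__main__":
    tl = build_timeline(parse_firewall(FIREWALL_LOG), parse_apache(WEB_LOG), parse_db(DB_LOG))
    related, first, last = intrusion_window(tl, "203.0.113.45")
    for e in related:
        print(e.ts.isoformat(), e.source, e.host, e.src_ip, e.detail)
    print("window:", first, "->", last, "preserve:", hosts_to_preserve(related))
```

Two things to notice when running it. The firewall's local stamps read 09:58 and 10:11 while the web server's read 14:58 and 15:11; only after the inventory supplies the firewall's zone do the two ACCEPTs line up two seconds ahead of the matching HTTP requests. Had fw-edge been recorded as a UTC host, its events would sort five hours late and the database read of `patients` one second after the export would look unrelated to the external address, which is exactly the kind of error that turns a scoped notification into a guess.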

Page 43:

PREPARE: Build your Team

Client and Media Relations

Human Resources

Business Unit

CPO, CSO

Compliance

In-House IT

In-House Counsel

Incident Response

Outside Incident Response Experts

Outside Counsel

Page 44:

COMMUNICATE

Best Practices

In advance:

Establish an effective governance structure

• Speak truth to power

• Enforce security across the organization

Provide security training to your employees

When a breach hits:

Assemble response team immediately

Discourage blame, data hoarding, and avoidance

Communicate often, but not constantly

Coordinate with counsel over reporting

Page 45:

Paul H. Luehr

Managing Director, Chief Privacy Officer

Stroz Friedberg

Rohan Massey

Partner

McDermott Will & Emery LLP

Vivienne Artz

Managing Director & Legal Counsel

Citi

