Into the Breach: Prepare, Prevent, Recover
Presented by
Deena Coffman, Tedrick Housh & Rob Newman
EMERGING TECHNOLOGIES
The Internet of Things
The Internet of Everything
Wearable Electronics
Cloud Storage
Tablet and Phone Platforms
Smaller, Faster, Better?
Why Law Firms?
Cyber criminals are attracted to
• Clients’ intellectual property assets
• Details of pending merger and acquisition activities
• Information on litigation that could impact a stock price
Poll No. 1
How many attorneys at your firm use personal devices to access unencrypted client data?
• All
• Most
• Some
• A Few
• None
Poll No. 2
How many of your attorneys place firm data on Dropbox, Yahoo! Mail, Gmail or on similar web-based programs?
• All
• Most
• Some
• A Few
• None
Beware: The State of Law Firm Data Security
According to a 2012 study published by Mandiant, a security consulting firm, nearly 80 percent of the 100 largest American law firms had some malicious computer breach in 2011.
In a 2013 ABA study, 70 percent of law firms reported they didn’t know if their firm ever experienced a security breach.
Also in the 2013 ABA study, 34 percent of lawyers reported that their firms allow them to connect their mobile devices to the firm’s network without restrictions.
Mary Galligan, head of the cyber division in the FBI’s New York office, warned top law firms in NYC that hackers “see attorneys as a back door to the valuable data of their corporate clients.”
Beware: FBI and IC3 Reports of Cyber Acts vs. Law Firms
Malware. In November 2009, the FBI issued an alert that hackers were attacking U.S. law firms with spear-phishing e-mails carrying malicious payloads, either as a file attached to the message or as a link to the domain hosting the file, and enticing users to open the attachment or click the link. Infection occurs as soon as someone does so: a self-executing file launches and, through a chain of malicious processes, attempts to download a second-stage file.
The Equivalent of a Nigerian Prince. In March 2012, the FBI stated that it continued to receive reports of scammers who contact lawyers by e-mail, claiming to be overseas and requesting legal representation to collect a debt from third parties located in the U.S. The law firm receives a retainer agreement and a check payable to the firm, and is instructed to deposit the check, deduct its retainer fee, and wire the remaining funds to banks in China, Korea, Ireland, or Canada. Only after the funds have been wired overseas is the check determined to be counterfeit.
Beware: Reports of Law Firm Breaches Are Rare, but…
In 2011, a law firm lost a portable hard drive containing 161 medical records. An employee was taking the drive home as a precaution against fire or flood at the office; the drive was not encrypted. The insurer for the doctor’s group sent notices to the patients two months later.
Between September 2010 and April 2011, hackers traced back to China infiltrated the networks of seven Toronto Bay Street law firms in an attempt to derail a $40-billion proposed takeover of Potash Corp. of Saskatchewan. The deal later fell through for unrelated reasons.
In 2012, hackers associated with Anonymous leaked a trove of emails hacked from the law firm representing a Marine accused of murdering 24 innocent Iraqis. In other emails Anonymous released, members of the firm appeared worried that the hack may "completely destroy the Law Firm."
In late fall 2013, a vendor to a large firm was attacked by hackers who obtained the password of an account administrator. As a result, the personally identifiable information of 441 current and former employees was breached. No law firm client information was accessed.
Beware: Sophisticated and Gov’t Sponsored Hackers
Beware: The Cost and Likelihood of Data Breach in 2014
The Ponemon Institute has tracked the cost of data breaches for nine years; it just released its 2014 report.
• For 2014, the Institute examined the data breach costs incurred by 61 U.S. companies in 16 industry sectors, each of which had suffered a breach of 5,000 to 100,000 records.
• Malicious or criminal attack was the main cause in 44% of the breaches, with employee negligence (31%) and system glitches (25%) next.
• The average total cost of a data breach for the organizations in the study rose from $5.4 million to $5.9 million, or roughly $195 per compromised record.
• Over the next two years, a U.S. company’s likelihood of suffering a material data breach (a minimum of 10,000 records) is nearly 19 percent.
Beware: More on the Rising Cost of a Data Breach
2014 Verizon Data Breach Investigations Report
• 1,367 confirmed data breaches
• 63,437 security incidents
• By industry: Finance (34%), Public (13%), Retail (11%), Accommodation (10%)
• 94% of breaches follow nine basic patterns
2014 Javelin Identity Fraud Report
• 1 in 3 data breach letter recipients will become identity fraud victims
• 62% of breach notifications to victims stemmed from compromised payment card data
Prepare & Prevent: Poll No. 3
Does your firm have a written Data Incident Response Plan in place?
• Yes
• No
• I do not know
Prepare & Prevent: How to Plan for a Data Breach
Why incident response planning is important
How to develop an incident response plan
Prepare & Prevent: Immediate “To Do” List
Incident Response Planning Checklist
• Assess Data Risks and Policies
• Develop an Incident Response Team and Written Plan
• Conduct Employee Training
• Perform Vulnerability and Penetration Testing
• Execute IRP Drills
• Manage and Transfer Risk
Prepare & Prevent: Assess Data Risks
Perform a Data Risk Assessment to identify information assets as well as the risks to those assets.
• What information is (or should be) protected?
• What constitutes an “event” or “incident”?
• What are the signs of the events most likely to occur?
• What are the impact and probability of each incident type?
• What constitutes a “breach”?
Prepare & Prevent: Assess Policies regarding Data
Do you have an internal firm-wide privacy policy?
Do you authenticate the identity of persons who access data?
Do you have a security plan to protect data from accidental or unauthorized disclosure?
Do you track updates to antivirus and security software?
Do you monitor employee computer or telephone use?
Do you have a written protocol for responding to security intrusions?
Do you have a document retention and destruction policy?
Are you familiar with the legal requirements in event of a security breach?
Have you obtained third-party privacy certification?
Do you have a documented disaster recovery process?
Do you have a Chief Privacy Officer and/or Information Security leader?
Who is responsible for your data?
Prepare & Prevent: Define Your Team
IT
Legal
Compliance
HR/Employee Communications
PR/Client Communications
Marketing
Privacy
Finance
Security Professionals (internal and external)
Management – Executive & Departmental
Prepare & Prevent: Internal and External Resources
Know how to contact the suppliers likely to be needed (e.g., ISP, hardware vendors, forensics, DR/BC resources)
Include building facility contact information (after-hours access, A/C, etc.)
Have access to baselines and backup configuration files.
Have the ability to quickly modify configurations for
• Firewalls
• Databases
• Backups
• Routers
• IDS/IPS
• Log files
Prepare & Prevent: Assign Team Responsibilities
Define who is responsible for these actions
• Reporting potential events (responsibility, guidelines and reporting mechanisms should be implemented and communicated, along with penalties for non-compliance)
• Evaluating reported information and declaring an incident
• Activating the full Incident Response Team (“IRT”)
• Leading, overseeing, communicating and reporting
• Organizing an after-action briefing
• Creating and maintaining an incident response plan
Poll No. 4
For those of you with an Incident Response Plan, how frequently do you test and/or practice it?
• Monthly
• Quarterly
• Annually
• Occasionally
• Never
Prepare & Prevent: Technical and Other Readiness
Current inventory of PI
Log data (if you don’t start logging now, you won’t have this when you need it)
Active protocols, ports and services
DHCP assignments
Authorized applications
Baselines
Administrator or privileged account usage
Security reports (anti-virus definition updates, anti-virus scan reports, file-integrity monitoring such as Tripwire, etc.)
Pre-authorize financial resources
Have relevant contracts available
Have relevant third-party provider SLA and contact information
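A baseline is only useful if you can compare the current state against it quickly. The following is an added example (not part of the original presentation) of that comparison: a stored snapshot of listening services, privileged accounts and authorized applications is diffed against a fresh snapshot, flagging new listeners, a known port now bound by a different process (a classic sign of a replaced binary or backdoor), removed services, new members of privileged groups and unauthorized applications. The snapshot fields and the sample data are constructed for this illustration; in practice you would populate them from `ss -tlnp`, the local administrators/sudo group and your software inventory.

```python
"""Compare a stored readiness baseline against a current snapshot.

Added example; not part of the original presentation. The Snapshot fields
and the BASELINE/CURRENT data are constructed stand-ins for output you would
capture yourself (listening sockets, privileged-group members, installed
applications).
"""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    # (protocol, port) -> name of the process listening on it
    listeners: dict[tuple[str, int], str]
    # members of privileged groups (Administrators, sudo, wheel, ...)
    privileged: set[str]
    # applications present on the host, by name
    applications: set[str]


@dataclass
class Drift:
    new_listeners: dict = field(default_factory=dict)
    changed_listeners: dict = field(default_factory=dict)  # same port, different process
    missing_listeners: dict = field(default_factory=dict)
    new_privileged: set = field(default_factory=set)
    removed_privileged: set = field(default_factory=set)
    unauthorized_apps: set = field(default_factory=set)

    def is_clean(self) -> bool:
        return not any([self.new_listeners, self.changed_listeners, self.missing_listeners,
                        self.new_privileged, self.removed_privileged, self.unauthorized_apps])


def diff_snapshot(baseline: Snapshot, current: Snapshot) -> Drift:
    """Return everything in `current` that departs from `baseline`."""
    d = Drift()
    for key, proc in current.listeners.items():
        if key not in baseline.listeners:
            d.new_listeners[key] = proc
        elif baseline.listeners[key] != proc:
            d.changed_listeners[key] = (baseline.listeners[key], proc)
    for key, proc in baseline.listeners.items():
        if key not in current.listeners:
            d.missing_listeners[key] = proc
    d.new_privileged = current.privileged - baseline.privileged
    d.removed_privileged = baseline.privileged - current.privileged
    d.unauthorized_apps = current.applications - baseline.applications
    return d


def report(drift: Drift) -> list[str]:
    """Render the drift as one line per finding, for the IRT log."""
    lines = []
    for (proto, port), proc in sorted(drift.new_listeners.items()):
        lines.append(f"NEW LISTENER  {proto}/{port} ({proc})")
    for (proto, port), (old, new) in sorted(drift.changed_listeners.items()):
        lines.append(f"CHANGED       {proto}/{port} was {old}, now {new}")
    for (proto, port), proc in sorted(drift.missing_listeners.items()):
        lines.append(f"MISSING       {proto}/{port} ({proc})")
    for user in sorted(drift.new_privileged):
        lines.append(f"NEW ADMIN     {user}")
    for user in sorted(drift.removed_privileged):
        lines.append(f"REMOVED ADMIN {user}")
    for app in sorted(drift.unauthorized_apps):
        lines.append(f"UNAUTHORIZED  {app}")
    return lines


# Constructed sample data: the approved baseline and a snapshot taken later.
BASELINE = Snapshot(
    listeners={("tcp", 22): "sshd", ("tcp", 443): "nginx", ("tcp", 5432): "postgres"},
    privileged={"root", "itadmin"},
    applications={"sshd", "nginx", "postgres", "clamd"},
)
CURRENT = Snapshot(
    listeners={("tcp", 22): "sshd", ("tcp", 443): "httpd", ("tcp", 4444): "nc"},
    privileged={"root", "itadmin", "jsmith"},
    applications={"sshd", "httpd", "nc", "clamd"},
)

if __name__ == "__main__":
    for line in report(diff_snapshot(BASELINE, CURRENT)):
        print(line)
```

Run against the sample data, the report shows a new listener on tcp/4444 (`nc`), tcp/443 now served by `httpd` instead of `nginx`, the database listener gone, `jsmith` added to a privileged group and two applications outside the approved set. Each of those is a ticket for change control to confirm or for the IRT to investigate; without the baseline none of them is visible.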
Prepare & Prevent: Spotting a Data Security Event
Attempts to gain unauthorized access to a system or its data
Disruption of business processes and services
Website compromise
Lost or stolen mobile device/laptop
Theft, loss or exposure of protected data
Changes to system hardware, firmware, or software without proper authorization and change control
Theft of IP or client materials by departing or disgruntled employee
Large volume of data being uploaded to a cloud storage service (Dropbox or Box, etc.)
Unusually large number of “tweets” from firm accounts
Virus, worm, etc. that cannot be contained by routine measures
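Several of the signs above (bulk uploads to Dropbox or Box, data leaving with a departing employee) show up in web proxy logs long before anyone reports them, if someone is looking. The following is an added example, not from the original presentation, of that detection logic: it reads proxy log lines, counts only request bodies sent to known cloud storage domains, and flags any user whose uploads exceed a threshold within a rolling one-hour window. The log format (ISO timestamp, user, HTTP method, destination host, bytes sent), the domain list, the threshold and the sample lines are all constructed for this illustration; map them to your own proxy's fields.

```python
"""Flag unusually large uploads to cloud storage services in proxy logs.

Added example; not part of the original presentation. The log format, the
domain list, the 500 MiB/hour threshold and SAMPLE_LOG are constructed for
this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Matched on whole DNS labels, so dl.dropboxusercontent.com counts as Dropbox
# while dropbox.com is not mistaken for box.com. Constructed list; extend it.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "box.com": "Box",
    "boxcloud.com": "Box",
    "drive.google.com": "Google Drive",
}

WINDOW = timedelta(hours=1)
THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB per user per hour; tune to your baseline

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2014-05-12T09:02:11 jsmith GET www.example.com 512
2014-05-12T09:05:40 jsmith POST www.dropbox.com 209715200
2014-05-12T09:31:02 jsmith PUT dl.dropboxusercontent.com 367001600
2014-05-12T10:45:00 jsmith POST www.box.com 104857600
2014-05-12T09:10:00 akumar POST drive.google.com 52428800
2014-05-12T14:10:00 akumar PUT app.box.com 52428800
2014-05-12T11:00:00 lwong POST mail.example.com 734003200
"""


def classify_host(host: str) -> Optional[str]:
    """Return the storage service name if host is (a subdomain of) a known domain."""
    host = host.lower().rstrip(".")
    for suffix, service in CLOUD_STORAGE_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def parse_line(line: str):
    ts, user, method, host, sent = line.split()
    return datetime.fromisoformat(ts), user, method, host, int(sent)


def find_bulk_uploads(lines, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return {user: (bytes, [services])} for users whose uploads to cloud
    storage exceed `threshold` within any rolling `window`."""
    per_user = defaultdict(list)  # user -> [(ts, bytes, service)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, method, host, sent = parse_line(line)
        service = classify_host(host)
        # Count request bodies only (uploads), not downloads from the same sites.
        if service and method in ("POST", "PUT") and sent > 0:
            per_user[user].append((ts, sent, service))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start, total = 0, 0
        for end, (ts, sent, _service) in enumerate(events):
            total += sent
            # Slide the window forward until it spans at most `window`.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > threshold:
                services = sorted({e[2] for e in events[start:end + 1]})
                flagged[user] = (total, services)
                break  # first offending window is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for user, (total, services) in find_bulk_uploads(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {total / 2**20:.0f} MiB to {', '.join(services)} within 1h")
```

On the sample data only `jsmith` is flagged: two uploads totalling 550 MiB to Dropbox within 26 minutes. `akumar` sends 100 MiB in total but five hours apart, and `lwong` sends 700 MiB to a mail server that is not on the storage list, so neither triggers. The label-aware suffix match matters: a naive `endswith("box.com")` would count every Dropbox request as Box traffic.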
Prepare & Prevent: Testing, Auditing and Updating
Are you sure? How do you know?
• Test
• Audit/Sample after implementation
What worked last year may not work in the current environment
Change control is an important mechanism to reduce unintended consequences
Prepare & Prevent: IRP Testing
Test the plan’s efficacy under scenarios such as
• A Trojan may have been introduced into the network
• A worm may have infected the network
• Cyber extortion
• An external party accuses the company of sending malicious email
• A laptop is lost
• An employee inadvertently sends unencrypted PI via email to an unauthorized individual
• DDoS/DoS attack
• Unknown wireless access point is discovered
• A departing employee takes IP or client files
• The marketing Twitter account is “hacked”
Poll No. 5
Do you personally know of a firm (or the friend of a firm) that has suffered a data breach?
• Yes
• No
Respond & Recover: An Overview
Verify the apparent incident
Document and notify counsel, insurers & others
Consider internal threat exposure
Collect volatile data first
Determine containment plan
Disconnect affected systems
Assess the nature and extent of damage
Research current attack intelligence
Form eradication and recovery plan
Respond & Recover: Discussions with Counsel
Notification to criminal enforcement authorities (FBI, DOJ, Police)
Notify vendors
Internal and External Announcements
Data Owner and Data Maintainer Notification Obligations
Determination of Remediation Offers
Regulator Notification
Data Subject Notification
Call Center and Response Management
Response Evaluation
Respond & Recover: Documentation of the Event
Make sure documentation is contemporaneous, thorough, accurate and objective. It should include
• How the breach occurred: date and time; methods, tools and technologies used, and their results; point of compromise
• Date and time of each response effort: who did what and when (objective facts only)
• Nature, extent, format and volume of the information exposed
• Whether the information was encrypted
• Financial impact to the business (for insurance purposes)
Respond & Recover: Documentation Considerations
Apart from the official documentation, internal communications should be verbal rather than by e-mail
• Avoid communicating speculative information in written format
Preserve documentation in original format when available
Consider forensic tooling and formal chain-of-custody documentation for events with potential legal or regulatory implications
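Chain of custody starts with being able to prove that evidence has not changed since it was collected. The following is an added example (not part of the original presentation) of the technical half of that: it hashes every file collected into an evidence folder, records who collected it and when in a manifest, returns the hash of the manifest itself so it can be written into the handwritten custody log, and later re-verifies the folder, reporting modified, missing and unexpected files. The manifest layout, the case identifier and the sample evidence files are constructed for this illustration.

```python
"""Build and verify a SHA-256 manifest for collected evidence.

Added example; not part of the original presentation. The manifest layout
(JSON with case id, collector, UTC timestamp and one digest per file) is an
assumption chosen for this illustration, and demo() writes constructed
sample evidence into a temporary directory.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Hash every file under evidence_dir and record who collected it and when."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithm": "sha256",
        "files": files,
    }


def write_manifest(manifest: dict, dest: Path) -> str:
    """Write the manifest and return its own digest for the paper custody log."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Return {'modified': [...], 'missing': [...], 'unexpected': [...]};
    all three empty means the evidence set is intact."""
    result = {"modified": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    present = {p.relative_to(evidence_dir).as_posix()
               for p in evidence_dir.rglob("*") if p.is_file()}
    for rel, meta in expected.items():
        path = evidence_dir / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            result["modified"].append(rel)
    result["unexpected"] = sorted(present - set(expected))
    return result


def demo():
    """Constructed walk-through: collect, verify, tamper, verify again."""
    root = Path(tempfile.mkdtemp(prefix="ir-example-"))
    ev = root / "evidence"
    (ev / "logs").mkdir(parents=True)
    (ev / "memory.raw").write_bytes(b"\x00" * 4096)  # stand-in for a RAM image
    (ev / "logs" / "auth.log").write_text(
        "May 12 09:05:40 host sshd[812]: Accepted password for jsmith\n")

    manifest = build_manifest(ev, collector="analyst (example)", case_id="IR-EXAMPLE-001")
    manifest_digest = write_manifest(manifest, root / "manifest.json")
    clean = verify_manifest(ev, manifest)

    # Simulate tampering with a log and an analyst dropping notes into the folder.
    (ev / "logs" / "auth.log").write_text("May 12 09:05:40 host sshd[812]: nothing to see\n")
    (ev / "notes.txt").write_text("scratch notes\n")
    tampered = verify_manifest(ev, manifest)
    return root, manifest, manifest_digest, clean, tampered


if __name__ == "__main__":
    root, manifest, digest, clean, tampered = demo()
    print(f"evidence at {root}, manifest sha256 {digest}")
    print("after collection:", clean)
    print("after tampering: ", tampered)
```

The manifest digest is the value to write, by hand, into the custody log next to the collector's signature; anyone can later recompute it from `manifest.json` and then verify each file. Keep the manifest outside the evidence folder, as the demo does, so it is not itself reported as unexpected.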
Respond & Recover: Logistics
Where will you centralize incident response operations?
• You’ll need a room and equipment
Secure communication (not your e-mail system, which may itself be compromised)
Enforce maximum working hours and minimum sleep hours
• Lack of sleep causes mistakes
• Supplies of food, beverages and hotel rooms may be necessary
Respond & Recover: Catch Your Breath, then…
Evaluate exposure
• Data type and volume
Continue to engage legal
• Evidence requirements
• Compliance with state, local and federal laws
• Contractual requirements
• Maintaining legal privilege for certain communications
Communicate requirements to the IRT
Do not communicate with the press, the impacted individuals or employees outside the IRT until legal/compliance has confirmed that the message meets all legal requirements
Engage PR/Communications to minimize client attrition
Review insurance coverage provisions and determine whether notice to the company’s insurer(s) is required
Poll No. 6
Does your firm or company have Cyber Insurance?
• Yes
• No
• I don’t know
Respond & Recover: Cyber Insurance
Basic Types of Cyber Insurance
• First Party Coverage — For direct losses of a company’s assets. It can include insurance to respond to regulatory costs associated with the release of personally identifiable information (PII) and personal health information (PHI).
• Third Party Coverage — Covers company’s liability for causing a loss to another party. Often required by contract and almost exclusively offered on a claims-made basis.
Expect the insurer to want a key role in response decisions, since it is likely paying for them.
Respond & Recover: Notification
Breach notification laws are in force in 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands
Notification time frames vary by state
Notification requirements to other parties vary by state
Federal laws such as HIPAA, COPPA, and GLBA also may apply
Respond & Recover: International Obligations
EU US
Respond & Recover: After the Storm
Back up data (if not also compromised)
Leverage disaster recovery and business continuity resources
Respond & Recover: Debrief and Reinforce
After each testing event or incident response event, the actions taken and results observed should be reviewed by the IRT
• What went well?
• What could have been done faster or with more accurate results?
• What resource(s) would have made the response faster or more accurate?
• What changes to the plan would benefit future IR teams?
• What alerts or precursors should be added to the detection system?
• What preventative actions or systems would be beneficial?
Training is Critical
If you don’t tell them, how will they know?
We’ll now open it up for questions
Questions