Explore recent data breach incidents, lessons learned, and practice tips for protecting your business internationally. Learn about cross-jurisdictional crimes, multi-lateral enforcement, contracting for cloud safety, and more.
Lessons Learned From the Famous Data Breach Incidents
Ted Claypoole, Partner, Womble Carlyle

What Will We Learn?
• Recent Data Incidents
• Lessons Learned
• Practice Tips for Protecting a Business (throughout)

International Problem
• Cross-Jurisdictional Crimes
• Multi-lateral Enforcement
• Contracting for Cloud Safety
• Cross-Border Data Transfers (EU)

Recent Attacks
• Retail Giants Lose “Mass Quantities”
  • Target/Home Depot/Michaels/N-Marcus
  • Marriott/White Lodging/Trump
  • CVS/Costco/RiteAid
  • Heartland
• Health Care Data Targeted
  • Anthem/Partners/Premera BC/CareFirst
• 100 Bank Cyber Heist/Scottrade
• Vtech Toy Hack
• Ashley Madison

Recent Attacks
• Nation-State Attacks
  • The Strange Case of Sony
  • Kaspersky Labs/RSA/LastPass/Infrastructure Providers
  • OPM/DoD/HSD/Army Nat. Guard
  • Banks Hit by Iran
• Attacks by Criminals on Government
  • IRS/State Tax Authorities

All Data Holders Are Targets
• Wherever valuable data can be found
• Creative uses of data (blackmail)
• Data is power (OPM)
• Quantity and Quality
• Law firms are the “soft underbelly” of business
  • Panama Papers
  • Cravath/Weil Gotshal

Credit Cards Are Not the Only Target of ID Thieves
• Medical Records
  • Anthem/BCBS
• Tax Records
  • IRS
  • South Carolina
• School Information
  • Many examples (fresh identities, unchecked)
• Immigration Fraud

Hacking Is Now Highly Organized Crime
• Tools available for anyone (marketplaces)
• Organized markets for the stolen goods
• System kidnapping
• Botnet networks for lease
• Hacking for hire
• Bitcoin for payments

Secondary Markets
• Market for Hacking Tools (Target)
• Markets for Stolen Information

Secondary Market Exploits
Zero-Day Prices Over Time

Exploit                              Price                  Year
“Some exploits”                      $200,000–$250,000      2007
“Weaponized exploit”                 $20,000–$30,000        2007
A “real good” exploit                $100,000               2007
Microsoft Excel                      > $1,200               2007
Adobe Reader                         $5,000–$30,000         2012
Android                              $30,000–$60,000        2012
Chrome or Internet Explorer          $80,000–$200,000       2012
Firefox or Safari                    $60,000–$150,000       2012
Flash or Java Browser Plug-ins       $40,000–$100,000       2012
iOS                                  $100,000–$250,000      2012
Mac OSX                              $20,000–$50,000        2012
Microsoft Word                       $50,000–$100,000       2012
Windows                              $60,000–$120,000       2012

Secondary Market Data
• Sales test – most interest in Brazil, Russia and Nigeria
• Creativity – discounts, guaranties, and customer loyalty programs, according to Krebs
• Darkode Bust, July 2015
  • Arrests in 20 countries
  • Most sophisticated English-language forum for criminal hackers
  • Darkode was one of 800 data bazaars

Take Away
• Anybody can be a hacker now
• Anybody can profit from hacking now
• Any data holder can be hacked
• Your company HAS been hacked, IS being hacked, and WILL be hacked

Resiliency Is the Watchword
• Increasing Sophistication of Attacks
• Attacks for Reasons Beyond Greed
  • Private Political Hackers
  • Attacking Business as an Act of War
• Job 1 – Keep the Enterprise Running
• Job 2 – Be Competent in Handling Adversity

Buck Stops at C-Level
• Recent study finds the majority of board executives blame the CEO rather than the security team for a data breach.
  • NY Stock Exchange/Veracode study – 200 directors
• C-Level holds the purse
• C-Level sets enterprise priorities
• Target CEO fired
• Sony Co-Chair resigned

Buck Stops at C-Level
SEC Holds Directors Responsible
“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.”
See: CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 13, 2011

Protecting Your Company: Sweat the Small Stuff
• Install updates and patches
• Proper password hygiene
• Protect your valuables (Sony)
• Listen to alerts (Target)
• TRAIN, REINFORCE, TRAIN MORE regarding NO clicking on unknown links

Corporate Hack Victim Will Be Treated as Offender
• Stolen data is not per se proof of recklessness or malfeasance
• All systems can be breached
• Yours will be
• Guard against all parties with an interest in your company’s liability

How to Protect Your Board/Executives
• Regular security training
• Exposure to budgets and risks
• Role for outside experts
• Document, Document, Document
• Train, Train, Train

Take Away
• Your regulators care about data security
• Your bosses will be held responsible for
  • successful attacks, and
  • insufficient responses
• You can make a difference for your company/clients

Data Loss Litigation Is Becoming More Complicated
• Palkon v. Holmes, No. 2:14-CV-01234 (D.N.J. Oct. 20, 2014)
  Shareholder filed against 10 officers and directors. Board had a firm grasp of the data situation (evidence of security discussions in meetings).
• In re Heartland Payment Systems Inc. Securities Litigation, No. 09-1043 (D.N.J. Dec. 7, 2009)
  Plaintiffs alleged securities fraud for claiming in the 10-K that the company placed emphasis on security. The fact of a breach was not, in itself, enough to show a careless company. High spending on security weighed in favor of the company.

Data Loss Litigation Is Becoming More Complicated
• Genesco v. Visa, U.S. M.D. Tennessee, No. 3:13-00202
  $13 million seized by Visa after data breach, claimed as “operating expenses”
• Similar to Elavon v. Cisero’s, Summit County, Utah, Case No. 100500480
• In re: Target Corporation Customer Data Security Breach Litigation, U.S. Dist. Minnesota, No. 14-md-02522
  $10 million settlement to class of affected individuals; class members don’t need to show damages to collect

Remember All Stakeholders
• Customers
• Employees
• Regulators
• Merchant Bank
• Vendors
• Contracting Requirements

Phishing Works
• Phishing will likely always work
• Easiest way to introduce malware into your system
• Separate Internet from wall safe
• Internal encryption is becoming standard

No Solution to Ransomware
• State Bar advisory to law firms
• Law enforcement advice – “pay the man”
• No one is safe
• Did we mention – “Thou shalt not click on links in email from unknown senders, EVER.”

No Network Connection Is Safe
• Target (HVAC vendor portal)
• Online restaurant menu
• Email is not the only way in

Take Away: What Is Reasonable?
• Appropriate budget for security
• Appropriate training
• Up-to-date knowledge on tools, standards, risks
• Local risk management structure
• Pre-planning for incidents
• Build security around obligations, risks and types of data

Internal Walls as Important as External
• “They are in your system now”
• How does someone walk from the vendor portal to the cash registers?
• System level, application level, hardware level protection

Cyber Insurance Is Vital for Many
• Rapidly evolving market
• Costs decreasing for better coverage

Preparing for the Worst
• Spend the money for smart protection
• Follow advice
• Be prepared to defend your decisions

Take Away
• Hedge your risks
• Document your reasoning and your actions
• Third-party advice can show why your decision was reasonable

Things Target Did Wrong
• System issues:
  • Upgraded POS systems without a security audit
  • Did not listen to its own network warnings
  • Needed a more compartmentalized network
• Personnel issues:
  • No CISO or single name for data security
  • CTO/CIO had no technical background

Things Target Did Well
• Its website is helpful, informative and complete
• Apologized
• “Hold harmless” promise to customers
• Help line
• It is investing in cyber security education with the BBB

Credit Monitoring May Not Be the Best Service to Offer
• What was stolen?
• ID theft consulting may be more useful to affected parties
• Free credit freeze available without additional purchase

The Role of Vendors
• The vendor may be a trap door
• The vendor may lose your data
• Require: protection, notice, insurance, audit, indemnity, high liability cap
• Review: procedures, personnel, technology, training

Take Away: Technical Lessons
• Close your system
• Log what goes out and what comes in
• Internal encryption
• Segmented system
• Access management
• Keep a wall safe in your bedroom

Take Away: Lessons on Surviving
• Getting it right is better than quick
• All about competence
• Speak up
• Work with law enforcement/regulators
• Don’t go it alone

Thank You
Ted Claypoole
Partner, Womble Carlyle