
Data Breach

2
ANATOMY OF A DATA BREACH
1. Well-Meaning Insiders. The majority of data breaches are caused by company employees who inadvertently violate data security policies.
- Employees, unaware of company policies, who store, send or copy sensitive information in an unencrypted manner.
- Lost/stolen laptops.
- Sending unencrypted confidential information in emails.
- Sharing data with third party business partners (such as 401(k) plan information).

3
ANATOMY OF A DATA BREACH
2. Targeted attacks. Targeted attacks are aimed at stealing information primarily for the purpose of identity theft.
- Cyber-criminals using malicious code that can penetrate into an organization undetected and export data to remote hacker sites.
- This is made possible by: (1) system vulnerabilities: laptops, servers and desktops that do not have the most up-to-date security features; (2) improper credentials: using default passwords that are easy to figure out and obtain by hackers; (3) targeted malware: hackers using spam communications that are embedded with malware; (4) SQL injection: hackers analyze the URL syntax of targeted websites and are then able to embed instructions to upload spyware that gives the hackers remote access to the targeted servers.
4
ANATOMY OF A DATA BREACH
3. The malicious insider. This includes insiders who knowingly steal data.
- White collar criminals.
- Industrial espionage.
- Theft of trade secrets (employees who store confidential information on their personal computers for use in subsequent employment or to compete).

5
RECENT CYBERSECURITY BREACHES
- Cyber attack may have compromised about 76 million households.
- Included customer names, addresses, phone numbers and email contact information.
- In addition, the breach affected about 7 million of J.P. Morgan's small business customers.
- Overall, it may have been the biggest cyber attack in corporate history.

6
RECENT CYBERSECURITY BREACHES
- Cyber thieves stole up to 60 million credit card numbers.
- The attacks went on for 5 months before being discovered.
- The company said anyone who used a credit card to shop at Home Depot in the US or Canada over a 6 month period could have been a victim.

7
RECENT CYBERSECURITY BREACHES
- Hackers accessed personal information from as many as 110 million consumers.
- Costs associated with the hacking added up to about $148 million.

8
RECENT CYBERSECURITY BREACHES
- Hackers broke into the iCloud accounts of a number of Hollywood celebrities and made off with nude photos.
- Celebrities targeted included Jennifer Lawrence, Kate Upton and Kirsten Dunst.

9
RECENT CYBERSECURITY BREACHES
- In late November 2014, thousands of gigabytes of data were transferred out of Sony's network undetected, including salary and bonus information of executives, unflattering comments about movie stars, health information about employees and copies of unreleased films.
- The attack began with email phishing that used programs that roamed unopposed and undetected through Sony's network.
- This was an act of what some called cyberterrorism in opposition to the release of an upcoming Sony Pictures movie, The Interview.
- The hackers attempted to blackmail Sony and warned it not to release the film.
- Sony ultimately released the film.

10
Hackers stole data of over 21 million US government workers (July 9, 2015)
- More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management.
- That number is in addition to the 4.2 million Social Security numbers that were compromised in another data breach at OPM that was made public in June.
- Officials have privately linked both intrusions to China.
- Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigations, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants' families.
- The records that were compromised include detailed, sensitive background information, such as employment history, relatives, addresses, and past drug abuse or emotional disorders. OPM said 1.1 million of the compromised files included fingerprints.

11
FUTURE CYBERSECURITY BREACHES?

BIGGEST THREATS ARE THE ONES THAT ARE UNKNOWN AND NOT YET DISCOVERED

12
WHAT TO DO ABOUT IT

"The cyberworld is like the wild wild west."
Barack Obama

13
APPROACHES TO CYBERSECURITY

- Cybersecurity does not fit into one box.
- Requires collaboration between the government and the private sector.
- Requires collaboration between IT professionals and legal professionals.

14
CYBERLAW
- In its infancy.
- There is no overarching federal law that deals with cyberactivity.
- Cyberlaw is influenced by some existing laws.

15
PRIVACY LAW AND DATA SECURITY
- Most, if not all, laws regarding cybersecurity or data security have their origins in protecting privacy.
- This is an evolving field.
- Privacy law regulates the relationship between the Data Subject, the Data Controller and the Data Processor.
- Laws and regulations relating to data security typically address the following areas:

1. Notice
2. Consent (Opt In/Opt Out)
3. Access
4. Correct/Update
5. Information Security

16
DATA PROTECTION MODELS
- COMPREHENSIVE MODEL (EU)
- SECTORAL MODEL (US AND JAPAN)
- CO-REGULATORY MODEL (AUSTRALIA AND NZ)
- HABEAS DATA (SOUTH AMERICA)

17
Terms And Definitions
- Personal information, personally identifiable information or personal data. Shorthand reference could also be information or data. This is any information that can be linked to a specific individual.
- Data subject. The person to whom the personal information pertains.
- Data controller. The entity that has gathered, is in possession of and/or owns the personal information.
- Data processor. Typically, a third party (e.g., a vendor) to whom the data controller provides personal information in batch for a specific purpose.
- Data processing. Anything done with the personal information, including collection, storage, use, deletion, searching, compiling, etc. Very broad term.
18
US HEALTH DATA PROTECTION LAWS
- HIPAA: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
- HITECH: HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
- GINA: GENETIC INFORMATION NON-DISCRIMINATION ACT OF 2008

19
US FINANCIAL DATA PROTECTION LAWS

- FCRA: FAIR CREDIT REPORTING ACT OF 1970
- FACTA: FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003
- GLBA: GRAMM-LEACH-BLILEY ACT OF 1999

20
OTHER US DATA PROTECTION LAWS

- PRIVACY ACT OF 1974 (GOVERNMENT SECTOR)
- FERPA: FAMILY EDUCATION RIGHTS AND PRIVACY ACT OF 1974 (EDUCATION SECTOR)
- PPRA: PROTECTION OF PUPIL RIGHTS AMENDMENT OF 1978 (EDUCATION SECTOR)
- NO CHILD LEFT BEHIND ACT OF 2001 (EDUCATION SECTOR)
- TELECOMMUNICATIONS ACT OF 1995 (TELECOMMUNICATIONS SECTOR)
- CABLE TELEVISION PRIVACY ACT OF 1984 (TELECOMMUNICATIONS SECTOR)
- VPPA: VIDEO PRIVACY PROTECTION ACT OF 1988 (TELECOMMUNICATIONS SECTOR)
- COPPA: CHILDREN'S ONLINE PRIVACY PROTECTION ACT OF 1988 (INTERNET)

21
FEDERAL TRADE COMMISSION

- Section 5 of the FTC Act gives the FTC jurisdiction to take action to prevent unfair and deceptive business practices affecting commerce, including conducting investigations.
- The FTC has been the most active regulatory authority with respect to policing data breaches.

22
FTC ENFORCEMENT ACTIONS
- FAILURE TO IMPLEMENT ADEQUATE SECURITY SAFEGUARDS FOR CUSTOMERS' PERSONAL DATA IS AN UNFAIR BUSINESS PRACTICE.
- FAILURE TO COMPLY WITH THE PRIVACY NOTICE GIVEN TO CUSTOMERS IS A DECEPTIVE BUSINESS PRACTICE.

23
RESULTS?
- Violations have resulted in multi-million dollar settlements with the FTC.
- As of early 2014, 50 settlements had been reached.
- The FTC also requires violators to sign consent decrees, which may last for years and require, among other things, the hiring of a data protection/privacy officer.

24
FTC v. Wyndham Worldwide Corp., et al.

25
FTC's Allegations
- Wyndham Group required all franchisees to use a designated computer system, known as the Property Management System.
- The Property Management System was centrally administered and maintained by Wyndham Group.
- The Property Management System contained customers' personal data, both as to identification and credit/debit card numbers.

26
FTC's Allegations
- Between April 2008 and January 2010, intruders (most likely Russian hackers) gained access to the Property Management System three times.
- The data breaches compromised 619,000 payment card numbers.
- The data breach resulted in $10.6 million in fraudulent charges.

27
FTC's Allegations
- Wyndham Group failed to require the use of strong passwords.
- Wyndham Group had no inventory of its computers and other hardware, making it difficult to discover in a timely manner where and how the system was compromised.
- Wyndham Group failed to limit access to the computer system under least privilege principles.
28
FTC's Allegations
- Wyndham Group failed to adequately address the first breach by patching its system, which allowed the subsequent breaches.
- Wyndham Group failed to use firewalls to segregate portions of the Property Management System, so a single breach allowed access to the entire system.
- Wyndham Group committed consumer fraud by falsely promising customers, via Privacy Notices on its various websites, that the data they provided was kept safe and secure.
29
Wyndham Group's Defenses
- The FTC has no authority to bring unfairness or deception claims for breaches of data security.
- There are no rules or regulations articulating (and giving a defendant notice of) what data security practices must be implemented, so the FTC's claim violates due process.
- Despite the $10.6 million in aggregate fraudulent charges, there was no substantial harm to consumers that could not be avoided by the consumers (another requirement for the FTC to have jurisdiction), as each consumer's loss was limited to $50 or less by law.

30
Trial Court's Ruling
- As to jurisdiction, the FTC has broad latitude in regulating unfair business practices; since these practices evolve constantly, especially with new technologies, the FTC can regulate these practices even if its rulemaking has not caught up.
- As to notice, Wyndham had fair notice that it could be held liable under the FTC Act, just as it could be held liable under ordinary tort principles of negligence (unreasonably exposing consumers to harm by negligently handling confidential data). Also, the FTC's publications provided adequate notice.
- As to substantial harm, a small amount of harm to a large number of individuals can constitute substantial harm, and consumers have no way of avoiding the harm caused by Wyndham Group failing to protect their sensitive personal information.
- Third Circuit/Current Status of Case.

31
What Data Security Measures Should Be Taken?

- Wyndham's argument was, to a certain extent, true: there is no rule or regulation setting out, with specificity, every best practice for safeguarding data.
- To the extent addressed in statutes, such as GLBA and FACTA, laws require that reasonable safeguards be taken.
- Until rules and regulations are adopted, what is reasonable is typically determined on a case-by-case basis.

32
Economic Model
- Risk: overall adverse impact from a potential event.
- Threat: an event such as a hacking attack or human error.
- Vulnerability: a weakness in a system that can be exploited.

RISK = THREAT * VULNERABILITY * EXPECTED LOSS

33
Reasonableness Factors
Type of personal information maintained.
Size, complexity and capability of the
entity.
Technical infrastructure, hardware and
software.
Costs of security measures.
Probability and magnitude of potential
risks to sensitive personal information.

34
BASIC SAFEGUARDS
Physical
Administrative
Technical

35
COMPONENTS
Access control.
Segregation of duties.
Least privilege.
Accountability.
Authentication.
Password management.
System monitoring.
Firewalls/Virtual servers.
Anti-virus software.
36
ADVERSE PUBLICITY

37
INCIDENT MANAGEMENT
Have a written incident management and response plan in place.

Employ a defense in depth strategy to secure a network:
1. Identify information and resources that need to be protected.
2. Specify security goals and policies for securing those resources.
3. Deploy mechanisms that are configured to enforce those policies.

Consider the following key principles when employing a defense in depth strategy:
1. Don't keep what you don't need.
2. Patch software.
3. Close unused ports.
4. Create and implement security policies.
5. Protect the network with security software.
6. Conduct periodic network audits, including penetration tests.

38
Red Flags
Numerous failed log-in attempts; brute
force attack.
Sudden use of idle or dormant account.
Use of computer systems during off or
unusual hours.
Presence of new or unauthorized user
account.
Weak user passwords.

39
Red Flags
Unexplained elevation in user privileges.
Changes in file permissions.
Presence of unknown devices connected
to the network (data storage devices).
Gaps or deletions from system logs.
Alerts from anti-virus or anti-intrusion
software.

40
Red Flags
Loss or theft of hardware.
Mismatch of inventories of hardware and
equipment.
Customer complaints.
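Several of the red flags on the three slides above (brute-force log-in attempts, sudden use of a dormant account, off-hours use, a new account appearing, an unexplained privilege elevation) can be checked mechanically against an authentication log. The following is an added example, not part of the original deck: it assumes a constructed log format (timestamp, user, source, event, optional detail) and constructed "last seen" dates, and the thresholds (five failures within one minute, 90 days of dormancy, business hours 08:00 to 18:00) are assumptions a site would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the deck): "timestamp user source event [detail]".
SAMPLE_LOG = """\
2015-07-09T02:14:03 jsmith 203.0.113.7 login_failed
2015-07-09T02:14:05 jsmith 203.0.113.7 login_failed
2015-07-09T02:14:08 jsmith 203.0.113.7 login_failed
2015-07-09T02:14:11 jsmith 203.0.113.7 login_failed
2015-07-09T02:14:14 jsmith 203.0.113.7 login_failed
2015-07-09T02:14:20 jsmith 203.0.113.7 login_ok
2015-07-09T10:30:00 akumar 10.0.0.12 login_ok
2015-07-09T11:02:45 akumar 10.0.0.12 useradd backup_svc
2015-07-09T23:41:10 oldtemp 10.0.0.50 login_ok
2015-07-09T23:42:00 oldtemp 10.0.0.50 privilege_escalation admin
"""
# Constructed: last successful login seen before this log window, per account.
LAST_SEEN = {"jsmith": datetime(2015, 7, 8), "akumar": datetime(2015, 7, 8),
             "oldtemp": datetime(2015, 1, 15)}

def parse(log):
    # Split each line into (timestamp, user, source, event, extra fields).
    events = []
    for line in log.splitlines():
        ts, user, src, event, *rest = line.split()
        events.append((datetime.fromisoformat(ts), user, src, event, rest))
    return events

def red_flags(log, last_seen, fail_threshold=5, window=timedelta(minutes=1),
              dormant_days=90, business_hours=(8, 18)):
    """Return (flag, subject, timestamp) for each red flag found in the log."""
    flags, failures = [], defaultdict(list)
    for ts, user, src, event, rest in parse(log):
        if event == "login_failed":
            # Brute force: fail_threshold failures from one user/source within window.
            recent = [t for t in failures[(user, src)] if ts - t <= window] + [ts]
            failures[(user, src)] = recent
            if len(recent) == fail_threshold:
                flags.append(("brute_force", user, ts))
        elif event == "login_ok":
            # Dormant account suddenly active; logins outside business hours.
            if ts - last_seen.get(user, ts) > timedelta(days=dormant_days):
                flags.append(("dormant_account_used", user, ts))
            if not business_hours[0] <= ts.hour < business_hours[1]:
                flags.append(("off_hours_login", user, ts))
        elif event == "useradd":  # new or unauthorized account created
            flags.append(("new_account", rest[0], ts))
        elif event == "privilege_escalation":  # unexplained elevation of privileges
            flags.append(("privilege_elevation", user, ts))
    return flags
```

Each flag carries the account it concerns and the time, so it can be handed straight to the containment steps on the following slide (shut down the account, revoke access, determine scope).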

41
Actions
Once a breach is recognized, contain it.
1. Shut down accounts.
2. Revoke user access.
3. Make sure laptops and hand held devices
have installed on them remote wipe
technology; deactivate laptops and
devices.
4. Determine the scope of the breach.
Implement notification requirements.

42
GET CYBERSECURITY INSURANCE

43
The Future Of Cyberlaw
- Big Data. The effect of having virtually unlimited storage capacity for data (there is already a burgeoning data broker industry, where businesses have been created specifically to compile and store data) coupled with increasingly powerful and sophisticated custom search algorithms to connect these bits and pieces of data together for a particular purpose.
- The Internet of Things. As computer processors get smaller, faster and cheaper, products from cars to kitchen appliances can be designed to collect data, connect to the internet wirelessly and transmit or download that data.
- Do Not Track.
- Privacy By Design.
- EU's Right To Be Forgotten.

44
The Future of Privacy
- Geolocation data from smart phones. Companies are developing applications to, for example, send you an ad or coupon for a business when you come into its vicinity.
- Facial recognition technology that can be coupled with information about an individual, for example, a Facebook or LinkedIn profile. Google Glass is working on an application that will recognize faces and pull up such information to be displayed to the wearer.
- Video surveillance.
- Domestic drone surveillance.

45
Thank you
William J. Clements, Esquire and CIPP/US
[Certified Information Privacy Professional/United States]

Klehr Harrison Harvey Branzburg LLP

nci@excelsior.edu

www.nationalcybersecurityinstitute.org


46
