© Sheppard Mullin Richter & Hampton LLP 2016
Cybersecurity Update 2016
The Latest on Threats, Laws and Best Practices for Retailers
Laura Jehl
Overview
The Threat
What’s new in 2016?
The Risk
The Law
The Preparation
The Cost
The Help
2
The Threat
What’s your digital nightmare?
Theft of data?
– Credit card numbers
– Personally identifiable information (employee/customer)
– Confidential company information
– IP/Trade secrets/corporate espionage
Ransomware?
– Systems encrypted, disabled, ransom demanded
DDoS (Distributed Denial of Service) Attack?
– Website or other host overwhelmed and disabled
All of the Above?
3
The Threat
Threats exist in every connected system:
– Network/enterprise systems
– Wireless networks
– Social media
– “Internet of things”
– Point of sale machines
– Employee devices (“BYOD”)
The “Vectors”
– Collaborative tools
– File sharing applications
– Finance & Accounting software/application
The Spoils
– Customer Data
– Intellectual Property
– Financial Data
– Money
4
What’s New? Carbanak Group 2.0
Operates out of Russia and China
Attacked banks by sending “spearphishing” emails to
their employees and customers.
– Clicking on the email attachments downloads malware onto their
computers
– Malware lurks for a long time, learning about the behavior of the
user or processes at the bank
Steals money by emulating legitimate employee or
customer activities, such as normal-looking online
banking transactions.
– Able to avoid detection and fraud monitoring
5
What’s New? Carbanak Group 2.0 (cont’d)
2.0 now targeting corporate finance and accounting departments, moves money to what looks like legitimate corporate accounts
Group “GCMAN” sends spearphishing emails with
malware attachments that look like Word documents
– Once inside, uses legitimate penetration testing tools to move
around and finds a way to transfer money from the bank to digital
currency
– One case sent $200 a minute
– Can lurk in a victim's network for a year and a half before
activating a theft
6
The Threat: What’s New?
Source and Nature of Attacks:
Ransomware
– Malware disables systems or encrypts data and demands a
payment to unlock them
– New variants combine ransomware with scraper and DDoS
capabilities
– FBI predicts total ransomware costs >$1 billion in 2016
– Phishing emails containing ransomware up 789% in Q1 2016
7
The Threat: What’s New
Source and Nature of Attacks:
Fraudulent Financial or Data Transfers
– Fake “CEO” emails requesting employee W2 data
– Fake “CFO” emails requesting fraudulent wire
transfers
– Hackers interact with targeted employees, answer
questions
– “Epidemic” of these attacks in 2016
Hacktivism
– The “Panama Papers”
8
The Threat: What’s Not New?
“Phishing”/“Spearphishing”
– Not new, but increasingly sophisticated and interactive
– “Phishing” emails contain links that look legitimate (Word docs); intended to steal credentials
– “Spearphishing” emails contain malware
– 93% of spam now contains ransomware
– Still the best and most effective mode of attack
Hostile Foreign States
Insider Threats
9
The Threat
Motivations for Cyber Attacks
Financial gain
Ideology/terrorism
Espionage
Fame/ego/self-image/recognition
Divided loyalties
Revenge/disgruntlement
Adventure/thrill
Vulnerability to blackmail
Compulsive or destructive behavior
Negligence
Or all of the above (e.g., Sony)
10
The Threat
The “Human” Element
– Research shows that >50%, and possibly >90% of all data
breaches include an aspect of employee ignorance, negligence,
or malice
Employee Training is Key
– Index to past experiences and threat intelligence
– Tailor to meet staff abilities and roles
– Interactive training with participation
– Lather . . . Rinse . . . Repeat
11
The Threat
Valuable Personal Data:
Names
Addresses
Birthdates
Credit Card Numbers
Financial Account Numbers
Financial Account Balances
Social Security Numbers
Foreign Tax ID Numbers
Passport Issuers/ Numbers
Valuable Company Data:
Intellectual Property
Company Financials
Email/Communications
HR Information
. . . And money
12
The Risk
Retail in hacker crosshairs:
– One-third of retail IT professionals say a breach has occurred at
their company
– Retail largest share of breaches over last 4 years; 25% of
breaches, 42% of records breached (CA AG Data Breach Report
2016)
Shopper attitudes:
– 75% of shoppers hold retailers responsible for keeping their
information secure
– 50% believe retailers could avoid breaches by installing better
technology
– But . . . 64% accept risk breaches as part of shopping process
(Interactions study)
13
The Risk
Payment Card Industry Data Security Standard (PCI DSS)
A common set of industry tools and measurements to help ensure the safe handling of sensitive information
Provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents
Applies to any entity that stores, processes and/or transmits CHD
Version 3.1 released April 2015
Bottom Line
If you take plastic, PCI applies to you
14
The Risk
PCI Forensic Investigation Program
Requires an entity to notify the affected card brand(s) in
the event of a compromise
Brands may/will require the compromised entity to
engage a PFI to conduct an independent forensic
investigation
– The affected company is responsible for all fees and expenses
but report goes directly to card company
– PFI is intended to seek out the truth – but not infallible
Bottom Line
PFIs are looking for your mistakes – get a second opinion
15
The Law
Duty to protect privacy and security of personally
identifiable information (“PII”) you collect
This means you must:
– Comply with applicable state and federal laws
– Comply with your own privacy statements (e.g.,
privacy policy)
– Clearly disclose what types of information you collect,
and how that information is used
16
The Law
A security breach can lead to liability, including under
the following laws:
FTC Act
Gramm-Leach-Bliley Act
FACTA (credit card number masking)
PII/Credit Card Collection laws (CA, MA and 16 other states)
Data Security Breach Notification laws (47 states)
Sarbanes-Oxley
Fair Credit Reporting Act
Electronic Signatures in Global and National Commerce Act
Federal Information Security Management Act
Homeland Security Act of 2002
SEC and DOJ Guidelines
17
The Law
Many different bodies enforce these laws:
– FTC, SEC, CFPB, State Attorneys General, DOJ, private Class
Action Litigation
Enforcement is getting tougher:
– FTC is promising much stricter enforcement of federal privacy laws; now has authority to regulate cybersecurity preparedness
– SEC just announced $1M fine of Morgan Stanley for lax cybersecurity
– State Attorneys General cracking down, with CA in the lead
– Class actions for data privacy violations are becoming much more common, and are not being dismissed
– Court has repeatedly declined to dismiss Anthem MDL (~100 class actions consolidated in N.D. Cal.)
18
The Preparation
Engage your Cyber Threat team
– Legal, IT, and HR critical
Third party experts
– Communications
– Legal
– Cyber-Forensics
Map your Data – know what
you have
Understand regulatory
requirements
Legal and contractual
obligations
Required notifications?
Public relations plan
Executive and board
member roles
Contact information for law
enforcement
Review insurance coverage
Create an Information Security Incident Response Plan
19
The Preparation
Testing a Data and Information Security Plan
“Exercise your nightmare(s)” at different levels
– Board
– C-Suite
– Cyber incident response team
Examine different scenarios
– Ransomware
– Breach
– Hacktivism
Outside counsel should lead “table top” exercises
– Protects privilege if vulnerabilities are identified
– Identifies legal risk at every step of process
– Allows the perspective of a third party
20
The Preparation
BE PREPARED
Review where critical data is located and implement
proper security controls (encrypt it, use access controls,
etc.)
ASSUME you will be breached
Have procedures to prevent breach by insiders as well
Utilize security monitoring mechanisms to detect early
red flags of potential breach
Don’t retain unnecessary data; securely destroy it!
For data that you do retain, constantly assess who has
access to it and how it can be accessed
21
The Cost of Cybersecurity
$$$
Data mapping, forensic security analysis, penetration testing by outside consultants (they may suggest remediation of some systems, which can be costly)
$$
Preparation of incident response plans (varies with levels of customization)
$
Deterrence (train and test employees through “phishing campaigns,” institute two-factor authentication on all systems)
22
The Cost
Impacts of a breach
– Fraud ($$)
– Financial loss
– Brand damage/embarrassment
– Data leak / Breach
– IP loss
– Identity theft
– Liability risk
23
The Help
Responding to a Cyber Incident
Call your lawyers & forensic experts
Follow the “First 30 Minutes” checklist
Follow your written, updated, and exercised ISIR plan
– Stop the bleeding
– Restore back-up version of data (if uncompromised)
Document whatever steps are taken and costs incurred to mitigate the damage!
Assess both the nature and scope of the incident
– Intentional or Unintentional?
– Level of Access?
24
Best Practices
Goal should be security…not compliance
Know your business and your employees
Train your employees and test their response to “phishing” campaigns
Baseline your systems’ “normal” to spot “abnormal”
Understand and moderate your data collection needs
Wall it off: Insist on limited access to PCI and PII data
Back it up: make sure data is securely backed up and available when/if needed
Encrypt sensitive data
And…
25
Best Practices
“Ensure Your Legal Counsel is Familiar
with Technology and Cyber Incident
Management to Reduce Response Time
During an Incident”
As suggested by the DOJ…
~ Computer Crime & Intellectual Property Section
Criminal Division, U.S. Department of Justice
Best Practices for Victim Response and Reporting
of Cyber Incidents Version 1.0 (April 2015)
26
Questions?
27