On Wednesday, April 27, Mitchell Hamline's Center for Law and Business hosted a lunch celebration and CLE program featuring legal and privacy professionals who discussed the importance of strong measures in protecting and enforcing the proper use of data for businesses in 2016 and beyond.
Program faculty:
Professor Sharon Sandeen, Mitchell Hamline School of Law
Andy Ubel, Chief IP Counsel at Valspar Corporation
Ken Morris, Senior Advisor at RedPoint Advisors
Charlotte Tschider, Owner/Principal at Cybersimple Security LLC
Mitchell Hamline has also launched a Cybersecurity and Privacy Law Certificate program designed to help professionals deal effectively with the complex legal, policy, and compliance issues involved in this critically important area. For more information about Mitchell Hamline's Cybersecurity and Privacy Law Certificate, or to register, visit http://mitchellhamline.edu/cybersecurity/
2. 2015-2016 MHSL Business Certificate Graduates
Mitchell Hamline School of Law | April 27, 2016
Samantha Barriga
Michelle Bradley (Jan. 2016)
Katelyn Bounds
Nathan Dorschner
Brenna Finley Erdmann
Eythan Frandle
Ayn Gates
Barry Gronke
Matthew Hartranft (Jan. 2016)
Sarah Holm
Abigail Lambert
Keith Larson
John Meyer
Ben Pflueger
Jungmin Ro
Briar Schnuckel
Ellen Tovo-Dwyer
3. “As I enter my final semester at Mitchell Hamline, it’s easy to list all of the ways that the Law and Business program has guided and shaped my time here.
I’ve been able to focus on my learning and development priorities both academically and professionally through the program’s courses, networking events, and externships. The coursework required for the Certificate along with the variety of available elective offerings provide challenging and fulfilling preparation for the “real world” expectations of business or corporate law.
Pursuit of the Law and Business Certificate was one of the best choices I’ve made during law school. I’m proud to be finishing the Certificate this semester and I will value the academic and professional experiences and connections I’ve established through the program for years to come.”
-- Mitchell Hamline Student
5. Cybersecurity: The New Priority for Business
Program Faculty
• Professor Sharon Sandeen – Mitchell Hamline School of Law
• Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
• Ken Morris – Senior Advisor, RedPoint Advisors
• Charlotte Tschider – Owner/Principal, Cybersimple Security, LLC
CLE Event Code 218968
6. Valspar’s Story
Andy Ubel, Chief Intellectual Property Counsel, Valspar Corporation
7. Answers
A) There is really nothing you can do. IP protection in China is difficult to obtain and this employee didn’t sign a “non-compete” agreement. The manager should call HR and have them look for a replacement.
B) The employee should be terminated immediately. Computer access by this employee should be severed and the employee’s laptop and phone collected and quarantined. An immediate investigation should be undertaken to assess whether any sensitive data has been downloaded by the employee.
C) Fire the CIO when he tells you they don’t know if anything was taken, because no logs are kept.
D) Fire anyone else that is nearby.
8. Valspar faced this exact situation
David Wen Lee was Valspar’s “#2 Technical Employee” in our Consumer paints division.
Without any warning, he announced one Monday morning that he was quitting. He wouldn’t say where he was going.
9. Security wasn’t properly focused
Valspar had typical “security readiness.” Like most companies, Valspar had security against outside intrusions (more about that later), but little security against a “trusted employee.”
10. Our immediate response
Lee was sent home the day he resigned. A co-worker was asked to look at his computer and see if there were any clues as to where he might be headed.
We quickly uncovered some irregularities. But we had no smoking gun at this point.
11. We got lucky
A co-worker looked at some “invisible files” and uncovered a log file for an unauthorized program called “SyncToy.”
Lee had copied 44 gigabytes of our sensitive data onto an external hard drive.
We called the FBI for help. This was mid-day on Wednesday.
We learned that David Lee was booked on a flight to China in less than 10 days!
13. Valspar’s new state of “readiness”
Lee’s theft woke us up.
Our IT systems were built with only a basic perimeter security focus and little internal security.
1. Trusted insiders could steal a lot of information – because they had wide access.
2. Outsiders, if they could get past the perimeter defenses, would also be able to steal a lot of information.
THIS MODEL IS OBVIOUSLY FLAWED
14. CyberSecurity – Attack Categories
• Denial of Service attacks
• Hacktivists
• “Insider” trade secret theft
• “Outsider” Cyber-thefts
  – “APT” theft of information
    • TS (trade secrets)
    • PII
    • Etc.
  – Bank transaction theft
  – Ransomware
15. Advanced Persistent Threat – “APT”
• APT is an advanced hacking technique that permits an outsider to infect a computer network and download sensitive data without detection.
• APT hackers are well organized and will target a specific company’s data in exchange for a fee.
• APT hacking is a professional and profitable business.
• APT is not some bored teenager in his bedroom.
16. Security “Scorecard”
Security measures were grouped in four main categories:
• Data Security
• End Point Device Security
• Network Security
• Policy & Training
“Points” are awarded when certain security measures have been achieved.
18. Identify & Protect
Classify
• Special Control
• Confidential
• Internal Use Only
• Public
Protect
• “Need-to-know” access
• Focus on important Trade Secrets
Report
• Monitoring / security tool
19. Classification is only the first step
After you identify and classify your most important information, you will still need to identify all the ways that information moves throughout your organization.
This will not be easy ….
21. “DLP” – Data Loss Prevention
DISCOVERY – What & where is sensitive data?
• Classification – persistent, inheritance
• Context – location, type, user
• Content – similarity, keyword, dictionary
ACTIVITY – What is the user doing with it?
• Email – attach, copy/paste, compose/send
• Files – move, copy/paste, burn/print, upload
• Application Data – view, delete, modify
DESTINATION – Where is the data going?
• Devices, Applications, Networks, Printers, Internet, Recipients
CONTROL – What action is appropriate?
• Incident Alert – detection
• Prompt User – intent/educate
• Warn User – awareness
• Encrypt Data – protection
• Block Action – prevention
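A worked example, added here and not part of the deck or of any DLP product's code: a small Python policy evaluator that walks each event through the four DLP questions on the slide (Discovery, Activity, Destination, Control) using the classification tiers from the Identify & Protect slide, and adds a bulk-copy check of the kind that would have surfaced the 44 GB copy in Valspar's story. The rule mapping, the 10,000 MB threshold, which destinations count as leaving the organization, and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the slides or any vendor): a toy DLP decision engine that
# walks each event through the DLP slide's four questions. Rules, thresholds and
# sample events are constructed assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classification tiers from the "Identify & Protect" slide, most sensitive first.
TIERS = ["Special Control", "Confidential", "Internal Use Only", "Public"]
# DLP-slide destinations treated here (an assumption) as leaving the organization.
LEAVES_ORG = {"Devices", "Printers", "Internet", "Recipients"}


@dataclass
class Event:
    user: str            # who is acting
    classification: str  # DISCOVERY: persistent label on the data
    activity: str        # ACTIVITY: e.g. "Files/Copy", "Email/Attach"
    destination: str     # DESTINATION: "Devices", "Internet", "Applications", ...
    size_mb: int = 0

def sensitivity(label: str) -> int:
    """0 = Public ... 3 = Special Control; unknown labels fail closed to Confidential (2)."""
    return (len(TIERS) - 1 - TIERS.index(label)) if label in TIERS else 2

def decide(ev: Event) -> List[str]:
    """CONTROL: the slide's controls that apply to one event (Incident Alert,
    Prompt User, Warn User, Encrypt Data, Block Action); empty means allowed."""
    s = sensitivity(ev.classification)
    leaving = ev.destination in LEAVES_ORG
    if s == 0:                                   # Public: nothing to protect
        return []
    if s == 3:                                   # Special Control never leaves; log every touch
        return ["Block Action", "Incident Alert"] if leaving else ["Incident Alert"]
    if s == 2:                                   # Confidential
        if not leaving:
            return ["Prompt User"]               # capture intent, educate
        if ev.destination == "Devices":
            return ["Encrypt Data"]              # removable media only if encrypted
        if ev.destination == "Recipients":
            return ["Prompt User"]               # justify the e-mail attachment
        return ["Block Action"]                  # web upload / print
    return ["Warn User"] if leaving else []      # Internal Use Only

def review(events: List[Event], bulk_threshold_mb: int = 10_000
           ) -> Tuple[List[Tuple[Event, List[str]]], List[str]]:
    """Apply decide() to every event, then flag any user whose copies of
    non-public data to removable Devices exceed bulk_threshold_mb in total:
    the insider pattern from Valspar's story that per-event rules miss."""
    decisions = [(ev, decide(ev)) for ev in events]
    volume: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.destination == "Devices" and sensitivity(ev.classification) > 0:
            volume[ev.user] += ev.size_mb
    return decisions, sorted(u for u, mb in volume.items() if mb > bulk_threshold_mb)

# Constructed sample events (fictitious users); alice's 44,000 MB total mirrors the 44 GB in the slides.
SAMPLE_EVENTS = [
    Event("alice", "Special Control", "Files/Copy", "Devices", 30_000),
    Event("alice", "Confidential", "Files/Copy", "Devices", 14_000),
    Event("bob", "Confidential", "Email/Attach", "Recipients", 2),
    Event("bob", "Internal Use Only", "Files/Upload", "Internet", 5),
    Event("carol", "Public", "Files/Upload", "Internet", 50),
    Event("carol", "Confidential", "Application Data/View", "Applications", 0),
]

if __name__ == "__main__":
    decisions, bulk = review(SAMPLE_EVENTS)
    for ev, controls in decisions:
        print(ev.user, ev.classification, ev.activity, ev.destination, controls or ["Allow"])
    print("bulk copy alert for:", bulk)
```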
22. Digital Guardian
[Diagram: the Digital Guardian agent provides Monitoring, Controls, Classification and Encryption across three data flows: 1. Extract (from Windows File Servers to Windows Workstations), 2. At Rest, 3. Download/Sync. Controls shown on the flows: Encrypt, Block, Prompt/Justify.]
23. End Point Device Security (Protect)
Sensitive data is accessed using “end point” devices. MOST companies configure these devices with negligible security and hackers can exploit known weaknesses to gain access to these devices.
• Step 1 – BUILD a secure image for PCs, mobile devices, and servers.
• Step 2 – MAINTAIN the secure configuration.
  – Lock down the Admin Rights;
  – Prevent the use of unauthorized software; and
  – Patch the OS on a regular basis.
• Step 3 – DEPLOY the secure image on all machines.
  – Don’t trust the BYOD model.
24. Network Security (Detect)
• Step 1 – BLOCK unauthorized devices (not just users) from gaining network access through VPN, wireless and LAN connections.
• Step 2 – DEPLOY a secure configuration for firewalls, routers and switches.
• Step 3 – ENABLE an Intrusion Prevention System that ALERTS security in real time as to any anomalous traffic.
• Step 4 – DEPLOY a Security Information and Event Management (SIEM) tool where all switch, router, firewall and critical server and database logs can be analyzed.
25. Policy and Physical Security (Respond/Recover)
• Step 1 – PUBLISH simplified corporate policies – that are SUPPORTED by the CEO.
• Step 2 – DEVELOP a robust incident response team.
• Step 3 – DESIGN and CONDUCT periodic penetration testing and auditing.
26. Some good news
Information security is basically “free.” Properly secured IT systems will:
• Be streamlined (with fewer different “versions” of software);
• Be more cost effective (deployment of software will take less testing); and
• Require less field service.
27. Cybersecurity is not about Security. It is About Trust: Growth and Market Value
Ken Morris, J.D., Redpoint Advisors, knectIQ Inc.
28. Forget any and all national/state data security regulations and frameworks. Any computing device capable of storing, processing, receiving or transmitting PII/PHI/M2M identifying information or other valuable enterprise information will be targeted.
Bottom Line: Meeting a statutory, regulatory or compliance provision is often suboptimal when it comes to protecting PII/PHI/M2M identifying or other valuable enterprise information.
41. TRUST AS A SERVICE
• Managed security is still primarily a traditional security approach
  – Proactive, learning systems instead of traditional reactive models
• Security needs new champions – beyond the CISO and CRO
  – Board level leadership
• Innovation is nice but execution is what matters
  – Anyone or any organization that touches the enterprise must be involved in maintaining a trusted environment
• Satisfaction with Security is an Illusion (most enterprises in reactionary mode)
  – Frame cybersecurity as a risk management matter
• Digital trust requires a commitment to an ecosystem approach
  – Every entity in the ecosystem secures identifying and sensitive information
• Customer expectations, the growth of threat surfaces in mobile and the IoT are disruptors that traditional and conventional cybersecurity approaches do not adequately address.
  – Agility and adaptability become paramount
42. A COMPLEMENTARY PROTOCOL
Sender generates UID. De-identified encrypted data sent with hashed and salted UID.
Validation & authentication: Receiver removes salt from transmitted UID. Generates local UID. Compare UIDs. If matched, receive data, authenticate, accept data, eliminate UIDs.
• NO SINGLE USE TOKENS
• NO STORED KEYS OR CERTIFICATES
• UNIQUE & CONSISTENT IDENTIFIER
• HARDENS AUTHENTICATION
• ENABLES OPTIMAL USE OF CONNECTED DEVICES & DATA
Patent Pending…
43. CONSIDERATIONS
• Establish and Enforce Cyber Governance
  – IAM
    • Strong passwords
    • MFA (Multi-factor authentication)
    • Role based access
  – Board led “security as risk management” policy development
  – Risk stratify digital and data assets
• Identify Vulnerabilities
• Protect the “Crown Jewels”
• Identify and monitor Threats
  – Active, heuristic threat learning AI based platforms
• Collect, Analyze and Report Relevant Threat and Incident Information
• Do you have a “Trust as a Service Ecosystem”?
  – Vendors
  – Suppliers
  – Other affiliate business partners (professional services: outside counsel, consulting firms, etc.)
  – Customers
• Plan and Respond!
44. Investing in Preparation: The Incident Response Process
Reducing business impact through an efficient incident response process.
Charlotte Tschider, J.D., Cybersimple Security, LLC
45. Is it a Data Breach?
Day 1, 11:45 AM
“Jay Stellant” has gathered information from social media about your company, a provider of online timecard software. Jay calls your organization’s help desk, and convinces the operator that Jay is a business associate of your organization. The help desk operator gives Jay the director of finance’s business information.
Day 2, 9:00 AM
Jay calls the large business customers for your organization listed on your Website and marketing materials, posing as the finance director for your organization, and is referred to their respective procurement departments.
Jay mentions that your organization has not yet received payment for their subscription, and that access to your software will be removed if payment is not transferred within the next two business days. Jay provides an offshore account number registered with your business name and provides an e-mail address that is similar to, but different from, the finance director’s e-mail address.
46. Is it a Data Breach?
Day 3, 10:30 AM
The procurement contact searches records and discovers that your organization has already been paid. He fears that the wrong account number was used for payment and sends an email to Jay’s false email address arranging a phone call.
Jay calls the procurement contact and asks to validate the account number on record and an associated PIN. Jay now has one of your organization’s bank account numbers.
47. Is it a Data Breach?
Day 3, 12:30 PM
Jay sends an email to a finance supervisor for your company, whom he discovered on LinkedIn, after validating from a public Facebook account that the director of finance is currently on vacation.
Jay sends the email from his own e-mail address, using a convincing email signature and listing the account number he gathered from the customer, mentioning that he is validating the correct account numbers for payment purposes with one of your customers, and would like to review the full account list directly in the system but needs the user ID/password. He states that he is on vacation, and that he needs this information as soon as possible.
Knowing the finance director is actually on vacation and wanting to impress him, the finance supervisor sends the log-on information for the system to Jay. The system is managed by a third party and is accessible outside of the corporate network.
48. Is it a Data Breach?
Day 3, 5:30 PM
By the end of the day, the finance supervisor feels a bit unsettled about sending the e-mail earlier, and he decides to talk to his manager about the director’s request. The finance manager, who usually receives requests from the finance director, knows this is not typical behavior.
The finance manager reports the situation immediately through the employee relations hotline.
Day 4, 9:00 AM
An incident manager on the IT security team receives the report and calls the finance manager to gather more information. Together, they call the bank managing accounts, and the bank confirms that substantial amounts of money have been transferred to an offshore account.
WHAT HAPPENS NEXT?
49. Agenda
• Introduction to Incident Response
• Incident Response, the Law, and Industry
• The Incident Response Process
• The Incident Response Plan
• The Incident Response Management Team
• Collaborating with Government Officials
• Data Breach Obligations
• Key Takeaways
50. Introduction to Incident Response
DEFINING INCIDENT
An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
An “Incident” includes potential future data breaches before they are confirmed and other adverse consequences.
Incidents may affect the confidentiality of information, availability of information, or integrity of information.
51. Introduction to Incident Response
DEFINING DATA BREACH
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
“Sensitive information” can be interpreted differently depending on industry, but state data breach notification statutes usually apply to personal information.
TERMINOLOGY MATTERS!
52. Introduction to Incident Response
AN EFFECTIVE INCIDENT RESPONSE PROCESS:
• Can identify potential incidents through tools and self-reporting quickly, reducing or avoiding damage
• Centralizes reporting for fast escalation and decision-making
• Does not define a situation too early; focuses on information gathering
• Prioritizes communication strategy, both external and internal
• Enables retention of accurate information for future litigation, involving civil and criminal liability
Incident response is a collaborative process, including a variety of business leaders and government, depending on the incident.
53. Incident Response, the Law, and Industry
Organization Type | Requirement*
Financial Institutions | Interagency Guidance under the Gramm-Leach-Bliley Act requires a security breach response program.
Healthcare HIPAA Covered Entities | The HIPAA Security Rule at 45 CFR § 164.308(a)(6)(i) requires a covered entity to “identify and respond to suspected or known security incidents.”
Government Contractors | Government contractors may be required to follow NIST guidelines within a government contract under FISMA.
Organizations with customers in specific states/territories | 51 U.S. state and territory data breach notification statutes require notification upon discovery of a reasonably suspected data breach.
Retailers/Organizations Accepting Payment Cards | Payment Card Industry requirements specify “implement[ation of] an incident response plan [and to] be prepared to respond immediately to a system breach.”
*Contracts may also require incident response efforts and notification.
54. The Incident Response Process
Plan → Detect → Contain → Notify → Recover → Improve
• One employee should be responsible for Incident Response.
• Cybersecurity controls should be in place to detect intrusion and unauthorized use.
• The Incident Response Team should use repeatable procedures to contain and preserve incident details.
• Continuous learning is critical to timely response.
55. The Incident Response Plan
An Incident Response Plan Should Include:
• Mission, strategies, and goals statements
• Organizational approach
• Details of senior leadership involvement and approval
• Approach for communication within and outside the organization
• References to procedures (which then include checklists, technical processes, forms, or playbooks)
• Effectiveness metrics
• Maturity Roadmap
Incident response plans should be tested at least annually. Tabletop exercises and true readiness testing ensure plans are useful during an incident.
56. The Incident Response Management Team
[Organization chart. Roles shown: CEO; Chief Information Security Officer; General Counsel; Chief Information Officer; Public Relations; Chief Risk Officer (or CFO); Incident Response Manager; Human Relations; Marketing; Technology Architect; Internal Communications; External Counsel. The chart groups them into a CORE INCIDENT RESPONSE TEAM and ADDITIONAL TEAM MEMBERS.]
57. Collaborating with Government Officials
ADVANTAGES
• Officials may be able to “connect the dots” across other information sources
• Early assistance with correct forensic procedures
• May reduce damage with more complete, efficient response
• Benefit of the doubt if administrative action taken
• Better positioned to stop a particular actor from attacking again
• Future partnership and information sharing
DISADVANTAGES
• Once engaged, the government will typically take control to manage a situation
• Administrative agency notification may be required sooner than an organization might feel comfortable
• Disclosing information to the government may necessitate involvement of external counsel earlier in the process
58. Data Breach Obligations
Data breach notification obligations may include:
• Administrative agencies overseeing federal regulations with which the organization must comply (e.g. FTC, FCC, OCR, OMB)
• Affected consumers under specific regulations (e.g. HIPAA)
• Shareholders, if a data breach is considered “material”
• Customers or insurers that are owed notification under contract
Based on the affected person’s residence, notification to:
• International authorities (e.g. the EU Data Protection Authorities)
• Consumers whose personal information has likely been compromised in a state with a statute requiring notification
• Major credit monitoring agencies and state AGs when required
• The media as an alternative to direct consumer notice over a specific volume
59. Key Takeaways
• Incident response is an effective risk management technique to protect organizational assets.
• Incident response plans must be exercised to ensure they are effective when used.
• Organizations must include executives early in the incident response process.
• Organizations should decide government involvement on a case-by-case basis.
• Organizations must be reasonably certain of exposure before labeling an incident a “data breach.”
60. More Information
Board of Governors of the Federal Reserve System, Interagency Guidelines Establishing Information Security Standards (Aug. 2, 2013), https://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm.
National Institute of Standards and Technology, Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2 (Aug. 2012), http://dx.doi.org/10.6028/NIST.SP.800-61r2.
National Initiative for Cybersecurity Careers and Studies, A Glossary of Common Cybersecurity Terminology, https://niccs.us-cert.gov/glossary.
National Conference of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
United States Computer Emergency Readiness Team, US-CERT Federal Incident Notification Guidelines (Oct. 1, 2014), https://www.us-cert.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
61. Panel Discussion and Q&A
Program Faculty
• Professor Sharon Sandeen – Mitchell Hamline School of Law
• Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
• Ken Morris – Senior Advisor, RedPoint Advisors
• Charlotte Tschider – Owner/Principal, Cybersimple Security, LLC