September 19, 2016 | Minnesota Lawyer
EXPERTS FORUM: CYBERSECURITY
Welcome to Minnesota Lawyer’s Expert
Forum on cyber security. This section was
the result of a panel discussion that brought
together some of the top local experts on
cybersecurity, a topic that becomes more
and more relevant to companies of all sizes
and industries with each passing day.
The following is an edited version of the
wide-ranging discussion that took place
among our experts. Among the topics
addressed were how cybersecurity can be
defined, how to plan for and respond to a
data breach, and how the government’s role
in cybersecurity is evolving as the world of
security grows and changes.
PANEL MEMBERS:
ELIZABETH STEVENS (moderator)
is the director of Enterprise Resiliency
Response at the UnitedHealth Group.
MARY FRANTZ is managing partner
of Enterprise Knowledge Partners, LLC,
a firm of cybersecurity specialists who
do ethical hacking, penetration testing,
breach remediation, incident response
and some proactive work for government
agencies.
JERROD MONTOYA is security
and compliance counsel at Open Access
Technology International, a software and
service provider to the North American
energy sector. He is also president of the
InfraGard Minnesota Members Alliance.
MELISSA KRASNOW is a partner
at Dorsey Whitney, LLP. Her practice
includes privacy and corporate law, and
she counsels companies on preparing
for, responding to and managing data
breaches and incidents.
ANDERS A. ERICKSON is senior
manager of the advisory services group
at Eide Bailly. Among other things, the
group focuses on risks related to IT,
including educating management on
understanding, managing and mitigating
IT risks.
STEVENS: How do you define
cybersecurity?
ERICKSON: I would say it’s sort of the
subset of IT and specifically, a subset of IT
security that deals with the transmission
of information. If I’ve got data in my
warehouse or on my servers sitting in
my company, there are some aspects of
cybersecurity that I have to consider.
But really, cybersecurity becomes a factor
when I want to move that data somewhere.
I’m moving it across my network or
someone else’s network; it’s going across a
medium. Now, cybersecurity takes effect
because we’re worried about that data as
it moves through untrusted networks or
through different people being able to
see it. Maybe we need to make sure they
only see the things that they need access
to see. So I think when we try to define it,
it becomes the movement of information
across some medium whether it’s trusted
or untrusted.
FRANTZ: When our clients refer to
information security, a lot of times
they mean security internal to their
organization. And when they refer to
cyber, they are referring to information
and security that traverses outside the
organization -- but also they’re thinking of
protecting against external threats.
MONTOYA: Cybersecurity to me is
the protection of information or things
that have a digital footprint. It’s not just
computers. You don’t have to be just in a
data center. There’s certainly a physical
element, and it begins with what you
are seeking to protect. Then you look
around that to see if there’s a digital
connection, and to me that represents the
cybersecurity aspect.
STEVENS: What about the difference
between security and privacy? Are they
one and the same?
FRANTZ: You can’t really have one
without the other, because you can’t keep
something private if you can’t secure it.
But the concept of privacy is based on
who can see it. Security really enforces
the privacy constraints that are placed on
individual pieces of data or corpuses of
information.
STEVENS: Is it fair to say that privacy
is defined as what needs to be protected
regarding your credit card, payment
card information and so on, while
security is what needs to be done to
ensure such protection?
ERICKSON: That’s one way to put it.
When you start talking about privacy a
legal aspect takes effect. If someone came
to me and asked for help in implementing
security, there’s some risk that needs
to be understood. And then there are
definitions of what privacy is and how
certain information needs to be protected
legally.
In the accounting world, if a company
wants help with privacy, I need to ask, Do
you really want privacy or do you want security?
Because if you want privacy, that’s
going to have to take a different route, and
I may have to get some people involved to
understand the legal aspects of the data,
not just the security aspects of it.
FRANTZ: I would agree that privacy is
something that you see a little bit more on
the legal definition than you do a broad
term like security.
STEVENS: Let’s talk about the business-
level concerns. What am I accountable
for when it comes to protecting
information? How do I decide what
needs to be covered?
KRASNOW: From the perspective of
an organization, what is the organization
representing on its website or mobile
application through its privacy policy?
What is the organization saying in its own
internal and external policies? It’s very
important to know what the organization
is saying in the contracts it’s entering into
with other parties.
STEVENS: What are some of the
considerations? What are the basic
elements that have contributed to the
ever lengthening privacy policies and
the changes, whether it’s from case law
or otherwise?
KRASNOW: Privacy policies are
creatures of different laws. They can
be at the state level. A great example is
California, and more recently Delaware.
They have specific requirements for
privacy policies. There’s also enforcement
actions by regulators. A great example
at the federal level is the Federal Trade
Commission. So the way privacy policies
have evolved has been in response to
Federal Trade Commission enforcement
actions.
Some provisions come in surprising ways.
An example is what happens when a company
goes bankrupt. It’s not an optimistic
thought, but there have been Federal
Trade Commission and bankruptcy court
enforcement of promises made in privacy
policies. Many areas of privacy come
from guidance. Maybe not quite a legal
requirement, and maybe not quite from
a government agency. A good example is
PCI DSS [Payment Card Industry Data
Security Standard], the credit card industry
standard. The PCI is a group of major
brands of credit card companies -- not the
government.
STEVENS: You mentioned Delaware,
where many companies are
incorporated. What has changed there?
KRASNOW: Let me start with California.
It’s one of the leading jurisdictions in
terms of having the most privacy laws
and having a very good attorney general,
along with its own privacy office and
longstanding members who are very
knowledgeable. California historically
has required companies to have a privacy
policy if they’re doing business there. If
you have a company in Minnesota, unless
there’s a specific prohibition against doing
business with California, your website
could presumably reach someone in
California. If so, the law says you should
have a privacy policy that contains certain
content.
In addition, there was a recent case against
a company which had failed to post a
privacy policy -- not on its website but on
its mobile application. So even though the
California law was issued earlier, it was
construed to include mobile applications.
California has had this law for a long time.
Other states haven’t followed.
More recently, Delaware enacted a law that
isn’t exactly the same as California’s, but it
requires a company with a Delaware nexus
in its business to have a privacy policy and
to have content requirements very similar
to California’s. This law departs from
California in that it talks about digital
reader information. But what the law says
is if you’re collecting information from a
Delaware resident, that’s a little different
because the company is incorporated in
Delaware.
STEVENS: Let’s say I’ve started my
own LLC or LLP. Where do I start? Do
I work entirely through contractors
and consultants? Do I need to have an
in-house security guru, or am I able to
navigate some of this on my own?
ERICKSON: I think any attempt
to implement cybersecurity in an
organization requires a look at what your
resources are -- what you have in-house.
There’s nothing wrong with hiring people
in-house if that’s your business model and
you want to bring people in. But make
sure they have the proper certification and
understanding of IT security.
I think it’s helpful to look to an outside
consultant, if nothing else, to maybe get an
independent evaluation of how cybersecurity
is being implemented in your organization.
Having that subject matter expert,
someone independent whom you trust to
do an evaluation and help you understand
your network is important. But there’s no
reason an organization couldn’t hire an IT
security professional to internally develop
the appropriate measures and controls and
security in place to operate effectively in a
secure environment.
FRANTZ: It depends on the business
they’re in. I would look to the type of
engagements and agreement they’re
making with their customers and other
contractors.
If a contractor says, “I’m going to keep
your data secure,” they need to go in and
do a checklist of best practices to make
sure they’re doing all due diligence to
show that they did everything within a
normal size and cost area. And there could
be things as simple as making sure your
cybersecurity databases are updated and
you have an anti-malware and anti-virus
Internet security platform on the PCs you
are using.
A lot of small businesses -- especially sole
proprietors and companies of up to 10
or 15 employees -- pick up these requirements
and checklists and they talk about
putting in a log aggregation tool and
putting in separate firewalls. They need to
look at what they’re going to be holding,
who they are doing business with, what
they’re promising and what those businesses
require before they know how far
they have to go with their security and
how much they should be spending.
“Exercises are becoming more and more common.
Where they used to be reserved for a specific
disaster recovery tactical exercise, now you see that
executives are getting more involved in working
through tabletop scenarios.” -- Elizabeth Stevens,
Director, Enterprise Resiliency Response, UnitedHealth Group
ERICKSON: Another aspect of that is just
where their data is residing. If you’ve got a
co-location facility, or you’ve got vendors
who are coming and helping you establish
your environment or create applications,
all these people are touching your data or
housing your data. But the data that your
customers are entrusting you with isn’t
in your protection. It’s given to someone
else. Maybe it’s someone processing
your payroll. That’s information you’re
responsible for and you’re giving it to
somebody else. So make sure those other
organizations have appropriate internal
controls and security in place to protect
that data as it goes out and is housed or
processed somewhere else.
STEVENS: Whether I’m a large
corporation or a small independent
contractor, I have some obligation to
understand and be accountable for
those elements. How do I determine
what is most incumbent upon me and
how do I manage those third-party
relationships?
MONTOYA: It’s not just when you’re
starting out. You might choose to move
to a vendor later on in your business, so
this issue isn’t unique to new companies.
But the issue of supply chain security is
important to understand because when
you outsource to a vendor or have another
party conduct some of your business,
you’re basically expanding your attack
surface. It’s a new space where you can be
vulnerable to an email attack. It’s a new
space where ransomware, for example, is
a hot topic.
It’s important to look down that stream
and see what kind of controls are in place.
In the cloud, it’s interesting to see how
certain vulnerabilities are overlooked.
Within the cloud there are different layers
of services that can be provided at the
software layer, the platform layer or the
infrastructure layer. Each of those services
could be from a different vendor.
If you choose a software provider, there
theoretically could be two other vendors
behind them, with potential vulnerabilities
that you might not know about. So
there are two options: Choose someone who
controls the entire infrastructure in-house,
or ask the right questions of any prospective
providers.
STEVENS: What are the right questions
to ask?
FRANTZ: Let’s say you’re an independent
auditor or you’re helping somebody do
taxes. You’re going to be holding their
information. You have to look at the
content of that information. You have to
look at what you promised to know about
what your responsibilities are regarding
your own environment as well as the
environment you’re putting that data into.
Everyone has gone into a coffee shop and
logged into a wireless network with a clear
disclaimer: “We’re not responsible for the
security of your data.” If you say that to
your customers, they’re not going to want
to give you any information. But a lot of
people are using services like Office 365 in
the cloud. When they put the data somewhere,
it’s their responsibility to make sure
that it’s protected.
It’s about understanding your environment
and making sure that you’re protected in
order to do that due diligence.
STEVENS: The Uptime Institute will tell
you that you can best protect your data
by putting it in a level four-certified data
center, and there are many companies
that do that. But let’s talk about other
options. Is there a very quick and easy
way for me to determine whether my
service provider has my data under
control and isn’t posing a risk to my
customers?
FRANTZ: First of all, many of the cloud
providers are level four- or level three-
certified data centers. The idea of the
cloud is basically that the data going from
point A to point B is traversing over the
Internet instead of from point to point.
So we don’t want to unnecessarily scare
people just because of the word cloud.
But there are standards that most cloud
service providers should have. One, of
course, is the SSAE [Statement on Standards
for Attestation Engagements] 16
statement of operating controls, type 2.
There’s FedRAMP [Federal Risk and Authorization
Management Program]. There’s
the CSA, or the Cloud Security Alliance.
You don’t need to pick all of them because
there’s a lot of overlap between them. And
some of them are specifically made as
auditor controls. But when you are going
to put data in the cloud or in another
hosted environment, you should ask the
provider what they’re certified for. If the
certification wasn’t completed in the last
12 months, then it’s no good.
MONTOYA: At a higher level, it’s a matter
of understanding what best practices
are out there and what information
you’re seeking to protect. A program
like FedRAMP is an enhancement of
standards that come out of the National
Institute of Standards and Technology.
The NIST standards were designed to
apply to the federal government, and
they’ve grown into the private sector
because they’re very sound security
practices. So many companies do business
with the federal government that it’s very
difficult not to encounter them at one
point or another.
ERICKSON: You can do a SOC 2 in
conjunction with another framework such
as the Cloud Security Alliance framework
or NIST 853 framework. That allows you
to have an independent evaluation while
also appeasing any type of regulatory or
customer requirements for a particular
framework.
FRANTZ: People will get breached
and they’ll say they had this or that
certification. A lot of certifications are
very sound, but they didn’t necessarily hit
on what that organization needs for its
data at that time. The company still needs
to know what they are promising their
customers and how they are supposed
to handle their data from a statutory or
regulatory basis.
You’ve got the privacy inherent in holding
someone’s Social Security number
and their personal information, but then
you’ve got the obligation to hold on to that
information appropriately. But as far as
putting your data someplace else, find out
how the provider is certified.
STEVENS: Has it become time to look
at a national data breach standard that
is not necessarily specific to health care
or finance?
KRASNOW: There’s been a lot of talk
about a national standard for breach
notification. In a sense, we have it for
protected health information through
the federal HIPAA law. We also this
year have a proposal from the Federal
Communications Commission to
regulate broadband service providers.
It is not yet final, but there would be
breach notification in cybersecurity
requirements.
As things stand now, breach notification
is governed by 47 breach notification laws
plus four additional laws in other territories.
One of the important points is that
they’re constantly changing. In January
2015, President Obama proposed a federal
breach notification law, but here we are
almost two years later and we don’t have it.
What happened in that time? Many states
either enacted or further amended their
breach notification laws to impose additional
requirements. One big area of
requirements is in addition to notifying
an affected individual, an organization
also must notify a state attorney general, a
regulator that has an interest in protecting
consumers. There are more extensive notification
requirements, so it’s interesting the
state laws are now more complicated. One
day there probably will be an overarching
federal breach notification law, but we are
not there yet.
Illinois was the most recent state. It
amended its breach notification law and it
now has a security procedures law that will
go into effect on January 1, 2017. While
47 states have breach notification laws plus
four territories, it’s interesting to me that
at the state level about 25 percent of states
have any security procedures laws. To me,
there should be as many, if not more, state
security procedures law requirements
to protect at the outset. Those laws are
increasing.
STEVENS: What prompted the change
in Illinois?
KRASNOW: Illinois had been
considering a lot of amendments to its
breach notification law, and last year
more extensive amendments. Its governor
refused to sign the bill, saying too many
requirements were being imposed on
businesses. Illinois is a state with budget
issues. It has a very active attorney general
in Lisa Madigan. The question is, if you
are imposing requirements on businesses
and having the state attorney general
enforce them, would the state have
adequate resources to effectively enforce?
MONTOYA: It’s amazing, with all this
activity and complexity in the privacy
space, to imagine that even with
nationalized standards, there are still
potentially gaps out there in terms of
cybersecurity. There could be breaches
that you might not know about if they
didn’t impact private card information or
private health information.
Late last year there was a story out of the
Ukraine about a power grid being hacked,
and in that situation the flow and the
energy transmission data is not something
that’s heavily controlled within national
standards. So what you’re seeing in the
grid space in particular -- and there’s probably
other critical infrastructure sectors
that face a common challenge -- is that
there’s a national standard and then a gap
at the local level. One of the gaps right
now that’s being discussed is what do you
do on the distribution side of the grid. The
wholesale market has been regulated for
years by the Federal Electric Regulatory
Commission and North American Reliability
Corporation.
But while those are applicable to the
wholesale transmission and energy trading
space, the local side of that is that utilities
that bring power to your house aren’t
necessarily regulated on the same level.
Efforts are being made, but even with that,
there’s a potential to miss some spaces. So
it’s a great challenge.
STEVENS: There’s a wide variety of
attacks that can happen. Let’s talk about
the social engineering element and
ransomware.
MONTOYA: Ransomware is not
particularly new. It’s describing a form of
phishing, sending an email and trying to
get someone to click on a link.
There’s a way to embed certain code in a
link that if you click it the sender could
download malware onto your device. The
reason this is so important is that when
you click on that link, there’s cryptography
activity that takes place in the background,
and the code will go to your files and begin
encrypting them one by one. And before
you know it, you try to click on a file and it
doesn’t open. Instead you get this message
that says your files have been encrypted.
The fact that ransomware has become such
a topic of conversation is good. But you
cannot harp enough and train enough on
how to prevent these attacks. Years ago,
the stereotypical phishing attack was an
email about a Nigerian prince who had all
this money he wanted to give you and all
you had to do was just send your Social
Security number. It was easy to spot. But
now the attackers are actually doing in-depth
research and they know the industry,
they know the companies. I saw one
example where the attacker would email
not a company’s executives but rather
somebody else – who would forward it
on and say, “Hey, we’ve got to take care of
this.” Or they sent it to the executive with
such in-depth and particular knowledge
that he or she had to click that link.
This idea of social engineering is just
really manipulation of the human mind
to solicit information or have the target
take a particular action. It’s not necessarily
a technological solution as much as it’s
a people solution. You have to train and
educate and continue to talk about it to
effectively mitigate this.
STEVENS: So it’s more than having
the right sets of certifications and
being compliant with your regulatory
responsibilities. How do we balance
this solution so that it includes
elements beyond just the regulatory
requirements?
ERICKSON: I like what Jerrod was
talking about, that idea of a regulatory
environment. I think there needs to
continue to be that national discussion
about that; but it’s expensive and at some
point it plateaus in the value you get for it.
There needs to be something more, and I
think it’s incumbent upon executives and
management to begin to create this culture
within their own sphere. There needs to
continue to be that element of education
that executives begin to realize their role
in this. They can’t just leave it to IT to do
their best. They need to take a proactive
approach and be part of the solution – to
understand that they need to bring in
independent experts outside their organization.
You can often look to the accounting
industry as an example. Investors who
want to know how a company is doing
financially don’t just take the financial
statements themselves. They go get an
independent industry expert to come in
and evaluate that organization. Likewise, I
think companies need to look for those independent
experts to come in and evaluate
the third-party second opinion, to evaluate
the organization and to pull back the covers
of IT and understand what’s happening
there.
It has to go beyond regulatory compliance
and get to our day-to-day activities, where
security becomes a part of that culture.
MONTOYA: This is such an important
idea. They shouldn’t be combative,
compliance and security. They’re
complementary, and I would leverage the
compliance framework to communicate
your security to your audience -- whether
it’s your industry or your regulator.
But the other side here is, don’t just stop at
compliance. You have to continue to think
about the security and have a secured base
going forward, whether you are doing that
in-house or through an advisory service.
STEVENS: How do you create a
culture where there’s enthusiasm for
cybersecurity wherein everybody is a
part of it?
FRANTZ: There’s good and bad hype.
There are good and bad scare tactics. The
stuff that happens in a corporation is the
stuff that can happen to you at home
too, and we try to relate it back to an
everyday situation. If a pizza delivery
guy comes to your front door wanting to
sell you a pizza and you never ordered
one, they’re not just going to traverse the
neighborhood and just try to find a door
that’s open. They’re trying to trick you.
The other thing we try to do is when we
give scenarios and circumstances, we talk
about people’s personal data. We don’t talk
about the data of the corporation, which
sometimes is a little too surreal for them.
We have to make it personal. The stuff that
happens when you log into your own bank
account, when you get onto social media,
etcetera. The same basic concepts do apply.
When you start throwing the big words
around and the acronyms, cryptography,
all this kind of stuff, you start talking at a
level where people kind of go, “I don’t get
it. Just tell me what I need to do.”
STEVENS: The costs need to be
quantified personally and in other ways,
but I don’t know that we’ve really got a
good barometer for that. What are these
things really going to cost a company?
KRASNOW: There are a number of
publicly traded companies who have had
major material breaches worthy of media
attention. And if the company happens to
be publicly traded, it makes filings with
the Securities Exchange Commission.
Go to www.sec.gov and look up a
company’s name. Often these disclosures
might be in the financial statement notes.
And sometimes the disclosure will talk
about the costs they have incurred as of a
specific date, and, further, the disclosure
may also cover whether they have
insurance coverage and maybe have some
qualifying language about the extent to
which they might be able to recover. These
are tangible and quantifiable costs.
The Ponemon Institute and Verizon
annually issue reports on the cost of a
data breach. Their methodologies are
different so there have been articles saying
Ponemon will give a higher cost to
the breach experienced by a company
whereas Verizon will assign a lower cost
per breach. One reason for this is Verizon
deals with criminal enforcement for its
reporting, and they do not take into account
certain costs. The insurance industry
also has calculators on the Internet.
They vary, but you can put in number
of records, type of information at issue,
etcetera, to come up with an estimate
about the cost.
What we’re talking about are tangible
costs. There’s a whole other realm of
intangible costs. Are there organizations
that are now measuring the cost of a data
breach on a company’s reputation and/or
brand? There are, but there are different
organizations using different measures.
I think this is an area to watch in terms of
assigning some sort of intangible value.
STEVENS: Could we ever maybe get
to the point where there’s some sort of
Good Housekeeping Seal of Approval
where as a consumer I might feel
confidence in a company?
KRASNOW: There are third-party
organizations who do have seals, but the
issue is whether they could actually provide
that guarantee and whether a regulator
would be OK with it. There are different
ways to get at the same issue. You can find
on the Internet whether a company has
experienced breaches. Some state attorneys
general post data breach letters. You can
look for media coverage. And you could
actually make inquiry of the company in
terms of how they’ve handled a breach. Just
because a company has suffered a breach
does not necessarily mean that it’s at fault.
STEVENS: Among directors and
officers, is there a level of liability there?
KRASNOW: Yes. Privacy and security are
one of many risks a board of directors and
officers must oversee. In the U.S., liability
for directors is through state corporate law
statutes, and it is the directors’ fiduciary
duties. So it is a corporate standard, not a
privacy standard. In a nutshell, they must
show a duty of care and a duty of loyalty.
Interestingly, companies’ directors and officers
have been sued in the context of major
breaches. In the case of both Target and
Wyndham, the suit against the directors
and officers was dismissed. So you must
show the directors did not adhere to their
duty of loyalty. It’s a very difficult standard
to meet. A plaintiff must plead facts with
particularity, and thus far plaintiffs have
not prevailed.
That said, I do not think lawsuits against
directors and officers and breaches will
stop. I think that plaintiffs’ counsel will
start pleading with more particularity.
They will look at examples of complaints
that were filed and what the result was,
and I think they’ll become more sophisticated.
I think we’re at the beginning, not
the end.
MONTOYA: I think in the privacy space
this idea of reasonable security has been
injected into the conversation. That’s
an ongoing evolution about what is
reasonable under the circumstances. And
it’s just going to take time.
KRASNOW: One consequence of
directors and officers being sued, even
if a suit is without basis, is that it is not
pleasant for the directors and officers or
the company. There’s risk. There’s cost.
You have to hire lawyers, among others.
When directors and officers of these
large companies start to get sued, it’s
unpleasant. But it promotes awareness:
You start to see directors seeking
education in privacy and security. It sets
the tone from the top. This was one of
the top issues last year for the National
Association of Corporate Directors.
STEVENS: We’ve seen the bad actors
come up with new ways to attack us.
We’ve increased awareness through
directors and officers, corporate levels
and media exposure. Who is ahead
today?
ERICKSON: I think the moment we
start saying we’re ahead, we’re behind.
The awareness has allowed discussions
to begin to take place at levels they
hadn’t taken place before. And that just
alone perpetuates a greater speed on the
responsive, detective side. And so it’s a
matter of how we get to the point where
we are anticipating for the next attacker’s
move.
This idea of taking responsibility at the
corporate level, that is going to drive corporations
to say, OK, what’s next? Where
should we anticipate the next step, as opposed
to being reactive? We’re moving in a
proactive direction, but I don’t think we’re
quite there yet.
KRASNOW: I am seeing interest in this
topic this year among governmental
entities. And in the Department of
Homeland Security, the OPM [U.S. Office
of Personnel Management] breach, the
CIO and the officers were the subject of a
lawsuit. This is the federal government.
FRANTZ: There are attackers out there
all the time. But the awareness is really
the key. It’s about acknowledging that
there’s a problem, something needs to get
done and we need to take responsibility
for making sure it gets done. That’s new
among corporate boards. Five or six years
ago they used to say, Don’t tell us.
KRASNOW: Years ago when I was
handling sizeable breaches, it never went
to the board level. It might not have even
escalated to a top executive level. These
days it could be a smaller breach, but it is
almost immediately heard by the board
and the executive officers because they
deem it to be important.
STEVENS: Is that simply because there’s
recognition that a small breach has the
potential to become much larger?
FRANTZ: OPM is an excellent example
because some of the things that happened
earlier were deemed small breaches. But
they got in. A lot of organizations before
might have said, “Oh, this isn’t that big of a
deal.” And now they’re realizing that in an
interconnected world, it is a big deal because
it’s a pattern of behavior that you want to stop.
They’re becoming more educated, so they
understand that a breach is a breach, and
they have fiduciary responsibilities to be
aware of that and know they could be held
liable if they’re not.
STEVENS: The elections are coming up.
There are conversations about what we
expect of our government when it comes
to cybersecurity.
KRASNOW: We were just talking about
the OPM breach. The great irony is
the men and women whose job it is to
protect us, their personal information was
compromised.
FRANTZ: There is definitely a disconnect
between the need to budget for certain
things and the government and how
they go about doing it. Hopefully this
will change as we move into future
administrations. You have to include the
infrastructure stability of the systems that
run the government as part of national
security. They have really got to include
this as a top-level priority.
MONTOYA: It should be included within
the planning and the implementation of
the election infrastructure itself. It should
be viewed as a critical infrastructure that
you should secure the same way you would
anything else that you were going to rely on
for a very important function. Basically, it’s
assessing risk and implementing effective
controls to mitigate it.
ERICKSON: One of the challenges for
the federal government is that it takes a
long time for a big organization. With the
government, with its cyclical nature and
turnover, it’s hard to get initiatives done
that are aimed at the long term. They want
to know what can be done in one year.
STEVENS: Melissa, as an attorney you
no doubt get some of those first calls for
help from companies saying they have
been breached. What’s the first step? How
quickly do they need to respond? Who
needs to be involved?
KRASNOW: It’s always a surprise.
Sometimes the facts seem horrible
initially, but then you wade through and
sift through and find out it may not be
a legal breach. Other times they are that
horrible and could be worse. So the first
thing I try to do is gather information.
They’re probably calling because they
want to know if there’s a breach under the
breach notification laws in the U.S. There
are certain types of information covered
by these laws and other information
that’s not. In every state’s breach law, an
individual’s name plus Social Security
number is covered. Usually, so is name
plus driver’s license or state ID.
Some state laws have been expanding to
include healthcare information, insurance
information, biometrics, and a new
category, email account plus password.
This potentially expands the universe of
information that’s subject to these laws.
That leads to the question of whether these
laws are based on residence. Does your
company have people outside the U.S.?
Countries outside the US increasingly are
passing data breach notification laws.
The other questions are, have you
contained the breach? Have you told anyone?
Have you made any public communications?
What do you need to do regarding
your cyber insurance?
One question I ask up front is whether it
might be a negligent breach, or if it was
a result of criminal activity. It would be a
good idea for the company to notify
federal law enforcement, which could mean
the FBI by default, or the Secret Service
in the event the compromised data are
financial in nature.
STEVENS: How quickly do you need to
notify law enforcement?
KRASNOW: Immediately. And breaches
do not always happen between 9:00 and
5:00. So make sure you have contact
information for the FBI and Secret
Service. Get to know the people working
in your area. These are part of an incident
response plan, and you should have after-
hours contact information for everyone,
including your attorney.
STEVENS: I serve customers in 50
states and beyond. How do I make my
immediate notification accordingly?
KRASNOW: Some people have a knee-
jerk reaction to make a disclosure without
analyzing the law. You always need to
find out what your information is first,
and this takes time. If you involve law
enforcement under the state breach
notification laws, often those laws will be
stayed until law enforcement performs its
duties, which lets you get a breather and
have time to find out more information.
One thing companies have been criticized
for in very public breaches is changing
their information during the course of the
breach. If you’re going to send a letter to
individuals, or putting something on your
website, or sending something to a regulator,
you want to make sure it’s as correct as
it can be. And sometimes you will need to
hire a third-party forensics firm to find out
if personal information has been compromised.
One thing that can be challenging is that
the state breach notification laws
increasingly are requiring notification in shorter
periods of time. And sometimes, media or
others will get wind of the situation, and
you’ll have to be prepared to address that.
What do you say if you don’t know? Do
you simply say “No comment”?
STEVENS: Never say “No comment.” It
suggests nothing but guilt. If you don’t
have information, you acknowledge that
there’s a situation that’s being investigated
and as soon as information can be made
available it will be.
KRASNOW: You will want to consult
with law enforcement, because they may
also have something to say about the
extent to which you can say anything.
STEVENS: You talked about forensic
capability earlier. Can you explain how
that works and what that element of a
response involves?
ERICKSON: One thing our forensics group
provides is a relationship ahead of time
with the client. So if I’ve got a client who
recognizes that having a forensics plan or
incident response plan is an important part
of its information security program, I’ll
get it in contact with a forensics team, and
they come in and study the environment.
Once you’ve had a breach, you don’t want
to bring somebody in brand new and have
to bring them up to speed. They should
be able to hit the ground running and to
know what’s legally required when it comes
to how data is handled, how to respond to
these discovery requests, how to segregate
pieces of information so they’re later
permissible in court.
FRANTZ: And there is a different
forensics process for incident response
than there is for e-discovery. E-discovery
is much more formal. But in a forensic
response to an immediate breach, timing
is everything because that data will
disappear. Especially in a cloud or virtual
environment, you have to know where
the data is and how to lock it down so you
don’t lose any of it.
KRASNOW: A classic example is a credit
card breach or hack. Everyone uses a
third-party processor to process payment
cards. Do they have that agreement at the
ready? Because there will be talk about a
contract provision. What do you need to
do? You might need to inform your card
brand, and there often are requirements
there. So before anything bad happens, go
through your contracts, know what the
privacy and security and particularly the
breach notification provisions are, and
know where a signed copy is.
STEVENS: Exercises are becoming more
and more common. Where they used
to be reserved for a specific disaster
recovery tactical exercise, now you
see that executives are getting more
involved in working through tabletop
scenarios. Mary, can you just talk briefly
about the Cyber Security Summit
exercise provisions that are underway?
FRANTZ: We’re doing a Cyber Security
Summit tabletop exercise, and the
emphasis is on identification and
understanding of the event that occurred
and why that is so critical to determining
the communication between all parties
involved. But one of the goals of trying
to do that exercise live is to let people
know that when you’re in that type of
environment it’s OK to ask questions.
You want people to come to the table and
communicate freely.
The other thing we’re trying to do is turn it
back into the same thought process of
disaster recovery. When organizations used to
practice disaster recovery for real, sometimes
I walked into a data center, unplugged the
machine and said, “Let’s see what happens.”
The cyber tabletop exercises in the past years
have been more about sitting around a table
and talking about it. Then when the real
event occurs you’ve got people who have big
binders full of things that met the checklist
for compliance of having an incident response,
but they’re underprepared when the
event actually occurs.
STEVENS: Anything to add that might
be helpful to the people reading this
section?
MONTOYA: This idea of being prepared,
I think, is the common theme. A breach
doesn’t happen at a convenient time, and
you have to be prepared going into it.
Connect with your local law enforcement
through InfraGard [an information-
sharing partnership between the FBI and
private businesses].
In the area of disaster recovery, we’ve seen
things move from having an alternate site
that’s offline to having an alternate site
that’s online and running at the same time
in real time. And as we move into this next
phase, we’re going to see the implementation
of micro grids to help in disaster
recovery -- if you’re disconnected from
the grid you can continue to run with
self-generation and do it in an optimized
manner that you can use even when there’s
not an incident. So it’s important to stay
forward thinking, maintain those relationships
and just never stop implementing
these best practices and concepts no matter
how the situation changes.
ERICKSON: I think that from a
cybersecurity perspective, we have to just
keep trying. We’re going to fail. We’re
going to see more breaches. But this idea
of not giving up and continuing to try
and push the envelope for how secure
we can be and how secure we can make
customers, constituents, whoever it is. It’s
easy to scare people, but let’s not lose sight
of the fact that there’s a lot of good that
goes on. We’ve got to keep pushing and
not be discouraged.
“One thing our forensics group provides is a relationship ahead of time with the client.”
Anders A. Erickson, CISA, CISSP, CRISC
Senior Manager, Risk Advisory Services, Eide Bailly
Feel Confident in Your Organization’s Culture of Security
Creating a culture of security requires three critical components: the
right people, the precise processes, and the specific technology in
place to proactively prevent, detect and respond to cyber attacks.
Our cyber security team can help you evaluate your people, process
and technology to identify weaknesses, create a roadmap for
strengthening your defenses, and support your team so you can stay
focused on business.
Experience the Eide Bailly Difference.
844.539.5910
www.eidebailly.com/cybersecurity
#EIDELIKE I’D LIKE TO FOCUS ON BUSINESS, NOT WORRY ABOUT CYBER SECURITY