Cybersecurity (NJSBA 2019) Kasi Gifford

Published by dvecere, 2019-10-29 12:48:06

School Law Forum - Cybersecurity


Cybersecurity: A Risk Based Approach

James Mottola, MS, CISM, CPP
Vice President, Data Privacy, Security and Investigations

FORTY-NINTH ANNUAL SCHOOL LAW FORUM

Thursday, October 24, 2019

Topics for Discussion:

• What is an Attack Surface?
• What are the Risks to Businesses today?
• What can organizations do about it?

What is an Attack Surface?

Attack Surfaces

• Virtual Assets - Emails, photos, online
accounts, domain names, websites

• Systems – Integration of technologies:
software, hardware, telecom to create,
store, process and distribute
information

• Processes - Procedures, tools that take
inputs produce outputs and require
management by reporting, planning,
and deployment

Attack Surfaces (Cont.)

• Technology – Solutions, tools, applications,
programs, platforms, devices

• Data – Information, IP, Work Products, PII,
PHI, Input/output

• 3rd Parties – Vendors, Partners,
Customers, IT Providers

• Employees – 1,000 End Points of Risk

What is the Risk to Business Information?

Attack Surface

600% increase in users:
• 2001 – 0.5 billion
• 2014 – 3.0 billion
• 2017 – 4.4 billion

More Attack Surfaces = More Breaches

• Increasing Cloud Services
• IoT – 4.9b 2015 to 25b by 2020 (Gartner)
• Increasing Vulnerabilities
• Domino effect
• 3rd party multiples

Is all information created equal?

"Digital assets now represent 85 percent of an
organization’s value. A digital asset is a system,
process, technology, or data and all have
interdependent relationships. Cyber touches every
aspect of the business and is unescapable."

Crown Jewel Assets

Most prized or valuable asset in terms of its profitability and future prospects.

• Safety-Critical Systems – Loss of life or serious environmental damage for an industrial control system (ICS) for a chemical manufacturing plant.

• Mission-Critical Systems – Supports a mission-critical system such as a navigational system for a spacecraft.

• Transactional Systems – Goal-directed activity such as trusted processing of private data, credit reporting.

• Business Critical Systems – Very high costs for the business using that system. Customer account system in a bank.

• Business Crucial – A system whose failure is not critical but has a significant impact – Online Banking Phone App Down.

• Non-Business Crucial – Reputational but not system failure, Employee accesses accounts.

Asset Classification Evaluation

Classification of an attack surface or a system is an evaluation of the business value of
information. Business value is determined by understanding the types of elements that
make up information and defining specific controls to safeguard that information. The
three classification attributes are:

• Confidentiality - Only authorized and approved users
have access to the data.

• Integrity - data is unaltered and is consistent,
accurate, and trustworthy over its entire life cycle.

• Availability - available to authorized users.

Types of Risks to Business Enterprise

THEFT OF INTELLECTUAL PROPERTY

Data breaches where there is theft of IP, proprietary data, confidential business secrets, financial transactional information, M&A.

Countries are actively stealing and attempting to steal such information for economic advantage and independence.

IP can be stolen not just from hacking into the
target company’s computer systems but via the
vendors (i.e. professional service providers like
law firms, accounting firms, etc.) that do work for
them. In fact, it’s often easier to do it this way.

THEFT OF INFORMATION: EMPLOYEE NEGLIGENCE

• Data breaches via negligence include leaving a
laptop or a smartphone in a coffee shop or on a bus

• Negligence is responsible for about 70% of all breaches, while network hacking or a malicious breach is responsible for only 30%

• Example Equifax

• Did not patch a system whose breach was not
isolated to a crown jewel system

THEFT OF RESOURCES

• Ransomware – Over 330,000 detections at
businesses in Q1 2019
• Often caused by employee negligence, third-party
vendors, or poorly maintained systems
• Pay? Don’t pay? Insurance?
• Business Email Compromise Totaled Over $12.5 B
(October 2013 to May 2018)
• Often caused by employee negligence, poor
internal controls, and email compromise

Theft of Public Facing Reputation

Many employers and their employees engage in social media of some sort – a corporate blog, Twitter, Facebook, LinkedIn, etc.

Employer use of social media can lead to privacy, defamation, trade libel, trademark infringement, and copyright infringement claims.

A recent study shows that only 40% of corporate
directors and general counsel at public companies
believe their company has a good handle on the risks
associated with social media.

Only 39% of companies have a social media policy. If
properly tied to an overall internet and email policy, a
comprehensive social media policy can be used to help
reduce defamation, trade libel, trademark infringement,
and copyright infringement claims.

Risks by 3rd Party: VENDOR AND BUSINESS PARTNER ISSUES

63% of all breaches are caused by vendors

For Example:
• Litigation Support
• HVAC vendor
• Mail Room
• Cleaning Service etc.
• Offsite Storage
• Disaster Recovery
• Shredding Service

The Cost of Doing Nothing or Not Enough

Recent studies show that data security was the
number one concern of directors and general
counsel at public companies.

33% of GCs believe their board is not effective at
managing cyber risk. Yet only 42% of companies
had a crisis management plan in place.

Threat actors remain embedded in the
environment, moving laterally from system to
system, escalating privileges and infiltrating data,
unknown for months, years.

Breach Statistics Source: Verizon Data Breach Report 2019

• One-quarter of all breaches are still associated with
espionage

• Ransomware attacks account for 24% of malware
incidents analyzed, ranking as the second most used
malware variety

• External threat actors account for 69% of attacks
with insiders accounting for 34%

• 18% of people who clicked on test phishing links did
so through mobile devices.

Privacy Breach Losses - Example

Number of Records Compromised          100,000       250,000       500,000       1,000,000
Privacy Notification Costs             $400,000      $1,000,000    $2,000,000    $4,000,000
Call Center Costs                      $100,000      $250,000      $500,000      $1,000,000
Credit Monitoring Cost                 $1,000,000    $2,500,000    $5,000,000    $10,000,000
ID Theft Repair                        $500,000      $1,250,000    $2,500,000    $5,000,000
Total Estimated First Party Costs*     $2,000,000    $5,000,000    $10,000,000   $200,000,000
Card Reissuance Liability              $600,000      $1,500,000    $3,000,000    $6,000,000
Fraud Liability                        $5,000,000    $12,500,000   $25,000,000   $50,000,000
Total Estimated Third Party Liability  $5,600,000    $14,000,000   $28,000,000   $56,000,000
Total Estimated Privacy Event          $7,600,000    $19,000,000   $38,000,000   $76,000,000

* May be subject to a Privacy Event Cost Sublimit
Source: Marsh

Assumptions:

Notification costs - $4 per record

Call Center Costs - $5 per call (20% expected participation)

Credit monitoring - $50 per record (20% expected participation)

ID Theft Repair - $500 per record (5% of those monitored experience theft)

Card re-issuance - $6 per record (potential liability to issuers, i.e., banks)

Fraud Liability - $1,000 per record (range is $500 per record to $6,400 average fraud charges - 5% experience fraud)
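As an added worked example (not part of the slide deck), the cost model behind the table above, coded from the assumptions just listed so the estimate can be rerun for any number of records; the function and variable names are this example's own:

```python
# Added example (not from the presentation): recomputes the Marsh privacy-event
# cost table from the slide's per-record assumptions; names are this example's own.

NOTIFICATION_PER_RECORD = 4         # $4 per record notified
CALL_CENTER_PER_CALL = 5            # $5 per call, 20% of individuals call
CALL_CENTER_PARTICIPATION_PCT = 20
MONITORING_PER_RECORD = 50          # $50 per record, 20% enrol in credit monitoring
MONITORING_PARTICIPATION_PCT = 20
ID_THEFT_REPAIR_PER_CASE = 500      # $500 per case, 5% of those monitored
ID_THEFT_PCT_OF_MONITORED = 5
CARD_REISSUANCE_PER_RECORD = 6      # $6 per record, liability to card issuers
FRAUD_PER_CASE = 1000               # $1,000 average fraud charge, 5% of records
FRAUD_PCT = 5


def privacy_event_costs(records: int) -> dict:
    """Estimate first-party, third-party and total costs for a breach of
    `records` PII records. Integer math; head counts round down."""
    callers = records * CALL_CENTER_PARTICIPATION_PCT // 100
    monitored = records * MONITORING_PARTICIPATION_PCT // 100
    theft_cases = monitored * ID_THEFT_PCT_OF_MONITORED // 100
    fraud_cases = records * FRAUD_PCT // 100
    costs = {
        "notification": records * NOTIFICATION_PER_RECORD,
        "call_center": callers * CALL_CENTER_PER_CALL,
        "credit_monitoring": monitored * MONITORING_PER_RECORD,
        "id_theft_repair": theft_cases * ID_THEFT_REPAIR_PER_CASE,
        "card_reissuance": records * CARD_REISSUANCE_PER_RECORD,
        "fraud_liability": fraud_cases * FRAUD_PER_CASE,
    }
    costs["first_party_total"] = (costs["notification"] + costs["call_center"]
                                  + costs["credit_monitoring"] + costs["id_theft_repair"])
    costs["third_party_total"] = costs["card_reissuance"] + costs["fraud_liability"]
    costs["total"] = costs["first_party_total"] + costs["third_party_total"]
    return costs


def cost_table(record_counts=(100_000, 250_000, 500_000, 1_000_000)) -> list:
    """One (records, first-party, third-party, total) row per breach size."""
    rows = []
    for n in record_counts:
        c = privacy_event_costs(n)
        rows.append((n, c["first_party_total"], c["third_party_total"], c["total"]))
    return rows


if __name__ == "__main__":
    for n, first, third, total in cost_table():
        print(f"{n:>9,} records: first-party ${first:>12,}  "
              f"third-party ${third:>12,}  total ${total:>12,}")
```

Rerun for 1,000,000 records, the assumptions give a first-party total of $20,000,000, which is also what the table's $76,000,000 event total implies.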

Compliance as a risk

D&O Liability

According to Willis Towers Watson’s 2018 Management Liability (Directors and Officers) U.S. Survey, the top D&O risks “in the coming year” include:

• Cyber incident/cyber claims (80%)
• Claims by employees (55%)
• Regulatory and enforcement risks (48%)

State and Federal (U.S.) government efforts:
New laws and regulations

Common law: class actions

State Laws:
• Illinois
• NYS DFS Part 500
• CCPA
• MASS

International Law and Privacy Trends

What can organizations do to address Risks to Business Enterprise?

ESTABLISH AN ENTERPRISE SECURITY STRATEGY

• Governance – Continuous Risk & Control Assessment
• Technology – Security Solutions and Architecture
• Process – Policies and Procedures
• People – Information Security Awareness and Training Program

NIST Security Approach

Reduce the Risk of Cyber Attacks from Happening: Identify, Protect
Detect/Respond to Attacks & Minimize Impact: Detect, Respond
Back to Normal Business Operations: Recover

Identify
• Technical Security Testing
• Security Risk Assessments
• Security Incident Response Team

Protect
• Network/Application/Mobile Security Solutions
• Email Security Solutions, etc.

Detect
• Security Operations Center (SOC)
• Automatic Security Alerting

Respond and Recover
• Incident Response Planning and Exercise
• Cyber Insurance Coverage
• Incident Investigation and Forensics Capability

SECURITY INITIATIVES TO CONSIDER

• Network and Infrastructure Security
• Endpoint and Mobile Device Security
• Applications Security
• Cloud Security
• Threat and Vulnerability Management
• Security Awareness and Training Program
• Security Monitoring and Operations Management
• Security Governance

Policies

Establish Security Policies and Standards

• Acceptable Use
• Clean Desk
• Data Breach Response
• Password Protection
• Encryption
• BYOD
• Social Media
• Data Privacy
• Business Process Controls
• Network Policies
• Server Policies
• Application Policies

Programs

Establish Security: Cyber Security Program Categories

• Oversight and Leadership
• Logical and Physical Access
• Products and Services Lifecycle
• Systems and Security Operations
• Monitoring and Event Management
• Quality and Continuity of Service
• Program Auditing, Testing and Certification
• Business Process Controls

Thank You!
James Mottola, MS, CISM, CPP

Vice President, Data Privacy, Security and Investigations

(973) 889-4277

Kasi M. Gifford, Esq.
Cooper Levenson, P.A.

609-572-7456

Cyber Incidents Legally Speaking

Four Key Areas to Address Today:
-Legal Considerations
-Operational Considerations
-Cost Considerations
-Regulatory Considerations

The First 12 Hours are the Most Critical

• Follow the Incident Response Plan
• If You Do Not Have One *Note to Add One At The Conclusion of This Event*

• Protect the School District and Personally Identifiable Information
• Keep Confidential
• Contain the Intrusion If Possible
• Contact Attorney Skilled in Cyber Security
  • Phone Call with Attorney to Discuss Options
  • Establish Incident Response and Preserve Attorney Client Privilege
• Hire Forensic Team If Needed
  • Phone Call with Forensic Team to Discuss Options

Legal

• Immediate Steps:
  • Contact Insurance Company
  • See If You Have Coverage
  • Note to Self* If No Coverage, start shopping for an Insurance Company that Does Have Coverage

• If You Have Coverage:
  • Assigned Attorney
  • Immediate Contact with Attorney

• If You Do Not Have Coverage:
  • Find an Attorney that Specializes in Cyber Security

• Do Not Talk To Anyone Outside of Your Response Team, and Do Not Call it a Cyber Breach; refer to it as a Cyber Incident until More Information is Known

Who is Your Response Team?

• Who Is In The Team?
  • Superintendent
  • Business Administrators
  • Attorney Insurance / Attorney Solicitor for School
  • IT Department
  • Others? PR?
  • Forensic Expert

Public Relations

• Create a legally approved public relations statement to address the incident

• Create a legally approved e-mail to employees and/or the school community depending on type of cyber incident

• Work Hand in Hand with Attorney

• Control the Narrative as to Who Can Speak to the Press? Staff? Parents? Community?

Operational

• Containment
  • Limit Damages
  • Turn Off Computer
  • Check with Third Party Hosts to Turn Off Access to School?

Operational

• Determine the Scope of the Cyber Incident
  • What did the compromise have access to?
    • Financial Records
    • Data

• Ransomware – Data Held Hostage!
  • Is there another way to get to data?
    • Cloud-Based Storage?
    • In-District Storage?
  • Is Storage Up to Date?

Ransomware* Is a Business!

1. Ignore and use back up data
2. Pay
3. Do Nothing and Lose data
4. Negotiate

Financial Data

• How Big is the Incident?
  • One Computer?
  • Computer Network?
  • Virus that can take anyone’s personal financial information if they were on the District Server at the time of the cyber incident.

Cost Considerations

• Public Upset
• Cost $$
  • Legal Fees
  • Forensic Fees
• Trust in the Community
• Possible Criminal Prosecution

Cost Considerations

• Damage and destruction or loss of data
• Downtime
• Lost Productivity
• Post-attack disruption
• Forensic Investigation
• Restoration and deletion of hostage data and systems

Regulatory

• Notification Requirements:
  • All 50 states have enacted legislation requiring private or government entities to notify individuals of security breaches of personally identifiable information.

Regulatory

• Notification Requirement:
  • Security breach laws typically have provisions regarding who must comply with the law, what constitutes a breach, requirements for notice, and exemptions.

Regulatory

• Notification Requirements:
  • No consistency among state laws
  • Varying definitions of personally identifiable information and what triggers reporting
  • Many require notification of State Attorney General
  • Timelines for response vary widely from state to state

• Why do other states matter?
  • If you have an employee that lives in PA, DE, etc.

Regulatory

• Family Educational Rights and Privacy Act
  • Educational Records Disclosure
  • Personally Identifiable Information includes student’s name, parent’s name, address, personal identifier (social security number, personal characteristics, other information)

Regulatory

• Proposed New Laws Not Yet Passed:
  • NJ SJR 134 Designates October of each year as Cyber Security Awareness Month.
  • NJ S3836 Creates affirmative defense for certain breaches of security.
  • NJ S3738 Requires State employees to receive best cybersecurity practices.
  • NJ S3673 Directs State Cybersecurity and Communications Integration Cell, Office of Information Technology, and State Big Data Alliance to develop an advanced cyber infrastructure strategic plan.
  • NJ S3488 Directs State Cybersecurity and Communications Integration Cell to develop cybersecurity best practices and awareness materials for consumers in this State.

Regulatory

• NJ S3436 Directs State Cybersecurity and Communications Integration Cell to develop cybersecurity prevention and awareness materials for businesses and to establish electronic mail fraud internet website.
• NJ S2692 Requires certain persons and business entities to maintain a comprehensive information security program.
• NJ A3542 Requires state, county, and municipal employees and certain state contractors to complete cybersecurity awareness training.
• NJ A2355 Concerns debarment of contractors for conviction of certain computer related crimes.

Legal Action Plans

• Have a Policy
• Follow It!
• Create a Cyber Incident Response Plan Manual
• Do Table Top Exercises to Practice!
• Require IT to be Trained in Cyber Security throughout the year
• Require Staff to be Annually Trained in Cyber Security
• Add disclaimers to staff e-mails as to *inside or *outside network e-mail
• Add disclaimer prior to allowing staff to click on a link
• Hire a Forensic Company to Do an Audit and Test of Your System
• Check Your Insurance Policy – Does it Cover Cyber Incidents? How Much?
• If You See Something / Say Something

Kasi M. Gifford, Esq

609-572-7456
