Cybersecurity: Protecting Your Employees and Benefit Plans 2018 Edition


Page 1: Cybersecurity: Protecting Your Employees and Benefit Plans

Cybersecurity: Protecting Your Employees and Benefit Plans

2018 Edition

Page 2: Cybersecurity: Protecting Your Employees and Benefit Plans

11161 E State Road 70 #110-213, Lakewood Ranch, Florida 34202

www.lawpracticecle.com | 941-584-9833

LawPracticeCLE is a national continuing legal education company designed to provide education on current, trending issues in the legal world to judges, attorneys, paralegals and other interested business professionals. New to the playing field, LawPracticeCLE is a major contender with its offerings of Live Webinars, On-Demand Videos, and In-person Seminars. LawPracticeCLE believes in quality education, exceptional customer service, long-lasting relationships and networking beyond the classroom. We cater to the needs of three divisions within the legal realm: Pre-Law and Law Students, Paralegals and other support staff, and Attorneys.

At LawPracticeCLE, we partner with experienced attorneys and legal professionals from all over the country to bring hot topics and current content that are relevant in legal practice. We are always looking to welcome dynamic and accomplished lawyers to share their knowledge!

As a LawPracticeCLE Speaker, you receive a variety of benefits. In addition to CLE teaching credit attorneys earn for presenting, our presenters also receive complimentary tuition on LawPracticeCLE’s entire library of webinars and self-study courses.

LawPracticeCLE also affords expert professors unparalleled exposure on a national stage in addition to being featured in our Speakers catalog with your name, headshot, biography and link back to your personal website. Many of our courses accrue thousands of views, giving our speakers the chance to network with attorneys across the country. We also offer a host of ways for our team of speakers to promote their programs, including highlight clips, emails, and much more!

1. A Course Description
2. 3-4 Learning Objectives or Key Topics
3. A Detailed Agenda
4. A Comprehensive PowerPoint Presentation

Page 3: Cybersecurity: Protecting Your Employees and Benefit Plans

■ Bankruptcy Law
■ Business Law
■ Cannabis Law
■ Construction Law
■ Criminal Law
■ Education Law
■ Employment Law
■ Entertainment Law
■ Estate Planning
■ Ethics, Bias and Professionalism
■ Family Law
■ Federal Law
■ Food and Beverage Law
■ Gun Law
■ Health Law
■ Immigration Law
■ Insurance Law
■ Nonprofit Law
■ Paralegal Studies
■ Personal Injury Law
■ Practice Management & Trial Prep
■ Real Estate Law
■ Social Security Law
■ Specialized Topics
■ Tax Law
■ Technology Law

LawPracticeCLE will seek approval of any CLE program where the registering attorney is primarily licensed and a single alternate state. The application is submitted at the time an attorney registers for a course, therefore approval may not be received at the time of broadcasting. In the event a course is denied credit, a full refund or credit for another LawPracticeCLE course will be provided.

LawPracticeCLE does not seek approval in Illinois or Virginia, however the necessary documentation to seek CLE credit in such states will be provided to the registrant upon request.

LawPracticeCLE Unlimited is an elite program allowing Attorneys and Legal Professionals unlimited access to all LawPracticeCLE live and on-demand courses for an entire year.

LawPracticeCLE provides 20 new continuing legal education courses each month that will not only appeal to your liking, but also meet your State Bar Requirements.

Top Attorneys and Judges from all over the country partner with us to provide a wide variety of course topics from basic to advanced. Whether you are a paralegal or an experienced attorney, you can expect to grow from the wealth of knowledge our speakers provide.

Facebook: https://www.facebook.com/LawPracticeCLE

LinkedIn: https://www.linkedin.com/company/lawpracticecle

Instagram: https://www.instagram.com/lawpracticecle

Twitter: https://twitter.com/LawPracticeCLE

Page 4: Cybersecurity: Protecting Your Employees and Benefit Plans

Cyber Security – Protecting Your Employees’ Private Information

E. Philip Bush, Partner

Stefan P. Smith, Partner

LawPracticeCLE

Page 5: Cybersecurity: Protecting Your Employees and Benefit Plans

Cyber Security – What Will Be Covered?

■ Employee data privacy - an overview of employer responsibilities
■ Protecting the security of information systems and employee/participant data
■ What to do in the case of a cyber security breach

Page 6: Cybersecurity: Protecting Your Employees and Benefit Plans

Employer’s Legal Requirements

■ International, Federal and State Laws impose requirements on the Employer related to Security of Employee/Plan Participant Data:
  ■ Health Insurance Portability and Accountability Act ("HIPAA") - Protected Health Information
  ■ Genetic Information Nondiscrimination Act ("GINA") – Genetic Information related to employees and Family
  ■ Sarbanes-Oxley Act of 2002 - Public Company Security Standards & Threat Assessment
  ■ Texas Identity Theft Enforcement and Protection Act - Much broader information that has to be protected
  ■ EU’s General Data Protection Regulation (GDPR)
  ■ To name a few…

Page 7: Cybersecurity: Protecting Your Employees and Benefit Plans

Cyber Security – Consequences of a Breach

■ Employee causes of action for statutory violations
■ Civil Penalties. Examples:
  ■ HIPAA privacy violation penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision under HIPAA.
  ■ Texas Identity Theft Enforcement and Protection Act fines of up to $500 per violation (or per record)
■ Disciplinary action against those responsible for the data breach.

Page 8: Cybersecurity: Protecting Your Employees and Benefit Plans

Are Adequate Security Measures in Place?

■ Laws typically require the following security measures:
  ■ Conducting Periodic Risk Assessments
  ■ Physical security measures
  ■ Administrative security measures
  ■ Technical security measures

Page 9: Cybersecurity: Protecting Your Employees and Benefit Plans

Making a Cyber Security Assessment – Internal Risks

■ Your greatest asset and greatest vulnerability are your own employees:
  ■ Online access to personnel systems and benefit plans creates greater risk of password/user name theft
  ■ “Social Engineering”/Identity theft
  ■ Email: “JUST CLICK HERE”
    ■ Ransomware
    ■ Phishing
    ■ Malware
  ■ Malicious Employee

continued…

Page 10: Cybersecurity: Protecting Your Employees and Benefit Plans

Making a Cyber Security Assessment – Internal Risks

■ It can happen to you…
■ It happened to us…

continued…

Page 11: Cybersecurity: Protecting Your Employees and Benefit Plans

1/30/2018 Locke Lord Engineer Faces Fair Jail Time, 5th Circ. Says - Law360

By RJ Vogt

Law360, Los Angeles (January 29, 2018, 8:58 PM EST) -- The Fifth Circuit on Monday upheld the conviction and sentencing of a former Locke Lord LLP information technology engineer, who was found guilty of felony computer intrusion for attacks on the firm’s network in 2011 and ordered to pay $1.7 million in restitution and serve 9½ years in jail.

In Monday’s ruling, a three-judge panel affirmed the lower court’s conviction and sentencing in a four-page per curiam opinion.

According to court records, Laoutaris was a senior systems engineer for Locke Lord from March 2006 to August 2011. In December 2011, he allegedly twice accessed the firm’s computer network, and on both occasions took steps that “caused significant damage to the network,” including deleting or disabling hundreds of user accounts, desktop and laptop accounts and user email accounts.

Laoutaris was charged in October 2013 with transmitting a malicious code and computer intrusion causing damage to 18 administrator accounts, 356 computers and 359 user accounts, and the data and information contained in and associated with those accounts. A second count blamed Laoutaris for impairing 105 server accounts and 140 computer accounts, and a third count accused him of attacking the email accounts of all Locke Lord’s Dallas employees.

Link: https://www.law360.com/articles/1006938/print?section=cybersecurity-privacy

Page 12: Cybersecurity: Protecting Your Employees and Benefit Plans

Making a Cyber Security Assessment – External Risks

■ External Threats:
  ■ Wire transfer email fraud - Email from someone who appears to be the CEO…
  ■ Brute Force Attacks
    ■ Brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password
    ■ Does your system suspend or disable user credentials after a certain number of unsuccessful login attempts?
    ■ Are you protected against authentication bypass?
    ■ Have your web applications been tested for widely-known security flaws, including “predictable resource location”?
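As an added example (not from the slides), the lockout question above can be checked against a login audit trail by replaying it through the policy: the audit-line format, the thresholds and the log lines themselves are assumed and constructed here, and the second function shows why per-account lockout alone is not the whole answer.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy knobs (assumed values; set them from your own risk assessment).
MAX_FAILURES = 5                         # failures that trigger a lockout
FAILURE_WINDOW = timedelta(minutes=15)   # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed sample audit lines: "<ISO time> <user> <source IP> <OK|FAIL>".
SAMPLE_LOG = """\
2018-03-01T09:00:00 jdoe 203.0.113.7 FAIL
2018-03-01T09:00:05 jdoe 203.0.113.7 FAIL
2018-03-01T09:00:10 jdoe 203.0.113.7 FAIL
2018-03-01T09:00:15 jdoe 203.0.113.7 FAIL
2018-03-01T09:00:20 jdoe 203.0.113.7 FAIL
2018-03-01T09:01:00 jdoe 198.51.100.4 OK
2018-03-01T09:40:00 jdoe 198.51.100.4 OK
2018-03-01T10:00:00 asmith 203.0.113.7 FAIL
2018-03-01T10:30:00 asmith 203.0.113.7 FAIL
2018-03-01T10:30:05 asmith 198.51.100.4 OK
"""

@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_until: Optional[datetime] = None

def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def apply_policy(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Replay the audit trail; return (time, user, decision) for each attempt.
    Decisions: FAILED, LOCKED (this failure crossed the threshold),
    REJECTED_LOCKED (refused during lockout even if the password is right), ALLOWED."""
    state: Dict[str, AccountState] = defaultdict(AccountState)
    decisions = []
    for ts, user, _ip, result in map(parse_line, log_text.splitlines()):
        acct = state[user]
        if acct.locked_until is not None and ts < acct.locked_until:
            decisions.append((ts, user, "REJECTED_LOCKED"))
            continue
        if result == "OK":
            acct.failures.clear()           # a genuine login resets the counter
            decisions.append((ts, user, "ALLOWED"))
            continue
        # Keep only failures inside the sliding window, then record this one.
        acct.failures = [t for t in acct.failures if ts - t <= FAILURE_WINDOW]
        acct.failures.append(ts)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = ts + LOCKOUT_DURATION
            acct.failures.clear()
            decisions.append((ts, user, "LOCKED"))
        else:
            decisions.append((ts, user, "FAILED"))
    return decisions

def failures_by_source(log_text: str) -> Dict[str, int]:
    """Count FAIL results per source IP across all accounts: a single source
    spreading a few guesses over many users never trips a per-account lockout,
    so this view is what an intrusion detection rule should watch as well."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, _user, ip, result in map(parse_line, log_text.splitlines()):
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)
```

Running `apply_policy(SAMPLE_LOG)` locks jdoe on the fifth failure, refuses the correct login at 09:01 and admits the one at 09:40 after the lockout expires, while asmith's two failures 30 minutes apart never reach the threshold.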

Page 13: Cybersecurity: Protecting Your Employees and Benefit Plans

Physical Security Measures

■ Preventing unauthorized physical access to your computer systems and networks that process and store the data:
  ■ Physical barriers
  ■ Locks, safes and vaults
  ■ Security force
  ■ Sensors and alarms

continued…

Page 14: Cybersecurity: Protecting Your Employees and Benefit Plans

Physical Security Measures

■ Physical security measures
  ■ Workstations:
    ■ Clean desk policy – make sure that documents containing personal information are not left on a desk unattended.
    ■ Position computer so as to avoid viewing by unauthorized personnel.
    ■ Lock, log off or shut down computer when not attended.
    ■ Use automatic password protected screen savers.
    ■ Portable equipment must be secured (laptops, USBs, etc.)
    ■ Do not write passwords on paper beside the computer, under the keyboard, etc.
    ■ Do not share your passwords with anyone.
    ■ Lock drawers, file cabinets or offices.
    ■ Do not leave keys to drawers, file cabinets or offices lying around.

continued…

Page 15: Cybersecurity: Protecting Your Employees and Benefit Plans

Physical Security Measures

■ Securing paper, physical media, and devices
  ■ Are you securely storing sensitive files?
  ■ Are you protecting devices that process sensitive/confidential/personal information?
  ■ Do you have safety standards in place when data is stored on laptops or external drives?
  ■ Do you dispose of sensitive data securely?
  ■ Examples:
    ■ Copy machines with stored memory
    ■ Disposal of hard drives
    ■ Shredding (check document retention policy)
    ■ Report to supervisor or Privacy Officer if the shredding bin is too full for disposal

Page 16: Cybersecurity: Protecting Your Employees and Benefit Plans

Administrative Safeguards

■ Administrative security measures
  ■ Implement controls to prevent unauthorized access and to provide an acceptable level of protection for computing resources and data.
  ■ Administrative security procedures frequently include personnel management, training, and discipline.

Page 17: Cybersecurity: Protecting Your Employees and Benefit Plans

Administrative Safeguards

■ Basic Security
  ■ Is access to and use of personal information limited on a need-to-know only basis?
  ■ Is information held only as long as there is a legitimate business need?
■ Do You Have an Adequate Training Program in Place to Assure Compliance?
  ■ Employees generally?
  ■ Employees with Access to Private Information?

continued…

Page 18: Cybersecurity: Protecting Your Employees and Benefit Plans

Administrative Safeguards

■ Service Providers
  ■ Have you implemented reasonable security measures with your service providers?
    ■ Are appropriate security standards a part of your service contracts? Cyber insurance? - See SPARK standards
    ■ Are you verifying compliance with these contractual requirements?
    ■ Does the Service Provider have adequate training of its personnel?
    ■ Do you have an incident response plan in the case of a breach by a service provider?
    ■ Is access limited to what is needed to get the job done?

Page 19: Cybersecurity: Protecting Your Employees and Benefit Plans

Technical Security Measures

■ Technical security measures
  ■ Safeguards incorporated into computer hardware and software to provide access control, authentication prior to access and protect the integrity of stored and transmitted data. Examples include: firewalls, access control software, antivirus software, passwords, smart cards, biometric tokens, and encryption.

continued…

Page 20: Cybersecurity: Protecting Your Employees and Benefit Plans

Technical Security Measures

■ Secure Password and Authentication
  ■ Are you using complex and unique passwords?
  ■ Is your system vulnerable to hackers who use password-guessing tools, or try passwords stolen from other services?
  ■ Are passwords stored securely?

continued…

Page 21: Cybersecurity: Protecting Your Employees and Benefit Plans

Technical Security Measures

■ Storage and Transmission of sensitive personal information
  ■ Is confidential material secured by encryption during storage and transmission?
  ■ Is sensitive information kept secure throughout its lifecycle? By your vendors?
  ■ Are you following industry-tested and accepted methods for protection of sensitive information?

continued…

Page 22: Cybersecurity: Protecting Your Employees and Benefit Plans

Technical Security Measures

■ Segmenting your network and monitoring who’s getting in and out
  ■ Is your network segmented?
    ■ Not every computer in your system needs to be able to communicate with every other computer
  ■ Is personnel data protected by housing it in a separate secure place on your network?
  ■ Do you have an effective intrusion detection tool to detect unauthorized activity on your network?

continued…

Page 23: Cybersecurity: Protecting Your Employees and Benefit Plans

Technical Security Measures

■ Securing remote access to your network
  ■ Endpoint security: Do you assess the service provider’s cyber security before activating a remote login account?
  ■ Do you have sensible access limits in place?

Page 24: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a Security Breach

■ Incident Response
  ■ Requires advance preparation
■ Incident Response Plan
  ■ A well-defined, organized approach for handling any potential threat to Company communications, systems, data, and assets, such as your intellectual property.

continued…

Page 25: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a Security Breach

■ Have an Incident Response Plan
  ■ Identify and describe:
    ■ Roles, responsibilities and members of the Incident Response Team
    ■ Contact information for internal and external team members
    ■ Types of potential incidents (e.g., HIPAA breach) and remediation plans for each

continued…

Page 26: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a Security Breach

■ Breach Notification
  ■ Have a communications plan:
    ■ Designate a point person for releasing information regarding the breach and to respond to inquiries.
    ■ Reach all affected persons: employees, former employees, participants, beneficiaries.
    ■ Don’t make misleading statements about the breach.
    ■ Don’t withhold key details that might help affected persons protect themselves and their information.
    ■ Don’t publicly share information that might put affected persons at further risk.

continued…

Page 27: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a Security Breach

■ Breach Notification
  ■ In deciding who to notify, and how, consider:
    ■ state and federal laws
    ■ the nature of the compromise
    ■ the type of information taken
    ■ the likelihood of misuse
    ■ the potential damage if the information is misused

continued…

Page 28: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a Security Breach

■ Breach Notification
  ■ Determine your legal requirements (notification and Remedial Action):
    ■ Check state and federal laws or regulations for any specific requirements for the type of breach and your business.
    ■ A breach involving electronic protected health information (PHI) covered by HIPAA requires specific remedial and notification procedures.

Page 29: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a HIPAA Security Breach

■ Conduct a fact-specific risk assessment.
  ■ The nature and extent of the PHI.
  ■ The unauthorized person involved.
  ■ Whether the PHI was actually acquired or viewed.
  ■ Extent to which any risk has been mitigated.
■ Documentation of the risk assessment is required.

continued…

Page 30: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a HIPAA Security Breach

■ Once a breach or suspected breach is discovered, contact the Privacy Officer.
  ■ The Privacy Officer should immediately contact the legal department and outside HIPAA privacy counsel.
  ■ Working with legal counsel, conduct the risk assessment as quickly as possible to determine the extent of the breach and whether an exception applies.
  ■ Consult your HIPAA Breach Notification policies for a step by step guide to responding to a breach.

continued…

Page 31: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a HIPAA Security Breach

■ Summary of health plan’s notification obligations:
  ■ Individual notification by first class mail required (unless individual has consented to electronic notice).
  ■ Media notification required for breach involving 500 or more residents of a state or jurisdiction.
  ■ Must notify HHS.
  ■ Note that the above requirements apply even for breaches caused by a Business Associate; however, depending on the Business Associate Agreement, either the health plan or Business Associate will be responsible for the notifications, typically dependent on who caused the breach.

continued…
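An added example, not part of the original presentation, that encodes the three obligations just summarised as a planning function. The person record, the threshold constant and the sample population are assumed and constructed; it deliberately covers only what the slide states (the per-state counting of the media threshold in particular), not the timing rules or other details of the Breach Notification Rule.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# From the slide: media notice when 500 or more residents of one state or
# jurisdiction are affected. The count is per state, not the overall total.
MEDIA_NOTICE_THRESHOLD = 500

@dataclass(frozen=True)
class AffectedPerson:
    person_id: str
    state: str                  # state or jurisdiction of residence
    consented_electronic: bool  # has agreed to electronic notice

@dataclass
class NotificationPlan:
    first_class_mail: List[str]    # person_ids to notify by first class mail
    electronic: List[str]          # person_ids who consented to electronic notice
    media_notice_states: List[str] # states whose media must be notified
    notify_hhs: bool

def plan_notifications(affected: List[AffectedPerson]) -> NotificationPlan:
    """Apply the notification obligations summarised on the slide."""
    mail = [p.person_id for p in affected if not p.consented_electronic]
    electronic = [p.person_id for p in affected if p.consented_electronic]
    per_state = Counter(p.state for p in affected)
    media = sorted(s for s, n in per_state.items() if n >= MEDIA_NOTICE_THRESHOLD)
    # The slide says HHS must be notified; any breach with affected persons qualifies.
    return NotificationPlan(mail, electronic, media, notify_hhs=len(affected) > 0)

def sample_population(counts_by_state: Dict[str, int]) -> List[AffectedPerson]:
    """Constructed sample data: every fourth person has consented to e-notice."""
    people = []
    for state, n in counts_by_state.items():
        for i in range(n):
            people.append(AffectedPerson(f"{state}-{i:04d}", state, i % 4 == 0))
    return people
```

With 520 Texas and 300 Oklahoma residents the plan requires a media notice in Texas only; with 300 and 300 it requires none, even though 600 people in total must still be notified individually and HHS informed.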

Page 32: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a HIPAA Security Breach

■ Content of health plan’s individual/media notice:
  ■ a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  ■ a description of the unsecured PHI that was involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were compromised);
  ■ what, if any, steps individuals should take to protect themselves from potential harm resulting from the breach.

continued…

Page 33: Cybersecurity: Protecting Your Employees and Benefit Plans

What To Do If There Is a HIPAA Security Breach

■ Content of health plan’s individual/media notice:
  ■ a brief description of the measures the health plan is taking to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  ■ contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, a Web site or a postal address.

Page 34: Cybersecurity: Protecting Your Employees and Benefit Plans

Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation

■ Investigate:
  ■ A health plan must investigate a violation of the Privacy Rule to determine the scope of improper conduct.
  ■ If unsecured PHI, investigate the incident in accordance with the Breach Notification Rule described earlier.
  ■ If secured electronic PHI, investigate the incident in accordance with the health plan’s security incident policy.

continued…

Page 35: Cybersecurity: Protecting Your Employees and Benefit Plans

Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation

■ Mitigate:
  ■ A health plan must mitigate any harmful effect known to the health plan to have occurred as a result of a use or disclosure of PHI in violation of the Privacy Rule.
  ■ For example, if there is an unauthorized disclosure of PHI to an individual, the health plan should contact the individual regarding the unauthorized disclosure and request that the information be returned or destroyed and not further used or disclosed.

continued…

Page 36: Cybersecurity: Protecting Your Employees and Benefit Plans

Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation

■ Sanctions:
  ■ A health plan must review its sanctions policy and determine what type of sanctions are necessary under the circumstances.
  ■ Consider who is responsible for the failure:
    ■ Did a particular employee fail to follow the Privacy Rule?
    ■ Did the employee do this intentionally or by accident?
    ■ Did the employee take steps to resolve the situation (by, for example, contacting the Privacy Officer to notify of a breach or stop the violation from occurring again)?

continued…

Page 37: Cybersecurity: Protecting Your Employees and Benefit Plans

Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation

■ Reinforce:
  ■ A health plan must conduct training or reinforce the importance of maintaining the privacy and security of PHI after a violation occurs.
  ■ The training should at a minimum focus on the reason the incident occurred and solutions to prevent the same from occurring again.
  ■ As a best practice, in addition to the workforce member(s) involved with the incident being trained, other workforce members who have similar responsibilities should also be trained.

continued…

Page 38: Cybersecurity: Protecting Your Employees and Benefit Plans

Post-HIPAA Breach – Steps for Correction of Privacy Rule Violation

■ Revisit:
  ■ A health plan should review the administrative, technical, and physical safeguards that apply to the incident and implement new/revised safeguards if needed.
  ■ For example, if a breach occurred because unsecured PHI was disclosed to an unauthorized individual, it may make sense to mitigate the issue by requiring encryption for transmissions of unsecured PHI.
    ■ Implementation of encryption should then occur soon after the determination that it is needed.

Page 39: Cybersecurity: Protecting Your Employees and Benefit Plans

Helpful Links

Privacy and Cyber Security Risks: Locke Lord Desk Reference, 7th Edition:
https://www.lockelord.com/newsandevents/publications/2016/11/privacy-and-cybersecurity-risks

National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity:
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

SPARK Institute, Inc. Industry Best Practice Data Security Reporting:
http://www.sparkinstitute.org/pdf/SPARK%20Data%20Security%20Industry%20Best%20Practice%20Standards%209-2017.pdf

Greater Houston Partnership Cyber Security Self-Assessment Tool:
http://www.houston.org/policy/security.html

Page 40: Cybersecurity: Protecting Your Employees and Benefit Plans

Questions/Comments?

Philip Bush
(214) 740-8542
[email protected]

Stefan Smith
(214) 740-8796
[email protected]