Boston | Hartford | New York | Providence | Stamford | Albany | Los Angeles | Miami | New London | rc.com © 2017 Robinson & Cole LLP
Managing Threats to Data
Privacy and Security
National Scholarship Providers Association
Linn Foster Freedman, Esq.
October 9, 2017
Overview
Identifying and Protecting High-Risk Data
Mapping Your Data/High-Risk Data
Prepare a Privacy + Security Plan
Map Your Data/High-Risk Data
Security Risk Assessment
Policies and Procedures
Breach Notification Plan
Incident Response Team
WISP
Education of Employees
Recent Risks to Data
Phishing/Spear-Phishing
Malware + Ransomware
Vendor Management/Contracts
Cyberliability Insurance
Best Practices
Identifying and Protecting High-Risk Data
• Personally Identifiable Information
  Includes SS #, state-issued ID #, mother’s maiden name, driver’s license #, passport #, credit history, criminal history
  Students and their Parents
• Name & Contact Information
  Includes initials, address, telephone number, e-mail address, mobile number, date of birth
  Students and their Parents
• Personal Characteristics
  Includes age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs
  Students and their Parents
Identifying and Protecting High-Risk Data
(cont’d)
• Financial Data
  Includes credit, ATM, debit card #s, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords
  Parent’s financial data, tax information
• Health & Insurance Account Information
  Includes health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account #, Medicare and Medicaid information
Identifying and Protecting High-Risk Data
(cont’d)
• Employment Information
  Includes income, salary, service fees, compensation information, background check information
  Potentially Parent’s Information
• Intellectual Property Information
• Student Data
  As defined by FERPA
Mapping Your Data/High-Risk Data
Determine where your data/high-risk data is, both in
paper and electronic form, where it is going, and the
overall data flow so that you know how to protect it
(and who to protect it from)
Prepare a Privacy + Security Plan
Map Your Data/High-Risk Data
Security Risk Assessment
Policies and Procedures
Breach Notification Plan
  Engage 3rd party vendors to be on stand-by in the event of a breach
Incident Response Team
WISP
Educate Employees
Audit IT Systems
Vendor Management
Cyberliability Insurance
Privacy and Security Team
Data Mapping
Locate, identify, and classify data/high-risk data
In both paper and electronic form
Determine what kind of information it is (e.g. HR, student, payroll)
Identify its current storage state (e.g. in cabinet; encrypted at rest)
Determine how it is protected, who has access to it, and whether the
information needs to be retained (e.g. a vendor accessing certain
information systems may require higher protections; older data may
not need to be retained, so destroy it if possible)
Identify the risks to the data
Implement appropriate policies, procedures and
practices to protect the data once you have determined
where the high-risk data is maintained
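An added example (not from the presentation) of the data-mapping step in code: it classifies constructed sample records by two of the high-risk elements the deck lists (Social Security numbers and payment card numbers), records each item's location, storage state, access and retention need, and flags the risks this slide calls out. The file paths, access lists and record contents are made-up assumptions.

```python
# Added example for the Data Mapping step; not code from the slide deck.
# Sample inventory, paths and access lists below are constructed assumptions.
import re
from dataclasses import dataclass, field

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; cuts false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of high-risk data categories found in a piece of text."""
    found = set()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.add("SSN")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment card")
    return found

@dataclass
class DataMapEntry:
    location: str        # system, file share or cabinet where the data sits
    categories: set      # high-risk elements found by classify()
    storage_state: str   # e.g. "encrypted at rest" or "plaintext"
    access: list         # roles or vendors that can reach the data
    retain: bool         # still needed for business or legal reasons?
    flags: list = field(default_factory=list)

def flag_risks(entry: DataMapEntry) -> list:
    """The slide's own rules: unencrypted high-risk data, vendor access, stale data."""
    flags = []
    if entry.categories and entry.storage_state != "encrypted at rest":
        flags.append("high-risk data not encrypted at rest")
    if entry.categories and any("vendor" in who for who in entry.access):
        flags.append("vendor access: require higher protections and a contract")
    if not entry.retain:
        flags.append("no retention need: destroy if possible")
    return flags

def build_data_map(records: list) -> list:
    """records: dicts with location, content, storage_state, access, retain."""
    entries = []
    for r in records:
        e = DataMapEntry(r["location"], classify(r["content"]),
                         r["storage_state"], r["access"], r["retain"])
        e.flags = flag_risks(e)
        entries.append(e)
    return entries

# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    {"location": "hr-share/payroll/2016-w2.txt", "content": "Employee 123-45-6789 salary 52000",
     "storage_state": "plaintext", "access": ["hr-staff", "payroll-vendor"], "retain": True},
    {"location": "finance-db/donations", "content": "card 4111 1111 1111 1111 exp 12/19",
     "storage_state": "encrypted at rest", "access": ["finance"], "retain": False},
    {"location": "web/public/contact.txt", "content": "call 555-0100, form id 000-12-3456",
     "storage_state": "plaintext", "access": ["public"], "retain": True},
]
```

Running `build_data_map(SAMPLE_RECORDS)` yields one entry per record; the W-2 file is flagged both for unencrypted SSNs and for vendor access, the encrypted donations table only for having no retention need, and the public contact file not at all because its number falls in a range the SSA never issues.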
Security Risk Assessment
The objective of a security risk assessment is to understand the existing system and environment, and identify risks through analysis of the information/data collected.
Use of internal and external vendors
Several types of information that are often analyzed include:
Security requirements and objectives
System or network architecture and infrastructure
Information available to the public or accessible from the organization’s web site
Physical assets, such as hardware, including those in the data center, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)
Operating systems, such as PC and server operating systems, and network management systems
Data repositories, such as database management systems and files
Security Risk Assessment (cont’d)
A listing of all applications
Network details, such as supported protocols and network services offered
Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
Security components deployed, such as firewalls and intrusion detection systems
Processes, such as a business process, computer operation process, network operation process and application operation process
Identification and authentication mechanisms
Documented or informal policies, procedures and guidelines
Privacy + Security Policies and Procedures
Website Privacy Policy and Terms of Use
Privacy Policy
Security Policy
Breach Notification Plan
Written Information Security Program
Acceptable Use Procedure, Social Media Procedure,
BYOD, E-mail Procedure
Data Retention Program and Retention Schedule
Breach Notification Plan
To be effective the breach notification process must be part of a comprehensive information security plan:
Risk assessment
Trigger events
Mitigation plan
Security Incident Response Team
Identify State and Federal Laws and Requirements
Communications/Media Team/Vendors in Place
Breach Notification Across the Country
48 State Breach Notification Laws
Who Should be on the Incident Response Team?
EXAMPLES:
General Counsel (and Outside Counsel)
Privacy Officer
Security Officer
Communications
Chief Financial Officer or Other C-Suite
Human Resources
Crisis Management
Forensics
Chief Information Security Officer (Information Technology Department)
Representatives of Board
Others?
Written Information Security Program
MASSACHUSETTS DATA SECURITY REGULATIONS, 201 C.M.R. 17.00
RHODE ISLAND IDENTITY THEFT PROTECTION ACT, R.I.G.L. § 11-49.3-1
CONNECTICUT (PUBLIC ACT NO. 15-142)
CALIFORNIA (CAL. CIV. CODE § 1798.81.5)
Educate Employees
Employees must know the policies and procedures that are in place
Employees are one of the greatest risks to an organization’s data
Yearly comprehensive training and/or after an event
Creative education and incentives
Recent Risks to Data
• Phishing
  A malicious “spam-like” message sent in large batches to a broad audience
• Spear-Phishing
  A form of phishing – messages appear to come from a familiar or trusted sender and target specific recipients
• Ransomware
  A type of malicious software designed to block access to a computer system until a sum of money is paid
• Malware
  Software that is intended to damage or disable computers and computer systems
Phishing/Spear-Phishing
IRS Issued Warnings to Payroll/HR
March 1, 2016, and February 2, 2017
Warning of phishing schemes that affected
numerous companies
According to the IRS, “If your CEO appears
to be emailing you for company employees’
personal information, including SSNs, check
it out before you respond.”
May email [email protected] to report
phishing schemes
Phishing/Spear-Phishing (cont’d)
FBI issued warnings due to the “dramatic
rise” in these schemes
April 2016 and June 2016
Received complaints from victims in every
state in the U.S. and at least 100 countries,
from 22,143 victims
To date, the losses associated with the email
scams total more than $3.1 billion
Phishing and Spear-phishing - Growing and Expen$ive Problem
Among email users who receive “bait” messages
23% open the bait messages
11% click on attachments and links in the bait messages
1 in 10 open email attachments from unknown senders
$1.8 million is average amount users cost their employer
Major data breaches resulting from phishing or spear-phishing
Malware/Ransomware
EXAMPLES:
Hollywood Presbyterian Medical Center
HEI Hotels & Resorts (Hyatt, Sheraton, Marriott and Westin Hotels)
MedStar Health
Horry County Schools (South Carolina)
Bigfork Public School District (Montana)
K-Mart
Los Angeles Valley College
University of Calgary
DocuSign
Malware and Ransomware Attacks on the Rise
Ransomware/Malware (cont’d)
Higher education is particularly vulnerable because—in
contrast to hacking targets like banks—college and
university computer networks are more open
Reports from the Internet security teams at Symantec and Verizon state
that nearly 1 million new malware threats are released every day
More than 317 million new pieces of malware (computer viruses or other
malicious software) were created in 2016
Ransomware/Malware (cont’d)
Some Statistics…
2,500 cases of ransomware costing victims $24 million in the US alone were reported to the Internet Crime Complaint Center in 2015
10 is the average number of evasion techniques used per malware sample
97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless
15% of new files are malicious
Ransomware/Malware (cont’d)
Statistics continued…
98% of Microsoft Office-targeted threats use macros
600%+ increase in attachment-based vs. URL-delivered malware attacks from mid-2014 to 2015
50% increase last year in email attacks where macros are the method of infection
Vendor Management + Contracts
Map all vendors who have access to PI
Follow the data
Put vendor confidentiality agreements in place with each
Payroll/HR
Benefits/insurance
Website hosting provider
Cloud service provider
CPA
Lawyer
Cyberliability Insurance
Need to cover the information you have in your possession – most
comprehensive general liability insurance policies DO NOT cover a data breach
Those general policies were not designed for situations where information
gets into the wrong hands, such as when an employee leaves a laptop on a
subway or a hacker accesses your database
Cyberliability Insurance (cont’d)
Cyberliability insurance in general will cover: liability
for failure to protect personal information held on
computer systems or mobile devices, costs to notify
individuals, investigative costs, public relations, legal
fees, media coverage, mitigation, etc.
Talk to a broker who has experience with cyberliability policies
Work with insurer to have existing relationships
approved
Best Practices with Mobile Devices
Laptops, USB, portable hard drive, and smartphones
are high risk if they contain PI
Stolen unencrypted mobile devices are still an issue every day
Lost laptops and USB drives
Connecting to an unsecured Wi-Fi network
If a mobile device contains PI and the PI is accessed, used, or disclosed
by an unauthorized individual, you may be required to notify under state law
Best Practices with Mobile Devices (cont’d)
Risks with using USB drives
Cyber criminals starting to write viruses and worms that
specifically target USBs
So small they’re easy to lose
If a lost or stolen USB drive contains sensitive personal information
that’s not encrypted or otherwise secured, it could be a reportable data breach
Best Practices with Mobile Devices (cont’d)
How to manage mobile devices
• Decide whether mobile devices will be used to
access, receive, transmit or store PI or used as part
of an internal network or system
• Consider how mobile devices affect the risks to PI
• Identify mobile device risk management strategy
• BYOD Policy
• Train employees about mobile device privacy and
security awareness and best practices
Best Practices with Mobile Devices (cont’d)
How can you protect and secure PI when using a mobile device?
• Use a complex password or other user authentication
• Install and enable encryption
• Install and activate remote wiping and/or remote disabling
• Disable and do not install or use file sharing applications
• Install and enable a firewall
Best Practices for Transportation of Sensitive Data
Use a chain of custody log
  Tracking the data, the times and dates of transfers, the names and signatures of the individuals releasing the information, and a general description of the information being released
Paper records in non-transparent envelopes and
boxes, electronic records encrypted
Contracts in place with vendors who transport and
store the data
With indemnification and insurance
Best Practices Using Gmail & other Free E-mail Providers
Use of Gmail to communicate or transmit PI leaves
the information open to vulnerabilities
PI sent via standard Gmail is not protected
Gmail terms state Google has access to all data
transmitted through Gmail account
Google mines all data
Best Practices when Using E-mail
• Encryption
• Virtual Private Network/RSA
• Verify Selected Recipients
• Use Standard Confidentiality Disclaimers in Outlook
• “Sensitive” communications should be given special
protections against disclosure to 3rd parties
• It is the responsibility of the employee directing the
communication to determine if the communication is
“sensitive”
Best Practices to Protect Paper Records
• Protect high-risk data
  • Paper records
  • Any documents with SSN
  • W-2s
  • Benefits records
  • Health records
  • Salary and personnel information
  • Applications/recruiting
  • Student information
How to Protect
• Locked filing cabinets
• Locked facility
• Only accessed by authorized personnel with a need to know
• Do not send via regular mail
• Implement a Shred Policy and shred everything
• Destroy any paper records that don’t need to be kept/stored
Best Practices to Protect Paper Records
(cont’d)
Record keeping
Only maintain paper copies as necessary to fulfill business
and legal requirements
Follow your Record Retention Policy
Conclusion
Know where your high risk data is
and follow your privacy and
security plan to keep it protected!
Linn Foster Freedman
Robinson + Cole
One Financial Plaza
Suite 1430
Providence, RI 02903
401-709-3353
Thank you
QUESTIONS?