
Page 1

Boston | Hartford | New York | Providence | Stamford | Albany | Los Angeles | Miami | New London | rc.com © 2017 Robinson & Cole LLP

Managing Threats to Data Privacy and Security

National Scholarship Providers Association

Linn Foster Freedman, Esq.

October 9, 2017

Page 2

Overview

Identifying and Protecting High-Risk Data

Mapping Your Data/High-Risk Data

Prepare a Privacy + Security Plan
• Map Your Data/High-Risk Data
• Security Risk Assessment
• Policies and Procedures
• Breach Notification Plan
• Incident Response Team
• WISP
• Education of Employees

Recent Risks to Data
• Phishing/Spear-Phishing
• Malware + Ransomware

Vendor Management/Contracts

Cyberliability Insurance

Best Practices

Page 3

Identifying and Protecting High-Risk Data

• Personally Identifiable Information
  • Includes SS #, state-issued ID #, mother’s maiden name, driver’s license #, passport #, credit history, criminal history
  • Students and their Parents

• Name & Contact Information
  • Includes initials, address, telephone number, e-mail address, mobile number, date of birth
  • Students and their Parents

• Personal Characteristics
  • Includes age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs
  • Students and their Parents

Page 4

Identifying and Protecting High-Risk Data (cont’d)

• Financial Data
  • Includes credit, ATM, debit card #s, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords
  • Parent’s financial data, tax information

• Health & Insurance Account Information
  • Includes health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account #, Medicare and Medicaid information

Page 5

Identifying and Protecting High-Risk Data (cont’d)

• Employment Information
  • Includes income, salary, service fees, compensation information, background check information
  • Potentially Parent’s Information

• Intellectual Property Information

• Student Data
  • As defined by FERPA

Page 6

Mapping Your Data/High-Risk Data

Determine where your data/high-risk data is, both in paper and electronic form, where it is going, and the overall data flow, so that you know how to protect it (and who to protect it from).

Page 7

Prepare a Privacy + Security Plan

Map Your Data/High-Risk Data

Security Risk Assessment

Policies and Procedures

Breach Notification Plan
• Engage 3rd party vendors to be on stand-by in the event of a breach

Incident Response Team

WISP

Educate Employees

Audit IT Systems

Vendor Management

Cyberliability Insurance

Privacy and Security Team

Page 8

Data Mapping

Locate, identify, and classify data/high-risk data
• In both paper and electronic form
• Determine what kind of information it is (e.g., HR, student, payroll)
• Identify its current storage state (e.g., in a cabinet; encrypted at rest)
• Determine how it is protected, who has access to it, and whether the information needs to be retained (e.g., a vendor accessing certain information systems may require higher protections; older data may not need to be retained, so destroy it if possible)
• Identify the risks to the data

Implement appropriate policies, procedures and practices to protect the data once you have determined where the high-risk data is maintained.
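The locate/identify/classify step above is usually done with a data-discovery tool rather than by hand. The script below is an added example, not part of the presentation, showing the mechanics over constructed sample sources: it detects a few of the high-risk data types named on the earlier slides (SSN, payment card numbers validated with a Luhn check, e-mail address, date of birth), maps each hit to the slide's category, and emits one data-map entry per source with its storage state, who can access it, the risks that follow (unencrypted electronic storage, vendor access) and a retention action. The source names, records, role labels and the seven-year retention window are all constructed placeholders.

```python
"""Added example: a small scanner for the 'locate, identify, classify' step of a
data-mapping exercise. Sources, records, role labels and the retention window are
constructed for illustration; a production DLP tool uses many more detectors."""
import re
from dataclasses import dataclass, field
from datetime import date

# Detectors for a few of the high-risk data types listed on the slides (constructed).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date_of_birth": re.compile(r"\bDOB[:\s]+\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
}

# Slide category that each detector belongs to.
CATEGORY_OF = {
    "ssn": "Personally Identifiable Information",
    "payment_card": "Financial Data",
    "email": "Name & Contact Information",
    "date_of_birth": "Name & Contact Information",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of detector names that fire on one record."""
    found = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "payment_card":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_ok(digits):
                    continue  # a digit run that is not a valid card number
            found.add(name)
    return found


@dataclass
class DataSource:
    name: str            # where the data lives (constructed names)
    form: str            # "paper" or "electronic"
    storage_state: str   # e.g. "locked cabinet" or "encrypted at rest"
    accessible_to: list  # roles; a "vendor:" prefix marks a third party
    last_used: date
    records: list = field(default_factory=list)


@dataclass
class MapEntry:
    source: str
    form: str
    categories: set
    storage_state: str
    accessible_to: list
    risks: list
    retention_action: str


def build_map_entry(src: DataSource, as_of: date, retention_years: int = 7) -> MapEntry:
    """Classify one source and derive its risks and retention action.
    The retention window is a constructed placeholder, not a legal rule."""
    categories = {CATEGORY_OF[d] for rec in src.records for d in classify(rec)}
    risks = []
    if categories:
        if src.form == "electronic" and "encrypted" not in src.storage_state:
            risks.append("high-risk data stored unencrypted")
        if any(role.startswith("vendor:") for role in src.accessible_to):
            risks.append("vendor access: confirm contract and higher protections")
    if not categories:
        action = "no high-risk data identified"
    elif (as_of - src.last_used).days > retention_years * 365:
        action = "review for destruction"
    else:
        action = "retain"
    return MapEntry(src.name, src.form, categories, src.storage_state,
                    list(src.accessible_to), risks, action)


def build_data_map(sources, as_of: date) -> list:
    return [build_map_entry(s, as_of) for s in sources]


# Constructed sample sources; none of these records are real.
AS_OF = date(2017, 10, 9)
SAMPLE_SOURCES = [
    DataSource("applications_2009.csv", "electronic", "departmental file share",
               ["staff:awards", "vendor:payroll-co"], date(2009, 6, 30),
               ["Jane Doe, SSN 123-45-6789, jane.doe@example.edu, DOB 2001-05-14"]),
    DataSource("donor_ledger.xlsx", "electronic", "encrypted at rest",
               ["staff:finance"], date(2017, 9, 1),
               ["card 4111 1111 1111 1111 exp 12/19", "card 4111 1111 1111 1112 (typo)"]),
    DataSource("W-2 binder", "paper", "locked cabinet, HR office",
               ["staff:hr"], date(2016, 1, 31), ["W-2 for employee 078-05-1120"]),
    DataSource("newsletter_draft.txt", "electronic", "departmental file share",
               ["staff:communications"], date(2017, 10, 1),
               ["Fall newsletter: 300 scholarships awarded this year"]),
]

if __name__ == "__main__":
    for entry in build_data_map(SAMPLE_SOURCES, AS_OF):
        print(entry)
```

Running it lists the old, unencrypted application export as carrying PII and contact data, shared with a vendor and overdue for a destruction review, while the encrypted ledger is flagged only for the financial data it holds; the mistyped card number fails the Luhn check and is ignored, which is the kind of false-positive control a real discovery tool needs before its output is trusted.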

Page 9

Security Risk Assessment

The objective of a security risk assessment is to understand the existing system and environment, and identify risks through analysis of the information/data collected.

Use of internal and external vendors

Several types of information that are often analyzed include:
• Security requirements and objectives
• System or network architecture and infrastructure
• Information available to the public or accessible from the organization’s web site
• Physical assets, such as hardware, including those in the data center, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)
• Operating systems, such as PC and server operating systems, and network management systems
• Data repositories, such as database management systems and files

Page 10

Security Risk Assessment (cont’d)

• A listing of all applications
• Network details, such as supported protocols and network services offered
• Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
• Security components deployed, such as firewalls and intrusion detection systems
• Processes, such as a business process, computer operation process, network operation process and application operation process
• Identification and authentication mechanisms
• Documented or informal policies, procedures and guidelines

Page 11

Privacy + Security Policies and Procedures

Website Privacy Policy and Terms of Use

Privacy Policy

Security Policy

Breach Notification Plan

Written Information Security Program

Acceptable Use Procedure, Social Media Procedure, BYOD, E-mail Procedure

Data Retention Program and Retention Schedule

Page 12

Breach Notification Plan

To be effective, the breach notification process must be part of a comprehensive information security plan:
• Risk assessment
• Trigger events
• Mitigation plan
• Security Incident Response Team
• Identify State and Federal Laws and Requirements
• Communications/Media Team/Vendors in Place

Page 13

Breach Notification Across the Country

48 State Breach Notification Laws

Page 14

Who Should be on the Incident Response Team?

EXAMPLES:
• General Counsel (and Outside Counsel)
• Privacy Officer
• Security Officer
• Communications
• Chief Financial Officer or Other C-Suite
• Human Resources
• Crisis Management
• Forensics
• Chief Information Security Officer (Information Technology Department)
• Representatives of Board
• Others?

Page 15

Written Information Security Program

MASSACHUSETTS DATA SECURITY REGULATIONS, 201 C.M.R. 17.00

RHODE ISLAND IDENTITY THEFT PROTECTION ACT, R.I.G.L. § 11-49.3-1

CONNECTICUT PUBLIC ACT NO. 15-142

CALIFORNIA (CAL. CIV. CODE § 1798.81.5)

Page 16

Educate Employees

Employees must know the policies and procedures that are in place

Employees are one of the greatest risks to an organization’s data

Yearly comprehensive training and/or after an event

Creative education and incentives

Page 17

Recent Risks to Data

• Phishing
  • A malicious “spam-like” message sent in large batches to a broad audience

• Spear-Phishing
  • A form of phishing – messages appear to come from a familiar or trusted sender and target specific recipients

• Ransomware
  • A type of malicious software designed to block access to a computer system until a sum of money is paid

• Malware
  • Software that is intended to damage or disable computers and computer systems

Page 18

Phishing/Spear-Phishing

IRS Issued Warnings to Payroll/HR

March 1, 2016, and February 2, 2017

Warning of phishing schemes that affected numerous companies

According to the IRS, “If your CEO appears to be emailing you for company employees’ personal information, including SSNs, check it out before you respond.”

May email [email protected] to report phishing schemes

Page 19

Phishing/Spear-Phishing (cont’d)

FBI issued warnings due to the “dramatic rise” in these schemes

April 2016 and June 2016

Received complaints from victims in every state in the U.S. and at least 100 countries, from 22,143 victims

To date, the losses associated with the email scams total more than $3.1 billion

Page 20

Phishing and Spear-phishing - Growing and Expen$ive Problem

Among email users who receive “bait” messages:
• 23% open the bait messages
• 11% click on attachments and links in the bait messages
• 1 in 10 open email attachments from unknown senders
• $1.8 million is the average amount users cost their employer

Major data breaches resulting from phishing or spear-phishing

Page 21

Malware/Ransomware

EXAMPLES:
• Hollywood Presbyterian Medical Center
• HEI Hotels & Resorts (Hyatt, Sheraton, Marriott and Westin Hotels)
• MedStar Health
• Horry County Schools (South Carolina)
• Bigfork Public School District (Montana)
• K-Mart
• Los Angeles Valley College
• University of Calgary
• DocuSign

Malware and Ransomware Attacks on the Rise

Page 22

Ransomware/Malware (cont’d)

Higher education is particularly vulnerable because, in contrast to hacking targets like banks, college and university computer networks are more open

Reports from the Internet security teams at Symantec and Verizon state that nearly 1 million new malware threats are released every day

More than 317 million new pieces of malware (computer viruses or other malicious software) were created in 2016

Page 23

Ransomware/Malware (cont’d)

Some Statistics…

2,500 cases of ransomware costing victims $24 million in the US alone were reported to the Internet Crime Complaint Center in 2015

10 is the average number of evasion techniques used per malware sample

97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless

15% of new files are malicious

Page 24

Ransomware/Malware (cont’d)

Statistics continued…

98% of Microsoft Office-targeted threats use macros

600%+ increase in attachment-based vs. URL-delivered malware attacks from mid 2014 to 2015

50% increase last year in email attacks where macros are the method of infection

Page 25

Vendor Management + Contracts

Map all vendors who have access to PI

Follow the data

Put vendor confidentiality agreements in place with each:
• Payroll/HR
• Benefits/insurance
• Website hosting provider
• Cloud service provider
• CPA
• Lawyer

Page 26

Cyberliability Insurance

Need to cover information you have in your possession – most comprehensive general insurance liability policies DO NOT cover a data breach

Those general policies were not designed for when information gets into the wrong hands, such as when an employee leaves a laptop on a subway or a hacker accesses your database

Page 27

Cyberliability Insurance (cont’d)

Cyberliability insurance in general will cover: liability for failure to protect personal information held on computer systems or mobile devices, costs to notify individuals, investigative costs, public relations, legal fees, media coverage, mitigation, etc.

Talk to a broker who has experience with cyberliability policies

Work with the insurer to have existing relationships approved

Page 28

Best Practices with Mobile Devices

Laptops, USB drives, portable hard drives, and smartphones are high risk if they contain PI

Stolen unencrypted mobile devices are still an issue every day
• Lost laptops and USB drives
• Connecting to an unsecure Wi-Fi network

If a mobile device contains PI and the PI is accessed, used, or disclosed by an unauthorized individual, you may be required to notify under state law

Page 29

Best Practices with Mobile Devices (cont’d)

Risks with using USB drives
• Cyber criminals are starting to write viruses and worms that specifically target USBs
• So small they’re easy to lose
• If a lost or stolen USB drive contains sensitive personal information that’s not encrypted or secure, it could be a reportable data breach

Page 30

Best Practices with Mobile Devices (cont’d)

How to manage mobile devices
• Decide whether mobile devices will be used to access, receive, transmit or store PI or used as part of an internal network or system
• Consider how mobile devices affect the risks to PI
• Identify a mobile device risk management strategy
• BYOD Policy
• Train employees about mobile device privacy and security awareness and best practices

Page 31

Best Practices with Mobile Devices (cont’d)

How can you protect and secure PI when using a mobile device?
• Use a complex password or other user authentication
• Install and enable encryption
• Install and activate remote wiping and/or remote disabling
• Disable and do not install or use file sharing applications
• Install and enable a firewall

Page 32

Best Practices for Transportation of Sensitive Data

Use a chain of custody log
• Tracking data, the times and dates of transfers, names and signatures of individuals releasing the information, and a general description of the information being released

Paper records in non-transparent envelopes and boxes, electronic records encrypted

Contracts in place with vendors who transport and store the data
• With indemnification and insurance
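A chain of custody log is only useful in a dispute if nobody can quietly rewrite an earlier entry. The script below is an added example, not part of the presentation, showing one way to make such a log tamper-evident: each entry carries the fields the slide calls for (time and date of transfer, description of the information, who released it, who received it, a signature) together with a SHA-256 hash of the previous entry, so editing or removing any earlier entry breaks the chain and `verify()` reports where. The transfers, names, timestamps and the `sig:` strings standing in for signatures are constructed.

```python
"""Added example: a hash-chained chain of custody log for transfers of sensitive
data. All entries, names and 'signature' strings are constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the entry's own hash, in canonical key order."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, when, description, released_by, received_by, signature) -> str:
        """Append one transfer and return its hash. Hand that hash to the recipient
        (or countersign it): the chain alone does not detect truncation of the tail."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "when": when,                 # date and time of the transfer
            "description": description,   # general description of the information
            "released_by": released_by,
            "received_by": received_by,
            "signature": signature,       # stand-in for a wet or digital signature
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Walk the chain. Return (True, None) if intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or _digest(entry) != entry["entry_hash"]):
                return False, i
            prev = entry["entry_hash"]
        return True, None


def build_sample_log() -> CustodyLog:
    """Three constructed transfers of one sealed box of paper application files."""
    log = CustodyLog()
    log.record("2017-10-02T09:15", "Box 12: 2016 scholarship applications (paper, sealed)",
               "A. Clerk (records office)", "B. Courier (vendor:secure-transport)", "sig:A.Clerk")
    log.record("2017-10-02T11:40", "Box 12: 2016 scholarship applications (paper, sealed)",
               "B. Courier (vendor:secure-transport)", "C. Archivist (offsite storage)", "sig:B.Courier")
    log.record("2017-10-05T14:05", "Box 12 returned for audit (seal intact)",
               "C. Archivist (offsite storage)", "A. Clerk (records office)", "sig:C.Archivist")
    return log


def demo() -> dict:
    """Verify an intact log, then show that editing one field is detected."""
    log = build_sample_log()
    intact = log.verify()
    log.entries[1]["received_by"] = "D. Unknown"  # simulated after-the-fact edit
    tampered = log.verify()
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The chain catches edits and deletions anywhere before the last entry, but an attacker who controls the whole file can still drop entries from the end; that is why the newest hash should leave the custody holder's hands, for example by being written on the recipient's signed receipt.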

Page 33

Best Practices Using Gmail & other Free E-mail Providers

Use of Gmail to communicate or transmit PI leaves the information open to vulnerabilities

PI sent via standard Gmail is not protected

Gmail terms state Google has access to all data transmitted through a Gmail account

Google mines all data

Page 34

Best Practices when Using E-mail

• Encryption
• Virtual Private Network/RSA
• Verify Selected Recipients
• Use Standard Confidentiality Disclaimers in Outlook
• “Sensitive” communications should be given special protections against disclosure to 3rd parties
• It is the responsibility of the employee directing the communication to determine if the communication is “sensitive”

Page 35

Best Practices to Protect Paper Records

• Protect High risk data
  • Paper records
  • Any documents with SSN
  • W-2s
  • Benefits records
  • Health records
  • Salary and personnel information
  • Applications/recruiting
  • Student information

How to Protect
• Locked filing cabinets
• Locked facility
• Only accessed by authorized personnel with a need to know
• Do not send via regular mail
• Implement a Shred Policy and shred everything
• Destroy any paper records that don’t need to be kept/stored

Page 36

Best Practices to Protect Paper Records (cont’d)

Record keeping
• Only maintain paper copies as necessary to fulfill business and legal requirements
• Follow your Record Retention Policy

Page 37

Conclusion

Know where your high risk data is and follow your privacy and security plan to keep it protected!

Page 38

Linn Foster Freedman

[email protected]

Robinson + Cole
One Financial Plaza
Suite 1430
Providence, RI 02903
401-709-3353

Thank you

QUESTIONS?