Cyber Security and Data Breaches

Federal Litigation Section - Annual FBA Federal Litigation Conference

Washington, D.C.
October 27, 2015

Panel Members

• Greg Burkhart: Principal Director, Cyber 4Sight® Services, Booz Allen Hamilton
• Jeffrey T. Cox: Faruki Ireland & Cox P.L.L.
• Kevin Minsky: Assoc. General Counsel, Booz Allen
• Michael Woods: V.P. and Assoc. General Counsel, National Security and Public Safety, Verizon
• Moderator: Charles B. Molster, III, Winston & Strawn LLP

Recent High Profile Data Breaches

A. Sony: November, 2014
• Suspected North Korean hackers.
• Data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of unreleased Sony films, and other information.
• The hackers called themselves the “Guardians of Peace” and demanded the cancellation of the planned release of the film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un.

B. Anthem: January, 2015
• Suspected Chinese hackers.
• Nation's second largest health insurer.
• Names, addresses, social security numbers, birth dates, and other information from 80 million customers and employees.
• Thieves used the information to rack up $40,000 in credit card charges for some customers.

C. Office of Personnel Management (U.S. Government): April, 2015
• In June 2015, OPM announced that it had been the target of a data breach targeting the records of as many as four million people.
• Later, FBI Director James Comey estimated 18 million.
• The breach has been described by federal officials as among the largest breaches of government data in the history of the U.S.
• Information targeted included SSNs, names, dates and places of birth, and addresses.
• Also likely involved the theft of detailed security-clearance-related background information.
• And even 5 million fingerprints.
• On July 9, 2015, the estimate of the number of stolen records was increased to 21.5 million.
• Soon after, Katherine Archuleta, the director of OPM and former National Political Director for Barack Obama's 2012 reelection campaign, resigned.

D. Target: December, 2013
• Suspected Russian hackers.
• 70 million customers.
• Name, address, phone number and e-mail address.
• After the data breach was discovered, Target offered one year of free credit monitoring and identity theft protection to all customers who shopped in U.S. stores.
• Access through a 3rd party vendor (HVAC).
• Shows the importance of 3rd party control as well.

High Level Technical Overview

A. General Overview
1. General Overview.
2. How do you approach advising clients on cybersecurity?
3. What does the threat landscape look like now?
4. What resources are out there to help you?

B. What can be hacked?
• Anywhere there is a device consisting of hardware and software, typically with an internet connection.

C. Define Applicable Terms
i. Cyber Security: the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.
ii. Data Breach: the intentional or unintentional release of secure information to an untrusted environment.
iii. Cloud: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
iv. Phishing: the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
v. Encryption: the process of encoding messages or information in such a way that only authorized parties can read it.
vi. Botnet: (also known as a zombie army) a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.
vii. Patch: a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities.
viii. Two-Factor Authentication: a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

Additional resources on cyber security and data breach topics:
• Federal Trade Commission, “Start with Security” guidance to businesses (https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf). This is generic guidance drawn from the FTC’s recent enforcement cases. It is fairly simple and written in non-technical language, but it provides some insight into what one group of federal regulators thinks is (or should be) the standard of care for a business.
• NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/). This document was developed through a lengthy consultation process with industry; it is meant to provide a general approach to cybersecurity, and to point businesses toward the relevant existing standards. In many industry contexts, it is becoming the de facto “standard of care.”
• NIST Recommendations (http://csrc.nist.gov/publications/PubsSPs.html). These documents are more detailed and technical recommendations developed through the NIST collaborative process with industry. The “800” series is particularly important in cybersecurity. The documents are designed for use by IT professionals responsible for implementing a company’s cybersecurity program.
• Verizon Data Breach Report (DBIR) (http://www.verizonenterprise.com/DBIR/) is an annual analysis of cyber threats as reflected in actual data breaches and security incidents. The report looks at anonymized data submitted by a broad range of law enforcement agencies, private companies, and cybersecurity providers.
• Steptoe & Johnson Cyberlaw Podcast (http://www.dhs.gov/topic/cybersecurity-information-sharing). Weekly podcast put out by a group of lawyers at Steptoe. They provide a good summary of case law, policy developments, and legislation relating to cyber, data breach, privacy, national security, etc.
• DHS Information Sharing resources: DHS supports a number of information sharing initiatives. You can find summary information here: http://www.dhs.gov/topic/cybersecurity-information-sharing.

100% Prevention is NOT POSSIBLE

• Lose credibility if you state (or think) otherwise.
• Critical to recognize the reality.
• Three kinds of entities:
  • Have been hacked.
  • Will be hacked.
  • Have been or will be, but just don’t know it (or don’t admit it).

Standard of Care

A. A standard of care is developing:
i. NIST.
ii. DOJ Guidelines.
iii. Homeland Security.

B. Critical to be – and stay – ahead of the curve.

Government Involvement

A. Federal Law Enforcement
i. FBI: FBI InfraGard.
ii. U.S. Secret Service: Electronic Crisis Task Force (ECTF).
iii. Entities organized by state or local authorities (e.g., https://cyberva.virginia.gov/).

B. Federal Agencies
i. SEC.
ii. DOJ.
iii. FTC.
iv. Homeland Security.

C. Federal Legislation
i. Cyber information sharing legislation passed by the House in the spring (two versions).
ii. Senate bill is expected to come to the floor for a vote this month.
iii. Federal legislation focuses on enhanced information sharing – both private/private and private/government.
iv. Bills include privacy and liability protections.

D. State Regulations
i. 49 states.
ii. Different definitions of “breach.”
iii. Different requirements re notification of government officials, law enforcement, etc.
iv. Different requirements re notification of customers.
v. Different requirements as to what data elements must be disclosed in notifications.
vi. Virginia: Va. Code § 18.2-186.6.

E. Report on Status of Regulatory Rulemaking
1. Federal: NIST Framework, Exec. Order effect on regulatory agencies.
2. Specific agency interest:
   i. SEC.
   ii. FTC.
   iii. FCC.
   iv. Sector agencies.

Information Sharing Among Stakeholders, Government Agencies, Etc.

A. Report on general status.
B. Government contractors and subcontractors have different obligations than other entities.

3rd Party Vulnerability and Efforts to Control

A. Target Breach Was Through an HVAC Vendor.
B. Questionnaires/Interviews re Data Security Practices.
C. Audits re Same.

Who are the Hackers?

A. Nation States (North Korea, China, Russia, other?)
B. Criminal Groups.
C. “Patriotic hackers.”
D. Terrorists/ISIL.
E. Even Teenagers.

What Are Their Motivations?

F. Money is the usual driver.
• But not always – see Ashley Madison (morality was the driver?)
G. Ransom scams are common.

Data Breach Litigation

• Recent General Counsel article predicting a “Wave of data breach litigation.”
• Recent 7th Circuit case re standing in data breach cases (Remijas v. Neiman Marcus Group, 794 F.3d 688 (2015)).
• Class action cases against Target, Anthem, Sony, etc.

Commercially Available Products and Services

A. High level, publicly available discussion of prior work for DOD and the Intelligence Community:
i. Booz Allen Hamilton.
ii. Verizon Communications.

B. Cyber products and services available from Booz Allen Hamilton:
i. Threat analyses (pre-breach): vulnerability testing and recommendations for remediation.
ii. Cyber4Sight® Services: predictive intelligence service that helps clients prepare for future attacks – information/reports on threat-actor activities and trends.
iii. Post-cyber-incident threat mitigation.
iv. Workforce skills assessment and cyber training.
v. Analytics of risks, threats, and opportunities for companies, government, and executive clients.

C. Products and services available from Verizon:
i. Managed Security Services.
ii. Forensic Response.
iii. Rapid Response Retainers.
iv. Government partnerships (ECS).

Suggested Best Practices

A. Must have a carefully constructed response plan in place BEFORE the crisis hits.

B. Critical for:
• Post-breach litigation.
• Government inquiries/investigations (SEC, DOJ, FTC, state regulators, etc.).
• Response to media inquiries/public opinion/investors/corporate executives.

C. Plan should include:
1) Identify and protect critical assets (not necessarily “everything”).
2) Experienced external counsel and forensic experts retained in advance:
   a) No delay for conflict checks.
   b) Expert advice to help develop the plan (make sure you have a backup of critical data and the ability to log event traffic).
   c) Expert advice available as soon as a breach is detected.
   d) After-hours/weekend response already negotiated.
3) Law enforcement contacts developed in advance:
   • FBI InfraGard.
   • USSS ECTF.
   • Others.
4) Media Response Plan:
   • Single point of contact.
   • Recognize that investigation and recovery take time – OPM, etc.
5) Dissemination of Information to Board of Directors:
   • Critical – Boards are beginning to be held accountable.
   • Boards need to understand that this is no longer just a low-level IT issue.
   • Boards need to understand the extent and importance of efforts to prevent, monitor, detect and mitigate.
6) Dissemination of Information to Investors:
   • Critical that the Investor Relations Dept. understands and is prepared for investor inquiries and notifications post-breach.
7) Notification of Customers:
   • Currently governed by 49 different state laws.
   • Plus a host of international rules and regulations for global customers.
   • Uniform federal legislation may be on the way.

D. War Games/Simulations:
• Good practice for the real thing.
• Also shows awareness, seriousness and taking responsibility in advance of a breach.

E. Engage “White Hat” Hackers:
• Run “Bug Bounty” programs.

Questions?
