Privacy compliance as a competitive differentiator: 97% of 3,200 companies surveyed say they are receiving auxiliary benefits today from their data privacy investments, beyond just meeting compliance requirements.

Benefits cited include:

  • greater agility and innovation
  • competitive advantage over competitors
  • operational efficiency
  • investor appeal
  • less costly data breaches
  • for companies that had undergone GDPR compliance work, breaches are said to have involved fewer records, been shorter in duration and led to smaller financial impact
  • fewer sales delays

Details from the International Association of Privacy Professionals.

2019 presents businesses with new cybersecurity and privacy challenges: rapid advances in technology, sophisticated new cyberattacks and stricter privacy regulations here and around the world, just to name a few. Businesses that fail to plan risk significant financial and reputational damage.

Those at the front of the fight, but out of the headlines, will:

  • Afford users and consumers true “data self-determination” and transparent control over data while providing a frictionless digital experience.
  • Master what data they collect, who has access to it and how long they have it: “Cradle-to-grave” control over data will win the day.
  • Master baseline data privacy and security, whether defined by statutory schemes, best practices or voluntary industry standards.
  • Remain battle-ready for the critical infrastructure breach (financial, utility and/or transportation).
  • Deploy robust methods to repel the email compromise.
  • Implement tested response plans for digital deep fakes (false video and audio recordings) and other disinformation campaigns.
  • Master vendor and supply chain data security.

Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help safeguard protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn cutting-edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corps and is a decorated combat veteran of Operation Desert Shield/Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

The White House is building on recent laws addressing cybersecurity in the United States with the release of a new Cybersecurity National Action Plan (“CNAP”). The plan focuses on:

  • improving cybersecurity awareness and protections;
  • additional privacy and security protections for individuals through the creation of a permanent Federal Privacy Council;
  • maintenance of public safety, economic security and national security through a new Commission on Enhancing National Security; and
  • encouraging citizens to take better control of their digital information and security.

CNAP includes a request to Congress to invest over $19 billion in the 2017 Fiscal Year Budget, a 35% increase over the resources allocated to cybersecurity during FY 2016.

The plan is highlighted by a new Commission on Enhancing National Security (“Commission”). The Commission will be comprised of top technical, strategic, and business advisors in the private sector chosen by bipartisan Congressional leadership.  It will make detailed recommendations to improve cybersecurity awareness both inside and outside the government.  The Commission will also make specific findings about improving national security and empowering citizens to better handle their digital security.  These recommendations and findings must be reported to the President before the end of this year.

The White House looks to make significant improvements in government cybersecurity as part of a $3.1 billion Information Technology Modernization Fund, which will allow agencies to modernize outdated IT infrastructure, networks and systems. A new Federal Chief Information Security Officer will be solely dedicated to developing, managing, and coordinating cybersecurity policies, strategies and operations in the federal government.  The Department of Homeland Security will have new federal civilian cyber defense teams to protect associated networks, systems and data.  The plan also calls for disrupting cyberattacks and improving cyber incident response.

CNAP’s concern for citizens’ privacy and security is reflected in an Executive Order making the Federal Privacy Council permanent. Privacy officials from across the government will help ensure that more strategic and comprehensive federal privacy guidelines are implemented.  The Administration wants citizens to leverage multiple layers of authentication when logging into online accounts instead of just a password. Extra factors like a fingerprint or a single use code via text message are ways to improve online security. The federal government is accelerating adoption of this approach for citizen-to-government digital services, such as tax and health benefit information.  The White House’s new milestones for the 2014 BuySecure Initiative will build upon the already 2.5 million issued Chip-and-PIN payment cards.

Research and development will continue to be a focus with a new Federal Cybersecurity Research and Development Strategic Plan. The strategic plan outlines research and development goals so that the U.S. can advance cybersecurity technologies.  CNAP further mentions working with the Linux Foundation’s Core Infrastructure Initiative to maintain and improve internet infrastructure.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

Notification

This blog post is the fifth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified.  This post will discuss the individuals and organizations that should be notified once a cyberattack occurs.  The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) the Department of Homeland Security, and (4) other possible victims.

Individuals within the Business

A business’ Response Plan should list the specific employees to be contacted once a business has been attacked.  These employees normally include the senior executives, information technology officers, public affairs officials, and a business’ legal counsel.  Multiple methods of communication for each employee, including cell phone numbers, home phone numbers, and personal email addresses, should be listed in the Response Plan.  These critically important individuals should be contacted at the first sign of a cyber incident.

Law Enforcement Officials

Law enforcement officials should be contacted once a business suspects that its cyber incident is a result of criminal activity.  A business should not hesitate to contact law enforcement even if it fears that its business operations will be disrupted.  Both the FBI and the U.S. Secret Service prioritize their ability to work around a business’ normal operations when conducting an investigation.  These government organizations will work with a business to ensure that sensitive information is not released and that the business’ reputation is not unnecessarily tarnished.  Both groups will help the company release a press statement and decide what information is necessary to disclose to shareholders.  In addition, law enforcement officials are able to receive support from international counterparts in order to track stolen data around the globe.

The Department of Homeland Security

The National Cybersecurity & Communications Integration Center (NCCIC) is a branch of the Department of Homeland Security that provides continuous updates on cyber incidents, cybersecurity information, and recovery efforts.  By alerting the NCCIC to a cyber incident, a business is able to share and receive information that may be beneficial in its recovery efforts.  A business should keep in regular contact with the NCCIC, even if it is not experiencing a cyber incident, in order to stay alert to the latest trends in cyberattacks.

Other Potential Victims

After a business discovers a cyberattack it should alert other businesses in its network because they are potential victims.  Cyberattacks often use network communications between businesses to spread malware and disrupt workflow.  Notifying other businesses may allow them to take preventative measures and insulate themselves from possible attacks.  If a business does not feel comfortable contacting other potential victims it should communicate through law enforcement officials.  Victims may also be able to share information to assist each other in managing the cyber incident and discovering the source of the cyberattack.

The next blog post will discuss what a business should not do after a cyberattack and how a business should begin to recover.

Preservation of Evidence

This blog post is the fourth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the initial steps that a business should take once a cyberattack has been identified.  This post will discuss further steps that a business should take after an attack.

Preservation is critical when responding to a cyberattack: the more evidence a business is able to preserve, the greater the chance that it will be able to determine how its system was hacked.  “Forensic imaging” is a useful way to preserve a system because it produces an exact, bit-for-bit copy of a computer’s hard disk.  A forensic image will capture all of the deleted files, the system’s files, and any other information that may be necessary for a detailed analysis of the attack.

After the necessary information and evidence of an attack has been preserved, the business should begin to transfer its information onto a clean system.  When transferring information, it is important to ensure that the new data is completely free of any impacted documents.  The business should write-protect the transferred data so that it cannot be altered by other corrupted documents.  In order to maintain the authenticity of the documents, access to them should be restricted and a chain of custody should be used.
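The preservation steps above (image the disk, verify the copy, write-protect it, restrict access and keep a chain of custody) can be made concrete in code. The following is an added example, not code from the original post or from Fox Rothschild: it copies a constructed stand-in for a disk image into an evidence directory, confirms the copy's SHA-256 hash matches the source, clears the write bits, and re-hashes the image at every hand-off so that any later alteration is detected. Paths, handler names and the image contents are all invented for the example; it uses only the Python standard library.

```python
"""
Added example (not from the original post): forensic image preservation with
integrity hashes and a chain-of-custody log. Uses only the standard library.
The image bytes below are a constructed stand-in for a real disk acquisition.
"""
import hashlib
import stat
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash and copy in 1 MiB chunks so large images need not fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_protect(path: Path) -> None:
    """Clear every write bit so the preserved copy cannot be altered in place."""
    mode = path.stat().st_mode
    path.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


@dataclass
class CustodyEvent:
    when: str      # UTC timestamp of the hand-off
    handler: str   # person taking custody (hypothetical names in the demo)
    action: str    # what was done with the evidence
    sha256: str    # digest observed at that moment


@dataclass
class PreservedImage:
    path: Path
    original_sha256: str
    events: list = field(default_factory=list)

    def record(self, handler: str, action: str) -> CustodyEvent:
        """Re-hash the image at every hand-off and append the result to the custody log."""
        ev = CustodyEvent(datetime.now(timezone.utc).isoformat(), handler, action, sha256_file(self.path))
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """True only if the image still matches the digest taken at acquisition."""
        return sha256_file(self.path) == self.original_sha256


def preserve(source: Path, evidence_dir: Path, handler: str) -> PreservedImage:
    """Copy the source image into the evidence directory, verify, write-protect and open the custody log."""
    dest = evidence_dir / (source.name + ".img")
    with source.open("rb") as src, dest.open("wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    # The copy is only evidence if it is byte-identical to what it was taken from.
    src_hash, dest_hash = sha256_file(source), sha256_file(dest)
    if src_hash != dest_hash:
        raise RuntimeError("copy does not match source; imaging failed")
    write_protect(dest)
    img = PreservedImage(dest, dest_hash)
    img.record(handler, "acquired and write-protected")
    return img


def demo() -> dict:
    """Run the workflow on a constructed image and report what the custody log shows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "sda"  # constructed stand-in for a raw acquisition of the compromised disk
        source.write_bytes(b"MBR\x00" * 4096 + b"deleted-file-remnant" + b"\x00" * 1024)
        evidence = root / "evidence"
        evidence.mkdir()

        img = preserve(source, evidence, handler="analyst-a")
        img.record("analyst-b", "received for analysis")
        intact = img.verify()

        # Simulate an improper alteration after custody was transferred.
        img.path.chmod(stat.S_IRUSR | stat.S_IWUSR)
        with img.path.open("ab") as f:
            f.write(b"tampered")
        still_intact = img.verify()

        return {
            "intact_before_tamper": intact,
            "intact_after_tamper": still_intact,
            "hashes_consistent": len({e.sha256 for e in img.events}) == 1,
            "events": len(img.events),
        }


if __name__ == "__main__":
    print(demo())
```

The custody log is what makes the evidence defensible: every entry carries the digest observed at that hand-off, so a mismatch pinpoints which custodian held the image when it changed. Note that file-mode write protection is advisory only against processes running as root, so a real evidence store should also rely on restricted access and, ideally, write-once media.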

All personnel involved with the response to the attack should keep detailed records of their actions.  This will not only help when modifying the Response Plan in the future, but may also be useful for law enforcement during its investigation.  Preferably, one employee should be in charge of coordinating and maintaining each individual’s information.  This ensures organization and continuity between employees’ responsibilities.  Important information to record includes (1) a description of all incident-related events, (2) details of all communications regarding the incident, (3) a description of each employee’s duties in response to the attack, (4) a listing of how each network system was impacted by the cyberattack, and (5) the version of software on the network.

If an attack is continuous, like a worm circulating through the network, a business should attempt to record the attack’s actions.  A business may be able to use network monitoring devices, like a “sniffer,” to intercept and note communications between the cyberattack and the business’ servers.  This type of monitoring is usually lawful if it is done to protect the business’ property or if network users have previously given consent.  However, a business should consult its legal counsel if it plans to engage in this type of monitoring because it may implicate the Wiretap Act or impact the business’ employment agreements.  A business should also ensure that it has enabled logging on an impacted server if it has not previously done so.  Finally, increasing the default size of the log files can help to prevent data loss and defeat the cyberattack.

The following blog post will discuss which individuals and organizations a business should contact after a cyberattack.

Executing a Response Plan

This blog post is the third installment of a six-part series discussing the best practices relating to cyber security.  The first two blog posts discussed the best practices for preparing a business in case of a cyberattack.  This post will discuss the initial steps that a business should take after a cyberattack occurs.

Once an employee discovers a cyber incident, the business should immediately assess the nature and range of the situation.  It is important to determine whether the disruption is a purposeful cyberattack or a system accident.  This determination will assist a business in executing the appropriate Response Plan.  If the incident is a malicious cyberattack, the business may need to disengage its entire system and shut down its technological operations.  If the incident is a product of faulty software, the business may be able to take less extreme measures.

Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation.  The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network.  Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.

During the initial assessment it is important to determine if data was exported from the system.  The data trail may illustrate the possible motive behind the attack and where it could strike next.  If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators.  This may help to weaken the attack and increase the chance of retrieving stolen data.
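The initial assessment described above asks a handful of concrete questions: which systems were impacted, where the incident originated, which users were logged on, what may have been installed, and whether data left the network. The following is an added example, not code from the original post, that answers those questions with a first-pass triage over a small set of constructed event records. The key=value log format, hostnames, addresses, user names and the indicator hash are all invented for the example; a real deployment would read the same questions off whatever logs the business actually collects.

```python
"""
Added example (not from the original post): first-pass incident triage over
constructed event records. Everything below (log format, hosts, users, hashes)
is invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simple key=value format (not any product's real format).
SAMPLE_LOG = """\
2019-03-01T02:14:07Z host=ws-17 event=login user=jdoe src=10.0.0.45
2019-03-01T02:15:30Z host=ws-17 event=proc user=jdoe name=invoice.pdf.exe hash=deadbeef
2019-03-01T02:16:02Z host=ws-17 event=egress dst=203.0.113.9 bytes=1048576
2019-03-01T02:20:11Z host=fs-01 event=login user=jdoe src=10.0.0.17
2019-03-01T02:21:45Z host=fs-01 event=proc user=jdoe name=invoice.pdf.exe hash=deadbeef
2019-03-01T02:25:00Z host=fs-01 event=egress dst=203.0.113.9 bytes=734003200
2019-03-01T02:30:00Z host=ws-03 event=login user=asmith src=10.0.0.22
2019-03-01T02:31:00Z host=ws-03 event=proc user=asmith name=outlook.exe hash=cafe0001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one 'timestamp key=value ...' line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(token.split("=", 1) for token in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def triage(log_text: str, indicator_hashes: set, egress_threshold_bytes: int = 100 * 1024 * 1024) -> dict:
    """
    Summarise an incident from event records:
      - a host is 'impacted' once a process matching a known indicator hash ran on it;
      - the origin is the impacted host with the earliest indicator sighting;
      - users seen logging on to impacted hosts are listed for follow-up;
      - outbound volume from an impacted host above the threshold is flagged as possible data export.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])

    first_seen = {}                 # host -> time the first indicator was observed
    users = defaultdict(set)        # host -> users who logged on
    malware = defaultdict(set)      # host -> matching process names
    egress = defaultdict(int)       # host -> total outbound bytes

    for r in records:
        host = r["host"]
        if r["event"] == "login":
            users[host].add(r["user"])
        elif r["event"] == "proc" and r.get("hash") in indicator_hashes:
            malware[host].add(r["name"])
            first_seen.setdefault(host, r["ts"])
        elif r["event"] == "egress":
            egress[host] += int(r["bytes"])

    possible_exfil = {h: b for h, b in egress.items() if h in first_seen and b >= egress_threshold_bytes}
    origin = min(first_seen, key=first_seen.get) if first_seen else None
    return {
        "impacted_hosts": sorted(first_seen),
        "origin": origin,
        "users_on_impacted": {h: sorted(users[h]) for h in first_seen},
        "malware": {h: sorted(malware[h]) for h in first_seen},
        "possible_exfil": possible_exfil,
    }


if __name__ == "__main__":
    # "deadbeef" is a constructed indicator hash, not a real malware sample.
    print(triage(SAMPLE_LOG, {"deadbeef"}))
```

On the sample data the triage reports ws-17 as the origin (the indicator ran there first), fs-01 as the second impacted host, jdoe as the account seen on both, and only fs-01's 700 MB outbound transfer as a possible export; ws-03 and asmith are left out because nothing matched an indicator there. The output is a starting point for the administrator's survey, not a conclusion: it shows which hosts to image first and which accounts and destinations to examine.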

After the initial assessment is complete, the business may need to employ preventative measures in order to stop the loss of data.  Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network.  If a specific user or network terminal is identified as being the root of the attack, it should be blocked and disabled immediately.  In more extreme cases, an entire network may need to be shut down if an attack persists.  A business should store backup copies of critical data if its Response Plan calls for the network to be shut down.  This allows the business to continue some operations from a remote network while its main network is disabled.

It is important that all steps taken to gather information and diminish damages are recorded accurately.  This information will be useful in law enforcement’s efforts to bring criminal charges and for a business’ insurance claims.

The following blog post will discuss the next steps for a business to take once these initial steps are complete.

PREVENTING A CYBERATTACK (Part 2)

This is the second installment in a six-part discussion on the best practices to prevent a cyberattack.  The first part discussed four critical steps to prepare a business in the case of a cyberattack.  These included: (1) identifying the crucial assets and functions of a business, (2) creating a Response Plan, (3) installing the appropriate technology, and (4) obtaining authority for network monitoring.  This article builds on those steps by suggesting further best practices in order to prevent a cyberattack.

5. Align Business Policies with the Response Plan

When an organization creates a Response Plan in the event of a cyberattack, it must ensure that the plan is cohesive with preexisting business policies within the organization.  In order for the Response Plan to be implemented effectively, it cannot clash with any of the business’ standard operating procedures.  For example, if the Response Plan states that whoever discovers the cyberattack must alert the entire organization, but the organization’s policy prevents an employee from emailing the entire company, there is a problem.  By testing the Response Plan, organizations can locate these potential problems before a credible cyberattack occurs.  Another important practice is to suspend the network access of former employees as soon as they are terminated.  This practice guards against the liability of an angry employee seeking revenge via a cyberattack.

6. Ensure Legal Counsel Understands the Legal Response to Cyber Incidents

Cyberattacks create unique legal situations that may be unfamiliar to a business’ legal counsel.  An organization should rely on its legal counsel for assistance in creating its Response Plan.  A legal counsel’s understanding of its client’s Response Plan can save valuable time and resources in the event of a cyberattack.  Legal counsel can instruct a business on its obligations to report breaches to customers, its ability to terminate employees based on cyber incidents, and its privacy concerns associated with network monitoring.  A business should also ensure that its legal counsel understands possible legal action that it can take, both in the short term and the long term, in the event of a cyberattack.  Legal counsel familiar with cyber security laws will be better equipped to immediately assist clients if a cyberattack occurs.

7. Cultivate Relationships with Cyber Incident Information Centers

Access to a network of cyber intrusion news and information can be a valuable resource for a business in order to keep ahead of the latest threats.  Organizations that collect and disseminate cyber security information exist in every market sector and are commonly referred to as ISACs (Information Sharing and Analysis Centers).  A business that is committed to maintaining a strong cyber security network should subscribe to the appropriate ISACs for its market sector.  This will enable the business to prepare for possible threats and share helpful information. Businesses in niche sectors can rely on government-created ISAOs (Information Sharing and Analysis Organizations) for their cyber security information.

8. Establish Connections with the Appropriate Authorities

Businesses should establish a working relationship with local law enforcement and cybercrime units before a cyberattack occurs.  Familiarity between law enforcement and a business will allow for a more accurate and efficient response in the event of a cyberattack.  On the federal level, the Federal Bureau of Investigation and the U.S. Secret Service frequently deal with cyberattacks. Each agency has a department that conducts outreach to private businesses. The departments are the FBI’s Cyber Task Force and the Secret Service’s Electronic Crimes Task Force.  A business should contact these agencies to review its Response Plan and seek support prior to a cyberattack.

PREVENTING A CYBER ATTACK (Part 1)

Cyber-attacks can impact any business regardless of size, sector, or level of cyber security.  The best way to minimize damages from a cyber-attack is to plan ahead and prepare for a possible attack.  Forward thinking can minimize damages and shorten the process of recovery from a cyber-attack.  The following suggestions are important steps that every business should take to prepare for a cyber-attack.

1. Identify the Crucial Assets and Functions

When determining how to secure a business against cyber-attacks it is important to first identify what parts of a business’s operation are most vital to its success.  These components should receive the most attention to ensure that the business is able to function as close to normal as possible during an attack.  For example, if communication with clients is the key component of a business’s operation, its ability to send and receive email would be the most important segment for protection.  Additionally, if a business’s core strength is its ability to store and retrieve data, the security surrounding the business’s data storage system should receive the most attention.  Once the business’s core operations have been identified, attention can be focused accordingly.

2. Create a Response Plan

A business should plan the steps that it will take once a cyber-attack occurs on its system.  By creating a Response Plan before an attack occurs, organizational leaders are able to address all possible responses and discuss different options without the external pressure of an existing cyber security threat.  It should provide clear directions and action items for each individual involved with the plan.  The Response Plan should be discussed and explained to any employee who may be impacted by it.  It is important that the plan be routinely modified and updated as business assets and key personnel change.  Testing the plan by using a fake cyber-attack will allow the deficiencies in the plan to be exposed and corrected before a credible threat occurs.  The Response Plan should include the following items:

  • the responsibilities of each individual involved with the Response Plan;
  • how each individual involved with the Response Plan should be contacted;
  • which business operations should receive the most attention during an attack;
  • the procedures to determine if clients should be notified of the attack;
  • the procedures for notifying law enforcement or cyber security support; and
  • the ways to preserve evidence of the cyber-crime for law enforcement.

3. Install Appropriate Technologies and Services

Businesses should purchase and install the appropriate level of defense systems that fit their needs and support their Response Plan.  These systems may include off-site data backup, data loss prevention systems, devices for traffic filtering, and programs to detect intrusions.  These technologies should be routinely tested as part of the Response Plan.

4. Obtain Authority for Network Monitoring

A business is typically allowed to monitor its own network if it has obtained prior approval from the network users.  This can be accomplished by a “banner” or warning message when users log onto the network stating that it is being monitored.  Consent can also be obtained during employee training programs and disclosures in the organization’s Employee Manual.  Once a business has the authority to monitor its own network, it is more equipped to detect and respond to cyber incidents in real time.

This is part one of a six-part series discussing the best practices to prevent cyber-attacks.