2016 Cyber Presentation


Transcript of 2016 Cyber Presentation

© 2016 Tressler LLP

Presented by:

Cyber Security: Protecting Your Agency And Patrons

2016 IAPD/IPRA Soaring To New Heights

January 30, 2016

Session #109

Todd M. Rowe, Tressler LLP

Ken Sullivan, Tressler LLP

Kevin Mahoney, Tressler LLP

Mike Benard, Wheaton Park District

Chandler Howell, Nexum Inc.


» The Hypothetical (Part I)

Pre-Breach Considerations

In February 2016, the Hackersville Park District decided to add a pre-teen basketball camp to its summer program. The camp was designed for children between the ages of 9 and 12. In addition to helping kids with their basketball skills, the camp would partner with East Shore Health Systems. While the Park District would not typically request participants’ social security numbers, East Shore Health Systems claimed it needed this information for all participants. The Park District Director asked the Park District IT guy to include a space on the registration form for social security numbers. The Director asked her administrative assistant to gather the social security numbers from the registration forms and forward the information to East Shore Health Systems. Like many of the Park District’s programs, the camp proved to be a huge success, and the Park District created a second camp to serve all the interested kids. The Park District expected nearly 200 participants in the basketball camp. The administrative assistant forwarded all the participants’ information to East Shore Health Systems.


Pre-Breach Considerations: The Lawyers

» Identifying Threats

» Both federal and state law regulate cyber-crime.

» The laws regulate computer fraud, hacking, cyber-squatting, cyber-stalking, reporting requirements, and the disposal of personal information.

» Insurance


Pre-Breach Considerations: The Technology Concerns

» Identifying Threats

» Devices Provided To Employees

» Vendors

» Malware

» Non-Traditional Sources

» Property Damage—The Internet of Things


Pre-Breach Considerations: Park District Concerns

» FOIA Requests

» Employees/Employee Information

» Patron Information

» Medical Information

» Vendors

» Website

» Use of Social Media


Pre-Breach Considerations: Response Plan

» Assess Data Retention Policies

» Classify Data

» Internal Compliance Information

» Information Disposal

» Employee Policies

» Create Uniform Response Plan

» Create Breach Response Team


» Hypothetical (Part II)

Part II: The Breach

In April 2016, the Director of the Hackersville Park District received a phone call from her contact person at East Shore Health Systems informing her that East Shore Health Systems had suffered a major data breach. The contact did not have much information and promised to call back. The Park District Director mentioned the breach to a few people in the office and continued on with her day. Two days later, the Director left a frantic voicemail with her contact person at East Shore Health Systems asking for more information about the breach. The East Shore Health Systems data breach was in the news, and parents of the camp participants were calling for information about their children. The Director’s numerous calls to her contact over the next few days went unreturned.

One week after the Director learned of the breach, the Park District received a letter from East Shore Health Systems indicating that the camp participants’ information may have been included in the breach and that more information would be provided in the future. Uncertain as to what her next steps should be, the Director asked the IT guy to look into the breach. Without knowing where to start, the IT guy investigated how the participants’ information had been handled on the Park District’s end. At this point he noticed that the administrative assistant had emailed the information both to East Shore Health Systems and to a personal email account. The IT guy told the Director that the information had also been sent to an account he did not recognize. The Director asked her administrative assistant who had received the other email. The assistant explained that she had sent the email to her husband’s personal email account so she could work on the list at home. She said it would not be a problem because he does not read his emails anyway. Because the Park District was already caught up in the East Shore Health Systems breach, the Director did not see the email to her administrative assistant’s husband as a problem.


» Hypothetical (Part III)

Part III: Post Breach

By the end of April 2016, the Director had discussed the East Shore Health Systems breach with her contact. No longer avoiding her, the contact assured her that East Shore Health Systems would take responsibility for the breach. Shortly thereafter, parents of the basketball campers received a notice in the mail from East Shore Health Systems stating that their information may have been included in the breach and that East Shore Health Systems would pay for one year of credit monitoring.

Just as the Director was feeling better with the pressure off, she got a call from the Hackersville Police Department: her administrative assistant’s husband had been arrested for identity theft. The Hackersville Police Department had found personal information from the Park District stored on the husband’s home computer. They had not found any evidence that the husband had used the personal information.


Part III: Post Breach

» If a cyber-security breach occurs, implement your park district’s incident response plan.

» Your district’s first priority should be securing the data as quickly as possible, so that as little data as possible is compromised.

» As soon as the data is secure, notify law enforcement of the breach.


Observations for 2016

» Insurance Issues

» Breaches continue through the “Internet of Things”

» Information that must be protected will evolve

“Think of a massive cyberattack as an intelligent hurricane… If it hits a house that doesn’t fall down, it learns why the house didn’t fall and it changes.”