Update: What's happening in the cybersecurity world - Protecting Our Clients - NYPWA

 
12/3/2018

                     Protecting Our Clients
       A guided discussion on privacy, security,
            confidentiality and compliance

   NYPWA January 2019

NYPWA January 2019                                 2

Update:
What’s happening in
the cybersecurity
world

NYPWA January 2019                                 3

                                                              1
12/3/2018

NYPWA January 2019                                                            4

NYPWA January 2019                                                            5

            Internet of Things – IoT
      Connecting any device with a network
   • Cell phones                          • Televisions
   • Amazon Echo/Amazon                   • Heating/cooling systems
     Dot                                    “Nest”
   • Appliances                           • Nanny cams
   • Pacemakers/implanted                 • Kids toys
     medical devices                      • Home security systems
   • Cars                                 • Voice Queuing Systems

NYPWA January 2019                                                            6

          IoT leads to increased vulnerability

“The attackers used (the thermometer) to get a foothold in
the network. They then found the high-roller database and
then pulled that back across the network, out the
thermostat, and up to the cloud.” – April, 2018

https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-
thermometer-in-the-lobby-fish-tank-2018-4

                                                                                         2
12/3/2018

NYPWA January 2019                                                                                    7

                      Cyber Security Breaches
                       Not limited to “hackers”

“When questioned by officials…the boy said he
had acted alone and that he was only trying to see
what he could do with the apps.” – November, 2018
    http://www.govtech.com/security/Student-Behind-Illinois-High-School-Hack.html

NYPWA January 2019                                                                                    8

             Recent Cyber Security Breaches
                     Yahoo – Update

     “Yahoo’s failure to have controls and procedures in
     place to assess its cyber-disclosure obligations ended
     up leaving its investors totally in the dark about a
     massive data breach.” – April, 2018

     https://www.law.com/therecorder/2018/04/24/sec-wallops-yahoo-with-35m-penalty-over-
     breach-disclosures-or-lack-thereof/

NYPWA January 2019                                                                                    9

                  Recent Cyber Security Breaches
                                     Equifax – Update

                          Five key factors contributed:
                                  Ineffective Identification
                                       Poor Detection
                                     No Segmentation,
                                   Poor Data Governance
                                      No Query Limits
                                       - September, 2018
        https://www.bankinfosecurity.com/postmortem-behind-equifax-breach-multiple-failures-a-11480

                                                                                                                 3
12/3/2018

NYPWA January 2019                                     10

  Security Breaches Impact on Government

NYPWA January 2019                                     11

   Legal updates

NYPWA January 2019                                     12

              Recent Legal Cases
     Carpenter v. United States – background
• Supreme Court heard oral arguments on November 29,
  2017
• Cell phone records connecting phone with towers in
  vicinity of crime introduced as evidence
• Defendant convicted and sentenced to 116 years in
  prison
• Question raised: is this protected information? Or does
  the third party doctrine apply?

                                                                   4
12/3/2018

NYPWA January 2019                                                        13

                          Recent Legal Cases
                     Carpenter v. United States – decision
            https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf
•   Government’s acquisition of Carpenter’s cell-site records was a
    Fourth Amendment search
     – Fourth Amendment protects certain expectations of privacy in
         addition to property interests
•   Digital Data – personal location info held by a third party – does not
    fit in existing precedents
     – Expectation of privacy in physical location and movements
     – Expectation of privacy in information voluntarily turned over to
         third parties

NYPWA January 2019                                                        14

                          Recent Legal Cases
           Carpenter v. United States – decision
• Court cited Riley v. California
   – “Cell records hold for many Americans ‘the privacies
     of life’”
• Court adopts rule “must take account of more
  sophisticated systems that are already in use or in
  development” from Kyllo v. United States
• However, court stated this is a narrow ruling, and does
  not address issues not before the Court

NYPWA January 2019                                                        15

                          Recent Legal Cases
         Apps making it to the court (not the food variety)
           Knight First Amendment Institute v. Trump
             US District Court – Southern District of NY
• At issue: President Trump’s Twitter Account in relation to the 1st
  Amendment
   – Whether a public official can “block” a person from his/her
      Twitter account in response to the political views the person has
      expressed
   – Does the analysis differ because the public official is the
      President of the United States
• Court held no in both instances

                                                                                      5
12/3/2018

NYPWA January 2019                                            16

                     Recent Legal Cases
              Cullinane v. Uber Technologies, Inc.
   – Conspicuous informing of Terms and Conditions
      • No click box to accept, instead display a notice of
        deemed acquiescence and link to the terms
      • “If everything on the screen is written with
        conspicuous features, then nothing is conspicuous.”
• Transactions on smartphones and websites increasing,
  evolving law around those transactions

NYPWA January 2019                                            17

                     Recent Legal Cases
                     Applebaum v. Lyft
• Several different types of online consumer contracts
   – Browsewrap, clickwrap, scrollwrap, sign-in-wrap
• “Whether there was notice of the existence of additional
  contract terms presented on a webpage depends heavily
  on whether the design and content of that webpage
  rendered the existence of terms reasonably
  conspicuous.”

NYPWA January 2019                                            18

                     Recent Legal Cases
                State of New Hampshire v. Verrill
•   Murder case, Amazon Echo at crime scene owned by
    the victim
•   Judge signed order for Amazon to provide authorities
    with recordings during time when crime allegedly
    occurred
•   Similarities to Bates case – however, that case was not
    decided by courts because defendant consented to
    release of information
•   Probable cause and privacy rights at issue

                                                                          6
12/3/2018

NYPWA January 2019                                                                      19

   Remember our
   Ethical
   Obligations

NYPWA January 2019                                                                      20

                                   NYS Rule 1.1
          http://www.nycourts.gov/rules/jointappellate/ny-rules-prof-conduct-1200.pdf

 A lawyer should provide competent representation to
 a client. Competent representation requires the legal
    knowledge, skill, thoroughness and preparation
      reasonably necessary for the representation.

NYPWA January 2019                                                                      21

                      NYS Rule 1.1 Clarification
                                   Comment 8
To maintain the requisite knowledge and skill, a lawyer should (i) keep
 abreast of changes in substantive and procedural law relevant to the
     lawyer’s practice, (ii) keep abreast of the benefits and risks
associated with technology the lawyer uses to provide services to
  clients or to store or transmit confidential information, and (iii)
     engage in continuing study and education and comply with all
   applicable and continuing legal education requirements under 22
                N.Y.C.R.R. Part 1500. (emphasis added)
                     https://www.nysba.org/DownloadAsset.aspx?id=50671

                                                                                                    7
12/3/2018

NYPWA January 2019                                                                     22

              ABA Model Rule 1.1 mirrors NY
                     ABA Commission on Ethics 20/20
  In order to provide competent representation in a digital
      age attorneys must understand and properly use
 technology. For example, an attorney should know how to
 properly use email and create an electronic document and
  know the benefits and risks associated with technology.

        ABA Commission on Ethics 20/20 Report 105A (Aug. 2012)
https://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revi
                sed_resolution_105a_as_amended.authcheckdam.pdf

NYPWA January 2019                                                                     23

                Legaltech News Article from October, 2018

• 32 States require technology competence of lawyers

• Some states adding a CLE requirement around technology

• Need to work with professionals to assist in becoming
  competent if not able to understand on own

NYPWA January 2019                                                                     24

                          Tech Competency
Asked to Demonstrate Computer Skills, 0 of 9 law firms
               passed in-house hiring test
• Corporate counsel for Kia Motors gave a computer skills
  test to potential law firm hires
• Audit should have taken one hour, but average pace was
  five hours
• Excel, PDF, Bates numbering, Word were all tested
• Competence can range from using MS Word to complex
  e-discovery software

                                                                                                   8
12/3/2018

NYPWA January 2019                                                                                                    25

Lawyer's e-discovery error led to release of confidential info
        on thousands of Wells Fargo clients - 2017
• Vendor conducting e-discovery, attorney oversaw and checked the
  responsive documents using the vendor’s software
• View only allowed a limited set of documents, not the entire
  response, and documents that were supposed to be redacted were
  not
• Information turned over to opposing counsel included confidential
  information of at least 50,000 of the banks wealthiest clients
   – Social security numbers
   – Financial details, including size of portfolios
http://www.abajournal.com/news/article/lawyers_e_discovery_error_led_to_release_of_confidential_wells_fargo_client/

NYPWA January 2019                                                                                                    26

Guided Discussion:
Securing Public Data

NYPWA January 2019                                                                                                    27

Security, Compliance, and Legal Obligations
• Security: Protecting the confidentiality, integrity, and
  availability of the data

• Compliance: What is required by federal or state laws,
  rules, regulations, or policy

• Legal Obligations: What is required by federal, state or
  local law or regulation

                                                                                                                                  9
12/3/2018

NYPWA January 2019                                                 28

     Three Key Principles in Information Security

                                     Confidentiality

                     Availability                      Integrity

NYPWA January 2019                                                 29

                             Confidentiality
• Limiting access to only authorized users
• Preventing access by unauthorized users
• Preventing impermissible disclosure, whether accessed
  by authorized or unauthorized individuals
• Permitting access only where the specific job
  responsibilities cannot be accomplished without such
  access
• Enforcing a “Need-to-know” basis

NYPWA January 2019                                                 30

                                    Availability

• Focusing on ensuring the availability of information
  resources at all times

• Working to ensure that hardware and software are
  protected so that they will not be compromised by
  viruses or malware, and thus, become unavailable

                                                                              10
12/3/2018

NYPWA January 2019                                                          31

                                Integrity
• Ensuring the information is correct and no unauthorized
  user has altered it
• Avoiding the unauthorized modification, manipulation, or
  destruction of data applications and/or systems
• Protecting the trustworthiness of the information

NYPWA January 2019                                                          32

                          Data Collection
 Multiple pieces of data are provided to government entities on a daily
                   basis and stored within databases

    •   Name                              •   Financial information
    •   DOB                               •   Medical Information
    •   SS#                               •   HIV Status
    •   Address                           •   DV Status
    •   Phone numbers                     •   Child support information

NYPWA January 2019                                                          33

                        Questions to ask
•   Who is in charge of the data privacy, security, and compliance?
•   What are the applicable laws, regulations, rules, policies related to
    the data being created, stored, and shared?
•   What is the risk associated with the data?
•   Who has access to the data, in house and as it is shared out?
•   What technical measures are in place to protect the data?
•   Is there a data security policy?
•   What privacy/security/compliance training is offered to employees?
•   What happens when there is a security incident or a security
    breach?

                                                                                       11
12/3/2018

NYPWA January 2019                                                       34

                     Security and Privacy Team
• Establish and evaluate the team - data security and
  protection is a group effort
• Commissioner, program staff, legal, IT, sometimes HR and
  public relations all should be involved in data security
• Question: Who is currently involved in your data privacy
  team? How can you get more awareness and involvement in
  your data security?

NYPWA January 2019                                                       35

       Relevant Laws, Regulations, Policies
•   Federal and State laws, rules, regulations and policies govern the
    protection of public data
•   Source of the data governs which protections apply
•   In addition to Social Services Law § 136
     – IRS Publication 1075
     – HIPAA
     – Federal Parent Locator Service Agreement
     – Security Breach and Notification Act
•   Question: What compliance obligations attach to your data?

NYPWA January 2019                                                       36

                         Risk Assessment
• Only the data that is necessary to support business
  should be collected
• Data should only be kept as long as necessary pursuant
  to record retention requirements and any other legal
  obligations e.g. litigation holds, business need
• Risk assessment can be completed based on
  information classification
• Question: What is the risk level associated with the data
  you collect and retain?

                                                                                    12
12/3/2018

NYPWA January 2019                                                                                 37

                      Risk Equation
              Risk = Impact X Probability / Cost
• Impact is the effect on the organization should a
  risk event occur
• Probability is the likelihood the event could
  occur within a given timeframe
• Cost is the amount it takes to mitigate or reduce
  the risk to an acceptable level

NYPWA January 2019                                                                                 38

Sample Data                         Directories,
                                  Maps, Lost Phone*,
                                  Lost Laptop*, Job
                                                        Employment data
                                                        Software keys
                                                        Contracts/Budget
                                                        Meeting information
                                                                                  SS #s
                                                                                Health Plan Info
                                                                                Health Care Info
                                                                                Passwords

Classification                    Postings,
                                  Marketing Material,
                                  Press Releases
                                                        Personal data
                                                        ** no ss # **
                                                        Design /planning
                                                        /Project
                                                                                Driver License
                                                                                Financial Info
                                                                                Tax Info
                                                                                Unencrypted

used in a              Examples    Public
                                                        documents

                                                        Private
                                                                                devices

                                                                              Individualized

Risk Assessment

NYPWA January 2019                                                                                 39

                                  Access
 • Only those with a legitimate business need to the data should
   have access to the data, both in house, and after it has been
   shared
    – Physically and technically
 • Consider who may have access with any outside contracts, third
   party vendors, data exchange agreements and use risk
   assessment to determine if business justification allows access
 • NDA’s should be in place for those with access to data
 • Question: Is access to your data restricted to those with legitimate
   business need? Who has access once the data is shared? Are
   the proper NDA’s and consents in place?

                                                                                                              13
12/3/2018

NYPWA January 2019                                               40

                     Technical Measure Review
• Technical measures secure the data
   – Authentication protocols
   – Encryption
   – Password practices
   – Multifactor identification
   – Firewall and Anti-virus
• Technical measures to alert when unauthorized access
  occurs
• Question: What technical measures do you have in
  place to secure the data?

NYPWA January 2019                                               41

                          Security Policy
• Policy should include:
   – Purpose
   – Scope
   – Definitions
   – What the policy is for, what it covers, who it applies to
   – Who enforces the policy
   – Contact for questions
• 18-LCM-10 ** This updated 14-LCM-15 for Social
  Services Districts
• Question: Is there a data security policy? When was it
  last updated?

NYPWA January 2019                                               42

                             Training
• Humans error is often the weakest link in data security
• Employee training informs those who have access to the
  data to keep it protected and highlights common security
  issues
   – Phishing emails
   – Password security
   – Access
• Questions: Does your training include data privacy and
  security? Is the training comprehensive? Have all
  employees taken the training? How regularly?

                                                                            14
12/3/2018

NYPWA January 2019                                               43

       Security Incident and Security Breach
• Policy to dictate what to do when a security incident or
  security breach occurs
   – Should include definitions of what each of these mean
   – Should set out process for reporting
   – Should include contacts if there are any incident or
     breach questions
• 18-LCM-10
• Question: Is there a security incident/security breach
  policy in place? Have all staff been apprised of the
  policy?

NYPWA January 2019                                               44

                          Policy Creation
  As IT becomes more mainstream, additional policies are
                      necessary
• Email Use Policy – Banner Splash Screen
• Mobile Device Policy
• Bring Your Own Device (BYOD) – The Sedona Conference
  Commentary
• Internet Use Policy
• Wireless Policy
• 18-LCM-10 **Updated 14-LCM-15– Use and Protection of
  Confidential, Private, Personal and/or Sensitive Information

NYPWA January 2019                                               45

                     Current use of IT Products
 Current IT solutions used need constant review to ensure
                        compliance

   •   Thumb drives                 • Facebook
   •   Encryption                   • File Storage
   •   Cloud solutions              • End User License
   •   Passwords                      Agreements updates
   •   SharePoint                   • Terms Of Service updates

                                                                            15
12/3/2018

NYPWA January 2019                                                  46

               Vetting Proposed IT Solutions
• Technology is ever-expanding and new IT solutions are
  always available
• Review End User License Agreements (EULA)
• Review Terms of Service (TOS)
• Review against NIST Standards – cybersecurity
  framework 1.1 updated April, 2018
• Review against IRS Safeguards Program Topic Areas

NYPWA January 2019                                                  47

                     Meeting Legal Obligations
 Legal obligations attach to data the same as any other
                       information
• Records Retention
• Auditing
• Litigation Hold
• Chain of Custody
• FOIL
• E-Discovery

NYPWA January 2019                                                  48

                             Contacts
    Carmela Pellegrino, Esq.                 Meghan A. Deltry, Esq.
        Associate Attorney                      Assistant Counsel
      Division of Legal Affairs              Division of Legal Affairs
               OTDA                                   OTDA
           518-473-8266                           518-474-5638
  Carmela.Pellegrino@otda.ny.gov            Meghan.Deltry@otda.ny.gov

                          Scott Rogler, CISSP, GSEC
                                   OTDA ISO
                            Division of Legal Affairs
                                     OTDA
                                 518-474-4964
                           Scott.Rogler@otda.ny.gov

                                                                               16
You can also read
NEXT SLIDES ... Cancel