Update: What's happening in the cybersecurity world - Protecting Our Clients - NYPWA
12/3/2018

Protecting Our Clients
A guided discussion on privacy, security, confidentiality and compliance
NYPWA January 2019

Update: What’s happening in the cybersecurity world
Internet of Things – IoT
Connecting any device with a network
• Cell phones
• Televisions
• Amazon Echo/Amazon Dot
• Heating/cooling systems (“Nest”)
• Appliances
• Nanny cams
• Pacemakers/implanted medical devices
• Kids’ toys
• Home security systems
• Cars
• Voice Queuing Systems

IoT leads to increased vulnerability
“The attackers used (the thermometer) to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.” – April, 2018
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
Cyber Security Breaches
Not limited to “hackers”
“When questioned by officials…the boy said he had acted alone and that he was only trying to see what he could do with the apps.” – November, 2018
http://www.govtech.com/security/Student-Behind-Illinois-High-School-Hack.html

Recent Cyber Security Breaches
Yahoo – Update
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.” – April, 2018
https://www.law.com/therecorder/2018/04/24/sec-wallops-yahoo-with-35m-penalty-over-breach-disclosures-or-lack-thereof/

Recent Cyber Security Breaches
Equifax – Update
Five key factors contributed:
• Ineffective Identification
• Poor Detection
• No Segmentation
• Poor Data Governance
• No Query Limits
– September, 2018
https://www.bankinfosecurity.com/postmortem-behind-equifax-breach-multiple-failures-a-11480
Security Breaches Impact on Government

Legal updates

Recent Legal Cases
Carpenter v. United States – background
• Supreme Court heard oral arguments on November 29, 2017
• Cell phone records connecting phone with towers in vicinity of crime introduced as evidence
• Defendant convicted and sentenced to 116 years in prison
• Question raised: is this protected information? Or does the third party doctrine apply?
Recent Legal Cases
Carpenter v. United States – decision
https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf
• Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search
  – Fourth Amendment protects certain expectations of privacy in addition to property interests
• Digital Data – personal location info held by a third party – does not fit in existing precedents
  – Expectation of privacy in physical location and movements
  – Expectation of privacy in information voluntarily turned over to third parties

Recent Legal Cases
Carpenter v. United States – decision
• Court cited Riley v. California – “Cell records hold for many Americans ‘the privacies of life’”
• Court adopts rule “must take account of more sophisticated systems that are already in use or in development” from Kyllo v. United States
• However, court stated this is a narrow ruling, and does not address issues not before the Court

Recent Legal Cases
Apps making it to the court (not the food variety)
Knight First Amendment Institute v. Trump
US District Court – Southern District of NY
• At issue: President Trump’s Twitter Account in relation to the 1st Amendment
  – Whether a public official can “block” a person from his/her Twitter account in response to the political views the person has expressed
  – Does the analysis differ because the public official is the President of the United States
• Court held no in both instances
Recent Legal Cases
Cullinane v. Uber Technologies, Inc. – Conspicuous informing of Terms and Conditions
• No click box to accept, instead display a notice of deemed acquiescence and link to the terms
• “If everything on the screen is written with conspicuous features, then nothing is conspicuous.”
• Transactions on smartphones and websites increasing, evolving law around those transactions

Recent Legal Cases
Applebaum v. Lyft
• Several different types of online consumer contracts
  – Browsewrap, clickwrap, scrollwrap, sign-in-wrap
• “Whether there was notice of the existence of additional contract terms presented on a webpage depends heavily on whether the design and content of that webpage rendered the existence of terms reasonably conspicuous.”

Recent Legal Cases
State of New Hampshire v. Verrill
• Murder case, Amazon Echo at crime scene owned by the victim
• Judge signed order for Amazon to provide authorities with recordings during time when crime allegedly occurred
• Similarities to Bates case – however, that case was not decided by courts because defendant consented to release of information
• Probable cause and privacy rights at issue
Remember our Ethical Obligations

NYS Rule 1.1
http://www.nycourts.gov/rules/jointappellate/ny-rules-prof-conduct-1200.pdf
A lawyer should provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

NYS Rule 1.1 Clarification
Comment 8
To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer’s practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable and continuing legal education requirements under 22 N.Y.C.R.R. Part 1500. (emphasis added)
https://www.nysba.org/DownloadAsset.aspx?id=50671
ABA Model Rule 1.1 mirrors NY
ABA Commission on Ethics 20/20
In order to provide competent representation in a digital age attorneys must understand and properly use technology. For example, an attorney should know how to properly use email and create an electronic document and know the benefits and risks associated with technology.
ABA Commission on Ethics 20/20 Report 105A (Aug. 2012)
https://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_105a_as_amended.authcheckdam.pdf

Legaltech News Article from October, 2018
• 32 States require technology competence of lawyers
• Some states adding a CLE requirement around technology
• Need to work with professionals to assist in becoming competent if not able to understand on own

Tech Competency
Asked to Demonstrate Computer Skills, 0 of 9 law firms passed in-house hiring test
• Corporate counsel for Kia Motors gave a computer skills test to potential law firm hires
• Audit should have taken one hour, but average pace was five hours
• Excel, PDF, Bates numbering, Word were all tested
• Competence can range from using MS Word to complex e-discovery software
Lawyer’s e-discovery error led to release of confidential info on thousands of Wells Fargo clients – 2017
• Vendor conducting e-discovery, attorney oversaw and checked the responsive documents using the vendor’s software
• View only allowed a limited set of documents, not the entire response, and documents that were supposed to be redacted were not
• Information turned over to opposing counsel included confidential information of at least 50,000 of the bank’s wealthiest clients
  – Social security numbers
  – Financial details, including size of portfolios
http://www.abajournal.com/news/article/lawyers_e_discovery_error_led_to_release_of_confidential_wells_fargo_client/

Guided Discussion: Securing Public Data

Security, Compliance, and Legal Obligations
• Security: Protecting the confidentiality, integrity, and availability of the data
• Compliance: What is required by federal or state laws, rules, regulations, or policy
• Legal Obligations: What is required by federal, state or local law or regulation
Three Key Principles in Information Security
• Confidentiality
• Availability
• Integrity

Confidentiality
• Limiting access to only authorized users
• Preventing access by unauthorized users
• Preventing impermissible disclosure, whether accessed by authorized or unauthorized individuals
• Permitting access only where the specific job responsibilities cannot be accomplished without such access
• Enforcing a “Need-to-know” basis

Availability
• Focusing on ensuring the availability of information resources at all times
• Working to ensure that hardware and software are protected so that they will not be compromised by viruses or malware, and thus, become unavailable
Integrity
• Ensuring the information is correct and no unauthorized user has altered it
• Avoiding the unauthorized modification, manipulation, or destruction of data, applications and/or systems
• Protecting the trustworthiness of the information

Data Collection
Multiple pieces of data are provided to government entities on a daily basis and stored within databases
• Name
• DOB
• SS#
• Address
• Phone numbers
• Financial information
• Medical Information
• HIV Status
• DV Status
• Child support information

Questions to ask
• Who is in charge of the data privacy, security, and compliance?
• What are the applicable laws, regulations, rules, policies related to the data being created, stored, and shared?
• What is the risk associated with the data?
• Who has access to the data, in house and as it is shared out?
• What technical measures are in place to protect the data?
• Is there a data security policy?
• What privacy/security/compliance training is offered to employees?
• What happens when there is a security incident or a security breach?
Security and Privacy Team
• Establish and evaluate the team – data security and protection is a group effort
• Commissioner, program staff, legal, IT, sometimes HR and public relations all should be involved in data security
• Question: Who is currently involved in your data privacy team? How can you get more awareness and involvement in your data security?

Relevant Laws, Regulations, Policies
• Federal and State laws, rules, regulations and policies govern the protection of public data
• Source of the data governs which protections apply
• In addition to Social Services Law § 136
  – IRS Publication 1075
  – HIPAA
  – Federal Parent Locator Service Agreement
  – Security Breach and Notification Act
• Question: What compliance obligations attach to your data?

Risk Assessment
• Only the data that is necessary to support business should be collected
• Data should only be kept as long as necessary pursuant to record retention requirements and any other legal obligations, e.g. litigation holds, business need
• Risk assessment can be completed based on information classification
• Question: What is the risk level associated with the data you collect and retain?
Risk Equation
Risk = Impact × Probability / Cost
• Impact is the effect on the organization should a risk event occur
• Probability is the likelihood the event could occur within a given timeframe
• Cost is the amount it takes to mitigate or reduce the risk to an acceptable level

Sample Data Classification
Classification | Examples
Public | Directories, Maps, Job Postings, Marketing Material, Press Releases, Design/planning/Project documents
Private | Employment data, Software keys, Contracts/Budget, Meeting information, Personal data ** no ss # **
Individualized Risk Assessment | Lost Phone*, Lost Laptop*, SS #s, Health Plan Info, Health Care Info, Passwords, Driver License, Financial Info, Tax Info
* Unencrypted devices used in a …

Access
• Only those with a legitimate business need to the data should have access to the data, both in house, and after it has been shared
  – Physically and technically
• Consider who may have access with any outside contracts, third party vendors, data exchange agreements and use risk assessment to determine if business justification allows access
• NDA’s should be in place for those with access to data
• Question: Is access to your data restricted to those with legitimate business need? Who has access once the data is shared? Are the proper NDA’s and consents in place?
Technical Measure Review
• Technical measures secure the data
  – Authentication protocols
  – Encryption
  – Password practices
  – Multifactor identification
  – Firewall and Anti-virus
• Technical measures to alert when unauthorized access occurs
• Question: What technical measures do you have in place to secure the data?

Security Policy
• Policy should include:
  – Purpose
  – Scope
  – Definitions
  – What the policy is for, what it covers, who it applies to
  – Who enforces the policy
  – Contact for questions
• 18-LCM-10 ** This updated 14-LCM-15 for Social Services Districts
• Question: Is there a data security policy? When was it last updated?

Training
• Human error is often the weakest link in data security
• Employee training informs those who have access to the data to keep it protected and highlights common security issues
  – Phishing emails
  – Password security
  – Access
• Questions: Does your training include data privacy and security? Is the training comprehensive? Have all employees taken the training? How regularly?
Security Incident and Security Breach
• Policy to dictate what to do when a security incident or security breach occurs
  – Should include definitions of what each of these mean
  – Should set out process for reporting
  – Should include contacts if there are any incident or breach questions
• 18-LCM-10
• Question: Is there a security incident/security breach policy in place? Have all staff been apprised of the policy?

Policy Creation
As IT becomes more mainstream, additional policies are necessary
• Email Use Policy
  – Banner Splash Screen
• Mobile Device Policy
• Bring Your Own Device (BYOD)
  – The Sedona Conference Commentary
• Internet Use Policy
• Wireless Policy
• 18-LCM-10 **Updated 14-LCM-15 – Use and Protection of Confidential, Private, Personal and/or Sensitive Information

Current use of IT Products
Current IT solutions used need constant review to ensure compliance
• Thumb drives
• Encryption
• Cloud solutions
• Passwords
• SharePoint
• Facebook
• File Storage
• End User License Agreements updates
• Terms Of Service updates
Vetting Proposed IT Solutions
• Technology is ever-expanding and new IT solutions are always available
• Review End User License Agreements (EULA)
• Review Terms of Service (TOS)
• Review against NIST Standards – cybersecurity framework 1.1 updated April, 2018
• Review against IRS Safeguards Program Topic Areas

Meeting Legal Obligations
Legal obligations attach to data the same as any other information
• Records Retention
• Auditing
• Litigation Hold
• Chain of Custody
• FOIL
• E-Discovery

Contacts
Carmela Pellegrino, Esq.
Associate Attorney
Division of Legal Affairs
OTDA
518-473-8266
Carmela.Pellegrino@otda.ny.gov

Meghan A. Deltry, Esq.
Assistant Counsel
Division of Legal Affairs
OTDA
518-474-5638
Meghan.Deltry@otda.ny.gov

Scott Rogler, CISSP, GSEC
OTDA ISO
Division of Legal Affairs
OTDA
518-474-4964
Scott.Rogler@otda.ny.gov