4. CYBER THREATS

Threat Level 1: Garden Variety
• Inexperienced
• Limited funding
• Opportunistic behavior
• Target known vulnerabilities
• Use viruses, worms, rudimentary trojans, bots
• Acting for thrills, bragging rights
• Easily detected

Threat Level 2: Mercenary
• Higher-order skills
• Well financed
• Targeted activity
• Target known vulnerabilities
• Use viruses, worms, trojans, bots as means to introduce more sophisticated tools
• Target and exploit valuable data
• Detectable, but hard to attribute

Threat Level 3: Nation State
• Very sophisticated tradecraft
• Foreign intel agencies
• Very well financed
• Target technology as well as info
• Use wide range of tradecraft
• Establish covert presence on sensitive networks
• Difficult to detect
• Supply interdiction / hardware implants
5. SOURCES OF DATA BREACH

Lost laptop or other device ..... 49%
Third party or outsourcer ....... 16%
Paper records ................... 9%
Malicious insider ............... 9%
Electronic backup ............... 7%
Hacked systems .................. 5%
Malicious code .................. 4%
Undisclosed ..................... 2%
6. Data Breach Fact Pattern

An Atlanta-based restaurant company has chains throughout the East Coast, including Florida. The company learns that a hacker has obtained access to credit card information used by its restaurants in Florida. Assume that only Florida residents have been impacted. The company has also learned that an employee has absconded with the names and Social Security numbers of other employees of the company. This information was contained in the company's paper files, not in electronic form.
8. Florida's new data breach law
• Florida Information Protection Act of 2014
• Effective July 1, 2014
• Applies to covered entities
9. Florida's new data breach law
• How does the law define a breach?
• How does the law define personally identifying information?
• Does Florida's new data breach law apply to businesses operating outside of Florida?
10. Law enforcement?
• What obligations do you have to notify the Florida Attorney General's office?
• What should the notice say?
• How soon must the notice be issued to the Florida AG?
• Handling forensic reports
11. Notifying the public
• When must the public be notified?
• How should the public be notified?
• What should the notification say?
12. Litigation concerns
• Does the statute create a private right of action?
• Could the Florida AG enforce the statute against businesses?
• Who has the right to enforce the statute?
• How could the statute be used by plaintiffs' lawyers?
14. Why do you need internal controls?
• Increased regulatory requirements
• Mandated by user entity (i.e., VMO)
• Increased outsourcing relationships
• Need for insight into internal controls
15. Education
• Webinars / training
• Perform training and awareness
• Communication plans
• Set expectations
18. Benefits
• Demonstrate design and operational effectiveness
• Meet regulatory or contractual mandates
• Bolster trust and confidence
• Demonstrate management's responsibility and accountability
• Promote a stronger control environment
19. Challenges
• Lack of executive / management buy-in
• Lack of accountability to manage the process
• Insufficient documentation or evidence of a control
• Trying to meet multiple compliance efforts
• Cost of compliance