In today’s fast-evolving cybersecurity landscape, maintaining up-to-date and effective protection against data breaches is a tough challenge for companies all over the world. Attackers are no longer particular about the size of their target and may strike at any moment. Effective detection and prevention of a data breach, or of any other illegal release of data and information from a company’s systems, requires a robust security system and close monitoring by top-level management.
In a two-hour LIVE Webcast, a panel of thought leaders and professionals assembled by The Knowledge Group will offer the audience an in-depth discussion of the fundamental aspects of a data breach. The panel will also provide best practices for avoiding common risks and pitfalls in a data breach.
Key topics include:
• The Anatomy of a Breach
• Risks and Legal Challenges in Data Breach
• Data Exfiltration Methods
• Identifying, Detecting and Preventing Data Breach
• Recent Trends and Developments
To view the webcast go to this link: https://youtu.be/d-QbhiToGLs
To learn more about the webcast please visit our website: http://theknowledgegroup.org
Decoding the Data Breach Framework: How to Prevent Exfiltration LIVE Webcast
1. Speaker Firms and Organization:
Williams Venker & Sanders LLC
Lucy T. Unger
Partner
Presented By:
April 08, 2016
Partner Firms: Lindquist & Vennum LLP
K. Jon Breyer
Partner
7. Partner Firms:
Lindquist & Vennum’s 170 attorneys in Minnesota, Colorado, and South
Dakota provide a full array of corporate finance, transactional, and litigation
services. The firm has established and emerging practices in many industry
and specialty areas, including private equity, data security, financial
institutions, real estate, healthcare and life sciences, renewable energy, and
bankruptcy. For nearly five decades, the firm has served corporate,
governmental, and individual clients across the nation and around the world.
For more information, visit www.lindquist.com.
Williams Venker & Sanders, LLC (“WVS”) is a boutique trial firm in St. Louis,
Missouri that specializes in complex litigation. WVS prides itself on preparing
matters to the client’s best advantage so that the client can have the latitude
to decide whether to take the case to trial or dispose of it some other
way. Its lawyers offer clients the expertise, skill and wisdom sometimes
associated with only larger law firms, but with the immediate availability and
cost-effectiveness of a small firm, striving to provide each client with a
focused, comprehensive strategy that provides an early, clear analysis of
options so that the client can make informed decisions as quickly as
possible.
8. Brief Speaker Bios:
K. Jon Breyer
As a seasoned trial lawyer and MSBA Certified Civil Trial Law Specialist, Jon Breyer represents companies in complex transaction-
related disputes arising from all varieties of business agreements. Jon is also head of Lindquist & Vennum’s Privacy and Data Security
Litigation practice group and counsels clients on data security and privacy laws, including representing businesses and individuals
who have fallen victim to data security breaches and those targeted by litigation and government investigations stemming from several
highly publicized data security cases.
Lucy T. Unger
Lucy Unger is a partner in the St. Louis-based boutique law firm of Williams Venker & Sanders. Last year she was named one of
Missouri’s three top Woman Litigators by her peers. She spends 100% of her time representing clients in the healthcare,
manufacturing, financial, government, and insurance industries with a variety of litigation matters. She tends to represent her clients
after they have been sued and are defending claims made against them, but she also takes cases on behalf of corporate plaintiffs for
commercial claims. For the past 20 years, she has regularly appeared before State and Federal Courts at both the trial court and
appellate court level throughout Missouri and Illinois.
► For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1463
10. Featured Speakers:
SEGMENT 1:
K. Jon Breyer
Partner
Lindquist & Vennum LLP
SEGMENT 2:
Lucy T. Unger
Partner
Williams Venker & Sanders LLC
11. Introduction
As a seasoned trial lawyer and MSBA Certified Civil Trial Law Specialist, Jon Breyer represents
companies in complex transaction-related disputes arising from all varieties of business agreements. Jon
is also head of Lindquist & Vennum’s Privacy and Data Security Litigation practice group and counsels
clients on data security and privacy laws, including representing businesses and individuals who have
fallen victim to data security breaches and those targeted by litigation and government investigations
stemming from several highly publicized data security cases.
12. The Anatomy of a Data Breach
13. Presentation Objectives
• Examine the three most common sources of data breaches:
1. Well-meaning insiders
2. Targeted attacks from outside the organization
3. Malicious insiders
• Illustrate the ways in which each source gains access to the network, finds and then exposes
sensitive information.
• Recommendations on what organizations can do to stop data breaches.
14. Types of Attackers
Well-meaning Insider
• Lost laptop or thumb drive
• Emailing sensitive data to personal accounts
• Wrong email address
Malicious Insider
• White Collar Crime
• Terminated employees
• Career building with company data
• Industrial espionage
Malicious Outsider
• Malvertising
• Targeted Malware
• SQL Injection
• Phishing
15. 2015 in Review
• IBM® X-Force® tracked 272 security incidents for 2015, on
par with the 279 incidents tracked in 2014.
• In terms of total disclosed records, 2014 was notable for more
than one billion records being leaked, while 2015 was down to
a still-staggering 600 million records.
• In 2015 we saw a rise in the exfiltration of point-of-sale (POS)
credit card data using specialized malware.
• February saw the first of five 2015 healthcare mega-breach
disclosures, which together exposed nearly 100 million records
of patient data.
• Breaches at adult websites including Adult Friend Finder and
Ashley Madison exposed people’s sexual preferences and
infidelities to the general public.
16. Most Commonly Attacked Industries
[Bar chart; bar values not preserved. Industries shown: Computer services, Retail, Healthcare, Media/Entertainment, Financial, Travel/Transport, Government, Education, Telecom, Non-Profit, Professional Services, Energy/Utilities, Industrial Products]
Source: IBM X-Force Threat Intelligence Report 2016
17. Cost by Industry
[Bar chart with a dollar axis; bar values not preserved. Industries shown: Transportation, Research, Media, Technology, Hospitality, Energy, Consumer, Services, Industrial, Retail, Communications, Financial, Pharmaceuticals, Education, Health]
Source: IBM X-Force Threat Intelligence Report 2016
18. Anthem Security Breach
• Stolen personal data from health insurer Anthem was
very lucrative
• Typically, stolen payment cards sell on black market for $1
• Health insurance credentials sell for $20
• Complete identity-theft kit containing comprehensive
health insurance credentials sell for $1,000 each
• Attackers use identity information (birth dates, Social
Security numbers, addresses, employment
information, income, etc.) to open new credit
accounts on an ongoing basis, rather than exploiting
just one account until it is canceled
• Key pieces of stolen data can be used to access
financial records
• In 2014 healthcare providers and payers reported a
60% increase in detected incidents, resulting in
financial losses that increased 282% over 2013
19. Rising Costs
• The cost of a data breach increased from a total average
cost of $1.33 million last year to $1.57 million in 2015.
• Includes abnormal turnover of customers,
increased customer acquisition activities,
reputation losses and diminished goodwill.
• The average data breach costs associated with detection
and escalation also increased from $760,000 last year to
$990,000.
• Typically includes forensic and investigative
activities, assessment and audit services, crisis
team management and communications to
executive management and board of directors.
Source: Ponemon Institute's "2015 Cost of Data Breach Study"
20. Types of Attack
• Malvertising. Malicious ads can be designed to appear legitimate, but
redirect visitors to infected or malicious servers that expose users to
exploit kits such as the ever-popular off-the-shelf Nuclear or Angler
• Targeted malware. Hackers use spam, email and instant message
communications often disguised as known entities to direct users to
websites that are compromised with malware
• SQL injection. By analyzing the URL syntax of targeted websites,
hackers are able to embed instructions to upload spyware that gives
them remote access to the target servers. The specially crafted user
data tricks the application into executing unintended commands or
changing data.
• Phishing. The first “phishing” campaigns typically involved an e-mail
that appeared to be coming from a bank convincing users they needed
to change their passwords or provide some piece of information, like,
NOW.
• Spear phishing is targeted. The attackers did their research, usually
through social engineering. They might already know your name or
your hometown, your bank, or your place of employment—information
easily accessed via social media profiles and postings
21. Most Common Types of Attack
• Phishing: 3%
• SQLi: 4%
• Malvertising: 5%
• DDoS: 15%
• Misconfig.: 8%
• Malware: 18%
• Undisclosed: 43%
• Physical Access: 2%
• Watering Hole: 1%
• Brute Force: 1%
Source: IBM X-Force Threat Intelligence Report 2016
23. (Untitled slide: sample phishing e-mail)
From: USAA <fevima@infonegocio.com>
Date: March 18, 2016 at 6:41:26 PM CDT
Subject: Action Needed: Update Account Alert
Confirm Your USAA Account
Dear USAA Customer,
We're currently upgrading our systems to bring enhanced features to
your USAA Account experience. As a result, your account is temporarily unavailable.
Please click ENROLL and upgrade your USAA Account to our new system.
Note: FAIL TO UPGRADE YOUR ACCOUNT, IT WILL BE AUTOMATICALLY
CLOSED.
After this step, you are permitted to access your usaa.com.
Thank you,
USAA
USAA, 9800 Fredericksburg Road, San Antonio, Texas 78288
USAA means United Services Automobile Association and its insurance, banking and investment affiliates.
105026-1109
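The traits visible in the sample message above (a brand display name on an unrelated sender domain, pressure language, a generic greeting) can be checked mechanically. The following is an added example, not part of the webcast material; the `BRAND_DOMAINS` table, the rule names and the benign control message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand -> domains it legitimately sends from. Only usaa.com
# appears on the slide; a real deployment maintains this list itself.
BRAND_DOMAINS = {"usaa": {"usaa.com"}}

# Pressure phrases taken from the slide's message (matched case-insensitively).
URGENCY_PATTERNS = [
    r"action needed",
    r"temporarily unavailable",
    r"automatically\s+closed",
    r"fail(?:ure)? to \w+",
]
GENERIC_GREETING = re.compile(
    r"^dear\s+\w*\s*(customer|user|member)\b", re.I | re.M
)

# Text of the slide's message, reproduced with extraction spacing repaired.
SAMPLE = """\
From: USAA <fevima@infonegocio.com>
Date: March 18, 2016 at 6:41:26 PM CDT
Subject: Action Needed: Update Account Alert

Confirm Your USAA Account
Dear USAA Customer,
We're currently upgrading our systems to bring enhanced features to
your USAA Account experience. As a result, your account is temporarily unavailable.
Please click ENROLL and upgrade your USAA Account to our new system.
Note: FAIL TO UPGRADE YOUR ACCOUNT, IT WILL BE AUTOMATICALLY
CLOSED.
After this step, you are permitted to access your usaa.com.
"""

# Constructed control message (not from the slides) that should raise nothing.
BENIGN = """\
From: USAA <notices@usaa.com>
Subject: Your statement is ready

Hello Pat,
Your monthly statement is available.
"""


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw):
    """Return a list of (rule, detail) findings for one raw message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []

    # Rule 1: display name claims a brand, address is on another domain.
    for brand, domains in BRAND_DOMAINS.items():
        claims_brand = re.search(rf"\b{re.escape(brand)}\b", display, re.I)
        if claims_brand and not domain_matches(domain, domains):
            findings.append(("brand_domain_mismatch",
                             f"display name {display!r}, sender domain {domain!r}"))

    # Rule 2: pressure or threat wording in the subject or body.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.I)]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))

    # Rule 3: impersonal salutation instead of the account holder's name.
    if GENERIC_GREETING.search(body):
        findings.append(("generic_greeting", "salutation is not personalised"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE):
        print(f"{rule}: {detail}")
```
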
26. SMiShing
• Phishing lures sent via SMS text message and
voice phishing (vishing).
• “Thank you for calling Bank of America. A
text message has been sent to inform you
that your debit card has been limited due to a
security issue. To reactivate, please press 1
now.”
• Caller then prompted to enter last four digits of
Social Security number, and then full card number
and expiration date.
27. Four Phases of Targeted Attacks
1. Incursion. The cyber criminal, or threat actor, gains entry
through an email, network, file, or application vulnerability and
inserts malware into an organization's network. The network is
considered compromised, but not breached.
2. Discovery. The hacker maps out the organization's systems
and automatically scans for confidential data, network access
and vulnerabilities.
3. Capture. Exposed data stored by well-meaning insiders on
unprotected systems is immediately accessed. In addition,
components called root kits are surreptitiously installed on
targeted systems and network access points to capture
confidential data as it flows through the organization.
4. Exfiltration. Perpetrator collects data on a staging server, then
exfiltrates the data off the network. At this point, the network is
considered breached. Evidence of the cyber attack is removed,
but the network remains compromised. The cyber criminal can
return at any time to continue the data breach.
28. [Slide image not preserved]
Provided by IBM Security Intelligence
29. Small Business is Not Immune
• Easy and profitable.
• Good practice targets for cyber attackers.
• Small businesses lack the funds and personnel of
large businesses, so cyber-thieves know they don’t
have to work too hard to break into a small
network.
• Attackers often hone their techniques on small companies
until they get their malware and attack vectors down just
right.
• Attackers will often practice taking down a small business
organization’s website using a Distributed Denial of
Service (DDoS) attack. When they have perfected the
craft, they use it on larger businesses and banks.
• Ideal ransom targets.
30. Detection Response Time
In its annual cyber-threat report, Mandiant, an
incident response service, said the average time
a company takes to detect a data breach fell to
205 days in 2014, down from an estimated 229 in
2013 and 243 in 2012.
But as cyberattacks increase in complexity and
sophistication, companies don’t always have the
in-house resources to detect them. As a result,
only 31% of organizations discovered they were
breached through their own resources in 2014,
compared with 33% in 2013 and 37% in 2012.
31. Predictions for 2016
• The EMV Chip and PIN liability shift will not stop
payment breaches.
• Big healthcare hacks will make the headlines but
small breaches will cause the most damage.
• Growth of corporate extortion.
• Cyber conflicts between countries will leave
consumers and businesses as collateral damage.
• 2016 U.S. presidential candidates and campaigns
will be attractive hacking targets.
• Hacktivism will make a comeback.
32. Create a Preparedness Plan
• Identify persons within your organization who are/will be
responsible for data management.
• Assemble a response team, both internal and external
• Identify compliance requirements according to
applicable laws.
• Identify the types of data your organization
collects/processes/develops.
• Review vendor contracts.
• Create a risk assessment plan and mitigation plan.
• Develop policies and educate all staff.
• Have a reporting mechanism that is well publicized and
encouraged.
• Procure insurance to cover data breaches (cyber policy).
33. Introduction
Lucy Unger is a partner in the St. Louis-based boutique law firm of Williams Venker & Sanders. Last year
she was named one of Missouri’s three top Woman Litigators by her peers. She spends 100% of her time
representing clients in the healthcare, manufacturing, financial, government, and insurance industries with
a variety of litigation matters. She tends to represent her clients after they have been sued and are
defending claims made against them, but she also takes cases on behalf of corporate plaintiffs for
commercial claims. For the past 20 years, she has regularly appeared before State and Federal Courts at
both the trial court and appellate court level throughout Missouri and Illinois.
34. Disclaimers
All materials have been prepared for general information purposes only. The information presented is not legal advice, is not to be acted on as such,
may not be current and is subject to change without notice.
Communication of information through this webinar and your receipt or use of it (1) is not provided in the course of and does not create or constitute an
attorney-client relationship, (2) is not intended as a solicitation, (3) is not intended to convey or constitute legal advice, and (4) is not a substitute for
obtaining legal advice from a qualified attorney. You should not act upon any such information without first seeking qualified professional counsel on
your specific matter. The hiring of an attorney is an important decision that should not be based solely upon webinar communications or
advertisements.
You also should not rely upon the transmission of an e-mail message to an attorney through this webinar to create an attorney-client relationship. The
transmission of information will not do so. Without an attorney-client relationship, we cannot assure you that your communications will be privileged or
(unless we otherwise agree in a specific case) that we will treat them as such.
The content in this webinar is not intended as advertising or solicitation in any jurisdiction where it would fail to comply with all applicable laws and
ethical rules of that jurisdiction. Lucy Unger and Williams Venker & Sanders LLC do not seek to represent anyone based solely upon a visit to this
webinar or upon advertising, or where to do so would not comply with applicable local laws and rules.
The information presented in this webinar is provided "as is" without representation or warranty of any kind -- as to suitability, reliability, applicability,
merchantability, fitness, noninfringement, result, outcome or any other matter. We do not represent or warrant that such information is or will be always
up-to-date, complete, or accurate. Any representation or warranty that might be otherwise implied is expressly disclaimed.
You agree that we are not liable to you or others, in any way or for any damages of any kind or under any theory, arising from this site, or your access to
or use of or reliance on the information in or through this webinar, including but not limited to liability or damages under contract or tort theories.
35. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACHES
• A data breach plaintiff is no different from any other plaintiff when it comes to establishing standing.
• In order for a plaintiff in any case to establish Article III standing to sue, the “injury” must be:
• “concrete, particularized, and actual or imminent. Although imminence is concededly a somewhat
elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is
not too speculative for Article III purposes—that the injury is certainly impending. Thus we have
repeatedly reiterated that the injury must be certainly impending in fact, and that the allegations of
possible future injury are not sufficient.” Clapper v. Amnesty International USA, 133 S.Ct. 1139
(2013), cited in Green v eBay Inc., 2015 WL 2066531 at *3 (E.D.La. May 4th, 2015).
36. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACHES
--A mere threat of future injury is not enough
--Plaintiff must allege that the “threatened injury is certainly impending”
--Even if you have proof of an actual injury, you still have to prove that the data breach caused the use
of your PPI
37. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACHES
In the past 2 years, lower Courts have begun to find standing when:
1. Breached data is then posted on the Internet without the owner’s authorization
38. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACHES
Corona, et al. v. Sony Pictures Entertainment, Inc., 2015 U.S. Dist. LEXIS 85865, *1-2 (C.D.Ca. June 6,
2015);
--salaries, scripts, & internal Sony e-mails
--threats of physical violence against movie theaters over showing “The Interview”
--Sony’s Co-Chair (Amy Pascal) forced to resign
Remijas v. Neiman Marcus Group, LLC, 2015 WL 4394814, *1 (7th Cir. 2015).
39. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACHES
2. The plaintiff has paid extra for promised security that was never provided
In re LinkedIn User Privacy Litigation, #5:12-CV-03088 (N. D. Cal. 3/28/14)
40. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACH
3. The likelihood of future harm is “literally certain”
In re Adobe Systems Inc. Privacy Litigation, No. 13-cv-05226, 2014 US Dist. LEXIS 124126 (N. D. Cal
9/4/14)
Moyer v. Michaels Stores, 2014 WL 3511500 (N.D. Ill. July 14, 2014)
41. RECENT DEVELOPMENTS IN STANDING TO SUE MERCHANTS FOR DATA
BREACHES
When the target of a data breach is an entity as opposed to individual
consumers, does that make Courts more willing to find an injury in fact?
Watch for decision in Spokeo Inc. v. Robins Inc. (currently pending argument before Supreme Court)
ISSUE: Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete
harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by
authorizing a private right of action based on a bare violation of a federal statute.
42. EMERGING ROADMAPS AND BEST PRACTICES
• Prevention
• Detection
• Reporting
43. EMERGING ROADMAPS AND BEST PRACTICES
The FTC is the governmental body that oversees businesses’ responses to data breaches.
FTC has publications for businesses seeking to improve or maintain good cyber security practices
Its most recent 10-step process is a good starting point
On-line tutorials
Blog posts
News Releases
44. EMERGING ROADMAPS AND BEST PRACTICES
1. Start with security – i.e., “Go lean and mean” in data collection, retention & use
2. Control access to data
3. Require secure passwords & authentication
4. Store sensitive personal information securely & protect it during transmission
5. Segment the network and monitor who’s trying to get in/out
45. EMERGING ROADMAPS AND BEST PRACTICES
6. Secure remote access
7. Apply sound security practices when developing new products
8. Make sure service providers implement reasonable security measures
9. Put procedures in place to keep security practices current
10. Secure paper, physical media, and devices
AND HAVE A WRITTEN PLAN FOR HOW YOU WILL HANDLE A DATA BREACH!
46. Legal and Ethical Obligations of Lawyers/Law Firms
Perfect protection of client data is not possible,
practical, or required
47. Legal and Ethical Obligations of Lawyers/Law Firms
Model Rules 1.1 and 1.6
Rule 1.1 – requires a lawyer to provide competent representation to a client. This “requires the legal knowledge, skill, thoroughness,
and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology. In August 2012, the
ABA House of Delegates added a comment to Rule 1.1 that imposes an additional professional competency responsibility to keep “abreast of
changes in the benefits and risks associated with relevant technology” as those changes relate to the law and legal practice. If the lawyer doesn’t
have such expertise himself/herself, then they need to consult with or hire someone that does.
Rule 1.6 – prohibits lawyers from revealing information related to the representation of a client without that client’s informed consent.
Lawyers must act competently to safeguard confidentiality. Most States have Comments requiring attorneys to take “reasonable precautions” to
prevent unauthorized access. The Comments provide that attorneys generally do not need to take “special security measures if the communication
affords a reasonable expectation of privacy,” but note that special circumstances may warrant special precautions. Relevant factors include the
sensitivity of the information and the extent to which the privacy of the communication is protected by law or agreement.
48. Legal and Ethical Obligations of Lawyers/Law Firms
To the extent a legal service provider stores client data in the Cloud, the ABA maintains an online chart
listing opinions about the type of contractual terms required between a lawyer and the Cloud service
provider.
http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html
49. Legal and Ethical Obligations of Lawyers/Law Firms
--Legal service providers must take reasonable and appropriate measures to protect client data,
considering:
--specific client’s requirements;
--promises made to the client, or safeguards the client was led to believe would be in place;
--the nature, or sensitivity, of the data;
--the risk of unauthorized access;
--specific rules that attach to the data (HIPAA, etc.); and
--the costs associated with protecting the data
50. Legal and Ethical Obligations of Lawyers/Law Firms
The GOALS of storing client data are:
--privacy/confidentiality
--accessibility only for those that need it (to avoid unauthorized changes); and
--ready accessibility at all times
--cost efficiency
Cost-shifting when clients demand data security beyond what the lawyer provides generally
51. Legal and Ethical Obligations of Lawyers/Law Firms
Model Rules 5.1 & 5.3
Rule 5.1 and Rule 5.3 incorporate the duty to supervise the work of subordinate attorneys and
non-attorneys, agents and third parties that work with confidential client information, including those
outside the law firm. Lawyers must make “reasonable efforts” to ensure that all are working
compatibly with the professional obligations of the lawyer.
52. Legal and Ethical Obligations of Lawyers/Law Firms
Comment 3 to Rule 5.3 expressly refers to a lawyer’s use of outside technology services and cautions
that the degree of due diligence required to vet and supervise those contractors depends “upon the
circumstances, including the education, experience, and reputation of the non-lawyer, the nature of
the services involved, the terms of any arrangements concerning the protection of client information,
and the legal and ethical environments of the jurisdictions in which the services are performed,
particularly with regard to confidentiality.”
53. Best Practices For Lawyers/Law Firms
Periodic risk assessments by an outside assessor (at least annually)
--this includes an assessment of
--what new data is being stored since the last assessment?
--what is the potential harm that would result from unauthorized disclosure, breach, loss or
theft of particular data?
--have there been world events or industry-specific developments that necessitate greater protections for
certain data?
i.e., what are the specific threats and vulnerabilities that could result in unauthorized disclosure?
e.g., Personal Device Policies & Practices
54. Best Practices For Lawyers/Law Firms
--and what is the magnitude of each specific threat or vulnerability?
--have new rules or promises been made to clients about old data that is still being stored?
--has the legal service provider changed its storage devices?
55. Best Practices For Lawyers/Law Firms
2. Develop & implement policies & practices to mitigate risks identified
Prioritize
The larger the law firm, the more people need to be involved in overseeing compliance
Whether it is one person or one committee, the overseers must have both authority and
responsibility
Expect non-compliance and develop policies accordingly
Effective security is an entity-wide concern; the entity is only as strong as the
weakest link
Probably the worst thing to do is to publish a policy you know will not be
adhered to
56. Best Practices For Lawyers/Law Firms
Cost is always a factor when choosing security tools
Encryption is a darned good tool—and inexpensive
Password protection is another darned good tool—and also inexpensive
Have & implement your record retention policy and include mention of it in engagement letters
Re-assess policies & practices on a regular interval (at least, annually)
57. Best Practices For Lawyers/Law Firms
3. Detection - DEVELOP A CULTURE OF VIGILANCE AND AWARENESS
Because the vulnerabilities are so numerous & varied, good detection devices are just as numerous & varied.
Perhaps the best detectors are the employees themselves
Encourage internal reporting of ANY suspicious activity to a designated person responsible for receiving such reports
Discourage (and even consider zero tolerance for) all bad practices
58. Best Practices For Lawyers/Law Firms
Train, train, and train some more – across all levels within the organization
The best training is interactive and involves testing to confirm that the trainees understand
Send reminders, warnings, tips, and updates on a regular basis
Identify the source of the breach
Decide whether to stop the breach or involve law enforcement
Investigate the extent of loss
Test your detection tools
59. Best Practices For Lawyers/Law Firms
Expect that some breaches will not even be detected.
60. Best Practices For Lawyers/Law Firms
4. Reporting
Not every breach needs to be reported
Generally,
Every State is different
Many industries have their own rules
To be safe, choose the most onerous law, abide by that, and you will be in compliance with the rest
61. Contact Info:
K. Jon Breyer
Partner
Lindquist & Vennum LLP
E: jbreyer@lindquist.com
T: 612 371 3964
Lucy T. Unger
Partner
Williams Venker & Sanders LLC
E: lunger@wvslaw.com
T: (314) 345-5055
ABOUT THE KNOWLEDGE GROUP
The Knowledge Group is an organization that produces live webcasts which examine regulatory
changes and their impacts across a variety of industries. “We bring together the world's leading
authorities and industry participants through informative two-hour webcasts to study the impact of
changing regulations.”
Disclaimer:
The Knowledge Group is producing this event for information purposes only. We do not intend to
provide or offer business advice.
The contents of this event are based upon the opinions of our speakers. The Knowledge Group does
not warrant their accuracy and completeness. The statements made by them are based on their
independent opinions and do not necessarily reflect The Knowledge Group's views.
In no event shall The Knowledge Group be liable to any person or business entity for any special,
direct, indirect, punitive, incidental or consequential damages as a result of any information gathered
from this webcast.