MANAGING CYBERSECURITY INVESTIGATIONS - Tara Swaminatha, Of Counsel, Washington, DC Sam Millar, Partner, London May 12, 2016 - DLA Piper

Page created by Theresa Ortega
 
MANAGING CYBERSECURITY
                          INVESTIGATIONS
                          Tara Swaminatha, Of Counsel, Washington, DC
                          Sam Millar, Partner, London
                          May 12, 2016

                   If you cannot hear us speaking, please make sure you have called into the teleconference
                   number on your invite information.
                   •    US participants: 1 800 893 0176
                   •    Outside the US: 212 231 2928
                   •    The audio portion is available via conference call. It is not broadcast through your computer.
                   *This webinar is offered for informational purposes only, and the content should not be construed as legal advice on
                        any matter.

www.dlapiper.com                                                                                                  May 12, 2016       0
Speakers

                   Tara Swaminatha              Sam Millar
                   Of Counsel, Washington, DC   Partner, London

If you have a breach, call counsel yesterday

• Contact inside and outside counsel early (ideally before a breach)
• In the wake of a suspected or actual breach, using counsel (properly) allows you to keep things under wraps until you have a chance to get facts straight
    – As you triage internally, keep your internal discussions and documents confidential
    – Better to take a minute and sort out game plan before saying anything
• *Privilege is not automatic simply by using counsel
• Fact-specific inquiry
• Requires adherence to protocol

Incident response (IR) policy – important elements

• Purpose
• Roles and responsibilities
• Escalation procedures
• Types of incidents
• Incident-specific response procedures
• Communications plan
• Contact information (consider alternative methods of communication)

Other important elements of strong IR plan
(improves efficacy of investigations)

• Response plan “cheat sheets” organized by role
• Proper training for team members
• Vendors engaged through counsel
• Privileged protocol established
• Pre-existing relationships with law enforcement
• Tabletop/security drill
• Continually revise and adapt plans and protocol

[Figure: grid with six "Role" rows and columns Phase 1, Phase 2, Phase 3, Phase 4; cell contents not recoverable]

Security incident triage guidelines

Roles & Responsibilities Matrix

Chain of custody

Data breach incident response quick start guide

• Assemble an incident response team (IRT)
• Contact inside and outside counsel to establish a “privileged” reporting and communication channel
• Coordinate with legal counsel to bring in cybersecurity experts and forensic examiners
• Stop additional data loss
• Secure evidence
• Preserve computer logs
• Document the breach
• Define legal obligations
• Contact law enforcement (possibly)
• Conduct interviews of personnel involved
• Reissue or force security access changes
• Do not probe computers and affected systems
• Do not turn off computers and affected systems
• Do not image or copy data, or connect storage devices/media, to affected systems
• Do not run antivirus programs or utilities
• Do not reconnect affected systems
Importance of attorney-client privilege and
confidentiality (in USA)

• Confidential discussions or documents (“privileged communications”)
• Write and distribute documents within organization with reduced likelihood of disclosure
• Forensic exam analysis kept confidential
• Tradeoffs in a risk analysis
• Purpose of attorney-client privilege

Discuss confidentiality procedures

• External team engaged through counsel
    – PR/communications experts
    – Forensic cybersecurity experts
• Internal team
    – IT
    – Legal
    – HR
    – PR/communications
    – Customer relations
    – Risk management
    – Operations (physical breaches)
    – Finance (company financial information lost)
Choosing a forensic partner/vendor

• Recent launch of two UK government schemes to help companies choose a cybersecurity incident response supplier – CESG/CPNI CIR and CREST CSIR. Recognized set of professional qualifications and best practice standards
• Technical expertise to carry out sophisticated security incident investigations quickly and effectively
• Expert forensic ability
• Consider which elements of the investigation will be outsourced and which will be dealt with in-house
• Consider location of investigation e.g., does the business require a forensic vendor with international reach and ability to deploy teams globally?

Critical protections/lessons learned

• Strong security culture – whistleblowing
• Businesses should have a robust set of policies and procedures to manage cyber security risks. Having such policies is not enough – companies need to ensure that they are implemented correctly by monitoring compliance
• Regular training on cybersecurity issues linked to these policies is also important
• Screening: pre-employment and at regular intervals for employees and contractors to help manage "insider threat"
• Physical/digital security – strong link
• Portable devices – ban? encryption?

Critical protections/lessons learned (continued)

• Clear accountability for cybersecurity risk within the business
• Contract management to incorporate security controls
• User privileges
• Anti-virus software/malware detection
• Audit: security audits to include insider threat audit
• Incident management planning

Cybersecurity trends in the EU

• The FCA has identified cybercrime as a priority in its 2016-2017 Business Plan
• EY's Global Information Security Survey 2015 indicates that the threats people are most concerned about are phishing and malware
• The Panama Papers leak highlights the risk of cybersecurity/data breaches for law firms
• Increased coordination and information sharing between the police and the NCA in responding to and managing cybersecurity threats
• CPNI, GCHQ, BIS and the Cabinet Office have published an updated '10 Steps to Cyber Security' – practical steps businesses can take to improve the security of their networks and the information carried on them
• Increased reporting
EU General Data Protection Regulation

• Key provisions include:
    – Harmonization: single set of rules, directly applicable in all EU member states
    – Enforcement: power for regulators to levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organization. This significantly increases the risk associated with privacy non-compliance
    – Offshore processing: application of EU regulatory framework to companies established outside the EU if they target EU citizens
    – Governance: increased responsibility and accountability on organizations to manage how they control and process personal data
    – One-stop-shop: ability to nominate a single national data protection authority as the lead regulator for all compliance issues in the EU, where the organization has multiple points of presence across the EU

EU General Data Protection Regulation (continued)

    – Consent: adoption of a more active consent based model to support lawful
      processing of personal data
    – Right to be forgotten: a statutory “right to be forgotten” which will allow
      individuals the right to require a controller to delete data files relating to
      them if there are not legitimate grounds for retaining it

Questions?
   Contact us to learn more

              Tara Swaminatha                Sam Millar
              Of Counsel, Washington, DC     Partner, London
              tara.swaminatha@dlapiper.com   sam.millar@dlapiper.com
              +1 202 799 4323                +44 (0)20 7153 7714
