Update: What’s happening in the cybersecurity world – NYPWA January 2019 (PDF document)


12/3/2018

NYPWA January 2019

Protecting Our Clients

A guided discussion on privacy, security, confidentiality and compliance


Update: What’s happening in the cybersecurity world



Internet of Things – IoT: Connecting any device with a network

  • Cell phones
  • Amazon Echo/Amazon Dot
  • Appliances
  • Pacemakers/implanted medical devices
  • Cars
  • Televisions
  • Heating/cooling systems (“Nest”)
  • Nanny cams
  • Kids toys
  • Home security systems
  • Voice Queuing Systems


IoT leads to increased vulnerability

“The attackers used (the thermometer) to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.” – April, 2018

https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4


Cyber Security Breaches: Not limited to “hackers”

“When questioned by officials…the boy said he had acted alone and that he was only trying to see what he could do with the apps.” – November, 2018

http://www.govtech.com/security/Student-Behind-Illinois-High-School-Hack.html


Recent Cyber Security Breaches: Yahoo – Update

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.” – April, 2018

https://www.law.com/therecorder/2018/04/24/sec-wallops-yahoo-with-35m-penalty-over-breach-disclosures-or-lack-thereof/


Recent Cyber Security Breaches: Equifax – Update

Five key factors contributed:

  • Ineffective Identification
  • Poor Detection
  • No Segmentation
  • Poor Data Governance
  • No Query Limits

September, 2018: https://www.bankinfosecurity.com/postmortem-behind-equifax-breach-multiple-failures-a-11480


Security Breaches Impact on Government


Legal updates


Recent Legal Cases: Carpenter v. United States – background

  • Supreme Court heard oral arguments on November 29, 2017
  • Cell phone records connecting phone with towers in vicinity of crime introduced as evidence
  • Defendant convicted and sentenced to 116 years in prison
  • Question raised: is this protected information? Or does the third party doctrine apply?


Recent Legal Cases

Carpenter v. United States – decision

https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

  • Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search
    – Fourth Amendment protects certain expectations of privacy in addition to property interests
  • Digital Data – personal location info held by a third party – does not fit in existing precedents
    – Expectation of privacy in physical location and movements
    – Expectation of privacy in information voluntarily turned over to third parties


Recent Legal Cases

Carpenter v. United States – decision

  • Court cited Riley v. California
    – “Cell records hold for many Americans ‘the privacies of life’”
  • Court adopts rule “must take account of more sophisticated systems that are already in use or in development” from Kyllo v. United States
  • However, court stated this is a narrow ruling, and does not address issues not before the Court


Recent Legal Cases

Apps making it to the court (not the food variety): Knight First Amendment Institute v. Trump, US District Court – Southern District of NY

  • At issue: President Trump’s Twitter Account in relation to the 1st Amendment
    – Whether a public official can “block” a person from his/her Twitter account in response to the political views the person has expressed
    – Does the analysis differ because the public official is the President of the United States
  • Court held no in both instances

Recent Legal Cases

Cullinane v. Uber Technologies, Inc. – Conspicuous informing of Terms and Conditions

  • No click box to accept, instead display a notice of deemed acquiescence and link to the terms
  • “If everything on the screen is written with conspicuous features, then nothing is conspicuous.”
  • Transactions on smartphones and websites increasing, evolving law around those transactions


Recent Legal Cases

Applebaum v. Lyft

  • Several different types of online consumer contracts
    – Browsewrap, clickwrap, scrollwrap, sign-in-wrap
  • “Whether there was notice of the existence of additional contract terms presented on a webpage depends heavily on whether the design and content of that webpage rendered the existence of terms reasonably conspicuous.”


Recent Legal Cases

State of New Hampshire v. Verrill

  • Murder case, Amazon Echo at crime scene owned by the victim
  • Judge signed order for Amazon to provide authorities with recordings during time when crime allegedly occurred
  • Similarities to Bates case – however, that case was not decided by courts because defendant consented to release of information
  • Probable cause and privacy rights at issue

Remember our Ethical Obligations


NYS Rule 1.1

http://www.nycourts.gov/rules/jointappellate/ny-rules-prof-conduct-1200.pdf

A lawyer should provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.


NYS Rule 1.1 Clarification

Comment 8

To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer’s practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable and continuing legal education requirements under 22 N.Y.C.R.R. Part 1500. (emphasis added)

https://www.nysba.org/DownloadAsset.aspx?id=50671


ABA Model Rule 1.1 mirrors NY

ABA Commission on Ethics 20/20: In order to provide competent representation in a digital age attorneys must understand and properly use technology. For example, an attorney should know how to properly use email and create an electronic document and know the benefits and risks associated with technology.

ABA Commission on Ethics 20/20 Report 105A (Aug. 2012)

https://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_105a_as_amended.authcheckdam.pdf


Legaltech News Article from October, 2018

  • 32 States require technology competence of lawyers
  • Some states adding a CLE requirement around technology
  • Need to work with professionals to assist in becoming competent if not able to understand on own


Tech Competency

Asked to Demonstrate Computer Skills, 0 of 9 law firms passed in-house hiring test

  • Corporate counsel for Kia Motors gave a computer skills test to potential law firm hires
  • Audit should have taken one hour, but average pace was five hours
  • Excel, PDF, Bates numbering, Word were all tested
  • Competence can range from using MS Word to complex e-discovery software


Lawyer's e-discovery error led to release of confidential info of thousands of Wells Fargo clients - 2017

  • Vendor conducting e-discovery, attorney oversaw and checked the responsive documents using the vendor’s software
  • View only allowed a limited set of documents, not the entire response, and documents that were supposed to be redacted were not
  • Information turned over to opposing counsel included confidential information of at least 50,000 of the bank's wealthiest clients
    – Social security numbers
    – Financial details, including size of portfolios

http://www.abajournal.com/news/article/lawyers_e_discovery_error_led_to_release_of_confidential_wells_fargo_client/

Guided Discussion: Securing Public Data


Security, Compliance, and Legal Obligations

  • Security: Protecting the confidentiality, integrity, and availability of the data
  • Compliance: What is required by federal or state laws, rules, regulations, or policy
  • Legal Obligations: What is required by federal, state or local law or regulation


Three Key Principles in Information Security

  • Confidentiality
  • Integrity
  • Availability


Confidentiality

  • Limiting access to only authorized users
  • Preventing access by unauthorized users
  • Preventing impermissible disclosure, whether accessed by authorized or unauthorized individuals
  • Permitting access only where the specific job responsibilities cannot be accomplished without such access
  • Enforcing a “Need-to-know” basis


Availability

  • Focusing on ensuring the availability of information resources at all times
  • Working to ensure that hardware and software are protected so that they will not be compromised by viruses or malware, and thus, become unavailable


Integrity

  • Ensuring the information is correct and no unauthorized user has altered it
  • Avoiding the unauthorized modification, manipulation, or destruction of data, applications and/or systems
  • Protecting the trustworthiness of the information


Data Collection

Multiple pieces of data are provided to government entities on a daily basis and stored within databases

  • Name
  • DOB
  • SS#
  • Address
  • Phone numbers
  • Financial information
  • Medical Information
  • HIV Status
  • DV Status
  • Child support information


Questions to ask

  • Who is in charge of the data privacy, security, and compliance?
  • What are the applicable laws, regulations, rules, policies related to the data being created, stored, and shared?
  • What is the risk associated with the data?
  • Who has access to the data, in house and as it is shared out?
  • What technical measures are in place to protect the data?
  • Is there a data security policy?
  • What privacy/security/compliance training is offered to employees?
  • What happens when there is a security incident or a security breach?


Security and Privacy Team

  • Establish and evaluate the team - data security and protection is a group effort
  • Commissioner, program staff, legal, IT, sometimes HR and public relations all should be involved in data security
  • Question: Who is currently involved in your data privacy team? How can you get more awareness and involvement in your data security?


Relevant Laws, Regulations, Policies

  • Federal and State laws, rules, regulations and policies govern the protection of public data
  • Source of the data governs which protections apply
  • In addition to Social Services Law § 136
    – IRS Publication 1075
    – HIPAA
    – Federal Parent Locator Service Agreement
    – Security Breach and Notification Act
  • Question: What compliance obligations attach to your data?


Risk Assessment

  • Only the data that is necessary to support business should be collected
  • Data should only be kept as long as necessary pursuant to record retention requirements and any other legal obligations, e.g. litigation holds, business need
  • Risk assessment can be completed based on information classification
  • Question: What is the risk level associated with the data you collect and retain?


Risk Equation

Risk = Impact X Probability / Cost

  • Impact is the effect on the organization should a risk event occur
  • Probability is the likelihood the event could occur within a given timeframe
  • Cost is the amount it takes to mitigate or reduce the risk to an acceptable level


Examples

Sample Data Classification used in a Risk Assessment

Classification levels: Private, Individualized, Public

Example items (as listed on the slide): Directories, Maps, Lost Phone*, Lost Laptop*, Job Postings, Marketing Material, Press Releases, Employment data, Software keys, Contracts/Budget, Meeting information, Personal data (** no SS # **), Design/planning/Project documents, SS #s, Health Plan Info, Health Care Info, Passwords, Driver License, Financial Info, Tax Info, Unencrypted devices
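To make the risk equation and the classification tiers concrete, here is an added Python example (not code from the NYPWA deck or OTDA): it scores a constructed inventory of data stores with Risk = Impact X Probability / Cost, taking Impact from the store's tier. The element-to-tier mapping, the impact scores, and every probability and cost are assumed sample values.

```python
"""Added example (not NYPWA code): rank data stores for mitigation with the
slide's formula, Risk = Impact x Probability / Cost, taking Impact from the
slide's three classification tiers (Private > Individualized > Public)."""
from dataclasses import dataclass

# Assumed mapping of data elements to the slide's tiers (constructed sample).
PRIVATE = {"ss#", "health info", "financial info", "tax info", "driver license",
           "passwords", "hiv status", "dv status"}
INDIVIDUALIZED = {"employment data", "contracts/budget", "software keys",
                  "personal data (no ss#)", "project documents"}
IMPACT_BY_TIER = {"Public": 1, "Individualized": 3, "Private": 5}  # assumed scores

def classify(elements):
    """A store takes the tier of its most sensitive element: one Private field
    (e.g. SS#) makes the whole store need-to-know."""
    names = {e.lower() for e in elements}
    if names & PRIVATE:
        return "Private"
    if names & INDIVIDUALIZED:
        return "Individualized"
    return "Public"

@dataclass(frozen=True)
class DataStore:
    name: str
    elements: tuple      # data elements held, e.g. ("Name", "SS#")
    probability: float   # likelihood of a loss event in the period, 0..1
    cost: float          # relative cost to mitigate to an acceptable level

def risk_score(store):
    """Risk = Impact x Probability / Cost. Cost must be positive: the formula
    divides by it, so a zero cost is a scoring error, not free mitigation."""
    if not 0.0 <= store.probability <= 1.0:
        raise ValueError(f"{store.name}: probability must be within 0..1")
    if store.cost <= 0:
        raise ValueError(f"{store.name}: cost must be positive")
    impact = IMPACT_BY_TIER[classify(store.elements)]
    return round(impact * store.probability / store.cost, 3)

def ranked_names(stores):
    """Store names, highest risk first: the order in which to fund mitigations."""
    return [s.name for s in sorted(stores, key=risk_score, reverse=True)]

# Constructed inventory using data elements the slides list (not real OTDA data).
INVENTORY = (
    DataStore("Unencrypted field laptop", ("Name", "Financial info"), 0.6, 1.0),
    DataStore("Case management DB", ("Name", "DOB", "SS#", "HIV status"), 0.4, 2.0),
    DataStore("Contracts/budget share", ("Contracts/budget",), 0.3, 1.5),
    DataStore("Staff directory", ("Name", "Phone numbers"), 0.5, 1.0),
)
```

Note that the cheap, likely loss (the unencrypted laptop, a Private-tier item on the slide) outranks the more sensitive case database, which is the prioritisation the cost term is there to produce.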


Access

  • Only those with a legitimate business need to the data should have access to the data, both in house, and after it has been shared
    – Physically and technically
  • Consider who may have access with any outside contracts, third party vendors, data exchange agreements and use risk assessment to determine if business justification allows access
  • NDA’s should be in place for those with access to data
  • Question: Is access to your data restricted to those with legitimate business need? Who has access once the data is shared? Are the proper NDA’s and consents in place?


Technical Measure Review

  • Technical measures secure the data
    – Authentication protocols
    – Encryption
    – Password practices
    – Multifactor identification
    – Firewall and Anti-virus
  • Technical measures to alert when unauthorized access occurs
  • Question: What technical measures do you have in place to secure the data?


Security Policy

  • Policy should include:
    – Purpose
    – Scope
    – Definitions
    – What the policy is for, what it covers, who it applies to
    – Who enforces the policy
    – Contact for questions
  • 18-LCM-10 ** This updated 14-LCM-15 for Social Services Districts
  • Question: Is there a data security policy? When was it last updated?


Training

  • Human error is often the weakest link in data security
  • Employee training informs those who have access to the data to keep it protected and highlights common security issues
    – Phishing emails
    – Password security
    – Access
  • Questions: Does your training include data privacy and security? Is the training comprehensive? Have all employees taken the training? How regularly?


Security Incident and Security Breach

  • Policy to dictate what to do when a security incident or security breach occurs
    – Should include definitions of what each of these mean
    – Should set out process for reporting
    – Should include contacts if there are any incident or breach questions
  • 18-LCM-10
  • Question: Is there a security incident/security breach policy in place? Have all staff been apprised of the policy?


Policy Creation

As IT becomes more mainstream, additional policies are necessary

  • Email Use Policy – Banner Splash Screen
  • Mobile Device Policy
  • Bring Your Own Device (BYOD) – The Sedona Conference Commentary
  • Internet Use Policy
  • Wireless Policy
  • 18-LCM-10 **Updated 14-LCM-15 – Use and Protection of Confidential, Private, Personal and/or Sensitive Information


Current use of IT Products

Current IT solutions used need constant review to ensure compliance

  • Thumb drives
  • Encryption
  • Cloud solutions
  • Passwords
  • SharePoint
  • Facebook
  • File Storage
  • End User License Agreements updates
  • Terms Of Service updates

Vetting Proposed IT Solutions

  • Technology is ever-expanding and new IT solutions are always available
  • Review End User License Agreements (EULA)
  • Review Terms of Service (TOS)
  • Review against NIST Standards – cybersecurity framework 1.1 updated April, 2018
  • Review against IRS Safeguards Program Topic Areas

  • Review against IRS Safeguards Program Topic Areas


Meeting Legal Obligations

Legal obligations attach to data the same as any other information

  • Records Retention
  • Auditing
  • Litigation Hold
  • Chain of Custody
  • FOIL
  • E-Discovery


Contacts

  • Carmela Pellegrino, Esq., Associate Attorney, Division of Legal Affairs, OTDA – 518-473-8266 – Carmela.Pellegrino@otda.ny.gov
  • Meghan A. Deltry, Esq., Assistant Counsel, Division of Legal Affairs, OTDA – 518-474-5638 – Meghan.Deltry@otda.ny.gov
  • Scott Rogler, CISSP, GSEC, OTDA ISO, Division of Legal Affairs, OTDA – 518-474-4964 – Scott.Rogler@otda.ny.gov