Why are municipalities targeted by hackers? F. Marshall Wall


3/20/20
F. Marshall Wall
Cranfill Sumner & Hartzog LLP
mwall@cshlaw.com @NCCyberLawyer

Cyber Risks for Municipalities

  • 1. Ransomware
  • 2. Business Email Compromise (BEC)
  • 3. Data Breach
  • 4. Employment Issues

Cyber Risks

Why are municipalities targeted by hackers?

There’s money in it – at least that is the perception

Q: “Why do you rob banks, Willie?”

A: “Because that’s where the money is.”

– Willie Sutton, Where the Money Was: The Memoirs of a Bank Robber

Ransomware

There have been at least 16 reported ransomware attacks on North Carolina cities, counties, school systems, and State and local agencies in the last three years.

Ransomware Attacks

What is “ransomware”?

Malicious software that infects a user’s computer or a network, and restricts access until a ransom is paid

Ransomware

How is ransomware spread?

  • Most often someone responds to a “phishing” email by clicking a link or opening an attachment.
  • Some ransomware is spread through social media sites or instant messaging apps.

Ransomware

Should we pay the “ransom” ?

  • Law enforcement generally recommends against paying.
  • Insurance companies may see paying as the cheapest alternative, however.
  • Business and operational realities can make paying the best option. Ransomware can lock up critical infrastructure, limiting choices.

Ransomware

If we decide to pay, how do we do that? And the answer is…

BITCOIN!

Business Email Compromise (BEC)

  • The FBI estimates cyber losses of about $3.5 Billion in 2019
  • Approximately 50% of these losses were the result of BEC

BEC

What is BEC?

  • Hackers compromise or spoof a legitimate email account
  • This account is then used to send a phony invoice and request a wire transfer or ACH to an account controlled by the hackers

Avoiding Losses

How can losses to ransomware and BEC be avoided or minimized?

  • Back up important information regularly and separate the backup from your network.
  • Keep software up to date and patched, including anti-virus and firewall software.
  • Limit users’ ability to download and run software applications.
  • TRAINING

Data Breaches – NC Identity Theft Protection Act

What is a "security breach"?

What is a “security breach”?

  • Unauthorized access to AND acquisition of
  • Unredacted AND unencrypted records or data
  • Containing personal information
  • Where illegal use of this data has occurred OR is reasonably likely to occur
  • Creating a reasonable risk of material harm to a consumer

NOT a Security Breach

  • If only encrypted data is taken and the encryption key is not with the data, it is not a data breach
  • If the data was accessed but not “acquired”, it is not a data breach
  • If there is no risk of material harm to a customer, it is not a data breach

NC Identity Theft Protection Act

What is the legal standard for protection of personal information?

NC Identity Theft Protection Act

  • The Act requires that “reasonable care” be used to protect data
  • No further definition is given

What is “personal information”?

A person's first name or first initial and last name in combination with other information such as:

What is “personal information”?

  • Social Security number
  • Driver's license number
  • Passport number
  • Checking or savings account number
  • Credit or debit card number
  • PIN code
  • Biometric data
  • Passwords

Data Breach – How quickly must notice be given?

  • There is no specific deadline for notice
  • Notice must be “made without unreasonable delay, consistent with the legitimate needs of law enforcement.”

Data Breach – Who Gets Notice?

  • Everyone whose personal information was contained in the records
  • The Consumer Protection Division of the Attorney General’s staff
  • If more than 1,000 people are affected by the breach, notice must also be given to the three major credit bureaus

What if those affected live in other States?

  • Data protection statutes are specific to the States where your customers live
  • All 50 States – Alabama became the last in March 2018 – the District of Columbia, and Puerto Rico have their own statutes
  • Notice requirements, including the time to give notice, vary significantly

Who can sue?

  • North Carolina allows a private right of action, but only if the consumer can show injury
  • A cause of action under the Act cannot be assigned
  • A violation of the Act is an unfair or deceptive trade practice under N.C. Gen. Stat. § 75-1.1

Avoiding Data Breach Incidents

  • Prevent
  • Detect
  • Respond

Avoiding Data Breach Incidents

  • Assess your systems, policies, and procedures routinely
  • Educate employees – most cyber incidents are the result of human error
  • Outside testing of your security
  • Determine what data you collect, where and for how long you keep it, and why

Avoiding Data Breach Incidents

  • Have an incident response plan and PRACTICE it

  • Restrict access and monitor activity
  • Encrypt data
  • Back up data continually
  • Update your software

Employment Issues – Federal Statutes

  • The Wiretap Act
  • The Electronic Communications Privacy Act (ECPA)
  • Stored Communications Act (SCA)

The Wiretap Act and Electronic Communications Privacy Act (ECPA)

  • Strict restrictions on the interception of wire communications, oral communications, and electronic communications
  • Also covers phone calls, emails and other electronic communication (think Skype, Slack, etc.)

ECPA (cont.)

TWO EXCEPTIONS

  • 1) Consent of one of the individuals
  • 2) Interception was done “in the ordinary course of business” (example of what this means: call-in help centers where communications between customers and representatives are recorded)

Stored Communications Act (SCA)

  • Prohibits unauthorized access to electronic communications while they are in a facility through which electronic communications are provided.

SCA (cont.)

  • If an employee signed a consent release that covers various forms of employer monitoring, the employer should be wary of relying on the prior consent when expanding collection and monitoring procedures. (May need an updated consent form signed!)
  • Not doing a careful risk/benefit analysis before implementing a data collection policy.
  • Not fully understanding what data you are collecting from your employees

Questions?