Your Company Has Been Cyber Hacked! Strategies For Dealing With The Fallout
Damage caused by cyber-attacks is increasing exponentially and can cause huge losses for companies and consumers. Businesses must take cyber security seriously to avoid the threats that cybercrime poses to their networks and customers.
- FBI new measures, such as embedding agents with police departments across Eastern Europe, including Estonia, Romania and Ukraine
- Privacy and Civil Liberties Oversight Board- their role and functions
- FCC – Small Biz Cyber Planner
- The NIH Information Security and Privacy Training Courses
- Up to the minute regulatory updates
Jim Halpert, Partner,
- Hacking is a growing problem (perpetrated not only by “recreational hackers” but also by overseas competitors and sophisticated governmental actors) that companies need to take very seriously. If you find out that you are hacked, you need to conduct a thorough investigation to understand what has occurred and to ensure that you have restored the integrity of your system with no malware or vulnerabilities remaining in your system.
- It is critical that before they are hacked organizations implement both strong information security programs and sound incident response plans. The incident response plan needs to draw on and involve key resources within your organization — IT, legal, law enforcement liaison, corporate communications and, if client data are involved, the relationship team for those clients.
- For most organizations, it is a very good idea to engage a skilled computer forensics consultant to determine exactly what happened, to clean your IT infrastructure of vulnerabilities and detect and purge all malware. A key element of data security legal requirements is to adjust your system in light of actual and potential security threats. Failure to respond and learn from actual hacks will likely be considered as negligence. Furthermore, businesses have obligations under SOX to have business continuity plans and protections in place so as not to be crippled by cyber threats. Businesses in heavily targeted sectors (e.g. financial services and defense) should seriously consider going further and helping to raise the security of devices that interact with their servers.
- It is very important to assess as quickly as possible whether the hack likely involves: (1) sensitive personal information triggering a security breach notice obligation to individuals and to government authorities, (2) PCI-DSS data, which triggers requirements to notify the payment card brands and potentially to indemnify them, pay for a special PCI audit and pay fines, (3) sensitive trade secret information serious enough to trigger an SEC requirement to notify shareholders, or (4) a compromise of the security of critical infrastructure, which can give rise to significant harm. The presentation will explain each of these four categories and the steps to take in each case.
- It is also sometimes advisable with appropriate confidentiality assurances and obtaining trade secret protection, to share information about hacking incidents with law enforcement, particularly if you want to attempt to pursue the hacker. Adopting more aggressive counter-measures (for example to retrieve stolen data that is stored on an intermediary server) can sometimes be desirable, but it is important to review these measures for compliance with the law. In addition, organizations in targeted sectors often benefit from sharing information on potential and actual threats with colleagues in other organizations and potentially with government cyber-security authorities. Given the dynamic nature of cyber security threats, information sharing is very important to stay up to speed with evolving threats and to help protect the infrastructure.
C. Kelly Bissell, Global Incident Response and U.S. IT Risk Management Leader,
Deloitte & Touche LLP
- Organizations are experiencing more frequent cyber incidents than ever before
- Discuss costs and impacts to organizations
- Discuss number and types of breaches
- Discuss how to plan for and respond to cyber incidents including loss of data, security breaches, fraud, and disruption of services
Daimon E. Geopfert, National Leader, Security and Privacy Consulting,
Paula Vuksic, CPA, MST, Partner,
- Many organizations still rely almost exclusively on preventative controls (patching, anti-virus, IDS, etc.) while neglecting their detective (monitoring) and corrective (incident response) controls
- The issue with this is that modern threats are purpose built to bypass preventative controls (zero-days, rapidly mutating malware, IDS evasion, etc.)
- While the odds are low that any single organization will be targeted by an APT level threat, we are seeing a “bleed-over” effect where APT-ish capabilities are being built into hacking toolkits which are then wielded by the masses of malicious but un-skilled attackers
- The focus on preventative controls contributes not only to the large number of breaches we’ve been seeing, but also their duration. Some organizations are breached for years at a time without knowing it.
- Organizations should use the information in the public domain that describes how other companies were breached, and they should run mock exercises to see if they would be capable of handling a similar attack. They should ask themselves, where would we have done better monitoring in order to catch this attack?
- Organizations need to plan to fail as all security solutions can eventually be breached. Their goal should be to fail gracefully, by which I mean that they can quickly identify the breach and respond before significant damage is done.
Jonathan Fowler, EnCE, ACE, Director of Forensics,
First Advantage Litigation Consulting
- Internal Fallout
- The company needs to determine how the hack was carried out so that appropriate measures can be put in place to (a) prevent the hack from being carried out again and (b) ensure that corporate IT systems are no longer infected. Additionally, proactive measures should be taken to educate employees on potential dangers of hacking (including social engineering concepts).
- External Fallout
- Depending on the type of data hacked, does the company have an obligation to report the incident, either to governmental regulators or to investors (or both)? Outside counsel may need to be involved to assist the company in navigating through the various state and Federal regulations/requirements in reporting these incidents.
- Proactive Steps
- Aside from corporate IT departments using proactive tools and techniques to monitor for attacks, corporations should form data breach incident teams that include personnel from IT, Risk Management, Legal, as well as business-group leaders to put together a set of standard procedures for the company to follow should an incident occur in the future. This may also involve outside vendors as well, such as computer forensic or cybersecurity specialists.
Who Should Attend:
- Chief Security Officers
- Senior Executives
- Chief Risk Officers
- IT Heads
- Other related Professionals
Jim Halpert is a partner in the Communications, E-Commerce and Privacy practice of DLA Piper. Mr. Halpert counsels technology and content companies on a broad range of legal issues concerning new technologies, including intellectual property protection, content regulation and First Amendment law, privacy, cyber-security, government surveillance, Internet gambling, Internet jurisdiction, telecommunications regulation, on-line contract formation, and marketing. His counseling practice includes advising a wide range of companies regarding privacy and computer security issues, and advising copyright owners, ISPs, and equipment manufacturers regarding IP infringement and copy protection technology strategies. Mr. Halpert has represented and counseled Fortune 500 and smaller companies on a broad range of privacy issues, including information management, data transfer, data security, government regulation of marketing practices, the privacy practices of network operators and websites, communications companies, email spam, and disclosure of customer information in response to government surveillance requests. For example, he has counseled clients regarding responses to more than one hundred data security breaches. Mr. Halpert is deeply involved in the evolution of new law in the technology area, and draws on this experience to provide strategic advice to clients both about where the law is today, and how it is likely to evolve in the future. He has helped draft many of the federal laws that govern e-commerce and use of the Internet. These include the Digital Millennium Copyright Act, the CAN-SPAM Act, USA Patriot Act, Children’s Online Privacy Protection Act, and Communications Decency Act. Representing a coalition of Fortune 500 companies, Mr. Halpert has helped to draft most of the state data security, security breach notification, and state spyware laws and many of the recent state spam laws, as well as California’s online privacy law. Mr. Halpert has also been involved in drafting and negotiating provisions in a variety of international treaty provisions affecting e-commerce, including the Council of Europe Cybercrime Convention, and portions of the IP protection provisions in the US-Singapore and US-Chile Free Trade Agreements.
Kelly Bissell is a Principal in Deloitte’s Security & Privacy group. Kelly has been with Deloitte for over nine years and helped build the Identity Management practice from a handful of practitioners in 2002 to more than 300 today. While at Deloitte, Kelly has led 29 IAM projects (6 global) and has led numerous other projects ranging from Cyber Security, Identity Management, breach forensics, Business Continuity, Privacy, application and business risks and performed 16 M&A due diligence projects and is a frequent speaker. Before Deloitte, Kelly held various leadership positions with Arthur Andersen, BellSouth (AT&T), Medaphis, and McKesson. In addition to being highly technical, Kelly has an MBA from Emory University focusing on Corporate Strategy and Finance. Kelly has 23 years of technology experience and has performed numerous security and privacy projects for clients.
Daimon Geopfert is a director with the technology risk advisory services group at McGladrey LLP. He specializes in penetration testing, vulnerability and risk management, security monitoring, incident response, digital forensics and investigations, and compliance frameworks within heavily regulated industries. Daimon has over 17 years of experience in a wide array of information security disciplines. He serves as the firm’s national leader for the security and privacy practice, responsible for the development of the firm’s overall strategy related to security and privacy services and applicable methodologies, tool kits and engagement documentation. Daimon is a regular presenter for organizations such as Information Systems Audit and Control Association (ISACA), InfraGard, the Certified Fraud Examiners and SC Magazine’s World Congress. He has been quoted in a variety of publications including The Wall Street Journal, Fortune Magazine, The Washington Post, and the Kansas City Business Journal.
Jonathan Fowler is Director of First Advantage’s Digital Forensics practice in the United States. In that capacity, he conducts complex digital forensic investigations and electronic discovery projects, and also has managerial oversight of all forensic investigations taking place within the United States. Additionally, he is responsible for the day-to-day operational management of the firm’s Washington, DC office and has direct supervisory responsibility for all forensic personnel in the New York and Washington, DC offices. He regularly consults with clients to manage all facets of both computer forensic investigations (such as theft of intellectual property, data breaches, etc.), and electronic discovery projects encompassing such types of matters as FCPA investigations and Second Requests. Mr. Fowler has been court-qualified as an expert witness in the field of computer forensics, providing expert testimony for matters in both Federal and state courts; and, is also an Adjunct Professor at George Mason University teaching the capstone seminar in the graduate program in Computer Forensics. He is currently a member of the American Academy of Forensic Sciences – Digital & Multimedia Section, InfraGard, and the Ethics Committee for the Consortium of Digital Forensics Specialists.
Method of Presentation:
On-demand Webcast (CLE)
About DLA Piper
DLA Piper became one of the largest business law firms in the world in 2005 through a merger of unprecedented scope in the legal sector. We were built to serve clients wherever in the world they do business – quickly, efficiently and with genuine knowledge of both local and international considerations. Whether our clients require seamless coordination across multiple jurisdictions or delivery in a single location, they can count on us to deliver the right service and solutions.
About Deloitte & Touche LLP
Deloitte’s Audit & Enterprise Risk Services help organizations build value by taking a Risk Intelligent approach to managing financial, technology and business risks. This approach helps our clients focus on their areas of increased risk, bridge silos to effectively manage risk across organizational boundaries and seek not only risk mitigation, but also pursue intelligent risk taking as a means to value creation. Deloitte’s Security & Privacy practice assists clients across all industries with information risk management, security, and privacy initiatives including:
- Information & Technology Security Management
- Business Continuity Management
- Privacy & Data Protection
- Cyber Threat & Vulnerability Management
- Identity & Access Management
- Application Integrity
Its innovation center, the Deloitte Center for Security & Privacy Solutions, focuses on building innovative, transformational and sustainable solutions that address current management challenges posed. The Center has been developing new ways to help organizations align strategies, processes, and operations to improve operational resilience in uncertain environments. Visit: https://www.deloitte.com/us/securityandprivacysolutions
About McGladrey LLP
McGladrey is the fifth largest U.S. provider of assurance, tax and consulting services, with nearly 6,500 professionals and associates in more than 70 offices nationwide. McGladrey is a licensed CPA firm, and is a member of RSM International, the sixth largest global network of independent accounting, tax and consulting firms. We have approximately 100 information assurance professionals nationwide dedicated exclusively to serving clients’ technology security- and risk-related needs. The McGladrey professionals who work with you have wide-ranging experience within the forensics and response fields, including law enforcement, military, intelligence and corporate investigations. Our professionals carry a multitude of industry recognized certifications, and several of our members are recognized thought leaders within the security industry. Our certifications include EnCase Certified Examiner (EnCE), GIAC Certified Incident Handler (GCIH), Certified Forensic Computer Examiner (CFCE) and various security certifications such as the Certified Ethical Hacker (CEH) and the Certified Information Security Systems Professional (CISSP).
About First Advantage Litigation Consulting
First Advantage Litigation Consulting is an international eDiscovery and managed review provider with extensive experience in litigation, antitrust, second requests, and internal and external investigations. The company supports law firms and corporations with cost-effective, end-to-end litigation services that include data collection, computer forensics, expert testimony, multi-lingual and on-site data processing, hosting and document review. Safe Harbor certified, the company can deploy its services rapidly and efficiently to clients anywhere in the world from offices and data centers in North America, Europe and Asia. For more information, please visit www.fadvlit.com.