[BreachExchange] Regulators enlist corporate lawyers in joint response to cyberattacks

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 26 20:45:44 EDT 2017


http://www.abajournal.com/news/article/cybersecurity_law_breach_response/

Responding quickly to an identity theft, ransomware or other computer
attack means having a plan in place. And as participants in the National
Institute on Cybersecurity Law learned, that includes a plan to send in the
feds.

“Figure out if you have to report that breach to my office or other
regulators, state and federal,” was the advice from Iliana Peters, who’s
responsible for health care data privacy at the U.S. Department of Health
and Human Services.

Peters was on a panel of six current and former regulators assembled by the
ABA Section of Litigation on Thursday in Chicago.

“We want to be sure that entities are prepared to implement these kind of
response plans,” Peters said. “As it’s happening is not the time to be
doing that, to be figuring out how you’re going to respond.”

Reporting an incident can bring in experts to evict cyber squatters, said
Lucia Ziobro, the head of an FBI internet crime unit.

One company’s general counsel turned FBI agents away after a security
breach, she recalled. For the next week, the lawyer traded messages online
with the chief executive and technology executives about what to do next.
Meanwhile, hackers monitored the discussion, and covered their tracks. When
the feds returned, Ziobro said, “all the evidence we could have collected
was gone.”

“Come up with a different way to communicate once you know you’re
infected,” she advised.

Regulators, for their part, are more focused on prevention than
prosecution. But they don’t like surprises. “If we see a news report and we
don’t have a breach report from you, it is very likely that we will open an
investigation proactively,” Peters said.

Travis LeBlanc, a former chief enforcer for the Federal Communications
Commission and the high-tech crime unit of the California Attorney General’s
Office, stressed that there’s little downside to calling in federal or state
regulators, who are constrained by law in what information they can share.

“So often we hear from companies that they are afraid to report to the FBI
or to the Secret Service or the eCrime unit in California,” LeBlanc said.
“Not one time did we ever on the civil side receive information about a
criminal incident from a criminal law authority that resulted in an
investigation.

“It’s very important that when a company is a victim of a crime, it should
feel that it can go to the appropriate governmental authority without being
chilled by the possibility of regulatory action.”

Panelists said assessing and attending to security risks beforehand will
show a company’s good faith efforts at compliance. “We’re talking about
things like passwords and encryption,” said Susan Schroeder, acting head of
enforcement for the Financial Industry Regulatory Authority, the securities
broker-dealer watchdog. Broker disciplinary actions are likely to trigger
closer scrutiny.

Corporate bad actors are those who “failed to address the basics,” said
James A. Trilling, a Federal Trade Commission attorney.

“When you see an organization that’s done nothing upfront–hasn’t trained,
doesn’t have policies in place, isn’t managing their vendors–those are the
ones that are typically the low-hanging fruit,” Trilling said.

Ransomware attacks such as last month’s global WannaCry attack pose
difficult choices. “One in four victims of ransomware who pay don’t
actually see their data unlocked, or it’s exposed after the fact,” said
LeBlanc, now a Boies Schiller Flexner partner.

Law enforcement agencies advise victims not to pay the ransom. Even so,
LeBlanc said, “When you’re the company that has your data being held
hostage, and it is your most sensitive data possible, people’s lives may be
in jeopardy, and someone is telling you that paying $300–or $600, I think
that was the amount in WannaCry–and you have the possibility of avoiding
it, it is very tough to say we’re not going to pay that $600.”

Privacy guardians see a looming threat in the security of health data as
wearable devices become hacker targets.

“We are grossly underprepared for how these devices that are interconnected
in our lives handle information,” said Matt Van Hise, the Illinois Attorney
General’s privacy counsel. “The intelligence and genius that goes behind
them anticipates what the device is intended to do, not what the device can
and will do and where the information will go.

“We can anticipate that a smart device that’s controlling your blood
insulin can be hacked and changed and possibly affect your insulin levels,”
Van Hise said, “or a pacemaker could be shut off and unfortunately kill
you.”