3/20/20

F. Marshall Wall
Cranfill Sumner & Hartzog LLP

F. Marshall Wall mwall@cshlaw.com @NCCyberLawyer

Cyber Risks for Municipalities
1. Ransomware
2. Business Email Compromise (BEC)
3. Data Breach
4. Employment Issues

Cyber Risks
Why are municipalities targeted by hackers?

There’s money in it – at least that is the perception
Q: “Why do you rob banks, Willie?”
A: “Because that’s where the money is.”
– Willie Sutton, Where the Money Was: The Memoirs of a Bank Robber

Ransomware
There have been at least 16 reported ransomware attacks on North Carolina cities, counties, school systems, and State and local agencies in the last three years.

Ransomware Attacks
What is “ransomware”?
Malicious software that infects a user’s computer or a network, and restricts access until a ransom is paid.

Ransomware
How is ransomware spread?
– Most often someone responds to a “phishing” email by clicking a link or opening an attachment.
– Some ransomware is spread through social media sites or instant messaging apps.

Ransomware
Should we pay the “ransom”?
– Law enforcement generally recommends against paying.
– Insurance companies may see paying as the cheapest alternative, however.
– Business and operational realities can make paying the best option. Ransomware can lock up critical infrastructure, limiting choices.

Ransomware
If we decide to pay, how do we do that?
And the answer is…

BITCOIN!

Business Email Compromise (BEC)
• The FBI estimates cyber losses of about $3.5 Billion in 2019
• Approximately 50% of these losses were the result of BEC

BEC
What is BEC?
– Hackers compromise or spoof a legitimate email account
– This account is then used to send a phony invoice and request a wire transfer or ACH to an account controlled by the hackers

Avoiding Losses
How can losses to ransomware and BEC be avoided or minimized?
– Backup important information regularly and separate the backup from your network.
– Keep software up-to-date and patched, anti-virus and firewall software.
– Limit users’ ability to download and run software applications.
– TRAINING

Data Breaches – NC Identity Theft Protection Act
What is a “security breach”?

What is a “security breach”?
• Unauthorized access to AND acquisition of
• Unredacted AND unencrypted records or data
• Containing personal information
• Where illegal use of this data has occurred OR is reasonably likely to occur
• Creating a reasonable risk of material harm to a consumer

NOT a Security Breach
• If only encrypted data is taken and the encryption key is not with the data, it is not a data breach
• If the data was accessed but not “acquired”, it is not a data breach
• If there is no risk of material harm to a customer, it is not a data breach

NC Identity Theft Protection Act
What is the legal standard for protection of personal information?

NC Identity Theft Protection Act
• The Act requires that “reasonable care” be used to protect data
• No further definition is given

What is “personal information”?
A person's first name or first initial and last name in combination with other information such as:

What is “personal information”?
• Social Security number
• Driver's license number
• Passport number
• Checking or savings account number
• Credit or debit card number
• PIN code
• Biometric data
• Passwords

Data Breach
How quickly must notice be given?
• There is no specific deadline for notice
• Notice must be “made without unreasonable delay, consistent with the legitimate needs of law enforcement.”

Data Breach
Who Gets Notice?
• Everyone whose personal information was contained in the records
• The Consumer Protection Division of the Attorney General’s staff
• If more than 1,000 people are affected by the breach, notice must also be given to the three major credit bureaus

What if those affected live in other States?
• Data protection statutes are specific to the States where your customers live
• All 50 States – Alabama became the last in March 2018 – the District of Columbia, and Puerto Rico have their own statutes
• Notice requirements, including the time to give notice, vary significantly

Who can sue?
• North Carolina allows a private right of action, but only if the consumer can show injury
• A cause of action under the Act cannot be assigned
• A violation of the Act is an unfair or deceptive trade practice under N.C. Gen. Stat. § 75-1.1

Avoiding Data Breach Incidents
• Prevent
• Detect
• Respond

Avoiding Data Breach Incidents
• Assess your systems, policies, and procedures routinely
• Educate employees – most cyber incidents are the result of human error
• Outside testing of your security
• Determine what data you collect, where and for how long you keep it, and why

Avoiding Data Breach Incidents
• Have an incident response plan and PRACTICE it
• Restrict access and monitor activity
• Encrypt data
• Back up data continually
• Update your software

Employment Issues – Federal Statutes
• The Wiretap Act
• The Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)

The Wiretap Act and Electronic Communications Privacy Act (ECPA)
• Strict restrictions on the interception of wire communications, oral communications, and electronic communications
• Also covers phone calls, emails and other electronic communication (think Skype, Slack, etc.)

ECPA (cont.)
• TWO EXCEPTIONS
1) Consent of one of the individuals
2) Interception was done “in the ordinary course of business” (example of what this means: call-in help centers where communications between customers and representatives are recorded)

Stored Communications Act (SCA)
• Prohibits unauthorized access to electronic communications while they are in a facility through which an electronic communication service is provided.

SCA (cont.)
• If an employee signed a consent release that covers various forms of employer monitoring, the employer should be wary of relying on the prior consent when expanding collection and monitoring procedures. (May need an updated consent form signed!)
• Not doing a careful risk/benefit analysis before implementing a data collection policy.
• Not fully understanding what data you are collecting from your employees

Questions?