Editor: Please give our readers a brief overview of your professional background.
Luehr: I am managing director and chief privacy officer for Stroz Friedberg. I started my legal career at the Federal Trade Commission, where I chaired the Internet Coordinating Committee and was one of the early folks on the Internet as a regulator. I tell people that I was on the Internet before there were pictures! For eight years I worked largely on anti-deception and consumer protection cases. I then became a federal prosecutor for the U.S. Attorney’s Office in my home state of Minnesota, where I handled the gamut of responsibilities related to cybercrime including hacking, child pornography and online fraud. After 9/11 occurred, I oversaw the initial investigation into computer evidence related to convicted terrorist Zacarias Moussaoui and for a time worked primarily on counterterrorism investigations. For the past 10 years, I have been with Stroz Friedberg, where my focus is on privacy issues, healthcare data, digital forensics and data breach response.
Editor: What are some early warning signals of a possible cyber attack?
Luehr: The first sign of a cyber attack on a corporation is usually a phishing email. These emails are typically targeted at someone within the corporation. Criminals use that email as a means to get a foothold on the network after the recipient clicks on a malicious link or an attachment. Criminals can then deposit their malware and start surfing across the internal network looking for valuable credentials and information. Even the most sophisticated attacks involving malware and intrusions into the network often start with a simple phishing email.
Editor: It’s been said that the recent retail breaches are indicative of the spread of malware that can infiltrate point-of-sale transactions. Would you tell us more about the growth of malware intrusions?
Luehr: Malware intrusions are part of the larger problem of malicious attacks that come from outside the corporation. In 2008 only about 12 percent of data breaches were the result of malicious external attacks, but by 2012, outside attacks accounted for approximately 41 percent of all data breaches in the U.S. Keep in mind that these external breaches are usually much more harmful to an organization than a lost laptop. Unlike data misplaced by a negligent employee, malware attacks are usually targeted at specific types of valuable information (e.g. customer credit card numbers, other financial data, trade secrets) and therefore tend to be much more damaging to the corporation.
Editor: Is a company exposed to liability if it fails to discover an intrusion or notify those affected in a timely fashion? What might hinder a company from becoming aware of an intrusion and/or reporting it right away?
Luehr: A company is exposed to significant liability if it does not detect an intrusion and notify victims of that intrusion. So far, 47 states in the U.S. have a data breach notification law that requires companies to notify victims whenever their data has been compromised. If companies don’t properly notify those victims in a timely manner, they can become the targets of regulatory actions by state attorneys general or federal regulators like HHS, or defendants in class action lawsuits brought by private attorneys.
What usually hinders a corporation from detecting and reporting an incident is disorganization. Too many companies don’t know where their most sensitive information lies. They don’t know where their customers’ personal information is stored; they don’t understand how widely distributed some of their employee information is; and they don’t know where their valuable trade secret information is housed. Amidst the clutter of internal corporate networks, corporations often don’t know how badly they’ve been hit by a cyber attack, or even when and if they’ve been hit. After an intrusion, that same clutter can slow down the investigation and notification process.
Editor: Please share with us how your organization has helped clients protect their data in accordance with privacy and security laws.
Luehr: Stroz Friedberg provides preventative services, such as privacy or security assessments, to corporations so that they can better organize their network and prevent a data breach in the first place. Those assessments usually include several components, but one of the most important is a risk assessment that examines what type of sensitive information the company has collected, how it is used and shared, and what types of threats and vulnerabilities could undermine its security. Then we often will ask three types of questions about the security around that sensitive information. The first is administrative: how are you protecting sensitive information administratively through policies and procedures? The second is physical: how are you protecting your information through guards, gates, badges and signup procedures? The third is technical: how are you protecting your information in terms of firewall configurations and network security measures? We also provide advice on data mapping by sitting down with business leaders to help them better understand the organization of their most valuable information assets. We have found that if corporate managers don’t do that in advance, when a data breach does occur, we all waste the first two to three days just trying to determine where sensitive data has been located.
Editor: Aside from a breach or the recommended yearly health checks, are there other events that might or should prompt a compliance review?
Luehr: Rather than wait for a specific triggering event, we think it is important for corporations to take affirmative steps to regularly test their specific data breach response plans. We recommend that companies set aside time to run through a “tabletop” exercise. Consider this scenario: it is 9:00 a.m. Friday morning, and you have just been notified that one of your websites went down. Who needs to be at the table? How do you start responding? If a corporation runs this type of tabletop exercise, it is far more likely to respond quickly and efficiently when a breach occurs.
Editor: Under HIPAA, covered entities must have a contingency plan to protect data in case of an emergency. What are key components of such a plan?
Luehr: A contingency plan is an important part of a comprehensive security policy. Whereas a data breach response plan is focused on a data incident that is affecting your network and your information assets, a contingency or disaster recovery plan is broader and covers, not just computer failures, but also other crises and events like fire, floods, hurricanes and even terrorist attacks. The key component in a disaster recovery plan is resiliency. Having crucial information backed up so that it is not affected by these natural or manmade disasters is vital. You must also be able to access that information effectively so that your corporation can come back online and start operating quickly and efficiently. One downfall of most disaster recovery plans is, again, that companies do not test them. For instance, we often find that companies have never successfully restored data from their “disaster recovery” tapes.
Editor: What are the best defenses in preventing cyber attacks?
Luehr: At the organizational level, the most important component of prevention is buy-in from top-level executives. We believe a corporate culture that takes security seriously is one of the most valuable security measures you can have. At the technical level, there are two significant preventive measures that companies can take. First, corporations can make sure that only their information technology staff has “administrative access” to company computers. That means that the average employee cannot and should not have the ability to download anything and everything he or she sees on the Internet. An organization should use a common set of software applications and only allow IT staff privileges to upgrade or download software on individual computers. A second key technical component is encryption. Sensitive data like healthcare information, credit card information and other financial information should always be encrypted, whether it is being transmitted or sitting at rest.
Editor: Are corporate concerns triggering legislation or regulations around data privacy and security? In general, what does the future hold in terms of state and federal legislation/regulation?
Luehr: There is a growing chorus of citizens and legislators calling for some type of national data security legislation. In the wake of recent cyber attacks, consumers want more protection while there is a growing concern among businesses that they can’t deal effectively with many different state laws. As a result, both consumer groups and business organizations are calling for a single data breach notification law. We’re also seeing a push for stronger privacy and data security laws from our trading partners overseas, especially in the wake of the Snowden affair. While I don’t think we’ll see national legislation across the entire spectrum of data privacy or data security, it’s likely we will see some national legislation on the specific issue of data breach notification.
Editor: Please define some of the cybersecurity standards currently used by organizations. Are these standards effective? What more can be done from a policy perspective?
Luehr: Cybersecurity standards vary from sector to sector in the United States. There are, however, some standards that organizations can look to for general cybersecurity guidance. These include the SANS Top 20 Critical Security Controls, NIST Publication 800-53 and ISO 27001-2, which has gained credibility within the international community. We often advise clients to look toward the SANS and NIST standards because they are specific enough to provide a company with good guidance, and they are broad enough to cover many different types of industries.
Newcomers to data security also may want to review the “Cybersecurity Framework” launched by the White House in February 2014. This cybersecurity initiative does a good job of consolidating over 30 different industry-specific security standards and lays out complicated security principles in an easy-to-follow, easy-to-read format. The full framework can be found at the NIST web site and boils cybersecurity down to five core functions: identify, protect, detect, respond, recover.
Editor: We’ve heard a lot of the Heartbleed flaw in recent weeks. What possible long-term implications might that have on data security issues?
Luehr: The implications of the Heartbleed bug are quite severe. It exploits a vulnerability in one of the most common server configurations used across the global Internet. A patch has already been made available, and every company’s IT department should already have checked their websites and their Internet hardware to see if this Internet vulnerability has affected them. If affected, a company should make sure they have upgraded their systems, downloaded the patch and removed the vulnerability. However, we know from experience that many systems will go unpatched for years. History tells us that a year or two down the road, we will continue to see data breaches and intrusions that are taking advantage of a vulnerability that is known today.