
Hello, and welcome our next speaker, Gopi Ramamorti. He is a technology leader, strategic thinker and problem solver. He has extensive experience in engineering, cyber security and compliance. At Symmetry Systems, Gopi is leading security and compliance engineering and automation, bringing his cyber security and compliance skills and vision to shape the product. He is also managing external compliance certifications. Welcome, Gopi.

Thank you. Good afternoon, everyone. First of all, before I start, I'd like to thank you. It's a wonderful Saturday afternoon outside, but I really thank you all for coming here and spending your Saturday afternoon here. Second, this is a volunteer-run organization; there are a lot of volunteers putting this show together, so a big, big thanks to the volunteers.
The third important thing is I have 60 slides to go through, but only 20 of them are important, so for the remaining 40 slides you can check your phone, your mail, your evening plans and so on. Don't worry. The agenda looks long; again, don't worry. First I'll start with what you need to know before we get into the topic, and then I'll take you through the journey. There's a five-day course, but I'm trying to give it to you in 50 minutes.

A little bit about me: I've been in the industry for 15 years. I handled security in fintech for close to 10 years and in healthcare for five years, and after all that practice I'm building up a data security product at Symmetry Systems.

Disclaimer: I am a cyber security professional with more certifications; I am not a lawyer. The second important thing is I'm going to refer to multiple laws and regulations here. I prepared these slides at a certain moment, and down the line when you refer to this, the laws or regulations might have changed, so please check what is current. The third important thing is I read a lot of books and looked at a lot of websites, and my sincere thanks to all of them.

First of all we need to know why this is important, right? You're going to spend 50 minutes, and you need to have some data points to convince yourself why this topic is important. So I'm listing a set of organizations here. You might have used them; you might be a customer of theirs. They all have decent-size security teams, and they also go through multiple compliance certifications each year, starting with SOC 2, PCI, ISO and more industry-specific certifications. So somebody from a third party comes and verifies them. They have basic compliance hygiene; they have security requirements to meet to get the certifications. But unfortunately they also have gone through data breaches. So this is one data point. The second data point is this particular company, Surfshark, has been collecting data breach data since 2004, and the number you see is 16 billion data records have been breached. This is only PII; this is not even counting PCI, PHI, CUI or other data. So what it means is we always have a risk. It doesn't matter how big the company is, there is always an inherent risk of losing data. It could be an organization's mistake; it may not be the organization's mistake. Sometimes new technology comes in, and it comes with a set of vulnerabilities before it gets stabilized. So irrespective of the multiple security layers we build, irrespective of the money we spend on having security teams, irrespective of the compliance we go through, still there is a risk to data. So what it means is, for all of us, we need to be prepared.
Okay, this slide has a star, so please pay attention. Before you understand sections three, four, five, six, whatever I'm going to bring up, I'll start with this: you need to know what data you have. Do you have PII? Obviously, most organizations have PII. Then do you have health data? Do you have PHI, PCI data? Do you have any DoD CMMC data? Do you have any top secret data? So you need to know all the different data types you have. Then your brain will help you to see how you prepare for a data breach. There may not be a data breach, fortunately, but you need to be prepared. So the left one you already know.

The middle section is data systems. Previously we used to have data only in databases, RDBMS, but over the last 12 years data systems have changed: data has been in flat files, data has been in different types of cloud storage, and data is with different cloud vendors. Also, when we try to understand how to be prepared for data breaches, we need to know data residency. You need to know where your data is; you need to know which region you are storing it in. There is a good paper from the U.S. Department of Commerce (commerce.gov). It talks about the data centers in NATO countries and data centers in OECD countries, and these two put together have some level of protection for your data. The NATO countries and OECD countries put together hold only three-fourths of the data centers, and one-fourth of the data centers in the globe fall outside of these countries. So if something happens, you don't even have a legal way to follow up on those data centers. So look not only at the AWS region, not only at the provider; make sure those regions are in the countries where you want to have some political power, like NATO or OECD. Know your data systems.

So again, I'm just preparing you. Once you find what data you have, please understand who has access to your systems and what kind of monitoring your company, your security team, your technology team have put in place on the data systems. There have been multiple different new technologies coming in, including one data-centric technology, DSPM, data security posture management. This is a new one. But please understand where your data is, what data, who has access, and what monitoring your company's tech force has put in.

Okay, now you know the data. Next we need to know, if there is some incident, who are the stakeholders in the game. So, unfortunately, say there is a data breach, right? Who could sue the organization? Again, I try to make it easy for you. I put it in
three categories, right? First, the leftmost: customers and individuals. There are direct customers who are paying you and you're serving them. Second, there are indirect customers, like data subjects. Equifax collects data about you and me, but we are not directly paying them unless we use their service, but they collect data about you and me; those are indirect subjects. Third is employees, and the fourth category is the private law firms filing class action lawsuits on behalf of victims. It could be a data subject, it could be a customer, but anyone. So these four categories fall in the leftmost. The second one is private institutions, so anyone in the supply chain serving part of the service, right? Ten or twelve years ago there were fewer players in the supply chain, but with all the digital transformation, for one transaction to go through, whether it's a money-moving transaction or a credit card transaction or even a retail transaction where you're buying things from Macy's or Target, there are multiple players involved. You will see some interesting data I'll provide. So those players, if they are impacted, could sue the organization where the data breach occurred. And the third important category is the big elephant in the room, the government, who could sue.

So I'll start with the first one: anyone providing IT, security or cyber security services. For example, at the bottom line, if you see, in 2013 when Target had a data breach, their PCI auditor got included in the lawsuit as well by banks. Second, in 2020 when Marriott had a data breach, their IT service provider Accenture was included in the lawsuit. So be aware of the players in the game. The second category is the supply chain; I already talked a little about this here. The acquiring banks, payment processing vendors, all those from the network to the end to make the payment: all of the supply chain can get sued as well by the players within the supply chain. For example, when something happened at Home Depot, the banks sued some of the players in the supply chain. Same thing with the insurance companies: in some of the data breaches the insurance companies sued the organization, and the organization sued the insurance companies back to get the payments. So the lawsuit is not only one way; it could go back and forth based on the clauses within the insurance policy. For example, if you look at BEC, business email compromise, some of the insurance policies have not included the coverage for BEC. Many of them now include phishing; many of the insurance policies include ransomware protection, but not all of them include business email compromise attack coverage. So when your company buys an insurance policy, please pay attention; otherwise you end up spending time going back and forth. You already have a bad day, and then you have to deal with this as well.

Where could [the lawsuit be filed]? This is also important. The reason it's important is, first, understand the court system, right? At the federal level we have the Supreme Court, and then you have 12 appeals or circuit courts. If you look at the map, there are 1 through 11, and then they fall into 94 districts. Then 11 plus DC, so 12 circuit courts. And please be aware that not every circuit court interprets the law correctly; not correctly, consistently, that's the correct word. Some are lenient, some are not lenient. And also you need to see the history
behind that circuit court before you decide to file, or somebody decides to file, a lawsuit within that circuit court. Also it depends on jurisdiction. You may have an option to select the circuit court; you may not have an option to select the circuit court, based on the jurisdiction.

So, okay, now we saw the players. Next let's see what the regulations are. There are 10 different laws that are directly or indirectly connected to data breaches. Start with the data breach notification law. As of '21 there were 48 states, but as of '22 all 50 states plus DC have a data breach notification law. The second category is cyber security protection laws; there are 10-plus states that have specific cyber security laws. The UCLs: a few states have them. False Claims Acts: a few states also have them. I have some samples, but you can go and complete it later. There are privacy laws; at the state level there are six privacy laws, so Colorado, California, Iowa, Virginia and Utah. There are six state-level privacy laws active as of today, and Indiana is almost approved and will go live either this year or next year. Then there are federal sectoral privacy laws, around 40 of them. I have the slide in the appendix, but what I mean by sectoral laws is you have healthcare-specific laws like HIPAA and GINA, CalGINA, the 21st Century Cures Act; then there are educational laws; then there are finance-specific laws. There are a total of 40 different regulations at the federal level. Then there are consumer protection laws; then UDAP. UDAP is a very important one; I'll go through that one. And on the right side what you see are consumer protection and antitrust laws. They are not directly about data breaches, but they have been heavily, heavily used in data breach lawsuits.

What are the repeated causes cited in lawsuits? In the previous slide we understood there are 10 different laws and regulations that could be used to file a lawsuit in case of a data breach. In this slide what you are trying to understand is, out of all the lawsuits, out of all the regulations we talked about, what are the repeated causes used again and again and again to go after the companies by the government, by the private parties, by the customers, by the supply chain. So first and foremost: violation of its own policy and promise. So you are running a company, and your security policy, like mycompany.com/security-policy, says we protect customer data, we take customer data seriously, we protect it, we have a lengthy, lengthy statement. Please read it and then make sure you follow it. If you are a cyber security professional, please take it seriously and follow it. If you are a legal professional, please review your own publicly posted policy, because that was mentioned in the lawsuits repeatedly, again and again. The second one is lack of fundamental cyber security. The third one is lack of reasonable security. For example, Equifax, collecting all that sensitive data, needs to have a little higher level of cyber security hygiene compared to some other company collecting public data, like LinkedIn profiles. We all post our own public data, but Equifax and TransUnion have highly sensitive data, so those companies should have a higher level of protection.

Okay, so on the right side what you see is the financial institutions have brought multiple lawsuits against the retail companies or other companies that went through a data breach and did not have reasonable protection, and these are the causes I found in multiple lawsuits.

Last, regulations by category. I tried to put a little more detail connecting to the slide two back. This one is the data breach notification law. I talked about states: all states have a data breach notification law. The federal government has four direct data breach notification laws; other regulations are not directly related to data breaches, but we will go through that. The federal government has four laws directly related to data breaches. And the middle section you see is cyber security and data protection regulations. These are some examples I have listed; this is not comprehensive. For example, at the bottom of the slide I've listed a Florida one, a New York one, a New Hampshire one and an Ohio one, but this is not comprehensive; I have given these as examples. Biometric data protection laws: there are four states, including New York, that have biometric data protection laws. I can add it in the appendix, but understand that there's another category we need to worry about if somebody is collecting biometric data from the customers. The right column here you see is the FTC Act. The FTC Act is a very important one,
and we'll go through it; I have one slide for that one. Okay, so the Federal Trade Commission Act. This is one of the highly, highly repeatedly used articles: Section 5. In multiple cases, in most of the big data breach cases, Section 5 was used to go after the companies where the data breach occurred. Section 5 prohibits unfair or deceptive acts or practices in or affecting commerce. So this is used many times in data breach lawsuits. The remaining sections, Sections 8, 13 and 19: these come up when the company does not agree on Section 5. The FTC has ways to go after those companies using Sections 8, 13 and 19. And understand the FTC Act was created in 1914 and it's continuously updated, number one. Number two, from the FTC there have been multiple child organizations connected to the FTC, like the CFPB, BBB and a few more. Even though multiple federal entities have been created, still the FTC has the higher authority to go after these data breach companies.

Standing to sue. Whenever there's a lawsuit, we need to understand whether the victim has standing to sue the organization, and it's codified in Article 3, Section 2 of the U.S. Constitution. So what is standing, right? Whether the victim has a legal case to go after the organization. The courts always look at three things: standing, causation and harm. So harm: some of the courts understood or interpreted it as what has been caused so far, how much money the victim spent, how much time the victim spent. But some of the appeals courts also looked at the harm that would be caused in the future. I think the Third Circuit looked at the future harm and approved some of the legal cases against the organizations. So you need to understand how different appeals courts work; based on their history they may interpret the regulations differently.

Okay, this is another data point: some data is lost, and how much is it being sold for on the dark web? This data is from Experian, and the ranges you see vary from confirmed user identity to not-so-confirmed user identity.

Okay, this is one of the recent important rules from CISA to govern and make sure the 19 sectors, 19 critical sectors in the U.S., report any cyber security incident to CISA; that includes data breaches as well. How to report, where to report, what's the timeline: this is the slide. Within 72 hours you need to report. The rule and the rulemaking are still in progress; the rulemaking could take anywhere from 18 months to 42 months, but CISA already has given a template to report, and CISA and also the
organization could share what could be said with other companies; they have an option to indicate that. I talked about the direct data breach rules from the federal government; these are the four. The others are all indirect; these are the four direct data breach related regulations. 1996 and 2009 are both related to healthcare, in 1999 the GLBA came in, and 2022 is about CIRCIA. On the international side, everybody knows GDPR; that's a big one, and Articles 33 and 34 talk about data breaches and what to do. I have one slide for that one.

So as part of any data breach, organizations need to know how to prepare a data breach notification plan. The basic template should include all these definitions, and we need to understand what these definitions are, because these are the definitions repeatedly mentioned in 50 different states' data breach notification laws and some of the international ones. I'm going to go through some of these sample definitions in the coming slides. The middle portion of this slide talks about the notification timeline and notification requirements. One of the interesting things I found is some state governments require multiple notifications: not only when the data breach occurred and you found it, but also when the customers are notified, and then they have a few other milestones. It's not a one-time notification, so please be aware that there are multiple milestones in notification to some of the states. Another interesting thing I found is if there are a thousand records or more, or a thousand individuals or more, impacted, the states have a mandate for the organizations to notify the credit reporting agencies, so that the victims don't have to; if there's a huge-level data breach, the organization should report to the credit reporting agencies.
Sample breach notification rules. I'm listing, and we'll go through, a few sample definitions to understand the listing I made here. They have some differences; that's why I put some samples. First one: every state, most of the states and the international organizations have defined what they mean by personal data. Some states just talk about the first name, last name, address; some states or international bodies talk about financial and healthcare data; and some international countries talk about the religion, the labor union and the political parties you are connected with. So it depends, but at a high level just understand, based on your jurisdiction, what you are collecting, what you need to know and what law is applicable.

The second one is preemption of compliance. This I read from a few states. What it means is the company is already following certain federal-level regulations related to data breaches; then it means they are already meeting some of the state-level requirements. So for example, DC, looking at a company: if they're already following HITECH and GLBA requirements, then the state assumes that the organization has met some of the data breach requirements. Preemption of compliance from California: California is just looking at HITECH and HIPAA, while DC looked at the GLBA as well.

Security breach definition. I read some of the states; they were very simple, like data lost from the stored systems is a security breach. But some of the states have gone through a long definition. This one is from Connecticut; if you read this: electronic files, media, database, computerized data. They go through multiple media, because with the technology the data could be in multiple places. So some of the states have defined the data breach definition at length.

Risk of harm analysis. Some of the states have defined that if there's no risk caused by this kind of data breach, then they have some leniency in the notification and other processes. Okay, this is the security breach definition from 45 CFR, HIPAA, and the important thing here is HIPAA gives you a clause that if a risk assessment has been done and the risk assessment concludes there is no harm, then the breach notification rule requirement does not apply; it does not fall under disclosure or breach.

Okay, so now let's look at one sample international one: GDPR Articles 33 and 34, right? 33 defines what the requirement of data breach notification is, and it tells that within 72 hours this needs to be reported, and for the data processor, they need to immediately notify the data controller.

Okay, so in the next five slides I am going
to give you the tables you can build on. I have created the template, and I have the books in the credits, and it takes 20 or 30 minutes to build each table. I'm giving you a template you can go and build on, and please be aware this table may change next year and the next year and so on. So the first one I am looking at is the breach notification timeline. This table I put together from immediately to 60 days. I filled in some of them; you can fill in the remaining based on your jurisdiction and what data you have, all those things.

This is the substitute notice. So this table is a very interesting one. Say a data breach occurred, and the organization has 200,000 customers. Trying to contact them may be possible, may not be possible, or may be very expensive. So what the governments have defined is, if it's going to cost more than a certain amount of dollars, you can have a substitute notice. What it means is you can go and display the notice on your website, number one, or you can contact your local state media and put a notice that this happened, so you don't have to reach all the customers. Number one, you may not even have the addresses of the customers; customers may have moved. So this is where substitute notice comes in; there are alternate ways for the organizations to reach out to customers.

Number of individuals. Interestingly, HIPAA is 500 records, right? But between this and this slide, many states I have read have a 250-record or person limit. If a violation or data breach occurred for 250 records or more, then the state data breach notification rule kicks in. So please be aware it's not always 500, it's not always 1,000; many states have 250. So please be aware.

Okay, I talked about this one: reporting to consumer reporting agencies. Some states require the organization to report to Equifax, TransUnion, Experian and any consumer reporting agencies if a certain threshold is crossed.

Ransomware reporting. I included this slide because many times when ransomware happens, eventually a data breach also occurs, right? The bad actors are trying to get your data, many times through ransomware. So I included this information in the slide. If any ransomware occurs, the organization has a legal requirement to report to the FBI or the Secret Service, number one. Number two, the government does not encourage the organization to make a payment for ransomware, but if for some reason the organization makes the payment, they need to report to CISA. So please be aware of that.

Okay, now we learned about the systems,
the players, the regulations and some of the cases. Now we need to have a template to have a plan, right? So I looked at the web and went through this: the FTC has a very good template, and also at the international level the Office of the Australian Information Commissioner has a good template. Look at them and see how you can make use of them, how you can customize them to your own company.

Okay, let's look at some samples of what happened, and we can learn from them. Okay, so this slide lists more than 20 companies. I mean, there's a long list, but I picked up the major ones, and the middle portion of the slide tells which government bodies went after these companies, and on the right side what you see is what regulations or laws were used in the lawsuits against these companies. First let's start with... okay, before we go to the samples, I'm just reminding you what the repeated causes were that we learned in section three. These were the repeated causes used again and again in multiple lawsuits.

Now let's jump onto a sample. We'll start with Equifax, right? So Equifax didn't patch Apache Struts on time, and because of that they went through a data breach, and there were 390-plus civil lawsuits, and the company spent more than 700 million dollars and faced two-plus years of distraction. Now the outcomes. I mean, before the outcomes, there were multiple lawsuits by the government as well as by the individual data subjects, like the class action lawsuits. The outcomes, if you look at this one, the last one I would start with: this is where the company failed. Patch management was weak, and so the outcome of the lawsuit is to reorganize the patch management team. The second one is conduct risk-based pen tests. So if the organization has multiple publicly exposed endpoints and the data is connected to them, do the risk-based pen test; that's an important one. And interestingly, with the California settlement with Equifax, sorry, Equifax settling with California, California mandated applying zero trust principles wherever possible. That's an interesting one from the zero trust perspective. And the one you see in red, minimize data collection: I'm not sure how Equifax or the credit reporting agencies are trying to implement that; they're all collecting as much data as possible, but that was written in the outcome of the lawsuit settlement.

The next one I'll go through is Uber. So Uber went through a data breach; the bad actor was paid and it was not disclosed, and after a certain change in the leadership and management, after one year, Uber disclosed the data breach, and immediately all 50 states jumped in to file the lawsuit. The problem was there was a weak password from a third party that could get to the data, so the outcome is what you see on the right side: they asked to have strong passwords and encrypt personal information wherever it's required. And the important thing technically, if we are technical: the lawsuit outcome included incorporate privacy by design. That's the good thing about this one.

Next one: the Target data breach. This happened in 2013. An HVAC third-party user had admin access; from there it got misused, and the bad actor did multiple lateral moves to get to the POS to plant a script to collect the data from memory. So that's the high-level technical part. Now coming to the data breach incident: there were 92 claims, 92 class action lawsuits, and the company went through like four years of distraction. It even cost the CEO his job. And the outcome is to monitor and do risk-based auditing of vendors, so that's the important one. You have multiple vendors, but based on the vendors and what access they have, we need to have risk-based auditing and monitoring.

In terms of Zoom, they were claiming they were encrypting all the meeting data from what you and I talked about over the last three years, but actually they were not. The FTC found out and went after
Zoom to file a lawsuit. Okay, so far we saw and learned some samples; we learned the regulations. Now the takeaways. At the end of the day, we need to know the systems, we need to have appropriate security based on the data we collect, based on the risk of the data we collect, and please understand who is the data controller, who is the data processor, the whole ecosystem. The second one is understand the regulations and jurisdictions: where your data is, what type of data you have, and what regulations they fall under. Understand them and create a data breach incident response and notification plan. And I would recommend: everything is now automation, right? Everything is becoming highly technical and the data is exploding, so please try to see how it can be automated, how the technologies you are already paying for can be put to use to bring more visibility into the data management. The technology keeps changing: application security, host security, network security, everything can be done, but data needs to be the focus. It's important because security starts with data security, because all the things, application broken or host broken or network broken, they are all going to go after your data. So start with data security first and then go towards the other ones.

These are the websites. I looked at a long list of websites and books, but this is at a high level.
I'd like to show this one; this is a very, very interesting one. Many of you work through the Code of Federal Regulations. The U.S. government has put together 50 titles, and each title has its own importance. Understand these; I highlighted some of them you may come across when you try to do cyber security or data protection or compliance. Take a look at these regulations and see how they're relevant to your job; it's a very useful one. For example, Title 45 is HIPAA, and Title 21 is about the FDA: any clinical trials, any Tylenol or cancer or COVID medicine testing have to follow the regulations under Title 21. The banking ones are under 12, and the DoD ones are 48 and, one more, 32. So try to understand, I mean, look at this map, help your brain to capture this, and then your brain will help to correlate things for you.

The appeals courts I talked about: these are the 12, and there are 94 districts within the 12. These are the 40-plus sectoral laws I talked about; this is not directly related to data breach notification, but having a little bit of understanding of this would help to fill in the puzzles in your plan. So for example, say you are collecting finance data, or you're a public company and you have SOX compliance to do each year; you need to have some level of knowledge of what the financial regulations are. And online privacy: if your company is an online gaming or online services company, you need to understand a few of the online privacy regulations.

Thank you, everyone.