1 Cyber Attacks/Bad Publicity
Missouri Municipal Attorney’s Association, July 20, 2014
6 CityPlace Drive, Suite 900 | St. Louis, Missouri 63141 | 314.983.1200
1520 S. Fifth Street, Suite 309 | St. Charles, Missouri 63303 | 636.255.3000
2220 S. State Route 157, Ste. 300 | Glen Carbon, IL 62034 | 618.654.3100
888.279.2792

2 Agenda
- Security, Privacy, Information Security, Cybersecurity?
- Information Security and Privacy
- Confidentiality, Integrity, Availability
- Data Classification
- Data Breaches
- Areas of Information Security & Privacy Management
- Compliance & Regulation Considerations
- Questions
© 2014 Brown Smith Wallace All Rights Reserved

3 Security, Privacy, Information Security & Cybersecurity?
- Security: Measures taken to guard against espionage or sabotage, crime, attack or escape.
- Privacy: Freedom from unauthorized intrusion and observation.
- Information Security: Protecting information from cyber criminals and those who do not have a need to view, access, modify or use.
- Cybersecurity: Measures taken to protect a computer or computer system connected to the Internet against unauthorized access or attack.

4 Security, Privacy, Information Security & Cybersecurity?
The growing number of attacks on our cyber networks has become, in President Obama's words, "one of the most serious economic and national security threats our nation faces." Source: The Department of Homeland Security
- Another day, another hack: Social Security numbers stolen – The Social Security Administration is investigating possible online fraud after complaints were registered at the Social Security office in Fenton. – St. Louis Business Journal, April 30, 2013
- Schnucks says 2.4 million cards may have been compromised – As many as 2.4 million credit and debit cards used at 79 Schnucks stores may have been compromised over a three-month period, leading to widespread fraudulent charges at locations around the globe, the company said Sunday. – St. Louis Post-Dispatch, April 15, 2013
- St. Louis university announces potential data breach – Washington University in St. Louis announced a potential data breach affecting more than 1,000 patients after a surgeon's laptop was stolen in Argentina. Data stored in the unencrypted laptop included surgery dates, names of patients and health record numbers, as well as Social Security numbers for 39 individuals. – January 2013

5 Two in June…
- In June, Butler University in Indiana said personal information related to up to 160,000 students, faculty and alumni was put at risk because of a data breach tied to a suspect in California who had a flash drive with Butler employees’ personal information, including birthdays, Social Security numbers and bank account information.
- In June, the Montana Department of Public Health and Human Services said a department server containing about 1.3 million records on client information, including names, addresses, birth dates, Social Security numbers and clinical information, had been broken into by hackers. It was unclear whether data had been extracted.

6 Data Classification
Is your data classified?
– Public: Disclosure is not welcome, but it would not cause an adverse impact to a company or person.
– Sensitive: Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. Requires a higher than normal assurance of accuracy and completeness.
– Private: Personal information for use within a company. Unauthorized disclosure could adversely affect company or person.
– Confidential: For use with the company only. Data that is exempt from disclosure under the Freedom of Information Act or other laws and regulations. Unauthorized disclosure could seriously affect a company.
– Unclassified: Data is not sensitive or classified.
– Sensitive but unclassified (SBU): Minor Secret, if disclosed it could cause serious damage.
– Secret: If disclosed, it could cause serious damage to national security.
– Top secret: If disclosed, it could cause grave damage to national security.

7 Cost of Data Breach
What is the value of information that is in your custody, that you own, store, process or transmit?
- Value vs. cost of protection? What is your risk appetite?
- What is the cost if your data is compromised?
- Reputation, loss of revenue, legal fines and restitution?
U.S. businesses paid an average cost of $5.4 million per data breach. That is $188 per record.
Source: Ponemon 2013 Cost of Data Breach Study

8 Major Causes of Data Breach
- Malicious attacks cause 41% of data breaches, with a per capita cost of $277
- Human error causes 33%, with a cost of $174
- Employee negligence causes 26%, with a cost of $159
Malicious attacks most costly, more frequent
- Malicious and criminal attacks include malware, criminal insiders (employees, contractors or other third parties), phishing/social engineering and web site attacks
- System glitch includes loss of system or component, IT and business process failures
- Human error is negligent insiders: individuals who cause a data breach because of their carelessness, as determined in a post data breach investigation
Source: Ponemon 2013 Cost of Data Breach Study

9 Cost of Data Breach
Table 2. Percentage data breach cost categories

Category                        | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012
Investigations & forensics      |   8% |   8% |   9% |   8% |  11% |  11% |  12%
Audit and consulting services   |  10% |  10% |  11% |  12% |  10% |   9% |   8%
Outbound contact costs          |   9% |   7% |   6% |   6% |   5% |   6% |   5%
Inbound contact costs           |  10% |   8% |   6% |   5% |   6% |   5% |   5%
Public relations/communications |   1% |   3% |   1% |   1% |   1% |   1% |   1%
Legal services – defense        |   6% |   8% |   9% |  14% |  14% |  15% |  15%
Legal services – compliance     |   3% |   3% |   1% |   2% |   2% |   3% |   4%
Free or discounted services     |   2% |   1% |   2% |   1% |   1% |   1% |   1%
Identity protection services    |   3% |   2% |   2% |   2% |   2% |   3% |   4%
Lost customer business          |  39% |  41% |  43% |  40% |  39% |  37% |  36%
Customer acquisition cost       |   8% |   9% |   9% |   9% |   9% |   9% |   9%
Total                           | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Source: Ponemon 2013 Cost of Data Breach Study

10 7 Factors that Influence the Cost of a Data Breach
1. The company had an incident management plan. 52% of organizations had a data breach incident management plan in place at the time of the data breach event.
2. The company had a relatively strong security posture at the time of the incident. 47% of organizations had a security effectiveness score (SES) at or above the normative average.
3. CISO (or equivalent title) has overall responsibility for enterprise data protection. 43% of organizations have centralized the management of data protection with the appointment of a C-level information security professional.
4. Data was lost due to third party error. 40% of organizations had a data breach caused by a third party, such as vendors, outsourcers and business partners.
5. The company notified data breach victims quickly. 38% of organizations notified data breach victims within 30 days after the discovery of data loss or theft.
6. The data breach involved lost or stolen devices. 35% of organizations had a data breach as a result of a lost or stolen device, which included laptops, desktops, smart phones, tablets, servers and USB drives containing confidential or sensitive information.
7. Consultants were engaged to help remediate the data breach. 42% of organizations hired consultants to assist in their data breach response and remediation.

11 Vendor Management
Relying on outside vendors increases an organization’s information security risk. A vendor management program is intended to address and monitor relevant risks through due diligence on new vendors and ongoing monitoring of existing vendors. This has been a new emphasis by regulatory organizations: they consider that it is no longer sufficient just to get a signed Business Associate Agreement, and that the Covered Entity should also sufficiently assure itself that the vendor has the capability to meet the security requirements.
Formal procedures should be established for hardware, software, or services vendor qualification. Considerations for their selection should include the following:
- Applicability of the IT solutions to the intended environment
- The sensitivity of the data
- The organization's security policies, procedures, and standards
- Other requirements such as resources available for operation, maintenance, and training
What evidence can be reviewed: security audits, pen tests, SSAE 16 SOC 1 or SOC 2 reports, PCI DSS SOC reports

12 5 Steps to Reduce the Risk
1. Educate employees and train them on how to handle confidential information.
2. Update and patch systems: OSs, programs, utilities, everything.
3. Use IDS & DLP technology to find sensitive data and protect it from leaving your organization.
4. Deploy encryption for data at rest and in motion, and implement strong authentication solutions.
5. Vendor management: are they fit for purpose?

13 Frameworks: Areas of Information Security & Privacy Management
- Information Security Governance
- Information Risk Management and Compliance
- Information Security Program Development and Management
- Information Security Incident Management

14 Information Security Governance
Responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, determining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly.
Source: Information Security Governance Guidance for Boards of Directors and Executive Management – IT Governance Institute (ITGI)
Couple of Key Points:
Establish and maintain an information security strategy in alignment with organizational goals, including a security framework to guide activities that support the strategy, including:
- Information security policies that communicate management’s directives and guide the development of standards, procedures and guidelines
- Develop business cases to support investments in information security
- Holistic (internal and external) influences to the organization (e.g. technology, business environment, geographic location, etc.)
- Define and communicate roles and responsibilities throughout the organization
- Measure the effectiveness of the information security strategy

15 Information Risk Management and Compliance
Systematic application of management policies, procedures and practices that identify, analyze, evaluate, report, treat and monitor information risks.
Couple of Key Points:
- Asset classification to ensure that measures taken to protect assets are proportional to their business value
- Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels (e.g. HIPAA, PCI, GLBA)
- Ensure risk assessments, vulnerability assessments and threat analysis are conducted periodically to identify risk to the organization’s information
- Integrate information risk management into business and IT processes (e.g. development, procurement, project management) to promote a consistent and comprehensive information risk management process across the enterprise
- Monitor existing risk to ensure that changes are identified and managed appropriately
Compliance does not mean your information is secure.

16 Security Risk Assessment
Organizations should conduct a formal risk assessment annually for all systems to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of systems and data.
There are several excellent resources:
- NIST Special Publication SP 800-30, Guide for Conducting Risk Assessments
- NIST Special Publication SP 800-66, Introductory Resource Guide for Implementing the HIPAA Security Rule. In this document, Appendix E is the Risk Assessment Guidelines.
- OCR has published “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.

17 Vulnerability & Penetration Testing
The goal is to demonstrate and model real-world threats used by malicious attackers to steal information and gain system access.
- Vulnerability Assessment: the process of identifying, quantifying, prioritizing, and ranking the vulnerabilities in a system using manual and automated software testing.
- Penetration Testing: a method of evaluating the computer security of a computer system or network by simulating an attack from a malicious outsider. Provides a true evaluation of the impact of real-world attacks and demonstrates the business impact in a controlled environment, to then allow for vulnerability remediation.

18 Information Security Program - Development and Management
Development and documentation of activities, projects, and/or initiatives to implement the information security strategy and manage the program.
Couple of Key Points:
- Program needs to align with information security strategy
- Alignment needs to exist with other business functions (such as HR, accounting, procurement and IT)
- Manage internal and external resources to execute the information security program, including third parties
- Establish and maintain information security architectures (people, process, technology)
- Develop and conduct security awareness and training
- Integrate information security requirements into organizational processes:
  - change management
  - software development
  - business continuity, disaster recovery
- Continually measure the program

19 Information Security Incident Management
Manage unexpected disruptive events, minimizing impacts and maintaining or restoring normal operations within a defined time period.
Key Points:
- Establish a hierarchy to accurately identify and respond to incidents
- Develop and maintain an incident response plan to be able to respond appropriately (e.g. legal and regulatory requirements)
- Develop processes, train teams and periodically conduct tests to effectively identify and respond to information security incidents
- Establish incident escalation and notification processes
- Establish and maintain internal and external communication plans
- Perform root cause analysis post-incident and record as “lessons learned”
- Integrate incident response plan, disaster recovery plan and business continuity plan

20 Payment Card Industry (PCI) - Data Security Standards (DSS)
Assessing and reporting compliance on the Payment Card Industry (PCI) Data Security Standards (DSS). Includes 12 high level requirements that must be assessed to ensure Primary Account Numbers (PANs) are processed, transmitted and/or stored in a secure environment.
- There are approximately 321 controls that must be tested
- Compliance is required when certain transactional levels are reached; however, it is always at the discretion of the merchant/acquiring bank
- Being “compliance ready” is always a good practice
- 2014 now requires compliance to PCI DSS Version 3.0 Standards issued by the PCI Security Standards Council
- Do your credit card processors have a valid and up-to-date Service Provider Report on Compliance (ROC) based upon PCI DSS v3.0?

21 HITECH New Approach to Notice Triggering
State Model
Personal information means: First name or first initial and last name in combination with one or more of the following, when either name or data elements are not encrypted:
1. SSN
2. Driver’s license number
3. Account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s account
4. Up to 10 other factors added in many states
HITECH Model
Any “Unsecured” Protected Health Information
Missouri: "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
(a) Social Security number;
(b) Driver's license number or other unique identification number created or collected by a government body;
(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(e) Medical information; or
(f) Health insurance information.

22 Data Breach “Risk of Harm”
- HHS Rule: access or acquisition, only notice if “risk of harm”
- FTC Rule: “acquisition” is access to notice-triggering information – there is no “risk of harm” threshold
- States: take your pick:
  – Access, acquisition, use
  – Risk of harm
  – Materiality
  – Illegality
  – fraud
Missouri: "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.

23 What is “unauthorized”
- HHS: Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule
- FTC: Unauthorized means without the authorization of the individual
- State Law: much less specific

24 Is Encryption a Safe Harbor?
- HHS: unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary…
- FTC: Unsecured means PHR identifiable information that is not protected through the use of technology or methodology specified by the Secretary (think NIST)
- States: many of the states are backing away from pure encryption safe harbor language, to a requirement that encryption must have been effective, the key must not also have been breached, and the information must be unusable
- Wyoming accepts only redaction

25 HHS – methods for protecting
Two approved methods for protecting: encrypt or destroy
Two types of encryption:
1. Data at rest: NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
2. Data in transit: compliance with the Federal Information Processing Standard (FIPS) 140-2 requirements
Two methods of destruction:
1. Non-electronic media: shredded or destroyed such that PHI cannot be recovered
2. Electronic media: should be cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization, such that PHI cannot be recovered

26 Paper Breaches included?
- HHS Rule: yes
- FTC Rule: no…BUT dumpster diving cases have been among their most often pursued as unfair and/or deceptive trade practices since 2005 (see next slide)
- 6 States: yes
- Other States/DC/Territories: no
- Missouri: no, only covers “personal information maintained in computerized form”

27 Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
Date: Tue, 27 Jul 2010 15:38:54 -0400
From: "OS OCR PrivacyList, OCR (HHS/OS)"
Subject: Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
Company agrees to substantial corrective action to safeguard consumer information - July 27, 2010
Rite Aid Corporation and its 40 affiliated entities have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.
Rite Aid, one of the nation's largest drug store chains, has also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid's nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC…
Disposing of individuals' health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals' information to the risk of identity theft and other crimes. This is the second joint investigation and settlement conducted by OCR and FTC. OCR and FTC settled a similar case involving another national drug store chain in February 2009…

28 Notification Timing…
- HHS Rule: 60 days after reasonably “should have known”. Covered entities may be held to the date their business associates should have known. A breach impacting more than 500 individuals requires “immediate” notification to HHS, and if the 500 are in one state or jurisdiction, then notice must be made to prominent media outlets. For cases involving less than 500, the CE must maintain a log and submit annually to HHS.
- FTC: 60 days, but notify the FTC in 10 business days if 500 or more individuals affected
- State Laws: 7 days after law enforcement in Maine, 45 days after “reasonably” should have known in Ohio, Wisconsin & Florida. Otherwise “promptly”, or “most expedient” or similar.
- Missouri: “made without unreasonable delay”, but may be delayed by law enforcement. More than 1,000: notify the State AG.

29 Florida Governor Signs Florida Information Protection Act – June 2014
This update to the existing Florida statute both tightens and increases the scope:
- Expands the definition of "personal information" to include health insurance policy or subscriber numbers, information regarding an individual's medical history, financial information, and online user names or email addresses in combination with their associated passwords or security questions and answers to permit account access.
- Aims to protect Floridians from identity theft by requiring business and governmental entities to protect personal information and report data breaches.
- Requires businesses and governmental entities to report data breaches to the Florida Department of Legal Affairs, and to consumers within 30 days, unless good cause is shown for a 15-day extension.
- Requires business and governmental entities to take reasonable measures to protect personal information, and authorizes enforcement actions for statutory violations under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA).
- The new statute still provides that affected individuals need not be notified if there is a determination that the breach was not harmful; however, it requires that this determination be made after consultation with relevant federal, state, or local law enforcement agencies, and that a copy of that determination be provided to the Florida Department of Legal Affairs within 30 days of the determination.
- Now covers paper records as well as electronic information.

30 Responsibilities
- Breach notification and its legal requirements generally leave all the risk on the covered entity, owner, or licensee
- Be very careful with terminology: if you term it a breach, the rules kick in. Let legal make the call.
- And, the great majority of breaches are not notice-triggering
Service Provider should:
1. Contact covered entity when it first suspects a data breach, NOT when it has been investigated
2. Follow the instructions of the covered entity
3. Assume financial responsibility (negotiate credit monitoring costs – for number of enrollees accessing, not records breached) (and, don’t assume insurance will cover the costs)

31 Conclusion
- Information Security impacts all our lives on a daily basis. Due diligence and caution should be taken when divulging personal information via public networks and social media outlets.
- Controls need to be defined, documented and implemented to reduce the risk of information being viewed, accessed or compromised. Proper mixture of people, processes and technology needs to exist. And education…
- The need for information security will continue to increase, possibly exponentially, as technology continues to evolve and becomes integrated into the mainstream of business processes. Network perimeters once defined and controlled by business and educational institutions continue to erode (e.g. BYOD).
- Security and privacy is a continuous process, not just a product. Having good compliance does not mean you are secure. Vulnerability assessment and penetration testing are among the tools that can help an organization gain a better understanding of its security strengths and weaknesses.

32 Questions
Disclaimer: Whilst all information in this document is believed to be correct at the time of writing, the information in this presentation is for educational and awareness purposes only. For legal advice, please consult an attorney.

33 Presenter
Tony Munns
Partner – IT Risk Advisory Services
CISA, FBCS, CITP, CIRM
Tel: 314.983.1297 Cell: 314.614.6582
- Leads the Risk IT Audit Services for the firm’s clients for the past 11 years.
- Prior experience includes 3 years with Andersen LLP as Technology Risk Consulting Practice Leader
- Previous employment experience over 18 years at 3 Fortune 500 companies: Lucent Technologies, Kraft Foods and the Prudential Assurance Company
