Risk Management and Loss Control
Take Action Now to Protect Against Cyber-incidents
MCIT hosted the seminar “Data Breaches: A Primer for County Attorneys” March 30. The topic is unfortunately timely for local Minnesota public entities, given the recent high-profile data breaches of the Minneapolis Public Schools and Rochester Public Schools, and 17 cyber claims MCIT received just since January.*
As the expert speakers repeated, it is not if an entity will have a cyber-incident, it is when. As such, the eye-opening information and recommendations presented are important for all MCIT member entities and their employees to understand and act on.
Understand ‘Data Breach’ Legal Definition
The Minnesota Government Data Practices Act classifies data to determine whether and how a governmental entity can share data, among other provisions. Attorney Ann Goering of Ratwik, Roszak & Maloney P.A. reminded the group that the law also includes a specific definition for what constitutes a data breach.**
It is imperative that members understand this definition. If an incident meets this definition, it may trigger additional requirements, such as notifications, investigations and release of findings. Members should keep in mind that not every unauthorized acquisition of data constitutes a breach under the MGDPA.
This is a technical aspect of the law. If a member suspects that an incident meets the definition of “data breach” under the MGDPA, the organization should report it to MCIT and not take any action without first consulting with MCIT or the assigned breach coach.
Current Cyber-threats
Jeffrey Birnbach, senior partner, managing director of Sylint LLC, spoke about the evolving threats to public entities from ransomware, which is malicious encryption of files to deny the owner access to and use of the data; and cyber-extortion, which is a demand for payment based on a threat to expose, damage or deny access to the data.
Birnbach highlighted that ransomware as a service (RaaS) has emerged to make launching a cyber-attack relatively cheap, easy and quick. RaaS is essentially the ability of a bad actor to purchase someone else’s already developed ransomware tools to execute a ransomware attack. He also discussed attack vectors and vulnerabilities, and what makes public entities such easy and attractive targets, particularly the large amount of sensitive data they have on individuals and the historically lax or outdated security of their systems.
A key takeaway concerned the IT response to an attack and the reasons engaging an incident response professional is essential. The immediate impulse may be to restore the system from backups, but entities must remember that the compromised system is, in fact, a crime scene. Although well-intentioned, any efforts to return the system to service can often lead to the obfuscation or loss of essential data as to how the attack occurred and exactly what data had been compromised.
Business Email Remains Major Vulnerability
Antonio (Tony) Rucci, independent cyber-security consultant, led the group deeper into various types of business email compromise, and discussed systems assessments and the need for independent penetration testing of systems to determine the strength of the system against intrusion.
Perhaps the most fascinating part of the presentation occurred when Rucci took the audience through a live demonstration of the dark web, showing active dark markets that sell various criminal services. Attendees witnessed in real time where stolen critical data lands and how it can be sold, traded, auctioned or dumped for the world to see and download. The point was to show how easy it is for anyone to access the information at nearly any price.
Plan for Incident Response
Matthew H. Meade, a member of the Eckert, Seamans law firm, and chair of the firm’s Cybersecurity, Data Protection and Privacy group, walked through practical steps to respond to a cyber-incident. Using real-life scenarios, he presented questions to consider. The main takeaways for members are that they should all have a cyber-incident response plan and practice it, for example in a tabletop exercise, like other emergency response plans.
Meade also highlighted certain smartphone applications such as BeReal that can be used to capture images of work spaces that may contain private or confidential data, which could then be used by threat actors.