5. Cyber Security is an Oxymoron
• You're kidding me, right?
• You and your data will never, EVER, be 100% guaranteed safe online.
• If it is connected, it is vulnerable
6. Cyber Security is an Oxymoron
• Huge, rapidly growing problem
• Now rated the No. 1 future business threat by CEOs
• 40% believe attacks are “unavoidable”
• “Career ending” risk
12. Resources on Educational Attacks
• https://k12cybersecure.com/
• https://www.databreaches.net/category/breach-reports/education-sector/
13. Types of Attacks
• Brute Force
• DDoS
• Ransomware
• Phishing
• Spear Phishing
• Man in the Middle
14. Types of Attacks – Brute Force
• Guess your password
• Exhaustive Key Search
• Don’t use “password” or “123456”
• Longer password (and a larger character set) – exponentially harder to break
• Password = access = control
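An added example, not from the original slides, putting numbers on the bullets above: how the search space grows with length and character set, a blocklist check for the obvious choices, and an actual exhaustive key search against a hashed secret. The guess rate and the tiny blocklist are assumptions made up for the example; the 4-digit PIN is a constructed secret.

```python
"""Added example (not part of the original slides): cost of brute force
versus password length, plus a real exhaustive search over a short secret.
Rates and lists below are illustrative assumptions, not measurements."""
import hashlib
import itertools
import string

# Assumed attacker: offline copy of the hash, 10 billion SHA-256 guesses per
# second. A round number for illustration, not a benchmark of any hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for the real "most common passwords" lists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

CHARSETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "alphanumeric": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def search_space(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def expected_seconds(charset_size: int, length: int,
                     rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to the right guess: on average half the space is tried."""
    return search_space(charset_size, length) / 2 / rate


def crack_cost_table(lengths=(6, 8, 10, 12, 16)) -> dict:
    """(charset name, length) -> expected seconds, the 'longer is harder' slide in numbers."""
    return {(name, n): expected_seconds(len(cs), n)
            for name, cs in CHARSETS.items() for n in lengths}


def password_is_weak(pw: str, min_length: int = 12) -> bool:
    """Reject blocklisted passwords outright and anything shorter than min_length."""
    return pw.lower() in COMMON_PASSWORDS or len(pw) < min_length


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_length: int):
    """Exhaustive key search: try every string over `alphabet` up to max_length,
    shortest first. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for n in range(1, max_length + 1):
        for cand in itertools.product(alphabet, repeat=n):
            attempts += 1
            guess = "".join(cand)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    for (name, n), secs in sorted(crack_cost_table().items()):
        print(f"{name:13s} len={n:2d}  ~{secs:.3g} s at the assumed rate")
    # A 4-digit PIN falls inside 10^4 + 10^3 + 10^2 + 10 guesses; hashing it does not help.
    print(brute_force(sha256_hex("7041"), string.digits, 4))
```

The table is the point of the slide: at the same assumed rate, an 8-character lowercase password falls in seconds while a 16-character one takes centuries. The rate is the attacker's offline rate against a stolen hash; online guessing against a login form is slowed by lockouts and rate limits, which is why stolen password databases matter so much.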
15. Types of Attacks – DDoS
• Distributed Denial of Service
• “Take down” a target by flooding it with massive traffic
• Relies on the way the internet works: the target must receive and handle every packet sent to it, wherever it comes from
• Traffic comes from botnets: many machines infected with malware and controlled by the attacker
• Retailers primarily at risk
• Education – reputational damage and loss of online services
17. Types of Attacks – Ransomware
• Program that encrypts your files
• Attacker offers the decryption key for a ransom ($$$$)
• Encryption is strong: without the key the files cannot be recovered
• Holding your own data hostage
• Pay, or restore the data from backups
• Working, tested backups are critical (kept where the same malware cannot reach them)
18. Types of Attacks – Phishing
• Fake Emails
• Designed to Look Reputable
• Logos, Language, etc
• Get you to Click on a link
• Download malware
• Keylogger, Ransomware, Adware, etc.
19. Types of Attacks – Spear Phishing
• Specifically Targeted Fake Email
• Personalized to Victim
• Based on prior research on the victim (online sources)
• Same goal – get you to click on a link
• Download malware
• Again, Password = access = control
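Both phishing slides come down to one action: clicking a link that does not go where it appears to. An added example, not from the original slides, that inspects the links in an HTML email body and flags the ones whose visible text, target host or scheme give the game away. The sample email, the district name and the list of trusted hosts are all constructed for the example.

```python
"""Added example (not part of the original slides): check where the links in
an email really go. The email body and trusted hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "password expiry" notice whose visible link text
# shows the real portal while the href points at an attacker-controlled host.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your mailbox password expires today. Sign in to keep access:</p>
<a href="http://portal.example-district.net.login-verify.xyz/reset">
https://portal.example-district.net/reset</a>
<p>Questions? See <a href="https://portal.example-district.net/help">our help page</a>.</p>
<p><a href="https://cdn.example-district.net/logo.png">logo</a></p>
</body></html>
"""

# Hosts the organisation actually owns (assumed for the example).
TRUSTED_HOSTS = {"portal.example-district.net", "cdn.example-district.net"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """Exact trusted host or a subdomain of one. A trusted name embedded in the
    middle of a longer host ('portal.example-district.net.login-verify.xyz') is neither."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_links(html: str) -> list:
    """Return each deceptive link with the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        if not is_trusted_host(real_host):
            reasons.append(f"target host {real_host!r} is not a trusted host")
        # Visible text that looks like a URL must agree with the real target host.
        if text.startswith(("http://", "https://")) and host_of(text) != real_host:
            reasons.append(f"text shows {host_of(text)!r} but link goes to {real_host!r}")
        if urlparse(href).scheme == "http":
            reasons.append("link is plain http")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The same check is what a user does by hovering over a link before clicking; the value of doing it in code is that it can run over every inbound message, and the subdomain test shows why "the real name is in there somewhere" is not enough.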
20. Types of Attacks – Man in the Middle
• Attacker sits in the “middle” of communications between two other parties, impersonating each to the other
• Can gather data or communications
• Can watch and monitor quietly, waiting for the right moment to act
• Dangerous – relies on the trust both sides place in the channel
• Financial departments – wire fraud (e.g. altered payment instructions inserted into a legitimate exchange)
23. I’ve Been Hacked, Now What?
• Incident Response Plan
• DOE Reporting Requirements
• Florida’s Data Breach Law
• Civil Liability
• Reputational Damage
24. Incident Response Plan
• Contain the Breach
• Identify Type and Scope
• Preserve Evidence
• Notify Authorities or Insurance as needed
• Disclosure, if necessary
• Lessons Learned and Training
25. Disclosure Requirements - Generally
• Often depends on whether data was actually accessed
• Website hack - doubtful
• Ransomware - doubtful, unless data was also copied out before being encrypted
• Phishing / spear phishing - depends
• Server breach - depends
26. DOE Reporting Requirements
• FERPA does not require institutions to adopt specific security controls, but it does require the use of “reasonable methods” to safeguard student records (34 CFR § 99.31)
• No disclosure requirement, for now
27. Florida’s Data Breach Law
• Passed in 2014
• Florida Statute § 501.171
• Not well known
• Protects Personal Information of FL
Residents
• Coverage includes Gov’t Entities
28. Personal Information includes:
• First name or first initial and last name in combination with any of:
• SSN
• Driver’s license or government-issued ID card number used to verify identity
• Financial account number in combination with any required security code, access code, or password for access
• Medical history or treatments
• Health insurance policy number
• Email address (or username) in combination with a password or security question and answer
29. PI Does NOT include:
• Information Made Available to Public by a Gov’t Entity
• Encrypted Info or Data
• Deidentified Info
30. Florida’s Data Breach Law
• Obligation to take “reasonable” measures to protect data
• “Reasonable” measures to dispose of data no longer needed
• Fines by State for violations
• No Private Cause of Action
31. Florida’s Data Breach Law - Notice
Written notice to the Department of Legal Affairs if the breach affects 500 or more individuals, not later than 30 days after discovery
• Notice Includes:
1. Synopsis
2. Numbers of persons affected
3. Breach related protection being offered
4. Copy of Notice to Individuals, if required
5. Point of contact (POC)
32. Florida’s Data Breach Law - Notice
Must Also Provide to Dept Upon Request:
1. A police report, incident report, or computer forensics report.
2. A copy of the policies in place regarding breaches.
3. Steps that have been taken to rectify the breach.
33. Florida’s Data Breach Law - Notice
• Notice to individuals whose PI was accessed is required
• Seems to apply even to a single breach / single person
• UNLESS:
• after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed
• Keep written records for 5 years
• Notice to Dept still required if over 500
34. Florida’s Data Breach Law - Fines
• Treated as Unfair or Deceptive Trade Practice
• Action brought by AG’s Office
• Fines not to exceed $500,000, per breach
• $1000 / day for first 30 days
• $50,000 every month thereafter
• Lesson: DON’T DELAY Investigation and Notice
35. FL Data Breach Law – Bottom Line
• Don’t Forget About This Statute
• Detailed Reading of Statute Required To Ensure Compliance
• Investigate Promptly and Provide Notice as Required
• Maintain Appropriate Records of all Actions
• No Case Law or AG Opinions Yet
37. What Can You Do?
• Good IT Department or Consultant
• Buy Cyber Insurance
• Backups – test restores often
• Good policies in place for wire fraud, financial transactions, and sensitive data
• Employee Training – KnowBe4, others
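Slide 17 says working backups are critical and slide 37 says to test them often; the test that matters is a restore. An added example, not from the original slides, of one way to make that drill mechanical: record a SHA-256 manifest when the backup is taken, then verify a restored copy against it so a file that came back missing, truncated or encrypted is found during the drill rather than during an incident. The sample files are constructed in a temporary directory, and the copy step stands in for whatever restore procedure is actually in use.

```python
"""Added example (not part of the original slides): verify a restored backup
against a hash manifest recorded at backup time. Sample data is constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest recorded when the backup was taken."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    modified = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    unexpected = sorted(set(actual) - set(manifest))
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def restore_drill(tamper: bool = False) -> dict:
    """Create constructed sample data, take a 'backup' with a manifest, restore it,
    and verify. With tamper=True the restored copy is damaged the way a bad
    restore looks in practice: one file overwritten with random bytes (what an
    encrypted file looks like) and one file missing."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        (live / "grades").mkdir(parents=True)
        (live / "grades" / "q1.csv").write_text("student,score\nA,91\nB,87\n")  # constructed
        (live / "roster.txt").write_text("constructed sample roster\n")  # constructed
        manifest_path = Path(tmp) / "backup-manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(live), indent=2))
        shutil.copytree(live, restored)  # stands in for the real restore step
        if tamper:
            (restored / "grades" / "q1.csv").write_bytes(os.urandom(64))
            (restored / "roster.txt").unlink()
        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    print("clean restore:  ", restore_drill())
    print("damaged restore:", restore_drill(tamper=True))
```

Keep the manifest with the backup but on separate media from the live system: a manifest the ransomware can also encrypt is no help, and a backup that is mounted writable from the infected machine will be encrypted along with everything else.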