Sign Pennsylvania Terms of Use Agreement Secure

Document type sign terms of use agreement pennsylvania secure

to all those who've joined us this morning thank you so much for joining us we appreciate you guys taking a little bit of time out of your schedule to join us for this webinar i think this is gonna be really useful this is uh uh we're gonna be talking about cyber security this morning in compliance and i've asked tom fafinski to join us i met tom uh earlier in the year presented to a group that i'm a part of uh a group of msp owners talking about uh law and how it relates to msps and tom just really demonstrated a kind of a unique amount of knowledge from my experience in the msp or technology provider space and uh so i asked him if he would join us this morning and kind of share some of his experience and understanding and how cyber security and liability and compliance all come together and the importance of it because i think it's an area that often uh most businesses are kind of blind to and even something i've been blind to in the past myself and i spent a good deal of time uh trying to educate myself so with that uh tom i'm going to turn it over to you we will have a q a session uh at the end i do have the uh the q a box open as part of the zoom meeting so if there is a question that kind of pops in your mind throughout the presentation go ahead and uh pop that into the q a box and we'll make sure all those get answered at the end and um with that i'll turn it over to you tom what you tell us a little bit about yourself and then and then go from there sure yeah i'm tom fafinski and i've been practicing for about 30 years and practicing law for about 30 years and i started out in a wholly owned subsidiary of emerson electric before i was even licensed to practice and because i was the young guy in the group they said well we're going to send all licensing and technology related stuff over to fifinsky because he's the young guy he's going to understand technology and so i spent a bunch of time on non-disclosure agreements and intellectual property rights and and licensing agreements mostly dealing with refinery solutions and the implementation of emerson's process control systems in refinery solutions and then i declined an internal position as a as a corporate lawyer and took them out as a client uh they're very kind to me to patronize me as a as a client uh uh when i hung my shingle in 1991 and um so i ended up having this focus on technology and when you when you end up in a particular arena work just kind of migrates to you in that arena and so i started getting a bunch of technology related clients and the explosion of erp implementations and crm went before it was actually even referred to as crm in the early 90s my brother uh who operates in the twin cities uh where i'm located he started what is now his msp back then it was uh outsourced i.t on a on a break fixed basis which is like an hourly fee piece and so i started doing uh work for him and then his friends as he got involved with national peer groups and he would refer folks to me and i would do that that type of work so i ended up uh and i fell in love with the managed model and and really because of the issues that come up with the managed model because you're dealing with interstate commerce and things like that got really uh in in-depth with that piece and which which led me to a focus on cyber security which has really been about in the last five years has really been uh the big issue for uh the small medium and large businesses combined i mean it's a across the board type of issue so it's it's really worth addressing i think it's one of those pieces that uh are under uh considered um but most of my practice is geared towards uh representing managed service providers uh so i am the clients of managed service providers i don't do that much work for but i end up counseling my msp clients on these issues so today you're going to get the perspective of why i've been encouraging msps to take this seriously for the last five years or or longer but it really has been the last five years where it's really taken off there are a bunch of legal issues that come into play from the federal standpoint we have the federal trade commission act and that that the ftc act prohibits unfair or deceptive acts including privacy policies and we're going to learn that most of the cyber related stuff is geared towards protecting personally identifiable information of the graham bleach blindly act in sarbanes-oxley act and the health insurance portability and accountability act all came into play each in their particular industry requiring uh privacy so if you are affected if your financial institution if you are a health care provider if you're doing credit transactions a fair fair and accurate credit transaction act disposal rule comes into play the we now we have ferpa which is the family educational rights and privacy act which deals with educational institutions and it's all coming into play for each particular industry i think we'll see more of this not less and and so handling of this uh personally identifiable information which i am going to call pii uh so that i don't stumble through it the whole the whole presentation and and we also have the communications act the communications act regulates telecommunications providers and internet service providers and anybody using voice over internet protocol systems comes within the communications act so that's what's happening federally and then we have a bunch of state rules in most jurisdictions where we have consumer protection laws that prohibit these same types of of uh private information for it privits the disclosure of it considers it to be unfair or deceptive if you do so these safeguards are all directed at how we store uh and when i say we i mean the clients of uh msps as well as the msps how we store handle and protect this pii we also have social security number protection laws uh dealing with the handling and protection of social security laws and then there are laws at the state level that are dealing with disposal of pii and how we're supposed to take care of destroying that information when it's no longer needed so personally personally identifiable information is nearly all msps in nearly almost by definition all msps and all of their customers are collecting or storing or managing some piece of pii for their customers and it can be either believe it or not it can be things you derive from the phone book their name and their and their address even qualifies you got to take care of that and it's really not a question of whether or not uh the uh small business is going to come into into this knowledge it's uh it's really when they're gonna come into it unless you are you know operating a lemonade stand and you're an all-cash business and you don't use technology you're probably going to be affected by handling of some of this pii mike can you think of any other uh or any of your clients that don't deal with pii no no i would say all of our our clients definitively have pii uh pretty much everyone we deal with has some sort of line of business application that's gonna store um you know names phone numbers addresses of people and i'd say even beyond that most of our customers have some level of pfi uh protected financial information in their business and then we certainly also have a smattering of healthcare businesses that are going to fall under hipaa as well so i i think you know this is absolutely applicable to our entire client base so your client base needs to take reasonable measures to prevent breaches in order to have safety under these laws and these reasonable measures are going to continue to be more stringent as time goes on because because the industry is evolving as it evolves the the requirements that other people that you this i'm sorry the technology piece is evolving the people in your industry the uh businesses in your industry will continue to add protection and that the reasonable prudent person standard applies here so that reasonable your customers will need to have have implemented or business i'm going to just say businesses need to have implemented so that is a very important component that needs to be monitored by businesses there are some events which under the federal and most states require notification to third parties if if personal identifiable information is lost or stolen by an employee or a third party like the home depot breach the home depot breach dealt with a really sophisticated piece of technology it was a malware that was uh installed at the point of sale terminals to lift payment card information from individuals so you know the part where i heard a comedian say that they they thought that grocery stores had given up on on customer service because now when you go to the i forgot the guy's name he's just hilarious too it's on netflix it's sebastian something i think it's he's a really funny guy we're seeing but he he was explaining that that now we're checking ourselves out that you know what used to be uh something that somebody would go through training exercise to be a cashier is now being thrust upon the general public and his proposition was they've given up on customer service yeah so what they did was they took those point-of-sale terminals that people were doing the self-check on that we're really being unguarded other than the the youngest person employed at the store is there as your help person if you have problems with it just like i was when i was in emerson process controls legal department that led to a you know they hit home depot for crying out loud that's a huge uh enterprise 27.25 million dollar uh settlement was reached uh there on that deal that was a costly mistake for home depot but they installed it at the point of sale terminals likewise uh in the there was a dairy queen breach and in the dairy queen breach they the almost 400 stores were affected by this it was malware that was installed at the cash registers so now we had it from the point of sale piece where the individuals were self-checking to now we had it to the dairy queen where it's dealing with a non-self-check item they're grabbing information about credit cards and and the the data on the back of the credit cards the account numbers and the cv numbers adobe a big technology company had nearly three million encrypted credit cards plus all of the login data with stolen that one was done by a hacker that was able to access it uh the one the one that really probably gave everyone cause to pause was the target breach do you remember the target breach mike i do and do you do you remember how that actually happened i think it was uh it was wi-fi right they were sitting in the parking lot and the wi-fi wasn't secured as properly as it was supposed to be it kind of seems is that is that i remember the right breach yeah and it went once it went one step further it was they they they were accessing the wi-fi of a company called fazio mechanical right how's your next case yeah big hvac firm right and fazio had a contract with target so they were able to access the wi-fi into fazio and then backdoor into target and they took 110 million 110 million consumer information now that was done with a combination of malware but uh and and fishing so do you want to explain what a fishing attack is mike yeah yeah sure fishing and it's something we've seen a lot in our environment uh recently uh but fishing is a well-crafted email that looks highly legitimate uh that comes into your mailbox you know comes from places like might come from target we see a lot from like amazon ups fedex but they look legitimate look like something you'd be expecting and the whole purpose of it is to solicit you to enter in your username and password uh we've also seen some that have come in they look like they're from microsoft say hey please reset your username and password and then what they do is enough times are sophisticated enough where you enter the credentials and they actually pass you into the system you're expecting uh so you're very unaware of hey i just gave a hacker my credentials um but it's they're they're putting up a piece of software website in the middle that looks legitimate and capturing this information and then they have access to uh either you know your email or even your your local network and um i i i also think uh i just want to point out too uh tom because i think you're making an excellent point with even talking about the target breach it's something we see our clients that they don't think real hard about often is when they do let these uh other vendors into their space like an hvac or a copier company or some sort of monitoring organization that wants to put some sort of technology on their network and they just say oh okay yeah just plug right in uh but not you know slowing down to think about what is the liability they just added to their own network and what is the insecurity potentially added to their network uh by just letting someone add something to their network without properly securing it so that's a really great point the uh we're going to talk more about the types of things that msps can do but mike i'm going to ask you a question about just technical what an msp can do from a technical standpoint to prevent phishing attack just software-based solutions not training stuff not education not policies but software-based solutions that will eliminate a phishing attack sure well the the two things that we've been doing uh recently uh and you're kind of hamstringing me because i believe strongly in the human firewall in the trading piece but uh two technical things that we've been doing are uh multi-factor authentication so that if the password is compromised if it is given up there's a secondary layer uh and multi-factor is kind of the concept of using a secondary device like your cell phone uh to have a code sent to it that is uh time based uh so that's that's a really big piece and protecting against uh after the attack uh the other thing that we've been doing is incorporating microsoft has a component called atp or advanced threat protection that does advanced phishing detection uh where they're actually scanning for known phishing type attacks uh known urls known servers they do deep scanning on these uh so those two pieces are pretty pretty powerful to protect against those types of attacks right now so folks understand what mike just explained it the answer to this is the only thing that can be done in advance of a phishing attack the only thing that you can really do is have is have a technical solution in place from a technical standpoint is to have a technical solution in place that identifies uh something that looks like prior known phishing attacks that's it so from a technical standpoint if you hire an msp that's not well versed in cyber security they're not going to be giving you the training that you need to understand what phishing attacks look like the training required for employees to not share information uh the physical thing like like for instance you can um test your facility uh yours is one of the vulnerabilities if if i can walk into your and get past a reception desk into the back offices then you're right for a phishing attack that can happen and it has nothing to do with the technical components all they have to do is find a laptop that has it retired and they can and they can jump on or a computer that hasn't retired so it's really important to select the right uh msp and to and to elect to have the services associated with training and policies and procedures for your employees because it phishing attacks there's there's just not a lot you can do from a technical standpoint now in the in the fazio deal then they they implanted they used that access so phishing is another way of saying an authorized person shared the information that they shouldn't have shared they gave now they have um access to the system and they can drop a piece of malware mike would you explain what malware is yeah sure so uh malware is a close cousin you know we've all heard of you know computer viruses over years malware's kind of a close cousin uh but it's a little bit more insidious sometimes in nature uh because what it tries to do is rather than just corrupt the system uh is is exfiltrate in many cases informa ion or uh you know ransomware is a big sound a sub component of that see where it actually encrypts your data and holds it hostage so you know not so long ago a lot of the people that uh create those things these nefarious actors realized that there wasn't much money in viruses and just crashing organizations and a lot of small business specifically uh had you know reasonable measures we had backup in place and if we lost our data you know we could probably tolerate a certain amount but uh we you know and people thought hey nobody cares about my data you know there's no real value to it well the value is to you the owner of the business and they said hey if we can hold them hostage you know right we'll encrypt it hold it hold it hostage for a ransom payment then we can monetize our attacks we can actually uh make this worth our while from a monetary standpoint and then that's what they've very very effectively done and you know we've seen you know uh you know ransom attacks you know in the hundreds of thousand dollars in the millions of dollars depending on the size of organization and um what we're seeing even more recently is even if you pay the ransom uh sometimes they'll ransom you to get your data back and then they'll have exfiltrated they'll have downloaded the data then they come back a second time and say hey uh okay you got your data back but if you don't want us to release it publish it on our website release it to your competitors let your all your uh uh vendors and partners and clients know then you to pay a second ransom and you still don't even know if they're not going to do it and come back for a third time in future so it's kind of this huge uh just snowball that gets away from you so that malware is just i mean it's a terrible thing then have malware installed and it's this is how devious and insidious it becomes they will actually monitor your system to determine how the the duration of your backups and they will sit quietly in the background for 100 days and and uh before they launch their attack if they know that your backups aren't occurring uh and let's say you do backups and then you start reusing stuff after 90 days or something actually sit and wait for for you not to have a clean backup uh or keep their their malware embedded even in a full restore on the on the back up and then they'll punish you for that piece and if you think wow this can't happen to us you know they're you know we've got this we've got pieces in place well it happened to ebay ebay has uh is it you know online auction giant site hackers used the credentials of three corporate employees that were accessed through a phishing attack and had access complete access ebay system for 229 days unbelievable that they were able to do this uh and and um and of course that led to a huge uh loss and settlement of a loss of pii there there's a situations where pii is used by authorized persons for unauthorized authorized persons for unauthorized purposes morrison supermarket lost a hundred thousand customers uh the bank details of the hundred thousand customers of their pii and it was done with the assistance of a perpetrator one person inside this large organization the perpetrator ended up getting eight years uh but you know essentially uh completely ruined the credit of a hundred thousand customers of morrison um supermarket chain uh so we see and we see unauthorized access by unauthorized people too like in the uh in the sony breach involving north north korea came in just to show what they could do and they and they went to sony to prevent them from releasing a movie i mean it is uh it is a huge issue and it's not just in place they're not going to be harmed if holding people can be harmed if target can be harmed if pf changs can be harmed they lost a bunch of information if eba if ebay can be harmed you know you are and they have all the resources in place they just weren't thinking about it then you you need to address it so what happens when you have the breach most jurisdictions require that you notify uh here up on the slide you have to notify the affected customers employees third parties law enforcement credit reporting agencies and business partners so there's an obligation to um to notify if you have a situation the national standards in technology uh published a um a plan a framework for improving critical infrastructure for businesses this isn't just for msps this is for businesses all businesses it was done pursuant to an executive 2014 uh it is suggestions it became the industry standard but it's not a law but it's it's just suggestions so it's totally voluntary you don't have to do it but it really has become the standard of care uh in in the business industry because it's been around now for almost seven years so if you don't have a nist plan in place you should think about getting a nist plan which deals with and we'll go on and talk about it a little bit here but which deals with this stuff and and that nist is act that that plan having that plan in place just having the plan if you don't you probably can't meet the standard of care if you do have it in place and it's reasonable you'll likely be able to meet the standard of care now what does that mean that means if you have a loss of pii and your customers come to you and say hey you got all my my pii and i got damaged by it they have a claim against you under one of the various acts and if you can demonstrate that you adhered to the reasonable standard of care because you had this nist in place then then you'll likely be able to fend that case off here's the here's a crazy little thing about cyber security it's an active um set of solutions that you're in place so if there's a known piece of malware that's out there and you're not guarding against it then you will likely not be able to meet the standard of care to defeat a claim for anybody who has a loss based upon it if it is a brand new attack and it couldn't be contemplated then you're likely okay because it's a new form and the industry doesn't have knowledge of it yet so if there's if the stuff is out there and exists and you don't do anything like for instance if you just don't have a firewall well that's crazy i mean that's just crazy not to have a firewall if you don't have a firewall in place you will not meet it you know so because that the industry's caught up to that ten years ago you might have gotten away without having a firewall and not having liability but now you don't the courts will refer to the the nist framework as a as a voluntary standard of care for you this is the stuff that we're trying to protect on if you are a business that collects electronic information you store it in any way you access it in any way you transfer it or manage it in any way and you uh and you dispose of it or do dispose of it because there's there's an if if you don't dispose it of the information and then it gets released pursuant to an attack well the customer is going to say okay you had your nest plan in place but you didn't deal you didn't follow the instructions on when you didn't need this data anymore if you don't need the data anymore but you continue to store it under the under the theory of why would i why would i get rid of this i might need it again someday maybe that kind of hoarder type of mentality i've got lumber that is from a construction project i did 13 years ago because you know someday i might need that 2x4 you know and it's that type of thing if you're keeping that data then the then the court system the juries will look at it and say well you you know that may have been really efficient for you as a business to keep that in case you needed it but it really stuck for the individual who lost their pii under a new attack because so even if it's a totally new attack and you've taken adequate safeguard measures on all other types of of uh cyber security breaches that are known uh to to the industry but you just you just kept the data and there's a new one that comes in you're gonna be found liable because why did you keep that data you didn't need to keep it so you gotta have a plan for for that piece but should involve um employee awareness and it should uh safeguards to have in place and security measures the safeguards are mult are a multitude you have to have an administrative safeguard which says that you know passwords are going to change and the multi-level authentication type stuff you have to have technical things like firewalls and software malware software that detects that stuff and you have to have physical precautions to protect against you should work with your msp to develop all of those and so so there are some msps that will approach you and they'll say yeah you know we got the cyber security all taken care of if they have not trained you at all on administrative changes that need to administer policies that need to be in place they're not somebody you should be working with if they've not talked to you about the physical protocols of it which is kind of the newest uh part of the thing you should ask them what what are the physical protocol pieces that we should be looking at so those are the three types of safeguards msps are squarely in the technical component and historically they've addressed the technical pieces but not the administrative and physical stuff and that's and it really is moving it's already moved to the administrative and it's moving towards the physical too now that doesn't mean that those services have been haven't been declined by you because sometimes you'll be presented with an opportunity you're like hey we can give you all this training about keeping your environment protected but it's going to cost additional money and we can do on-site audit inspections of your facility but it's going to cost you additional money and you say you know what i got to cut somewhere i'm going to cut those pieces what what does that mean that means you have no protection on the msp it is you are riding without any sort of protection on that piece because the msp is not going to be rendering services that you're not paying them to do or that they haven't been engaged to do so consider adding administrative and physical if you haven't already tom i wonder if i could jump in for one second because i i i love what you're saying yes please um one of the things that we've struggled with and um and we have you know and maybe you know you could lend some uh weight to the conversation we have a handful of uh law offices as clients and one of the things that we've talked to them about over over time is specifically uh the retaining of very very old data and how it is inadvisable and in some cases we even we bumped into struggles with there's such a preponderance of data that we've struggled to back it up and we're you know coming back you know every few years and saying hey you gotta you gotta add more hard drive space you've gotta add more backup and like oh my goodness why do we gotta do this like well you guys either gonna do that or you've gotta get rid of data and then we try to have a conversation about getting rid of data and it's like you know they start to freak out a little bit oh you can't get rid of our data and and stuff that maybe even is 10 and 12 and 15 years old cases that are long cold can you kind of maybe even you know from a legal expertise speak about just your perspective on that yeah so my perspective on the legal industry it is different because we have ethical obligations which transcend statutes of limitations so most statute limitations in my jurisdiction and at six years you'll find in other jurisdictions it might be longer uh but the statute of limitations uh doesn't doesn't run uh in for some claims until there's a discovery and then we have these ethical obligations that come into play so we don't really need the information for the purposes of operating our business we really need the information for the purposes of protecting our license that doesn't mean it has to be active and there and available uh on the on the servers and systems you can retire it archive it store it separately so that you're not processing all the time but yeah in the legal industry it is really hard to get rid of of of data now in 2002 you know 2004 i went paperless and it was a nightmare to go paperless because we had to go through every file from 1991 to 2004. wow and of course we retained all of our draft why wouldn't you keep it was done in in paper you every draft was done so we'd have to get down to the final draft of what we had and then we'd have to determine whether or not if it was filed with a court then we then we don't maybe we don't have to keep it if it wasn't filed with a corridor that type of stuff so when when we got rid of it we had to have we had a 30-yard dumpster uh that was brought in uh and we had we we had to stage the disposal of the information so it was staged inside our secure office and then on one particular day uh when we had we had a couple of rooms filled almost literally floor to ceiling it wasn't quite to the ceiling but almost literally with banker's boxes we we walked it all out to the the uh dumpster and then we went to the to uh with the dumpster we went and witnessed the destruction of the data the complete destruction of the data and it had to be destroyed all at the same time so i think it was burned we were looking at shredding and just decided you know let's just burn it uh we went to the we were about three miles away from the minneapolis incinerator and so we just took it to the i think we took it to the incinerator wow but it was and at that point i said okay i am not keeping any any debt i am never going to keep an original document unless i absolutely have to so from 1991 to 2004 so that's 13 years i had a 30 yard dumpster destroyed from 2004 to 2020 that's 14 years i have one cabinet with four drawers that are filled with originals that's it i'm never doing it again and everything is stored everything is dead in the cloud but yeah there are ethical pro in some pieces so but that doesn't mean that you have to have it accessible you can you can lock it up and put it in a separate um uh environment it doesn't have to be in your operating environment just has to be accessible and that's what we've really started to try to encourage people to do the very least is to is to you know put it in cold storage of some sort so we can bring it back if we need to but get it out of the where if there's a compromisation it's something we have to consider yeah yeah thank you so under the nist standards you should have a wisp plan uh a wisp plan is the written information security program i sometimes call them you should develop it and implement you should work with your msp to do it you should work with your lawyer to do it as well you should to understand what laws apply to your industry and what regulations apply to your industry it should be an enterprise-wide implementation not just the it group uh not just a few people not just the cfo it should be industry-wide uh it should identify who's responsible for leading that program it should identify the type of customer information we're going to collect store share where it's going to be collected we should con the plan should conduct risk assessments to identify and manage the risks of and how we're addressing the gaps that if possible you should define administrative physical and technical policies all three categories by the way when there is a cyber uh when there's a cybersecurity catastrophic failure about 60 of the time in my experience this is how it happens it's a fishing deal and the fishing leads to the uh deposit of a malware and that is that is about maybe it's not 60 maybe it's fifth but that is the huge component of it that is really difficult for an msp to prevent that phishing because there's just nothing you can do other than the training so if you're not dealing with the administrative that's probably about half the time and you have no claims against anybody you don't have claims against your employee who gave it away uh we uh yeah you just don't see it and and then once the malware gets detected then you address it but that's sometimes when the malware is there you just can't you can't uh undo it can't g t that horse back in the barn uh your your wisp plan should ensure that there are safeguards that are implemented and maintained you should ensure that your service providers have adequate security measures and monitored when they when they are accessing it so that your msp is opening it opening up the gate and allowing them in when they need to be in for a timed period and understanding who's doing it why they're doing it with oversight and possibly sanctions if they do something wrong and then that program should be reviewed and tested periodically and that truly is what you should be doing in your wisp plan whis plan should probably be done with in conjunction with your law firm so that so that you can measure how this plan the priorities especially when it comes to the gaps analysis how you're addressing that if you work with let's say you work with uh mike and you do and you develop a plan and mike comes back and says you should do this this this this but you're looking at it you're like okay that is ideal in a perfect world but we're living in a post covent pandemic uh recession here i can't afford to do all that stuff so if you start taking down priorities and you say okay this is an acid then what ends up happening is if there's a breach and it's in the places where the priorities that you did not have as high the the communications between your msp and you are going to be discoverable to anybody who's affected by it so there's there's one particular case remember the name but in retrospect it happened about two months ago in retrospect they hired an attorney to come in to try to protect those conversations under the attorney-client privilege and the court said no that doesn't work you can't use the attorney-client privilege to undo that piece so they they got stuck i mean it was they were they were literally stuck and all of the information was disclosed about the priority of taking it on so if you're working with with uh mike in in terms of developing your plan include your local attorney or or i you know include us we'll be we'd be happy to do uh to do it if we can refer you to somebody that we can because you want that attorney-client privilege information to protect you that that attorney-client privilege to protect you from that information being disclosed because if it's communications involving your lawyer even if it's involving a third party who's coming in to that relationship then you're you will have protection afforded to you so they're gonna look at are you gonna do your processes to keep the the pii inventory current are you maintaining security levels are you encrypting are you truncating um do you want to get in truncation mike uh so i think what you're referring to is like especially with like social security numbers not keeping or at least not displaying the full number right you you're exiting out the first um five digits only showing the last four digits stuff of that nature so any time uh typically what we you know and often this is something within database systems on the business systems uh that most systems do now but it's important to recognize especially where i think a lot of people can start to get off the rails a little bit is when they're starting to build ancillary solutions with spreadsheets and uh word documents and stuff and you know they're not understanding the need for this uh but you know only showing the most needful information and not showing full information in case there's a breach is kind of that idea of truncating data and when you are when you are in an environment this is the this is the biggest exposure um that i see uh folks uh this this darn phone you say well i'm gonna save money uh and not not have that device devices covered by the msp because they're charging by the device say and so you know my employees they have a laptop they have a tablet and they have a smartphone and we're just going to cover the laptop they can live with it on the other side well the employee links up and connects with their with their uh um telephone and they link up and connect with their tablet and their now they're unprotected and they're it's you have an open door it's an open door now it's an open door only to somebody who knows that that door is there but it's an open door and something you should really be considering is protecting those devices and with some level of protection with your msp it's also this thing also can be a beautiful um safety device too because if it's being protected and your call and your employees are in the public which we're getting a lot with work from home where they are working from uh their their personal residence and and now when they return they'll probably be working more remotely they'll be working from coffee shops and restaurants and and taverns and you name it and they jump onto the the public wi-fi and uh what happens when you jump on the public wi-fi mike while you all you're you know you're exposed if you don't have a firewall running on your uh device you know you potentially expose anyone else sitting on that public wi-fi uh the name of your machine is often visible on that uh running scans on it sometimes can even show the name of your corporate network uh so there's a lot of information that is is potentially exposed that would give a potential hacker clues to who you are where you're from and and what you know potential vulnerabilities would be and then when you go up and get your coffee refilled and you and your laptop is uh is um on the table and it's opened and it and it's set to close if it's inactive for 10 minutes and you go up and you get your coffee refilled you know they somebody can slip can slip through and just drop a thumb drive in and and your employee's device has been exposed so the the safety thing and this is a really simple safety thing first make sure your tablet because most of the time people will be using their tablet in the coffee shops not their laptops that's just the way it is uh and and so if you are using a tablet and especially if it's an unprotected device have them not connect to the public wi-fi uh even if it looks like you know it says starbucks coffee well that looks good well they can call their their wi-fi connection to have access to your piece somebody can establish a wi-fi connection call whatever they want device connected to their cell phone hotspot is going to give you far more protection than jumping onto any public wi-fi now that's a training piece that your msp if you engage them to do training they'll go through that stuff with you absolutely and i was going to add to that too uh not just a tablet or pc be careful uh that the networks that you're going on the public wi-fi you're going on with your phone uh just a few years ago we had an attorney who traveled overseas and his iphone actually became compromised overseas uh his email subsequently got compromised and he brought it back into their law office and we had this whole issue of things we had to deal with because that iphone had gone out in the world had gotten on a rogue access point somewhere and had actually gotten infected uh so even those of you in the mac world that know and love mac that think macs are impervious they're not uh their technology like any other device and they need to be protected as well and still still need to have a high level of user caution so most of the information labor security applies to physical documents as well does it it doesn't discriminate against electronic versus physical so if you've got paper you got you should cross-cut that paper uh data if you're retiring equipment you should wipe the data before you discard or reuse the equipment with somebody else especially when you have employees that you like if you have a key employee that's getting a new device and the old device is going to be used by somebody else or that key employee may have had access to information the other person might not have access to and it's not so much that the other person you're looking at and say well they're honest they'll do the right thing it's what hands that computer falls into or what other access provisions those folks have because that data is still there even if you have them signing in as a different user hackers can access the other data and put plant devices for it so you should do with mobile devices encryption truncation access and transmission of pii should be regulated there should be risk allocation look to the msp for delivery and compliance and data security programs and risk assessments consider hiring your msp to do a risk assessment the other the not just the technical but the physical in the in the administrative i think when you hire an msp it's actually better to hire somebody who's had issues with through customers and has dealt through those issues so be careful of the msp that says we've never had any sort of cyber security uh breach ever even attempted nothing never happened and no no customers ever well all that's telling me is that when you select that person they're gonna have zero experience if you're the first so you don't wanna be the first so it's not necessarily a bad thing if they've had a security incident i'm not saying you should stay away from them but you should be you know well what what are you doing to make sure that you're adequately trained we already talked about the breaches the administrative physical and technical components these are the reasons the that it happens the failure to have a wisp access through vendors bring your own device failing to have regular password changes and multi-level authentication granting access to everybody for all of the information in the organization even if they don't need it you know you have staff people that are floating through that don't need financial information from your customers they just don't need it so why why provide them that access keeping old data big a big piece is having a place for terminated employees these are all administrative related safeguards here are some other administrative related safeguards insufficient resources not enforcing your policies you know your policy says you're going to change the password every x period of time but you don't and there's no ramifications if they don't running through technical here's a whole list i'll share this with you mike and you can forward it on to members but here's all the risks and the technical thing and you've got to have safeguards in place for that here's some other technical pieces data housed off site and transmission pieces and the physical safeguards restricting the physical access to where the pii is located that's the big one failing to limit access to equipment use transmitter storage i want to make sure i'm at one hour i want to make sure if there are any questions out there that i'm that i'm addressing that anybody have any questions we don't have any questions in the box at the moment uh but if anyone does have a question go feel free to put those in the q a box and and i can field those over to tom uh while we're waiting just give people a minute or two to type uh tom i i think first of all i think this has been terrific and i know we could we could probably easily go for a couple hours trying to cover all the topics uh that come up under this it's just a very very deep uh but important topic i wrote down a few things here i'm just looking at my notes yeah um can you talk about here's here's probably one of the things that we bump into because we do deal in the you know the small to mid space i'd say uh predominant our our predominant client has a hundred seats or less 100 you know endpoints or lesser environment and a lot of people uh have you know maybe one of two one of two uh kind of philosophies on this uh one i actually heard last year from a lawyer uh kind of told me uh that if they ever if anything ever happened specifically in a hipaa environment uh or if they ever got audited or they ever had some sort of breach they just uh give the keys to the government and walk away from the business it was kind of a cavalier attitude uh so there's kind of that you know that kind of standpoint if we just you know we're we can't afford to spend on this you know we'll just walk away uh the other attitude or kind of posture we've seen is hey we're a small business um you know we're just uh you know nobody's ever gonna pay attention if we if our data is lost and just not taking it seriously so maybe you could speak a little bit to what and you talked earlier on like all the compliance factors that you know all the different federal and state stuff but what are what are the rubber meets the road consequences for if there is uh some sort of breach and and i know it probably varies state to state but you just give us kind of maybe some high level examples what are the consequences even for a small business if they don't take this uh stuff seriously from a legal standpoint not even just from a business impact but from a legal standpoint what are the consequences that's a great that's a great question you know the the impact company that's affected can be significant so that quantity and it normally has a contract right with their customers so we look to the contract to determine the liabilities that doesn't mean that the company doesn't voluntarily assume a duty to act on their behalf outside of the contract in something we call a negligence lawsuit kind of like if you go to a doctor and the doctor renders care for you when if if it turns out to be malpractice which is is essentially the negligence case if it turns out to be malpractice the claim is against the doctor and the clinic it's not just against the doctor practice is we have malpractice when it when you're dealing with an accountant and and uh and uh doctors and and we malpractice is just a fancy way of saying professional negligence so depending on the arena that you're in you may be held to a higher standard the highest the the profession the standard of care for that profession so if you're a medical clinic you will be held to that higher standard if you're just a regular run-of-the-mill small to medium-sized business and it's not a profession you're going to be you're still going to be held to a negligence standard which is a harder standard to defend against it's easier to prove a negligence claim than it is to prove a malpractice claim because in a negligence claim all we got to do is say you didn't do what an ordinary reasonable prudent person would do in a malpractice claim it's you didn't the plaintiff has to demonstrate you didn't do what an ordinary reasonable prudent professional in your environment that's a higher standard not just a reasonable person but a professional so what happens is if you are accessing this data customer has claims against the corporation and sure you can turn the keys over thanks to anybody in that organization who voluntarily assumed access to that data to operate it so i i would look at you see it happen all the time where a company and individuals in that company are sued so i don't think you get to walk away with just the keys on it i think you still have to defend on the negligence piece you still have exposure on the negligence piece that's good okay and without even demonstrating a piercing of the corporate veil so you know courts could look at it and say well you know you treated it as an ultra ego of yourself and and therefore we're going to command answer your question mike yeah no i think that's really good um and i think that's because that's that's one of the things um and i think you you kind of really wrapped it into the legal terminology of kind of what my understanding already was but that's you know something we've really tried to express to our clients over the years is that you know this is important and and it's it's not just uh you know having a cavalier attitude it's not gonna solve anything uh so that's good you use the term you use the term uh frequently and i know this is kind of a legal context but could you maybe give a little clarification to the term reasonable and and you know you talk about you know re having done reasonable things from an i.t perspective having done a reasonable thing uh from a policy perspective give us a little bit of a context of again may e a rubber meets the road of where does reasonable start and i know it's kind of an open definition but help give us you know maybe like where do we start you know if we want to approach being reasonable from a professional standpoint uh both kind of as an msp but also from our clients you know what is reasonable for them to start to try to do so i sound like a politician because i can't give you an answer that's that's clear and staked on it um because it's really the ultimate arbiter of what is reasonable is the jury sure so there isn't a statute out there that says you're acting reasonably if you do this the jury is is charged with what would a reasonable person in this environment who's acting in a prudent manner what measures would they have adopted to prevent against the event occurring and and so it's different in different things you know so if you are a tax lawyer for instance um and and you do you propose something and it turns out to affect the claim adversely the standard is not what a reasonable prudent attorney would do because that's not who they hired it's what a reasonable prudent tax lawyer would do so it elevates to the higher standard for the negligence piece same is true and the medical same is true and give me an example of a customer that industry that you have not not their name just the industry that they're in well sure we have a fair amount of manufacturing um all different types it's a very strong manufacturing region we're here in northeast pennsylvania so that's a strong one for us so in manufacturing what you're dealing with a lot are procurement cards that your customers have they have the you know equivalent of a credit card they're they're making orders and they're you're receiving electronic payment through procurement cards and that's your business your your that's your standard commerce is through these procurement cards say or electronic payment if you store this data and you don't take adequate measures to do that and that data gets released so that all has to happen then it gets released so up until then as long as nobody's hurt no foul i mean no no harm no foul truly but once there's a pain by somebody now they come in and they say the manufacturing industry this is what they do uh to protect against disclosure procurement cards or or electronic payment information and and so that becomes the the standard that you have to live by and you don't even know what it is and the jury gets to define it and so each side would present their case normally through expert testimony that in the industry these are the measures that are taken so your msp is going to give you a better idea of what you ought to do if you're if you're not doing what your msp says you ought to do for sure then um that's probably going to be your standard that you're failing to meet so if you're if your uh msp comes in and said you know you really need to do the following things um and then you could do these things but or i'm sorry you should do these things but you don't have to but you should and so that's another level and then you could do these things too you don't really need to but you could and that gives you more prof2 that's going to for sure be that reasonable stake you should probably going to meet in that reasonable standard you're probably going to have a little dispute on it between the parties at the time of trial but uh you don't want to get to trial because it's way too expensive so let me let me and and i don't have any questions on the queue right now throw one you know kind of one more thing at you uh and you and you can correct me if i'm wrong because maybe i'll learn something here here's here's how i have kind of gone after reasonable because it's something we talk about in hipaa and we talk about a lot of security things uh what i've told my customers as the the start is uh and i kind of flip it around and say what's unreasonable unreasonable is doing nothing uh you've got to be doing something and unreasonable is not reviewing it periodically to say how can we improve it and unreasonable is not working in some way to improve what we've already identified is is in in inefficient or insufficient uh would you would you agree with that that's kind of a good uh standpoint or would you revise that in some way absolutely i agree yeah absolutely and i have a little bit more clarity on your question too so one of the things is having that plan having that wisp in place your nist plan you really should have something like that if you do that and the plan kind of hits all the uh all owners of the of the deal you probably right now can meet the standard of care and you're probably going to be good work with your msp to do that work with your attorney to do that that probably but yeah the the um it's easier to define what's unreasonable doing nothing is unreasonable right than it is to define where reasonableness starts it is reasonable to have a plan it's probably unreasonable to not to have a wisp plan okay okay and i've listed here on the slide all of the pieces now i'm on slide 18 of 29 so i can keep plowing through it here if you'd like mike i just recognize that we're beyond the hour no no we're at the top of the hour i'm happy to go no i think i think i'll probably cut you off there tom and i do super appreciate all the content and your willingness to keep going uh i just i know i also have some stuff scheduled coming up here i know other people have stuff scheduled so i don't want to i want to respect the time we kind of told people we're already into the chat over the hour um tom uh in in closing uh you know if if any of our viewers want to get a hold of you they have more questions or want to engage you uh how do they get a hold of you how do they reach out to your firm all right tom i think actually my personal website is down my personal website i think is down right now i don't know why i got to figure that part out i'm a technology attorney i'm not a technologist for crying out loud fair enough sir fair enough um well tom thank you so much for your time today i do super appreciate it i learned a little bit i appreciate uh you're engaging with us and being willing to educate our customers on this topic and i'm sure that we'll be engaging uh more in the future uh for those uh that are watching i have engaged tom he is actively working with our organization uh to help make us better on these things make us more aware uh you know because it is important to us you know something we take very seriously in uh protecting our clients and making sure we're fully knowledgeable and aware of all the things that we need to do and so that we're bringing best practices and awareness downstream uh to our client base here in northeastern pennsylvania um so again tom thank you so much and um i hope to talk to you soon thanks for having me you're so welcome super thanks for having me all right talk to mike about administrative processes in and in the physical processes not just technical perfect thanks tom have a good one take care you