Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches (2013-11)
Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches"
with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
1. GROWING TREND OF FINDING
REGULATORY AND TORT LIABILITY
FOR CYBERSECURITY BREACHES
Mark W. Ishman, Esq.
Masters in Law in Information Technology and Privacy Law
www.IshmanLaw.com | www.IshmanLegal.com
(919) 468-3266 | mishman@ishmanlaw.com
2. WHILE THERE IS A WIDE RANGE OF EXPERIENCE AND
EXPERTISE EXHIBITED BY COMPUTER SOFTWARE
DESIGNERS AND PROGRAMMERS, THOSE WHO DEVELOP
OPERATING SYSTEMS AND SECURITY SOFTWARE ARE
GENERALLY AT THE HIGHER END OF THE PROFESSION
IN TERMS OF EDUCATION, TRAINING, AND
EXPERIENCE.
Do I have your attention?
IT IS CERTAINLY POSSIBLE TO HOLD PROGRAMMERS
WHO WRITE CRITICAL SOFTWARE, SUCH AS
OPERATING SYSTEMS AND SECURITY SOFTWARE, TO A
HIGHER STANDARD THAN THOSE WHO WRITE LESS
CRITICAL CODE SUCH AS WORD PROCESSORS AND
VIDEOGAMES.
3. Largest Known Data Breach –
160M Credit Cards – July 2013
Five men from Russia and Ukraine allegedly stole over 160 million credit card numbers from 2005 to 2012 and sold them to others in the underground market; the cards were then used throughout the world for ATM cash withdrawals and purchases.
The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data, and other institutions with information they could exploit for profit.
The defendants are charged with hacking and malware attacks upon NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
It is not alleged that the NASDAQ hack affected its trading platform.
http://www.justice.gov/usao/nj/Press/files/Drinkman,%20Vladimir%20et%20al.%20Indictment%20News%20Release.html
4. HIPAA Breach Compromises over 4
Million People – August 2013
Theft of four UNENCRYPTED LAPTOPS compromised over 4 million patients' medical files containing their personally identifiable information (name, SSN, address, phone numbers and email addresses), Medicare data, medical diagnoses, insurance and payment information.
2nd largest HIPAA data breach to date (the largest to date is just under 5 million patient records compromised).
Just last month, theft of two UNENCRYPTED LAPTOPS compromised over 729,000 patients' medical files – October 2013
11th largest HIPAA data breach to date
To date, the federal HIPAA enforcers (HHS) have collected over $16 million from 16 organizations found to have violated HIPAA.
Data from the Department of Health and Human Services.
5. Publicly Traded Companies' Data
Breaches
Sony paid $171 million in cleanup from its April 2011 PlayStation Network breach;
Heartland Payment Systems paid an estimated $140 million in losses from its breach;
Email services firm Epsilon paid an estimated $225 million in total costs as a result of its data breach.
PUBLICLY TRADED COMPANIES RETAIN OUTSIDE IT PROFESSIONAL CONSULTANTS FOR THEIR RECOMMENDATIONS AND FOR THEIR SPECIALIZED SECURITY SERVICES, BOTH FOR THE RETAINED SKILL SET AND FOR LIABILITY REASONS
6. Federal Trade Commission Complaints
FTC has implemented initiatives to police computer
data breaches
FTC Complaints are REactive and NOT PROactive –
FTC complaints are all after the fact, rather than
implementing rules and providing guidance
Most companies settle with the FTC and pay a fine
If you defend against a FTC complaint, expect LARGE
litigation expenses, for example:
Large corporation Wyndham has just responded to a FTC
complaint and has spent $5 Million already on discovery
Small corporation LabMD (25-person company) has just responded to the FTC complaint and has spent $500,000 on discovery
7. How is there liability to IT security professionals for insecure software?
8. Top Ten List of Security Certifications???
10. Vendor Certifications - CISCO and Microsoft specific
certifications top the list.
9. CCE-Certified Computer Examiner
8. CPP—Certified Protection Professional
7. CBCP-Certified Business Continuity Professional
6. CEH-Certified Ethical Hacker
5. CSFA-CyberSecurity Forensic Analyst
4. CISA-Certified Information Systems Auditor
3. GIAC-The Global Information Assurance Certification
2. CISM-Certified Information Security Manager
1. CISSP—Certified Information Systems Security Professional
9. What information security standards exist? Let's look at the law…
• Global – ISO 17799, 27001; Basel II; EU Safe Harbor
• Country Standards – National: NIST & OECD; State laws: data security and breach notification laws
• Industry
  • Payment Card Industry – Visa CISP, MasterCard SDP
  • Healthcare – HIPAA
  • Finance – Gramm-Leach-Bliley, SEC, NASD, FFIEC, OTS
  • Finance – CoBIT & BITS
  • Energy and Utility – NERC 1300, FERC, (NEI 04-04)
  • E-Commerce – FTC e-commerce requirements
• Federal Government – DOD Rainbow Series, NIST; NSA; Presidential Directives
10. What is the legal and business impact of
breached information security?
Contractual Violations
Violation of state, federal and international laws
Business interruption – income loss, extra expense
Data asset loss, corruption, value reduction
Lost ROI on technology and marketing investments
Reputation losses & loss of valuation
Extortion and other crisis management costs
11. What Laws Govern Insecure Software?
HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Other Acts and
their Potential Impact on Liability to Software Developers
Article 2 of the U.C.C.
Computer hardware and packaged software, as movable objects, are
clearly goods and thus subject to the provisions of Article 2 – and for our
conversation, Article 2 protection from Tort-related causes of action
Transactions involving primarily personal services, such as those for
customization, expertise, maintenance, training, and support, are often
held not to be goods, and thus NOT to fall within the U.C.C.
What about specialized "secure" computer software? Does that fall under Article 2 or customized services?
Negligence
Product Liability
Professional Malpractice Liability
Federal Trade Commission Complaint for unfair and deceptive acts or
practices for deceptive claims that companies were safeguarding
customer data appropriately
12. Health Insurance Portability and
Accountability Act (HIPAA)
HIPAA makes security a necessary prerequisite to
providing services to the health industry, including the
provision of any financial services.
Breach Notification Rules
Notify affected individuals
Notify Business Associates
Notify HHS (Federal Agency)
Audits and Fines
Penalty amount: $100 to $50,000 per violation depending on the level of culpability, with a calendar-year cap of $1,500,000 for repeat violations of the same provision
13. Sarbanes-Oxley Act (SOX)
SOX requires that the CEO sign filings with the SEC that certify that the company's computer systems are secure and that the company maintains, in all material respects, effective internal controls over its financial reporting.
If he's wrong, he faces potential prosecution for violations of SOX, with personal fines of up to $1 million to $5 million and/or imprisonment for up to ten to twenty years, depending on whether the false certification was knowing or willful.
If the company asks its software vendors, whose products the company relies upon to provide that security and effective control, to certify that their systems meet SOX's requirements, the vendors politely decline, mumbling something about how all software has bugs and that the vendor is not willing to assume the risk that the customer's system may be compromised by hackers, cyberterrorists, or perhaps just a disgruntled ex-employee.
Thus far the SEC has not taken action against any corporate executives who have signed such an undertaking that later turned out to be untrue.
We have not yet had a major accounting scandal arising from software vulnerabilities.
14. Gramm-Leach-Bliley Act (GLB)
GLB is a comprehensive privacy and security law that financial
companies must adhere to.
GLB covers both information handling practices and security practices for "nonpublic personal information" (NPI).
GLB's security requirements:
You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue (emphasis added).
Also requires:
1. Exercise appropriate due diligence in selecting your service
providers;
2. Require your service providers by contract to implement
appropriate measures designed to meet the objectives of these
Guidelines; and
3. Where indicated by your risk assessment, monitor your service
providers to confirm that they have satisfied their obligations as
required by paragraph D.2. As part of this monitoring, you
15. Article 2 of the UCC
Most bundled software (off-the-shelf or custom) falls within Article 2 of the UCC
a Good Thing for IT Professionals because you can use the
UCC to limit your liability, e.g., disclaimer of express and
implied warranties, limitation of liabilities and remedies
Standalone (unbundled), customized and expertise
(security) software are determined on a case-by-case
basis
Plaintiff attorneys will allege that the software vendor is in the best position to take action to prevent security breaches with standalone customized software.
Plaintiff attorneys will allege that software vendors were
negligent in the production or design of the computer
security systems, e.g., coding of the security and
encryption software
16. Negligence Claim – 5 Elements
(1)
Software vendor owed a DUTY to the Plaintiff
What type of Duties?
Duty to design and develop secure software
Duty to instruct the licensee on how to use its products safely
Duty to warn its licensees of the hidden dangers that the designed
software may contain
Whether a duty exists in the law is largely a policy-based determination, weighing:
Foreseeability of harm of security breach
Degree of certainty between the vulnerabilities and harm
Closeness of the connection between lax Internet security practices
and the injury suffered
Policy of preventing future intrusions
Burden of the IT industry
Consequences to the public of imposing a duty to maintain adequate
security
Availability, costs and prevalence of security solutions
Insurance
17. Negligence Claim – 5 Elements
(2)
Standard of care imposed on the software vendor by that duty
Generally this means what the reasonably prudent person would do under the circumstances
In the IT industry, this standard of care is evolving
rapidly, and methodologies, procedures, and practices have
been accepted by the industry as risks are exposed
The appropriate level of care to be followed in custom
software will vary depending on the nature and intensity of
the perceived risk resulting from an error
Thus, the software developer's duty under negligence law is not perfection, but only reasonableness, i.e., the standard of care of a reasonable developer of security-related software under like circumstances – employing the industry's best-practice security standards
18. Negligence Claim – 5 Elements
(3)
Breach of Duty
With secure software, there are currently no accepted tests for determining when a software developer has breached its duty
19. Negligence Claim – 5 Elements
(4)
Causation
Two-prong test:
Software developer's negligence must have been the cause-in-fact of the plaintiff's injuries (but-for or substantial factor);
Software developer‘s conduct must have been the
proximate (legal) cause of the injury, i.e., a foreseeable
result of the negligent act
20. Negligence Claim – 5 Elements
(5)
Damages
Plaintiffs are entitled to recover ALL damages, e.g., personal injuries, property damage, economic losses
Some courts do not allow recovery of economic losses, e.g., defamation
Some courts do not allow damages for data entered into the computer system by a customer because that data is not part of the software
Until recently, for security breach cases, the plaintiffs have been unable to establish the "damages" requirement for negligence.
In essence, courts have ruled that a consumer taking pre-emptive
actions to protect his or her credit has not suffered compensatory
damages.
Even if a consumer can show that they suffered identity theft they
still have to establish that the security breach was the cause of such
identity theft (in theory the consumer‘s personal information could
have been obtained from a multitude of sources).
Companies face the prospect of expensive attorney fees to defend these
actions, and if the plaintiffs‘ bar breaks through they could face
significant liability.
21. Negligence Applied to Security
Breach Liability
Traditionally, security breaches are criminal acts of third
parties, and a software vendor cannot be liable for third
party criminal conduct unless it is determined that such
criminal conduct was highly foreseeable.
With hundreds of thousands of new cybersecurity threats created every day, aren't third-party criminal acts of hacking highly foreseeable?
Duty, Standard of Reasonable Care, Breach of Duty, Causation
(foreseeability) and damages
California real estate escrow company has filed a
NEGLIGENCE lawsuit against its former bank for the loss of
$465,000 in an online banking hack last year
http://krebsonsecurity.com/2011/07/
22. Negligence Cases
Invacare Corp. v. Sperry Corp., (N.D. Ohio 1984)
Federal district court refused to dismiss a negligence claim
alleging that a computer seller was negligent for
recommending its program and services to the buyer when "it knew, or in the exercise of ordinary care, it should have known, that . . . the programs and related data processing products were inadequate," and because it advertised to the buyer when it knew or should have known that "the programs furnished could not satisfy [the buyer's] requirements."
The court held that personnel in the computer industry, like
personnel in other trades
(doctors, accountants, lawyers), should be held to the
ordinary standard of care for their trade.
23. Negligence Case
Claridge v. Rockyou, Inc. (N.D. Cal. 2011)
Rockyou is a publisher and developer of online services and applications for use with social networking sites such as Facebook and MySpace
Rockyou applications allow its users to share photographs and write special text on a friend's page, or play games with other users.
Customers are required to sign up to use Rockyou applications by submitting personally identifiable information to it that Rockyou stores in a database
Plaintiff alleges that Rockyou promised through its website to safeguard users' personally identifiable information through commercially reasonable measures … that did not include any form of encryption
Plaintiff's personally identifiable information was hacked and made available online
Federal district court held that plaintiff's negligence claim could proceed against Rockyou despite not alleging specific damages other than the unauthorized and public disclosure of his personally identifiable information
24. Negligence Case
Patco Constr. Co. Inc. v. People's United Bank (1st Cir. July 2012)
Hackers installed malware on Patco's computers and stole its online banking user name and password, then used Patco's banking credentials to transfer money offshore from Patco's account (common hacking facts)
Because the hackers were attempting a large offshore transfer that was so far out of Patco's normal conduct, the bank's system flagged the transaction with an alert
The bank manager decided that, since the password/user name combination and accompanying answers to certain challenge questions were sufficient to verify the transaction, the alert could be ignored, and all the money went offshore
The Federal Appellate Court held that the bank's reliance on password authentication and its decision to ignore certain transaction-based flags that highlighted the unusually large offshore transfer was not necessarily a good commercial practice.
Court found that the bank's reliance on answers to challenge questions that the hackers provided was not a good security practice.
Court found that the bank's contract with Patco incorporated the UCC requirement that the bank act in a commercially reasonable way, and found that the protections the bank had implemented were unreasonable
Afterwards, this case settled for $345,000 (the amount transferred) and $45,000 in interest.
25. Negligence Case
Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. September 2013)
Heartland had contracts with acquiring banks to provide credit card processing services; the plaintiffs were issuing banks that had no direct contract with Heartland.
Heartland was hacked in 2009 and lost the data from more than 160 million credit card accounts.
Because of the interlocking web of financial relationships in credit card transactions, Heartland's acquiring banks were not the only parties affected by the hacking incident
Damages included losses from fraudulent use of the stolen data, the cost of replacing credit cards and the cost of providing their customers with credit monitoring services
Federal Appellate Court held that the issuing banks had stated a valid negligence claim against Heartland for its cybersecurity failures and that, if proven, they could recover their consequential damages from Heartland
26. Today‘s recent headlines
Negligence for theft of data from UNENCRYPTED LAPTOPS
Hackers broke in at a US-based company that brokers reservations for limousine and Town Car services nationwide, exposing the personal and financial information of more than 850,000 well-to-do customers, such as Fortune 500 CEOs, lawmakers and celebrities
http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
Negligence for storing data on servers that hackers are known to use to stash their stolen data
27. Professional Malpractice Law
Professional liability has generally been applied to those who
by virtue of specific training and licensing are deemed to
have a level of skills higher than that of non-professionals.
To date, courts have been reluctant to hold computer
designers or programmers to the higher standard of
professionals due to the lack of established educational
standards or regulations governing the performance of
software programmers and developers, and because they are
not licensed as professionals … that is changing
Many software developers have received extensive training in
the use of certain programming and testing
techniques, passed rigorous tests to become "certified," and
reached levels of expertise not held by general programmers.
While this is not identical to the licensing requirements of
state licensing boards such as state bar associations or
medical boards, it may be sufficient to justify holding these
certified developers to a higher, professional
standard, particularly where their certifications relate to
secure software development.
28. Top Ten List of Security Certifications??? (repeats slide 8 above)
29. Professional Malpractice Case
Diversified Graphics, Ltd. v. Groves (8th Cir. 1989)
Plaintiff hired a large accounting firm to help it locate a
turnkey computer system.
When the chosen system proved inadequate for the
company‘s needs, the company sued.
The court ruled that the accounting firm should be held to
the American Institute of Certified Public Accountants‘
Management Advisory Service Practice Standards, which the
firm had incorporated into its guidelines for internal use.
While the court refused to acknowledge a cause of action for
computer malpractice, by holding the accounting firm to the
AICPA standards, it achieved essentially the same result.
30. Professional Malpractice Case
Data Processing Services, Inc. v. L.H. Smith Oil Corp. (Ind. Ct.
App. 1986)
Plaintiff claimed that the defendant was negligent in
designing an accounting and data processing software system.
The state appellate court stated in dictum that "[t]hose who hold themselves out to the world as possessing skill and qualifications in their respective trades or professions impliedly represent they possess the skill and will exhibit the diligence ordinarily possessed by well informed members of the trade or profession."
The court concluded that "[t]he situation here is more analogous to a client seeking a lawyer's advice or a patient seeking medical treatment for a particular ailment than it is to a customer buying seed corn, soap, or cam shafts."
31. Product Liability for Insecure Software
Product liability law is imposed on the theory that the costs of damaging events due to
defectively dangerous products can best be borne by the enterprisers who make and sell
these products.
With insecure software, an examination of whether the software insecurity is due to a
design defect or a manufacturing defect
Software development generally goes through a number of phases before reaching the
user, such as (i) the design phase, (ii) the coding phase, (iii) the testing phase, and (iv)
the replication and distribution phase
A defect introduced into the product during the design phase would be deemed a design defect.
A defect introduced into the product at the replication and distribution phase would be deemed a manufacturing defect.
Coding phase??? Grey area
Vendors would generally argue that everything before the replication and distribution phase is part of the product design process; hence, a negligence standard should apply to insecure software, except in the rare case where the defect occurred in the replication process.
Licensees would argue that the design defect standard should apply only to defects introduced in the design phase, and that everything thereafter should be deemed part of the manufacturing phase, and therefore subject to a strict liability standard.
No cases on point, but that is not to say that they are not on their way …
32. Federal Trade Commission Complaints (repeats slide 6 above)
33. Federal Trade Commission
TRENDNET, Inc. Case (September
2013)
TRENDNET allegedly failed to provide reasonable security "to prevent unauthorized access to sensitive information"
FTC Consent Order required TRENDNET to engage in "secure software, development, and testing" risk assessments as well as "reasonable and appropriate software security testing techniques"
Conduct an initial, and thereafter biennial, assessments and reports – for twenty years – performed by a third-party CSSLP or CISSP or "a similarly qualified person or organization; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission…."
34. Federal Trade Commission
In re HTC America, Inc. Case
(February 2013)
FTC complaint alleged that HTC:
failed to "employ reasonable and appropriate security in the design and customization of the software on its mobile devices."
failed to (1) implement an "adequate program to assess the security of products it shipped to consumers," (2) provide "adequate privacy and security guidance or training for its engineering staff," (3) "conduct . . . reviews, or tests to identify potential security vulnerabilities in its mobile devices," and (4) "implement a process for receiving and addressing security vulnerability reports from third-party researchers."
35. Federal Trade Commission
The FTC has begun taking action against software users whose systems were breached by hackers and third parties' confidential information was disclosed.
These recent FTC decisions suggest a new willingness by the FTC to hold software makers liable for failing to design security into their products from the start and to test for and discover security vulnerabilities before releasing the product into the market for advanced beta testing by paying customers, who not only thereby pay for the "privilege" of testing the vendor's product (saving the vendor enormous R&D costs) but who previously had little or no remedy beyond a replacement of the product (if that).
Most victims still do not receive real recourse from FTC actions, because the FTC does not investigate, much less act, in most cases, and limits on private recourse and practical barriers to enforcement obstruct private remedies.
Plaintiffs' attorneys will take over and advance negligence, strict product liability and professional malpractice causes of action against software developers
36. Counterhacking Legal???
Computer Fraud and Abuse Act
"exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
Put another way, you exceed authorized access if you obtain or alter information you're not entitled to obtain or alter.
Who controls the computer? The data owner or the computer owner?
Are you entitled to take back your stolen data from a computer, but not to sell the computer at a pawn shop?
So can Disney hack into everyone's computers in pursuit of pirated videos?
Can future amendments recognize a counterhacking right to gather evidence but not to harm innocent third parties? Will there be a distinction between 99-cent music files and competitive business data?
37. What Can You Do To Minimize Your
Risks to Liability?
Always enter into written agreements that specifically address express and implied warranties and limitations of liability
Always have your written agreements state what law controls the agreement. Be sure to make it a state that does not have any cases finding software to be a service and the UCC inapplicable, or cases finding tort liability for insecure software
Always use beta agreements or beta language when launching new or customized software, as software is always launched with glitches requiring patches/maintenance
Always have your written agreements state who is responsible for maintenance services and whether such service requires additional fees
38. What Can You Do To Minimize Your
Risks to Liability?
Continuing education is always ongoing
Audits – work with a security team to identify security issues and determine what else can be done (e.g., encryption, passwords, additional firewalls, etc.)
"shall act with the care of an ordinary prudent person or agency in like position would exercise under similar circumstances"
Policies & procedures: create a security incident response and notification plan
Response team, contact police/local FBI, and document response
Consider adequate malpractice and cyber-insurance coverage (typically covers notification costs) and utilizing it when in question
39. Procedure:
What Constitutes a Breach?
Was unencrypted and unredacted personal information
and/or protected health information accessed?
Personal Information means the first name or first initial
and last name linked to one or more of the following data
elements of a resident of this state:
SSN
Driver License Number
Account number, credit card/debit card number, in
combination with security code/access code/password
40. Procedure:
Is Notice Required?
Material Breach?
Would access be likely to cause substantial loss, or
injury, or result in identity theft?
How many to notify?
Cost?
Duty to notify as expeditiously as practical without
undue delay
41. Policy:
What Must the Notice Include?
Describe the security breach (date/time)
Describe the type of personal information that is the subject of
unauthorized access/use
Describe what you have done to protect data from further security breaches
Include a telephone number where a notice recipient may obtain
assistance or additional information
Remind recipients in the Notice of the need to remain vigilant
for incidents of fraud and identity theft
MAY have to notify consumer reporting agencies
By mail, telephone, electronic means?
42. So What? Why do this?
State AG fines for failure to provide notice
($250/person), up to $750,000
FTC fines - $1,500,000
Civil Remedy under state/federal law
State trade practices statutes
Breach of contract (terms/privacy policy)
Breach of implied covenant of good faith and fair dealing
Breach of implied contract
Negligence/negligence per se
Ruined Reputation
43. Policy and Procedure
Practical Tips
If you have experienced a data security breach, you may have to comply with more than one state's laws if you have customers that reside there
Where health information is stored, requirements for notification are far greater
Know that class actions are out there, and increasing
http://www.informationweek.com/security/client/linkedin-security-breach-triggers-mill/240002407
44. RESOURCES
www.IshmanLaw.com
(919) 468-3266
mishman@ishmanlaw.com
State laws (all states except AL, KY, NM, SD)
http://www.ncsl.org/issues-research/telecom/security-notification-laws.aspx
Many states have identity theft statutes that may be applicable when there is a security breach issue
Federal law proposals on data breach notification requirements, but nothing enacted YET
International
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Federal Trade Commission
– http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
Biggest Data Breaches in 2013
http://www.crn.com/slide-shows/security/240159149/the-10-biggest-data-breaches-of-2013-so-far.htm
10 Biggest HIPAA Data Breaches in the U.S.
http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states