This presentation focused on teaching attorneys how to counsel their clients on cyber insurance and guide them through the data breach incident response process. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at "TexasBarCLE presents the 8th Annual Course Essentials of Business Law: Four Modules for a Robust Practice," cosponsored by the Business Law Section of the State Bar of Texas.
2. @Lonestar_Lawyer @shawnetuma @TexasBarCLE #TBCLE
Breach! Immediate Priorities
• Leadership!
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought & rational behavior
Data Breach Foundations
Is the cyber event an incident or a breach?
▪ Event: any occurrence.
▪ Incident: an event that actually or potentially jeopardizes
the confidentiality, integrity, or availability of the system,
data, policies, or practices.
▪ Breach: actual loss of control, compromise, unauthorized
disclosure, acquisition or access of data.
▪ Ransomware? Encryption safe harbor?
Data Breach Foundations
Is the cyber event caused by criminal or negligent actions?
▪ Hacker stealing IP from network.
▪ Employee misplaces unencrypted USB drive with PII.
▪ Focus on the action – why was it done?
▪ Report criminal events to law enforcement; negligent events usually are not reported.
Data Breach Foundations
The difference between reporting, disclosing, notifying?
▪ Used interchangeably, not official – just used for clarity.
▪ Reporting: to report a crime to law enforcement.
▪ Disclosing: to disclose (notify) to a state or federal regulator of a data breach.
▪ Notification: to notify the data subjects of a data breach.
Disclosure to Government Regulators
▪ Remember our fiction: reporting / notifying / disclosing
▪ What type of data was breached? (PII, PHI, Fin. Data, PCI)
▪ Which laws apply?
▪ Regulated industry? (HHS, SEC, FDIC, FINRA)
▪ e.g., health data → HHS (HIPAA Breach Notification Rule), then:
≥ 500 affected individuals = notify HHS within 60 days of discovery
< 500 affected individuals = log the breach and report it annually
▪ State jurisdictions?
Data Breach Response
The difference between reporting, disclosing, notifying?
▪ Used interchangeably, not official – just used for clarity.
▪ Reporting: to report a crime to law enforcement. OPTIONAL, MAYBE.
▪ Disclosing: to disclose (notify) to a state or federal regulator of a data breach. NOT OPTIONAL.
▪ Notification: to notify the data subjects of a data breach. NOT OPTIONAL.
Disclosure to Government Regulators
Breach Notification Laws
▪ No national breach notification law (as of this March 2017 presentation)
▪ 47 states have laws, plus DC, PR, and VI (all but AL, NM, SD)
▪ The data subjects' state of residence determines which laws apply, plus the state(s) where the business operates
▪ Some consistency among states, but notable differences (e.g., MA & CA)
▪ Review each time – the laws are constantly changing.
Disclosure to Government Regulators
▪ Is it a triggering “breach” under each relevant state's laws?
▪ Which states' laws require disclosure to their AG?
▪ Most, under certain circumstances (not TX).
▪ Which require pre-notice to the regulator before notifying data subjects?
▪ CA, CT, NH, NJ, NY, NC, PR, WA
▪ When must disclosures be made? (notification deadlines of 30 or 45 days, or a “reasonable” time, depending on the state)
▪ How must disclosure be made? (template / portal)
Texas Breach Notification Law
Notification Required Following Breach of Security of Computerized Data, Tex. Bus. & Com. Code § 521.053
▪ “A person who conducts business in this state and owns or
licenses computerized data that includes sensitive personal
information shall disclose any breach of system security, after
discovering or receiving notification of the breach, to any
individual whose sensitive personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person.” (See Appendix B)
Texas Breach Notification Law
▪ Breach of System Security: “unauthorized acquisition ... compromises the security, confidentiality, or integrity of” SPI. Does an employee leaving with customer data qualify?
▪ Applies to anyone doing business in Texas.
▪ Notify any individual whose SPI “was, or is reasonably believed to have been, acquired by an unauthorized person.”
▪ When: “as quickly as possible,” but the statute allows a delay at the request of law enforcement
▪ Penalty: $100 per individual per day of delay, not to exceed $250,000 for a single breach (enforced by the AG; no private civil remedy)
Sensitive personal information (SPI) under the Texas statute – any of these combinations triggers the duty to notify:
▪ First name or first initial + last name + SSN, driver's license number, or government-issued ID number → data breach
▪ First name or first initial + last name + account or card number + the access or security code needed to use it → data breach
▪ Information that identifies an individual + healthcare provided to, or payment for healthcare of, that individual → data breach
Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tex. Bus. & Com. Code § 521.053
CIVIL PENALTY: $100.00 per individual per day for notification delay, not to exceed $250,000 for a single breach (§ 521.151)
Reporting to Law Enforcement
▪ Role of law enforcement.
▪ When to report to law enforcement?
▪ Federal, state, or local law enforcement?
▪ When will law enforcement not get involved (usually)?
Reporting to Law Enforcement
▪ Is it mandatory to report to law enforcement?
▪ State breach notification laws presume reporting.
▪ DOJ, NIST, FTC (“we’d view that company more favorably than a company that hasn’t”)
▪ US Senate (Yahoo) – when did you report to law enforcement or other government authorities?
▪ Credibility – the “state sponsored” / “unprecedented” game.
Reporting to Law Enforcement
Benefits of reporting to law enforcement.
▪ Agencies can compel info from 3rd parties.
▪ Can work with foreign counterparts.
▪ Viewed favorably by regulators, shareholders, public.
▪ Law enforcement can request a delay of breach notification.
▪ May result in a successful prosecution.
▪ Resources, expertise, institutional knowledge, your $$$
Reporting to Law Enforcement
Dispelling myths of reporting to law enforcement.
▪ Reporting to law enforcement is not the same as disclosing to regulators.
▪ Law enforcement doesn’t “take over” your operations; it is not like a regulatory enforcement action.
▪ Law enforcement uses discretion, doesn’t tattle on you.
▪ Company is still viewed as the victim.
▪ Use hypotheticals, if needed.
Cyber Insurance – Key Questions
• Do you even know if you have it?
• What period does the policy cover?
• Are Officers & Directors Covered?
• Cover 3rd Party Caused Events?
• Social Engineering coverage?
• Cover insiders' intentional acts (vs. negligent)?
• Contractual liability?
• What is the triggering event?
• What types of data are covered?
• What kind of incidents are covered?
• Acts of war?
• Required carrier panel list for attorneys & experts?
• Other similar risks?