This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, at the January 27, 2017 meeting of (ISC)² Dallas Fort Worth Chapter.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great a threat as regulatory enforcement by agencies such as the FTC and SEC, or shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help minimize the likelihood that such a breach becomes a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses face of becoming the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Because of this crisis environment, there is a need for leadership to keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events, why legal counsel is the natural leader to fulfill this role, and how counsel can do so. It then walks through the process legal counsel will follow, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from the incident and from failing to respond to it properly. This section includes a discussion of the cybersecurity lawsuit landscape, the cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
www.solidcounsel.com
• Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, North Texas Cyber Forensics Lab
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• Super Lawyers Top 100 Lawyers in Dallas (2016)
• Super Lawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Foundation
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee
• Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Board of Advisors Office of CISO, Optiv Security
• Editor, Business Cybersecurity Business Law Blog
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com
KEY POINT: Attorneys may have privilege
“Target has demonstrated . . . that the work of the Data Breach Task Force was focused not on remediation of the breach . . . but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”
In re Target Corp. Customer Data Breach Litigation
A.C. Privilege / Work Product
Cause for Concern
• 62% of Cyber Attacks → SMBs
• Odds: Security @100% v. Hacker @1
• ACC Study (9/15) = #2 Concern keeping CLOs awake at night
• Dyn & IoT?
Cost of a Data Breach – US (Ponemon Inst.)
2013 Cost
• $188 per record
• $5.4 million = total avg. cost paid by organizations
2014 Cost
• $201 per record
• $5.9 million = total avg. cost paid by organizations
2015 Cost
• $217 per record
• $6.5 million = total avg. cost paid by organizations
The Turning Point
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% of confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Start with the Basics
“Some people try to find things in this game that don’t exist but football is only two things – blocking and tackling.” – Vince Lombardi
Data Breach Foundations
Is the cyber event an incident or a breach?
Event: any occurrence.
Incident: an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of the system, data, policies, or practices.
Breach: actual loss of control, compromise, unauthorized disclosure, acquisition or access of data.
Ransomware? Encryption safe harbor?
Data Breach Foundations
Is the cyber event caused by criminal or negligent actions?
Hacker stealing IP from network.
Employee misplaces unencrypted USB drive with PII.
Focus on the action – why was it done?
Report criminal events to law enforcement; negligent events usually are not reported.
Data Breach Foundations
The difference between reporting, disclosing, notifying?
Used interchangeably, not official – just used for clarity.
Reporting: to report a crime to law enforcement. OPTIONAL, MAYBE.
Disclosing: to disclose (notify) a data breach to a state or federal regulator. NOT OPTIONAL.
Notification: to notify the data subjects of a data breach. NOT OPTIONAL.
Data Breach Foundations
Relationship between unauthorized access and breach notification laws?
2 sides of the same coin.
Unauthorized access: prohibits actor from harming company’s network or data; company is the victim.
Breach notification: mandates actions by company after having a breach; company transformed into wrongdoer.
Reporting to Law Enforcement
Role of law enforcement.
When to report to law enforcement?
Federal, state, or local law enforcement?
When will law enforcement not get involved (usually)?
Reporting to Law Enforcement
Is it mandatory to report to law enforcement?
State breach notification laws presume reporting.
DOJ, NIST, FTC (“we’d view that company more favorably than a company that hasn’t”)
US Senate (Yahoo) – when did you report to law enforcement or other government authorities?
Credibility – the “state sponsored” / “unprecedented” game.
Reporting to Law Enforcement
Benefits of reporting to law enforcement.
Agencies can compel info from 3rd parties.
Can work with foreign counterparts.
Viewed favorably by regulators, shareholders, public.
Can request delay of reporting.
Can result in successful prosecution.
Resources, expertise, institutional knowledge, your $$$
The FBI is not there to re-victimize the victim. –Richard Murray, FBI
We try to be fair and know that we must be fair because that will get around and we want to work with companies. –Shamoil Shipchandler, SEC
Reporting to Law Enforcement
Dispelling myths of reporting to law enforcement.
Reporting to law enforcement is not the same as disclosing to regulators.
Doesn’t “take over” your operations; not like a regulatory enforcement action.
Law enforcement uses discretion, doesn’t tattle on you.
Company is still viewed as the victim.
Use hypotheticals, if needed.
Reporting to Law Enforcement
Tips for reporting:
Unified Fed. Guide
Use and maintain logging.
Have a relationship with law enforcement, or work with someone who does.
Best Practices
Disclosure to Government Regulators
Remember our fiction: reporting / notifying / disclosing
What type of data was breached? (PII, PHI, Fin. Data, PCI)
Which laws apply?
Regulated industry? (HHS, SEC, FDIC, FINRA)
e.g., Health → HHS, then: ≥ 500 = 60 days to report; < 500 = annual report
State jurisdictions?
Disclosure to Government Regulators
Breach Notification Laws
No national breach notification law
47 States w/ laws + DC, PR, VI (≠ AL, NM, SD)
Data subjects’ residence determines + state doing bus.
Some consistency but some not (e.g., MA & CA)
Review each time – constantly changing.
Disclosure to Government Regulators
Is it a triggering “breach” under each relevant state’s laws?
Which states’ laws require disclosure to their AG?
Most, under certain circumstances (not TX).
Which require pre-notice of a breach notification?
CA, CT, NH, NJ, NY, NC, PR, WA
When must disclosures be made? (w/ notif. 30/45/reas.)
How must disclosure be made? (template / portal)
Texas Breach Notification Law
Breach of System Security: “unauthorized acquisition ... compromises the security, confidentiality, or integrity of” SPI.
Employee leaving with customer data?
Applies to anyone doing business in Texas.
Notify any individual whose SPI “was, or is reasonably believed to have been, acquired by an unauthorized person.”
When: “as quickly as possible” but allows for LE delay
Penalty: $100 per individual per day for delayed time, not to exceed $250,000 for a single breach (AG / no civil remedy)
Data Breach Litigation Battleship
Peters v. St. Joseph Services (S.D. Tex. 2015)
Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015)
Whalen v. Michaels Stores Inc. (E.D.N.Y. 2015)
In re SuperValu, Inc. (D. Minn. 2016)
Anthem Data Breach Litigation (N.D. Cal. 2016) (Koh)
Spokeo v. Robins, 136 S.Ct. 1540 (2016)
Tangible or intangible harm, but concrete & particularized
Lewert v. P.F. Chang’s China Bistro Inc. (7th Cir. 2016)
Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016)
Recent Legal Developments
Takeaway: Standard is reasonableness.
• In re Target Data Security Breach Litigation (Financial Institutions) (Dec. 2, 2014)
• Companies have a duty to be reasonably informed and take reasonable measures to protect against cybersecurity risks.
• It’s the diligence, not the breach, that counts.
• The court found duties to
  • Reasonably protect others’ data
  • Not disable security devices (i.e., if you have it, use it)
  • Respond when alerted of an attack
Recent Legal Developments
Takeaway: Must have basic IT security.
• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
• The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.
• Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
  • 3 breaches / 619,000 records / $10.6 million in fraud
  • Rudimentary practices v. 2007 guidebook
  • Website Privacy Policy misrepresentations
Recent Legal Developments
Takeaway: Must have internal network controls.
• F.T.C. v. LabMD (July 2016 FTC Commission Order)
• LabMD had one employee using LimeWire; Tiversa obtained a file containing PHI and provided it to the FTC.
• “LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act. We enter an order requiring that LabMD notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”
Recent Legal Developments
Takeaway: Must have written policies & procedures.
• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
• “R.T. Jones failed to adopt written policies and procedures reasonably designed to safeguard customer information.”
• R.T. Jones violated the Securities Act’s “Safeguards Rule”
  • 100,000 records vulnerable; no reports of actual harm
  • $75,000 penalty
  • Cease and desist from any future violations
Recent Legal Developments
Takeaway: Must have written incident response plan.
• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
• Firms “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Response Process
• Goal is to execute IRP
• This is a checklist, not an IRP
• How detailed?
• Tabletop exercises
Download here:
www.shawnetuma.com
@shawnetuma
Recent Legal Developments
Takeaway: Know your contractual obligations.
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security
• Common features:
  • Defines subject “Data” being protected in categories
  • Describes acceptable and prohibited uses for Data
  • Describes standards for protecting Data
  • Describes obligations and responsibility for breach of Data
  • Requires binding third-parties to similar provisions
Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
• Derivative claims premised on the harm to the company from data breach.
• Caremark Claims:
  Premised on lack of oversight = breach of the duty of loyalty and good faith
  Cannot insulate the officers and directors = PERSONAL LIABILITY!
  Standard:
  (1) “utterly failed” to implement reporting system or controls; or
  (2) “consciously failed” to monitor or oversee system.
$4.8 Billion Deal?
Virtually all companies will be breached. Will they be liable?
It’s not the breach; it’s their diligence and response that matters most.
Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.