The Stakes Are Going Up: Hacking and the New Paradigm of Data Breaches

Transcription

1 The Stakes Are Going Up: Hacking and the New Paradigm of Data Breaches Edward McNicholas Global Co-Leader, Privacy, Data Security and Information Law Sidley Austin LLP

2 The cyber threat is one of the most serious economic and national security challenges we face as a nation America's economic prosperity in the 21st century will depend on cybersecurity.

3 Conflicting Legal Paradigms Strict Liability Data breach notification laws No fault insurance approach Developed for dams: socially useful, but dangerous collection of water; if it breaks for whatever reason, owner is liable Same rules for socially useful but potentially dangerous collections of data? Internalization of costs Negligence Industry standards / best practices Companies should not be liable when they act reasonably so they have an incentive to improve compliance Companies should only bear the costs of their mistakes Who bears the costs of a nonnegligent or coding error?

4 The Cloud Makes This More Complicated Cross-border data transfers implicates EU Data Directive Access/control by Cloud providers complicates privacy and security compliance Cross-border data transfers, remote processing, and storage increase the risk of disclosure to governments, litigants, other third parties Perception of magnified risks of data loss due to hacking, security breaches, or inadvertent disclosure, destruction or inter-mingling of data Potential loss of control for cloud client: lack of transparency and accountability Conflicts in national consumer protection standards Conflicts in business practice standards 4

5 The Internet of Things Will Exponentially Grow Attack Vectors Connected Car Connected Home

6 SEC Cybersecurity Focus SEC Cybersecurity Roundtable held March 26, 2014 Chair Mary Jo White emphasized cybersecurity risks and need for stronger public-private partnership Commissioner Luis Aguilar emphasized At a minimum, boards should work with management to assess their corporate policies to ensure how they match up to the Framework s guidelines. Disclose cyber-risks if among the most significant factors that make an investment in the company speculative or risky Expect cybersecurity to become a central issue in enforcement actions and disclosure efforts SEC now investigating corporate victims of hacking for lack of internal controls or timely disclosures

7 NIST Cybersecurity Framework Nominally Voluntary Guidance to Help Organizations Manage Cybersecurity Risks o The Framework provides a means of expressing cybersecurity requirements to business partners and customers and help identify gaps in an organization s cybersecurity practices. The Framework Outlines Actions to Improve Cybersecurity in Five Categories Identify Protect Detect Respond Recover o The Framework provides implementation tiers for classifying how effectively an organization implements actions: Partial, Risk Informed, Repeatable, Adaptive Although Voluntary and Aimed at Critical Infrastructure, Government Leaders Encourage Implementation o SEC Office of Compliance and Examinations indicated that cybersecurity will be a 2014 Examination Priority, and certain information requests will incorporate the Framework o Treasury Secretary and SEC Commissioners have urged companies to implement the Framework o Accounting-based attestation of compliance being developed by private sector o Insurance companies exploring linking framework to coverage 7 Attorney-Client Privileged & Confidential

8 Changing European Landscape: Harsher Penalties and Enforcement Ahead Expected to apply to data controllers outside EU that offer goods and services to EU residents GDPR includes novel enforcement mechanisms Enforcement organizations acting in the public interest can go to court on behalf of individuals to seek damages and remedies even without consent Damages permitted for non-pecuniary loss such as distress Non-compliance with the GDPR can lead to harsh penalties up to 5% of annual worldwide turnover

9 The Feeding Frenzy Case Study Activists, Academics, Anarchists, Spies, Thieves and Krebs Loss Contingencies 20 Year Monitoring / Best Practice Mandates Wall Street Journal USA Today New York Times Board Room / 10-Ks Operational Options Diminish Congress and the Court of Public Opinion Plaintiffs / FTC / AGs / DPAs / PCI Remediation / Confidence / Innovation 9

10 Possible Results of a US Breach Congressional hearings and inquiries Consumer class action litigation Multi-state AG investigation FTC investigation Sector-specific investigation, e.g. HIPAA OCR SEC investigation Shareholder derivative action alleging failure of Board oversight Potential litigation brought by recent purchasers of securities Criminal investigation of the hacker PCI Forensic Investigation Internal investigation Potential litigation with the credit card brands Discussions with the insurance carrier about coverage Implication under company financial covenants Shareholder activism

11 A Tale of Three Trails Board Reports to the Board on cybersecurity? Internal Document organizational response to NIST? Written information security plan? Incident response and notification planning? External Cyber Insurance? Secure relationships with vendors and third parties? Engaged forensic and breach response experts?

12 Edward McNicholas This program has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Viewers should not act upon this without seeking advice from professional advisers. BEIJING BOSTON BRUSSELS CHICAGO DALLAS GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, ; One South Dearborn, Chicago, IL 60603, ; and 1501 K Street, N.W., Washington, D.C , Sidley Austin refers to Sidley Austin LLP and affiliated partnerships as explained at