Cybersecurity and Data Breach Issues AN OVERVIEW

Transcription

1 Cybersecurity and Data Breach Issues AN OVERVIEW October 4, 2017

2 Download Slides

3 What is Cybersecurity? Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack -- Merriam-Webster Dictionary

4 Cyber Security and Data Security: A Legal Issue? Data security is not just a public relations issue, it is a legal issue as well. Each company displayed on this background (and many more) has experienced a data breach incident. From January 1, 2005 to August 16, 2017, there has been 7,815 reported data breaches, representing 904,813,755 records exposed. 1 Cybersecurity and data breaches M are common and far-reaching events. 48 States have enacted data breach legislation which impose certain duties and obligations on companies in the event a data breach occurs. 1. According to the Identity Theft Resource Center, idtheftcenter.org, which provides resources and awareness information concerning data breaches.

5 We Are All Targets and Yahoos and Sonys How far reaching are data breaches? - via Law360.com

6 We Are All Targets and Yahoos and Sonys Law firm business clients are perfect targets for criminal data attacks. Law firms of all sizes are desirable targets to reach the firm s client information. In all fighting, the direct method may be used for joining battle, but indirect methods will be needed to secure victory. - Sun Tzu The Art of War Jim Shelton Example M Rural Texas solo practitioner Targeted in a phishing attack Attackers used the address of an employee to send an attachment to the firm s contacts The attachment to the s contained malware that when opened allowed the attackers to steal bank credentials and personal information

7

8 Cybersecurity: A Legal Issue?

9 What is a Breach? 48 states currently have laws addressing data security and requirements in the case of a data breach Each state has different rules The definition of a breach varies by state Federal agencies also have rules

10 Legal Obligations International Laws Federal Laws & Regulations HIPAA, FTC, FCC, SEC, ETC. State Laws 48 states have enacted data breach laws. Alabama and South Dakota are the only two states with no breach notification requirements. Industry Groups FINRA, PCI, ETC. Contracts Vendors & Suppliers Business Partners Data Security Addendum

11 Regulatory and Administrative - FTC Companies must have basic IT security. Companies have fair notice that their cyber and data security practices could fall short of FTC requirements. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3 rd Cir. Aug. 24, 2015). The FTC has authority to regulate data security under Section 45(a) of the FTC Act, which prohibits unfair... practices in or affecting commerce.

12 Regulatory and Administrative - FTC Businesses must evaluate business partners security. In re GMR Transcription Svcs, Inc., 2014 WL (Aug. 14, 2014). Businesses must follow 3 steps when contracting with third party service providers: 1. Investigate before hiring data service providers. 2. Obligate their data service providers to adhere to the appropriate level of data security protections. 3. Verify that the data service providers are complying with obligations (contracts).

13 Regulatory and Administrative - SEC You must have written (1) Policies & Procedures and (2) Incident Response Plan S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015). Firms must adopt written policies to protect their clients private information [T]hey need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs

14 Addendum to Business Contracts Vendors and third-parties pose substantial risks to data security because they usually: Have access to, and/or maintain, the company s sensitive data May access the company s network Have different business models with different data requirements Companies began taking notice of this vulnerability and have started imposing contractual requirements for data security on their third party vendors.

15 Addendum to Business Contracts Know your contractual obligations Common names for the Addenda: Data Security & Privacy; Data Privacy; Cybersecurity; Privacy; Information Security Common Features Defines subject Data being protected in categories Describes acceptable and prohibited uses for Data Describes standards for protecting Data Describes requirements for deleting Data Describes obligations if a breach of Data occurs Requires binding third parties to similar provisions

16 Texas Law: Business Duty to Protect Data A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. 1 Reasonable is an amorphous concept and means different things to different people at different times. Sensitive Personal Information? 1 Tex. Bus. & Com. Code (a).

17 What is Sensitive Personal Information? Texas law defines sensitive personal information as: 1 (1) an individual s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) social security number; (ii) driver s license number or government-issued identification number; or (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to any individual s financial account; or (2) information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual. For the sake of clarity, sensitive personal information does not include publicly available information that is lawfully made available to the public from federal, state, or local governments (a)(2) (b).

18 What is a Breach? Texas broadly defines a breach of system security as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt it. 1 A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as... necessary to determine the scope of the breach and restore the reasonable integrity of the data system. 2 1 Tex. Bus. & Com. Code (a) (b).

19 New Texas Cyber Legislation Sponsored by Representative Giovanni Capriglione Effective as of September 1, 2017 The Texas Cybersecurity Act Establishes cybersecurity requirements for state agencies: Each agency is required to conduct an information security assessment of its network systems, data storage systems, data security measures, and information resources vulnerabilities. Creates a cybersecurity council The goal: to ensure state agencies are good stewards of private data The Texas Cybercrime Act Creates classes of criminal offenses for ransomware, electronic access interference, denial of service attacks, and intentional deceptive data alteration Seriousness of offense depends on the amount of financial loss involved These are strides in the right direction to deter malicious cyber attacks. Texas takes cybersecurity seriously!

20 Cost of a Data Breach The average cost of a data breach in the United States is $7.35 million. 1 The average cost per lost or stolen record is $ These figures have steadily increased over the past five years. Factors contributing to the cost: Loss of customers Size of breach and number of records involved Time to contain breach Post data breach costs (notification) 1 Ponemon Institute 2 Id.

21 Root Causes of Data Breaches - Ponemon Institute

22 Cost of a Data Breach An ounce of prevention is worth a pound of cure.

23 : What Happened? Data breaches may occur in many different forms including: hacking; misplacing files; theft; sending files to the wrong recipient; etc. Equifax experienced a hacking attack in which the attackers accessed Equifax files through an unpatched security vulnerability. The hackers accessed names, Social Security numbers, birth dates, addresses, and driver s license numbers. The unauthorized access occurred from mid-may through July The breach was allegedly discovered July 30, 2017 The breach was disclosed on September 7, 2017.

24 : What Happened? Equifax Hypothetical: Business operating as usual A notice was sent to the business (likely by or within the particular software itself) notifying the business that a software update has been released to remedy bug fixes or vulnerabilities Not wanting to disrupt the business operations for a pesky system update, the business puts it on the to-do list. (the curse of the Remind Me Later update option)

25 : What Happened? Equifax Hypothetical, cont d: Days turn into weeks, and weeks turn into months. Meanwhile, a hacker on the other side of the globe has purchased a new suite of virus software. The hacker finds a vulnerability in the company s network/system. Eager to test the virus software, the criminal deploys the virus on the company s network.

26 : What Happened? Equifax Hypothetical, cont d: The virus lays dormant in the company s computer system. Weeks later, users of the business s computer systems notice problems with the computers. The problems are escalated to the IT department. The IT department investigates and find the computer systems were probably compromised. (If the company is wise, a cybersecurity and privacy lawyer would be retained at this point to lead the investigation and response)

27 : What Happened? Equifax Hypothetical, cont d: The attorney retained by the company hires a forensics investigator to confirm the initial finding that there has been a compromise. 1 The attorney and the company s data breach team scrambles to assist the company in meeting its legal obligations. 1 It is important that the attorney acts as the initiator of the third-party contacts in data breach response to preserve attorney privilege.

28 Attorney/Client & Work Product Privilege The question of whether attorney/client and work product privileges apply to cover breach response is a question of concern of many in the C- Suite. In re Target Corp. Customer Data Sec. Breach Litig., No MDL142522PAMJK, 2015 WL (D. Minn. Oct. 23, 2015) Target customers affected by data breach sought to compel production of certain documents in its class action lawsuit. The court found that the requested documents were privileged. The court noted that although Target would have had to investigate and remedy the breach regardless of the litigation, Target created a separate task force and that outside counsel hired the data breach investigators so that its counsel could provide Target with informed legal advice and prepare to defend Target in litigation that was already pending and reasonably expected to follow.

29 Attorney/Client & Work Product Privilege The Target privilege holding has been adopted in other jurisdictions: In re Experian Data Breach Litigation, 15-cv AG (C.D. Cal. May 18, 2017) Earlier this year, a California federal court reached the same conclusion as Target. The court held that in response to a motion to compel, a forensics report created by a third-party forensics consultant was not discoverable. The court found that despite Experian s independent business duty to investigate, the forensics investigator conducted the investigation and prepared the forensics report for outside counsel in anticipation of litigation, even if it was not the forensic investigator s only purpose.

30 Attorney s Role in Data Breach Response Attorneys are the first responders in a data breach: we put out the fires; tend to the wounds; and in the case of criminal attackers, help facilitate the prosecution Assess the situation Be a counselor Facilitate rational thought and behavior Instill confidence Bring Peace

31 Officer & Director Liability for Data Breach Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril. - SEC Commissioner Luis A. Aguilar, June 10, Derivative claims have been pursued which were premised on the harm to the company from a data breach. Caremark Claims: Premised on lack of oversight/breach of duty of loyalty and good faith Officers and directors are not insulated from personal liability The standard used: (1) utterly failed to implement reporting system or controls; or (2) consciously failed to monitor or oversee the system

32 Data Breach Response A Data Breach Response should accomplish the following: Determine whether breach justifies escalation Begin documentation of decisions and actions Engage experienced legal counsel to lead process Notify and convene Incident Response Team Notify cyber insurance carrier Engage notification/credit services vendor Investigate whether data has been breached Engage forensics to mitigate continued harm, gather evidence, and investigate Assess scope and nature of data compromised Preliminarily determine legal obligations Determine whether to notify law enforcement Begin preparing public relations message Notify affected business partners Remediate and protect against future breaches

33 Cybersecurity Risk Management Program: Making Companies More Secure and Legally Defensible Reassess & Refine Cyber Risk Assessment Strategic Planning Tabletop TesAng Develop, Implement & Train on Policies and Procedures Deploy Defense Assets

34 Importance of a Written Response Plan Keep in mind that while this chaos is ensuing, the clock is ticking with regard to data and cybersecurity breach obligations Notification Requirements: 45 days (most states) 30 days (some states) 3 days (federal contracts) Immediately (contracts)

35 Essentials for Every Organization Basic IT Security Written Policies and Procedures Written Incident Response Plan

36 The Bottom Line Virtually all companies will be breached. It is not the breach that matters most -- it is the company s diligence, communication, and response that matters most. Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.

37 Questions?

38 Contact Information Jeremy Rucker Attorney Dallas