Cybersecurity: No Longer Just IT s Problem'

Transcription

1 Cybersecurity: No Longer Just IT s Problem' Association of Corporate Counsel Webcast March 10, 2016 Privacy Officer Tori Silas, Esq., Senior Counsel and Cox Enterprises, Inc. Evan J. Foster, Esq. Joseph C. Monahan, Esq. Saul Ewing LLP 1

2 WELL-KNOWN RECENT CYBER ATTACKS 2

3 WELL-KNOWN RECENT CYBER ATTACKS (cont d) Japan Public Pension 3

4 4

5 Types of Cyber Threats Advanced, Persistent, State-Sponsored Threats (APT) Seeking information and strategic advantage May exfiltrate information May penetrate system and watch Organized Cybercrime Seeking monetary gain or identity theft, so financial databases are often targeted Short-term benefit until gap fixed Market for stolen identities, financial information, proprietary information Individual Political Interest A/K/A Hacktivists Seeking embarrassment or sensationalism Careless/Negligent loss of equipment/material 5

6 Where is This Coming From? Verizon Data Breach Investigations Report: 98% of attacks are external 58% of data theft tied to activist groups 4% involve internal employees 1% or less involves business partners 81% utilize hacking 69% use malware 10% involve physical attacks on property / equipment 46% discovered the breach accidentally 6

7 IMPORTANT FACTS USA Today: 43% of companies have had a security breach The Sony security breach was only 33 rd on the list of 2014 security breaches by size 32 larger security breaches than that of Sony in 2014 Cybersecurity costs expected to increase 38% over the next 10 years Between 2009 and 2013, the number of cyber incidents doubled 228,700 incidents in 2013 Average cost = $200 per record to comply with notification laws Average cost of a security breach = $5.4 million, large breach cost estimate = $163 million 7

8 2015 Association of Corporate Counsel Study 1 in 4 Chief Legal Officers (CLO) experienced a data breach in the last 2 years Data/cybersecurity ranks only behind ethics/compliance and mergers/ acquisitions in importance to CLOs Only 1 in 3 reporting companies carries data breach protection insurance 8

9 According to the LA Times, cyber attacks jumped 44% in 2014 from 2013 statistics Lloyds of London reported that cyber crime costs exceed $400 billion per year Lloyds also reported that by 2013 cybersecurity had risen to no. 3 on the list of concerns of boards of directors Cyber attacks are not limited to computer systems alone at least one attack was reported to have used smart devices such as televisions and a refrigerator CSO Magazine/PWC 2015 study (of 500 respondents) found that: 28% of the boards have no presentations from security leaders 26% of security leaders make only an annual presentation to board 42% did not view cybersecurity as a corporate governance issue 9

10 Federal Regulatory Response SEC/FTC response SEC Commissioner Aguilar [B]oards that chose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril. [E]nsuring the adequacy of a company s cybersecurity measures needs to be a critical part of a board of director s risk oversight responsibilities. April 2014 SEC announced it would review 50 registrants to determine cybersecurity preparedness. FTC has begun over 40 actions against companies for failing to protect customer data. 10

11 Federal Regulatory Response- FCC March 2015 broadband internet access classified as a telecommunication service under Title II of the Communications Act CPNI obligations applicable to broadband internet Effectively, FCC is now in the cybersecurity game Consent Decree with Cox Communications related to disclosure of info of 61 subscribers $600k fine and extensive compliance obligations Seemingly adopted a strict liability standard; FTC uses a reasonable security standard 11

12 Federal Regulatory Response (cont d) Cybersecurity Information Sharing Act Passed the Senate on October 27, 2015 Has to be reconciled with similar House bill Creates a voluntary threat information sharing vehicle with the Department of Homeland Security Includes liability protections from lawsuits for sharing certain types of information Provides some privacy safeguards for customers personal information Authorizes companies to use countermeasures retaliatory actions aimed at disrupting or disabling computers of adversaries Critics dispute its usefulness and argue it might increase government surveillance and lacks sufficient privacy protections 12

13 State Regulatory Response 47 states and District of Columbia (no AL, NM, SD) Generic definition of personal information: An individual s first name or first initial and last name plus one or more of following data elements: (i) Social Security number, (ii) driver s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account Frequent requirement to report to state official/ag Most laws require notification whenever there is a breach Some states require mandatory credit reporting! 13

14 State Regulatory Response Cont d. New Trend (CA, FL) user name and password breach now requires notification NJ, MT and WY have already updated in NJ: 1/15 requiring health insurers to implement specific protections for computerized personal information data - MT: effective 10/1/15 adds medical record information, TIN, and AG notification WY: effective 7/1/15 adds shared (login) secrets or tokens known to be used for database authentication, user name and password, birth or marriage certificate, medical information, health insurance information, biometric data, and TIN 14

15 Cybersecurity also presents a potential for liability of board members and company officers Business Judgment Rule generally insulates an officer or director of a corporation from liability for a business decision made: In good faith When the director/officer is not interested in the subject of the business judgment When the director/officer is informed with respect to the subject of the business judgment» In some states (e.g. CA), this duty to be informed includes a duty to engage in reasonable inquiry and exercise ordinary reasonable care in making the decision When the director/officer rationally believes that the business judgment in question is in the best interest of the corporation E.g., Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984) 15

16 As the SEC Commissioner Aguilar noted, a board that fails to deal with cybersecurity does so at their own peril. Since a board s judgment must be informed to be protected by Business Judgment Rule, conversely a board that is uninformed likely violates its duty of care, nor can it be said that the officer or director acted in good faith if he or she made no effort to be informed. Del. Code Ann. tit. 8, 141(e) (West 2014) (protects directors who rely in good faith upon corporate records and information from another whom the corporation has selected with reasonable care and based on a reasonable belief that such information is within that person s professional or expert competence ). 16

17 So what to do? 17

18 Recommended Board actions Board should become more conversant and educated on cybersecurity issues and the company s cybersecurities practices and protocols Some corporations (only 42 of the S&P 500) have created board-level risk committees responsible for privacy and security risks, with clear lines of reporting and authority. The committee should meet regularly and report directly to the board. Make cybersecurity a regular board agenda item, including regular presentations by officers (GC, CIO, CTO) 18

19 Recommended Board actions (cont d) According to a NY Times survey only 11% of companies boards reported a high level of understanding of cybersecurity issues Briefings should occur on at least a quarterly basis and the board should make adequate time on the agenda Board should focus on, and require that the company has, identified and classified its data Health data, personal information and financial information is particularly sensitive The subject of statutes and regulations requiring heightened security 19

20 Board should hire appropriate personnel Full-time many companies have hired a CIO or Chief Privacy Officer (CPO) Outside Experts Could be hired if company is not in position to hire a full-time personnel Could be utilized by CIO, CTO, or CPO to assist with legal or technical issues Could be utilized to audit or assess cybersecurity practices and data protection systems and suggest areas for improvement Board should consider assessments and any variances from management assessments and representations 20

21 Review of Policies Acceptable Use Policy Information Security Data Stewardship Information Classification Records Retention Data/Equipment Destruction Privacy Web Internal Data Breach/ Incident Response BYOD Vendor Policies POLICIES MUST= PRACTICE 21

22 Privacy Programs & Technical Controls Data Inventories Privacy Impact Assessments Channel your inner 5 year old: Why, Why, Why??? Vendor Review/Certification Incident Response Planning Tabletop Exercises Identity Management and Governance Access certification Data Loss Prevention (DLP) Tools 22

23 Incident Response Plan Create and implement an incident response plan What offices/roles should be involved in the initial response Who will manage the investigation A designated spokesperson on behalf of the company to media Who will develop internal and external communications about the incident A checklist of external parties for consultation or contact such as call centers, insurance brokers, outside counsel, and forensics companies Integrate the plan into the company s overall governance, risk management, and business continuity framework Include Legal, IT, Privacy, Compliance, Risk, HR/Training, Corporate Communications and others as necessary in the plan creation process Review information security policies & procedures Review insurance coverage to plan and evaluate cybersecurity risk profile 23

24 Data Breach First Responders Incident Response Team should include: Risk management Business continuity Communications IT Legal Communications Plan should include: Designated Communications Coordinator Internal communications Breach letter (based on existing template) External communications 24

25 After a Breach Activate Incident Response Plan Designate a spokesperson Conduct forensic investigation Address vulnerabilities ASAP Conduct a risk assessment Consider contacting law enforcement Contact insurers to notify Determine whether notification is necessary Call center Mailings Assess lessons learned 25

26 When Conducting an Investigation When investigating a cyber-security breach, involve the lawyers Target created Data Breach Task Force at the request of in-house and outside counsel Purpose was to educate counsel about aspects of the breach to allow them to provide informed legal advice Different than the concurrent ordinary course investigation focused on remediation 26

27 When Conducting an Investigation Different teams from Verizon involved in each track of the investigation Court found that documents regarding the work of the Data Breach Task Force are protected from discovery as privileged and/or work product Documents regarding the ordinary course investigation are discoverable 27

28 Communicate in Plain Language Ensure the communication enables recipients to: Find what they need; Understand what they find; and Use what they find to meet their needs Helpful writing techniques include: Logical organization with the reader in mind You and other pronouns Active voice Short sentences Common, everyday words Easy-to-read design features 28

29 Cyber Security and Litigation A security breach can lead to litigation from a variety of potential plaintiffs The individual whose data was compromised could pursue any number of theories Need to establish non-speculative present harm sufficient to articulate a claim for relief This element poses less of a challenge where there has been actual misuse of the data 29

30 Cyber Security and Litigation Potential legal theories include: Contract (express or implied) threshold requirement to establish a binding contract Negligence the economic loss rule can pose a hurdle Negligent misrepresentation Consumer protection statutes 30

31 Cyber Security and Litigation Where credit card data is at issue, the issuer of the card may seek to recover the costs of issuing new cards, reimbursing fraudulent charges and monitoring accounts 31

32 Cyber Security and Litigation Shareholders may pursue derivative suits against directors and officers of the breached company Two derivative suits filed relating to the Target breach currently stayed while Board investigates Court dismissed such an action in the Wyndham Worldwide matter based on business judgment rule Derivative lawsuit filed in September 2015 relating to The Home Depot data breach 32

33 Cyber Security and Litigation Derivative suit legal theories include breach of fiduciary duty and waste of corporate assets Target suits challenge failure to protect customer data and also failure to timely and accurately notify customers of the scope of the breach 33

34 Cyber Security and Litigation Home Depot derivative suit allegations Breach of fiduciary duty and waste of corporate assets for failing to adequately protect against data breach Board was on notice of possibility of breach due to, among other things, well-publicized other breaches at Neiman-Marcus and Target Demand on Board is futile and thus excused 34

35 Cyber Security and Insurance Coverage is in its formative stage, so policies can greatly differ Companies would likely find it useful to hire a knowledgeable broker Carriers are often paired with cybersecurity consultants who analyze the company s security deficiencies for underwriting purposes Insurance considerations Company must figure out what it can afford to pay out-ofpocket for a cyber loss will determine retention or deductible 35

36 Coverage relates primarily to three areas of loss liability, breach-response costs, and fines and penalties Understand what event triggers coverage must be suited to company s data usage and systems Exclusions must ensure that primary risks are included Data coverage policy must be consistent with company usage Breach response costs should cover at least crisis management and breach notifications, credit monitoring, loss of business income, privacy regulatory defense and penalties, forensic investigations, legal fees, hacker damage costs Vendor/counsel selection can company select its own? 36

37 Cyber Security and Insurance Other potential coverage exists through more traditional policy types, including general liability, directors and officers, errors and omissions and crime policies 37

38 Cyber Security and Insurance Caselaw goes both ways regarding CGL policies and data breaches, often turning on whether a publication has occurred for purposes of Coverage B Coverage A only applies where there is harm to tangible property (hardware, server, etc.) 38

39 Cyber Security and Insurance Travelers Indemnity v. Portal Health Care Solutions LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014) Patient records posted to Internet CGL carrier sought declaratory judgment regarding duty to defend class actions Court held that the breach was a publication of private information triggering the policy s personal and advertising injury coverage 39

40 Cyber Security and Insurance Zurich Insurance Co. v. Sony, No /2011 (N.Y. Sup. Ct. Feb. 24, 2014) Massive hacking scheme accessing private information of tens of millions of Sony PlayStation users, leading to more than 50 class action suits Zurich denied coverage for the approximately $2 billion in losses claimed by Sony 40

41 Cyber Security and Insurance Summary judgment in favor of Zurich Court agreed that a CGL policy would cover publication of private information but found there was no coverage here since the publication was not by Sony, but by third party hackers Case settled while appeal was pending 41

42 Cyber Security and Insurance Recall Total Information Management Inc. v. Federal Insurance Co., 2015 WL (Conn. May 26, 2015) Vendor transporting tapes with private information regarding 500,000 IBM employees Tapes fall off truck and never recovered No apparent use or publication of the data 42

43 Cyber Security and Insurance Vendor voluntarily settles with IBM, paying over $6 million to cover notification and credit monitoring expenses Seeks coverage under CGL policy Federal denies coverage since no publication and no suit Connecticut Supreme Court sides with Federal on both issues 43

44 Cyber Security and Insurance Standard CGL policies typically include a 2014 ISO exclusion that expressly carves out coverage for disclosure of, among other things, credit card, financial and health information 44

45 QUESTIONS? 45

46 Reference Materials Reference Materials and Practical Tools 1. SANS Institute's, "Incident Handler's Handbook" 2. SANS Institute's, "An Incident Handling Process for Small and Medium Size Businesses" room/ whitepapers/incident/incident-handling-process-small- mediumbusinesses SANS Institute's, "Incident Response: How to Fight Back" 4. SANS Institute's, "Critical Security Control 18--Incident Response and Management" 46

47 Reference Materials Reference Materials and Practical Tools (continued) 5. SANS Institute's "Incident Response Annual Testing and Training" room/whitepapers/ incident/incident-handling-annual-testing- training NIST's "Computer Security Handling Guide" 7. Carnegie Mellon's, "How to Create A Computer Security Incident Response Team (CSIRT)" 47

48 Reference Materials Reference Materials and Practical Tools (continued) 8. ISO/IEC 27035, "Security Incident Management " 9. AICPA Incident Response Plan 10. Verizon, 2015 Data Breach Investigations Report 48