Privacy, Cyber Threats and Risk Mitigation Mitigating Liability Through the SAFETY Act

Transcription

1 Privacy, Cyber Threats and Risk Mitigation Mitigating Liability Through the SAFETY Act Joe DePaul, Senior Vice President Brian Finch, Partner April 9, 2015 Pillsbury Winthrop Shaw Pittman LLP

2 The Threat From Cyber Attacks Exposure of corporate secrets, trade secrets, and other proprietary information Exposure of personally identifiable information (employees and customers), including health information Disruption/destruction of operations Attacks are cheap: ($2 for crashing a website; $30 for malware verification; $5,000 for zero day ) Malware now tends to be one time use 1 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

3 Many Theories of Liability for Cyber Attacks Shareholder claims/sec Disclosures Loss of IP/trade secret claims Negligent selection, design or contracting Failure to take reasonable security measures for threats that a company knew or should have known about Strict liability 2 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

4 Who Is Attacking? 3 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

5 Post-Terrorist Attack Litigation Courts have found that terrorist attacks are reasonably foreseeable, and a duty is owed to plaintiffs (victims) The danger of a plane crashing as a result of a hijacking was the very risk that Boeing should reasonably have foreseen Other 9/11 cases: Negligence/Negligent selection Res Ipsa Loquitor Strict liability Negligent design and/or manufacture 4 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

6 What Would Cyber Litigation Look Like? FTC allegations in Wyndham lawsuit Wyndham failed to: remedy known security vulnerabilities such as allowing insecure server/network connections employ commonly used methods to require user IDs and passwords that are difficult for hackers to guess adequately inventory computers in order to manage network devices employ reasonable measures to detect and prevent unauthorized access or to conduct security investigations follow proper incident response procedures, including failing to monitor computer network for malware used in a previous intrusion adequately restrict 3d party vendor access share threat information/act upon shared information The key question: how can you make sure you are taking reasonable cyber security measures? 5 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

7 Recent Decisions Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014) A bank customer, a real estate escrow service provider, brought action against its bank, after $440,000 was stolen from the customer's bank account through fraudulent wire transfer requests. The United States District Court for the Western District of Missouri, John T. Maughmer, United States Magistrate Judge, 2013 WL , granted summary judgment to the bank. Both parties appealed. 6 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

8 Recent Decisions Patco Const. Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012) Commercial customer filed action in diversity against bank, alleging negligence, breach of contract, breach of fiduciary duty, unjust enrichment, conversion, and that bank's security system was not commercially reasonable and that it had not consented to security procedures, after thieves had electronically stolen hundreds of thousands of dollars from its accounts 7 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

9 Cyber Product Developer Loss Scenarios Scenario 1: The product is represented to have specific capabilities and associated services (regular updates, upgrades, etc.): Product manufacturer could be liable for losses suffered by its customer, Product manufacturer could be liable for 3d party losses if they are intended beneficiaries or creates unreasonable risk of harm. Gross negligence or intentional misconduct? All bets are off. Scenario 2: The product is used at a facility storing highly dangerous materials: Could be held liable for a design defect, If the product is specifically designed to protect that type of facility, liability is more likely. The big point: Get ready for litigation. 8 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

10 FTC v. Wyndham FTC v. Wyndham decided on April 7, 2014 Facts: Federal Trade Commission sues Wyndham Hotels following a series of cyber attacks/data breaches affecting its customers. Wyndham claimed that it protected customers information by using standard industry practices. The FTC, argues otherwise, saying that Wyndham failed to provide reasonable and appropriate security for the information it collected and maintained. Claim: Wyndham claimed that the FTC had no authority to pursue enforcement actions related to data security Ruling: Court affirmed that the FTC has the authority to pursue corporate cybersecurity weaknesses under its existing regulatory powers (Section 5 of the FTC Act) to address unfair or deceptive acts or practices affecting commerce. Significance: Only a Motion to Dismiss Not a Ruling on Wyndham s Liability The FTC can act on unreasonable cybersecurity practices under existing laws without further legislation 9 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

11 Who Is To Blame? 10 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

12 The In-Law Problem 11 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

13 The SAFETY Act Support Anti-Terrorism by Fostering Effective Technologies Act Part of the Homeland Security Act of 2002 Eliminates or minimizes tort liability for sellers of DHS-approved technologies should suits arise after an attack (physical or cyber), including: SAFETY Act protections obtained by submitting an application to DHS Applies to services, products, policies This includes self-deployed programs Protections apply even if the attack originates from abroad so long as US interests implicated (i.e., economic losses) Protections apply to cyber attacks unrelated to terrorism 12 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

14 Act of Terrorism What is an act of terrorism? (i) is unlawful; (ii) causes harm, including financial harm, to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States. Definition is read to include events that impact the United States. 13 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

15 Designation vs. Certification Two levels of protection under the SAFETY Act Under Designation : Claims may only be filed in Federal court Damages are capped at a level set by DHS Bar on punitive damages and prejudgment interest Under Certification sellers also receive a presumption of immediate dismissal In both circumstances claims against CUSTOMERS are to be immediately dismissed 14 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

16 Act of Terrorism = Cyber Attack Any cyber security product, service, and/or policy is eligible for SAFETY Act protections Cyber attacks are encompassed under this definition There is NO requirement that the attacker s identity or motivation be identified/proven: Only mention of intent potentially relates to intent to cause injury or loss, NOT traditional terrorist intent This means that ANY cyber attack could potentially trigger SAFETY Act liability protections 15 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

17 SAFETY Act Evaluation Criteria What are you seeking coverage for? How does the product or service work/how is it provided? How do you know it works? How will you make sure it continues to work? Can you show your product/service is repeatable (e.g., documented policies and procedures)? Is it safe? Quality control, quality assurance, written policies, and evidence of effectiveness are key data points. It is not necessary to meet all of the evaluation criteria in order to obtain SAFETY Act protections. 16 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

18 Information Needed Data and documentation is critical to application process. Key information required for submission includes: Documented processes and procedures. Evidence of management chain/quality control. Audits/effectiveness reports.. Points of contact with local law enforcement. DHS requires records demonstrating utility, effectiveness, and quality control. Gathering and interpreting information is typically the most time consuming part of the process. 17 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

19 Firewalls Antivirus System Forensic Investigation SAFETY Act BYOD Policies SAFETY Act Customer suffers loss/damage s SAFETY Act Breach Response Plan SAFETY Act APT Defense Systems Malware Protection Programs General Cybersecurity Policies and Procedures 18 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

20 Antivirus System Firewalls Forensic Investigation BYOD Policies APT Defense Systems Customer suffers loss/damages Malware Protection Programs Breach Response Plan General Cybersecurity Policies and Procedures 19 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

21 The Application Process 20 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

22 Key Questions and How To Use Any costs for filing a SAFETY Act application? No. What kind of security products are eligible for SAFETY Act protections? All products, services, and/or policies, including internal policies, whether physical or cyber. What is the practical effect of obtaining SAFETY Act protections? A cap on damages or immunity from damages arising out of or related to cyber attacks or acts of terrorism. 21 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

23 Key Questions and How To Use Cont. Can I realize SAFETY Act benefits just by purchasing and using SAFETY Act approved cyber security solutions? Yes. Can I require SAFETY Act approval in procurements? Yes. What kind of claims will this help mitigate/eliminate? Negligence, third party liability, failure to take reasonable mitigation steps, D&O claims. 22 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

24 SAFETY Act vs. Cyber/Terrorism Insurance SAFETY Act Jurisdictional defenses (Exclusive Federal jurisdiction, no punitive damages, no prejudgment interest) Cap on 3d party damages Possible immunity Government endorsement of security plans and technologies Cyber/Terrorism insurance Reimbursement for damages, but no cap No jurisdictional defenses No government sanction of security plans and technologies Less certainty as to coverage Tying SAFETY Act to cyber insurance can result in reduced premiums 23 Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches

25 Thank You for Participating! Joe DePaul Senior Vice President FINEX North American Cyber and E&O Team Willis Americas Administration, Inc. Phone: Brian E. Finch Partner, Public Policy Pillsbury Winthrop Shaw Pittman LLP Phone: Privacy, Cyber Threats and Risk Mitigation Preparing for and Handling Data Breaches