A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues

Transcription

1 Cybersecurity and Data Privacy Law Conference January 26, 2017 A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues Panelists: Altresha Burchett-Williams, AT&T, Dallas Seth Jaffe, Technology Attorney, Southwest Airlines, Dallas Ryan Lobato, Counsel, ExxonMobil, Houston Moderator: Bart Huffman, Locke Lord, Austin

2 INCIDENT RESPONSE Seth Jaffe Jan. 2017

3 HERDING THE CATS Established Disciplines Team Director Communication Protocols Incident Response Plan Bifurcation Procedures Policies Governing Body (Steering Committee) Seth Jaffe Jan. 2017

4 DISCIPLINES Every company is unique, but most teams have standard members. At some point, the size becomes unwieldly. How do you pare it down? Comm Customer Support Brand PR Call Center Loyalty Seth Jaffe Jan. 2017

5 TEAM DIRECTOR ROLE OF DIRECTOR Manage the room Maintain big picture status Provide a forum for discussion Challenge the assessments of members Set priorities Set the timeline Facilitate useful discussion Include relevant stakeholders Assign actions Verify actions are complete CAPABILITIES OF DIRECTOR Proficient in all core disciplines Recruited from core discipline Receives management training Maintains relationship with disciplines Receives PR training Seth Jaffe Jan. 2017

6 COMM PROTOCOLS Who is speaking? Who is she speaking to? Has she modified her vernacular to the target audience? Curb the tautology. Seth Jaffe Jan. 2017

7 PLAN PROCEDURES POLICIES/RULES Response Guide Guide decisions based on prior agreed Step by step in the heat of the policies moment Provide an easily indexed reference Clear for backup disciplines guide for policies of the Plan Steer disciplines to ancillary Set out the do's or don't s in clearly documents understandable text Provide a more easily updatable Provide rationale for decisions document Serve as a training tool for disciplines Modify on lessons learned Indicate subject matter experts Serve as a training tool for a discipline Provide a more easily updatable Serve as a training tool for other document disciplines Modify on changes in policy Coordinate actions between disciplines Modify on lessons learned Easier to reference actions Document controlled Seth Jaffe Jan. 2017

8 Other approaches? PLAN

9 Approach TABLETOPS Facilitation Frequency Fidelity/Realism Contingencies

10 HANDLING ACTUAL INFORMATION SECURITY INCIDENTS Privilege Considerations Internal (execution of the Plan) Coordination with Third Parties (when incident arises from third-party processing) Investigation External Relations (corporate communications, notifications to individuals, etc.) Regulatory Concerns

11 MANAGING CYBER SECURITY RISKS

12 PROACTIVE MEASURES TO AVOID OR MINIMIZE THE IMPACT OF A BREACH Masking and other data-protective technologies Tracking and flagging patterns and potential problems Vendor relations, generally Standing arrangements with computer forensic specialists

13 RISK ASSESSMENTS Types of risk (business continuity, data integrity, theft, litigation, etc.) Working with internal Info Sec teams Helping the internal client identify data that is being transferred and its value (and associated dependencies) Special considerations associated with engagement of small vendors Special considerations associated with engagement of outside counsel

14 ENGAGEMENT OF THIRD PARTIES Security Requirements Level of detail Tailoring Flexibility/evolution over time Controls regarding software Fundamental Contract Provisions Adherence to privacy & security laws Adherence to privacy & security rules imposed by industry [e.g., PCI, IAB] Safeguards no less rigorous than as set out in [standard] Alignment with company s WISP Notification and risk allocation terms

15 ENGAGEMENT OF THIRD PARTIES (cont.) Risk allocation Limitations of liability Indemnity Notification and identity protection costs Cyber insurance

16 ENGAGEMENT OF THIRD PARTIES (cont.) Validation/monitoring Audits and certifications (ISO 27001, SOC 2, etc.) Trade-offs between assurances and other contract terms Offshore challenges

17 ENGAGEMENT OF THIRD PARTIES (cont.) Impacts of security failures Damages Contract termination Opportunities for improvement

18 OTHER TOPICS Privacy Shield Cloud Big Data / De-Identification and Anonymization

19 ??? Altresha Burchett-Williams, AT&T Seth Jaffe, Southwest Airlines Ryan Lobato, ExxonMobil Bart Huffman, Locke Lord