Cybersecurity: Changing Landscape and Opportunities
April Doss
Sarah Geffroy
2016 Cybersecurity Incident Trends
Costs of data breach, by sector:
- Healthcare: $355/record
- Education: $246/record
- Financial Services: $221/record
Impact of preparedness: measurable cost reduction ($16/record)
Trends:
- 26% chance of a data breach of >10K records in the next 2 years
- Over half of incidents caused by insiders (careless, inadvertent, or malicious)
- Ransomware continuing to rise
- Spear phishing and social engineering
- Internet of Things
Data sources: 2016 Ponemon Institute Study; 2016 Verizon Study
2016 Developments: States
- State breach notification laws
  - More defined timelines
  - Continued variation and overlap
- Increased activity in the states
- New York Department of Financial Services
  - Cybersecurity draft regulations issued in Sept. 2016
  - Comments being reviewed now
  - Concerns:
    - Precedent for other states
    - Inconsistent with risk-based approach
    - Detailed requirements and sweeping effect:
      - 72-hour breach notification
      - Broad definition of personal information
      - Covered entities must have a CISO and incident response policies and plans
      - Specific technical requirements (e.g. encryption in transit and at rest)
2016 Developments: Federal
- FTC enforcement
  - LabMD case
  - Expansion of FTC role
  - No need to demonstrate likelihood of harm
- DHHS OCR HIPAA enforcement
  - Amherst case
  - Illustrates trends in OCR enforcement of HIPAA
- Federal Rules of Criminal Procedure
  - Rule 41(b)
  - Rule change took effect Dec. 1
- International obligations
  - EU's General Data Protection Regulation
  - Effective May 2018
2016 Developments: Associations
- Voluntary/association standards for cybersecurity preparedness
- National Association of Insurance Commissioners
  - Draft Model Law on cybersecurity for regulated entities
  - Similar in content to NYDFS regulations
  - Would have to be enacted by states to be binding
  - But even without state enactment, could set expectations for standard of care in litigation
2016 Developments: Litigation
- What constitutes a reasonable standard of care?
  - California Attorney General: February 2016 California Data Breach Report
  - In re Home Depot: Federal Trade Commission Act and eight state laws
  - Derivative litigation / Directors and Officers liability claims
- What is the basis for monetary damages?
  - In re Anthem (N.D. CA, Feb. 14, 2016): data security failures support the claim that consumers were overcharged
  - In re Vtech (N.D. Ill. 2016): overpayment claim regarding the product rather than the service
Federal Developments (Continued)
- CISA implementation
- Regulatory concerns
- President's Cybersecurity Commission
- ISAO standards development
2017: A New Administration
Look for:
- Renewed engagement in protecting critical infrastructure (Cyber Review Teams)
- Continued discussion about active defense
Priorities from industry:
- Clearer federal deterrence policy
- Public-private partnership
- Less duplication and better organization at the federal level
- IoT attention in an ecosystem-wide manner
- Information sharing: actionable information
- Resources for small and medium-sized businesses
- International engagement
2017: A New Administration (Continued)
Continuing standards development:
- ISAO standards development
- Encryption
2017: Proactive Steps
All the steps you already know:
- Cybersecurity preparedness
- Incident response plan
- Consider cyber insurance
- Employee policies
- Personnel training
2017: Proactive Steps
Some additional steps you may not have considered:
- Participating in:
  - Trade associations, federal and state coalitions
  - Standard-setting bodies
  - Information sharing organizations
- Developing additional relationships:
  - With local FBI field offices
Questions?
Thank you for attending another presentation from ACC's Webcasts. Please be sure to complete the evaluation form for this program, as your comments and ideas are helpful in planning future programs. If you have questions about this or future webcasts, please contact ACC at webcast@acc.com. This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at http://www.acc.com/webcasts