ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

Speakers:
- Janis Kestenbaum (Federal Trade Commission)
- John O'Tuel (GlaxoSmithKline)
- Alfred Saikali (Shook Hardy & Bacon)
- Christopher Wolf (Hogan Lovells)
2011 Data Breach Statistics

- 558 breaches
- 126 million records
- 76% server exploits
- 92% avoidable
- $318 cost per record
- $7.2 million average cost of each breach
- $6.5 billion impact to U.S. businesses

Source: Online Trust Alliance (2011)
Why Should You Care?

- 90% of organizations have suffered a breach; 59% experienced two or more breaches in the last year; 41% of those who suffered a breach said it cost their organization at least $500,000. Source: Ponemon Institute (2010).
- Companies are increasingly storing information electronically (and so are their service providers).
- Companies are increasingly storing information in the cloud (and so are their service providers).
- Most companies have suffered or will suffer a data breach, and it will be expensive to resolve.
- The definition of Personally Identifiable Information (PII) continues to evolve.
What is a Data Breach?

Generally: unencrypted personal information that is acquired by an unauthorized person.

- Negligence: lost laptop, hard drive, thumb drive, mobile device, or misdirected information (76% of all U.S. data breaches)
- Malicious or criminal attack: phishing, malware, economic espionage, advanced persistent threats, political hacking (24% of all U.S. data breaches)
- Third-party flub: service provider suffers a data breach (42% of all U.S. data breaches)

Source: Ponemon Institute (7/13/10)
First Step: Assessment

- What information is maintained by the company (and its service providers)?
- Where is it maintained?
- How is it maintained?
- What measures have been taken to protect the confidentiality of the data?
- Are there policies/procedures/training about the maintenance of the information and what to do if a breach occurs?
- Is an incident response team and backup plan in place should a data breach occur?
- Do you know what legislative and regulatory provisions govern the maintenance of the information and, should a breach occur, the obligation to disclose?
Second Step: Prevention

- Classify the data
- Draft policies/procedures regarding proper maintenance of the data
- Train employees on maintenance of the data
- Adopt measures to maximize security of the data
- Negotiate contractual provisions with service providers to secure data and limit liability
- Create an incident response plan
- Insure against risk of loss (??)
Proactive Technical Remedies

- Require approved browsers for all employees and partners
- Proper levels of encryption of files that are transmitted externally and also at rest on portable devices/cloud storage/routers/access points
- Password management
- Monitoring for third-party code, email phishing (links/advertising), and other malware
- Always On SSL and EV SSL certificates
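The "Always On SSL" remedy above is a posture a site owner can check from captured HTTP responses. The following is an added example (not from the slide deck or the presenters); it assumes the two responses below were captured by the site owner for the plain-HTTP and HTTPS versions of a hypothetical site, and the header values are constructed sample input.

```python
"""Offline audit of an 'Always On SSL' posture from captured HTTP responses.

Added example, not from the original slides. The responses and host name
(example.test) are constructed sample input, assumed to have been captured
by the site owner for http:// and https:// requests to the same page.
"""
import re

# Constructed sample: response to http://example.test/ and https://example.test/
HTTP_RESPONSE = {
    "status": 301,
    "headers": {"Location": "https://example.test/"},
}
HTTPS_RESPONSE = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": [
            "session=abc123; Secure; HttpOnly; Path=/",
            "prefs=dark; Path=/",  # deliberately missing the Secure flag
        ],
    },
}

MIN_HSTS_AGE = 180 * 24 * 3600  # six months, in seconds


def audit_always_on_ssl(http_resp, https_resp):
    """Return a list of findings; an empty list means the checks all pass."""
    findings = []
    # 1. Plain-HTTP requests must be redirected to an https:// URL.
    loc = http_resp["headers"].get("Location", "")
    if not (300 <= http_resp["status"] < 400 and loc.startswith("https://")):
        findings.append("plain-HTTP request is not redirected to HTTPS")
    # 2. The HTTPS response must carry HSTS with a reasonably long max-age.
    hsts = https_resp["headers"].get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("no HSTS header on the HTTPS response")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age shorter than six months")
    # 3. Every cookie set over HTTPS must be marked Secure, or it can leak
    #    over a later plain-HTTP request.
    for cookie in https_resp["headers"].get("Set-Cookie", []):
        name = cookie.split("=", 1)[0]
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name!r} lacks the Secure flag")
    return findings
```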
Third Step: Response

- Identify the scope of affected data
- Identify the source of the intrusion
- Possible involvement of law enforcement (?)
- Remediation
- Disclosure (see next slide)
- Communication (internally and externally)
- Credit monitoring (?)
Disclosure Issues

- Do I need to disclose? What data was affected? How was it affected?
- What do I disclose? How detailed must the disclosure be?
- To whom do I need to disclose? Customers? Government entity (state/federal)? Shareholders? Partners/subsidiaries/IP collaborators?
- How/when do I disclose? Statutes/regulations governing the method of notification?
Civil Lawsuits

- Examples include Dropbox, Hannaford, and Providence Health
- Causes of action (breach of contract? unfair trade practices? negligence? fraud?)
- Defenses (lack of harm, economic loss rule)
- Damages (credit monitoring, emotional distress for risk of fraud, punitive damages, attorney's fees)
U.S. Data Privacy/Security Laws

- 47 different state data breach laws
- Electronic Communications Privacy Act
- Gramm-Leach-Bliley Act
- U.S.A. Patriot Act
- Privacy Protection Act
- Pending federal Cybersecurity Act
- HIPAA/medical information regulation
Privacy by Design

Privacy protection is incorporated into a company's products, customs, services, and practices from the beginning where possible.

- Example: Google+. All contacts are placed in nonpublic circles, and users are asked to designate the circle to share with for every post.
- Example: Apple iPhone's purple arrow icon. It appears at the top of the screen, letting the user know that their location information is being sent to an app.
Issues Relating To The Cloud

- Single-tenant vs. multi-tenant server
- Limitations on liability clauses
- Security measures taken by the cloud service provider
- Location of servers (data privacy/security requirements in the jurisdictions of those servers)
- Government's ability to search data in the cloud
Speaker Information

- Janis Kestenbaum, Federal Trade Commission, jkestenbaum@ftc.gov
- John O'Tuel, GlaxoSmithKline, john.w.o'tuel@gsk.com
- Alfred Saikali, Shook Hardy & Bacon, LLP, asaikali@shb.com
- Christopher Wolf, Hogan Lovells U.S. LLP, christopher.wolf@hoganlovells.com

Special thanks to: Craig Spiezle, OT Alliance, craigs@otalliance.org