Cyber Liability and Privacy Issues
Lynn Sessions, Baker & Hostetler LLP
[email protected]
713.646.1352

Topics
- What is cyber liability?
- What is a data breach?
- Breach response
- Cyber insurance
- Regulatory enforcement and litigation

Where are the threats?
Internal threats:
- Employee negligence
- Security failures
- Lost mobile devices
- Employee ignorance
- Improper disposal of personal information (dumpsters)
- Lack of education and awareness
- Malicious employees
External threats:
- Hackers
- Malware
- Ransomware
- Phishing / spear phishing
- Social engineering
- Corporate espionage
- Vendors
- Political hacktivists (Anonymous, Guardians of Peace)

Common Breach Scenario
- Will be an external attack involving hacking and the use of malware
- Vulnerability often created by third-party vendors' practices
- Breach may not be detected for months
- Entity learns of the breach from a third party (CPP report, law enforcement)
- Initial exploit relatively simple and avoidable

Victims By the Numbers
[Figure: adapted from Mandiant's M-Trends "Beyond the Breach: 2014 Threat Report"]

Credit Card Skimming Devices
[Figure: skimming device examples]

[Figure. Source: Google, "Behind Enemy Lines in our war against account hijackers" (Nov. 2014)]

A Simplified View of a Data Breach
Discovery of a data breach -> Evaluation of the data breach -> Managing the short-term crisis -> Handling the long-term consequences -> Class-action lawsuits

Trigger: theft, loss, or unauthorized disclosure of personally identifiable non-public information or third-party corporate information that is in the care, custody or control of the Insured Organization, or of a third party for whom the Insured Organization is legally liable.

Consequences:
- Notification and credit monitoring
- Forensic investigation and legal review
- Regulatory fines, penalties, and consumer redress
- Reputational damage
- Public relations
- Income loss

What is a Data Breach?
Actual release or disclosure of information to an unauthorized individual / entity that relates to a person and that:
- May cause the person inconvenience or harm (financial / reputational): names, home addresses, email addresses, usernames, passwords, family-member information, etc.
- May cause inconvenience or harm to your patients, employees or business partners (financial / reputational):
  - Information that relates to patients (see above)
  - Information that relates to current / former employees and applicants
  - Information relating to internal matters (business plans, employment disputes, union negotiations)
- Paper or electronic

Regulatory Landscape
[Figure: state regulation (e.g. TX, CA); industry self-regulation (PCI-DSS)]

State Laws
- 47 states, D.C., & U.S. territories
- Laws vary between jurisdictions
- Varying levels of enforcement by state attorneys general
- Limited precedent
- What does "access" mean?
- What is a reasonable notice time?

Decisions, Decisions, Decisions
- Is it a breach?
- Do you involve law enforcement?
- Do you hire a forensics company?
- Do you retain counsel?
- Do you involve regulatory agencies?
- Is crisis management necessary?
- Do you offer credit monitoring?
- Do you get relief from a law enforcement delay?

Communications Strategy
Target: speaking too soon and on the fly
- Dec. 20, 2013: Initial notice indicated that the breach affected card data (no PINs) of 40 million
- Dec. 27, 2013: PIN numbers captured
- Jan. 10, 2014: Personal information of 70 million customers taken

What Will the Entity Encounter?
- Initial public disclosure before you are ready
- Forensic investigation
- Media & customer inquiries
- Regulatory inquiries
- Operational challenges
- Decisions on public statements
- State breach notification law analysis
- Law enforcement
- Consumer class actions
- Issuing bank lawsuits
- Card network fines / assessments
- D&O lawsuits
- System remediation and revalidation
- Reporting of impact
- Regaining customer trust

Respond
- Respond quickly
- Document analysis
- Bring in the right team
- Involve the C-suite
- Preserve evidence
- Contain & remediate
- Let the forensics drive the decision-making
- Law enforcement
- Be guarded, consistent, and honest in communications
- Plan for the likely reaction of customers, employees, & key stakeholders
- Mitigate harm

Prepare
- Cyber liability insurance
- Written information security policy
- Incident response plan
- Training & education
- Identify & mitigate risk
- Manage vendors

Information Security & Privacy Insurance: Coverages
Legal liability coverages (defense costs and damages):
- Regulatory defense & penalties
- Payment Card Industry fines and penalties
Breach response expenses (theft, loss or unauthorized disclosure of information):
- Legal counsel
- Computer forensics
- Public relations
- Notification costs
- Credit monitoring
First-party coverages:
- Cyber extortion
- Data restoration
- Business interruption

Information Security & Privacy Insurance: Cyber Insurance is more than indemnification
Clients often have very little experience with data breach issues. Breach response can be complex and time consuming. What do insureds that incur a data breach want? (To put it behind them so they can get back to business!) Top breach response insurers have handled thousands of incidents and are prepared to provide guidance and direction to an insured. It's not the fact that you had a breach that is important, it is how you handle the breach that matters.

Become Compromise-Ready
- Incident response tabletop exercises
- Security assessments
- Understand where assets and sensitive data are located
- Reasonable security
- Detection capabilities
- Technology
- Personnel
- Threat information gathering
- Ongoing diligence

What are regulators looking at?
- Transparency
- Risk assessments
- Encryption
- Business Associate Agreements (health care) / vendor agreements
- Minimum necessary (health care)
- Documentation of breaches
- Policies and procedures
- Old data
- Prompt and thorough investigation
- Good attitude & cooperation (commitment to compliance and safeguarding PII)
- Appropriate and prompt notification
- Remediation and mitigation
Regulators look beyond the breach incident and look at information security enterprise-wide.

Litigation
Common theories of harm:
- Increased risk of identity theft
- Time and effort to monitor / fix credit
- Emotional distress
- Personal information as property
- Invasion of privacy
- Breach of contract
- Breach of fiduciary duty
- Negligence
- Unfair, deceptive and unlawful business practices
- Defamation, libel, and slander
- Unjust enrichment

Conclusions: Not if but when
- Information exists in multiple formats throughout an organization
- Information is subject to multiple forms of loss
- The costs of a data breach event may be significant: notification costs, credit monitoring expenses, defense costs, cost of settlements or judgments
- The assistance and guidance of a trusted partner may be more valuable
- Costs generally not covered by traditional insurance
- Information security & privacy liability insurance is available as a specialty coverage

Questions?
