October 15, 2019
New Challenges In Preparing For And Defending Against Breach Litigation
Jon Knight
Boies Schiller Flexner LLP
Dan Gerken
VERTIV
Mike Borgia
Aon’s Cyber Solutions (formerly Stroz Friedberg)
This Is A Conversation About Risk
• Increased risk of litigation and government investigation following a data breach and the factors driving that risk.
• Practical, internal conversations to identify risks and opportunities to avoid and defend against breach disputes with business partners.
• Adapting your infrastructure and policies to reduce risk.
Questions + Contact
Jon Knight Attorney Boies Schiller Flexner LLP 202-237-2727 jknight@bsfllp.com
Dan Gerken Associate GC, Americas Vertiv 614-841-5922 dan.gerken@vertiv.com
Mike Borgia Vice President Aon’s Cyber Solutions (formerly Stroz Friedberg) 617-259-9911 mike.borgia@strozfriedberg.com
The New Normal: Increased Risks Stemming From A Data Breach
[Chart: Publicly Reported Data Breaches, 2017–2019 (scale 0–1000). Source: Privacy Rights Clearinghouse]
[Chart: Percent of Data Breaches Due to Unintentional Disclosure, 2016–2019]
[Chart: Percentage of Data Breaches Due To External Malicious Activity, 2016–2019]
[Chart: Percentage of Data Breaches Prompting Class Action Litigation, 2016–2018]
The New Normal: Increased Risk
Increased Risk Courts Will Not Grant a Motion to Dismiss
Circuits With Relaxed Standing Requirements: • Third • Sixth • Seventh • Eighth • Ninth • D.C.
Circuits With More Strict Standing Requirements: • Second • Fourth
The New Normal: Increased Risk
Relaxed Standing Requirement – A Case Study: In re U.S. Office of Personnel Management Data Security Breach Litigation
• “Risk of future identity theft” found based on the nature of the compromised data.
• Confirmed that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
• In other words, plaintiffs need not show fraudulent charges were made or other injuries. Injury is essentially presumed based on the type of data taken.
The New Normal: Increased Risk
The Ninth Circuit Is Where The Action Is
Frank v. Gaos: on remand to the Ninth Circuit from the Supreme Court to consider standing. The privacy question is whether including information about a user’s search terms in the HTTP referrer header constitutes a violation of several Federal laws. The Supreme Court has asked the lower court to consider whether the plaintiffs have a concrete injury.
Facebook Consumer Privacy User Profile Litigation: the District Court denied a motion to dismiss, finding plaintiffs adequately alleged “a simple ‘privacy injury’” arising from the mere disclosure of certain information to other third parties, and that this “privacy injury” “gives rise to Article III standing” “without [any] further consequences.” Facebook has requested permission to make an immediate appeal.
The New Normal: Increased Risk
Other Factors Driving Litigation Risk
• The difficulty in waiving litigation rights or forcing arbitration in some jurisdictions. This is primarily a concern in California, which is why the number of cases brought in California is growing.
• The CCPA. This law guarantees statutory damages for certain breaches and expressly allows class actions, so it will be very difficult for defendants to argue that plaintiffs have no standing or no injury.
• New state laws prompt creative legal theories. The CCPA is the most recent change at the state level, but other laws are pending. All such laws will provide fodder for test cases, as plaintiffs will seek to probe the limits of what claims they can and cannot bring. For example, whether violations of the CCPA can be predicate violations of 17200, or whether violations of the “data sale” portion of the CCPA can be considered a data breach under the CCPA, are undecided questions.
New Challenges in Data Breach Litigation: Practical Perspectives
Dan Gerken, Associate General Counsel, Americas
October 15, 2019
An introduction to Vertiv: Architects of Continuity™
Data Centers | Communications Networks | Commercial and Industrial Facilities
© 2019 Vertiv All Rights Reserved
Nearly all aspects of our lives involve the use of technology. Technology drives the world’s demand for data.
Vertiv brings together hardware, software, and ongoing services to ensure our customers’ vital applications run continuously and perform optimally.
Our portfolio
POWER MANAGEMENT (Large Infrastructure: AC Power, DC Power, Energy Storage, Industrial Solutions, Thermal)
• Small, medium and large uninterruptible power systems (UPS)
• Industrial-grade UPS
• AC power distribution systems
• 12V to 400V DC power systems
• Custom DC UPS systems along with DC battery chargers and distribution
THERMAL MANAGEMENT
• Small thermal systems including room and row/rack cooling
• Air handling and chiller: large systems located outside the data room that provide climate control
IT AND EDGE INFRASTRUCTURE AND SOLUTIONS (Edge Systems, IT Systems, Rack, Rack PDU, Rack Thermal, Rack UPS)
• IT and infrastructure management solutions
• Rack PDUs
• Integrated solutions
SERVICES AND SOFTWARE
• Diverse array of services to handle ongoing customer equipment and product needs
• Maintenance, project and training services
• Tailored customer offerings
Select offerings and brands: Integrated Solutions, Liebert iCOM, Liebert CRV, Liebert DSE Package System, NetSure 5000, NetSure 7000, NetSure 8000, Liebert EXM, Liebert EXL S1, Liebert FPC, Preventive Maintenance, Performance Optimization, Project Services, Remote Services, Software & Monitoring, Liebert DS, KVM & Serial Console, Racks
Vertiv Data Center Application: air handlers & chillers; thermal management; UPS systems; condensers; power distribution; integrated solutions; racks & containment; monitoring, control & management; project services
Other noteworthy Vertiv stats
• Customer base: We serve 70%+ of Fortune 500 companies
• Operating capabilities: We have 20+ GW of installed cooling capacity and 14+ GW of installed UPS power, creating a $15B installed base
• Customer satisfaction: We have a Net Promoter Score of 40
• Data: We make decisions based on data collected from 1,000,000+ pieces of equipment
• Support: We employ ~2,700 service technicians, 4x that of our closest competitor
• Performance: We have 85% service renewal rates and a 55% warranty capture rate in power*
• Sites: We keep 600,000+ customer sites connected
• First-time fix: We have a ~90% first-time fix rate in site emergency visits, returning critical load within 24 hours
• Remote monitoring: We remotely monitor 12,000+ customers
• Training: We deliver 200,000 hours of technical training each year
* For medium and large UPS
Vertiv Timeline: Combining the entrepreneurial spirit of a startup with the resources and reach of an established leader.
1965 – Liebert Corporation was formed as the industry’s first manufacturer of precision computer room air conditioning (CRAC)
1987 – Emerson acquires Liebert® Corporation, now a pioneer in thermal management and power protection for IT systems
2000 – Emerson forms Network Power (ENP) business, integrating critical infrastructure technologies under a single brand
2001 – ENP increases presence in Asia with the purchase of Avansys and forms ENP India
2004 – ENP acquires Marconi outside plant and power system, expanding telecom industry solutions
2006 – ENP acquires Germany-based Knürr AG, a leading provider of enclosure systems
2009 – ENP acquires Avocent, a provider of service processor and data center management software and KVM solutions
2010 – ENP acquires Chloride®, customized power solutions for industrial applications
2016 – Vertiv launches as a stand-alone business, building on the success of Emerson’s past while expanding capabilities and commitment to support the mission of designing, building and servicing mission-critical technologies that drive possibility for our customers
2018 – Vertiv makes its first three acquisitions: Energy Labs, a U.S.-based manufacturer of custom air handling systems; Geist, a leading manufacturer of rack power distribution units; and the service contracts of MEMS, a UK power generation maintenance business
Our numbers
• Sales: 4.3 B
• Employees: ~19,700
• Customers include Alibaba, Alstom, America Movil, AT&T, China Mobile, Equinix, Ericsson, Reliance, Siemens, Telefonica, Tencent, Verizon, Vodafone
• Manufacturing sites: 19 | Customer centers/labs: 17 | Operations: 51 countries
Meeting our customers’ demand for data – wherever they are.
Critical Infrastructure and Solutions | IT and Edge Infrastructure | Services and Software Solutions
Offering: Broad range of power, thermal, and IT and edge infrastructure, solutions and services portfolio
Geography: Global, well-established footprint and supply-chain network (Americas, EMEA, AP)
End Market: Customers who operate in some of the world’s most critical industries (Data Centers, Communications, Commercial & Industrial)
Our presence
• Worldwide: 19 manufacturing and assembly locations; 270+ service centers; 2,700+ service field engineers; 330+ technical support/response; 17 customer experience centers/labs
• US and Canada: 7 manufacturing and assembly locations; 120+ service centers; 850+ service field engineers; 120+ technical support/response; 4 customer experience centers/labs
• Latin America: 1 manufacturing and assembly location; 20+ service centers; 300+ service field engineers; 25+ technical support/response; 2 customer experience centers/labs
• Europe, Middle East, and Africa: 5 manufacturing and assembly locations; 70+ service centers; 600+ service field engineers; 95+ technical support/response; 6 customer experience centers/labs
• Asia Pacific: 6 manufacturing and assembly locations; 60+ service centers; 950+ service field engineers; 90+ technical support/response; 5 customer experience centers/labs
Data Privacy – Practical Perspectives
Agreements (1 of 2)
1. What does my client WANT TO DO with this agreement?
• Sell products? Sell services? Buy products? Buy services?
• If so, what products, or what services, and why?
2. What does THIS THING DO?
• How does it do it? Who made it?
• Who maintains / updates it? How? How often?
3. What protections DO WE WANT?
• What is CRITICAL TO OUR BUSINESS? Not the “business model” generally, and not scapegoating the general business approach.
• How do we preserve that? Hardware; software; users.
• SCOPE OF DATA collected
• What protections do we HAVE TO PASS DOWN from our customers / clients? We need the same, or better, language compared to that prior agreement.
Data Privacy – Practical Perspectives
Agreements (2 of 2)
4. What are the RISKS?
• Regarding this product offering? With this provision?
• Ask engineers. Consider a conversation, without deadline pressure, between outside counsel, inside counsel, and product offering engineers.
• What unintended consequences are there? Be creative and imagine the worst case scenario.
Data Privacy – Practical Perspectives
Litigation
1. You know your position – but what are THE FACTS?
• Engage an independent expert – perhaps quickly. Share discovery with her.
• Discovery – with engineers! Craft interrogatories with their input; ask them to read depo transcripts; ask them to review your depo outlines.
2. Cut to the chase – plan for your cleanest DISPOSITIVE MOTION
• If there is any hope of MTD, MSJ, MPSJ, write it now and plan discovery around it.
• Be strategic about what motion, on what claims, and when to file. Coordinate discovery accordingly.
• Ask a junior associate to write the motion with today’s facts. Read the blank “facts” section – what do you need? Unleash discovery on the cold spots in your “facts” section.
Adapting Your IT Environment to the New Normal
Security Challenges of the New Normal
Heightened risk of liability increases pressure to:
• Protect Personal Data
• Defend against unauthorized access
• Inhibit misuse through information governance and strong privacy practices
• Adopt “reasonable security” measures
Defending Your Personal Data
Access Controls and Defenses: • MFA • Firewalls • Malware and Threat Detection • Network and System Hardening
InfoGov and Privacy Program Mgmt.: • Encryption • Data Minimization • Segmentation • Data Disposal • Obfuscation, Pseudonymization
Reducing Risk Through InfoGov.
[Diagram: a customer record holding Name, Address, SSN and Tx History is minimized to Name alone]
In re Zappos.com, Inc.: “[T]he type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming.’”
InfoGov and the Data Lifecycle
• Collect: Minimization
• Store: Encryption, Segregation
• Use: Access Management, Privacy by Design
• Share: Minimization, Pseudonymization
• Archive: Encryption, Retention Schedule
• Destroy: Retention Schedule, Destruction
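The lifecycle controls on this slide and the minimization point of the Zappos slide above can be made concrete in code. The following is an added example, not code from the presenters or from Vertiv: it applies purpose-based minimization, keyed pseudonymization of a direct identifier before sharing, and a retention schedule that drives destruction, over constructed customer records. The field names, purposes, retention periods and the key are assumptions for illustration; a real key would live in a key management system, segregated from the data set it protects.

```python
"""Added example: lifecycle controls (minimize, pseudonymize, retain/destroy)
applied to constructed customer records. Purposes, fields, retention periods
and the key below are illustrative assumptions, not a real program."""
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample records with fake values.
RECORDS = [
    {"id": 1, "name": "Alice Example", "address": "1 Main St", "ssn": "123-45-6789",
     "tx_history": ["2019-01-03 $40.00"], "collected": date(2016, 3, 1)},
    {"id": 2, "name": "Bob Example", "address": "2 Elm St", "ssn": "987-65-4321",
     "tx_history": ["2019-09-12 $12.50"], "collected": date(2019, 9, 12)},
]

# Assumed purpose-to-field map: each purpose may hold only the fields it needs.
PURPOSE_FIELDS = {
    "order_fulfilment": {"id", "name", "address", "tx_history", "collected"},
    "fraud_analytics": {"id", "ssn", "tx_history", "collected"},
}

# Assumed retention schedule, in days from the collection date.
RETENTION_DAYS = {"order_fulfilment": 3 * 365, "fraud_analytics": 7 * 365}

# Reference date for the retention check (the date of the presentation).
AS_OF = date(2019, 10, 15)


def minimize(record, purpose):
    """Collect/Share stage: keep only the fields the stated purpose requires."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize(value, key):
    """Keyed pseudonym (HMAC-SHA256) for a direct identifier.

    An unkeyed hash of an SSN can be reversed by enumerating the ~1e9 possible
    values; the secret key prevents that. The key is stored apart from the
    shared data set (Store stage: segregation)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def prepare_for_sharing(record, purpose, key):
    """Share stage: minimize, then replace the SSN with a pseudonym so a partner
    can link records across deliveries without holding the identifier."""
    out = minimize(record, purpose)
    if "ssn" in out:
        out["ssn_pseudonym"] = pseudonymize(out.pop("ssn"), key)
    return out


def expired(record, purpose, today):
    """Archive/Destroy stage: True once a record is past its retention period."""
    return today - record["collected"] > timedelta(days=RETENTION_DAYS[purpose])


def apply_retention(records, purpose, today):
    """Return (records to keep, ids to destroy) under the retention schedule."""
    kept = [r for r in records if not expired(r, purpose, today)]
    purged = [r["id"] for r in records if expired(r, purpose, today)]
    return kept, purged


if __name__ == "__main__":
    key = b"demo-key-constructed-for-example"  # assumption: a real key comes from a KMS
    for r in RECORDS:
        print(prepare_for_sharing(r, "fraud_analytics", key))
    kept, purged = apply_retention(RECORDS, "order_fulfilment", AS_OF)
    print("keep:", [r["id"] for r in kept], "destroy:", purged)
```

Run as a script, the first two lines print fraud-analytics extracts with no name, address or raw SSN, and the last line shows record 1 (collected in 2016) falling outside the three-year order-fulfilment retention period while record 2 is kept. The design point is that the same record is held in different shapes for different purposes, and the retention clock runs per purpose, which is what a retention schedule in a written program documents.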
Reasonable Security
Risk Assessment
• Business operations using sensitive data
• IT systems
• Security threats
• Impact of security events
• Harm to company
• Harm to data subjects
Responsive Controls
• Policies, procedures, and mechanisms to address identified risks
• Operational, technical and physical
Program Documentation
• Documentation of controls in place and how they address identified risks
• Analysis of why certain controls are not needed, and how the company is mitigating related risk
Reasonable Security
• But is it “reasonable”?
CCPA, § 1798.150(a)(1): Any consumer whose nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action ….
Reasonable Security
Generally accepted frameworks provide a strong baseline. For example:
• NIST SP 800-53
• Secure Controls Framework (SCF)
• ISO 27001, 27002
• Center for Internet Security (CIS) Controls
• NIST Cybersecurity Framework
Security is not “check-the-box,” but to regulators you should be able to explain why you aren’t checking certain boxes.