2017 CYBER AND PRIVACY FORUM
2018 and Beyond: The Evolving Cybersecurity and Privacy Landscape
September 14, 2017
Omni New Haven Hotel at Yale
155 Temple Street, New Haven, Connecticut
www.wiggin.com
Table of Contents

A. Agenda

B. Publications and Resources
• Uber-FTC Settlement Highlights the FTC’s Focus on Aligning Security Promises with Security Practices
• Although Delayed, New York’s Aggressive Cybersecurity Law Expected to Affect Financial Services and Insurance Firms
• CNN Interview with David Hall – Report on Crack99, a book by Wiggin and Dana Partner, David Hall
• Wiggin and Dana Webinar – Information Security and Third Party Service Providers: What You Don’t Know Can Hurt You
• Cybersecurity Preparedness Checklist
• General Data Privacy and Cybersecurity Diligence Request
• Cybersecurity Due Diligence Questionnaire
• “Cybersecurity and Privacy in Business Transactions: Managing Data Risk in Deals,” BNA Privacy & Data Security Practice Portfolio Services, Portfolio No. 540 (available online at https://www.bna.com/privacy-data-security/)

C. PowerPoint Presentations
• Recent U.S. Privacy Law Developments and Key Takeaways
• Hybrid Cloud Security for Financial Services
• Addressing Cyber Risks in Vendor Contracts
• Cybersecurity Risk in Mergers and Acquisitions

D. Speaker Biographies

E. Wiggin and Dana
• Cybersecurity and Privacy
• EU GDPR Services
• Incident Response Services
• Corporate
• Emerging Companies
• Mergers and Acquisitions
• Education
• Health Care
• Health Care Compliance
• Health Information Technology
• HIPAA
• Insurance
• Outsourcing and Technology
2017 CYBER AND PRIVACY FORUM
2018 AND BEYOND: THE EVOLVING CYBERSECURITY AND PRIVACY LANDSCAPE
September 14, 2017 | Omni New Haven Hotel at Yale | 8:00 a.m. - 2:30 p.m.
8:00 - 8:30 Registration and Breakfast
8:30 - 8:50 Cyber Threat, Threat Actors and Best Practices for Mitigating the Risk Keynote Speaker: Mr. John Boles, Director at Navigant
8:50 - 9:40 General Session Panel #1 – The Current Threat Environment, Response Strategies, and Mitigation
Wiggin and Dana Moderator: Michael Menapace
Panelists: John Boles, Navigant; Jessica Block, Ankura Consulting Group; David Hall, Wiggin and Dana
9:40 - 9:55 Break and Networking
10:00 - 10:50 General Session Panel #2 – Recent U.S. Privacy Law Developments and Key Takeaways
Panelists: Michael Kasdan, Wiggin and Dana; John Kennedy, Wiggin and Dana
10:50 - 11:40 General Session Panel #3 – Globalization & GDPR
Wiggin and Dana Moderator: Michelle DeBarge
Panelists: Nicole Wolters Ruckert, Kennedy Van der Laan; Denise Tessier, IBM; Volker Wodianka, SKW Schwarz
11:40 - 12:00 Networking
Breakout Sessions: *Optional Programs*
12:00 - 12:30 Lunch (must be registered separately for lunch and afternoon breakout sessions)
12:30 - 2:30 GDPR Intensive
Wiggin and Dana Moderator/Presenter: Michelle DeBarge
Panelists: Nicole Wolters Ruckert, Kennedy Van der Laan; Denise Tessier, IBM; Volker Wodianka, SKW Schwarz
12:30 - 1:45 Addressing Cyber and Privacy Risks in Deals: M&A, Cloud, BPO Services and Smaller Deals
Wiggin and Dana Moderator/Presenter: John Kennedy
Panelists: Evan Kipperman, Wiggin and Dana; Michael Menapace, Wiggin and Dana; Kishore Ramchandani, IBM
Uber-FTC Settlement Highlights the FTC’s Focus on Aligning Security Promises with Security Practices
The Federal Trade Commission (“FTC”) announced this week its settlement with Uber Technologies, Inc. (“Uber”) related to certain alleged deceptive data security practices at Uber. The settlement continues the FTC’s now years-long focus on alleged deceptive and unfair data security practices.
The FTC’s essential allegations in its complaint were that Uber had engaged in deceptive data security and privacy practices, “[f]irst by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.”1 As part of the settlement (or “Consent Agreement”), Uber is required to (a) implement a comprehensive privacy program, and (b) for the next twenty years, submit to biennial third party privacy audits and maintain records and file reports confirming compliance with the Consent Agreement. The Consent Agreement includes Uber’s statement that it neither admits nor denies any of the FTC’s allegations in the complaint.
What Attracted FTC Scrutiny

Uber’s security systems were compromised in May 2014, resulting in unauthorized access to over 100,000 drivers’ license information, including names and social security numbers. The breach was discovered in September 2014. At the time, Uber had publicized its privacy policy (via its website and dissemination to the press) as follows:
“Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors…The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.” 2
The FTC’s complaint alleged that, in contrast to these security promises, Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts since November 2014.” Indeed, the FTC alleged that Uber’s automated system for monitoring employee access to consumer personal information in December 2014 “was not designed or staffed to effectively handle ongoing review of access to data by Respondent’s thousands of employees and contingent workers.” And although Uber implemented a new automated monitoring system in August 2015, the FTC alleged that Uber still failed to monitor its employees comprehensively for potential misuse of consumer personal information, except for specific employee-generated reports about inappropriate access to co-workers.

Based on these allegations, the FTC’s complaint charged that Uber’s security policy was deceptive.

As used in the Consent Agreement, “Personal Information” means individually identifiable information collected or received, directly or indirectly, by Respondent from or about an individual consumer, including: (a) a first and last name; (b) a physical address; (c) an email address; (d) a telephone number; (e) a Social Security number; (f) a driver’s license or other government-issued identification number; (g) a financial institution account number; (h) persistent identifiers associated with a particular consumer or device; or (i) precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information.

1 https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data
2 See FTC’s Complaint, In the Matter of Uber Technologies, Inc., paragraph 11, copy available at https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf

August 2017 | Advisory
© 2017 Wiggin and Dana llp. In certain jurisdictions this may constitute attorney advertising.

If you have any questions about this Advisory, please contact:
JOHN KENNEDY
AARTHI S.
Key Terms of the Consent Agreement
1. Comprehensive Privacy Program

Under the Consent Agreement, Uber is required to establish and maintain a comprehensive privacy program that (1) addresses “privacy risks related to the development and management of new and existing products and services for consumers,” and (2) protects “the privacy and confidentiality of Personal Information.”3 The Consent Agreement includes all of the FTC’s standard injunctive measures for settlements of this kind, including:
• the designation of an employee or employees responsible for the privacy program;
• the identification of reasonably foreseeable risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of Personal Information, and an assessment of the sufficiency of any safeguards in place to control these risks;
• the design and implementation of reasonable controls and procedures to address such risks, and regular testing or monitoring of the effectiveness of those controls and procedures;
• selecting and retaining service providers capable of protecting the privacy of Personal Information, and requiring service providers, by contract, to implement and maintain privacy protections; and
• evaluation and adjustment of the privacy program in light of the results of the testing and monitoring efforts and any changes to operations that may have an impact on the effectiveness of the privacy program.

2. Third Party Audits for 20 Years

Uber is also required to obtain initial and biennial assessments (“Assessments”) completed by a “qualified, objective, independent third-party professional” approved by the FTC. After an initial report covering the first 6 months after the order, biennial reports are required for the next 20 years.

The inclusion of a mandated security program subject to a 20-year audit requirement is a standard FTC measure and has been included in most of its settlements in recent years.
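The monitoring gap at the center of the complaint (a system “not designed or staffed to effectively handle ongoing review of access to data,” later supplemented only by employee-generated reports about access to co-workers) is easier to see as a concrete check. The following is an added example, not code from the advisory, the FTC or Uber. It reviews a constructed employee access log in JSON-lines form; the field names, the support-ticket table, the employee-account list and the thresholds are all hypothetical. It surfaces the patterns an automated review would flag for a human: a record opened with no ticket, a ticket that does not cover the record opened, access to a co-worker’s account, and an unusual number of distinct accounts touched by one agent in a short window.

```python
"""Automated review of employee access to customer records.

Added example (not code from the advisory, the FTC or Uber). The audit-log
format, ticket table, employee-account list and thresholds are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed support-ticket table: ticket id -> the customer record the
# ticket is about. A lookup is justified only if its ticket covers the record.
TICKETS = {
    "T-500": "rider:1001",
    "T-501": "rider:1002",
    "T-502": "driver:2002",
}

# Constructed list of customer accounts that belong to employees; the
# complaint mentions reports of inappropriate access to co-workers' data.
EMPLOYEE_ACCOUNTS = {"rider:9001"}

# Constructed audit log, one JSON object per line. "ticket" is null when the
# agent opened a record without citing any ticket.
SAMPLE_LOG = """\
{"ts": "2017-08-01T09:00:00Z", "actor": "agent_17", "record": "rider:1001", "ticket": "T-500"}
{"ts": "2017-08-01T09:05:00Z", "actor": "agent_17", "record": "rider:1002", "ticket": "T-501"}
{"ts": "2017-08-01T09:07:00Z", "actor": "agent_42", "record": "driver:2001", "ticket": null}
{"ts": "2017-08-01T09:08:00Z", "actor": "agent_42", "record": "driver:2002", "ticket": "T-502"}
{"ts": "2017-08-01T09:09:00Z", "actor": "agent_42", "record": "driver:2003", "ticket": "T-502"}
{"ts": "2017-08-01T09:10:00Z", "actor": "agent_42", "record": "driver:2004", "ticket": "T-502"}
{"ts": "2017-08-01T09:11:00Z", "actor": "agent_42", "record": "driver:2005", "ticket": "T-502"}
{"ts": "2017-08-01T09:12:00Z", "actor": "agent_42", "record": "driver:2006", "ticket": "T-502"}
{"ts": "2017-08-01T10:30:00Z", "actor": "agent_17", "record": "rider:9001", "ticket": null}
"""

VOLUME_THRESHOLD = 5            # distinct records by one actor inside WINDOW
WINDOW = timedelta(minutes=15)  # hypothetical review window


def parse_log(text):
    """Parse JSON-lines audit events and return them in timestamp order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def review_access(events, tickets=TICKETS, employee_accounts=EMPLOYEE_ACCOUNTS):
    """Return a list of findings; each is a dict with actor, record and reason."""
    findings = []
    recent = defaultdict(list)   # actor -> [(ts, record)] inside the window
    volume_flagged = set()       # actors already reported for volume
    for e in events:
        actor, record, ticket = e["actor"], e["record"], e.get("ticket")
        # 1. Every lookup must cite a ticket, and the ticket must be about
        #    the record that was opened.
        if ticket is None:
            findings.append({"actor": actor, "record": record, "reason": "no_ticket"})
        elif tickets.get(ticket) != record:
            findings.append({"actor": actor, "record": record,
                             "reason": "ticket_mismatch", "ticket": ticket})
        # 2. Access to a co-worker's account is always put in front of a reviewer.
        if record in employee_accounts:
            findings.append({"actor": actor, "record": record,
                             "reason": "employee_account"})
        # 3. Sliding window: too many distinct records opened by one actor.
        history = recent[actor]
        history.append((e["ts"], record))
        while e["ts"] - history[0][0] > WINDOW:
            history.pop(0)
        distinct = {r for _, r in history}
        if len(distinct) >= VOLUME_THRESHOLD and actor not in volume_flagged:
            volume_flagged.add(actor)
            findings.append({"actor": actor, "record": record,
                             "reason": "volume", "count": len(distinct)})
    return findings


def summarize(findings):
    """Count findings per (actor, reason), the view a reviewer would triage."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["actor"], f["reason"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(review_access(parse_log(SAMPLE_LOG))).items()):
        print(key, n)
```

On the constructed log this reports agent_42 for one lookup with no ticket, four lookups citing a ticket that covers a different driver, and a volume alert once five distinct driver records are opened within the window; agent_17 is reported for opening a co-worker’s account with no ticket. The point is that none of these findings depend on an employee volunteering a report; the review is driven by the log and a business-justification source (the ticket table), which is what a monitoring system has to be designed and staffed to act on.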
Takeaways from the Uber Consent Agreement
The FTC’s settlement with Uber underscores the significance that the FTC attaches to misalignments between the security and privacy commitments made by businesses in their public disclosures in website and app privacy policies, on the one hand, and the implementation of those commitments in practice, on the other. And, as the allegations in the FTC’s Uber complaint indicate, the FTC will closely scrutinize the degree to which companies abide by their privacy and security promises to consumers.
For example, the FTC investigation in this case delved not only into Uber’s access control security measures with a third party (Amazon’s S3 DataStore) for stored user and driver data, but also examined the company’s various privacy and data security claims and statements over a two-year period. The FTC noted4 that, during this period, communications from Uber’s customer service representatives included claims such as:
“Your information will be stored safely and used only for purposes you’ve authorized.”

“We use the most up to date technology and services to ensure that none of these are compromised.”

“I understand that you do not feel comfortable sending your personal information via online. However, we’re extra vigilant in protecting all private and personal information.”

“All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
Statements of this kind frequently appear in the generic responses companies send when answering customer concerns. The FTC is now looking closely at such statements and does not confine its review of privacy claims to formal company disclosures such as published privacy policies.
In light of the Uber Consent Agreement and other similar FTC actions in recent years, businesses are well-advised (1) to conduct periodic reviews of how well their public privacy and security claims fit within the context of their actual privacy and security processes and third party relationships (including as these evolve over time), and (2) to be aware that the FTC’s review of such claims will reach beyond the four corners of even carefully crafted privacy policies.
4 FTC Complaint, paragraph 17, available at https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf.

This publication is a summary of legal principles. Nothing in this article constitutes legal advice, which can only be obtained as a result of a personal consultation with an attorney. The information published here is believed accurate at the time of publication, but is subject to change and does not purport to be a complete statement of all relevant issues.
January 2017 | Advisory

Although Delayed, New York’s Aggressive Cybersecurity Law Expected to Affect Financial Services and Insurance Firms

If you have any questions about this Advisory, please contact:

CYBERSECURITY AND PRIVACY PRACTICE GROUP
MICHELLE DEBARGE
JOHN KENNEDY
TIMOTHY WRIGHT

INSURANCE PRACTICE GROUP
JOSEPH
MICHAEL
The regulatory environment for cybersecurity is rapidly changing, and state legislatures are not waiting for Congress to act. On December 28, 2016, the New York State Department of Financial Services (“NYDFS”) revised a proposed rule that imposes new cybersecurity requirements on individuals and entities operating under the New York banking law, insurance law, or financial services law (“covered entities”). Don’t stop reading if your company is not a covered entity, because the regulation also burdens third party providers with downstream requirements. Importantly, the rule covers nonpublic information, which is broader than you might think: it includes personal information, health data, and sensitive business information. Although the proposed rule was expected to be implemented on January 1, 2017, it has been delayed two months and is currently in a final 30-day comment period. The final rule, which may differ from the revised proposed rule, will now become effective on March 1, 2017. Entities have 180 days after the effective date to comply. Depending on how NYDFS addresses comments from the public, the final rule is poised to become one of the most detailed and aggressive cyber laws in the country.

Broadly speaking, the rule requires covered entities to establish comprehensive data security programs, draft written policies, hire adequate personnel, and report any incidents within 72 hours. Additional requirements include maintaining detailed records and preserving data logs. The detailed nature of the requirements invites immediate comparison to the NIST Cybersecurity Framework, which is increasingly becoming the industry standard for data security programs. But, as discussed below, some elements of the rule are new and go far beyond what is required of financial institutions under existing law. Many institutions may already be addressing these requirements, but it is important for covered entities to review the law in detail to ensure that they are in compliance. It would be a mistake, for example, for a covered entity to assume that because it has Gramm-Leach-Bliley-based data security measures in place, the NYDFS rule can be ignored.
IMPORTANT ELEMENTS OF THE PROPOSED NY RULE

1. Cybersecurity Program

The proposed rule requires covered entities to establish a “cybersecurity program” that preserves the confidentiality of their information and assesses risk. At a minimum, the program needs to identify internal and external cyber risks, protect an entity’s nonpublic information and information systems, detect and respond to cybersecurity events, and fulfill reporting requirements. Additionally, the program needs to include (1) annual penetration testing, (2) audit trail systems, (3) limits on user access and data retention, (4) personnel training, and (5) multifactor authentication.

2. Cybersecurity Policy

A key component of the cybersecurity program is a written cybersecurity policy that lays out all of the company’s data-related procedures. Be aware, the policy must go beyond a simple recitation of physical and technical safeguards that the company has implemented. Among other things, the policy must address risk assessment, data governance, data classification, vendor provider management, and incident response. After a policy is formulated, a senior officer or the company’s board of directors needs to approve the policy.
3. Designation of a Chief Information Security Officer
Recognizing the importance of top-down leadership, NYDFS also included a provision in the rule requiring covered entities to designate a Chief Information Security Officer (CISO). A CISO is tasked with “overseeing and implementing the . . . cybersecurity program and enforcing [the] cybersecurity policy.” The regulation permits a company to outsource the role to a third party, subject to certain conditions.

4. Third-Party Service Provider Requirements

Similar to other state and federal laws and regulations, the rule also addresses cyber risks in a company’s supply chain. Covered entities must implement policies and procedures to ensure that third-party service providers are adequately protecting nonpublic information. These policies need to include:
• A risk assessment of third parties;
• Minimum cybersecurity practices required to be met by third parties;
• Due diligence to evaluate the adequacy of third-party cybersecurity practices; and
• Periodic assessments of the adequacy of third-party practices.

Furthermore, covered entities need to include provisions in third-party contracts that address, if applicable, (1) multifactor authentication, (2) encryption technologies, (3) notification requirements following a breach, and (4) additional representations and warranties covering cybersecurity.

5. Incident Reports

Perhaps the most onerous, and most controversial, requirement is that covered entities must report to the Superintendent of Financial Services within 72 hours after discovering an incident. An incident refers to any event that is required to be reported under existing law or “that has a reasonable likelihood of materially harming any material part of the normal operation of the Covered Entity.” This requirement suggests that the entity must report information without having a complete understanding of what happened, what data was disclosed, and whether the breach was contained.
HOW DOES THE PROPOSED RULE DIFFER FROM EXISTING LAWS?

As it stands now, New York’s proposed rule is a significant departure from existing federal law. By way of background, there are several regulations that currently affect financial institutions. Regulation S-P of the Securities and Exchange Commission, which implements the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA), requires registered advisors, broker-dealers, private funds, and other financial institutions to develop adequate physical, administrative, and technical safeguards to protect customer information. Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires public companies to assess their “internal controls,” including IT controls, that protect their financial reporting and accounting. Also, the Financial Industry Regulatory Authority mandates that its members establish supervisory controls to ensure they are complying with applicable laws, including Regulation S-P. Lastly, New York has another data-related law: most New York companies must securely destroy records containing a customer’s personal information when the records are no longer needed.

The proposed rule goes much further than these existing regulations. First, the scope of the covered data is much broader. As discussed above, the rule covers “nonpublic information,” which includes certain nonpublic personal information, health information, and business information, whereas Regulation S-P and New York’s data destruction law only cover a customer’s personal information. Second, the proposed rule imposes a more detailed cybersecurity program. By contrast, Regulation S-P allows entities to design their own programs as long as they ensure the confidentiality of consumer records and protect against threats and unauthorized access. Moreover, other major elements of the rule, including the designation of a CISO, are completely new.
WHAT SHOULD COVERED ENTITIES DO?

Assuming the NYDFS proposed rule becomes final without meaningful changes, covered entities should take proactive steps now to ensure compliance.
• Determine if your company is covered under the rule.
• Compare the rule’s requirements against those under existing laws to discern what additional steps your company must take to comply.
• Tailor your existing cybersecurity policy and program to align with the particular specifications of the rule.
• If you don’t already have one, designate someone to act as CISO. That person will be instrumental in managing a cybersecurity policy and program, and should be involved in the planning process.
• Review your service vendor and provider arrangements, determine which third parties will be covered, and decide how to cover them contractually and operationally. Some contracts may need to be amended to address compliance with the rule.
• Also, as noted above, because the NIST Framework is increasingly being used as an industry benchmark, consider adding any additional features needed to meet the Framework’s requirements.
• Confirm that your insurance coverage adequately covers cyber threats and data breaches.
For more information on New York’s proposed rule, please contact Michelle DeBarge, John Kennedy, or Timothy Wright.
September 2017
Firm News
CNN Reports on Crack 99, a Book by Wiggin and Dana Partner David Hall
Wiggin and Dana partner David L. Hall was featured on the CNN program “Declassified” on Saturday, September 2 at 9 p.m. The episode focused on the CRACK99 Chinese cyber piracy investigation and prosecution led by Hall as a federal prosecutor.
David L. Hall is a partner in the Litigation Department and a member of the International Trade Compliance; White Collar Defense, Government Investigations, and Corporate Compliance; Cybersecurity and Privacy; Unmanned Aerial Systems; and Art Law and Museum practice groups. Before joining Wiggin and Dana, he served as a federal prosecutor for 23 years. His book, CRACK99: The Takedown of a $100 Million Chinese Software Pirate (Norton), tells the gripping tale of the largest software piracy case ever prosecuted by the U.S. Department of Justice.

To read the CNN online article, please click on this link: http://www.cnn.com/2017/08/31/us/cyber-pirate-sting-operation-crack99-author-david-hall-declassified/index.html
Contact:
DAVID L. HALL [email protected]
WEBINAR
Information Security and Third-Party Service Providers: What You Don’t Know Can Hurt You

Whether you are a company contracting with a third party or the third-party service provider, understanding the privacy and information security regulatory and risk management implications associated with your contractual arrangements is critical. What you do not know prior to entering into and during the service arrangement can mean a world of hurt down the road. And to avoid additional pitfalls, proper planning in advance for when the arrangement ends must be considered thoughtfully as well. In this presentation, Wiggin and Dana Partners John Kennedy, Michelle DeBarge and Michael Menapace identify the regulatory requirements and risks from both sides of the arrangement, discuss practical considerations for managing the various and increasingly granular legal requirements, and offer tips for prioritizing efforts where budgetary or time constraints impose operational challenges. Industry-specific requirements are highlighted, such as HIPAA requirements and privacy and information security requirements for companies in the financial sector. Special considerations are addressed for small service providers.

We invite you to log on and view this webinar, recently hosted by the Cybersecurity Group. If you would like to receive a link to the webinar or want more information, please email Elizabeth Keane.
Cybersecurity Preparedness Checklist
Data breaches come in many forms. With hackers and their attack strategies constantly changing, organizations must be cybersecurity-prepared and constantly vigilant against all forms of cyber breaches and attacks. Also, in most data breach incidents, the time between initial attack and data exfiltration is just minutes. The time from initial compromise to discovery, however, could be several months, and the time from a data breach discovery to its containment could be days, weeks or months. Just as the United States government has recognized that cybersecurity threats place the Nation’s security, economy, and public safety at risk, so too should private businesses confront and address cybersecurity risks. It is important to recognize how cybersecurity hazards may threaten an organization’s valuable data assets, compromise workforce and customer privacy, and harm an organization’s bottom line by driving up costs, driving down revenue, and diminishing the organization’s ability to gain and maintain customers.
Cybersecurity is not a fixed state but an ongoing process. Even if an organization has previously addressed cyber-preparedness in a written plan, the organization should conduct a periodic review of the plan’s effectiveness and make changes where necessary in light of changing risk.
Effective cybersecurity preparedness requires a thoughtful and coordinated top to bottom risk management approach involving the organization’s governing authority, high-level executives, and legal counsel, as well as information technology, human resources and public relations personnel.
This checklist addresses the key components that should be considered in developing effective cybersecurity risk mitigation strategies and procedures.
MAP AND CLASSIFY THE SENSITIVITY, PROPRIETARY VALUE AND CRITICALITY OF YOUR DATA

• Identify types and amounts of data collected, stored, accessed, and transferred
• Classify information into categories, for example:
  - Personally identifiable / non-personally identifiable
  - Sensitive / non-sensitive
  - Information subject to specific statutory / regulatory requirements
  - Medical information
  - Financial information
  - Proprietary information
  - Information collected from minors
• Prioritize data by criticality, sensitivity and value to the organization
MAP YOUR DATA FLOWS, SYSTEMS AND SECURITY CONTROLS

• Document how information is being created, received, used, managed, disclosed, and destroyed / disposed of by your organization
  - Examples of questions that should be answered when mapping data flows:
    - What information is moving and being accessed within your organization, between departments or between individuals?
    - What information is moving from your organization to third parties?
    - What information is your organization receiving from third parties?
    - What relevant information is moving across state / national boundaries?
  - The answers to these questions will determine the level of privacy and security-related exposure, and should inform organizational privacy and security strategy
• Identify and document systems containing data identified as “priority” and the organization’s existing administrative, technical and physical security controls for that data
PERFORM RISK ASSESSMENTS AGAINST APPLICABLE LEGAL REQUIREMENTS AND INDUSTRY STANDARDS AND GUIDELINES

• Conduct risk assessments to identify risks and vulnerabilities to data and data-processing systems
  - Initial and then periodic, based on operational changes and new threats to the security, integrity and availability of priority data. Operational changes may include mergers, acquisitions, system upgrades, mobile device deployment, new online marketing campaigns, etc.
  - Ongoing assessments should also address evolving legal requirements and industry security standards applicable to the organization
ADDRESS SECURITY GAPS AND DEVELOP WRITTEN INFORMATION SECURITY PROGRAM
• Identify gaps in technical, administrative and physical safeguards that do not meet legal requirements, appropriate industry standards or risk management priorities based on the sensitivity and criticality of the data. Assess requirements domestically and abroad, in all relevant jurisdictions.
• Identify weaknesses in security practices, for example:
  - Not developing security policies or failing to implement policies
  - Not designating specific workforce members to maintain and implement the program
  - Permitting haphazard collection / sharing of data inconsistent with policy requirements
  - Not updating policies and practices as the business’s information practices and laws change
  - Not updating policies and practices to address changes in the type and extent of data collected
  - Not knowing what data is stored by the company and its location(s)
  - Retention of data longer than necessary to carry out the original business purpose
  - Improper disposal of data that is no longer needed
• Implement additional safeguards and modify practices to address gaps
• Draft or revise written information security program
  - Review requirements of applicable laws and regulations as well as industry requirements or standards
  - Ensure the program is enterprise-wide (not just confined to the company’s IT group)
  - Establish policies that detail information security requirements, including appropriate administrative, physical and technical safeguards
• Consider researching, analyzing, and purchasing a cybersecurity liability insurance coverage policy, which can help mitigate losses from a variety of cyber incidents (including data breaches, network damage, and business interruption)
ENSURE EFFECTIVE GOVERNANCE INFRASTRUCTURE FOR CYBERSECURITY, INCLUDING EXECUTIVE MANAGEMENT AND BOARD OVERSIGHT
• Appoint a Security Officer who is accountable for the implementation and oversight of the information security program
  - Address the charter and functions of the position and the interaction between the privacy compliance function, the Board and oversight committees / teams
  - Ensure there is an appropriate job description that holds the Security Officer accountable for the security program
• Include information security as a priority within the organization’s overall corporate compliance program
• Designate an internal security / data governance committee
  - A team tasked with reviewing security governance practices
  - Require security audits and reports to be a team effort involving representatives from each relevant business division, IT, human resources, legal and senior management
• Ensure Board involvement in the oversight of information security practices. Consider designating a Board member who is sufficiently technically educated to lead Board discussions and questions on information security
ADOPT AND TEST INCIDENT RESPONSE PLANS
n Data incident response plans
• Implement a clearly defined and readily available data incident response plan that outlines:
- Team representatives from operational groups within your organization, including IT, human resources, legal, and public relations departments
- Up-to-date 24/7 contact information for all members of the team
- Standard conference line and notification procedure timeline
- Hierarchy for decision-making and external communications regarding an incident
- External forensics technical contacts
- Dos and don’ts for evidence preservation and general incident team e-mails
- Required documentation addressing Who, What, Where, Why, and How
n Perform mock incident response events to ensure readiness
MANAGE VENDOR RISKS: VENDOR CONTRACTING AND SECURITY DUE DILIGENCE PROCESSES
n Assess the organization’s relationships, including business partners, strategic partners, co-branded sites, third party vendors and other external service providers (including cloud services) that might involve the use, disclosure, creation, transmission or maintenance of priority data on the organization’s behalf
n Document the names of relevant vendors and partners, and clearly articulate the details of those relationships as they affect data flows
n For each identified vendor or partner, determine level of security due diligence that should be implemented based on the nature of the relationship and risks and vulnerabilities to your data and systems
n Ensure that contractual provisions are in place to address, as appropriate, network security, application security, data security, data destruction, security breach notification, vendor data use, subcontractor data security requirements
n Consider whether ongoing monitoring and inspection rights are appropriate to enforce security measures; include a right to conduct compliance audits
n Implement security due diligence, contractual and operational requirements for new vendor and partner relationships
ADOPT “SECURITY BY DESIGN”
n The best defense is a good offense - prepare to embed security into the design of your organization’s technology, including new products, systems, and operations
n Consider security as a fundamental, foundational component of all of the organization’s functions, services, and products, as opposed to a concern that is addressed only on the back-end, as an add-on, or worse, not at all
TRAIN YOUR WORKFORCE
n Ensure workforce members are trained upon hire and ongoing regarding general security awareness and corporate security policies
n Confirm employees are aware of and comply with the organization’s security policies
n Ensure workforce members have the necessary tools to help the organization identify, prevent and address security issues, including:
• Access controls and permissions to limit access on a need-to-know basis
• Policies that are up-to-date, clear and comprehensible to all employees
• Policies that address the issue of employees bringing their own devices, remote access, and social media
KEEP ABREAST OF CURRENT ENFORCEMENT PRIORITIES AND ABSORB LESSONS FROM RECENT ENFORCEMENT ACTIONS
n Federal Trade Commission, Enforcement, http://www.ftc.gov/enforcement
n Homeland Security, Office of Cybersecurity and Communications, http://www.dhs.gov/office-cybersecurity-and-communications
n United States Department of Justice, Cyber Crime, http://www.justice.gov/usao/briefing_room/cc/
n United States Department of Health and Human Services Office for Civil Rights (HHS-OCR), Enforcement, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
n Federal Communications Commission, Enforcement Bureau, http://transition.fcc.gov/eb/
KEEP INFORMED ABOUT CYBER RISKS; BECOME INVOLVED IN OUTSIDE SECURITY COMMUNITY ( INFORMATION SHARING NETWORKS)
n United States Computer Emergency Readiness Team, Information Sharing Specifications for Cybersecurity, http://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity [links to free, community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis]
n DDOS Attack Protection, Top 100+ Cyber Security Blogs, http://ddosattackprotection.org/blog/cyber-security-blogs/
n SANS Top 20 Critical Security Controls, http://www.sans.org/critical-security-controls
n United States Department of Health and Human Services Office of the National Coordinator for Health Information Technology (HHS-ONC), Health Information Privacy, Security, and Your EHR, http://www.healthit.gov/providers-professionals/ehr-privacy-security
n NIST’s Cybersecurity Framework, http://www.nist.gov/cyberframework
Group Contacts
JOHN KENNEDY [email protected]
MICHELLE DEBARGE [email protected]
DAVID HALL [email protected]
© 2017 Wiggin and Dana llp
CONNECTICUT I NEW YORK I PHILADELPHIA I WASHINGTON, DC I PALM BEACH W W W .W IG GI N .C O M
General Data Privacy and Cybersecurity Diligence Request
Please provide the following materials and information:
1. A copy of all company written policies and disclosures related to protecting the
information privacy of employees, customers, consumers and other individuals,
including:
all policies governing information privacy in the company, including rights and
expectations of employees and other persons working with the company (e.g.,
independent contractors, temporary employees); and
all disclosures to customers, consumers and third parties of the company’s privacy
practices.
2. A copy of each policy relating to information security within the company, i.e., policies
that address protection of the confidentiality, integrity and availability of the company’s
data (including personal data) and protection of all administrative, physical and electronic
systems and facilities used in connection with the collection, use, storage, transfer,
retention and disposal of the company’s information, including personal data.
3. A copy of any policy addressing the company’s preparation for or response to
cybersecurity incidents, including data breaches.
4. A list of any standards or frameworks (e.g., ISO, COBIT, HIPAA Privacy and Security
Rules, the GLBA Privacy and Security Rules, the NIST Cybersecurity Framework, PCI
DSS) that are adopted or implemented in the company’s information security program.
5. Identify by name and title the persons in the company who have primary responsibility
for the oversight and implementation of its information privacy and information
security programs.
6. A copy of any privacy and/or security compliance risk assessments and compliance
audits conducted in the last [X] years, including (i) audit results of internal information
and systems controls, (ii) compliance certifications issued by third parties (e.g.,
TrustE), (iii) privacy impact assessments, (iv) penetration tests, social engineering tests
or other cybersecurity-related testing. Where any assessments or audit findings have
included exceptions or deficiencies, include a description of how these were corrected.
7. A copy of any privacy and cybersecurity awareness training materials that have been
used with company personnel, including senior management and the board of directors,
in the last [X] years and indicate when and how often such training is conducted.
8. Describe any cybersecurity incidents, including actual or suspected data breaches, in
the last [X] years that involved actual or suspected unauthorized access to or use of (i)
company information (including personal data of company employees, customers or
other individuals) and (ii) company information systems or computing and network
devices (including systems and devices managed by any third party on the company’s
behalf), and describe the resolution of such incidents or to proprietary company systems
or data.
9. A copy of any legally-required notices to consumers or government authorities in
connection with any prior cybersecurity incident or data breach involving company
information or systems (including information and systems managed by any third party
on the company’s behalf).
10. List the company’s current registrations with any data protection authorities or similar
privacy-related registrations with government authorities (e.g., the U.S.-EU and/or
Swiss Privacy Shield, any EU data protection authority).
11. A copy of any required disclosures to or filings with regulatory authorities made in the
last two [X] years with regard to the company’s information security risks, information
security practices and/or privacy practices (e.g., cybersecurity disclosures made in
filings with the Securities and Exchange Commission, filings with primary federal or
state regulators, filings with data protection authorities outside the U.S., required filings
to any enforcement agency such as the FTC, state attorneys general offices, primary
financial regulators, the Department of Health and Human Services, state public
utilities commissions, etc.)
12. Identify and describe for the last [X] year period any litigation, claims, investigations,
demands, court or administrative order, notices of inquiry, settlements, consent decrees
or other proceedings, actual, pending or threatened, which relate to or arise out of the
company’s privacy and cybersecurity policies or practices.
13. To the extent not described in materials requested above, provide a copy of any
company policy addressing the management of third party privacy and cybersecurity
risks with the company’s suppliers, vendors, business partners and third party service
providers.
14. Describe all insurance coverage (including primary and excess layers) for first and third
party losses related to or arising from privacy and cybersecurity incidents (including
losses arising from data breaches) and other loss, theft, corruption or unavailability of
data.
SAMPLE POLICY STATEMENT FOR REQUIRING VENDORS TO COMPLETE PRIVACY AND CYBERSECURITY DUE DILIGENCE QUESTIONNAIRE
[Company] Procurement Guidelines for Vendors Providing Products or Services Affecting [Company] Data and/or Information Systems
Whenever [Company] bids for or engages vendors whose products or services involve access to or use of (i) [Company] data (including sensitive company data and personally-identifying data of [Company] employees, customers or other natural persons) and/or (ii) [Company]’s computers, networks, mobile devices and other information systems (whether owned, leased or outsourced), vendors shall be required to:
1. Complete the standard [Company] Vendor Data Privacy and Cybersecurity Questionnaire as part of any RFP or other due diligence process; and
2. Accept [Company]’s standard Vendor Data Privacy and Cybersecurity Contract Terms included in [Company]’s RFP package.
When These Guidelines Apply to Procurement by [Company]
The types of Vendor products or services that are subject to the foregoing Guidelines include contracts where product functions or vendor services involve one or more of the following types of activity:
software products or services (including cloud-based services) that will store or process sensitive [Company] data or personal data of individuals;
procurement or disposal of computer hardware used to store or process [Company] data or manage [Company] information systems;
ISP, network management, network security or telecommunications services;
data storage or warehousing (including for purposes of disaster recovery and business continuity);
data brokerage services, data compilation or aggregation services;
outsourced processing of customer or employee data (e.g., customer transaction records, financial records, HR records, recruiting services);
payment services, including credit and debit card and mobile payments processing services;
data analytics and data mining services;
data verification, data cleansing, data conversion, data enrichment, data disposal or data migration services;
background or credit check services or other services for investigation of individuals, such as potential employee hires;
advertising, profiling and marketing services involving personal data (e.g., through e-mail, telephone, social media or text campaigns);
designing or operating a website, mobile app or social media presence for the company;
hosting the company’s public website, intranet or extranet;
cross-border data transfers in transactions such as outsourcing, consulting and cloud computing;
developing, upgrading, consolidating or replacing computer systems and/or software (including IT outsourcing and systems integration work);
any consulting services or employment agreement involving access to personal data of employees, clients or customers of the company;
purchasing, servicing, recycling or otherwise accessing company equipment containing stored electronic data (including IT desktop and laptop support services, hardware maintenance, data sanitizing services);
managing company mailing and e-mailing lists for customers, clients or employees;
purchase, sale or other transfer of company data in an acquisition, merger or reorganization;
any vendor services that include access to the [Company] network or include other [Company] systems use privileges for vendors, including physical access to facilities that house [Company] information systems containing sensitive [Company] data and/or personal data;
use of subcontractors in connection with any of the foregoing.
General Session Panel #2
Recent U.S. Privacy Law
Developments and Key Takeaways
Panelists: John Kennedy & Michael Kasdan
Connecticut Privacy and Cybersecurity Forum
September 14, 2017
© 2017 Wiggin and Dana LLP
1. Selected Recent Cases in Privacy and Takeaways
2. Location Tracking for Apps: Best Practices for Tech Companies
3. Data Collection in the Era of the IoT and Intelligent Products: Best Practices for Mitigating Privacy and Security Risk
4. Privacy and Security Risks in the Growing Use of Big Data Analytics: Emerging Best Practices
Agenda/Discussion Roadmap
AGENDA - ROADMAP
Round-up of Recent Cases
• Standard Innovation (‘smart’ vibrators) case on data collection
• Facebook and Google cases on biometric privacy
• Update on FTC/Lab MD case on data security
FTC Privacy Enforcement Activity and Directions under the New Commission
1. Selected Recent Cases and
Enforcement in Privacy: Takeaways
SELECTED RECENT PRIVACY CASES
Standard Innovation, maker of ‘smart’ vibrators, settled a class action lawsuit earlier this year for $3.75M.
Suit alleged “Standard Innovation collected individual-level usage information – often tied to users’ personally identifiable addresses,” they said, adding that the firm “breached its customers’ trust, devalued their purchases” and “violated federal and state law in the process.”
Takeaways: Clear notice, security, disclosure/choice re: data shared by customers
Standard Innovation: Data Collection
SELECTED RECENT PRIVACY CASES
We-Vibe: ‘Smart’ vibrator product allows users to remotely “turn on your lover” via Bluetooth connection using the We-Connect mobile app.
Licata et al. v. Facebook
• A number of Facebook users (now consolidated into a class) sued the social media giant in 2016 claiming it violated the Illinois Biometric Information Privacy Act of 2008 by collecting and retaining information about the geometry of users’ faces from their uploaded photographs without written notice or informed consent.
• The BIPA says no private entity can gather and keep an individual’s “biometric identifiers” without prior notification and written permission from that person.
Facebook and Google Cases:
Biometric Data Collection
SELECTED RECENT PRIVACY CASES
Rivera et al. v. Google
• Similarly, a number of Google users sued Google in 2016 claiming it violated the Illinois Biometric Information Privacy Act of 2008 by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent.
Takeaways
• Both the Facebook and Google cases have survived motions to dismiss.
• They are part of a recent wave of suits employing BIPA claims against social media and photo-sharing companies.
• Social media companies have sought to push back against the law, pushing an amendment that would specifically exempt physical and digital photographs and biometric information derived from them from BIPA.
Facebook and Google Cases:
Biometric Data Collection
SELECTED RECENT PRIVACY CASES
A grueling, epic litigation saga since 2013
• The FTC’s history of data security complaints under the “unfairness” prong of Section 5 of the FTC Act
• Lab MD’s basic challenge to enforcement authority
• Where the case stands today
Recent arguments before the 11th Circuit in June 2017
• The court: FTC approach to Section 5 harms: “as nebulous as you can get”
Implications of an FTC loss at the 11th Circuit
Update on FTC/Lab MD Litigation: Limits on the
FTC’s Data Security Enforcement Authority?
SELECTED RECENT PRIVACY CASES
Commissioner Olhausen’s Agenda for Privacy and Data Security Enforcement
• Section 5 unfairness focus on consumer harm and Commission “transparency”
Recent FTC Privacy and Security Actions and Takeaways
• Uber (data security/cloud/employee access)
• Lenovo (OEM-installed adware compromising security)
• Taxslayer (alleged Safeguards Rule violations in tax prep service)
• Blue Global (failure to secure sensitive consumer information in deceptive loan application scheme)
• Credit Acceptance Corporation (investigation re: use of GPS Data)
FTC Privacy Enforcement Activity and
Directions under the New Commission
FTC ENFORCEMENT ACTIVITY AND GUIDANCE
What is the Issue?
FTC and Industry Guidance
Best Practices for Companies
2. Location Tracking for Apps: Best
Practices for Tech Companies
LOCATION TRACKING FOR APPS: BEST PRACTICES
Collecting and tracking geo-location data is increasingly a feature of mobile devices and apps
• Examples: Apple/Google, SnapChat Maps, Facebook, FourSquare
What Is The Issue?
LOCATION TRACKING FOR APPS: BEST PRACTICES
Tracking websites visited, consumer purchases, consumer attributes and behaviors enables access to very useful and private data
Access to specific and continuous geo-location data enables tracking at an even deeper level
Increased ability for advertisers/companies to target users based on their behaviors and locations in the world
Increased “creepiness factor”?
Safety issues re: presence in real world
Concerns as to how companies and their partners use this very intimate data
What Is The Issue?
LOCATION TRACKING FOR APPS: BEST PRACTICES
FTC Guidance
• Basic Principles
o Privacy by Design
o Increased Transparency
o Simplified Customer choice re data collected and shared
• “Opt in” affirmative express consent (not opt out)
• Clear just-in-time disclosures so customers understand what is collected/shared and with whom.
Industry Self Regulation Guidelines
• Digital Advertising Alliance (DAA): Transparency and Control
• Network Advertising Initiative (NAI): Opt in consent and Reasonable Access to customer’s own data
FTC and Industry Guidance
LOCATION TRACKING FOR APPS: BEST PRACTICES
Understand exactly how the tracking technology works, including what data it collects, where it sends data, and who can see the collected data. Establish robust privacy by design practices within the business.
Conduct privacy impact reviews before using or deploying new tracking technologies.
Privacy issues, like tracking consumers, are not just legal issues. They also impact customer relations.
• When deploying tracking technologies, companies should consider industry best practices and customer expectations. Customer relations may require the company to go beyond what US law requires.
Ensure all privacy notices or customer-facing statements accurately reflect the tracking technologies used.
Best Practices for Companies
LOCATION TRACKING FOR APPS: BEST PRACTICES
Before using tracking technologies to collect precise geolocations, biometric data or other highly sensitive personal information:
• obtain the person's affirmative opt-in consent; and
• establish data security measures appropriate to the data's sensitivity level.
Companies using tracking technologies outside of the US must consider the impact of potentially stricter foreign data privacy laws.
• The benefits of establishing uniform tracking technology and personal data use policies may lead a company to adopt a stricter procedure or policy approach than US laws require.
• Foreign laws may also apply if companies transfer personal data across borders.
Best Practices for Companies
LOCATION TRACKING FOR APPS: BEST PRACTICES
What is the Issue?
• New class of devices collecting and using personal data in a variety of ways
• Billions of distributed, embedded, data-collecting, Internet-connected devices with little or no user interface for disclosing privacy practices
3. Data Collection in the Era of the IoT and
Intelligent Products: Best Practices for
Privacy and Security
DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS
Some Recent Examples
• Roomba, IoT, automotive industry collection of data in cars, recent controversy of UnRoll.Me selling data, Google’s recent decision to stop scanning email for ads
• Cybersecurity botnet attacks such as the Mirai attack, fall 2016
What is the Issue?
DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS
‘Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Shared’ – NYT (July 25, 2017)
‘Unroll.me Service Faces Backlash Over a Widespread Practice: Selling User Data’ – NYT (April 24, 2017)
‘Cars Suck Up Data About You. Where Does It All Go?’ – NYT (July 27, 2017)
Federal and state enforcement activity involving IoT
• FTC cases: e.g., TrendNet, Asus, D-Link
• New York AG: SafeTech Products settlement
Proposed legislation
• California’s S.B. 37 (“Teddy Bear and Toaster Act”)
• U.S. Senate Bill, “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”
Recent Enforcement Activity/Legislation
DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS
Several U.S. federal agencies have offered compliance guidance for IoT market participants (e.g., NTIA, FTC, DHS, NIST)
Guidance Highlights:
• Follow “security by design” and “defense in depth” principles and build on recognized security practices
• Stay on top of security patches and vulnerability management and communicate patch and update policies
• Focus on secure authentication and secure interfaces with other devices and services
• Default settings should favor consumer privacy and choice
• Be transparent about data collection and use practices
• Build communication channels with security researchers and users
Best Practices to Address
Regulatory Scrutiny and Consumer Complaints
DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS
4. Privacy and Security Risks in the Growing Use
of Big Data Analytics: Emerging Best Practices
PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS
PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS
‘Big Data’ is Not Always ‘Smart’ Data
[Chart: Per Capita Cheese Consumption correlates with Number of people who died by becoming tangled in their bedsheets, 2000–2009; y-axis: Cheese Consumed (28.5–34.5); series: Bedsheet Tanglings, Cheese Consumed]
Regulators are Paying Attention
PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS
What Laws Apply to Big Data Today?
Black Letter Law
PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS
Financial, healthcare, genetic and other data privacy and data security laws (state and federal)
State regulations, such as insurance laws regulating underwriting, rating, claims handling
Anti-discrimination laws
Consumer protection laws
Gaps?
Basic Questions for Due Diligence and Risk Assessment in Data Analytics
PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS
• How do we embed (i) regulatory compliance and (ii) fidelity to our data policies into algorithms and predictive models?
• Who owns all of this data?
• How do analytics projects affect our cybersecurity risk?
• What are the legal ground rules for using and sharing internal customer data in analytics projects?
• What rules govern use of data sourced from third-party sources (e.g., data brokers, IoT devices, social platforms)?
Best Practices: Ethics and Codes of Conduct
PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS
Prevent discriminatory impact and bias
Demonstrate respect for consumer privacy
Enforce accountability
Build in transparency, auditability of scoring models
Assure data quality and relevance
Questions?
This presentation is a summary of legal principles.
Nothing in this presentation constitutes legal advice, which can only be
obtained as a result of a personal consultation with an attorney.
The information published here is believed accurate at the time of
publication, but is subject to change and does not purport to be a
complete statement of all relevant issues.
Hybrid Cloud Security for Financial Services
KISHORE RAMCHANDANI
September 14, 2017
IBM Proprietary
Financial services companies are becoming more data-centric and it is important to understand their top security drivers
1. Regulatory and compliance alignment
2. Standard security frameworks, detection capabilities and response controls
3. Rigorous monitoring of regulatory changes
4. Access management
5. Network security
6. Data protection and encryption
7. Application security
8. Visibility and intelligence
9. Workload-centric capabilities
10. Cloud-agnostic managed security services
This is what a typical hybrid cloud environment looks like
[Diagram: public cloud, virtual private computing, on-premise data center, private cloud]
Regulators expect the same level of control in a cloud environment
Regulators require financial services firms to review the following before deciding to use cloud services
• Location of data and the related legal jurisdiction
• Identity and access management
• Auditability
• Availability
• Data classification
• Encryption management
• Security incident management
• Business continuity
Key considerations for mass hybrid cloud adoption
• Design and implement a controls framework to comply with multiple regulatory requirements
• Implement processes to continuously monitor and adjust to regulatory changes
• Accelerators and Cloud intellectual property
• Deploy cloud-agnostic security
• Implement an end-to-end approach to security controls and continuous compliance monitoring
Any Move to Cloud Needs an Effective Control Framework
STRATEGY
Set the overall strategic approach to assessing and managing risk, and the risk appetite that fits with business goals and the firm’s environment. Outline the budget, roadmap and implementation approach.
CONTROLS
Define the control environment that delivers the chosen risk appetite and enforces the policy framework.
MONITORING, MEASURING AND MANAGEMENT INFORMATION
Monitor threats, incidents and the performance of controls. Track the performance of risk management against risk appetite, using quantitative metrics where possible.
GOVERNANCE
Define organizational roles and responsibilities, policy framework and arrangements for oversight of the risk profile and risk management framework.
Feedback loop – from front line controls to overall strategy
EXTERNAL COMMUNICATION AND STAKEHOLDER MANAGEMENT
Manage external reporting requirements and requests, and engagement with external stakeholders such as regulators.
Cloud Security Approach
Cloud is more than a technology change! It is a cultural change to organizations that impacts:
• Security Strategy
• Service Consumption
• IaaS, PaaS, SaaS
• Time Horizon
6 “Must Have” Capabilities for Hybrid Cloud Security
QUESTIONS TO ADDRESS: How do you…
ACCESS MANAGEMENT
• Secure access to hybrid apps?
• Onboard and manage users?
• Ensure only the right users have access?
VISIBILITY AND INTELLIGENCE
• Discover cyber threats?
• Respond to cyber threats?
DATA PROTECTION
• Visualize and lock down sensitive data?
• Ensure that all cloud-bound sensitive data is encrypted?
• Manage Shadow IT?
NETWORK SECURITY
• Efficiently protect the extended network?
APPLICATION SECURITY
• Discover and remediate application security risks?
WORKLOAD SECURITY MGMT
• Secure cloud workloads and the devices accessing them?
Shared security model has expectations of the customer
This is an extremely important point to understand when engaging clients in the discussion of security for the cloud
[Diagram: CLOUD SERVICE PROVIDER – Security OF the Cloud: Physical Layer, Network Infrastructure, Virtualization Infrastructure. CUSTOMER RESPONSIBILITY – Security IN the Cloud: NGFW, UTM, IDPS, VPN; Threat Intelligence, Event Visibility, Data Protection, Identity & Access, Application Security, Network Controls]
Afternoon Breakout Session #2
Addressing Cyber Risks in
Vendor Contracts
Privacy and Cybersecurity Practice Group
Connecticut Privacy and Cybersecurity Forum
September 14, 2017
Service Provider Risk in an Outsourced World
Increased reliance on third parties
• The Target example: HVAC
Relevant contract types
• Outsourcing • Cloud • Apps • Managed security • Advertising • Payments • Big data • Consulting • Facilities • Lawyers, accountants
Does the service provider have access to:
• proprietary or regulated data?
• company systems?
• facilities housing company data or systems?
• other contractors with such access?
1. Conduct meaningful due diligence on service providers who will access company data or systems
2. Obligate service providers by contract to provide appropriate levels of security to company data and systems
3. Carry out meaningful supervision, monitoring and oversight of the service provider’s performance of its obligations respecting company data and systems
The Basic Message from Regulators
Cybersecurity Due Diligence
Use a security practices questionnaire/audit form
– Identify gaps with regulatory and company standards
– Include appropriate in-house technical experts, and/or an outside cybersecurity consultant, on the diligence team
– Conduct inspections and tests as appropriate
Assess the service provider’s cybersecurity track record and customer references
Get input from all key stakeholders in the diligence process
o Legal, compliance, audit, risk management, HR, procurement
1. Key Deal Terms: Identify the Data
Define the relevant data sets
o “Customer Data” v. “Service Provider Data”
o “Personal data”, “sensitive data”, “PHI”, etc.
o “Aggregated data”, “de-identified data”, “anonymized data”
o “Derived data”
Be clear about roles and who owns what data
o Processor vs. controller (EU)
o Ownership issues:
– Customer-provided data
– Secondary or derivative data
– Service Provider meta-data and “usage” data
2. Key Deal Terms: Specify Data Uses
What processing by the service provider is authorized?
• Details may be set out in a statement of work
• What restrictions apply to the processing?
Where will processing take place?
• Have the data flows been mapped?
o Collection, storage, enhancement, transfer/sharing, return, disposal, destruction
o Shared processing with customer?
o Jurisdictions implicated for cross-border transfers?
– Required data transfer agreements?
3. Key Deal Terms: Security Levels
Is there an applicable legal, industry or other security standard?
o E.g., HIPAA Security Rule, GLBA Security Rule, NYS Cybersecurity Rule, state minimum security laws, etc.
o ISO family of standards, PCI DSS, NIST Cybersecurity Framework* (*not a ‘standard’)
o Key items: encryption, de-identification, access controls
o Be wary of bare “industry standards” or “industry best practices”
How and where are security requirements documented?
o Level of detail required
o Security schedules, attached policies, SLAs
Changes in law, security requirements or methods
4. Key Deal Terms: Clarify Incident and Breach Response Obligations
Is ‘security breach’ defined broadly or narrowly?
What are the service provider’s incident response obligations?
• Incident response plan, timing of vendor notice, cooperation, access, investigation, interviews, reporting, remediation
• Customer control over communications and notices
Who pays and how much?
• Allocating financial responsibility for security incidents and breaches
• Specifying the breach cost components and any caps on liability
5. Key Deal Terms: Specify Audit and Monitoring Rights
Customers should supervise service providers with access to data and systems
Regulatory and internal audit requirements related to service provider security controls
o Reporting standards (e.g., ISAE 3402, HIPAA Security Rule, PCI DSS, AICPA, COBIT)
o Spot and emergency audits
o Audit frequency; audit conditions; cost-shifting
o Response to audit deficiency findings
Reports, SLAs and monitoring
Flow-through requirements for subcontractors
6. Key Deal Terms: Define Liability and Indemnification Terms
Balance aggregate cyber risk with the commercial stakes
Will direct damages be capped or uncapped?
Will all forms of indirect damages be excluded?
Common exceptions to the cap:
• IP indemnities, confidentiality
Enhanced caps for data breaches?
Carve outs for ‘deemed’ direct damages
Scope of indemnification for data breaches
7. Other Key Contract Terms
Representations and warranties:
o Compliance with laws and service provider policies
o No malware
o No data breaches
Personnel background checks
Subcontractor approvals and flow-down terms
Termination assistance and data disposition
Cyber liability insurance coverage
‘Take it or Leave It’ Contracts
Not all service providers will negotiate away from their forms
• E.g., some public cloud providers
• Required “flow-down” terms from third-party platform providers
What to do?
• Keep shopping the work
• Negotiate an exceptions rider to the service provider’s paper for material terms
• Exclude sensitive data and functions if necessary
• Get required internal approvals supported by a risk analysis
This presentation is a summary of legal principles. Nothing in this presentation constitutes legal advice, which can only be obtained as a result of a personal consultation with an attorney. The information published here is believed accurate at the time of publication, but is subject to change and does not purport to be a complete statement of all relevant issues.
Afternoon Breakout Session #2
Cybersecurity Risk in Mergers and Acquisitions
Privacy and Cybersecurity Practice Group
Connecticut Privacy and Cybersecurity Forum
September 14, 2017
Cyber Risk: The New Normal
Ashley Madison
Mossack Fonseca
Cyberoam
JPMorgan
HACKED
RSA
Cyber Risk: The New Normal
Lost IP
Lawsuits
Regulatory fines
Lost revenues
Breach notification costs
Lost customers, goodwill
Lost time and productivity
Cost of security products/services
Cost of outside consultants, attorneys
Out-of-pocket costs to make breach victims whole
These costs can strip value from or even scuttle a deal
The U.S. Cyber Regulatory Approach: Largely Sector-Specific
Privacy and cyber regulation have evolved in a piecemeal manner in the U.S. based on industry sectors
• In contrast, e.g., the EU treats privacy as a fundamental human right
• Applicable U.S. laws reflect a strong bias to be “technology neutral” in order not to stifle innovation
As a result, there are few specific, prescriptive minimum cybersecurity mandates on private businesses
• For example, for most U.S. businesses there is no legally specified standard for minimum encryption strength or type, even where encryption of data is required by law
o Exceptions include: HIPAA Security Rule, government contracting requirements (e.g., DoD)
• An adequate security practice will be considered what is reasonable under the circumstances in view of the (1) sensitivity of the data, (2) commercially available risk mitigation measures, and (3) relevant industry practices
U.S. Regulators are Increasingly Focused on Cyber Risk
Federal Trade Commission
Securities and Exchange Commission
Federal banking regulators
Food and Drug Administration
Federal Communications Commission
Department of Energy
Department of Defense
Department of Homeland Security
State Attorneys General (e.g., California)
U.S. Regulators are Increasingly Focused on Encryption
Consumer Data: FTC Act
Health Data: HIPAA
Financial Data: GLBA
Consumer Credit Data: FCRA
Federal Agencies: FISMA
Credit Card Data: PCI-DSS
Defense Data: DFARS
Cyber Risk: The New Normal
SEC’s OCIE
• Conducted cybersecurity examination of 49 investment advisers in 2015
• Most firms reported a cyber-related incident
• Issued Risk Alert indicating second round of investigations
SEC’s Division of Enforcement
• First-ever cyber-related enforcement action
M&A Cyber Considerations
Acquirer assumes some or all of target’s
• Network and systems
• Data
• Products/services
• Third party relationships
Both sides represent a target of opportunity and increased risk
Cybersecurity Due Diligence: Moving to Front and Center in M&A?
Until recently, cybersecurity risks were not part of core due diligence protocols in M&A
• Cybersecurity diligence tended to be light and left to the ‘techies’
• One recent survey:
o 78% of respondent firms noted cyber risk is not fully assessed
o But 83% said that cyber concerns could reduce deal valuations or even be deal-killers
This complacent mindset is changing in light of:
• Overwhelming evidence that cybercrime is now a global underground industry
• Cyber attacks from criminals, hackers and state-backed enterprises that grow more sophisticated and relentless
• Economic losses to private business reaching hundreds of billions annually across all industry sectors
• Increased regulatory attention to private sector cybersecurity failures and related enforcement actions and fines
• Class action litigation targeting businesses for lax cybersecurity
Cybersecurity Due Diligence: Moving to Front and Center in M&A?
Technology and security companies are not exempt
o E.g., attacks in recent years against Adobe, Microsoft, RSA, Kaspersky Labs and other technology and security companies
Companies entering the U.S. cybersecurity market should expect heightened due diligence from U.S. buyers, investors and business partners
• No one wants to buy a costly and embarrassing data security disaster, especially in the cybersecurity sector.
An additional concern: many cybersecurity incidents go unreported
• Cyber risks can be well hidden and latent in a business partner
• Technology companies are favored targets of the cybercrime community
• Accordingly, there is a strong incentive for buyers and investors to ‘dig deep’ into cyber diligence
Major Types of Cyber Risk in Deals
Existing or continuing data breach
Undiscovered prior breaches
Malware-ridden environment
Weak internal security policies and practices (technical and administrative)
• Including inadequate security design and testing protocols
Lack of corporate data governance and accountability
Misleading marketing claims for security or privacy features (e.g., FTC v. Facebook)
Loose controls over subcontractors and third party providers who have access to data and/or systems
Cybersecurity Due Diligence: Basic Steps in the Process
Treat cybersecurity as an independent category of deal risk
Use a security practices questionnaire/audit form
Interview key executives and subject matter experts at the target (e.g., CISO, CIO, CPO)
Include appropriate in-house technical experts, or a reputable outside cybersecurity consultant, on the diligence team
• Integrate the technical diligence with the full diligence report (i.e., don’t isolate or overlook critical technical findings)
Review recent compliance audits
Address non-technical cyber risks
• E.g., insider risks, company security and disaster recovery policies, data security governance program
Assess deal risks/deal valuation/deal terms in light of diligence findings
Basic Cybersecurity Questions to Expect in U.S.-based Deals (I)
Current U.S. cybersecurity diligence requests in M&A and investment deals are likely to include some or all of the following items:
• Provide all company written policies related to the security of company systems, data and products and the privacy of personal data
• Disclose internal and external audit results related to the security of company systems, data and products over the past [x] years
• Disclose security testing protocols employed in the development and maintenance of company products and services
• Identify all security standards adopted in company operations and all security-related certifications of the company and its personnel
Basic Cybersecurity Questions to Expect in U.S.-based Deals (II)
• Disclose any non-trivial security incidents in the past [x] years involving company systems, data or products and how incidents were resolved
o Incidents include those involving personal information and trade secrets or other intellectual property
• Identify the management team accountable for the company’s security policies and practices (e.g., CISO, CIO, CPO) and describe the security governance program
• Disclose the company’s cyber risk management policies for vendors and subcontractors
• Describe the company’s employee training and awareness programs for managing cyber risks
Basic Cybersecurity Questions to Expect in U.S.-based Deals (III)
• Disclose findings of the company’s most recent cybersecurity risk assessment of its operations and products
• Disclose the company’s incident response and disaster recovery policies
• Disclose any claims asserted against the company for alleged violations of privacy, security or other applicable laws arising from company products or services
• Disclose the company’s liability insurance coverage related to cyber losses
Expect Extra Scrutiny from Buyers, Investors and Commercial Partners in Certain Sectors
Financial services
Healthcare
Medical devices
Energy and utilities
Telecommunications
Payment Systems
Security products and services (e.g., identity management, managed network security, cloud and mobile security)
Government procurement (e.g., Defense
Case Study 1: Reed Elsevier (I)
2003: Seisint, Inc. (data broker used by businesses to locate people, assets) breached
2004: Reed Elsevier, Inc. (REI) acquires Seisint
• REI is unaware of the breach
• Post-acquisition, REI integrates Seisint’s data
Case Study 1: Reed Elsevier (II)
2008:
• FTC complaint alleges violation of Section 5(a) of the FTC Act
• “Respondents failed to employ reasonable and appropriate measures to prevent unauthorized access to sensitive consumer information . . . . Respondents’ practices caused, or are likely to cause, substantial injury to consumers . . . . This practice was, and is, an unfair act or practice.”
• REI and FTC settle matter in consent decree
Case Study 2: Telstra
April 15, 2015: Telstra acquires Pacnet for $697 million
April 16, 2015: Pacnet informs Telstra that Pacnet’s network had been breached two weeks prior
May 2015: Telstra is forced to foot the bill for system assessment and Pacnet’s response
Case Study 3: FIN4
FIN4 acquires information about M&A discussions
Identifies involved stakeholders
Uses SEC and M&A-themed visuals to capture usernames/passwords
With access gained, FIN4 has real-time access to deal timing
FIN4 steals actual deal discussion docs and weaponizes them
Focus on healthcare and pharma: stocks move dramatically based on news
Case Study 4: Yahoo/Verizon
Massive, years-long data breach revealed at Yahoo! between signing and closing of acquisition by Verizon
Resulting deal revaluation to the tune of $350MM
Other fallout:
• Multiple class actions and regulatory investigations
• Resignation of general counsel (without severance)
• Resignation of CISO
• Millions spent to cover legal defense, investigation and forensic costs
Lessons Learned
Know
• Firms going through M&A have disrupted business operations processes; security suffers
o 2x exposure risk: both buyer and seller
o Info sent to lawyers, consultants, 3rd parties for DD
o Insider risk (disenfranchised and easier to “turn”)
• Hackers may reside in network for months/years without detection; allocate risk accordingly
Do
• Look for cyber “red flags”
• Take attacker’s perspective
• Conduct cyber due diligence (thorough/early)
Biographies

JESSICA BLOCK
Jessica Block is a Senior Managing Director at Ankura Consulting Group based in the Washington, DC office and leads the firm’s data governance practice within the Regulatory & Contractual Compliance group. She has more than a decade of experience helping companies face complex information management challenges. Ms. Block specializes in applying technology to unlock the value of data and decrease the burden of compliance. Ms. Block has led consulting efforts across the lifecycle of various litigations, arbitrations, investigations and transactions. She also strategizes with key internal and external stakeholders to craft resilient policies and standards in readiness for such events and in support of ongoing business operations.
Ms. Block’s professional experience includes:
• Multinational Anti-Bribery/Anti-Corruption Investigation – Led a large-scale document review effort for a global pharmaceutical company facing US and international regulatory investigation in multiple jurisdictions. Guided a multi-disciplinary team of several dozen professionals supporting the processing and production of multiple terabytes of data. Staffed hundreds of English and foreign language lawyers conducting document review of the millions of files implicated by the production demands of various authorities and investigative needs of the company. Coordinated in-country forensic collection and mobile document review to accommodate restrictions on data movement.
• Gulf Oil Spill Investigation – Supported a major defendant in litigation and investigation response resulting from the event. Led the team responsible for managing data processing, document review workflow development, and multiple terabytes of incoming and outgoing production volumes.
• SEC/DOJ Investigation – Architected a large-scale data conversion effort to merge legacy eDiscovery databases for a large financial institution responding to SEC and DOJ investigation. Designed and implemented a custom process to reduce overlapping email information from various, disparate data sources to minimize the cost of compliance.
• Multi-District Litigation – Led teams in the acquisition, review, and production of multiple terabytes of electronically stored information for a large pharmaceutical manufacturer. Supported over 1,200 attorneys reviewing data simultaneously. Participated alongside counsel in negotiating production format and defending eDiscovery efforts to a court-appointed special master.
• Preferred Partnership – Fostered ongoing preferred eDiscovery provider partnerships with multiple major corporations. Participates in team conferences with inside legal team and outside counsel to implement best practices, data reuse, and efficient working methods. Supported development of a centralized playbook for different matter scenarios and data types. Facilitated efficient working methods across a portfolio of hundreds of active matters of varying sizes and complexities. Industries supported include Pharmaceutical, Energy, and Hospitality.
• Litigation Readiness Exercise for Regional Hospital System – Supported development of a comprehensive data risk assessment plan and systems inventory for litigation readiness. Conducted interviews of relevant system owners and documented details in a formal data map.
JOHN BOLES
As Director in the Global Legal Technology Solutions, Information Security sub-practice, John Boles collaborates with clients to address their information and data security needs and to ensure their cyber risks are identified and managed. As a former national security and cyber executive with the FBI, John’s unique experience provides the expertise clients need to protect their business or recover from an incident.
John and the Navigant team conduct cyber investigations worldwide, performing forensic analysis to determine how an incident occurred, assess whether data was at risk, and identify affected individuals. Combining operational experience with computer forensic expertise, modern technical data mining, endpoint monitoring, and industry knowledge, John provides expert information security solutions to companies, law firms, cyber insurers, and health care brokers.
John is recognized as an expert in cyber operations and security, hacking, and international operations. He has directed and led national security and cyber investigations around the world, in partnership with foreign governments, Fortune 50 companies, the U.S. Intelligence Community, and other U.S. state and federal agencies. He has testified before the U.S. Congress and advised the White House and National Security Council on cyber-related issues and policies.
John served over 20 years in the FBI, including posts to US Embassies in Ukraine, Belarus, and Russia. In 2006, John received the Superior Honor Award from the US Department of State for his performance as Legal Attaché in Kiev, Ukraine. As Deputy Assistant Director, he managed and directed the FBI’s cyber operations, investigations, and critical incident response. He also led the National Cyber Investigative Joint Task Force, a 19-member agency team responsible for US cyber national security investigations. His final assignment in the Bureau was Assistant Director, responsible for all FBI operations overseas. Prior to joining Navigant, John was Senior Vice President, Regions Bank, directing cyber fraud and international investigations.
MICHELLE WILCOX DEBARGE
Michelle Wilcox DeBarge is a partner in Wiggin and Dana’s Health Care Department. She chairs the HIPAA Practice Group and the Clinical Research Regulation and Compliance Practice Group. She also co-chairs the Cybersecurity and Privacy Group and is a member of the firm’s Biotechnology and Life Sciences Practice Group.
Michelle advises national and international businesses, health care organizations, and pharmaceutical/biotechnology companies on a wide range of health care regulatory, health information technology, privacy/security and clinical research issues. With over twenty years of experience, she regularly advises clients on HIPAA and other state and federal privacy and security requirements; data breach and incident response; health information exchange, including data management and exchange issues in the context of accountable care and health care integration and affiliations. Her practice also focuses on Medicare and Medicaid compliance and audits, including fraud, waste and abuse obligations of federal and downstream contractors; clinical research regulation and clinical research contracting; evolving third-party reimbursement models; and general operational matters in the health care regulatory area. Michelle lectures frequently on both the state and national level. She is a co-author of the “HIPAA Handbook: Implementing the Federal Privacy Rule in a Long-Term Care Setting,” published by The American Association of Homes and Services for the Aging and is the author of “HIV-infected Physicians: The Duty to Disclose under the Informed Consent Doctrine,” published in the University of Connecticut Law Review.
Before practicing law, Michelle was a program director with the American Cancer Society, where she worked with physicians, nurses, and other health professionals to implement rehabilitation and educational programs for cancer patients, health professionals, and the general public. Before joining Wiggin and Dana, she also supervised the communications program of a community-based health and social service agency.
Michelle is a member of the International Association of Privacy Professionals (IAPP), Applied Research Ethics National Association, and the American Health Lawyers Association.
Michelle is also a member and former Chair of the Advisory Committee on Patient Privacy and Security to the State of Connecticut’s Health Information and Technology Exchange. She previously served on the Legal and Policy Subcommittee of the Connecticut Health Information and Technology Exchange and on the Board of Directors of the Connecticut Health Lawyers Association. Michelle has been recognized by Chambers USA in the category of health care lawyers. Clients indicate that she is “very responsive and efficient” and has “very good negotiation skills” and “a willingness to find solutions.” She has also been listed in The Best Lawyers in America since 2006 and as a Connecticut “Super Lawyer” since 2007. Michelle was also named by Best Lawyers as Hartford legal community’s “Health Care Law Lawyer of the Year” for 2012 and 2016.
Michelle received a B.A. from Williams College, studied abroad at the University of Kent in Canterbury, England, and received her J.D. with High Honors from the University of Connecticut School of Law, where she was Editor-in-Chief of the University of Connecticut Law Review. Michelle also holds the CIPP/US and CIPP/E certifications (Certified Information Privacy Professional/US and Europe), granted by the International Association of Privacy Professionals.
DAVID L. HALL
David L. Hall is a partner in the Litigation Department, including the International Trade Compliance, the White Collar Defense, Government Investigations, and Corporate Compliance, the Cybersecurity and Privacy, the Unmanned Aerial Systems, and the Art Law and Museum practice groups.
David is a seasoned trial lawyer who represents corporations and individuals in complex civil litigation and in investigations and prosecutions conducted by the Department of Justice and other federal and state agencies. He conducts internal investigations and corporate compliance assessments for companies, including those in the defense, financial, and health care industries. David advises clients concerning the Foreign Corrupt Practices Act and cybersecurity and data privacy, including assessments of policies and procedures, and data breach preparation and response. He assists clients in the unmanned aerial systems industry regarding the regulatory requirements of federal agencies. David has successfully defended individuals and companies under investigation by the federal government for a wide range of suspected unlawful activity, including bank fraud, securities fraud, political corruption, unlawful sales of art and antiquities, fraud against the government, and unlawful exports.
In 2013, David retired from the United States Department of Justice after a distinguished 23-year career as an Assistant United States Attorney. While in federal service, David received the Director’s Award for Superior Performance, numerous Special Act Awards, and other awards and commendations from government agencies, including the FBI, CIA, DEA, and ATF. He has also been recognized with the DHS/ICE Excellence in Law Enforcement Award, the DHS/ICE International Achievement Award, and the SAFE Beacon Award.
David served in the United States Navy Reserve as an intelligence officer for thirty years, retiring at the rank of Captain. He is the author of CRACK99: The Takedown of a $100 Million Chinese Software Pirate, published by W.W. Norton in 2015.
MICHAEL J. KASDAN
Michael is a partner in the firm’s Intellectual Property Practice and is a member of the Diversity Committee. He has negotiated, defended and asserted IP rights in numerous federal courts, the US Patent and Trademark Office, the International Trade Commission and in private arbitrations and mediations. As an advisor, he has worked with both established companies and start-ups to obtain, evaluate, value, license and develop patent portfolios and trademarks.
Trained in electrical engineering and with a business background as a technology consultant, Michael works with a broad range of technologies, including consumer electronics, wireless devices, medical products and devices, computer architecture, software and networks, open source issues, semiconductor chips and Internet and e-commerce platforms.
His clients rely on him to resolve both large and small patent, trademark, and copyright cases efficiently and cost-effectively. For example:
In a fast-moving ITC case, he spearheaded the two key claim construction issues for the joint defense group. The Administrative Law Judge took the unusual step of agreeing to stage the claim construction phase on potentially dispositive terms early in the case. The success in getting the Court to agree to an early claim construction phase drove favorable early settlements for numerous defendants.
In a competitor semiconductor case brought as part of a global patent war involving the major electronics companies, he was instrumental in the defense of patent infringement claims and helped to obtain a jury verdict of non-infringement for his client.
Michael was involved in the defense of a series of patent claims asserting infringement of mechanical processes, inspection processes and the materials structure of diaper and training pants products, among two competitors in the field.
Michael also counsels clients on strategic patent prosecution and portfolio development, and provides opinions and analyses on various patent issues, including patent infringement, validity and enforceability.
During 2008-2009, he was seconded to Panasonic Corporation in Japan. As in-house patent counsel in Panasonic’s licensing center, he acted as lead counsel representing the company in numerous third-party patent assertions and license negotiations, where he was responsible for developing substantive defensive positions. Michael also provided legal opinions across a broad set of technology areas and in many facets of patent law, and negotiated complex agreements, including portfolio cross-license agreements. In addition, he worked with the company’s managers and engineers to identify high value patents and to strengthen their protection and mitigate exposure to infringement claims.
Michael frequently writes and speaks on a range of topics including IP litigation, standard essential patents, patent monetization, valuation and licensing practices, how to address IP issues for start-up and early stage companies, patent eligibility, patent exhaustion, willful infringement, patent misuse, patent valuation and inequitable conduct. His articles have been published in leading publications, including LEXIS, Practical Law Company, IP LAW360, Bloomberg/BNA, and Managing IP Magazine. Michael is the sole author of Practical Law Company’s Practice Note on Patent Law and the Lexis Practice Advisor on Patent Licensing. He was selected to author the chapter on Patent Licensing and Monetization of the Oxford Handbook of Intellectual Property Law (Oxford Press, 2017). Michael has also been the keynote speaker at conferences addressing topics such as diversity and mentorship. In addition, he was interviewed on CNBC’s public television Nightly Business Report regarding the Maps features of Snapchat and its privacy implications.
Michael also teaches as an adjunct professor at his alma mater, NYU, as well as at New York Law School, addressing topics such as IP licensing, global patent litigation, patent exhaustion, and inequitable conduct. He has also guest lectured at the NYU Business and Law Clinic, the NYU School of Medicine, and at New York Law School and Seton Hall Law School. He clerked for the Honorable Judge Roderick R. McKelvie in the United States District Court for the District of Delaware.
Michael received his J.D., magna cum laude, from New York University School of Law. He was a member of the NYU Law Review and the Order of The Coif, was Fish & Neave Fellow for the Engelberg Center on Innovation Law and Policy, and served as President of the Intellectual Property and Entertainment Law Society. He is the Co-Chair of the Media Committee for the NYIPLA (NY IP Lawyers Bar Association) and also serves as a member of the Legislative Action Committee.
Michael also received a B.S.E. in Electrical Engineering, magna cum laude, from the University of Pennsylvania. He was a member of Eta Kappa Nu and Tau Beta Pi, Engineering Honor Societies, and a member of the Penn Parliamentary Debate Team.
Outside of work, Michael serves as the Director of Communications and Development of the non-profit My Child’s Cancer. He also serves on the Board of the South Next Festival. He was formerly the Chairman of the Board of the non-profit City-Science, which focuses on improving STEM Education in our cities. He is also a contributor for The Good Men Project. He has spoken on a variety of issues on major media networks, including CNN Headline News, Al Jazeera America, NPR, and CBC Radio, and his writings have appeared in well-known publications such as The Huffington Post, Salon, The BBC, The Daily Dot, Money and Redbook.
JOHN B. KENNEDY
John Kennedy is a partner in Wiggin and Dana’s Corporate Department and a member of the Information Technology and Outsourcing, and Privacy and Information Security Groups.
In 25 years of practice, John has focused on transactions and counseling in the law of information technology, data privacy and security, intellectual property and e-commerce. His transactional practice includes outsourcing, software development and licensing, e-commerce transactions, technology transfer and intellectual property-intensive M&A, divestitures, joint ventures and re-structurings. His clients have included Fortune 500 as well as emerging companies in the financial services, technology, communications, media, energy and consumer products sectors.
John has negotiated complex information technology (IT) outsourcing services agreements involving cloud computing, IT infrastructure and software procurement, systems integration, software development and maintenance, voice and data services and disaster recovery and business continuity. He has also negotiated business process outsourcing (BPO) agreements for call centers and customer support services, finance and accounting services, human resources administration, enterprise procurement services, government passport and visa services, research and development services and supply chain management. His work in this area includes advising clients on all stages of the contract process, including RFP preparation and evaluation, vendor diligence, negotiation of definitive agreements and ongoing advice concerning governance, dispute management and amendments.
In John’s extensive practice in information privacy and security law, he has represented clients in connection with risk and compliance assessments of data privacy policies and practices, data breach preparedness and response, regulatory investigations of data practices, behavioral advertising campaigns and ‘privacy by design’ analyses of products and services in social media and mobile e-commerce, corporate information governance programs, international data transfers and compliance with U.S. state and federal data privacy and information security laws. His clients in this area include companies in the financial services, technology, media, energy and consumer products industries. He is the author of numerous articles on privacy and data security and since 2000 has co-chaired Practicing Law Institute’s Annual Privacy and Data Security Law Institute. Bloomberg BNA recently published John’s Privacy & Data Security Practice Portfolio Series, Cybersecurity and Privacy in Business Transactions: Managing Data Risk in Deals (March 2015).
He has been named in the Who’s Who of Business Lawyers for 2012 for Internet, e-Commerce and Data Protection. Chambers USA ranks John nationally in their Outsourcing category. The Best Lawyers in America has named him for his work in Information Technology Law since 2009. Recently he was elected to The American Law Institute, the leading independent organization in the United States producing scholarly work to clarify, modernize, and otherwise improve the law.
John received his J.D. from Columbia Law School. He was a William Rainey Harper Fellow at the University of Chicago, where he earned an M.A. in English and American Literature, and graduated magna cum laude from Carleton College.
EVAN S. KIPPERMAN
Evan Kipperman is a partner in the firm’s Corporate Department and co-chair of its Emerging Companies and Venture Capital practice group. Evan’s practice is focused on corporate finance transactions, mergers and acquisitions, venture capital financing, securities law, licensing arrangements and general corporate matters across a broad range of industries, including software/information technology, life sciences, digital media, financial services, manufacturing, educational technology, consumer products and food and beverages, among others. Evan’s clients include early stage companies, publicly held middle-market companies, family offices, high-net-worth individuals and private equity firms. He regularly serves as outside general counsel for privately held companies at various stages of development, ensuring that they are appropriately structured, scalable and positioned for growth, while leveraging the multi-disciplinary capabilities of Wiggin and Dana to offer his clients one-stop services for their legal needs. As an active member of the business and investment community in the heart of the Boston to New York corridor, Evan is part of a network that includes organizations such as Crossroads Venture Group, Connecticut Technology Council, CURE, MIT Enterprise Forum, Angel Investor Forum and the Association for Corporate Growth, as well as academic institutions including Columbia University, New York University, University of Connecticut and Yale University, among others.
Before joining Wiggin and Dana, Evan practiced at a prominent New York law firm where he gained extensive experience advising U.S. and international public and private companies in a wide range of industries with regard to mergers and acquisitions, securities transactions and general corporate matters.
Evan received his J.D. from the University of Pennsylvania Law School where he was a senior editor of the Journal of International Economic Law. He received his B.A. in both International Relations and Political Science from the University of Pennsylvania.
Evan is admitted to practice in Connecticut and New York.
MICHAEL MENAPACE
Michael represents insurers in state and federal courts as well as in arbitrations across the country. Michael has litigated disputes concerning bad faith, insurance coverage, reinsurance, premium calculations, allocation among policies, utility and energy infrastructure construction, securities class actions, and merger and acquisition claims. Leading insurance industry trade groups have engaged Michael to represent them on matters of industry-wide importance before trial and appellate courts. He has tried numerous cases through final verdict.
Michael advises insurers on policy construction, coverage, compliance and regulatory issues and often represents stock, mutual, and captive insurers on their dealings with state regulators, including proceedings concerning rates, applications for acquisition of control, and market conduct exams. In addition, Michael advises companies on a variety of privacy and data protection issues, and defends companies facing potential data breach liability. Michael also advises clients in connection with internal investigations and responses to government inquiries and subpoenas, including federal and state inquiries into force-placed insurance, contingent commissions/broker compensation, and finite reinsurance transactions. With regard to his class action experience, Michael has represented defendants in a wide range of suits. His experience includes defending actions alleging violations of federal securities laws, federal and state environmental laws, ERISA, and the Alien Tort Act.
Michael lectures and publishes regularly. He teaches insurance law at the Quinnipiac University School of Law, is co-editor of The Handbook on Additional Insureds, published by the American Bar Association (2012), and co-author of The Reference Handbook on the CGL Policy – Coverage A Principal Exclusions, 2nd ed., published by the ABA (2014).
Michael began his legal career in the insurance/reinsurance practice group of a major international law firm. He is admitted to practice in Connecticut and New York. He graduated with a B.M. from University of Hartford/The Hartt School of Music and received his J.D. from Quinnipiac University School of Law.
Michael is the Treasurer and an Executive Committee member of the Board of Directors of the Hartford County Bar Association and is Co-Chair of The Hartt School’s Board of Trustees. He was the recipient of the New Leaders of the Law Award from the Connecticut Law Tribune in 2005. Before practicing law, Michael was a college music professor and administrator with an active U.S. and international music performance schedule, including as saxophonist with the Hartford Symphony Orchestra.
KISHORE RAMCHANDANI
Kishore Ramchandani is an Insurance Industry Executive in IBM Analytics, where he focuses on leading edge Analytics and Cognitive solutions for the Insurance industry. Previously, he was the Leader of IBM’s Global Insurance Industry Center of Competence, specializing in Information Technology and Business Strategy and Transformation. He led IBM’s effort to create the Insurance Industry Component Business Model (CBM) maps and is the focal point for linking these maps to the industry specific Service Oriented Architecture (SOA). He leads high performance teams that assist clients in developing a comprehensive Information Technology strategy that is tightly linked to the business plan and in Enterprise business transformation. He has managed several large, complex projects that have included business process redesign based on best practices, architecture assessment, application assessments, business needs analysis, system design/development and implementation, IT organization design, M&A due diligence studies, legacy systems transformation, feasibility studies, request for proposal preparation, and vendor selection. He has over 30 years of experience with clients in the insurance, banking, financial markets, and healthcare services industries and in the public sector. He is a subject matter expert in Life Insurance and is often called upon to lead IBM’s global insurance initiatives.
He is a member of the exclusive IBM Industry Academy to which he was admitted by IBM Executive Management based on his Insurance expertise and eminence. He is a Member of the Institute of Management Consultants and is a Fellow of the Life Management Institute (LOMA).
NICOLE WOLTERS RUCKERT
Nicole Wolters Ruckert joined Kennedy Van der Laan in 2004. She first received her law degree in Belgium and then took a Masters in International Business Law and Transactions at the Amsterdam Nyenrode Law School in Amsterdam.
Nicole is a member of the privacy practice. Nicole’s practice focuses on the commercial use of personal data, e.g. e-marketing, online advertising and Big Data. For MarketingFacts.nl Nicole regularly writes about the cookie law and other developments in the field of privacy.
Nicole’s Belgian ‘roots’ have led her to appreciate good food and wine. She knows the best new restaurants in Amsterdam. Theater, films and books satisfy her cultural hunger. She is a skier in winter and an enthusiastic runner all year around.
DENISE TESSIER
Denise Tessier is a Regulatory Compliance Project Executive for IBM’s Global Technology Services division, which provides outsourcing, infrastructure, cloud, mobility and other “back office” services to some of the world’s largest companies. She provides regulatory compliance advice to highly regulated clients such as those in the financial services industry. Her focus is currently on global privacy and the EU General Data Protection Regulation (GDPR), Cybersecurity and Risk Management (ERM or GRC) issues, and data residency generally. Prior to joining IBM, she had over 25 years of legal and regulatory experience in the Insurance industry. She has been in General Counsel and Compliance Officer roles with the Aspen Insurance Group, and was counsel for The Hartford Insurance Groups, handling a wide variety of insurance coverage, claim and compliance issues. She is a graduate of Western New England University and Providence College, and is admitted to the Bar in Connecticut and Massachusetts.
VOLKER WODIANKA, LL.M.
Dr. Volker Wodianka specializes in data protection law and advises on complex process launches in corporate groups, conceptual and operational support of data protection projects in IT & Digital Business, life sciences & healthcare, as well as in industry and start-ups. In international data protection, he is an expert for the implementation of the General Data Protection Regulation as well as the requirements of cross-border data traffic (Privacy Shield, EU standard contract clauses). As a lecturer at a university and in in-house seminars, he offers best practice recommendations in the trend topics of cloud computing and Internet of Things (IoT).
CONNECTICUT | NEW YORK | PHILADELPHIA | WASHINGTON, DC | PALM BEACH | www.wiggin.com
©2017 Wiggin and Dana LLP
CYBERSECURITY AND PRIVACY PRACTICE GROUP
GROUP CONTACTS
JOHN B. [email protected]
DAVID L. [email protected]
MICHELLE WILCOX [email protected]
What is "cybersecurity" and why is it relevant to your business?
Broadly speaking, "cybersecurity" refers to public and private sector efforts to secure the nation's infrastructure against attacks designed to cripple government, defense, commerce, power grids, transportation and/or other basic services critical to the nation's infrastructure. At one extreme, cybersecurity refers to national cyber-defense strategy against concerted cyber-attacks by foreign powers or terrorists (a/k/a "cyber-warfare"). At the other extreme, the term refers to persistent, sophisticated cyber-hacking, cyber-espionage and cyber-terrorism events, large and small, targeting individual government agencies and private corporations for purposes of sabotage or for acquiring sensitive intelligence information, government secrets and/or commercial trade secrets. These incidents do not only target the Fortune 500 businesses; small to medium-sized businesses have been a major target of cybercrime in recent years.
The Cybersecurity Framework
The Obama Administration's recent executive order has launched an effort to promulgate a voluntary national framework under which government agencies and private sector businesses can establish and maintain minimum cybersecurity standards and practices. As proposed, adoption of the framework by private sector businesses would be accompanied with various incentives for investment in cybersecurity and sharing information with the government. For some months, a draft Cybersecurity Framework has been open for public comment by the National Institute of Standards and Technology. A final, revised version is scheduled for release in February 2014. Numerous bills pending in Congress, if enacted, would serve further to "federalize" the area of private sector cybersecurity standards, especially for industries designated as critical to the country's infrastructure (such as public utilities, communications networks and defense contractors). Regardless of the final form of any agreed upon cyber risk framework, government cybersecurity regulations and guidance are likely to issue.
Businesses in all sectors, not only in defense and utilities, have reason to prepare for the impending U.S. cybersecurity regime. As a senior government official recently put it, "There are two kinds of businesses today: those that know they have been hacked, and those that don't know it yet." Any business that relies on networks and on digital systems to conduct operations and store information assets is exposed to cyber-risk. The unfolding federal cybersecurity "framework" is likely to expand through federal and state regulatory structures and lead to multiple new compliance mandates and guidelines for all major economic sectors. Recently, the Department of Defense issued new regulatory guidance to address cybersecurity in defense procurement contracts, likely signaling a larger trend across all federal procurement requirements. Recently the Department of Defense and the Government Services Agency issued a recommendation for enhanced cybersecurity compliance by federal contractors. Evolving federal cybersecurity standards may also affect standards for civil liability associated with maintaining information systems and for the insurability of cyber-risks. Businesses will ignore these developments at their peril.
What services does Wiggin and Dana provide relating to cybersecurity?
Risk Assessments and Compliance: The foundation of cybersecurity preparedness is a comprehensive risk assessment. And risk assessments need to be informed by an organization's particular legal and regulatory compliance posture and liability exposures. Working with clients and in some cases technical consultants, firm lawyers help structure risk assessments and then prepare and help clients implement cybersecurity compliance programs. Areas of compliance may include not only primary cybersecurity rules and guidelines but also such matters as export compliance, privacy and data security, computer crime laws, SEC disclosure requirements, health care legal requirements, employment practices, fraud prevention and other agency and industry ‘best practices.'
Internal Investigations: Cybersecurity incidents, threatened incidents, data breaches and even routine compliance efforts may reveal circumstances that call for sensitive internal investigations. Wiggin and Dana's litigation, White Collar and Regulatory Compliance practices have extensive experience in such investigations, and our team includes several partners with substantial prior government experience, including Global Information Assurance Certification in data security investigations.
Government Investigations: Government regulators and state attorneys general are increasingly focused on security lapses in the private sector. The Federal Trade Commission, for example, has brought over a hundred enforcement actions in the last few years directed at private sector privacy and security practices. Government contracting practices are under increased scrutiny for their security implications. This compliance and enforcement environment translates into more investigations of data security incidents, data breaches and other corporate missteps involving security systems or government data. As with internal investigations, our litigation, white collar and compliance attorneys have extensive experience advising clients in their responses to such investigations.
Corporate Information Security Policies, Employee Awareness, Governance and Board Education Programs: The adoption of appropriate, written cybersecurity policies will be a cornerstone for corporate compliance efforts, including employee training programs and for overall enterprise governance of cybersecurity practices. Wiggin and Dana's privacy and data security lawyers have substantial experience in this kind of policy development work and in ‘best practices' approaches to information security governance and training.
Security Incident and Breach Preparedness and Responses: Data security incidents are routine and pervasive, but, increasingly, businesses are also falling victim to sophisticated cyber-attacks (or "advanced persistent threats") designed not to steal customer data but to acquire company assets or to seize control of systems and disrupt business operations. Clients typically require outside legal advice in responding to these incidents, in managing the multiple consumer and regulatory notice obligations imposed by state and federal law and in mitigating litigation risk. Our litigators, privacy and health care lawyers have extensive experience in data breach preparedness and response programs. Often these services are coupled with assistance in developing relevant client security and incident response policies.
Litigation: Although it remains to be seen whether cybersecurity regulations will create a new field for civil litigation, there is already a thriving class action industry in data breach litigation under existing state and federal laws. However, standards of liability for security lapses are likely to be affected as cybersecurity law and policy evolve. Businesses that are victims of cyber-attacks will likely find themselves sued in addition to their other compliance related problems. Litigators at Wiggin and Dana have extensive litigation experience in defending consumer protection and privacy claims and in handling complex class action cases.
Cyber-risk in Procurement, Outsourcing Transactions and Supply Chains: As more companies outsource or send parts of their operations into ‘the cloud', procurement increasingly becomes a cybersecurity risk vector. How companies go about buying technology and technology-related services can have a significant impact on their cyber-risk profile. Many existing regulations obligate businesses to engage in reasonable due diligence and obtain appropriate, written contractual terms from vendors that have access to company systems and data. With the recent issuance of Department of Defense cybersecurity guidelines for procurement, businesses that contract with the federal government can expect cybersecurity to be a prominent requirement for certain federal awards. Any comprehensive approach to managing cyber risk will involve appropriate procurement and supply chain management policies and practices. Lawyers in Wiggin and Dana's outsourcing and technology group regularly advise clients on these issues in connection with individual transactions and procurement policies.
Cyber-liability Insurance Products: Lawyers in the firm's insurance and litigation practices have extensive experience in advising on insurance coverage disputes. Our insurance lawyers have also helped insurers develop new cyber-liability insurance products.
What kinds of businesses should be addressing cybersecurity risks?
Businesses in economic sectors identified by the government as "critical infrastructure", including public utilities, defense contractors, health care, manufacturers, technology companies, banking and financial services companies and transportation businesses.
All other businesses that:
• maintain substantial proprietary information and intellectual property on information systems, whether internal or outsourced;
• contract with, or are otherwise in the supply chain for, "critical infrastructure" businesses or the government, and therefore need to keep pace with the evolving requirements for the critical infrastructure;
• are already subject to state or federal regulatory requirements pertaining to information security (e.g., financial services, health care, education);
• are critically dependent upon the security of their data and information systems to operate and maintain business continuity, or
• for reputational, risk management and brand-protection reasons, seek to limit their exposure to public data breach and cyber-hacking incidents.
What about small and medium-sized businesses?
Smaller and mid-sized businesses may assume that they can avoid serious cyber-risk if they just sit quietly and keep their heads down. But the facts indicate otherwise; several major industry studies have emphasized that cyber-assailants are finding some of their richest targets in smaller, and less prepared, businesses. The answer for such businesses is not ‘zero preparation' but appropriate preparation.
Contacts:
MICHELLE DeBARGE, CIPP/US, CIPP/[email protected]
JOHN [email protected]
ARE YOU READY FOR THE EU GDPR?
The deadline is May 25, 2018, and if you are subject to the GDPR, you have a lot to do between now and then. Even if you are not currently subject to the European Union (EU) Data Directive, you may be subject to the GDPR, given its broader territorial scope and that data processors are now directly regulated. In addition, the GDPR broadens pre-existing data processing requirements and includes tougher sanctions for non-compliance.
What is the GDPR?
The GDPR is a European regulation that governs the processing of personal data (data concerning a natural person). “Processing” includes the collection, storage, use, disclosure, or retrieval of personal data. It also contains provisions giving personal data subjects certain individual rights in connection with their personal data.
What is Personal Data?
The definition of “personal data” is broad. It includes virtually any information related to an identified or identifiable natural person (a “data subject”).
Cybersecurity and Privacy Group: EU General Data Protection Regulation (GDPR) Services
WHO MUST COMPLY WITH THE GDPR?
You may be subject to the GDPR even if you do not have a physical establishment in the EU. The GDPR applies to:
(1) controllers (those who determine the purposes and means of the processing of personal data) and processors (those that process personal data on behalf of a controller) with an establishment in the EU, regardless of whether the processing takes place in the EU;
and
(2) a person or entity that offers goods or services to data subjects in the EU or that monitors their behavior as far as their behavior takes place in the EU, regardless of whether the person or entity has an establishment in the EU.
An establishment is not defined by a particular presence or legal form. According to the recitals in the GDPR, establishment “implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
WHAT DOES THE GDPR REQUIRE?
Controller Obligations:
• Obtain consent for or document other justification for processing activities and provide notice of processing activities
• Implement special processes to address data collection and processing for children under 16
• Maintain appropriate data security measures
• Implement “privacy by design and privacy by default”
• Notify data protection agencies and data subjects of breaches
• Perform Privacy Impact Assessments (PIAs, for short) and consult with regulators before performing certain processing activities
• Honor and implement processes to address individual rights
• Implement appropriate processes and data use agreements in connection with third-party data processors
• Maintain documentation of processing and compliance activities
• Comply with cross-border transfer restrictions
• Appoint a Data Protection Officer, if required
• Cooperate with supervisory authorities
Processor Obligations:
• Maintain appropriate data security measures
• Notify controllers of breaches
• Assist with PIAs
• Assist with processes to address individual rights
• Obtain consent from controllers for arrangements with sub-processors
• Implement appropriate processes and data use agreements in connection with sub-processors
• Maintain documentation of processing and compliance activities
• Ensure personal data is deleted or returned when processing activities end
• Comply with cross-border transfer restrictions
• Appoint a Data Protection Officer, if required
• Cooperate with supervisory authorities
WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?
Penalties for non-compliance can be as high as €20 million or 4% of total global turnover from the prior year, whichever is higher. The penalties are clearly severe and if imposed could threaten the viability of many companies. Data subjects also are entitled to specific remedies under the regulation.
HOW CAN WE HELP?
We offer a full range of GDPR support services, including initial assessments and development of a comprehensive implementation plan for those not previously subject to EU data protection requirements. We have a team of attorneys who can assist with GDPR data privacy and security implementation and compliance, led by partners Michelle DeBarge and John Kennedy. Michelle has 24 years of privacy experience and holds both an IAPP/US and IAPP/E certification. John Kennedy is a recognized leader in the privacy and cybersecurity legal field with nearly 20 years of experience advising clients on a full range of privacy and security matters. Our team includes a deep bench of individuals with specialized knowledge in the area of breach response, health care services, life sciences, financial services, outsourcing, insurance, and information technology. We coordinate our services with local counsel in EU Member States to ensure additional privacy and security requirements of individual Member States are considered.
We also can serve as a company’s DPO (Data Protection Officer) both in the U.S. and abroad for companies who do not have internal DPO expertise or whose operations do not require a full-time DPO.
For more information on our GDPR services, contact Michelle DeBarge at 860.297.3702 or at [email protected]
WIGGIN AND DANA OFFICE LOCATIONS
New Haven Office: One Century Tower, 265 Church Street, P.O. Box 1832, New Haven, Connecticut 06508-1832; p 203.498.4400; f 203.782.2889
Greenwich Office: 30 Milbank Avenue, Greenwich, Connecticut 06830; p 203.363.7600; f 203.363.7676
Hartford Office: 20 Church Street, Hartford, Connecticut 06103; p 860.297.3700; f 860.525.9380
Stamford Office: Two Stamford Plaza, 281 Tresser Boulevard, Stamford, Connecticut 06901; p 203.363.7600; f 203.363.7676
New York Office: 437 Madison Avenue, 35th Floor, New York, New York 10022-7001; p 212.490.1700; f 212.490.0536
Philadelphia Office: Two Liberty Place, 50 S. 16th Street, Suite 2925, Philadelphia, Pennsylvania 19102; p 215.988.8310; f 215.988.8344
Washington, DC Office: 1350 I Street, NW, Washington, D.C. 20005-3305; p 202.800.2470
Palm Beach Office: 231 Bradley Place, Suite 202, Palm Beach, Florida 33480; p 561.701.8700
© 2017 Wiggin and Dana LLP. In certain jurisdictions this may constitute attorney advertising.
We have successfully worked with our clients to prepare for and respond to data breach and cybersecurity events in multiple industry sectors.
Group Contacts:
JOHN [email protected]
DAVID [email protected]
MICHELLE [email protected]
Cybersecurity Group: Incident Response Services
Data incident response is a critical component of an organization’s risk mitigation strategy and arguably more important than ever. There were over 64,000 data security incidents in 2015 alone that compromised organizational data confidentiality, integrity, or availability. These include 2,260 instances of confirmed unauthorized disclosure.

Companies must be prepared at a moment’s notice to handle data incident investigation, forensics, remediation, crisis team management, regulatory inquiries, and internal communications. Moreover, a company that fails to have a comprehensive data incident response plan in place, or that is not prepared to follow the plan in the event of an incident, faces significant legal risk of a regulator’s enforcement action or a civil lawsuit. Simply having a well-written incident response plan is not enough preparation for today’s cyber threats.

WIGGIN AND DANA DATA BREACH TOLL-FREE HOTLINE 1-844-9BREACH
OUR SERVICES
Given the growing number of data breaches and the substantial cost to contain, investigate, and respond to them, your organization should be prepared with an effective incident response program, including fully ready relationships with external providers, including data breach counsel. As part of our privacy and cybersecurity legal services, Wiggin and Dana offers our clients a comprehensive set of security incident and data breach preparation and response services, including:
• developing client incident response plans and providing related training;
• helping assemble a team of other external advisors and service providers, including forensic consultants, providers of notification and credit monitoring services and public relations/media consultants;
• advising a client’s internal breach response team, working with forensic investigators and coordinating overall incident response measures;
• legal analysis and preparation of applicable consumer and regulatory notification requirements;
• managing relationships with law enforcement officials;
• representation in regulatory and attorney general office inquiries and investigations; and
• defense in civil suits and class action litigation.
Our privacy lawyers have helped clients prepare for, respond to, and defend lawsuits and regulatory investigations arising from a wide variety of data security incidents, ranging from sophisticated external attacks on client systems to internal failures of security risk management.
In the current technological and legal environment, companies that own or control significant data assets are exposed to a myriad of persistent and sophisticated security threats that can lead to costly litigation, long-term regulatory scrutiny, substantial fines and lingering reputational damage. These concerns are particularly pressing for regulated entities that are in relationships of trust with consumers, such as insurance companies. High-profile data breaches show that any business can be “hit” by outside hacking or internal security failures, making it all the more critical that a business can demonstrate, at a minimum, that it was reasonably prepared and capable of a timely and effective response.
OUR EXPERIENCE
We have worked with our clients in the insurance, healthcare, technology, financial services, and public utilities sectors to prepare for and respond to data breach and cybersecurity events with the following:
• appropriate written information security and incident response policies and the development of client teams to manage these policies;
• training and testing exercises that simulate security incidents and reveal administrative and technical vulnerabilities;
• improved vendor and supply chain risk management procedures;
• improved cyber risk assessments and information sharing regarding the threat environment; and
• proactive and informed involvement of senior management and the board in the oversight of cybersecurity risk management.
Additionally, our data breach coaching lawyers have handled scores of data security incidents for our clients in multiple industry sectors. This experience ranges from small but sensitive spills of personal data, to reportable breaches involving millions of customer records to advanced persistent threats that target trade secrets and data on key personnel.
RECENT PROJECTS
Our recent data incident projects have included:
• representing a public utility in its response to a data breach involving loss of a significant amount of current and former employee data and in making notifications to residents, state regulators and law enforcement agencies across the country;
• representing a national property and casualty insurer in its response to a breach involving social engineering exploits with its employees and the compromise of computers, customer accounts and credit card data at one of its affiliates;
• representing a health care insurer in connection with a security lapse at a third party vendor which potentially exposed protected health information and other customer records to public access and data thieves;
• representing an institution of higher education in its response to a data breach involving the loss of sensitive data related to students, faculty and staff;
• advising one of the country’s largest insurers in connection with the Anthem breach, its responses to state and federal regulators and its compliance obligations concerning affected group plans at Anthem which are underwritten by the insurer;
• assisting an insurer in a sensitive internal investigation involving potential employee violations of internal security policies and unauthorized use of data;
• selection by Zurich, N.A. to be among the law firms on its roster of approved data breach coaches for insureds; and
• investigation and analysis of numerous potential security incident fact patterns and advising insurance clients on whether a reportable event has occurred under applicable notification laws.
OUR TEAM
Our team is cross-disciplinary - leveraging our attorneys who specialize in privacy compliance, cybersecurity regulation, defense litigation, insurance law and information technology law. This group is deeply familiar with the varied requirements and nuances of state and federal breach notification laws and is seasoned in managing the investigations, regulatory inquiries, and civil suits that often follow security incidents.
John Kennedy, Partner and Co-Chair, Cybersecurity and Privacy Group (U.S. state and federal data privacy and cybersecurity matters; data breach management; privacy and data security policies and governance; transactional matters involving data privacy and security; international data transfers)
David Hall, Partner and Co-Chair, Cybersecurity and Privacy Group (cybersecurity and related compliance matters; internal and external investigations)
Michelle DeBarge, Partner and Co-Chair, Cybersecurity and Privacy Group (HIPAA matters and related compliance and policy advice; OCR audits and investigations; and state AG investigations)
Aaron Bayer, Partner (data breach defense litigation; state and federal regulatory inquiries and investigations)
Michael Menapace, Partner (insurance law matters; cybersecurity insurance coverage)
Jody Erdfarb, Associate (HIPAA matters and related compliance and policy advice; privacy and security awareness training)
WIGGIN AND DANA OFFICE LOCATIONS
New Haven Office: One Century Tower, 265 Church Street, P.O. Box 1832, New Haven, Connecticut 06508-1832; p 203.498.4400; f 203.782.2889
Greenwich Office: 30 Milbank Avenue, Greenwich, Connecticut 06830; p 203.363.7600; f 203.363.7676
Hartford Office: 20 Church Street, Hartford, Connecticut 06103; p 860.297.3700; f 860.525.9380
Stamford Office: Two Stamford Plaza, 281 Tresser Boulevard, Stamford, Connecticut 06901; p 203.363.7600; f 203.363.7676
New York Office: 437 Madison Avenue, 35th Floor, New York, New York 10022-7001; p 212.490.1700; f 212.490.0536
Philadelphia Office: Two Liberty Place, 50 S. 16th Street, Suite 2925, Philadelphia, Pennsylvania 19102; p 215.988.8310; f 215.988.8344
Washington, DC Office: 1350 I Street, NW, Washington, D.C. 20005-3305; p 202.800.2470
Palm Beach Office: 231 Bradley Place, Suite 202, Palm Beach, Florida 33480; p 561.701.8700
www.wiggin.com · © 2017 Wiggin and Dana LLP. In certain jurisdictions this may constitute attorney advertising.
CORPORATE DEPARTMENT
GROUP CONTACT
WILLIAM A. PERRONE, CHAIR 203.363.7604 [email protected]
CONNECTICUT | NEW YORK | PHILADELPHIA | WASHINGTON, DC | PALM BEACH · www.wiggin.com · ©2017 Wiggin and Dana LLP
We act as trusted advisors to clients large and small by learning their businesses, gaining their confidence and earning their trust. We believe that our familiarity with clients, their businesses and their industries gives us a solid foundation to render the sound legal advice and practical business counsel that helps them clarify goals, find solutions and achieve results. Our corporate lawyers advise clients in industries as diverse as biotechnology, cannabis, pharmaceuticals, medical devices, software, internet of things, telecommunications, health care, financial services, energy and utilities, outsourcing, specialty chemicals, high-tech and traditional manufacturing and retail.
Wiggin and Dana serves as outside general counsel or as special counsel to clients from publicly traded corporations (including Fortune 500 Companies) to emerging and entrepreneurial companies and their investors. Our clients do business globally and we assist them with transactions in North and South America, Europe, India, China, Japan and the Middle East.
We regularly advise clients on a wide variety of commercial and financial matters, including mergers and acquisitions, joint ventures, strategic alliances, public and private debt and equity financing, outsourcing, entity formation, creation and protection of intellectual property, licensing and distribution, franchising and workouts and restructuring. These projects and transactions range from million to billion dollar values. Accordingly, we know how to deliver sophisticated and efficient counsel in both small and large transactions.
While we provide a broad array of corporate legal services, here are some of the specific areas in which we can serve you:
• Clean Technology
• Cybersecurity and Privacy
• Digital Media and Technology
• Education
• Emerging Companies and Venture Capital
• Finance and Restructuring and Workouts
• Franchise and Distribution
• India Practice Group
• Intellectual Property
• Life Sciences
• Medical Cannabis
• Mergers and Acquisitions
• Patent Prosecution
• Securities and Capital Markets
• Software and Internet
• Tax Exempt Organizations
• Taxation
• Technology and Outsourcing
• Trademark and Copyright
EMERGING COMPANIES AND VENTURE CAPITAL PRACTICE GROUP
GROUP CONTACT
EVAN S. [email protected]
PAUL A. [email protected]
Wiggin and Dana attorneys have a deep understanding of the issues faced by emerging growth companies and investors alike. Our business-minded approach has won the trust of numerous emerging growth companies at all stages of their life cycles, as well as investors of all types — from angel investors and venture capitalists, to family offices, traditional private equity firms and other strategic and financial investors.
We are a value-added provider of mission-critical services. We offer an invaluable perspective, putting to work our experience in representing both companies and investors across a broad range of industries, such as software/information technology, telecommunications, life sciences, financial services, clean technology, digital media, consumer products, education technology and health care services. Our attorneys work with emerging company clients to ensure that they are appropriately structured, scalable and positioned for growth and a liquidity event, while avoiding obstacles and helping them withstand the rigorous due diligence scrutiny of investors, lenders, strategic partners and underwriters. We work with venture capital clients and other investors to help review their targets, structure their investments and accomplish their business objectives. We strive to find creative solutions for our clients with sound counsel that not only considers potential legal risks but also makes us trusted advisors.
We deliver enhanced one-stop services to our clients by leveraging our networks and our multidisciplinary capabilities. Our attorneys are founders and leaders of the region’s most prominent technology, venture capital and trade organizations, giving us a wide network of experience to draw from to help our clients. Our networks include organizations such as Crossroads Venture Group, Connecticut Technology Council, CURE, Angel Investor Forum and the Association for Corporate Growth, as well as academic institutions including Columbia University, New York University, University of Connecticut and Yale University, among others.
As a full-service law firm, we are ideally equipped to meet the needs of our clients, and we routinely provide a full complement of interdisciplinary legal services to effectively and efficiently address the issues our clients face, including:
• Enterprise formation and governance
• Venture capital and seed financing
• Intellectual property prosecution, strategy and litigation
• Tax structuring
• Licensing and distribution
• Collaborations and other strategic alliances
• Private placements
• Regulatory matters
• Cybersecurity
• International trade compliance
• Commercial litigation
• Debt financings
• Employment, labor, benefits and immigration matters
• Real estate matters
• Public offerings
• Mergers and acquisitions
• Investment adviser and broker dealer regulation
MERGERS AND ACQUISITIONS PRACTICE GROUP
GROUP CONTACTS
MARK S. KADUBOSKI 203.363.7627 [email protected]
SCOTT L. KAUFMAN 212.551.2639 [email protected]
Wiggin and Dana has recently assisted clients – operating in the U.S., Europe, the Middle East, the Americas and Asia – in over a hundred M&A deals worth billions of dollars.
We can handle all aspects of mergers and acquisitions, providing assistance with structuring and negotiating transactions, and advising on antitrust, securities, tax, labor, employment, environmental, and other matters. We also provide exceptional value to our clients thanks to the deep experience of our M&A lawyers, their acute business acumen and their practical approach to acquisition and divestiture work.
Our attorneys are experienced representing public companies, closely-held businesses and their owners, private equity funds and their portfolio companies and other institutions. We have experience in numerous industries – including biopharma/medical devices, chemicals, computer software/web technology, construction/engineering, distribution, financial services, healthcare/healthcare services, manufacturing, media/publications, technology, and utilities/telecom.
Our work spans mergers, stock and asset purchases and dispositions, as well as other transactions that transfer business interests, including product-line acquisitions, joint ventures with purchase options and equity investments with purchase options. When we help acquire or sell public companies, we are equipped to advise on fiduciary issues, securities law compliance and stockholder matters. We also can advise on and provide all antitrust structuring and filings, intellectual property due diligence, tax structuring and other necessary support for our clients.
EDUCATION PRACTICE GROUP
Educational institutions today face unprecedented opportunities and challenges — increased economic competition, continually changing regulatory requirements, complex labor and employment concerns, modifications in technology and data security, and the ever-evolving needs of students and faculty. Wiggin and Dana is well suited to help colleges, universities, and other educational institutions cope with these challenges.
For more than half a century, our firm has represented institutions of higher education in Connecticut and other states on a wide array of education matters, including FERPA, Title IX, Clery Act, privacy and data security, intellectual property, art and museum law, labor and employment, affirmative action, immigration, charitable gifts and endowments, tax exemption, board governance, corporate organization and finance, commercial transactions and government contracts, construction and real estate outsourcing, health care, and export and sanctions compliance. We have guided educational institutions in responding to government investigations, conducted internal investigations for them, handled complex and highly sensitive lawsuits, and helped them negotiate critically important strategic alliances and affiliations.
Our Education Practice Group has long-standing relationships with colleges and universities, independent and proprietary schools, and extensive experience counseling them on the full range of legal issues they face. Our lawyers work closely with boards of trustees, presidents, senior administrators, deans, department chairs, and in-house counsel to find practical solutions to complex legal issues.
The head of our practice group is a former general counsel to a college. He and the other lawyers in our group understand how educational institutions operate and how an institution's constituencies can influence decision making.
Our higher education clients include:
• Yale University
• Wesleyan University
• Connecticut College
• Princeton University
• Quinnipiac University
• University of New Haven
• University of Bridgeport
• Goodwin College
GROUP CONTACT
AARON S. [email protected]
We have also long represented independent schools, including:
• Choate-Rosemary Hall
• The Hotchkiss School
• The Foote School
In addition, our firm has counseled proprietary schools, including the Institute of Culinary Education and Stone Academy.
Our firm has also represented organizations that are associated with educational institutions, such as the Graustein Memorial Fund, Connecticut Conference of Independent Colleges, as well as other non-profit institutions and organizations whose missions are closely aligned with education, such as the Connecticut Science Center, Mystic Seaport Museum, and the Institute for Health Care Communications.
We counsel colleges, universities, independent secondary schools, proprietary schools and other educational institutions on a full range of legal issues, including:
Labor, employment and employee benefits
• Faculty employment, promotion, and tenure
• Immigration issues
• Personnel policies and manuals
• Defending claims of wrongful discharge, discrimination and sexual harassment
• Design and implementation of employee benefits plans and programs
• Qualified and non-qualified deferred compensation and executive compensation
Student issues
• Student disciplinary matters
• Disability accommodations
• Housing, academic and admissions issues
• International programs
• Student privacy (FERPA, HIPAA, and other federal and state privacy laws)
• Online courses
Tax exemption and corporate governance
• Charitable giving
• Endowment management
• Compliance with state charitable trust and solicitation laws
• Governance and related Form 990 issues (including conflicts of interest)
• Executive compensation
• Relationships with support organizations
• Tax exempt bond financing
Commercial contracting
• Information technology (IT) licensing and implementation
• Outsourcing
• Equipment leases
• Government contracts
• Car share program agreements
• Location agreements
Intellectual property
• Copyright and trademark
• Development and implementation of policies regarding invention disclosures, ownership of inventions and patent protection, and commercialization of IP
• Licensing arrangements and technology transfer agreements
• Sponsored research, grants and consulting arrangements
• Prosecution and litigation of patents, trade secrets, trademarks, domain names, copyrights, and other intellectual property rights
Real estate and facilities
• Acquisition, sale, disposition, and leasing of real property
• Construction and design matters including negotiation and drafting of contracts with architects, engineers, and contractors
• Telecommunications matters including distributed antenna systems, dark fiber installations, and cell site leasing and development
• Land use and zoning
• Environmental matters, alternative energy, onsite power generation solutions, and green initiatives
• CHEFA financing and other tax exempt bond issues
• Property tax valuation and exemption matters
Federal and state regulatory compliance
• SEVIS reporting
• Campus safety and student right to know laws
• Data security and financial privacy laws
• Freedom of information laws (FOIA)
• Federal regulations governing human subject research and scientific misconduct
Government investigations
• Representation in state and federal investigations, including investigations and enforcement actions by state attorneys general, state departments of education, and the U.S. Department of Education
• Conducting internal investigations
Export and economic sanctions compliance
Compliance with US export and sanctions laws is another area of growing concern for universities and research centers, which must grapple with the export and sanctions compliance issues presented by presentation of papers at international conferences, requests for academics to visit sanctioned countries, collaboration with foreign institutions/academics/students in an environment of increasing reliance on private sponsors who may wish to restrict publication and thereby jeopardize universities’ use of export exemptions for fundamental research, intentional or inadvertent exposure of research equipment and results to international graduate students and faculty, misdirected emails containing export-controlled information, the temptations and perils of cloud computing, and research involving cutting edge (and often export-controlled) technologies such as unmanned aerial and submarine vehicles (drones). Our large and experienced team of international trade compliance partners and associates routinely provides counsel on these and other international trade compliance issues – including by providing interpretive advice, creating or improving compliance policies, conducting trainings, internal audits, or investigations, assisting with license applications, and drafting voluntary or directed disclosures – to clients ranging from Fortune 50 defense contractors to universities to high-tech start-ups.
• Provide advice on the interpretation of regulatory requirements under the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), regulations administered by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, and multiple economic sanctions regimes implemented by the Office of Foreign Assets Control (OFAC)
• Audit, create, or refine institutional policies and procedures to ensure compliance with ITAR, EAR, BATFE, and OFAC requirements
• Conduct internal training
• Assist in classifying commodities, data and software under the ITAR and the EAR
• Prepare or assist in preparation of applications to the Departments of State, Commerce, Treasury or BATFE for licenses/permits authorizing the export/import of controlled commodities, data, or services, or transactions with sanctioned persons or places
• Conduct internal investigations into potential violations of the ITAR, EAR, BATFE or OFAC requirements
• Prepare voluntary and directed disclosures
Litigation
• Litigation in state and federal courts, appeals, arbitration, and mediation
HEALTH CARE DEPARTMENT
For decades, Wiggin and Dana has been home to one of the largest, most extensive and experienced health law practices in the region. Health care organizations and providers of all types—as well as state and national associations and professional societies active in health care policy issues—count on us to provide general and special counsel across a wide spectrum of issues.
Wiggin and Dana’s health care department has consistently been ranked in Band 1 of the Chambers USA Guide. Quotes from clients include: "they are technically excellent but they also understand the practical implications" and "the breadth of their knowledge and the depth of their bench is excellent." Attorneys recognized are Maureen Weaver, Melinda Agsten and Michelle Wilcox DeBarge.
Our clients include academic medical centers, hospitals and hospital systems; long-term care facilities; continuing care retirement communities; assisted living facilities; ambulatory care facilities; PACE organizations; home health care agencies; hospices; pharmaceutical manufacturers and retail pharmacies; ambulance providers; durable medical equipment suppliers; specialty payors; preferred provider organizations and benefits management companies; physicians and other individual practitioners. We also serve as counsel to health-care focused associations, such as the Connecticut Hospital Association, LeadingAge Connecticut, the Connecticut State Dental Association and the National PACE Association. In addition to health care providers and provider associations, we counsel entities involved in various aspects of health care delivery and administration, such as health plans and health networks; third-party administrators; wellness providers; tele-health and information technology companies; data management and analytics firms; and mobile and digital health organizations.
In helping our clients, we address a full range of laws that affect health care, including licensure, change of ownership, certificates of need, patient care, risk management, fraud and abuse and reimbursement and payor matters. Our attorneys appear regularly before the United States Department of Health and Human Services' Centers for Medicare and Medicaid Services, the Connecticut Office of Health Care Access, and Connecticut Departments of Public Health, Social Services, Mental Health and Addiction Services, and Children and Families.
Our team also includes seasoned corporate lawyers with health care experience who handle transactional matters for health care providers of all kinds. These range from employment relationships to complex collaboration arrangements to full corporate affiliations via merger, acquisition or member substitution.
GROUP CONTACT
MAUREEN WEAVER 203.498.4384 [email protected]
Practice concentrations within the Health Care Department include:
• Academic Medical Centers, Health Systems and Hospitals
• Clinical Research Regulation and Compliance
• Health Care Business Transactions
• Health Care Compliance, Fraud and Abuse
• Health Information Technology
• HIPAA
• Home Health Care and Hospice
• Long Term Care and Senior Living
• Medicare and Medicaid Reimbursement
• Tax Exempt Health Care Organizations
HEALTH CARE COMPLIANCE, FRAUD AND ABUSE PRACTICE GROUP
GROUP CONTACT
MAUREEN WEAVER 203.498.4384 [email protected]
For many years, health care fraud and abuse has been a top government enforcement priority. Now, the stakes are going up. The federal government has announced and implemented initiatives to strengthen its efforts to combat fraud, waste and abuse in federal health care programs. State Medicaid programs have embarked on their own initiatives focused on Medicaid integrity. What's more, federal and state laws provide a substantial financial incentive to employees, competitors, suppliers and others to initiate civil proceedings alleging fraudulent and abusive practices through "whistleblower" actions. Health care providers, pharmaceutical companies, ambulance companies and providers of durable medical equipment have paid billions of dollars in restitution, penalties and fines as a result of governmental and private enforcement efforts, and many providers have entered into corporate integrity agreements with federal and state enforcement authorities.
Wiggin and Dana's Health Care Compliance Practice Group brings together the firm's substantive knowledge in health care law and reimbursement with our extensive experience in internal and government investigations. Wiggin and Dana has one of the largest health care practices in the region with breadth and range of experience at both the federal and state levels. In addition, our White Collar, Internal Investigations and Government Investigations Practice Group includes seasoned former federal prosecutors with the essential skills and insights to protect and advance clients' interests during government investigations. Our experienced and well-respected team has worked together on many occasions to handle a wide variety of complex health care compliance matters where we craft effective strategies for responding to investigations and working with government attorneys and regulators to bring investigations and cases to successful conclusions. We have the track record to prove it. We also work closely with clients to develop and monitor compliance programs that help our clients avoid government scrutiny and whistleblower actions in the first instance.
We work with a variety of health care providers in connection with compliance initiatives and governmental and internal investigations. Wiggin and Dana's lawyers represent health care providers, pharmaceutical companies and durable medical equipment providers during investigations and enforcement activities on the federal level before the Department of Justice, U.S. Attorney's Offices around the country, the Department of Health and Human Services' Office of Inspector General and various federal agencies and contractors. We also represent providers in state enforcement actions, and we have a particularly strong history of representing providers before the Connecticut Attorney General's Office, Chief States' Attorney's Office and various other state agencies.
Current engagements include representing hospitals, nursing homes, home-care, hospice and physical-therapy providers, ambulance companies, physician groups, pharmaceutical companies and durable medical equipment providers. Here are some of the ways we help our clients succeed:
• Advise clients on the development, operation and ongoing monitoring of corporate compliance programs—consulting on structure, policy content, procedures, codes of conduct, and other materials
• Conduct reviews and audits of compliance program effectiveness
• Serve as counsel to compliance officers, compliance committees and board audit and compliance committees
• Assist in due diligence on compliance-related matters for corporate transactions
• Advise clients on healthcare regulatory and reimbursement questions
• Counsel clients on the Stark law and the Anti-Kickback statute
• Represent pharmaceutical clients in government investigations of off-label marketing
• Provide counsel on Foreign Corrupt Practices Act matters
• Represent clients in Medicare and Medicaid audits, including Recovery Audit Contractor (RAC) audits
• Represent clients when they detect potential compliance issues: retention of internal and/or external auditors and consultants, conducting and managing the investigation, and assessment of options, including whether and how the matter should be self-reported to the government
• Represent clients in their participation in the government's self-disclosure protocol
• Represent clients (both corporate clients and individuals) in state and federal civil and criminal audits and investigations
• Consult with clients on issues relating to the privacy and security of health information, including compliance with HIPAA privacy and security regulations, and representation in internal investigations and in federal and state government investigations relating to HIPAA and other privacy law violations
HEALTH INFORMATION TECHNOLOGY PRACTICE GROUP
GROUP CONTACT
MICHELLE WILCOX DEBARGE 860.297.3702 [email protected]
From data security to government compliance to quick response in the IT marketplace, Wiggin and Dana's Health Information Technology Group blends our extensive health care regulatory experience with a sophisticated IT practice. That enables us to provide sound, practical counsel on health care related information technology legal issues—real-world solutions sensitive to your operational needs, goals and priorities, as well as to state and federal regulatory requirements.
We serve a diverse group of health care IT clients. Our clients include health care providers, systems and networks; provider associations; health plans; e-commerce businesses; software developers; data clearinghouses and networks; web designers; IT vendors; suppliers; consultants; and application service-providers.
With extensive experience in the technical, regulatory, business, and practical considerations shaping IT in the health care world, we not only help clients manage the business risks and legal issues associated with health care related IT systems, we also help our clients find creative and efficient ways to make the most out of IT opportunities.
Our Health Information Technology team can help you:
• Manage the legal risks associated with health care-related IT systems and services, including the electronic exchange of health information and data, e-commerce and intranet and Internet activities; the creation, storage, transmission, disclosure, ownership, use, confidentiality, and security of health information and data, integrating numerous legal, regulatory and practical considerations
• Develop policies, procedures, notices, contracts and other documentation required under HIPAA, HITECH, and other federal and state laws regarding security, privacy and other government requirements for health information management
• Comply with Federal Trade Commission (FTC) and Food and Drug Administration (FDA) requirements
• Establish intellectual property protections in new media
• Assist clients in developing long-term strategies for using the Internet and other IT initiatives to their advantage
Aid our clients in finding creative and efficient ways to make the most of new IT opportunities while managing the associated legal issues, applying our comprehensive knowledge of the health care and technology sectors
Advise clients concerning electronic health and medical records; health claims information and health information exchange; the collection and electronic transmission of confidential patient information; the delivery of Internet-based health services; and other health care e-commerce
Negotiate complex outsourcing arrangements for administrative and IT functions
Assist in the creation and operation of electronic databases and repositories
Help structure Internet-based services and assist with e-commerce ventures and other entrees into the digital world
Advise clients on the digitization of medical imaging and the development of telemedicine
Draft, review and negotiate software development and licensing contracts
Audit processes, contractual arrangements, services and products for compliance with federal and state requirements
Provide ongoing advice concerning health information technology issues by keeping abreast of legislative and regulatory changes and industry developments
Prepare written testimony and work on strategic efforts relating to legislative and regulatory issues, proposals and changes affecting our clients
Provide in-service and other educational information and programs for our clients' staff, consultants, vendors and customers
HIPAA PRACTICE GROUP
GROUP CONTACT
MICHELLE WILCOX DEBARGE [email protected]
Wiggin and Dana's knowledgeable HIPAA (Health Insurance Portability and Accountability Act) team helps clients nationwide develop and implement practical, tailored strategies to stay compliant with the far-reaching and complex requirements of HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). Our HIPAA team also helps clients address other privacy and security requirements that may apply to them.
For decades we have worked with noted health care providers, payers and clearinghouses – and vendors that provide IT (information technology), consulting and other services to these entities – employing our deep understanding of privacy, security and data exchange issues. We have also counseled local health information exchanges and RHIOs (regional health information organizations) on the complex array of regulatory and contracting matters applicable to those arrangements.
Renowned academic medical centers, hospitals, health care systems and networks, provider associations, large employers with self-insured health plans, and others rely on our know-how in both information technology (IT) law and HIPAA/HITECH.
Develop policies and procedures for compliance with the HIPAA Privacy and Security Rule, HITECH, and other applicable privacy and security laws
Review and update existing policies and procedures to ensure ongoing compliance with HIPAA and HITECH, and other applicable privacy and security laws
Assist covered entities and business associates with reviewing and negotiating agreements and resolving legal issues and questions arising in business associate-covered entity relationships
Perform audits to determine an organization's compliance with privacy and security requirements and develop and implement remediation plans to address areas of non-compliance
Assist with the development of auditing tools and ongoing monitoring and compliance programs and provide overall coordination of internal auditing and monitoring efforts
Consult on interpretative questions arising in day-to-day operations or from compliance audits
Develop training materials and programs to educate your organization's workforce about legal requirements related to information privacy and security
Draft and/or negotiate contracts between covered entities and security consultants and computer, telecommunications, security system, encryption and other infrastructure vendors
Provide counsel on the implications of operational and system changes and changes in legal requirements that may affect your organization's compliance with privacy and security requirements
Assist with investigating and mitigating privacy and security breaches
Advise on breach notification obligations and provide guidance on reports to, and interactions with, affected individuals, Health and Human Services Office for Civil Rights (OCR), state attorneys general and the media
Provide counsel on government investigations and responding to complaints filed with OCR, state agencies, the office of the state attorney general, and others
Interpret and incorporate applicable state data privacy and security laws relevant to your organization's information security, policies and procedures and use of information technology systems
INSURANCE PRACTICE GROUP
GROUP CONTACTS
TIMOTHY A. DIEMAND [email protected]
JOSEPH G. GRASSO [email protected]
MICHAEL P. THOMPSON [email protected]
The Wiggin and Dana Insurance Practice Group provides international, national and regional insurers, reinsurers, brokers, other professionals and industry trade groups with effective and efficient representation. Our Group members regularly advise clients in connection with coverage issues, defense and monitoring of complex claims, policy wordings, internal business practices, and state and federal investigations. We also defend clients faced with individual lawsuits and class actions – both at trial and on appeal, and represent clients in insurance and reinsurance arbitrations. We have broad experience in many substantive areas, including property, commercial general liability, inland marine including fine art and specie, and ocean marine, reinsurance, professional liability, environmental, and aviation.
We bring our substantial knowledge and experience to bear in providing our clients sound and efficient counsel. Group members frequently publish and lecture to industry trade groups, conduct workshops for underwriters and claims professionals, and instruct in law schools on insurance law and issues. Group members also serve as arbitrators in insurance and reinsurance matters. We are proud to serve as counsel to both the American Institute of Marine Underwriters and the Inland Marine Underwriters Association.
The Group is led by partners Joe Grasso, Timothy Diemand and Michael Thompson. In addition to his experience in private practice, Joe worked in the General Counsel's office of a premier Lloyd's of London syndicate. Joe has been nationally recognized as a leading insurance lawyer in several publications, including Best's Directory of Recommended Insurance Attorneys, Who's Who Legal, and The Legal 500. Tim has extensive experience representing clients both domestically and abroad in high profile and cutting edge litigation and has worked overseas in both London and the Middle East. Michael has represented numerous insurers and reinsurers in coverage, claims and regulatory matters across several business lines. He has appeared before courts and arbitration panels throughout the United States and in front of various tribunals in Bermuda and the United Kingdom where he practiced for several years.
To ensure comprehensive representation of our insurance industry clients, we work closely with other Wiggin and Dana practice groups where appropriate to bring together the right team of professionals.
Representative Insurance Matters
While we have a broad range of experience across many lines of insurance and reinsurance, following is a summary of the firm's capabilities in certain lines of business.
Appellate
Submitted amici briefs to United States Supreme Court, Connecticut Supreme Court and New York State Court of Appeals on behalf of major insurance industry trade associations on various issues including reinsurance insolvency, bad faith, punitive damages, unfair trade practices, and antitrust issues.
Represented insurer on appeals to Ninth Circuit on federal/state jurisdictional issues.
Represented insurer in federal and state appeals on challenges to statutory limitations on insurer operations and constitutional issues.
Represented insurer on appeal to Connecticut Supreme Court on reinsurance coverage issues arising out of asbestos claims.
Aviation
Defended a helicopter manufacturer in a wrongful death action brought by a secret service agent arising out of the crash of the President's helicopter in the Caribbean. Defense verdict after an 8 week trial and verdict upheld by the Second Circuit.
Defended an engine manufacturer in a wrongful death action involving the crash of an F-16 in Egypt. Settled on the eve of trial for a nominal amount.
Defended a manufacturer of jet fuel tanks in a wrongful death action arising out of the crash of a helicopter in Germany. Settled for nominal amount after arguing (but before court ruled) a motion for summary judgment (government contract defense). Case was thereafter tried and lost by the helicopter manufacturer for 24 million dollars.
Defended a manufacturer of private aircraft in a number of separate wrongful death actions over the years, all of which were settled on favorable terms.
Defended a French helicopter manufacturer in a wrongful death action.
Succeeded in having a number of wrongful death actions arising out of aviation accidents transferred to the foreign jurisdictions where the accidents occurred. Without exception, the cases thereafter were settled for much less than plaintiffs had demanded when the actions were pending in the United States. In one of these cases, an appeal was taken that resulted in the leading Connecticut Supreme Court decision on this subject.
Represented owner and insurer of a private jet in obtaining favorable settlement of claims (near 100%) for damage to jet and diminution in market value resulting from collision at regional airport. Aircraft had been damaged while being towed from hangar. Recovered from airport entire amount for physical damage to aircraft and 90% of claimed diminution in market value.
Represented reinsurers of owner and operator of a corporate jet that crashed on take-off from a regional airport resulting in fatalities of all passengers and crew on board. Consulted with direct insurers and their counsel on defense of claims by estates of passengers, litigation over parties' respective rights and obligations under aircraft interchange agreement and subrogated claim for loss of aircraft against municipal airport parties.
Worked on defense of manufacturer of coupling adapter for helicopter engine that allegedly failed during flight resulting in crash of aircraft and fatalities of all on board. Co-defendants included helicopter manufacturer, engine manufacturer and original designer of coupling adapter. Work included assessment of GARA defense.
Represented Swiss aircraft component manufacturer and its insurers in claims for wrongful death arising from crash of private aircraft. Obtained dismissal for client after filing motion for summary judgment.
Worked on defense of owner of jet service in claims of aiding and abetting kidnapping by charterer.
Bad Faith and Extra Contractual Damages
Represented insurers in broad range of bad faith, alleged wrongful denial of coverage and punitive damages claims.
Defended insurer accused of fraud in its acquisition of insurance assets out of liquidation.
Brokers/Agents
Represented broker in complex Connecticut state court case related to pharmaceutical product liability coverage.
Represented broker in dispute regarding handling of marine cargo insurance claims.
Represented broker in federal court actions related to pooling arrangements by life and health insurers for workers compensation.
Represented London reinsurance broker in Connecticut state court action seeking several million dollars in unpaid commissions from its U.S.-based client.
Claims Handling
Conducted investigation of insurer's internal claims-handling procedures.
Developed manuals/procedures for insurer's claims handling.
Managed experts on claims-handling issues and acted as expert witness.
Authored articles on claims handling.
Generally advised insurers on claims-handling procedures.
Class Action Defense
Represented property/casualty insurer in federal court securities class actions related to alleged non-disclosure of contingent compensation arrangements.
Represented personal lines insured in federal, state and national proposed class-actions by health service providers seeking additional fees.
Obtained denial of class certification in action by provider of medical equipment in New York State court; obtained dismissal for group of insurers at trial court and on appeal.
Represented insurer in federal court antitrust and RICO actions.
D&O, E&O and Professional Liability
Represented insurer in state and federal court actions in professional liability coverage for worldwide construction program.
Advised on current D&O issues relating to private equity and hedge fund acquisitions.
Advised and represented insurers in broad range of disputes involving questions of coverage for E&O claims.
Defended attorneys, architects and health care professionals and their insurers in high exposure E&O claims.
Represented insurer in resolving disputes as to coverage among insured, surety and professional liability insurer with respect to design and planning of Metro-North communications system.
Represent a number of major financial institutions in a broad range of litigation and investigatory matters.
Defense of a class action brought against international insurer for alleged violations of ERISA in connection with investments in the company's stock, which was negatively impacted by the financial crisis in the financial services and insurance industries.
Defended financial services company and its officers and directors in securities class actions and derivative cases related to stock price drops in the wake of government investigations into broker contingent commissions.
Represented life insurance company and its officers and directors in consumer class action related to structured settlements.
Represented broker in action related to broker's placement of transit and marine insurance for chemical company and broker's claims handling of rail car chemical shipment accidents.
Represented international specialty insurance company in bench trial in action concerning reinsurance brokerage, broker misfeasance, adequacy of reinsurance treaties procured and breach of fiduciary duties.
Obtained summary judgment for a D&O excess carrier in a high-profile dispute involving excess coverage for the former directors and officers of a major financial institution.
Successfully defended claims in Bermuda Form arbitration against D&O excess carrier by its insured seeking over $18 million in expenses and attorneys fees related to losses incurred in multiple securities class actions arising from the insured's alleged manipulation of the California energy market.
Successfully led the defense of a major aviation insurance consortium against U.S. antitrust claims alleging boycott in the denial of coverage and failure to renew launch and orbit satellite policies.
Environmental
Represented and advised environmental liability insurers in disputes in state and federal courts, including declaratory judgment actions and disputes with insureds and other carriers regarding coverage and defense of environmental matters.
Defended large industrial companies in class actions alleging environmental pollution.
Defended members of prominent P&I club in environmental class actions stemming from oil spills.
Investigations
Conducted internal investigation of national insurer's regional office claims handling procedures and policies, and state regulatory review.
Represented insurers in multi-state Attorneys General investigations and civil proceedings on contingent commissions and related issues.
Represented insurers in numerous state reinsurance and antitrust investigations.
Marine
Represented insurers of automated underwater vehicle in salvage dispute concerning extent of damage caused by collision.
Represented hull and machinery and increased value underwriters of general cargo vessel which caught fire resulting in a constructive total loss. Filed declaratory judgment action against insured owner and mortgagee, and obtained favorable settlement following two-week bench trial and post-trial submissions.
Represented owners and insurers of custom-built racing yacht in claims against shipyard, classification society and others for defects in design and construction.
Represented owners and insurers of yachts in various claims involving hull and machinery damage, salvage, personal injuries sustained by crew members, passengers and third parties.
Represented reinsurers of a shipyard in dispute concerning claim for defects in construction of vessels, relating to proportion of risk ceded under reinsurance contract.
Represented various hull and machinery, war risk, and kidnap and ransom underwriters in connection with seizures of various vessels by pirates off the coast of Somalia.
Represented insurers of an integrated tug-barge unit in connection with claim for CTL due to damage to barge only.
Represented cargo underwriters and cargo contingent liability underwriters in numerous cargo damage claims.
Represented owners and insurers of container vessels in claims against shipyard for defective repairs.
Represented insurers of cargo vessels in claims against shippers for damage to vessel and cargo caused by improper stowage.
Represented charterers legal liability underwriters in litigation against shippers of project cargo which broke loose during ocean voyage causing damage to vessels and other cargo.
Successfully defended London market reinsurers in Florida proceeding concerning scope and applicability of offset provision in marine excess of loss treaty with solvent European subsidiary of U.S. cedent in liquidation.
Represented London reinsurers regarding the proper application of quota share and facultative reinsurances to extra-contractual losses arising out of the settlement of a multi-million verdict concerning the death of two teenagers who were killed when the underlying insured's boat collided with their jet ski.
Successfully represented London market insurance syndicates seeking to recover damages in excess of $40 million, following the alleged fraud by their insured, a broker of marine cargo based in New York.
Reinsurance
Represented property/casualty insurer (as a member of a reinsurance pool) in a New York state court reinsurance dispute related to $1 billion asbestos settlement.
Represented party to a reinsurance arbitration related to flooding at an industrial facility.
Represented cedant in recovery of claims against reinsurers in Europe and South America in global reinsurance program.
Defended reinsurer against suit brought by ceding insurance company on basis of cedant's faulty underwriting practices.
Represented reinsurer in United States and United Kingdom litigation with reinsurance broker over payment of fees, claims of bad faith and breach of fiduciary duty.
Represented reinsurers in finite reinsurance state and federal inquiries.
Prevailed on two summary judgments in federal court on behalf of reinsurer concerning the scope of a pollution exclusion in a facultative reinsurance contract and underlying allocation under the follow the fortunes doctrine.
Successfully represented reinsurer in an arbitration concerning its denial of a multi-million dollar medical malpractice loss ceded to it in a matter involving late notice and bad faith claims handling.
Represented London reinsurers regarding the proper application of quota share and facultative reinsurances to extra-contractual losses arising out of the settlement of a multi-million verdict concerning the death of two teenagers who were killed when the underlying insured's boat collided with their jet ski.
Advised London reinsurers on whether damages to insured's oil refinery facilities in Nigeria during run-up to national elections were ceded properly as "one event", and whether Political Risk, Terrorism and Financial Guarantee and Credit Exclusions barred coverage.
After three-week long hearing, won multi-million dollar award for cedent in a highly contested reinsurance dispute concerning the denial of a boiler machinery claim.
Prevailed on summary judgment in defense of claims against reinsurer by its cedent seeking losses beyond the terms of multiple workers' compensation excess of loss treaties.
Successfully defended London market reinsurers in Florida proceeding concerning scope and applicability of offset provision in marine excess of loss treaty with solvent European subsidiary of U.S. cedent in liquidation.
Represented major life insurance carrier in a dispute with its reinsurer regarding indemnification for losses incurred as a result of its agent's fraudulent conduct in application and renewal process.
Advised London market reinsurers regarding dispute pending simultaneously in the United Kingdom and Puerto Rico, stemming from damages to a racetrack in Puerto Rico caused by Hurricane Georges.
Successfully arbitrated rescission claim on behalf of Bermudian life reinsurer due to cedent's failure to disclose material facts during treaty negotiations.
Defended London reinsurers in dispute with cedent regarding whether reinsurer was entitled to substantial management fee rebate as a condition precedent to the restructuring and continued reinsurance of specialized workers' compensation program.
Successfully prosecuted multiple claims on behalf of cedent seeking indemnification from various reinsurers related to multi-million dollar settlement of insured's asbestos exposure.
Fine Art, Specie
Represented a university in a dispute with a Latin American government over archeological artifacts.
Advised insurers in connection with a university's claims for coverage for damage to "fine arts".
Represented a collector in disputes with dealers over provenance of artwork and furniture.
Represented a Manhattan gallery owner in a dispute with an investor over joint ventures in various works of art.
Counseled art owner in analysis of claim by foreign citizen to previously nationalized European art.
Represented art dealers in a dispute with the estate of a major artist over ownership and possession of commissioned art works.
Represented a major private art collector in a dispute with a gallery over commissioned art works.
Liability
Represented underwriters of construction wrap liability policy in litigation/mediation of personal injury claim in New York resulting from construction accident.
Represented liability insurers of municipal agency in monitoring claim for brain injury to construction worker, and coordinated successful mediation.
Represented excess liability insurers of U.S. oil major in connection with multiple death claims due to fire.
Represented liability insurers of fuel supplier in connection with claims by vessel owner for total loss of vessel following explosion and fire.
Represented liability underwriters (construction wrap policy) of racing commission in connection with serious personal injury claim by employee of contractor.
Represented liability insurers of European petrochemical company in connection with coverage dispute following explosion at refining facility.
OUTSOURCING AND TECHNOLOGY PRACTICE GROUP
Wiggin and Dana's Outsourcing and Technology Practice Group serves leading suppliers of IT, business process and other outsourced services worldwide. Few outside firms can match our depth of experience or knowledge of market standards – knowledge that helps clients succeed. Our business-savvy technology lawyers understand that legal advice is just one aspect of helping clients to achieve their financial, operational and strategic goals.
We serve clients in the United States, Europe, Asia and Latin America, in a wide variety of markets, including:
Financial services
Health care
Transportation
Telecommunications
Business and technology consulting
Insurance
Pharmaceuticals
Biotechnology and bioinformatics
In collaboration with the Privacy and Information Security Group and our clients' security professionals, we help clients comply with privacy and data security laws, manage and mitigate security risks and, if necessary, respond to incidents in order to minimize potential exposure, protect valuable data, preserve business relationships and protect reputations and goodwill.
Suppliers and Developers
Our principal clients include global outsourcing companies and emerging and mid-cap technology companies, for whom we negotiate and document the full range of offshore and near-shore transactions, from pursuit through post-contract support and renewal or re-negotiation. We understand that effective counsel involves more than advice and drafting, and must complement sales teams' efforts to build enduring, successful relationships with their customers. Our experience includes:
Business Process Outsourcing - finance and accounting, source-to-pay and procurement, call center, collections, mortgage processing, human resources and other business functions.
GROUP CONTACT
MARK W. HEAPHY 203.498.4356 [email protected]
Information Technology Outsourcing - including data center services, cloud solutions, infrastructure management, workplace computing, network management and help desks.
Application Development and Maintenance - including software development, technical support, maintenance, production support and other ongoing IT support services.
Knowledge Process Outsourcing - including research and development, data analytics, business and technical analysis, business and market research, biotechnology informatics, medical services and training and learning solutions.
Business Process Re-Engineering - including strategic assessments, Six Sigma, Lean Sigma and other business process improvement projects.
We deliver real-world advice across the full spectrum of supplier and developer activities, providing suppliers and developers of technology and technology-enabled products and services with comprehensive legal counsel tailored to their business needs and objectives. Our work for emerging and mid-cap companies encompasses comprehensive, scalable and efficient legal representation and counseling tailored to the needs of early-stage and mid-tier technology companies, including:
Deal Support - negotiating the full range of license, services, joint marketing, co-development and strategic alliance transactions.
Best Practices - creating business development and RFP response best practices linked to compliance programs.
Process Integration - integrating contracts forms and processes with revenue recognition policies and financial reporting requirements.
Business Development - structuring agreements and processes for domestic or worldwide direct and channel strategies.
IP Management and Protection - establishing intellectual property protection programs with customers, employees, contractors and partners.
Risk Management - reviewing risk management policies.
Solution Development – supporting client teams in the development of contract documents and terms for "as a service" and other service offerings.
Offshore Strategy - analyzing and implementing off-shore and near-shore business strategies.
Dispute Resolution and Workouts - resolving contractual and business disputes arising from technology-related business relationships.
Customers and Users
From long-term strategic implementations to day-to-day operational requirements, we provide customer-side clients with reliable, flexible and scalable legal services. Whether handling a specific single transaction or managing their entire portfolio of technology procurement and strategic sourcing, we adapt our involvement and billing arrangements to meet our clients' needs. We do our best work by forging long-term client relationships, building trust and rapport with their legal, business and technical teams and developing an in-depth understanding of their regulatory and compliance sensitivities. Our customer-side work includes:
Enterprise Transactions - negotiating and implementing large and mid-sized enterprise platform solutions from RFP through post-implementation.
Sourcing and Procurement - assisting with all aspects of the end-to-end sourcing process, including supplier selection, contract negotiations and relationship management.
Monetizing Technologies - assisting with post-implementation commercialization of technologies and supplier relationships.
M&A, Divestiture and Investment - analyzing intellectual property rights and related issues arising from corporate mergers, acquisitions and investments.
E-Business Ventures and Operations - helping create and execute go-to-market Internet and other electronic business strategies.
IT Governance and Regulatory Compliance - advising on compliance with legal and regulatory requirements related to privacy, data security, intellectual property, consumer protection and export controls.