2017 CYBER AND PRIVACY FORUM 2018 and Beyond: The Evolving Cybersecurity and Privacy Landscape SEPTEMBER 14, 2017 Omni New Haven Hotel at Yale 155 Temple Street, New Haven, Connecticut www.wiggin.com

2017 CYBER AND PRIVACY FORUM - Wiggin and Dana LLP · Mergers and Acquisitions Education Health Care Health Care Compliance Health Information Technology HIPAA Insurance Outsourcing


2017 CYBER AND PRIVACY FORUM

2018 and Beyond: The Evolving Cybersecurity and Privacy Landscape

SEPTEMBER 14, 2017

Omni New Haven Hotel at Yale

155 Temple Street, New Haven, Connecticut

www.wiggin.com


Table of Contents

A. Agenda

B. Publications and Resources

• Uber-FTC Settlement Highlights the FTC’s Focus on Aligning Security Promises with Security Practices
• Although Delayed, New York’s Aggressive Cybersecurity Law Expected to Affect Financial Services and Insurance Firms
• CNN Interview with David Hall – Report on Crack99, a book by Wiggin and Dana Partner, David Hall
• Wiggin and Dana Webinar – Information Security and Third Party Service Providers: What You Don’t Know Can Hurt You
• Cybersecurity Preparedness Checklist
• General Data Privacy and Cybersecurity Diligence Request
• Cybersecurity Due Diligence Questionnaire
• “Cybersecurity and Privacy in Business Transactions: Managing Data Risk in Deals,” BNA Privacy & Data Security Practice Portfolio Services, Portfolio No. 540 (available online at https://www.bna.com/privacy-data-security/)

C. PowerPoint Presentations

• Recent U.S. Privacy Law Developments and Key Takeaways
• Hybrid Cloud Security for Financial Services
• Addressing Cyber Risks in Vendor Contracts
• Cybersecurity Risk in Mergers and Acquisitions

D. Speaker Biographies

E. Wiggin and Dana

Cybersecurity and Privacy · EU GDPR Services · Incident Response Services · Corporate · Emerging Companies · Mergers and Acquisitions · Education · Health Care · Health Care Compliance · Health Information Technology · HIPAA · Insurance · Outsourcing and Technology

2017 CYBER AND PRIVACY FORUM

SEPTEMBER 14, 2017 I OMNI NEW HAVEN HOTEL AT YALE 8:00 a.m. - 2:30 p.m.

www.wiggin.com


2018 AND BEYOND: THE EVOLVING CYBERSECURITY AND PRIVACY LANDSCAPE

8:00 - 8:30 Registration and Breakfast

8:30 - 8:50 Cyber Threat, Threat Actors and Best Practices for Mitigating the Risk Keynote Speaker: Mr. John Boles, Director at Navigant

8:50 - 9:40 General Session Panel #1 – The Current Threat Environment, Response Strategies, and Mitigation

Wiggin and Dana Moderator: Michael Menapace

Panelists: John Boles, Navigant; Jessica Block, Ankura Consulting Group; David Hall, Wiggin and Dana

9:40 - 9:55 Break and Networking

10:00 - 10:50 General Session Panel #2 – Recent U.S. Privacy Law Developments and Key Takeaways

Panelists: Michael Kasdan, Wiggin and Dana; John Kennedy, Wiggin and Dana

10:50 - 11:40 General Session Panel #3 – Globalization & GDPR

Wiggin and Dana Moderator: Michelle DeBarge

Panelists: Nicole Wolters Ruckert, Kennedy Van der Laan; Denise Tessier, IBM; Volker Wodianka, SKW Schwarz

11:40 - 12:00 Networking

Breakout Sessions: *Optional Programs*

12:00 - 12:30 Lunch (must be registered separately for lunch and afternoon breakout sessions)

12:30 - 2:30 GDPR Intensive

Wiggin and Dana Moderator/Presenter: Michelle DeBarge

Panelists: Nicole Wolters Ruckert, Kennedy Van der Laan; Denise Tessier, IBM; Volker Wodianka, SKW Schwarz

12:30 - 1:45 Addressing Cyber and Privacy Risks in Deals: M&A, Cloud, BPO Services and Smaller Deals

Wiggin and Dana Moderator/Presenter: John Kennedy

Panelists: Evan Kipperman, Wiggin and Dana; Michael Menapace, Wiggin and Dana; Kishore Ramchandani, IBM


Uber-FTC Settlement Highlights the FTC’s Focus on Aligning Security Promises with Security Practices

The Federal Trade Commission (“FTC”) announced this week its settlement with Uber Technologies, Inc. (“Uber”) related to certain alleged deceptive data security practices at Uber. The settlement continues the FTC’s now years-long focus on alleged deceptive and unfair data security practices.

The FTC’s essential allegations in its complaint were that Uber had engaged in deceptive data security and privacy practices, “[f]irst by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.”1 As part of the settlement (or “Consent Agreement”), Uber is required to implement (a) a comprehensive privacy program, and (b) for the next twenty years, be subject to biennial third party privacy audits and maintain records and file reports confirming compliance with the Consent Agreement. The Consent Agreement includes Uber’s statement that it neither admits nor denies any of the FTC’s allegations in the complaint.

What Attracted FTC Scrutiny

Uber’s security systems were compromised in May 2014, resulting in unauthorized access of over 100,000 drivers’ license information, including names and social security numbers. The breach was discovered in September 2014. At the time, Uber had publicized its privacy policy (via its website and dissemination to the press) as follows:

“Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors…The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.” 2

The FTC’s complaint alleged that, in contrast to these security promises, Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts since November 2014.” Indeed, the FTC alleged that Uber’s automated system for monitoring employee access to consumer personal information in December 2014 “was not designed or staffed to effectively handle ongoing review of access to data by Respondent’s thousands of employees and contingent workers.” And although Uber implemented a new automated monitoring system in August 2015, the FTC alleged that Uber still failed to monitor its employees comprehensively for potential misuse of consumer personal information, except for specific employee-generated reports about inappropriate access to co-workers.

“Personal Information” means individually identifiable information collected or received, directly or indirectly, by Respondent from or about an individual consumer, including: (a) a first and last name; (b) a physical address; (c) an email address; (d) a telephone number; (e) a Social Security number; (f) a driver’s license or other government-issued identification number; (g) a financial institution account number; (h) persistent identifiers associated with a particular consumer or device; or (i) precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information.

1 https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data

2 See FTC’s Complaint, In the Matter of Uber Technologies, Inc., paragraph 11, copy available at https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf

If you have any questions about this Advisory, please contact:

JOHN KENNEDY [email protected]

AARTHI S. [email protected]

© 2017 Wiggin and Dana llp In certain jurisdictions this may constitute attorney advertising.

AUGUST 2017 I ADVISORY

CONNECTICUT I NEW YORK I PHILADELPHIA I WASHINGTON, DC I PALM BEACH

Based on these allegations, the FTC’s complaint charged that Uber’s security policy was deceptive.

Key Terms of the Consent Agreement

1. Comprehensive Privacy Program

Under the Consent Agreement, Uber is required to establish and maintain a comprehensive privacy policy that: (1) addresses “privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of Personal Information.”3 The Consent Agreement includes all of the FTC’s standard injunctive measures for settlements of this kind, including:

• the designation of an employee or employees responsible for the privacy program;
• the identification of reasonably foreseeable risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of Personal Information and an assessment of the sufficiency of any safeguards in place to control these risks;
• the design and implementation of reasonable controls and procedures to address such risks and regular testing or monitoring of the effectiveness of those controls and procedures;
• selecting and retaining service providers capable of protecting the privacy of Personal Information and requiring service providers, by contract, to implement and maintain privacy protections; and
• evaluation and adjustment of the privacy program in light of the results of the testing and monitoring efforts and any changes to operations that may have an impact on the effectiveness of the privacy program.

2. Third Party Audits for 20 years

Uber is also required to obtain initial and biennial assessments (“Assessments”) to be completed by a “qualified, objective, independent third-party professional” approved by the FTC. After an initial report covering the first 6 months after the order, biennial reports are required for the next 20 years.

The inclusion of mandated security programs subject to a 20-year audit requirement is a standard FTC measure and has been included in most of its settlements in recent years.


Takeaways from the Uber Consent Agreement

The FTC’s settlement with Uber underscores the significance that the FTC attaches to misalignments between the security and privacy commitments made by businesses in their public disclosures in website and app privacy policies, on the one hand, and the implementation of those commitments in practice, on the other. And, as the allegations in the FTC’s Uber complaint indicate, the FTC will closely scrutinize the degree to which companies abide by their privacy and security promises to consumers.

For example, the FTC investigation in this case delved not only into Uber’s access control security measures with a third party (Amazon’s S3 DataStore) for stored user and driver data, but also examined the company’s various privacy and data security claims and statements over a two-year period. The FTC noted4 that, during this period, communications from Uber’s customer service representatives included claims such as:

“Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”

“I understand that you do not feel comfortable sending your personal information via online. However, we’re extra vigilant in protecting all private and personal information.”

“All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”

Statements of this kind are frequently included in generic statements put out by companies in responding to customer concerns. The FTC is now closely looking at such statements and does not confine its review of privacy claims merely to formal company disclosures such as published privacy policies.

In light of the Uber Consent Agreement and other similar FTC actions in recent years, businesses are well-advised (1) to conduct periodic reviews of how well their public privacy and security claims fit within the context of their actual privacy and security processes and third party relationships (including as these evolve over time), and (2) to be aware that the FTC’s review of such claims will reach beyond the four corners of even carefully crafted privacy policies.


This publication is a summary of legal principles. Nothing in this article constitutes legal advice, which can only be obtained as a result of a personal consultation with an attorney. The information published here is believed accurate at the time of publication, but is subject to change and does not purport to be a complete statement of all relevant issues.


4 FTC Complaint, paragraph 17, available at https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf.

Advisory

JANUARY 2017

Although Delayed, New York’s Aggressive Cybersecurity Law Expected to Affect Financial Services and Insurance Firms


If you have any questions about this Advisory, please contact:

CYBERSECURITY AND PRIVACY PRACTICE GROUP

MICHELLE [email protected]

JOHN [email protected]

TIMOTHY [email protected]

INSURANCE PRACTICE GROUP

JOSEPH [email protected]

MICHAEL [email protected]

The regulatory environment for cybersecurity is rapidly changing, and state legislatures are not waiting for Congress to act. On December 28, 2016, the New York State Department of Financial Services (“NYDFS”) revised a proposed rule that imposes new cybersecurity requirements on individuals and entities operating under the New York banking law, insurance law, or financial services law (“covered entities”). Don’t stop reading if your company is not a covered entity, because the regulation also burdens third party providers with downstream requirements. Importantly, the rule covers nonpublic information, which is broader than you think. It includes personal information, health data, and sensitive business information. Although the proposed rule was expected to be implemented on January 1, 2017, it has been delayed two months and is currently in a final 30-day comment period. The final rule (which may be different than the revised proposed rule) will now become effective on March 1, 2017. Entities have 180 days after the effective date to comply. Depending on how NYDFS addresses comments from the public, the final rule is poised to become one of the most detailed and aggressive cyber laws in the country.

Broadly speaking, the rule requires covered entities to establish comprehensive data security programs, draft written policies, hire adequate personnel, and report any incidents within 72 hours. Additional requirements include maintaining detailed records and preserving data logs. The detailed nature of the requirements draws immediate similarities to the NIST Security Framework, which is increasingly becoming the industry standard for data security programs. But, as discussed below, some elements of the rule are new and go far beyond what is required of financial institutions under existing law. Many institutions may already be addressing these requirements, but it is important for covered entities to review the law in detail to ensure that they are in compliance. It would be a mistake, for example, for a covered entity to assume that because it has Gramm-Leach-Bliley-based data security measures in place, the NYDFS rule can be ignored.

IMPORTANT ELEMENTS OF THE PROPOSED NY RULE

1. Cybersecurity Program

the proposed rule requires covered entities to establish a “cybersecurity program” that preserves the confidentiality of their information and assesses risk. At a minimum, the program needs to identify internal and external cyber risks, protect an entity’s nonpublic information and information systems, detect and respond to cybersecurity events, and fulfill reporting requirements. Additionally, the program needs to include (1) annual penetration testing, (2) audit trail systems, (3) limits on user access and data retention, (4) personnel training, and (5) multifactor authentication.

2. Cybersecurity Policy

A key component of the cybersecurity program is a written cybersecurity policy that lays out all of the company’s data-related procedures. Be aware, the policy must go beyond a simple recitation of physical and technical safeguards that the company has implemented. Among other things, the policy must address risk assessment, data governance, data classification, vendor provider management, and incident response. After a policy is formulated, a senior officer or the company’s board of directors needs to approve the policy.

3. Designation of a Chief Information Security Officer

Recognizing the importance of top-down leadership, NYDFS also included a provision in the rule requiring covered entities to designate a Chief Information Security Officer (CISO). A CISO is tasked with “overseeing and implementing the . . . cybersecurity program and enforcing [the] cybersecurity policy.” The regulation permits a company to outsource the role to a third party, subject to certain conditions.

4. Third-Party Service Provider Requirements

Similar to other state and federal laws and regulations, the rule also addresses cyber risks in a company’s supply chain. Covered entities must implement policies and procedures to ensure that third-party service providers are adequately protecting nonpublic information. These policies need to include:

• A risk assessment of third parties;

• Minimum cybersecurity practices required to be met by third parties;

• Due diligence to evaluate the adequacy of third-party cybersecurity practices; and

• Periodic assessments of the adequacy of third-party practices.

Furthermore, covered entities need to include provisions in third-party contracts that address, if applicable, (1) multifactor authentication, (2) encryption technologies, (3) notification requirements following a breach, and (4) additional representations and warranties covering cybersecurity.

5. Incident Reports

Perhaps the most onerous (and controversial) requirement: covered entities must report to the Superintendent of Financial Services within 72 hours after discovering an incident. An incident refers to any event that is required to be reported under existing law or “that has a reasonable likelihood of materially harming any material part of the normal operation of the Covered Entity.” This requirement suggests that the entity must report information without having a complete understanding of what happened, what data was disclosed, and whether the breach was contained.

HOW DOES THE PROPOSED RULE DIFFER FROM EXISTING LAWS?

As it stands now, New York’s proposed rule is a significant departure from existing federal law. By way of background, there are several regulations that currently affect financial institutions. Regulation S-P of the Securities and Exchange Commission, which implements the Security Rule of the Gramm-Leach-Bliley Act (GLBA), requires registered advisors, broker-dealers, private funds, and other financial institutions to develop adequate physical, administrative, and technical safeguards to protect customer information. Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires public companies to assess their “internal controls,” including IT controls, that protect their financial reporting and accounting. Also, the Financial Industry Regulatory Authority mandates that its members establish supervisory controls to ensure they are complying with applicable laws, including Regulation S-P. Lastly, New York has another data-related law; most New York companies must securely destroy records containing a customer’s personal information when the records are no longer needed.

The proposed rule goes much further than these existing regulations. First, the scope of the covered data is much broader. As discussed above, the rule covers “nonpublic information,” which includes certain nonpublic personal information, health information, and business information, whereas Regulation S-P and New York’s data destruction law only cover a customer’s personal information. Second, the proposed rule imposes a more detailed cybersecurity program. Conversely, Regulation S-P allows entities to design their own programs as long as they ensure the confidentiality of consumer records and protect against threats and unauthorized access. Moreover, other major elements of the rule, including the designation of a CISO, are completely new.

WHAT SHOULD COVERED ENTITIES DO?

Assuming the NYDFS proposed rule becomes final without meaningful changes, covered entities should take proactive steps now to ensure compliance.

• Determine if your company is covered under the rule.

• Compare the rule’s requirements against those under existing laws to discern what additional steps your company must take to comply.

• Tailor your existing cybersecurity policy and program to align with the particular specifications of the rule.

• If you don’t already have one, designate someone to act as CISO. That person will be instrumental in managing a cybersecurity policy and program, and should be involved in the planning process.

• Review your service vendor and provider arrangements, determine which third parties will be covered, and determine how to cover them contractually and operationally. Some contracts may need to be amended to address compliance with the rule.

• Also, as noted above, because the NIST Framework is increasingly being used as an industry benchmark, consider adding any additional features to meet the Framework’s requirements.

• Confirm that your insurance coverage adequately covers cyber threats and data breaches.

For more information on New York’s proposed rule, please contact Michelle DeBarge, John Kennedy, or Timothy Wright.

SEPTEMBER 2017

Firm News

CNN Reports on Crack 99, a Book by Wiggin and Dana Partner David Hall

Wiggin and Dana partner David L. Hall was featured on the CNN program “Declassified” on Saturday, September 2 at 9 p.m. The episode focused on the CRACK99 Chinese cyber piracy investigation and prosecution led by Hall as a federal prosecutor.

David L. Hall is a partner in the Litigation Department, including the International Trade Compliance, the White Collar Defense, Government Investigations, and Corporate Compliance, the Cybersecurity and Privacy, the Unmanned Aerial Systems, and the Art Law and Museum practice groups. Before joining Wiggin and Dana, he served as a federal prosecutor for 23 years. His book, CRACK99: The Takedown of a $100 Million Chinese Software Pirate (Norton), tells the gripping tale of the largest software piracy case ever prosecuted by the U.S. Department of Justice.

To read the CNN online article, please click on this link: http://www.cnn.com/2017/08/31/us/cyber-pirate-sting-operation-crack99-author-david-hall-declassified/index.html

Contact:

DAVID L. HALL [email protected]


WEBINAR

Information Security and Third-Party Service Providers: What You Don’t Know Can Hurt You

Whether you are a company contracting with a third party or the third-party service provider, understanding the privacy and information security regulatory and risk management implications associated with your contractual arrangements is critical. What you do not know prior to entering into and during the service arrangement can mean a world of hurt down the road. And to avoid additional pitfalls, proper planning in advance for when the arrangement ends must be considered thoughtfully as well. In this presentation, Wiggin and Dana Partners John Kennedy, Michelle DeBarge and Michael Menapace will identify the regulatory requirements and risks from both sides of the arrangement, discuss practical considerations for managing the various and increasingly granular legal requirements, and tips for prioritizing efforts where budgetary or time constraints impose operational challenges. Industry-specific requirements will be highlighted such as HIPAA requirements and privacy and information security requirements for companies in the financial sector. Special considerations will be addressed in regard to small service providers.

We invite you to log in and view this webinar recently hosted by the Cybersecurity Group. If you would like to receive a link to the webinar or want more information, please email Elizabeth Keane at [email protected]


Cybersecurity Preparedness Checklist

Data breaches come in many forms. With hackers and their attack strategies constantly changing, organizations must be cybersecurity-prepared and constantly vigilant against all forms of cyber breaches and attacks. Also, in most data breach incidents, the time between initial attack and data exfiltration is just minutes. The time from initial compromise to discovery, however, could be several months, and the time from a data breach discovery to its containment could be days, weeks or months. Just as the United States government has recognized that cybersecurity threats place the Nation’s security, economy, and public safety at risk, so too should private businesses confront and address cybersecurity risks. It is important to recognize how cybersecurity hazards may threaten an organization’s valuable data assets, compromise workforce and customer privacy, and harm an organization’s bottom line by driving up costs, driving down revenue, and diminishing the organization’s ability to gain and maintain customers.

Cybersecurity is not a fixed state but an ongoing process. Even if an organization has previously addressed cyber-preparedness in a written plan, the organization should conduct a periodic review of the plan’s effectiveness and make changes where necessary in light of changing risk.

Effective cybersecurity preparedness requires a thoughtful and coordinated top to bottom risk management approach involving the organization’s governing authority, high-level executives, and legal counsel, as well as information technology, human resources and public relations personnel.

This checklist addresses the key components that should be considered in developing effective cybersecurity risk mitigation strategies and procedures.

MAP AND CLASSIFY THE SENSITIVITY, PROPRIETARY VALUE AND CRITICALITY OF YOUR DATA

• Identify types and amounts of data collected, stored, accessed, and transferred

• Classify information into categories, for example:

  - Personally identifiable / non-personally identifiable
  - Sensitive / non-sensitive
  - Information subject to specific statutory/regulatory requirements
  - Medical information
  - Financial information
  - Proprietary information
  - Information collected from minors

• Prioritize data by criticality, sensitivity and value to the organization

MAP YOUR DATA FLOWS, SYSTEMS AND SECURITY CONTROLS

• Document how information is being created, received, used, managed, disclosed, and destroyed/disposed of by your organization

  - Examples of questions that should be answered when mapping data flows:

    - What information is moving and being accessed intra-departmentally or intra-personally within your organization?

    - What information is moving from your organization to third parties?

    - What information is your organization receiving from third parties?

    - What relevant information is moving across state/national boundaries?

  - The answers to these questions will determine the level of privacy and security-related exposure, and should inform organizational privacy and security strategy

• Identify and document systems containing data identified as “priority” and the organization’s existing administrative, technical and physical security controls for that data


PERFORM RISK ASSESSMENTS AGAINST APPLICABLE LEGAL REQUIREMENTS AND INDUSTRY STANDARDS AND GUIDELINES

n Conduct risk assessments to identify risks and vulnerabilities to data and data-processing systems

• Initialandthenperiodic,basedonoperationalchangesand

new threats to the security, integrity and availability of priority data. Operational changes may include mergers, acquisitions, system upgrades, mobile device deployment, new online marketing campaigns, etc.

• Ongoing assessments should also address evolving legal requirements and industry security standards applicable to the organization

ADDRESS SECURITY GAPS AND DEVELOP WRITTEN INFORMATION SECURITY PROGRAM

n Identify gaps in technical, administrative and physical safeguards that do not meet legal requirements, appropriate industry standards or risk management priorities based on the sensitivity and criticality of the data. Assess requirements domestically and abroad, in all relevant jurisdictions.

n Identify weaknesses in security practices, for example:

• Not developing security policies or failing to implement policies

• Not designating specific workforce members to maintain and implement the program

• Permitting haphazard collection/sharing of data inconsistent with policy requirements

• Not updating policies and practices as the business’s information practices and laws change

• Not updating policies and practices to address changes in the type and extent of data collected

• Not knowing what data is stored by the company and its location(s)

• Retention of data longer than necessary to carry out the original business purpose

• Improper disposal of data that is no longer needed

n Implement additional safeguards and modify practices to address gaps

n Draft or revise written information security program

• Review requirements of applicable laws and regulations as well as industry requirements or standards

• Ensure the program is enterprise-wide (not just confined to the company’s IT group)

• Establish policies that detail information security requirements, including appropriate administrative, physical and technical safeguards

n Consider researching, analyzing, and purchasing a cybersecurity liability insurance coverage policy, which can help mitigate losses from a variety of cyber incidents (including data breaches, network damage, and business interruption)

ENSURE EFFECTIVE GOVERNANCE INFRASTRUCTURE FOR CYBERSECURITY, INCLUDING EXECUTIVE MANAGEMENT AND BOARD OVERSIGHT

n Appoint a Security Officer who is accountable for the implementation and oversight of the information security program

• Address the charter and functions of the position and the interaction between the privacy compliance function, the Board and oversight committees/teams

• Ensure there is an appropriate job description that holds the Security Officer accountable for the security program

n Include information security as a priority within the organization’s overall corporate compliance program


n Designate an internal security/data governance committee

• team tasked with reviewing security governance practices

• require security audits and reports to be a team effort involving representatives from each relevant business division, IT, human resources, legal and senior management

n Ensure Board involvement in the oversight of information security practices. Consider designating a Board member who is sufficiently technically educated to lead Board discussions and questions on information security

ADOPT AND TEST INCIDENT RESPONSE PLANS

n Data incident response plans

• Have a clearly defined and readily available data incident response plan in place that outlines:

- Team representatives from operational groups within your organization, including IT, human resources, legal, and public relations departments

- Up-to-date 24/7 contact information for all members of the team

- Standard conference line and notification procedure timeline

- Hierarchy for decision-making and external communications regarding an incident

- External forensics technical contacts

- Dos and don’ts for evidence preservation and general incident team e-mails

- Required documentation addressing Who, What, Where, Why, and How

n Perform mock incident response events to ensure readiness

MANAGE VENDOR RISKS: VENDOR CONTRACTING AND SECURITY DUE DILIGENCE PROCESSES

n Assess the organization’s relationships, including business partners, strategic partners, co-branded sites, third party vendors and other external service providers (including cloud services) that might involve the use, disclosure, creation, transmission or maintenance of priority data on the organization’s behalf

n Document the names of relevant vendors and partners, and clearly articulate the details of those relationships as they affect data flows

n For each identified vendor or partner, determine level of security due diligence that should be implemented based on the nature of the relationship and risks and vulnerabilities to your data and systems

n Ensure that contractual provisions are in place to address, as appropriate, network security, application security, data security, data destruction, security breach notification, vendor data use, subcontractor data security requirements

n Consider whether ongoing monitoring and inspection rights are appropriate to enforce security measures; include a right to conduct compliance audits

n Implement security due diligence, contractual and operational requirements for new vendor and partner relationships

ADOPT “SECURITY BY DESIGN”

n The best defense is a good offense - prepare to embed security into the design of your organization’s technology, including new products, systems, and operations

n Consider security as a fundamental, foundational component of all of the organization’s functions, services, and products, as opposed to a concern that is addressed only on the back-end, as an add-on, or worse, not at all


TRAIN YOUR WORKFORCE

n Ensure workforce members are trained upon hire and ongoing regarding general security awareness and corporate security policies

n Confirm employees are aware of and comply with the organization’s security policies

n Ensure workforce members have the necessary tools to help the organization identify, prevent and address security issues, including:

• Access controls and permissions to limit access on a need-to-know basis

• Policies that are up-to-date, clear and comprehensible to all employees

• Policies that address the issue of employees bringing their own devices, remote access, and social media

KEEP ABREAST OF CURRENT ENFORCEMENT PRIORITIES AND ABSORB LESSONS FROM RECENT ENFORCEMENT ACTIONS

n Federal Trade Commission, Enforcement, http://www.ftc.gov/enforcement

n Homeland Security, Office of Cybersecurity and Communications, http://www.dhs.gov/office-cybersecurity-and-communications

n United States Department of Justice, Cyber Crime, http://www.justice.gov/usao/briefing_room/cc/

n United States Department of Health and Human Services Office for Civil Rights (HHS-OCR), Enforcement, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html

n Federal Communication Commission, Enforcement Bureau, http://transition.fcc.gov/eb/

KEEP INFORMED ABOUT CYBER RISKS; BECOME INVOLVED IN OUTSIDE SECURITY COMMUNITY (INFORMATION SHARING NETWORKS)

n United States Computer Readiness Team, Information Sharing Specifications for Cybersecurity, http://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity [links to free, community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis]

n DDOS Attack Protection, Top 100+ Cyber Security Blogs, http://ddosattackprotection.org/blog/cyber-security-blogs/

n SANS Top 20 Critical Security Controls, http://www.sans.org/critical-security-controls

n United States Department of Health and Human Services Office of the National Coordinator for Health Information Technology (HHS-ONC), Health Information Privacy, Security, and Your EHR, http://www.healthit.gov/providers-professionals/ehr-privacy-security

n NIST’s Cybersecurity Framework, http://www.nist.gov/cyberframework


Group Contacts

JOHN KENNEDY [email protected]

MICHELLE DEBARGE [email protected]

DAVID HALL [email protected]

© 2017 Wiggin and Dana llp


General Data Privacy and Cybersecurity Diligence Request

Please provide the following materials and information:

1. A copy of all company written policies and disclosures related to protecting the information privacy of employees, customers, consumers and other individuals, including:

all policies governing information privacy in the company, including rights and expectations of employees and other persons working with the company (e.g., independent contractors, temporary employees); and

all disclosures to customers, consumers and third parties of the company’s privacy practices.

2. A copy of each policy relating to information security within the company, i.e., policies that address protection of the confidentiality, integrity and availability of the company’s data (including personal data) and protection of all administrative, physical and electronic systems and facilities used in connection with the collection, use, storage, transfer, retention and disposal of the company’s information, including personal data.

3. A copy of any policy addressing the company’s preparation for or response to cybersecurity incidents, including data breaches.

4. A list of any standards or frameworks (e.g., ISO, COBIT, HIPAA Privacy and Security Rules, the GLBA Privacy and Security Rules, the NIST Cybersecurity Framework, PCI DSS) that are adopted or implemented in the company’s information security program.

5. Identify by name and title the persons in the company who have primary responsibility for the oversight and implementation of its information privacy and information security programs.

6. A copy of any privacy and/or security compliance risk assessments and compliance audits conducted in the last [X] years, including (i) audit results of internal information and systems controls, (ii) compliance certifications issued by third parties (e.g., TrustE), (iii) privacy impact assessments, (iv) penetration tests, social engineering tests or other cybersecurity-related testing. Where any assessments or audit findings have included exceptions or deficiencies, include a description of how these were corrected.

7. A copy of any privacy and cybersecurity awareness training materials that have been used with company personnel, including senior management and the board of directors, in the last [X] years and indicate when and how often such training is conducted.


8. Describe any cybersecurity incidents, including actual or suspected data breaches, in the last [X] years that involved actual or suspected unauthorized access to or use of (i) company information (including personal data of company employees, customers or other individuals) and (ii) company information systems or computing and network devices (including systems and devices managed by any third party on the company’s behalf) or proprietary company systems or data, and describe the resolution of such incidents.

9. A copy of any legally-required notices to consumers or government authorities in connection with any prior cybersecurity incident or data breach involving company information or systems (including information and systems managed by any third party on the company’s behalf).

10. List the company’s current registrations with any data protection authorities or similar privacy-related registrations with government authorities (e.g., the U.S.-EU and/or Swiss Privacy Shield, any EU data protection authority).

11. A copy of any required disclosures to or filings with regulatory authorities made in the last two [X] years with regard to the company’s information security risks, information security practices and/or privacy practices (e.g., cybersecurity disclosures made in filings with the Securities and Exchange Commission, filings with primary federal or state regulators, filings with data protection authorities outside the U.S., required filings to any enforcement agency such as the FTC, state attorneys general offices, primary financial regulators, the Department of Health and Human Services, state public utilities commissions, etc.)

12. Identify and describe for the last [X] year period any litigation, claims, investigations, demands, court or administrative orders, notices of inquiry, settlements, consent decrees or other proceedings, actual, pending or threatened, which relate to or arise out of the company’s privacy and cybersecurity policies or practices.

13. To the extent not described in materials requested above, provide a copy of any company policy addressing the management of third party privacy and cybersecurity risks with the company’s suppliers, vendors, business partners and third party service providers.

14. Describe all insurance coverage (including primary and excess layers) for first and third party losses related to or arising from privacy and cybersecurity incidents (including losses arising from data breaches) and other loss, theft, corruption or unavailability of data.


SAMPLE POLICY STATEMENT FOR REQUIRING VENDORS TO COMPLETE PRIVACY AND CYBERSECURITY DUE DILIGENCE QUESTIONNAIRE

[Company] Procurement Guidelines for Vendors Providing Products or Services Affecting [Company] Data and/or Information Systems

Whenever [Company] bids for or engages vendors whose products or services involve access to or use of (i) [Company] data (including sensitive company data and personally-identifying data of [Company] employees, customers or other natural persons) and/or (ii) [Company]’s computers, networks, mobile devices and other information systems (whether owned, leased or outsourced), vendors shall be required to:

1. Complete the standard [Company] Vendor Data Privacy and Cybersecurity Questionnaire as part of any RFP or other due diligence process; and

2. Accept [Company]’s standard Vendor Data Privacy and Cybersecurity Contract Terms included in [Company]’s RFP package.

When These Guidelines Apply to Procurement by [Company]

The types of Vendor products or services that are subject to the foregoing Guidelines include contracts where product functions or vendor services involve one or more of the following types of activity:

software products or services (including cloud-based services) that will store or process sensitive [Company] data or personal data of individuals;

procurement or disposal of computer hardware used to store or process [Company] data or manage [Company] information systems;

ISP, network management, network security or telecommunications services;

data storage or warehousing (including for purposes of disaster recovery and business continuity);

data brokerage services, data compilation or aggregation services;

outsourced processing of customer or employee data (e.g., customer transaction records, financial records, HR records, recruiting services);

payment services, including credit and debit card and mobile payments processing services;

data analytics and data mining services;

data verification, data cleansing, data conversion, data enrichment, data disposal or data migration services;


background or credit check services or other services for investigation of individuals, such as potential employee hires;

advertising, profiling and marketing services involving personal data (e.g., through e-mail, telephone, social media or text campaigns);

designing or operating a website, mobile app or social media presence for the company;

hosting the company’s public website, intranet or extranet;

cross-border data transfers in transactions such as outsourcing, consulting and cloud computing;

developing, upgrading, consolidating or replacing computer systems and/or software (including IT outsourcing and systems integration work);

any consulting services or employment agreement involving access to personal data of employees, clients or customers of the company;

purchasing, servicing, recycling or otherwise accessing company equipment containing stored electronic data (including IT desktop and laptop support services, hardware maintenance, data sanitizing services);

managing company mailing and e-mailing lists for customers, clients or employees;

purchase, sale or other transfer of company data in an acquisition, merger or reorganization;

any vendor services that include access to the [Company] network or include other [Company] systems use privileges for vendors, including physical access to facilities that house [Company] information systems containing sensitive [Company] data and/or personal data;

use of subcontractors in connection with any of the foregoing.


General Session Panel #2

Recent U.S. Privacy Law Developments and Key Takeaways

Panelists: John Kennedy & Michael Kasdan

Connecticut Privacy and Cybersecurity Forum

September 14, 2017


AGENDA - ROADMAP

Agenda/Discussion Roadmap

1. Selected Recent Cases in Privacy and Takeaways

2. Location Tracking for Apps: Best Practices for Tech Companies

3. Data Collection in the Era of the IoT and Intelligent Products: Best Practices for Mitigating Privacy and Security Risk

4. Privacy and Security Risks in the Growing Use of Big Data Analytics: Emerging Best Practices


SELECTED RECENT PRIVACY CASES

1. Selected Recent Cases and Enforcement in Privacy: Takeaways

Round-up of Recent Cases

• Standard Innovation (‘smart’ vibrators) case on data collection

• Facebook and Google cases on biometric privacy

• Update on FTC/Lab MD case on data security

FTC Privacy Enforcement Activity and Directions under the New Commission


SELECTED RECENT PRIVACY CASES

Standard Innovation: Data Collection

Standard Innovation, maker of ‘smart’ vibrators, settled a class action lawsuit earlier this year for $3.75M.

Suit alleged “Standard Innovation collected individual-level usage information – often tied to users’ personally identifiable addresses,” they said, adding that the firm “breached its customers’ trust, devalued their purchases” and “violated federal and state law in the process.”

Takeaways: Clear notice, security, disclosure/choice re: data shared by customers

We-Vibe: ‘Smart’ vibrator product allows users to remotely “turn on your lover” via Bluetooth connection using We-Connect mobile app.


SELECTED RECENT PRIVACY CASES

Facebook and Google Cases: Biometric Data Collection

Licata et al. v. Facebook

• A number of Facebook users (now consolidated into a class) sued the social media giant in 2016 claiming it violated the Illinois Biometric Information Privacy Act of 2008 by collecting and retaining information about the geometry of users’ faces from their uploaded photographs without written notice or informed consent.

• The BIPA says no private entity can gather and keep an individual’s “biometric identifiers” without prior notification and written permission from that person.


SELECTED RECENT PRIVACY CASES

Facebook and Google Cases: Biometric Data Collection

Rivera et al. v. Google

• Similarly, a number of Google users sued in 2016 claiming Google violated the Illinois Biometric Information Privacy Act of 2008 by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent.

Takeaways

• Both the Facebook and Google cases have survived motions to dismiss.

• They are part of a recent wave of suits employing BIPA claims against social media and photo-sharing companies.

• Social media companies have sought to push back against the law, pushing an amendment that would specifically exempt physical and digital photographs and biometric information derived from them from BIPA.


SELECTED RECENT PRIVACY CASES

Update on FTC/Lab MD Litigation: Limits on the FTC’s Data Security Enforcement Authority?

A grueling, epic litigation saga since 2013

• The FTC’s history of data security complaints under the “unfairness” prong of Section 5 of the FTC Act

• Lab MD’s basic challenge to enforcement authority

• Where the case stands today

Recent arguments before the 11th Circuit in June 2017

• The court: FTC approach to Section 5 harms: “as nebulous as you can get”

Implications of an FTC loss at the 11th Circuit


FTC ENFORCEMENT ACTIVITY AND GUIDANCE

FTC Privacy Enforcement Activity and Directions under the New Commission

Commissioner Ohlhausen’s Agenda for Privacy and Data Security Enforcement

• Section 5 unfairness focus on consumer harm and Commission “transparency”

Recent FTC Privacy and Security Actions and Takeaways

• Uber (data security/cloud/employee access)

• Lenovo (OEM-installed adware compromising security)

• Taxslayer (alleged Safeguards Rule violations in tax prep service)

• Blue Global (failure to secure sensitive consumer information in deceptive loan application scheme)

• Credit Acceptance Corporation (investigation re: use of GPS Data)


LOCATION TRACKING FOR APPS: BEST PRACTICES

2. Location Tracking for Apps: Best Practices for Tech Companies

What is the Issue?

FTC and Industry Guidance

Best Practices for Companies


LOCATION TRACKING FOR APPS: BEST PRACTICES

What Is The Issue?

Collecting and tracking geo-location data is increasingly a feature of mobile devices and apps

• Examples: Apple/Google, SnapChat Maps, Facebook, FourSquare


LOCATION TRACKING FOR APPS: BEST PRACTICES

What Is The Issue?

• Tracking websites visited, consumer purchases, consumer attributes and behaviors enables access to very useful and private data

• Access to specific and continuous geo-location data enables tracking at an even deeper level

• Increased ability for advertisers/companies to target users based on their behaviors and locations in the world

• Increased “creepiness factor”?

• Safety issues re: presence in real world

• Concerns as to how companies and their partners use this very intimate data


LOCATION TRACKING FOR APPS: BEST PRACTICES

FTC and Industry Guidance

FTC Guidance

• Basic Principles

o Privacy by Design

o Increased Transparency

o Simplified Customer choice re data collected and shared

• “Opt in” affirmative express consent (not opt out)

• Clear just-in-time disclosures so customers understand what is collected/shared and with whom.

Industry Self Regulation Guidelines

• Digital Advertising Alliance (DAA): Transparency and Control

• Network Advertising Initiative (NAI): Opt in consent and Reasonable Access to customer’s own data


LOCATION TRACKING FOR APPS: BEST PRACTICES

Best Practices for Companies

Understand exactly how the tracking technology works, including what data it collects, where it sends data, and who can see the collected data. Establish robust privacy by design practices within the business.

Conduct privacy impact reviews before using or deploying new tracking technologies.

Privacy issues, like tracking consumers, are not just legal issues. They also impact customer relations.

• When deploying tracking technologies, companies should consider industry best practices and customer expectations. Customer relations may require the company to go beyond what US law requires.

Ensure all privacy notices or customer-facing statements accurately reflect the tracking technologies used.


LOCATION TRACKING FOR APPS: BEST PRACTICES

Best Practices for Companies

Before using tracking technologies to collect precise geolocations, biometric data or other highly sensitive personal information:

• obtain the person's affirmative opt-in consent; and

• establish data security measures appropriate to the data's sensitivity level.

Companies using tracking technologies outside of the US must consider the impact of potentially stricter foreign data privacy laws.

• The benefits of establishing uniform tracking technology and personal data use policies may lead a company to adopt a stricter procedure or policy approach than US laws require.

• Foreign laws may also apply if companies transfer personal data across borders.


DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS

3. Data Collection in the Era of the IoT and Intelligent Products: Best Practices for Privacy and Security

What is the Issue?

• New class of devices collecting and using personal data in variety of ways

• Billions of distributed, embedded, data-collecting, Internet-connected devices with little or no user interface for disclosing privacy practices


DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS

What is the Issue?

Some Recent Examples

• Roomba, IoT, automotive industry collection of data in cars, recent controversy of UnRoll.Me selling data, Google’s recent decision to stop scanning email for ads

• Cybersecurity botnet attacks such as Mirai attack, fall 2016

‘Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Shared’ – NYT (July 25, 2017)

‘Unroll.me Service Faces Backlash Over a Widespread Practice: Selling User Data’ – NYT (April 24, 2017)

‘Cars Suck Up Data About You. Where Does It All Go?’ – NYT (July 27, 2017)


DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS

Recent Enforcement Activity/Legislation

Federal and state enforcement activity involving IoT

• FTC cases: e.g., TrendNet, Asus, D-Link

• New York AG: SafeTech Products settlement

Proposed legislation

• California’s S.B. 37 (“Teddy Bear and Toaster Act”)

• U.S. Senate Bill, “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”


DATA COLLECTION IN ERA OF IIOT/INTELLIGENT PRODUCTS

Best Practices to Address Regulatory Scrutiny and Consumer Complaints

Several U.S. federal agencies have offered compliance guidance for IoT market participants (e.g., NTIA, FTC, DHS, NIST)

Guidance Highlights:

• Follow “security by design” and “defense in depth” principles and build on recognized security practices

• Stay on top of security patches and vulnerability management and communicate patch and update policies

• Focus on secure authentication and secure interfaces with other devices and services

• Default settings should favor consumer privacy and choice

• Be transparent about data collection and use practices

• Build communication channels with security researchers and users


PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS

4. Privacy and Security Risks in the Growing Use of Big Data Analytics: Emerging Best Practices


PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS

‘Big Data’ is Not Always ‘Smart’ Data

[Chart: Per Capita Cheese Consumption correlates with Number of people who died by becoming tangled in their bedsheets; series “Cheese Consumed” and “Bedsheet Tanglings”, years 2000–2009, cheese-consumed axis 28.5–34.5]


PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS

Regulators are Paying Attention


PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS

What Laws Apply to Big Data Today?

Black Letter Law

• Financial, healthcare, genetic and other data privacy and data security laws (state and federal)

• State regulations, such as insurance laws regulating underwriting, rating, claims handling

• Anti-discrimination laws

• Consumer protection laws

Gaps?


PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS

Basic Questions for Due Diligence and Risk Assessment in Data Analytics

• How do we embed (i) regulatory compliance and (ii) fidelity to our data policies into algorithms and predictive models?

• Who owns all of this data?

• How do analytics projects affect our cybersecurity risk?

• What are the legal ground rules for using and sharing internal customer data in analytics projects?

• What rules govern use of data sourced from third-party sources (e.g., data brokers, IoT devices, social platforms)?


PRIVACY/SECURITY RISKS IN GROWING USE OF BIG DATA ANALYTICS

Best Practices: Ethics and Codes of Conduct

• Prevent discriminatory impact and bias

• Demonstrate respect for consumer privacy

• Enforce accountability

• Build in transparency, auditability of scoring models

• Assure data quality and relevance


Questions?

This presentation is a summary of legal principles. Nothing in this presentation constitutes legal advice, which can only be obtained as a result of a personal consultation with an attorney. The information published here is believed accurate at the time of publication, but is subject to change and does not purport to be a complete statement of all relevant issues.


Hybrid Cloud Security for Financial Services
Kishore Ramchandani, IBM Security
September 14, 2017
IBM Proprietary

Financial services companies are becoming more data-centric and it is important to understand their top security drivers:

1. Regulatory and compliance alignment
2. Standard security frameworks, detection capabilities and response controls
3. Rigorous monitoring of regulatory changes
4. Access management
5. Network security
6. Data protection and encryption
7. Application security
8. Visibility and intelligence
9. Workload-centric capabilities
10. Cloud-agnostic managed security services

This is what a typical hybrid cloud environment looks like:
[Diagram: public cloud, virtual private computing, private cloud, on-premise data center]


Regulators expect the same level of control in a cloud environment

Regulators require financial services firms to review the following before deciding to use cloud services:
• Location of data and the related legal jurisdiction
• Identity and access management
• Auditability
• Availability
• Data classification
• Encryption management
• Security incident management
• Business continuity

Key considerations for mass hybrid cloud adoption

• Design and implement a controls framework to comply with multiple regulatory requirements
• Implement processes to continuously monitor and adjust to regulatory changes
• Accelerators and cloud intellectual property
• Deploy cloud-agnostic security
• Implement an end-to-end approach to security controls and continuous compliance monitoring


Any Move to Cloud Needs an Effective Control Framework

STRATEGY: Set the overall strategic approach to assessing and managing risk, and the risk appetite that fits with business goals and the firm's environment. Outline the budget, roadmap and implementation approach.

CONTROLS: Define the control environment that delivers the chosen risk appetite and enforces the policy framework.

MONITORING, MEASURING AND MANAGEMENT INFORMATION: Monitor threats, incidents and the performance of controls. Track the performance of risk management against risk appetite, using quantitative metrics where possible.

GOVERNANCE: Define organizational roles and responsibilities, policy framework and arrangements for oversight of the risk profile and risk management framework.

Feedback loop: from front line controls to overall strategy.

EXTERNAL COMMUNICATION AND STAKEHOLDER MANAGEMENT: Manage external reporting requirements and requests, and engagement with external stakeholders such as regulators.

Cloud Security Approach

Cloud is more than a technology change! It is a cultural change to organizations that impacts:
• Security Strategy
• Service Consumption (IaaS, PaaS, SaaS)
• Time Horizon

6 “Must Have” Capabilities for Hybrid Cloud Security

Questions to address: How do you...

ACCESS MANAGEMENT
• Secure access to hybrid apps?
• Onboard and manage users?
• Ensure only the right users have access?

VISIBILITY AND INTELLIGENCE
• Discover cyber threats?
• Respond to cyber threats?

DATA PROTECTION
• Visualize and lock down sensitive data?
• Ensure that all cloud-bound sensitive data is encrypted?
• Manage shadow IT?

NETWORK SECURITY
• Efficiently protect the extended network?

APPLICATION SECURITY
• Discover and remediate application security risks?

WORKLOAD SECURITY MANAGEMENT
• Secure cloud workloads and the devices accessing them?


Shared security model has expectations of the customer. This is an extremely important point to understand when engaging clients in the discussion of security for the cloud.

CLOUD SERVICE PROVIDER: Security OF the Cloud
• Virtualization infrastructure
• Network infrastructure
• Physical layer

CUSTOMER RESPONSIBILITY: Security IN the Cloud
• NGFW, UTM, IDPS, VPN
• Threat intelligence
• Event visibility
• Data protection
• Identity & access
• Application security
• Network controls


Afternoon Breakout Session #2
Addressing Cyber Risks in Vendor Contracts
Privacy and Cybersecurity Practice Group
Connecticut Privacy and Cybersecurity Forum
September 14, 2017
© 2017 Wiggin and Dana LLP

Service Provider Risk in an Outsourced World

Increased reliance on third parties
• The Target example: the 2013 breach began with network credentials stolen from an HVAC contractor

Relevant contract types: outsourcing, cloud, apps, managed security, advertising, payments, big data, consulting, facilities, lawyers, accountants

Does the service provider have access to:
• proprietary or regulated data?
• company systems?
• facilities housing company data or systems?
• other contractors with such access?

The Basic Message from Regulators

1. Conduct meaningful due diligence on service providers who will access company data or systems
2. Obligate service providers by contract to provide appropriate levels of security to company data and systems
3. Carry out meaningful supervision, monitoring and oversight of the service provider's performance of its obligations respecting company data and systems


Cybersecurity Due Diligence

• Use a security practices questionnaire/audit form
  o Identify gaps with regulatory and company standards
  o Include appropriate in-house technical experts, and/or an outside cybersecurity consultant, on the diligence team
  o Conduct inspections and tests as appropriate
• Assess the service provider's cybersecurity track record and customer references
• Get input from all key stakeholders in the diligence process
  o Legal, compliance, audit, risk management, HR, procurement


1. Key Deal Terms: Identify the Data

• Define the relevant data sets
  o “Customer Data” v. “Service Provider Data”
  o “Personal data”, “sensitive data”, “PHI”, etc.
  o “Aggregated data”, “de-identified data”, “anonymized data”
  o “Derived data”
• Be clear about roles and who owns what data
  o Processor vs. controller (EU)
  o Ownership issues:
    – Customer-provided data
    – Secondary or derivative data
    – Service Provider meta-data and “usage” data


2. Key Deal Terms: Specify Data Uses

• What processing by the service provider is authorized?
  o Details may be set out in a statement of work
  o What restrictions apply to the processing?
• Where will processing take place?
  o Have the data flows been mapped? Collection, storage, enhancement, transfer/sharing, return, disposal, destruction
  o Shared processing with customer?
  o Jurisdictions implicated for cross-border transfers?
    – Required data transfer agreements?


3. Key Deal Terms: Security Levels

• Is there an applicable legal, industry or other security standard?
  o E.g., HIPAA Security Rule, GLBA Safeguards Rule, NYS Cybersecurity Rule, state minimum security laws, etc.
  o ISO family of standards, PCI DSS, NIST Cybersecurity Framework* (*not a ‘standard’)
  o Key items: encryption, de-identification, access controls
  o Be wary of bare “industry standards” or “industry best practices”
• How and where are security requirements documented?
  o Level of detail required
  o Security schedules, attached policies, SLAs
• Changes in law, security requirements or methods


4. Key Deal Terms: Clarify Incident and Breach Response Obligations

• Is ‘security breach’ defined broadly or narrowly?
• What are the service provider's incident response obligations?
  o Incident response plan, timing of vendor notice, cooperation, access, investigation, interviews, reporting, remediation
  o Customer control over communications and notices
• Who pays and how much?
  o Allocating financial responsibility for security incidents and breaches
  o Specifying the breach cost components and any caps on liability


5. Key Deal Terms: Specify Audit and Monitoring Rights

• Customers should supervise service providers with access to data and systems
• Regulatory and internal audit requirements related to service provider security controls
  o Reporting standards (e.g., ISAE 3402, HIPAA Security Rule, PCI DSS, AICPA SOC reports, COBIT)
  o Spot and emergency audits
  o Audit frequency; audit conditions; cost-shifting
  o Response to audit deficiency findings
• Reports, SLAs and monitoring
• Flow-through requirements for subcontractors


6. Key Deal Terms: Define Liability and Indemnification Terms

• Balance aggregate cyber risk with the commercial stakes
• Will direct damages be capped or uncapped?
• Will all forms of indirect damages be excluded?
• Common exceptions to the cap: IP indemnities, confidentiality
• Enhanced caps for data breaches?
• Carve-outs for ‘deemed’ direct damages
• Scope of indemnification for data breaches


7. Other Key Contract Terms

• Representations and warranties:
  o Compliance with laws and service provider policies
  o No malware
  o No data breaches
• Personnel background checks
• Subcontractor approvals and flow-down terms
• Termination assistance and data disposition
• Cyber liability insurance coverage


‘Take it or Leave It’ Contracts

Not all service providers will negotiate away from their forms
• E.g., some public cloud providers
• Required “flow-down” terms from third-party platform providers

What to do?
• Keep shopping the work
• Negotiate an exceptions rider to the service provider's paper for material terms
• Exclude sensitive data and functions if necessary
• Get required internal approvals supported by a risk analysis


Afternoon Breakout Session #2
Cybersecurity Risk in Mergers and Acquisitions
Privacy and Cybersecurity Practice Group
Connecticut Privacy and Cybersecurity Forum
September 14, 2017
© 2017 Wiggin and Dana LLP

Cyber Risk: The New Normal

[Slide graphic: Ashley Madison, Mossack Fonseca, Cyberoam, JPMorgan, RSA, “HACKED”]


Cyber Risk: The New Normal

• Lost IP
• Lawsuits
• Regulatory fines
• Lost revenues
• Breach notification costs
• Lost customers, goodwill
• Lost time and productivity
• Cost of security products/services
• Cost of outside consultants, attorneys
• Out-of-pocket costs to make breach victims whole

These costs can strip value from or even scuttle a deal


The U.S. Cyber Regulatory Approach: Largely Sector-Specific

Privacy and cyber regulation have evolved in a piecemeal manner in the U.S. based on industry sectors
• In contrast, e.g., the EU treats privacy as a fundamental human right
• Applicable U.S. laws reflect a strong bias to be “technology neutral” in order not to stifle innovation

As a result, there are few specific, prescriptive minimum cybersecurity mandates on private businesses
• For example, for most U.S. businesses there is no legally specified standard for minimum encryption strength or type, even where encryption of data is required by law
  o Exceptions include: HIPAA Security Rule, government contracting requirements (e.g., DoD)
• An adequate security practice will be considered what is reasonable under the circumstances in view of the (1) sensitivity of the data, (2) commercially available risk mitigation measures, and (3) relevant industry practices


U.S. Regulators are Increasingly Focused on Cyber Risk

• Federal Trade Commission
• Securities and Exchange Commission
• Federal banking regulators
• Food and Drug Administration
• Federal Communications Commission
• Department of Energy
• Department of Defense
• Department of Homeland Security
• State Attorneys General (e.g., California)


U.S. Regulators are Increasingly Focused on Encryption

• Consumer Data: FTC Act
• Health Data: HIPAA
• Financial Data: GLBA
• Consumer Credit Data: FCRA
• Federal Agencies: FISMA
• Credit Card Data: PCI DSS
• Defense Data: DFARS


Cyber Risk: The New Normal

SEC's OCIE
• Conducted cybersecurity examination of 49 investment advisers in 2015
• Most firms reported a cyber-related incident
• Issued Risk Alert indicating a second round of examinations

SEC's Division of Enforcement
• First-ever cyber-related enforcement action


M&A Cyber Considerations

Acquirer assumes some or all of target's
• Network and systems
• Data
• Products/services
• Third party relationships

Both sides represent a target of opportunity and increased risk


Cybersecurity Due Diligence: Moving to Front and Center in M&A?

Until recently, cybersecurity risks were not part of core due diligence protocols in M&A
• Cybersecurity diligence tended to be light and left to the ‘techies’
• One recent survey:
  o 78% of respondent firms noted cyber risk is not fully assessed
  o But 83% said that cyber concerns could reduce deal valuations or even be deal-killers

This complacent mindset is changing in light of:
• Overwhelming evidence that cybercrime is now a global underground industry
• Cyber attacks from criminals, hackers and state-backed enterprises that grow more sophisticated and relentless
• Economic losses to private business reaching hundreds of billions annually across all industry sectors
• Increased regulatory attention to private sector cybersecurity failures and related enforcement actions and fines
• Class action litigation targeting businesses for lax cybersecurity


Cybersecurity Due Diligence: Moving to Front and Center in M&A? (continued)

Technology and security companies are not exempt
• E.g., attacks in recent years against Adobe, Microsoft, RSA, Kaspersky Lab and other technology and security companies

Companies entering the U.S. cybersecurity market should expect heightened due diligence from U.S. buyers, investors and business partners
• No one wants to buy a costly and embarrassing data security disaster, especially in the cybersecurity sector.

An additional concern: many cybersecurity incidents go unreported
• Cyber risks can be well hidden and latent in a business partner
• Technology companies are favored targets of the cybercrime community
• Accordingly, there is a strong incentive for buyers and investors to ‘dig deep’ into cyber diligence


Major Types of Cyber Risk in Deals

• Existing or continuing data breach
• Undiscovered prior breaches
• Malware-ridden environment
• Weak internal security policies and practices (technical and administrative)
  o Including inadequate security design and testing protocols
• Lack of corporate data governance and accountability
• Misleading marketing claims for security or privacy features (e.g., FTC v. Facebook)
• Loose controls over subcontractors and third party providers who have access to data and/or systems


Cybersecurity Due Diligence: Basic Steps in the Process

• Treat cybersecurity as an independent category of deal risk
• Use a security practices questionnaire/audit form
• Interview key executives and subject matter experts at the target (e.g., CISO, CIO, CPO)
• Include appropriate in-house technical experts, or a reputable outside cybersecurity consultant, on the diligence team
  o Integrate the technical diligence with the full diligence report (i.e., don't isolate or overlook critical technical findings)
• Review recent compliance audits
• Address non-technical cyber risks
  o E.g., insider risks, company security and disaster recovery policies, data security governance program
• Assess deal risks/deal valuation/deal terms in light of diligence findings


Basic Cybersecurity Questions to Expect in U.S.-based Deals (I)

Current U.S. cybersecurity diligence requests in M&A and investment deals are likely to include some or all of the following items:
• Provide all company written policies related to the security of company systems, data and products and the privacy of personal data
• Disclose internal and external audit results related to the security of company systems, data and products over the past [x] years
• Disclose security testing protocols employed in the development and maintenance of company products and services
• Identify all security standards adopted in company operations and all security-related certifications of the company and its personnel


Basic Cybersecurity Questions to Expect in U.S.-based Deals (II)

• Disclose any non-trivial security incidents in the past [x] years involving company systems, data or products and how incidents were resolved
  o Incidents include those involving personal information and trade secrets or other intellectual property
• Identify the management team accountable for the company's security policies and practices (e.g., CISO, CIO, CPO) and describe the security governance program
• Disclose the company's cyber risk management policies for vendors and subcontractors
• Describe the company's employee training and awareness programs for managing cyber risks


Basic Cybersecurity Questions to Expect in U.S.-based Deals (III)

• Disclose findings of the company's most recent cybersecurity risk assessment of its operations and products
• Disclose the company's incident response and disaster recovery policies
• Disclose any claims asserted against the company for alleged violations of privacy, security or other applicable laws arising from company products or services
• Disclose the company's liability insurance coverage related to cyber losses


Expect Extra Scrutiny from Buyers, Investors and Commercial Partners in Certain Sectors

• Financial services
• Healthcare
• Medical devices
• Energy and utilities
• Telecommunications
• Payment systems
• Security products and services (e.g., identity management, managed network security, cloud and mobile security)
• Government procurement (e.g., Defense)


Case Study 1: Reed Elsevier (I)

2003: Seisint, Inc. (data broker used by businesses to locate people, assets) breached
2004: Reed Elsevier, Inc. (REI) acquires Seisint
• REI is unaware of the breach
• Post-acquisition, REI integrates Seisint's data


Case Study 1: Reed Elsevier (II)

2008:
• FTC complaint alleges violation of Section 5(a) of the FTC Act: “Respondents failed to employ reasonable and appropriate measures to prevent unauthorized access to sensitive consumer information . . . . Respondents' practices caused, or are likely to cause, substantial injury to consumers . . . . This practice was, and is, an unfair act or practice.”
• REI and FTC settle the matter in a consent decree


Case Study 2: Telstra

April 15, 2015: Telstra acquires Pacnet for $697 million
April 16, 2015: Pacnet informs Telstra that Pacnet's network had been breached two weeks prior
May 2015: Telstra is forced to foot the bill for system assessment and Pacnet's response


Case Study 3: FIN4

• FIN4 acquires information about M&A discussions
• Identifies involved stakeholders
• Uses SEC- and M&A-themed phishing lures to capture usernames/passwords
• With access gained, FIN4 has real-time access to deal timing
• FIN4 steals actual deal discussion docs and weaponizes them
• Focus on healthcare and pharma: stocks move dramatically based on news


Case Study 4: Yahoo/Verizon

Massive, years-long data breach revealed at Yahoo! between signing and closing of acquisition by Verizon
• Resulting deal revaluation to the tune of $350MM
• Other fallout:
  o Multiple class actions and regulatory investigations
  o Resignation of general counsel (without severance)
  o Resignation of CISO
  o Millions spent to cover legal defense, investigation and forensic costs


Lessons Learned

Know
• Firms going through M&A have disrupted business operations processes; security suffers
  o 2x exposure risk: both buyer and seller
  o Information sent to lawyers, consultants and other third parties for due diligence
  o Insider risk (disaffected employees are easier to “turn”)
• Hackers may reside in a network for months or years without detection; allocate risk accordingly

Do
• Look for cyber “red flags”
• Take the attacker's perspective
• Conduct cyber due diligence (thorough and early)


Biographies

JESSICA BLOCK

Jessica Block is a Senior Managing Director at Ankura Consulting Group based in the Washington, DC office and leads the firm's data governance practice within the Regulatory & Contractual Compliance group. She has more than a decade of experience helping companies face complex information management challenges. Ms. Block specializes in applying technology to unlock the value of data and decrease the burden of compliance. Ms. Block has led consulting efforts across the lifecycle of various litigations, arbitrations, investigations and transactions. She also strategizes with key internal and external stakeholders to craft resilient policies and standards in readiness for such events and in support of ongoing business operations.

Ms. Block's professional experience includes:

• Multinational Anti-Bribery/Anti-Corruption Investigation: Led a large-scale document review effort for a global pharmaceutical company facing US and international regulatory investigation in multiple jurisdictions. Guided a multi-disciplinary team of several dozen professionals supporting the processing and production of multiple terabytes of data. Staffed hundreds of English and foreign language lawyers conducting document review of the millions of files implicated by the production demands of various authorities and investigative needs of the company. Coordinated in-country forensic collection and mobile document review to accommodate restrictions on data movement.
• Gulf Oil Spill Investigation: Supported a major defendant in litigation and investigation response resulting from the event. Led the team responsible for managing data processing, document review workflow development, and multiple terabytes of incoming and outgoing production volumes.
• SEC/DOJ Investigation: Architected a large-scale data conversion effort to merge legacy eDiscovery databases for a large financial institution responding to SEC and DOJ investigation. Designed and implemented a custom process to reduce overlapping email information from various, disparate data sources to minimize the cost of compliance.
• Multi-District Litigation: Led teams in the acquisition, review, and production of multiple terabytes of electronically stored information for a large pharmaceutical manufacturer. Supported over 1,200 attorneys reviewing data simultaneously. Participated alongside counsel in negotiating production format and defending eDiscovery efforts to a court-appointed special master.
• Preferred Partnership: Fostered ongoing preferred eDiscovery provider partnerships with multiple major corporations. Participated in team conferences with inside legal team and outside counsel to implement best practices, data reuse, and efficient working methods. Supported development of a centralized playbook for different matter scenarios and data types. Facilitated efficient working methods across a portfolio of hundreds of active matters of varying sizes and complexities. Industries supported include Pharmaceutical, Energy, and Hospitality.
• Litigation Readiness Exercise for Regional Hospital System: Supported development of a comprehensive data risk assessment plan and systems inventory for litigation readiness. Conducted interviews of relevant system owners and documented details in a formal data map.

JOHN BOLES

As Director in the Global Legal Technology Solutions, Information Security sub-practice, John Boles collaborates with clients to address their information and data security needs and to ensure their cyber risks are identified and managed. As a former national security and cyber executive with the FBI, John's unique experience provides the expertise clients need to protect their business or recover from an incident.


John and the Navigant team conduct cyber investigations worldwide, performing forensic analysis to determine how an incident occurred, assess whether data was at risk, and identify affected individuals. Combining operational experience with computer forensic expertise, modern technical data mining, endpoint monitoring, and industry knowledge, John provides expert information security solutions to companies, law firms, cyber insurers, and health care brokers.

John is recognized as an expert in cyber operations and security, hacking, and international operations. He has directed and led national security and cyber investigations around the world, in partnership with foreign governments, Fortune 50 companies, the U.S. Intelligence Community, and other U.S. state and federal agencies. He has testified before the U.S. Congress and advised the White House and National Security Council on cyber-related issues and policies.

John served over 20 years in the FBI, including posts to US Embassies in Ukraine, Belarus, and Russia. In 2006, John received the Superior Honor Award from the US Department of State for his performance as Legal Attaché in Kiev, Ukraine. As Deputy Assistant Director, he managed and directed the FBI's cyber operations, investigations, and critical incident response. He also led the National Cyber Investigative Joint Task Force, a 19-member agency team responsible for US cyber national security investigations. His final assignment in the Bureau was Assistant Director, responsible for all FBI operations overseas. Prior to joining Navigant, John was Senior Vice President, Regions Bank, directing cyber fraud and international investigations.

MICHELLE WILCOX DEBARGE

MichelleWilcoxDeBargeisapartnerinWigginandDana’sHealthCareDepartment.ShechairstheHIPAAPracticeGroupandtheClinicalResearchRegulationandCompliancePracticeGroup.Shealsoco-chairstheCybersecurityandPrivacyGroupandisamemberofthefirm’sBiotechnologyandLifeSciencesPracticeGroup.

Michelleadvisesnationalandinternationalbusinesses,healthcareorganizations,andpharmaceutical/biotechnologycompaniesonawide-rangeofhealthcareregulatory,healthinformationtechnology,privacy/securityandclinicalresearch issues.Withovertwentyyearsofexperience,sheregularlyadvisesclientsonHIPAAandotherstateandfederalprivacyandsecurityrequirements;databreachandincidentresponse;healthinformationexchange,includingdatamanagementandexchangeissuesinthecontextofaccountablecareandhealthcareintegrationandaffiliations.Herpracticealsofocuses on Medicare and Medicaid compliance and audits, including fraud, waste and abuse obligations of federal and downstreamcontractors;clinicalresearchregulationandclinicalresearchcontracting;evolvingthird-partyreimburse-mentmodels;andgeneraloperationalmattersinthehealthcareregulatoryarea.Michellelecturesfrequentlyonboththestateandnationallevel.Sheisaco-authorofthe“HIPAAHandbook:ImplementingtheFederalPrivacyRuleinaLong-TermCareSetting,”publishedbyTheAmericanAssociationofHomesandServicesfortheAgingandistheauthorof“HIV-infectedPhysicians:TheDutytoDiscloseundertheInformedConsentDoctrine,”publishedintheUniversity of ConnecticutLawReview.

Before practicing law, Michelle was a program director with the American Cancer Society, where she worked with physicians, nurses, and other health professionals to implement rehabilitation and educational programs for cancer patients, health professionals, and the general public. Before joining Wiggin and Dana, she also supervised the communications program of a community-based health and social service agency.

Michelle is a member of the International Association of Privacy Professionals (IAPP), Applied Research Ethics National Association, and the American Health Lawyers Association.


Michelle is also a member and former Chair of the Advisory Committee on Patient Privacy and Security to the State of Connecticut’s Health Information and Technology Exchange. She previously served on the Legal and Policy Subcommittee of the Connecticut Health Information and Technology Exchange and on the Board of Directors of the Connecticut Health Lawyers Association. Michelle has been recognized by Chambers USA in the category of health care lawyers. Clients indicate that she is “very responsive and efficient” and has “very good negotiation skills” and “a willingness to find solutions.” She is also listed in The Best Lawyers in America since 2006 and as a Connecticut “Super Lawyer” since 2007. Michelle was also named by Best Lawyers as Hartford legal community’s “Health Care Law Lawyer of the Year” for 2012 and 2016.

Michelle received a B.A. from Williams College, studied abroad at the University of Kent in Canterbury, England, and received her J.D. with High Honors from the University of Connecticut School of Law, where she was Editor-in-Chief of the University of Connecticut Law Review. Michelle also holds the certifications CIPP/US and CIPP/E (Certification Information Privacy Professional/US and Europe), granted by the International Association of Privacy Professionals.

DAVID L. HALL

David L. Hall is a partner in the Litigation Department, including the International Trade Compliance, the White Collar Defense, Government Investigations, and Corporate Compliance, the Cybersecurity and Privacy, the Unmanned Aerial Systems, and the Art Law and Museum practice groups.

David is a seasoned trial lawyer who represents corporations and individuals in complex civil litigation and in investigations and prosecutions conducted by the Department of Justice and other federal and state agencies. He conducts internal investigations and corporate compliance assessments for companies, including those in the defense, financial, and health care industries. David advises clients concerning the Foreign Corrupt Practices Act and cybersecurity and data privacy, including assessments of policies and procedures, and data breach preparation and response. He assists clients in the unmanned aerial systems industry regarding the regulatory requirements of federal agencies. David has successfully defended individuals and companies under investigation by the federal government for a wide range of suspected unlawful activity, including bank fraud, securities fraud, political corruption, unlawful sales of art and antiquities, fraud against the government, and unlawful exports.

In 2013, David retired from the United States Department of Justice after a distinguished 23-year career as an Assistant United States Attorney. While in federal service, David received the Director’s Award for Superior Performance, numerous Special Act Awards, and other awards and commendations from government agencies, including the FBI, CIA, DEA, and ATF. He has also been recognized with the DHS/ICE Excellence in Law Enforcement Award, the DHS/ICE International Achievement Award, and the SAFE Beacon Award.

David served in the United States Navy Reserve as an intelligence officer for thirty years, retiring at the rank of Captain. He is the author of CRACK99: The Takedown of a $100 Million Chinese Software Pirate, published by W.W. Norton in 2015.

MICHAEL J. KASDAN

Michael is a partner in the firm’s Intellectual Property Practice and is a member of the Diversity Committee. He has negotiated, defended and asserted IP rights in numerous federal courts, the US Patent and Trademark Office, the International Trade Commission and in private arbitrations and mediations. As an advisor, he has worked with both established companies and start-ups to obtain, evaluate, value, license and develop patent portfolios and trademarks.


Trained in electrical engineering and with a business background as a technology consultant, Michael works with a broad range of technologies, including consumer electronics, wireless devices, medical products and devices, computer architecture, software and networks, open source issues, semiconductor chips and Internet and e-commerce platforms.

His clients rely on him to resolve both large and small patent, trademark, and copyright cases efficiently and cost-effectively. For example:

In a fast-moving ITC case, he spearheaded the two key claim construction issues for the joint defense group. The Administrative Law Judge took the unusual step of agreeing to stage the claim construction phase on potentially dispositive terms early in the case. The success in getting the Court to agree to an early claim construction phase drove favorable early settlements for numerous defendants.

In a competitor semiconductor case brought as part of a global patent war involving the major electronics companies, he was instrumental in the defense of patent infringement claims and helped to obtain a jury verdict of non-infringement for his client.

Michael was involved in the defense of a series of patent claims asserting infringement of mechanical processes, inspection processes and the materials structure of diaper and training pants products, between two competitors in the field.

Michael also counsels clients on strategic patent prosecution and portfolio development, and provides opinions and analyses on various patent issues, including patent infringement, validity and enforceability.

During 2008-2009, he was seconded to Panasonic Corporation in Japan. As in-house patent counsel in Panasonic’s licensing center, he acted as lead counsel representing the company in numerous third-party patent assertions and license negotiations, where he was responsible for developing substantive defensive positions. Michael also provided legal opinions across a broad set of technology areas and in many facets of patent law, and negotiated complex agreements, including portfolio cross-license agreements. In addition, he worked with the company’s managers and engineers to identify high value patents and to strengthen their protection and mitigate exposure to infringement claims.

Michael frequently writes and speaks on a range of topics including IP litigation, standard essential patents, patent monetization, valuation and licensing practices, how to address IP issues for start-up and early stage companies, patent eligibility, patent exhaustion, willful infringement, patent misuse, patent valuation and inequitable conduct. His articles have been published in leading publications, including LEXIS, Practical Law Company, IP Law360, Bloomberg/BNA, and Managing IP Magazine. Michael is the sole author of Practical Law Company’s Practice Note on Patent Law and the Lexis Practice Advisor on Patent Licensing. He was selected to author the chapter on Patent Licensing and Monetization of the Oxford Handbook of Intellectual Property Law (Oxford Press, 2017). Michael has also been the keynote speaker at conferences addressing topics such as diversity and mentorship. In addition, he was interviewed on CNBC’s public television Nightly Business Report regarding the Maps features of Snapchat and its privacy implications.

Michael also teaches as an adjunct professor at his alma mater, NYU, as well as at New York Law School, addressing topics such as IP licensing, global patent litigation, patent exhaustion, and inequitable conduct. He has also guest lectured at the NYU Business and Law Clinic, the NYU School of Medicine, and at New York Law School and Seton Hall Law School. He clerked for the Honorable Judge Roderick R. McKelvie in the United States District Court for the District of Delaware.


Michael received his J.D., magna cum laude, from New York University School of Law. He was a member of the NYU Law Review and the Order of The Coif, was Fish & Neave Fellow for the Engelberg Center on Innovation Law and Policy, and served as President of the Intellectual Property and Entertainment Law Society. He is the Co-Chair of the Media Committee for the NYIPLA (NY IP Lawyers Bar Association) and also serves as a member of the Legislative Action Committee.

Michael also received a B.S.E. in Electrical Engineering, magna cum laude, from the University of Pennsylvania. He was a member of Eta Kappa Nu and Tau Beta Pi, Engineering Honor Societies, and a member of the Penn Parliamentary Debate Team.

Outside of work, Michael serves as the Director of Communications and Development of the non-profit My Child’s Cancer. He also serves on the Board of the SouthNext Festival. He was formerly the Chairman of the Board of the non-profit City-Science, which focuses on improving STEM Education in our cities. He is also a contributor for The Good Men Project. He has spoken on a variety of issues on major media networks, including CNN Headline News, Al Jazeera America, NPR, and CBC Radio, and his writings have appeared in well-known publications such as The Huffington Post, Salon, The BBC, The Daily Dot, Money and Redbook.

JOHN B. KENNEDY

John Kennedy is a partner in Wiggin and Dana’s Corporate Department and a member of the Information Technology and Outsourcing, and Privacy and Information Security Groups.

In 25 years of practice, John has focused on transactions and counseling in the law of information technology, data privacy and security, intellectual property and e-commerce. His transactional practice includes outsourcing, software development and licensing, e-commerce transactions, technology transfer and intellectual property-intensive M&A, divestitures, joint ventures and re-structurings. His clients have included Fortune 500 as well as emerging companies in the financial services, technology, communications, media, energy and consumer products sectors.

John has negotiated complex information technology (IT) outsourcing services agreements involving cloud computing, IT infrastructure and software procurement, systems integration, software development and maintenance, voice and data services and disaster recovery and business continuity. He has also negotiated business process outsourcing (BPO) agreements for call centers and customer support services, finance and accounting services, human resources administration, enterprise procurement services, government passport and visa services, research and development services and supply chain management. His work in this area includes advising clients on all stages of the contract process, including RFP preparation and evaluation, vendor diligence, negotiation of definitive agreements and ongoing advice concerning governance, dispute management and amendments.

In John’s extensive practice in information privacy and security law, he has represented clients in connection with risk and compliance assessments of data privacy policies and practices, data breach preparedness and response, regulatory investigations of data practices, behavioral advertising campaigns and ‘privacy by design’ analyses of products and services in social media and mobile e-commerce, corporate information governance programs, international data transfers and compliance with U.S. state and federal data privacy and information security laws. His clients in this area include companies in the financial services, technology, media, energy and consumer products industries. He is the author of numerous articles on privacy and data security and since 2000 has co-chaired Practicing Law Institute’s Annual Privacy and Data Security Law Institute. Bloomberg BNA recently published John’s Privacy & Data Security Practice Portfolio Series, Cybersecurity and Privacy in Business Transactions: Managing Data Risk in Deals (March 2015).


He has been named in the Who’s Who of Business Lawyers for 2012 for Internet, e-Commerce and Data Protection. Chambers USA ranks John nationally in their Outsourcing category. The Best Lawyers in America has named him for his work in Information Technology Law since 2009. Recently he was elected to The American Law Institute, the leading independent organization in the United States producing scholarly work to clarify, modernize, and otherwise improve the law.

John received his J.D. from Columbia Law School. He was a William Rainey Harper Fellow at the University of Chicago, where he earned an M.A. in English and American Literature, and graduated magna cum laude from Carleton College.

EVAN S. KIPPERMAN

Evan Kipperman is a partner in the firm’s Corporate Department and co-chair of its Emerging Companies and Venture Capital practice group. Evan’s practice is focused on corporate finance transactions, mergers and acquisitions, venture capital financing, securities law, licensing arrangements and general corporate matters across a broad range of industries, including software/information technology, life sciences, digital media, financial services, manufacturing, educational technology, consumer products and food and beverages, among others. Evan’s clients include early stage companies, publicly held middle-market companies, family offices, high-net-worth individuals and private equity firms. He regularly serves as outside general counsel for privately held companies at various stages of development, ensuring that they are appropriately structured, scalable and positioned for growth, while leveraging the multi-disciplinary capabilities of Wiggin and Dana to offer his clients one-stop services for their legal needs. As an active member of the business and investment community in the heart of the Boston to New York corridor, Evan is part of a network that includes organizations such as Crossroads Venture Group, Connecticut Technology Council, CURE, MIT Enterprise Forum, Angel Investor Forum and the Association for Corporate Growth, as well as academic institutions including Columbia University, New York University, University of Connecticut and Yale University, among others.

Before joining Wiggin and Dana, Evan practiced at a prominent New York law firm where he gained extensive experience advising U.S. and international public and private companies in a wide range of industries with regard to mergers and acquisitions, securities transactions and general corporate matters.

Evan received his J.D. from the University of Pennsylvania Law School, where he was a senior editor of the Journal of International Economic Law. He received his B.A. in both International Relations and Political Science from the University of Pennsylvania.

Evan is admitted to practice in Connecticut and New York.

MICHAEL MENAPACE

Michael represents insurers in state and federal courts as well as in arbitrations across the country. Michael has litigated disputes concerning bad faith, insurance coverage, reinsurance, premium calculations, allocation among policies, utility and energy infrastructure construction, securities class actions, and merger and acquisition claims. Leading insurance industry trade groups have engaged Michael to represent them on matters of industry-wide importance before trial and appellate courts. He has tried numerous cases through final verdict.


Michael advises insurers on policy construction, coverage, compliance and regulatory issues and often represents stock, mutual, and captive insurers on their dealings with state regulators, including proceedings concerning rates, applications for acquisition of control, and market conduct exams. In addition, Michael advises companies on a variety of privacy and data protection issues, and defends companies facing potential data breach liability. Michael also advises clients in connection with internal investigations and responses to government inquiries and subpoenas, including federal and state inquiries into force-placed insurance, contingent commissions/broker compensation, and finite reinsurance transactions. With regard to his class action experience, Michael has represented defendants in a wide range of suits. His experience includes defending actions alleging violations of federal securities laws, federal and state environmental laws, ERISA, and the Alien Tort Act.

Michael lectures and publishes regularly. He teaches insurance law at the Quinnipiac University School of Law, is co-editor of The Handbook on Additional Insureds, published by the American Bar Association (2012), and co-author of The Reference Handbook on the CGL Policy – Coverage A Principal Exclusions, 2nd ed., published by the ABA (2014).

Michael began his legal career in the insurance/reinsurance practice group of a major international law firm. He is admitted to practice in Connecticut and New York. He graduated with a B.M. from University of Hartford/The Hartt School of Music and received his J.D. from Quinnipiac University School of Law.

Michael is the Treasurer and an Executive Committee member of the Board of Directors of the Hartford County Bar Association and is Co-Chair of The Hartt School’s Board of Trustees. He was the recipient of the New Leaders of the Law Award from the Connecticut Law Tribune in 2005. Before practicing law, Michael was a college music professor and administrator with an active U.S. and international music performance schedule, including as saxophonist with the Hartford Symphony Orchestra.

KISHORE RAMCHANDANI

Kishore Ramchandani is an Insurance Industry Executive in IBM Analytics, where he focuses on leading edge Analytics and Cognitive solutions for the Insurance industry. Previously, he was the Leader of IBM’s Global Insurance Industry Center of Competence, specializing in Information Technology and Business Strategy and Transformation. He led IBM’s effort to create the Insurance Industry Component Business Model (CBM) maps and is the focal point for linking these maps to the industry specific Service Oriented Architecture (SOA). He leads high performance teams that assist clients in developing a comprehensive Information Technology strategy that is tightly linked to the business plan and in Enterprise business transformation. He has managed several large, complex projects that have included business process redesign based on best practices, architecture assessment, application assessments, business needs analysis, system design/development and implementation, IT organization design, M&A due diligence studies, legacy systems transformation, feasibility studies, request for proposal preparation, and vendor selection. He has over 30 years of experience with clients in the insurance, banking, financial markets, and health care services industries and in the public sector. He is a subject matter expert in Life Insurance and is often called upon to lead IBM’s global insurance initiatives.

He is a member of the exclusive IBM Industry Academy, to which he was admitted by IBM Executive Management based on his Insurance expertise and eminence. He is a Member of the Institute of Management Consultants and is a Fellow of the Life Management Institute (LOMA).


NICOLE WOLTERS RUCKERT

Nicole Wolters Ruckert joined Kennedy Van der Laan in 2004. She first received her law degree in Belgium and then took a Masters in International Business Law and Transactions at the Amsterdam Nyenrode Law School in Amsterdam.

Nicole is a member of the privacy practice. Nicole’s practice focuses on the commercial use of personal data, e.g. e-marketing, online advertising and Big Data. For MarketingFacts.nl Nicole regularly writes about the cookie law and other developments in the field of privacy.

Nicole’s Belgian ‘roots’ have led her to appreciate good food and wine. She knows the best new restaurants in Amsterdam. Theater, films and books satisfy her cultural hunger. She is a skier in winter and an enthusiastic runner all year around.

DENISE TESSIER

Denise Tessier is a Regulatory Compliance Project Executive for IBM’s Global Technology Services division, which provides outsourcing, infrastructure, cloud, mobility and other “back office” services to some of the world’s largest companies. She provides regulatory compliance advice to highly regulated clients such as those in the financial services industry. Her focus is currently on global privacy and the EU General Data Protection Regulation (GDPR), Cybersecurity and Risk Management (ERM or GRC) issues, and data residency generally. Prior to joining IBM, she had over 25 years of legal and regulatory experience in the Insurance industry. She has been in General Counsel and Compliance Officer roles with the Aspen Insurance Group, and was counsel for The Hartford Insurance Groups, handling a wide variety of insurance coverage, claim and compliance issues. She is a graduate of Western New England University and Providence College, and is admitted to the Bar in Connecticut and Massachusetts.

VOLKER WODIANKA, LL.M.

Dr. Volker Wodianka specializes in data protection law and advises on complex process launches in corporate groups, conceptual and operational support of data protection projects in IT & Digital Business, life sciences & healthcare, as well as in industry and start-ups. In international data protection, he is an expert for the implementation of the General Data Protection Regulation as well as the requirements of cross-border data traffic (Privacy Shield, EU standard contract clauses). As a lecturer at a university and in in-house seminars, he offers best practice recommendations on the trend topics of cloud computing and the Internet of Things (IoT).


CONNECTICUT | NEW YORK | PHILADELPHIA | WASHINGTON, DC | PALM BEACH   www.wiggin.com

©2017 Wiggin and Dana LLP

CYBERSECURITY AND PRIVACY PRACTICE GROUP

GROUP CONTACTS

JOHN B. [email protected]

DAVID L. [email protected]

MICHELLE WILCOX [email protected]

What is "cybersecurity" and why is it relevant to your business?

Broadly speaking, "cybersecurity" refers to public and private sector efforts to secure the nation's infrastructure against attacks designed to cripple government, defense, commerce, power grids, transportation and/or other basic services critical to the nation's infrastructure. At one extreme, cybersecurity refers to national cyber-defense strategy against concerted cyber-attacks by foreign powers or terrorists (a/k/a "cyber-warfare"). At the other extreme, the term refers to persistent, sophisticated cyber-hacking, cyber-espionage and cyber-terrorism events, large and small, targeting individual government agencies and private corporations for purposes of sabotage or for acquiring sensitive intelligence information, government secrets and/or commercial trade secrets. These incidents do not only target the Fortune 500 businesses; small to medium-sized businesses have been a major target of cybercrime in recent years.

The Cybersecurity Framework

The Obama Administration's recent executive order has launched an effort to promulgate a voluntary national framework under which government agencies and private sector businesses can establish and maintain minimum cybersecurity standards and practices. As proposed, adoption of the framework by private sector businesses would be accompanied with various incentives for investment in cybersecurity and sharing information with the government. For some months, a draft Cybersecurity Framework has been open for public comment by the National Institute of Standards and Technology. A final, revised version is scheduled for release in February 2014. Numerous bills pending in Congress, if enacted, would serve further to "federalize" the area of private sector cybersecurity standards, especially for industries designated as critical to the country's infrastructure (such as public utilities, communications networks and defense contractors). Regardless of the final form of any agreed upon cyber risk framework, government cybersecurity regulations and guidance are likely to issue.

Businesses in all sectors, not only in defense and utilities, have reason to prepare for the impending U.S. cyber-security regime. As a senior government official recently put it, "There are two kinds of businesses today: those that know they have been hacked, and those that don't know it yet." Any business that relies on networks and on digital systems to conduct operations and store information assets is exposed to cyber-risk. The unfolding federal cybersecurity "framework" is likely to expand through federal and state regulatory structures and lead to multiple new compliance mandates and guidelines for all major economic sectors. Recently, the Department of Defense issued new regulatory guidance to address cybersecurity in defense procurement contracts, likely signaling a larger trend across all federal procurement requirements. Recently the Department of Defense and the Government Services Agency issued a recommendation for enhanced cybersecurity compliance by federal contractors. Evolving federal cybersecurity standards may also affect standards for civil liability associated with maintaining information systems and for the insurability of cyber-risks. Businesses will ignore these developments at their peril.

What services does Wiggin and Dana provide relating to cybersecurity?

Risk Assessments and Compliance: The foundation of cybersecurity preparedness is a comprehensive risk assessment. And risk assessments need to be informed by an organization's particular legal and regulatory compliance posture and liability exposures. Working with clients and in some cases technical consultants, firm lawyers help structure risk assessments and then prepare and help clients implement cybersecurity compliance programs. Areas of compliance may include not only primary cybersecurity rules and guidelines but also such matters as export compliance, privacy and data security, computer crime laws, SEC disclosure requirements, health care legal requirements, employment practices, fraud prevention and other agency and industry ‘best practices.’

Internal Investigations: Cybersecurity incidents, threatened incidents, data breaches and even routine compliance efforts may reveal circumstances that call for sensitive internal investigations. Wiggin and Dana's litigation, White Collar and Regulatory Compliance practices have extensive experience in such investigations, and our team includes several partners with substantial prior government experience, including Global Information Assurance Certification in data security investigations.

Government Investigations: Government regulators and state attorneys general are increasingly focused on security lapses in the private sector. The Federal Trade Commission, for example, has brought over a hundred enforcement actions in the last few years directed at private sector privacy and security practices. Government contracting practices are under increased scrutiny for their security implications. This compliance and enforcement environment translates into more investigations of data security incidents, data breaches and other corporate missteps involving security systems or government data. As with internal investigations, our litigation, white collar and compliance attorneys have extensive experience advising clients in their responses to such investigations.

Corporate Information Security Policies, Employee Awareness, Governance and Board Education Programs: The adoption of appropriate, written cybersecurity policies will be a cornerstone for corporate compliance efforts, including employee training programs and for overall enterprise governance of cybersecurity practices. Wiggin and Dana's privacy and data security lawyers have substantial experience in this kind of policy development work and in ‘best practices’ approaches to information security governance and training.

Security Incident and Breach Preparedness and Responses: Data security incidents are routine and pervasive, but, increasingly, businesses are also falling victim to sophisticated cyber-attacks (or "advanced persistent threats") designed not to steal customer data but to acquire company assets or to seize control of systems and disrupt business operations. Clients typically require outside legal advice in responding to these incidents, in managing the multiple consumer and regulatory notice obligations imposed by state and federal law and in mitigating litigation risk. Our litigators, privacy and health care lawyers have extensive experience in data breach preparedness and response programs. Often these services are coupled with assistance in developing relevant client security and incident response policies.

Litigation: Although it remains to be seen whether cybersecurity regulations will create a new field for civil litigation, there is already a thriving class action industry in data breach litigation under existing state and federal laws. However, standards of liability for security lapses are likely to be affected as cybersecurity law and policy evolve. Businesses that are victims of cyber-attacks will likely find themselves sued in addition to their other compliance related problems. Litigators at Wiggin and Dana have extensive litigation experience in defending consumer protection and privacy claims and in handling complex class action cases.

Cyber-risk in Procurement, Outsourcing Transactions and Supply Chains: As more companies outsource or send parts of their operations into ‘the cloud’, procurement increasingly becomes a cybersecurity risk vector. How companies go about buying technology and technology-related services can have a significant impact on their cyber-risk profile. Many existing regulations obligate businesses to engage in reasonable due diligence and obtain appropriate, written contractual terms from vendors that have access to company systems and data. With the recent issuance of Department of Defense cybersecurity guidelines for procurement, businesses that contract with the federal government can expect cybersecurity to be a prominent requirement for certain federal awards. Any comprehensive approach to managing cyber risk will involve appropriate procurement and supply chain management policies and practices. Lawyers in Wiggin and Dana's outsourcing and technology group regularly advise clients on these issues in connection with individual transactions and procurement policies.

Cyber-liability Insurance Products: Lawyers in the firm's insurance and litigation practices have extensive experience in advising on insurance coverage disputes. Our insurance lawyers have also helped insurers develop new cyber-liability insurance products.

What kinds of businesses should be addressing cybersecurity risks?

Businesses in economic sectors identified by the government as "critical infrastructure", including public utilities, defense contractors, health care, manufacturers, technology companies, banking and financial services companies and transportation businesses.

All other businesses that:

• maintain substantial proprietary information and intellectual property on information systems, whether internal or outsourced;

• contract with, or are otherwise in the supply chain for, "critical infrastructure" businesses or the government, and therefore need to keep pace with the evolving requirements for the critical infrastructure;

• are already subject to state or federal regulatory requirements pertaining to information security (e.g., financial services, health care, education);

• are critically dependent upon the security of their data and information systems to operate and maintain business continuity, or

• for reputational, risk management and brand-protection reasons, seek to limit their exposure to public data breach and cyber-hacking incidents.

What about small and medium-sized businesses?

Smaller and mid-sized businesses may assume that they can avoid serious cyber-risk if they just sit quietly and keep their heads down. But the facts indicate otherwise; several major industry studies have emphasized that cyber-assailants are finding some of their richest targets in smaller, and less prepared, businesses. The answer for such businesses is not ‘zero preparation' but appropriate preparation.


Contacts:

MICHELLE DeBARGE, CIPP/US, CIPP/E, [email protected]

JOHN KENNEDY, [email protected]

Cybersecurity and Privacy Group: EU General Data Protection Regulation (GDPR) Services

ARE YOU READY FOR THE EU GDPR?

The deadline is May 25, 2018, and if you are subject to the GDPR, you have a lot to do between now and then. Even if you are not currently subject to the European Union (EU) Data Directive, you may be subject to the GDPR, given its broader territorial scope and that data processors are now directly regulated. In addition, the GDPR broadens pre-existing data processing requirements and includes tougher sanctions for non-compliance.

What is the GDPR?

The GDPR is a European regulation that governs the processing of personal data (data concerning a natural person). “Processing” includes the collection, storage, use, disclosure, or retrieval of personal data. It also contains provisions giving personal data subjects certain individual rights in connection with their personal data.

What is Personal Data?

The definition of “personal data” is broad. It includes virtually any information related to an identified or identifiable natural person (a “data subject”).


WHO MUST COMPLY WITH THE GDPR?

You may be subject to the GDPR even if you do not have a physical establishment in the EU. The GDPR applies to:

(1) controllers (those who determine the purposes and means of the processing of personal data) and processors (those that process personal data on behalf of a controller) with an establishment in the EU, regardless of whether the processing takes place in the EU; and

(2) a person or entity that offers goods or services to data subjects in the EU or that monitors their behavior, as far as their behavior takes place in the EU, regardless of whether the person or entity has an establishment in the EU.

An establishment is not defined by a particular presence or legal form. According to the recitals in the GDPR, establishment “implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

WHAT DOES THE GDPR REQUIRE?

Controller Obligations:

• Obtain consent for or document other justification for processing activities and provide notice of processing activities

• Implement special processes to address data collection and processing for children under 16

• Maintain appropriate data security measures

• Implement “privacy by design and privacy by default”

• Notify data protection agencies and data subjects of breaches

• Perform Privacy Impact Assessments (PIAs, for short) and consult with regulators before performing certain processing activities

• Honor and implement processes to address individual rights

• Implement appropriate processes and data use agreements in connection with third-party data processors

• Maintain documentation of processing and compliance activities

• Comply with cross-border transfer restrictions

• Appoint a Data Protection Officer, if required

• Cooperate with supervisory authorities


Processor Obligations:

• Maintain appropriate data security measures

• Notify controllers of breaches

• Assist with PIAs

• Assist with processes to address individual rights

• Obtain consent from controllers for arrangements with sub-processors, and implement appropriate processes and data use agreements in connection with sub-processors

• Maintain documentation of processing and compliance activities

• Ensure personal data is deleted or returned when processing activities end

• Comply with cross-border transfer restrictions

• Appoint a Data Protection Officer, if required

• Cooperate with supervisory authorities

WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?

Penalties for non-compliance can be as high as €20 million or 4% of total global turnover from the prior year, whichever is higher. The penalties are clearly severe and if imposed could threaten the viability of many companies. Data subjects also are entitled to specific remedies under the regulation.

HOW CAN WE HELP?

We offer a full range of GDPR support services, including initial assessments and development of a comprehensive implementation plan for those not previously subject to EU data protection requirements. We have a team of attorneys who can assist with GDPR data privacy and security implementation and compliance, led by partners Michelle DeBarge and John Kennedy. Michelle has 24 years of privacy experience and holds both an IAPP/US and IAPP/E certification. John Kennedy is a recognized leader in the privacy and cybersecurity legal field with nearly 20 years of experience advising clients on a full range of privacy and security matters. Our team includes a deep bench of individuals with specialized knowledge in the areas of breach response, health care services, life sciences, financial services, outsourcing, insurance, and information technology. We coordinate our services with local counsel in EU Member States to ensure additional privacy and security requirements of individual Member States are considered.

We also can serve as a company’s DPO (Data Protection Officer) both in the U.S. and abroad for companies who do not have internal DPO expertise or whose operations do not require a full-time DPO.

For more information on our GDPR services, contact Michelle DeBarge at 860.297.3702 or at [email protected]


WIGGIN AND DANA OFFICE LOCATIONS

New Haven Office: One Century Tower, 265 Church Street, P.O. Box 1832, New Haven, Connecticut 06508-1832, p 203.498.4400, f 203.782.2889

Greenwich Office: 30 Milbank Avenue, Greenwich, Connecticut 06830, p 203.363.7600, f 203.363.7676

Hartford Office: 20 Church Street, Hartford, Connecticut 06103, p 860.297.3700, f 860.525.9380

Stamford Office: Two Stamford Plaza, 281 Tresser Boulevard, Stamford, Connecticut 06901, p 203.363.7600, f 203.363.7676

New York Office: 437 Madison Avenue, 35th Floor, New York, New York 10022-7001, p 212.490.1700, f 212.490.0536

Philadelphia Office: Two Liberty Place, 50 S. 16th Street, Suite 2925, Philadelphia, Pennsylvania 19102, p 215.988.8310, f 215.988.8344

Washington, DC Office: 1350 I Street, NW, Washington, D.C. 20005-3305, p 202.800.2470

Palm Beach Office: 231 Bradley Place, Suite 202, Palm Beach, Florida 33480, p 561.701.8700

www.wiggin.com © 2017 Wiggin and Dana LLP. In certain jurisdictions this may constitute attorney advertising.


Cybersecurity and Privacy Group: Incident Response Services

Data incident response is a critical component of an organization’s risk mitigation strategy and arguably more important than ever. There were over 64,000 data security incidents in 2015 alone that compromised organizational data confidentiality, integrity, or availability. These include 2,260 instances of confirmed unauthorized disclosure.

Companies must be prepared at a moment’s notice to handle data incident investigation, forensics, remediation, crisis team management, regulatory inquiries, and internal communications. Moreover, a company that fails to have a comprehensive data incident response plan in place or that is not prepared to follow the plan in the event of an incident, faces significant legal risk of a regulator’s enforcement action or a civil lawsuit. Simply having a well-written incident response plan is not enough preparation for today’s cyber threats.

We have successfully worked with our clients to prepare for and respond to data breach and cybersecurity events in multiple industry sectors.

WIGGIN AND DANA DATA BREACH TOLL-FREE HOTLINE: 1-844-9BREACH

Group Contacts:

JOHN KENNEDY, [email protected]

DAVID HALL, [email protected]

MICHELLE DeBARGE, [email protected]


OUR SERVICES

Given the growing number of data breaches and the substantial cost to contain, investigate, and respond to them, your organization should be prepared with an effective incident response program, including fully ready relationships with external providers, including data breach counsel. As part of our privacy and cybersecurity legal services, Wiggin and Dana offers our clients a comprehensive set of security incident and data breach preparation and response services, including:

• developing client incident response plans and providing related training;

• helping assemble a team of other external advisors and service providers, including forensic consultants, providers of notification and credit monitoring services and public relations/media consultants;

• advising a client’s internal breach response team, working with forensic investigators and coordinating overall incident response measures;

• legal analysis and preparation of applicable consumer and regulatory notification requirements;

• managing relationships with law enforcement officials;

• representation in regulatory and attorney general office inquiries and investigations; and

• defense in civil suits and class action litigation.

Our privacy lawyers have helped clients prepare for, respond to, and defend lawsuits and regulatory investigations arising from a wide variety of data security incidents, ranging from sophisticated external attacks on client systems to internal failures of security risk management.

In the current technological and legal environment, companies that own or control significant data assets are exposed to a myriad of persistent and sophisticated security threats that can lead to costly litigation, long-term regulatory scrutiny, substantial fines and lingering reputational damage. These concerns are particularly pressing for regulated entities that are in relationships of trust with consumers, such as insurance companies. High-profile data breaches show that any business can be “hit” by outside hacking or internal security failures, making it all the more critical that a business can demonstrate, at a minimum, that it was reasonably prepared and capable of a timely and effective response.

OUR EXPERIENCE

We have worked with our clients in the insurance, healthcare, technology, financial services, and public utilities sectors to prepare for and respond to data breach and cybersecurity events with the following:

• appropriate written information security and incident response policies and the development of client teams to manage these policies;

• training and testing exercises that simulate security incidents and reveal administrative and technical vulnerabilities;

• improved vendor and supply chain risk management procedures;

• improved cyber risk assessments and information sharing regarding the threat environment; and

• proactive and informed involvement of senior management and the board in the oversight of cybersecurity risk management.

Additionally, our data breach coaching lawyers have handled scores of data security incidents for our clients in multiple industry sectors. This experience ranges from small but sensitive spills of personal data, to reportable breaches involving millions of customer records to advanced persistent threats that target trade secrets and data on key personnel.

RECENT PROJECTS

Our recent data incident projects have included:

• representing a public utility in its response to a data breach involving loss of a significant amount of current and former employee data and in making notifications to residents, state regulators and law enforcement agencies across the country;


• representing a national property and casualty insurer in its response to a breach involving social engineering exploits with its employees and the compromise of computers, customer accounts and credit card data at one of its affiliates;

• representing a health care insurer in connection with a security lapse at a third party vendor which potentially exposed protected health information and other customer records to public access and data thieves;

• representing an institution of higher education in its response to a data breach involving the loss of sensitive data related to students, faculty and staff;

• advising one of the country’s largest insurers in connection with the Anthem breach, its responses to state and federal regulators and its compliance obligations concerning affected group plans at Anthem which are underwritten by the insurer;

• assisting an insurer in a sensitive internal investigation involving potential employee violations of internal security policies and unauthorized use of data;

• selection by Zurich, N.A. to be among the law firms on its roster of approved data breach coaches for insureds; and

• investigation and analysis of numerous potential security incident fact patterns and advising insurance clients on whether a reportable event has occurred under applicable notification laws.

OUR TEAM

Our team is cross-disciplinary - leveraging our attorneys who specialize in privacy compliance, cybersecurity regulation, defense litigation, insurance law and information technology law. This group is deeply familiar with the varied requirements and nuances of state and federal breach notification laws and is seasoned in managing the investigations, regulatory inquiries, and civil suits that often follow security incidents.

John Kennedy, Partner and Co-Chair, Cybersecurity and Privacy Group (U.S. state and federal data privacy and cybersecurity matters; data breach management; privacy and data security policies and governance; transactional matters involving data privacy and security; international data transfers)

David Hall, Partner and Co-Chair, Cybersecurity and Privacy Group (Cybersecurity and related compliance matters, internal and external investigations)

Michelle DeBarge, Partner and Co-Chair, Cybersecurity and Privacy Group (HIPAA matters and related compliance and policy advice; OCR audits and investigations; and state AG investigations)

Aaron Bayer, Partner (data breach defense litigation; state and federal regulatory inquiries and investigations)

Michael Menapace, Partner (Insurance law matters, cybersecurity insurance coverage)

Jody Erdfarb, Associate (HIPAA matters and related compliance and policy advice; privacy and security awareness training)


CORPORATE DEPARTMENT

GROUP CONTACT

WILLIAM A. PERRONE, CHAIR 203.363.7604 [email protected]


We act as trusted advisors to clients large and small by learning their businesses, gaining their confidence and earning their trust. We believe that our familiarity with clients, their businesses and their industries gives us a solid foundation to render the sound legal advice and practical business counsel that helps them clarify goals, find solutions and achieve results. Our corporate lawyers advise clients in industries as diverse as biotechnology, cannabis, pharmaceuticals, medical devices, software, internet of things, telecommunications, health care, financial services, energy and utilities, outsourcing, specialty chemicals, high-tech and traditional manufacturing, and retail.

Wiggin and Dana serves as outside general counsel or as special counsel to clients from publicly traded corporations (including Fortune 500 Companies) to emerging and entrepreneurial companies and their investors. Our clients do business globally and we assist them with transactions in North and South America, Europe, India, China, Japan and the Middle East.

We regularly advise clients on a wide variety of commercial and financial matters, including mergers and acquisitions, joint ventures, strategic alliances, public and private debt and equity financing, outsourcing, entity formation, creation and protection of intellectual property, licensing and distribution, franchising and workouts and restructuring. These projects and transactions range from million to billion dollar values. Accordingly, we know how to deliver sophisticated and efficient counsel in both small and large transactions.

While we provide a broad array of corporate legal services, here are some of the specific areas in which we can serve you:

Clean Technology

Cybersecurity and Privacy

Digital Media and Technology

Education


Emerging Companies and Venture Capital

Finance and Restructuring and Workouts

Franchise and Distribution

India Practice Group

Intellectual Property

Life Sciences

Medical Cannabis

Mergers and Acquisitions

Patent Prosecution

Securities and Capital Markets

Software and Internet

Tax Exempt Organizations

Taxation

Technology and Outsourcing

Trademark and Copyright


EMERGING COMPANIES AND VENTURE CAPITAL PRACTICE GROUP

GROUP CONTACT

EVAN S. [email protected]

PAUL A. [email protected]


Wiggin and Dana attorneys have a deep understanding of the issues faced by emerging growth companies and investors alike. Our business-minded approach has won the trust of numerous emerging growth companies at all stages of their life cycles, as well as investors of all types — from angel investors and venture capitalists, to family offices, traditional private equity firms and other strategic and financial investors.

We are a value-added provider of mission-critical services. We offer an invaluable perspective, putting to work our experience in representing both companies and investors across a broad range of industries, such as software/information technology, telecommunications, life sciences, financial services, clean technology, digital media, consumer products, education technology and health care services. Our attorneys work with emerging company clients to ensure that they are appropriately structured, scalable and positioned for growth and a liquidity event, while avoiding obstacles and helping them withstand the rigorous due diligence scrutiny of investors, lenders, strategic partners and underwriters. We work with venture capital clients and other investors to help review their targets, structure their investments and accomplish their business objectives. We strive to find creative solutions for our clients with sound counsel that not only considers potential legal risks but also makes us trusted advisors.

We deliver enhanced one-stop services to our clients by leveraging our networks and our multidisciplinary capabilities. Our attorneys are founders and leaders of the region’s most prominent technology, venture capital and trade organizations, giving us a wide network of experience to draw from to help our clients. Our networks include organizations such as Crossroads Venture Group, Connecticut Technology Council, CURE, Angel Investor Forum and the Association for Corporate Growth, as well as academic institutions including Columbia University, New York University, University of Connecticut and Yale University, among others.

As a full-service law firm, we are ideally equipped to meet the needs of our clients, and we routinely provide a full complement of interdisciplinary legal services to effectively and efficiently address the issues our clients face, including:

• Enterprise formation and governance
• Venture capital and seed financing
• Intellectual property prosecution, strategy and litigation
• Tax structuring
• Licensing and distribution
• Collaborations and other strategic alliances
• Private placements
• Regulatory matters
• Cybersecurity
• International trade compliance
• Commercial litigation
• Debt financings
• Employment, labor, benefits and immigration matters
• Real estate matters
• Public offerings
• Mergers and acquisitions
• Investment adviser and broker dealer regulation


MERGERS AND ACQUISITIONS PRACTICE GROUP

GROUP CONTACTS

MARK S. KADUBOSKI 203.363.7627 [email protected]

SCOTT L. KAUFMAN 212.551.2639 [email protected]

Wiggin and Dana has recently assisted clients – operating in the U.S., Europe, the Middle East, the Americas and Asia – in over a hundred M&A deals worth billions of dollars.

We can handle all aspects of mergers and acquisitions, providing assistance with structuring and negotiating transactions, and advising on antitrust, securities, tax, labor, employment, environmental, and other matters. We also provide exceptional value to our clients thanks to the deep experience of our M&A lawyers, their acute business acumen and their practical approach to acquisition and divestiture work.

Our attorneys are experienced representing public companies, closely-held businesses and their owners, private equity funds and their portfolio companies and other institutions. We have experience in numerous industries – including biopharma/medical devices, chemicals, computer software/web technology, construction/ engineering, distribution, financial services, healthcare/healthcare services, manufacturing, media/publications, technology, and utilities/telecom.

Our work spans mergers, stock and asset purchases and dispositions, as well as other transactions that transfer business interests, including product-line acquisitions, joint ventures with purchase options and equity investments with purchase options. When we help acquire or sell public companies, we are equipped to advise on fiduciary issues, securities law compliance and stockholder matters. We also can advise on and provide all antitrust structuring and filings, intellectual property due diligence, tax structuring and other necessary support for our clients.


EDUCATION PRACTICE GROUP


Educational institutions today face unprecedented opportunities and challenges — increased economic competition, continually changing regulatory requirements, complex labor and employment concerns, modifications in technology and data security, and the ever-evolving needs of students and faculty. Wiggin and Dana is well suited to help colleges, universities, and other educational institutions cope with these challenges.

For more than half a century, our firm has represented institutions of higher education in Connecticut and other states on a wide array of education matters, including FERPA, Title IX, Clery Act, privacy and data security, intellectual property, art and museum law, labor and employment, affirmative action, immigration, charitable gifts and endowments, tax exemption, board governance, corporate organization and finance, commercial transactions and government contracts, construction and real estate outsourcing, health care, and export and sanctions compliance. We have guided educational institutions in responding to government investigations, conducted internal investigations for them, handled complex and highly sensitive lawsuits, and helped them negotiate critically important strategic alliances and affiliations.

Our Education Practice Group has long-standing relationships with colleges and universities, independent and proprietary schools, and extensive experience counseling them on the full range of legal issues they face. Our lawyers work closely with boards of trustees, presidents, senior administrators, deans, department chairs, and in-house counsel to find practical solutions to complex legal issues.

The head of our practice group is a former general counsel to a college. He and the other lawyers in our group understand how educational institutions operate and how an institution's constituencies can influence decision making.

Our higher education clients include:

• Yale University
• Wesleyan University
• Connecticut College
• Princeton University
• Quinnipiac University
• University of New Haven
• University of Bridgeport
• Goodwin College

GROUP CONTACT

AARON S. [email protected]

EDUCATION PRACTICE GROUP

We have also long represented independent schools, including:

Choate-Rosemary Hall
The Hotchkiss School
The Foote School

In addition, our firm has counseled proprietary schools, including the Institute of Culinary Education and Stone Academy.

Our firm has also represented organizations that are associated with educational institutions, such as the Graustein Memorial Fund and the Connecticut Conference of Independent Colleges, as well as other non-profit institutions and organizations whose missions are closely aligned with education, such as the Connecticut Science Center, Mystic Seaport Museum, and the Institute for Health Care Communications.

We counsel colleges, universities, independent secondary schools, proprietary schools and other educational institutions on a full range of legal issues, including:

Labor, employment and employee benefits

Faculty employment, promotion, and tenure
Immigration issues
Personnel policies and manuals
Defending claims of wrongful discharge, discrimination and sexual harassment
Design and implementation of employee benefits plans and programs
Qualified and non-qualified deferred compensation and executive compensation

Student issues

Student disciplinary matters
Disability accommodations
Housing, academic and admissions issues
International programs
Student privacy (FERPA, HIPAA, and other federal and state privacy laws)
Online courses

Tax exemption and corporate governance

Charitable giving
Endowment management
Compliance with state charitable trust and solicitation laws
Governance and related Form 990 issues (including conflicts of interest)
Executive compensation
Relationships with support organizations
Tax exempt bond financing

Commercial contracting

Information technology (IT) licensing and implementation
Outsourcing
Equipment leases
Government contracts
Car share program agreements
Location agreements


Intellectual property

Copyright and trademark
Development and implementation of policies regarding invention disclosures, ownership of inventions and patent protection, and commercialization of IP
Licensing arrangements and technology transfer agreements
Sponsored research, grants and consulting arrangements
Prosecution and litigation of patents, trade secrets, trademarks, domain names, copyrights, and other intellectual property rights

Real estate and facilities

Acquisition, sale, disposition, and leasing of real property
Construction and design matters including negotiation and drafting of contracts with architects, engineers, and contractors
Telecommunications matters including distributed antenna systems, dark fiber installations, and cell site leasing and development
Land use and zoning
Environmental matters, alternative energy, onsite power generation solutions, and green initiatives
CHEFA financing and other tax exempt bond issues
Property tax valuation and exemption matters

Federal and state regulatory compliance

SEVIS reporting
Campus safety and student right to know laws
Data security and financial privacy laws
Freedom of information laws (FOIA)
Federal regulations governing human subject research and scientific misconduct

Government investigations

Representation in state and federal investigations, including investigations and enforcement actions by state attorneys general, state departments of education, and the U.S. Department of Education
Conducting internal investigations

Export and economic sanctions compliance

Compliance with US export and sanctions laws is another area of growing concern for universities and research centers, which must grapple with the export and sanctions compliance issues presented by presentation of papers at international conferences, requests for academics to visit sanctioned countries, collaboration with foreign institutions/academics/students in an environment of increasing reliance on private sponsors who may wish to restrict publication and thereby jeopardize universities' use of export exemptions for fundamental research, intentional or inadvertent exposure of research equipment and results to international graduate students and faculty, misdirected emails containing export-controlled information, the temptations and perils of cloud computing, and research involving cutting edge (and often export-controlled) technologies such as unmanned aerial and submarine vehicles (drones). Our large and experienced team of international trade compliance partners and associates routinely provide counsel on these and other international trade compliance issues – including by providing interpretive advice, creating or improving compliance policies, conducting trainings, internal audits, or investigations, assisting with license applications, and drafting voluntary or directed disclosures – to clients ranging from Fortune 50 defense contractors to universities to high-tech start-ups.


Provide advice on the interpretation of regulatory requirements under the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), regulations administered by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, and multiple economic sanctions regimes implemented by the Office of Foreign Assets Control (OFAC)
Audit, create, or refine institutional policies and procedures to ensure compliance with ITAR, EAR, BATFE, and OFAC requirements
Conduct internal training
Assist in classifying commodities, data and software under the ITAR and the EAR
Prepare or assist in preparation of applications to the Departments of State, Commerce, Treasury or BATFE for licenses/permits authorizing the export/import of controlled commodities, data, or services, or transactions with sanctioned persons or places
Conduct internal investigations into potential violations of the ITAR, EAR, BATFE or OFAC requirements
Prepare voluntary and directed disclosures

Litigation

Litigation in state and federal courts, appeals, arbitration, and mediation


CONNECTICUT I NEW YORK I PHILADELPHIA I WASHINGTON, DC I PALM BEACH W W W .W I G G I N . C O M ©2017 Wiggin and Dana LLP

HEALTH CARE DEPARTMENT

For decades, Wiggin and Dana has been home to one of the largest, most extensive and experienced health law practices in the region. Health care organizations and providers of all types—as well as state and national associations and professional societies active in health care policy issues—count on us to provide general and special counsel across a wide spectrum of issues.

Wiggin and Dana’s health care department has consistently been ranked in Band 1 of the Chambers USA Guide. Quotes from clients include: "they are technically excellent but they also understand the practical implications" and "the breadth of their knowledge and the depth of their bench is excellent." Attorneys recognized are Maureen Weaver, Melinda Agsten and Michelle Wilcox DeBarge.

Our clients include academic medical centers, hospitals and hospital systems; long-term care facilities; continuing care retirement communities; assisted living facilities; ambulatory care facilities; PACE organizations; home health care agencies; hospices; pharmaceutical manufacturers and retail pharmacies; ambulance providers; durable medical equipment suppliers; specialty payors; preferred provider organizations and benefits management companies; physicians and other individual practitioners. We also serve as counsel to health-care focused associations, such as the Connecticut Hospital Association, LeadingAge Connecticut, the Connecticut State Dental Association and the National PACE Association. In addition to health care providers and provider associations, we counsel entities involved in various aspects of health care delivery and administration, such as health plans and health networks; third-party administrators; wellness providers; tele-health and information technology companies; data management and analytics firms; and mobile and digital health organizations.

In helping our clients, we address a full range of laws that affect health care, including licensure, change of ownership, certificates of need, patient care, risk management, fraud and abuse and reimbursement and payor matters. Our attorneys appear regularly before the United States Department of Health and Human Services' Centers for Medicare and Medicaid Services, the Connecticut Office of Health Care Access, and Connecticut Departments of Public Health, Social Services, Mental Health and Addiction Services, and Children and Families.

Our team also includes seasoned corporate lawyers with health care experience who handle transactional matters for health care providers of all kinds. These range from employment relationships to complex collaboration arrangements to full corporate affiliations via merger, acquisition or member substitution.

GROUP CONTACT

MAUREEN WEAVER 203.498.4384 [email protected]

Practice concentrations within the Health Care Department include:

Academic Medical Centers, Health Systems and Hospitals

Clinical Research Regulation and Compliance

Health Care Business Transactions

Health Care Compliance Fraud and Abuse

Health Information Technology

HIPAA

Home Health Care and Hospice

Long Term Care and Senior Living

Medicare and Medicaid Reimbursement

Tax Exempt Health Care Organizations


HEALTH CARE COMPLIANCE, FRAUD AND ABUSE PRACTICE GROUP

GROUP CONTACT

MAUREEN WEAVER 203.498.4384 [email protected]

For many years, health care fraud and abuse has been a top government enforcement priority. Now, the stakes are going up. The federal government has announced and implemented initiatives to strengthen its efforts to combat fraud, waste and abuse in federal health care programs. State Medicaid programs have embarked on their own initiatives focused on Medicaid integrity. What's more, federal and state laws provide a substantial financial incentive to employees, competitors, suppliers and others to initiate civil proceedings alleging fraudulent and abusive practices through "whistleblower" actions. Health care providers, pharmaceutical companies, ambulance companies and providers of durable medical equipment have paid billions of dollars in restitution, penalties and fines as a result of governmental and private enforcement efforts, and many providers have entered into corporate integrity agreements with federal and state enforcement authorities.

Wiggin and Dana's Health Care Compliance Practice Group brings together the firm's substantive knowledge in health care law and reimbursement with our extensive experience in internal and government investigations. Wiggin and Dana has one of the largest health care practices in the region, with breadth and range of experience at both the federal and state levels. In addition, our White Collar, Internal Investigations and Government Investigations Practice Group includes seasoned former federal prosecutors with the essential skills and insights to protect and advance clients' interests during government investigations. Our experienced and well-respected team has worked together on many occasions to handle a wide variety of complex health care compliance matters, crafting effective strategies for responding to investigations and working with government attorneys and regulators to bring investigations and cases to successful conclusions. We have the track record to prove it. We also work closely with clients to develop and monitor compliance programs that help our clients avoid government scrutiny and whistleblower actions in the first instance.

We work with a variety of health care providers in connection with compliance initiatives and governmental and internal investigations. Wiggin and Dana's lawyers represent health care providers, pharmaceutical companies and durable medical equipment providers during investigations and enforcement activities on the federal level before the Department of Justice, U.S. Attorney's Offices around the country, the Department of Health and Human Services' Office of Inspector General and various federal agencies and contractors. We also represent providers in state enforcement actions, and we have a particularly strong history of representing providers before the Connecticut Attorney General's Office, Chief State's Attorney's Office and various other state agencies.

Current engagements include representing hospitals, nursing homes, home-care, hospice and physical-therapy providers, ambulance companies, physician groups, pharmaceutical companies and durable medical equipment providers. Here are some of the ways we help our clients succeed:

Advise clients on the development, operation and ongoing monitoring of corporate compliance programs—consulting on structure, policy content, procedures, codes of conduct, and other materials

Conduct reviews and audits of compliance program effectiveness

Serve as counsel to compliance officers, compliance committees and board audit and compliance committees

Assist in due diligence on compliance-related matters for corporate transactions

Advise clients on healthcare regulatory and reimbursement questions

Counsel clients on Stark law and Anti-Kickback statute

Represent pharmaceutical clients in government investigation of off-label marketing

Provide counsel on Foreign Corrupt Practices Act matters

Represent clients in Medicare and Medicaid audits, including Recovery Audit Contractor (RAC) audits

Represent clients when they detect potential compliance issues: retention of internal and/or external auditors and consultants, conducting and managing the investigation, and assessment of options, including whether and how matter should be self-reported to government

Represent clients in their participation in the government's self-disclosure protocol

Represent clients (both corporate clients and individuals) in state and federal civil and criminal audits and investigations

Consult with clients on issues relating to the privacy and security of health information, including compliance with HIPAA privacy and security regulations, and representation in internal investigations and in federal and state government investigations relating to HIPAA and other privacy law violations


HEALTH INFORMATION TECHNOLOGY PRACTICE GROUP

GROUP CONTACT

MICHELLE WILCOX DEBARGE 860.297.3702 [email protected]

From data security to government compliance to quick response in the IT marketplace, Wiggin and Dana's Health Information Technology Group blends our extensive health care regulatory experience with a sophisticated IT practice. That enables us to provide sound, practical counsel on health care related information technology legal issues—real-world solutions sensitive to your operational needs, goals and priorities, as well as to state and federal regulatory requirements.

We serve a diverse group of health care IT clients. Our clients include health care providers, systems and networks; provider associations; health plans; e-commerce businesses; software developers; data clearinghouses and networks; web designers; IT vendors; suppliers; consultants; and application service providers.

With extensive experience in the technical, regulatory, business, and practical considerations shaping IT in the health care world, we not only help clients manage the business risks and legal issues associated with health care related IT systems, we also help our clients find creative and efficient ways to make the most out of IT opportunities.

Our Health Information Technology team can help you:

Manage the legal risks associated with health care-related IT systems and services including the electronic exchange of health information and data, e-commerce and intranet and Internet activities; the creation, storage, transmission, disclosure, ownership, use, confidentiality, and security of health information and data, integrating numerous legal, regulatory and practical considerations

Develop policies, procedures, notices, contracts and other documentation required under HIPAA, HITECH, and other federal and state laws regarding security, privacy and other government requirements for health information management

Comply with Federal Trade Commission (FTC) and Food and Drug Administration (FDA) requirements

Establish intellectual property protections in new media

Assist clients in developing long-term strategies for using the Internet and other IT initiatives to their advantage


Aid our clients in finding creative and efficient ways to make the most of new IT opportunities while managing the associated legal issues, applying our comprehensive knowledge of the health care and technology sectors

Advise clients concerning electronic health and medical records; health claims information and health information exchange; the collection and electronic transmission of confidential patient information; the delivery of Internet-based health services; and other health care e-commerce

Negotiate complex outsourcing arrangements for administrative and IT functions

Assist in the creation and operation of electronic databases and repositories

Help structure Internet-based services and assist with e-commerce ventures and other entrees into the digital world

Advise clients on the digitization of medical imaging and the development of telemedicine

Draft, review and negotiate software development and licensing contracts

Audit processes, contractual arrangements, services and products for compliance with federal and state requirements

Provide ongoing advice concerning health information technology issues by keeping abreast of legislative and regulatory changes and industry developments

Prepare written testimony and work on strategic efforts relating to legislative and regulatory issues, proposals and changes affecting our clients

Provide in-service and other educational information and programs for our clients' staff, consultants, vendors and customers


HIPAA PRACTICE GROUP

GROUP CONTACT

MICHELLE WILCOX [email protected]


Wiggin and Dana's knowledgeable HIPAA (Health Insurance Portability and Accountability Act) team helps clients nationwide develop and implement practical, tailored strategies to stay compliant with the far-reaching and complex requirements of HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). Our HIPAA team also helps clients address other privacy and security requirements that may apply to them.

For decades we have worked with noted health care providers, payers and clearinghouses – and vendors that provide IT (information technology), consulting and other services to these entities – employing our deep understanding of privacy, security and data exchange issues. We have also counseled local health information exchanges and RHIOs (regional health information organizations) on the complex array of regulatory and contracting matters applicable to those arrangements.

Renowned academic medical centers, hospitals, health care systems and networks, provider associations, large employers with self-insured health plans, and others rely on our know-how in both information technology (IT) law and HIPAA/HITECH.

Develop policies and procedures for compliance with the HIPAA Privacy and Security Rule, HITECH, and other applicable privacy and security laws

Review and update existing policies and procedures to ensure ongoing compliance with HIPAA and HITECH, and other applicable privacy and security laws

Assist covered entities and business associates with reviewing and negotiating agreements and resolving legal issues and questions arising in business associate-covered entity relationships

Perform audits to determine an organization's compliance with privacy and security requirements and develop and implement remediation plans to address areas of non-compliance

Assist with the development of auditing tools and ongoing monitoring and compliance programs and provide overall coordination of internal auditing and monitoring efforts


Consult on interpretative questions arising in day-to-day operations or from compliance audits

Develop training materials and programs to educate your organization's workforce about legal requirements related to information privacy and security

Draft and/or negotiate contracts between covered entities and security consultants and computer, telecommunications, security system, encryption and other infrastructure vendors

Provide counsel on the implications of operational and system changes and changes in legal requirements that may affect your organization's compliance with privacy and security requirements

Assist with investigating and mitigating privacy and security breaches

Advise on breach notification obligations and provide guidance on reports to, and interactions with, affected individuals, the Health and Human Services Office for Civil Rights (OCR), state attorneys general and the media

Provide counsel on government investigations and responding to complaints filed with OCR, state agencies, the office of the state attorney general, and others

Interpret and incorporate applicable state data privacy and security laws relevant to your organization's information security, policies and procedures and use of information technology systems


INSURANCE PRACTICE GROUP

GROUP CONTACTS

TIMOTHY A. [email protected]

JOSEPH G. [email protected]

MICHAEL P. [email protected]

The Wiggin and Dana Insurance Practice Group provides international, national and regional insurers, reinsurers, brokers, other professionals and industry trade groups with effective and efficient representation. Our Group members regularly advise clients in connection with coverage issues, defense and monitoring of complex claims, policy wordings, internal business practices, and state and federal investigations. We also defend clients faced with individual lawsuits and class actions – both at trial and on appeal – and represent clients in insurance and reinsurance arbitrations. We have broad experience in many substantive areas, including property, commercial general liability, inland marine including fine art and specie, and ocean marine, reinsurance, professional liability, environmental, and aviation.

We bring our substantial knowledge and experience to bear in providing our clients sound and efficient counsel. Group members frequently publish and lecture to industry trade groups, conduct workshops for underwriters and claims professionals, and instruct in law schools on insurance law and issues. Group members also serve as arbitrators in insurance and reinsurance matters. We are proud to serve as counsel to both the American Institute of Marine Underwriters and the Inland Marine Underwriters Association.

The Group is led by partners Joe Grasso, Timothy Diemand and Michael Thompson. In addition to his experience in private practice, Joe worked in the General Counsel's office of a premier Lloyd's of London syndicate. Joe has been nationally recognized as a leading insurance lawyer in several publications, including Best's Directory of Recommended Insurance Attorneys, Who's Who Legal, and The Legal 500. Tim has extensive experience representing clients both domestically and abroad in high profile and cutting edge litigation and has worked overseas in both London and the Middle East. Michael has represented numerous insurers and reinsurers in coverage, claims and regulatory matters across several business lines. He has appeared before courts and arbitration panels throughout the United States and in front of various tribunals in Bermuda and the United Kingdom, where he practiced for several years.

To ensure comprehensive representation of our insurance industry clients, we work closely with other Wiggin and Dana practice groups where appropriate to bring together the right team of professionals.


Representative Insurance Matters

While we have a broad range of experience across many lines of insurance and reinsurance, following is a summary of the firm's capabilities in certain lines of business.

Appellate

Submitted amici briefs to the United States Supreme Court, Connecticut Supreme Court and New York State Court of Appeals on behalf of major insurance industry trade associations on various issues including reinsurance insolvency, bad faith, punitive damages, unfair trade practices, and antitrust issues.

Represented insurer on appeals to the Ninth Circuit on federal/state jurisdictional issues.

Represented insurer in federal and state appeals on challenges to statutory limitations on insurer operations and constitutional issues.

Represented insurer on appeal to the Connecticut Supreme Court on reinsurance coverage issues arising out of asbestos claims.

Aviation

Defended a helicopter manufacturer in a wrongful death action brought by a secret service agent arising out of the crash of the President's helicopter in the Caribbean. Defense verdict after an 8 week trial, and verdict upheld by the Second Circuit.

Defended an engine manufacturer in a wrongful death action involving the crash of an F-16 in Egypt. Settled on the eve of trial for a nominal amount.

Defended a manufacturer of jet fuel tanks in a wrongful death action arising out of the crash of a helicopter in Germany. Settled for a nominal amount after arguing (but before the court ruled on) a motion for summary judgment (government contract defense). The case was thereafter tried and lost by the helicopter manufacturer for 24 million dollars.

Defended a manufacturer of private aircraft in a number of separate wrongful death actions over the years, all of which were settled on favorable terms.

Defended a French helicopter manufacturer in a wrongful death action.

Succeeded in having a number of wrongful death actions arising out of aviation accidents transferred to the foreign jurisdictions where the accidents occurred. Without exception, the cases thereafter were settled for much less than plaintiffs had demanded when the actions were pending in the United States. In one of these cases, an appeal was taken that resulted in the leading Connecticut Supreme Court decision on this subject.

Represented owner and insurer of a private jet in obtaining favorable settlement of claims (near 100%) for damage to the jet and diminution in market value resulting from a collision at a regional airport. The aircraft had been damaged while being towed from the hangar. Recovered from the airport the entire amount for physical damage to the aircraft and 90% of the claimed diminution in market value.

Represented reinsurers of the owner and operator of a corporate jet that crashed on take-off from a regional airport, resulting in fatalities of all passengers and crew on board. Consulted with direct insurers and their counsel on defense of claims by estates of passengers, litigation over the parties' respective rights and obligations under an aircraft interchange agreement, and a subrogated claim for loss of the aircraft against municipal airport parties.


Worked on defense of manufacturer of a coupling adapter for a helicopter engine that allegedly failed during flight, resulting in the crash of the aircraft and fatalities of all on board. Co-defendants included the helicopter manufacturer, engine manufacturer and original designer of the coupling adapter. Work included assessment of the GARA defense.

Represented Swiss aircraft component manufacturer and its insurers in claims for wrongful death arising from the crash of a private aircraft. Obtained dismissal for client after filing a motion for summary judgment.

Worked on defense of owner of a jet service in claims of aiding and abetting kidnapping by a charterer.

Bad Faith and Extra Contractual Damages

Represented insurers in a broad range of bad faith, alleged wrongful denial of coverage and punitive damages claims.

Defended insurer accused of fraud in its acquisition of insurance assets out of liquidation.

Brokers/Agents

Represented broker in complex Connecticut state court case related to pharmaceutical product liability coverage.

Represented broker in dispute regarding handling of marine cargo insurance claims.

Represented broker in federal court actions related to pooling arrangements by life and health insurers for workers compensation.

Represented London reinsurance broker in Connecticut state court action seeking several million dollars in unpaid commissions from its U.S.-based client.

Claims Handling

Conducted investigation of insurer's internal claims-handling procedures.

Developed manuals/procedures for insurer's claims handling.

Managed experts on claims-handling issues and acted as expert witness.

Authored articles on claims handling.

Generally advised insurers on claims-handlingprocedures.

Class Action Defense

Represented property/casualty insurer in federal court securities class actions related to alleged non-disclosure of contingent compensation arrangements.

Represented personal lines insured in federal, state and national proposed class actions by health service providers seeking additional fees.

Obtained denial of class certification in action by provider of medical equipment in New York State court; obtained dismissal for group of insurers at trial court and on appeal.

Represented insurer in federal court antitrust and RICO actions.

D&O, E&O and Professional Liability

Represented insurer in state and federal court actions in professional liability coverage for worldwide construction program.

Advised on current D&O issues relating to private equity and hedge fund acquisitions.

Advised and represented insurers in broad range of disputes involving questions of coverage for E&O claims.

Defended attorneys, architects and health care professionals and their insurers in high exposure E&O claims.

Represented insurer in resolving disputes as to coverage among insured, surety and professional liability insurer with respect to design and planning of Metro-North communications system.

Represent a number of major financial institutions in a broad range of litigation and investigatory matters.

Defense of a class action brought against international insurer for alleged violations of ERISA in connection with investments in the company's stock, which was negatively impacted by the financial crisis in the financial services and insurance industries.

Defended financial services company and its officers and directors in securities class actions and derivative cases related to stock price drops in the wake of government investigations into broker contingent commissions.

Represented life insurance company and its officers and directors in consumer class action related to structured settlements.

Represented broker in action related to broker's placement of transit and marine insurance for chemical company and broker's claims handling of rail car chemical shipment accidents.

Represented international specialty insurance company in bench trial in action concerning reinsurance brokerage, broker misfeasance, adequacy of reinsurance treaties procured and breach of fiduciary duties.

Obtained summary judgment for a D&O excess carrier in a high-profile dispute involving excess coverage for the former directors and officers of a major financial institution.

Successfully defended claims in Bermuda Form arbitration against D&O excess carrier by its insured seeking over $18 million in expenses and attorneys fees related to losses incurred in multiple securities class actions arising from the insured's alleged manipulation of the California energy market.

Successfully led the defense of a major aviation insurance consortium against U.S. antitrust claims alleging boycott in the denial of coverage and failure to renew launch and orbit satellite policies.

Environmental

Represented and advised environmental liability insurers in disputes in state and federal courts, including declaratory judgment actions and disputes with insureds and other carriers regarding coverage and defense of environmental matters.

Defended large industrial companies in class actions alleging environmental pollution.

Defended members of prominent P&I club in environmental class actions stemming from oil spills.

Investigations

Conducted internal investigation of national insurer's regional office claims handling procedures and policies, and state regulatory review.

Represented insurers in multi-state Attorneys General investigations and civil proceedings on contingent commissions and related issues.

Represented insurers in numerous state reinsurance and antitrust investigations.

Marine

Represented insurers of automated underwater vehicle in salvage dispute concerning extent of damage caused by collision.

Represented hull and machinery and increased value underwriters of general cargo vessel which caught fire resulting in a constructive total loss. Filed declaratory judgment action against insured owner and mortgagee, and obtained favorable settlement following two-week bench trial and post-trial submissions.

Represented owners and insurers of custom-built racing yacht in claims against shipyard, classification society and others for defects in design and construction.

Represented owners and insurers of yachts in various claims involving hull and machinery damage, salvage, personal injuries sustained by crew members, passengers and third parties.

Represented reinsurers of a shipyard in dispute concerning claim for defects in construction of vessels, relating to proportion of risk ceded under reinsurance contract.

Represented various hull and machinery, war risk, and kidnap and ransom underwriters in connection with seizures of various vessels by pirates off the coast of Somalia.

Represented insurers of an integrated tug-barge unit in connection with claim for CTL due to damage to barge only.

Represented cargo underwriters and cargo contingent liability underwriters in numerous cargo damage claims.

Represented owners and insurers of container vessels in claims against shipyard for defective repairs.

Represented insurers of cargo vessels in claims against shippers for damage to vessel and cargo caused by improper stowage.

Represented charterers' legal liability underwriters in litigation against shippers of project cargo which broke loose during ocean voyage causing damage to vessels and other cargo.

Successfully defended London market reinsurers in Florida proceeding concerning scope and applicability of offset provision in marine excess of loss treaty with solvent European subsidiary of U.S. cedent in liquidation.

Represented London reinsurers regarding the proper application of quota share and facultative reinsurances to extra-contractual losses arising out of the settlement of a multi-million verdict concerning the death of two teenagers who were killed when the underlying insured's boat collided with their jet ski.

Successfully represented London market insurance syndicates seeking to recover damages in excess of $40 million, following the alleged fraud by their insured, a broker of marine cargo based in New York.

Reinsurance

Represented property/casualty insurer (as a member of a reinsurance pool) in a New York state court reinsurance dispute related to $1 billion asbestos settlement.

Represented party to a reinsurance arbitration related to flooding at an industrial facility.

Represented cedant in recovery of claims against reinsurers in Europe and South America in global reinsurance program.

Defended reinsurer against suit brought by ceding insurance company on basis of cedant's faulty underwriting practices.

Represented reinsurer in United States and United Kingdom litigation with reinsurance broker over payment of fees, claims of bad faith and breach of fiduciary duty.

Represented reinsurers in finite reinsurance state and federal inquiries.

Prevailed on two summary judgments in federal court on behalf of reinsurer concerning the scope of a pollution exclusion in a facultative reinsurance contract and underlying allocation under the follow the fortunes doctrine.

Successfully represented reinsurer in an arbitration concerning its denial of a multi-million dollar medical malpractice loss ceded to it in a matter involving late notice and bad faith claims handling.

Represented London reinsurers regarding the proper application of quota share and facultative reinsurances to extra-contractual losses arising out of the settlement of a multi-million verdict concerning the death of two teenagers who were killed when the underlying insured's boat collided with their jet ski.

Advised London reinsurers on whether damages to insured's oil refinery facilities in Nigeria during run-up to national elections were ceded properly as "one event", and whether Political Risk, Terrorism and Financial Guarantee and Credit Exclusions barred coverage.

After three-week long hearing, won multi-million dollar award for cedent in a highly contested reinsurance dispute concerning the denial of a boiler machinery claim.

Prevailed on summary judgment in defense of claims against reinsurer by its cedent seeking losses beyond the terms of multiple workers' compensation excess of loss treaties.

Successfully defended London market reinsurers in Florida proceeding concerning scope and applicability of offset provision in marine excess of loss treaty with solvent European subsidiary of U.S. cedent in liquidation.

Represented major life insurance carrier in a dispute with its reinsurer regarding indemnification for losses incurred as a result of its agent's fraudulent conduct in application and renewal process.

Advised London market reinsurers regarding dispute pending simultaneously in the United Kingdom and Puerto Rico, stemming from damages to a racetrack in Puerto Rico caused by Hurricane Georges.

Successfully arbitrated rescission claim on behalf of Bermudian life reinsurer due to cedent's failure to disclose material facts during treaty negotiations.

Defended London reinsurers in dispute with cedent regarding whether reinsurer was entitled to substantial management fee rebate as a condition precedent to the restructuring and continued reinsurance of specialized workers' compensation program.

Successfully prosecuted multiple claims on behalf of cedent seeking indemnification from various reinsurers related to multi-million dollar settlement of insured's asbestos exposure.

Fine Art, Specie

Represented a university in a dispute with a Latin American government over archeological artifacts.

Advised insurers in connection with a university's claims for coverage for damage to "fine arts".

Represented a collector in disputes with dealers over provenance of artwork and furniture.

Represented a Manhattan gallery owner in a dispute with an investor over joint ventures in various works of art.

Counseled art owner in analysis of claim by foreign citizen to previously nationalized European art.

Represented art dealers in a dispute with the estate of a major artist over ownership and possession of commissioned art works.

Represented a major private art collector in a dispute with a gallery over commissioned art works.

Liability

Represented underwriters of construction wrap liability policy in litigation/mediation of personal injury claim in New York resulting from construction accident.

Represented liability insurers of municipal agency in monitoring claim for brain injury to construction worker, and coordinated successful mediation.

Represented excess liability insurers of U.S. oil major in connection with multiple death claims due to fire.

Represented liability insurers of fuel supplier in connection with claims by vessel owner for total loss of vessel following explosion and fire.

Represented liability underwriters (construction wrap policy) of racing commission in connection with serious personal injury claim by employee of contractor.

Represented liability insurers of European petrochemical company in connection with coverage dispute following explosion at refining facility.

Connecticut | New York | Philadelphia | Washington, DC | Palm Beach · www.wiggin.com · ©2017 Wiggin and Dana LLP

OUTSOURCING AND TECHNOLOGY PRACTICE GROUP

Wiggin and Dana's Outsourcing and Technology Practice Group serves leading suppliers of IT, business process and other outsourced services worldwide. Few outside firms can match our depth of experience or knowledge of market standards – knowledge that helps clients succeed. Our business-savvy technology lawyers understand that legal advice is just one aspect of helping clients to achieve their financial, operational and strategic goals.

We serve clients in the United States, Europe, Asia and Latin America, in a wide variety of markets, including:

• Financial services
• Health care
• Transportation
• Telecommunications
• Business and technology consulting
• Insurance
• Pharmaceuticals
• Biotechnology and bioinformatics

In collaboration with the Privacy and Information Security Group and our clients' security professionals, we help clients comply with privacy and data security laws, manage and mitigate security risks and, if necessary, respond to incidents in order to minimize potential exposure, protect valuable data, preserve business relationships and protect reputations and goodwill.

Suppliers and Developers

Our principal clients include global outsourcing companies and emerging and mid-cap technology companies, for whom we negotiate and document the full range of offshore and near-shore transactions, from pursuit through post-contract support and renewal or re-negotiation. We understand that effective counsel involves more than advice and drafting, and must complement sales teams' efforts to build enduring, successful relationships with their customers. Our experience includes:

Business Process Outsourcing - finance and accounting, source-to-pay and procurement, call center, collections, mortgage processing, human resources and other business functions.

Group Contact

Mark W. Heaphy, 203.498.4356, [email protected]

Information Technology Outsourcing - including data center services, cloud solutions, infrastructure management, workplace computing, network management and help desks.

Application Development and Maintenance - including software development, technical support, maintenance, production support and other ongoing IT support services.

Knowledge Process Outsourcing - including research and development, data analytics, business and technical analysis, business and market research, biotechnology informatics, medical services and training and learning solutions.

Business Process Re-Engineering - including strategic assessments, Six Sigma, Lean Sigma and other business process improvement projects.

We deliver real-world advice across the full spectrum of supplier and developer activities, providing suppliers and developers of technology and technology-enabled products and services with comprehensive legal counsel tailored to their business needs and objectives. Our work for emerging and mid-cap companies encompasses comprehensive, scalable and efficient legal representation and counseling tailored to the needs of early-stage and mid-tier technology companies, including:

Deal Support - negotiating the full range of license, services, joint marketing, co-development and strategic alliance transactions.

Best Practices - creating business development and RFP response best practices linked to compliance programs.

Process Integration - integrating contracts forms and processes with revenue recognition policies and financial reporting requirements.

Business Development - structuring agreements and processes for domestic or worldwide direct and channel strategies.

IP Management and Protection - establishing intellectual property protection programs with customers, employees, contractors and partners.

Risk Management - reviewing risk management policies.

Solution Development - supporting client teams in the development of contract documents and terms for "as a service" and other service offerings.

Offshore Strategy - analyzing and implementing off-shore and near-shore business strategies.

Dispute Resolution and Workouts - resolving contractual and business disputes arising from technology-related business relationships.

Customers and Users

From long-term strategic implementations to day-to-day operational requirements, we provide customer-side clients with reliable, flexible and scalable legal services. Whether handling a specific single transaction or managing their entire portfolio of technology procurement and strategic sourcing, we adapt our involvement and billing arrangements to meet our clients' needs. We do our best work by forging long-term client relationships, building trust and rapport with their legal, business and technical teams and developing an in-depth understanding of their regulatory and compliance sensitivities. Our customer-side work includes:

Enterprise Transactions - negotiating and implementing large and mid-sized enterprise platform solutions from RFP through post-implementation.

Sourcing and Procurement - assisting with all aspects of the end-to-end sourcing process, including supplier selection, contract negotiations and relationship management.

Monetizing Technologies - assisting with post-implementation commercialization of technologies and supplier relationships.

M&A, Divestiture and Investment - analyzing intellectual property rights and related issues arising from corporate mergers, acquisitions and investments.

E-Business Ventures and Operations - helping create and execute go-to-market Internet and other electronic business strategies.

IT Governance and Regulatory Compliance - advising on compliance with legal and regulatory requirements related to privacy, data security, intellectual property, consumer protection and export controls.
