F. Marshall [email protected] @NCCyberLawyer
“[I] am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III, Former FBI Director
NC Identity Theft Protection Act
What is a "security breach"?
What is a security breach?
• Unauthorized access to AND acquisition of
• Unredacted AND unencrypted records or data
• Containing personal information
• Where illegal use of this data has occurred OR is reasonably likely to occur
• Creating a reasonable risk of material harm to a consumer
NOT a Breach
• If only encrypted data is taken and the encryption key is not with the data, it is not a data breach
• If the data was accessed but not “acquired”, it is not a data breach
• If there is no risk of material harm to a customer, it is not a data breach
NC Identity Theft Protection Act
What is the legal standard for my company’s protection of personal information?
NC Identity Theft Protection Act
• The Act requires that “reasonable care” be used to protect data
• No further definition is given
• No published cases have evaluated what is reasonable under North Carolina law
What is “personal information”?
A person's first name or first initial and last name in combination with other information such as:
What is “personal information”?
• Social Security number
• Driver's license number
• Passport number
• Checking or savings account number
• Credit or debit card number
• PIN code
• Biometric data
• Passwords
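The two slides above give a definition a company can actually apply to its own data stores: a record is “personal information” when a name is combined with one of the listed elements, and (from the breach definition earlier) the element only matters for a breach if it is stored unredacted and unencrypted. The following is an added example, not part of the presentation, that applies that definition to a set of constructed records as a small data-inventory check. The field names, the `enc:` prefix marking an encrypted value whose key is held elsewhere, and the `XXX-XX-1234` redaction format are assumptions of this example.

```python
import re

# Identifying elements listed on the slide. Combined with a name they make a
# record "personal information" under the Act's definition.
IDENTIFYING_FIELDS = {
    "ssn", "drivers_license", "passport", "bank_account",
    "card_number", "pin", "biometric", "password",
}

# Assumed convention (not from the slides): ciphertext is stored with an
# "enc:" prefix and its key lives in a separate system; a redacted value
# keeps only its last four digits, e.g. "XXX-XX-1234".
ENCRYPTED_PREFIX = "enc:"
REDACTED_PATTERN = re.compile(r"[X*-]+\d{4}")


def has_name(record):
    """First name or first initial, in combination with last name."""
    last = record.get("last_name")
    first = record.get("first_name") or record.get("first_initial")
    return bool(first and last)


def is_personal_information(record):
    """Name plus at least one identifying element, per the Act's definition."""
    return has_name(record) and any(record.get(f) for f in IDENTIFYING_FIELDS)


def exposed_elements(record):
    """Identifying elements stored in plain, unredacted, unencrypted form.

    These are the fields that would make the record count in a breach; an
    encrypted or redacted element is still personal information, but its
    loss alone does not meet the breach definition on the earlier slide."""
    exposed = []
    for field in sorted(IDENTIFYING_FIELDS):
        value = record.get(field)
        if value is None or value == "":
            continue
        value = str(value)
        if value.startswith(ENCRYPTED_PREFIX):
            continue
        if REDACTED_PATTERN.fullmatch(value):
            continue
        exposed.append(field)
    return exposed


def classify(record):
    """Summarise one record for the data inventory."""
    return {
        "personal_information": is_personal_information(record),
        "exposed": exposed_elements(record) if has_name(record) else [],
    }


def inventory(records):
    """Count records that meet the definition, and those whose identifying
    elements are still held unredacted and unencrypted."""
    personal = exposed = 0
    for record in records:
        summary = classify(record)
        if summary["personal_information"]:
            personal += 1
            if summary["exposed"]:
                exposed += 1
    return {"records": len(records), "personal_information": personal, "exposed": exposed}


# Constructed sample records for illustration.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Lovelace", "ssn": "123-45-6789"},          # plaintext SSN
    {"first_initial": "C", "last_name": "Babbage", "card_number": "enc:3f9a1c"},   # encrypted element
    {"first_name": "Grace", "last_name": "Hopper", "drivers_license": "XXXXX4321"},  # redacted element
    {"first_name": "Alan", "last_name": "Turing", "email": "alan@example.com"},     # name only
    {"ssn": "987-65-4321"},                                                         # element, no name
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record, "->", classify(record))
    print(inventory(SAMPLE_RECORDS))
```

Of the five constructed records, three meet the definition (the name-only and the name-less records do not), but only the record holding a plaintext SSN has an exposed element; the encrypted and redacted ones would not satisfy the “unredacted AND unencrypted” condition of the breach definition if they were the only records taken. Running the check over real stores is one way to answer the later slide’s question of what data you collect and why you keep it.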
How quickly must notice be given?
• There is no specific deadline for notice
• Notice must be “made without unreasonable delay, consistent with the legitimate needs of law enforcement.”
Who Gets Notice?
• Everyone whose personal information was contained in the records
• The Consumer Protection Division of the Attorney General’s staff
• If more than 1,000 people are affected by the breach, notice must also be given to the three major credit bureaus
What if customers live in other States?
• Data protection statutes are specific to the States where your customers live
• All 50 States – Alabama became the last in March 2018 – the District of Columbia, and Puerto Rico have their own statutes
• Notice requirements, including the time to give notice, vary significantly
What if customers live in other States?
THE BOTTOM LINE – if your customers are in other States, you have to give notice based on their State’s law
Who can sue?
• North Carolina allows a private right of action, but only if the consumer can show injury
• A cause of action under the Act cannot be assigned
• A violation of the Act is an unfair or deceptive trade practice under N.C. Gen. Stat. § 75-1.1
Federal Trade Commission
• FTC has brought more than 50 enforcement actions
• Typically relies on Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices
FTC
• Focus on whether companies are living up to their stated privacy policies
– Ex) Wyndham Hotels case (Third Circuit 2015)
– https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf
FTC
• Also examines what data companies keep, how long they keep it, where they keep it, and whether they should keep it in the first place
FTC Enforcement Action Examples
• Pursued BJ’s Wholesale for keeping customer credit card data for as long as 30 days – long after their transaction had been processed
FTC Actions
• Brought an action against Twitter for failing to suspend a user’s access after a certain number of failed login attempts, and for allowing almost all of its employees “administrative” access to information in its system
FTC Actions
• Alleged that shoe retailer DSW failed to segment its network by allowing stores to connect with other stores and access data there
FTC Actions
• Brought an enforcement action against Snapchat because it promised that messages would “disappear forever” when in fact they did not
FTC Actions
• Pursued both CVS and Rite Aid for failing to properly dispose of prescription information
Securities and Exchange Commission
Washington D.C., Sept. 22, 2015 — The Securities and Exchange Commission today announced that a St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
SEC
• This is the first enforcement action from SEC
• Found that the firm failed to have policies and procedures, failed to have a firewall, failed to encrypt data, and failed to have a response plan
• $75,000 fine
• Censure
• Cease and desist order
SEC
• Enforces the Gramm-Leach-Bliley Act
– Title V governs when non-public consumer information may be disclosed
– Requires notice of privacy policies to customers
• Regulation S-P governs privacy of consumer financial information
• Oversees broker-dealers and advisers, among others
US Department of Health and Human Services
September 2, 2015
$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies
Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
US DHHS
• Enforces compliance with HIPAA and HITECH through the Office for Civil Rights
• HIPAA privacy rule applies to Protected Health Information (PHI)
Avoiding Data Breach Incidents
• Prevent
• Detect
• Respond
Avoiding Data Breach Incidents
• Assess your systems, policies, and procedures routinely
• Educate your employees – most cyber incidents are the result of human error
• Outside testing of your security
• Determine what data you collect, where and for how long you keep it, and why
Avoiding Data Breach Incidents
• Have an incident response plan and PRACTICE it
• Restrict access
• Encrypt data
• Back up data continually
• Update your software
Avoiding Data Breach Incidents
• Require strong passwords and frequent changes
• Segment your network
• Monitor network activity
• Remember – a data breach is not always a cyber incident!
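The “Detect” and “Monitor network activity” points above, together with the earlier FTC action against Twitter for not suspending access after repeated failed logins, come down to one concrete control: watch authentication logs and lock an account once failures pile up. The following is an added example, not part of the presentation, that replays constructed authentication log lines and reports when each account should have been locked. The log format, the five-failure threshold and the fifteen-minute window are assumptions of this example; the second function shows the caveat that a windowed lockout alone misses slow, spaced-out attempts, so a longer-term failure count is also reported.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures within the window before lockout (assumed)
WINDOW = timedelta(minutes=15)   # failures older than this no longer count (assumed)

# Constructed sample log, one attempt per line:
# "<ISO timestamp> <user> <ok|fail> <source ip>"
SAMPLE_LOG = """\
2018-03-01T09:00:01 alice fail 203.0.113.5
2018-03-01T09:00:09 alice fail 203.0.113.5
2018-03-01T09:00:15 alice fail 203.0.113.5
2018-03-01T09:00:22 alice fail 203.0.113.5
2018-03-01T09:00:30 alice fail 203.0.113.5
2018-03-01T09:00:41 alice fail 203.0.113.5
2018-03-01T09:01:00 bob fail 198.51.100.7
2018-03-01T09:01:05 bob ok 198.51.100.7
2018-03-01T09:30:00 carol fail 192.0.2.9
2018-03-01T09:50:00 carol fail 192.0.2.9
2018-03-01T10:10:00 carol fail 192.0.2.9
2018-03-01T10:30:00 carol fail 192.0.2.9
2018-03-01T10:50:00 carol fail 192.0.2.9
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result, source ip)."""
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip


def lockout_events(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log in order and return (timestamp, user) pairs at which an
    account should have been locked: max_failures failures inside a sliding
    window with no successful login in between (a success resets the count).
    Attempts against an already locked account are ignored."""
    recent = defaultdict(list)   # user -> timestamps of failures still in window
    locked = set()
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _ip = parse_line(line)
        if user in locked:
            continue
        if result == "ok":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window]
        recent[user].append(ts)
        if len(recent[user]) >= max_failures:
            locked.add(user)
            events.append((ts, user))
    return events


def persistent_failure_accounts(log_text, min_failures=MAX_FAILURES):
    """Accounts with min_failures or more failures since their last success,
    regardless of spacing. This is the monitoring complement to the lockout:
    attempts spread out to stay under the window still show up here."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, result, _ip = parse_line(line)
        if result == "ok":
            failures[user] = 0
        else:
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


if __name__ == "__main__":
    for ts, user in lockout_events(SAMPLE_LOG):
        print(f"{ts.isoformat()} lock {user}")
    print("persistent failures:", persistent_failure_accounts(SAMPLE_LOG))
```

In the constructed log, alice is locked at the fifth failure and her sixth attempt is not counted; bob’s single failure is cleared by his successful login; carol never trips the fifteen-minute window because her attempts are twenty minutes apart, yet she appears in the persistent-failure report alongside alice. A lockout threshold satisfies the specific control the FTC faulted, while the second report is the kind of monitoring that catches what the threshold alone does not.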
Cyber Liability Insurance
• Generally policies are designed to cover at least some of these risks:
– Hacking
– Denial of service attacks
– Web content liability
– Data breaches
– Damage to your network
What’s Covered?
• MORE LIKELY
– Third-party claims and costs
Example – personal data for customers is accidentally released
• LESS LIKELY
– First-party claims
Network damage to your systems from a hacker attack may be insurable
Reputational damage to your company probably cannot be insured
Loss of intellectual property is often not covered by these policies
– Business interruption coverage for “cyber-losses”
Often capped or limited
• EXCLUDED
– State-sponsored attacks by other governments, usually
Questions?