Upload
shawn-tuma
View
9
Download
2
Embed Size (px)
Citation preview
Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 [email protected] @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and around the world. Board of Advisors, North Texas Cyber Forensics Lab Board of Directors & General Counsel, Cyber Future Foundation Cybersecurity Law Trailblazer, National Law Journal Texas SuperLawyers 2015-17 (IP Litigation) Best Lawyers in Dallas 2014-17, D Magazine (Digital Information Law) Council, Computer & Technology Section, State Bar of Texas College of the State Bar of Texas Privacy and Data Security Committee, Litigation, Intellectual
Property Law, and Business Sections of the State Bar of Texas Information Security Committee of the Section on Science &
Technology Committee of the American Bar Association North Texas Crime Commission, Cybercrime Committee Infragard (FBI) International Association of Privacy Professionals (IAPP) Information Systems Security Association (ISSA) Board of Advisors, Optiv Security Editor, Business Cybersecurity Business Law Blog
www.shawnetuma.com
www.solidcounsel.com
“Security and IT protect companies’ data; Legal protects companies from their data.” -Shawn E. Tuma
Immediate Priorities
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought & behavior
www.solidcounsel.com
Who are targets? Key Point: We are all targets Your clients’ businesses Your law firms Big firms (give examples) James Shelton Example Rural Texas solo practitioner Employee left, didn’t change password or disable acct Hackers accessed, spoofed email, sent “pleadings” all over,
including other countries
www.solidcounsel.com
Privilege / Work Product KEY POINT: Attorney’s may have privilege “Target has demonstrated . . . that the work of the Data Breach Task Force was focused not on remediation of the breach . . . but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”
In re Target Corp. Customer Data Breach Litigation
www.solidcounsel.com
ACC Study (Sept ‘15)
What concerns keep Chief Legal Officers awake at night? #2 = Data Breaches
82% consider as somewhat, very, or extremely important
www.solidcounsel.com
Cost of a Data Breach – US
2013 Cost • $188.00 per record • $5.4 million = total average cost paid by organizations
2014 Cost • $201 per record • $5.9 million = total average cost paid by organizations
2015 Cost • $217 per record • $6.5 million = total average cost paid by organizations
(Ponemon Institute Cost of Data Breach Studies)
www.solidcounsel.com
Legal Obligations International Laws
Safe Harbor Privacy Shield
Federal Laws & Regs HIPAA, GLBA, FERPA FTC, FCC, SEC
State Laws 47 states (Ala, NM, SD) Fla (w/in 30 days) OH & VT (45 days)
Industry Groups PCI, FINRA, etc.
Contracts Vendors & Suppliers
Business Partners
Data Security Addendum
www.solidcounsel.com
Ancient Cybersecurity Wisdom Water shapes its course
according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.”
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
www.solidcounsel.com
Consumer Litigation
Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015)
Whalen v. Michael Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016)
In re Anthem Data Breach Litigation, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)
www.solidcounsel.com
Regulatory & Administrative - FTC KEY POINT: You must have basic IT security F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act.
Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
3 breaches / 619,000 records / $10.6 million in fraud
Rudimentary practices v. 2007 guidebook
Website Privacy Policy misrepresentations
Jurisdiction v. set standard?
www.solidcounsel.com
The Basics
“Some people try to find things in this game that don’t exist but football is only two things – blocking and tackling.” -Lombardi
www.solidcounsel.com
The Basics Best Practices Documented Basic IT Security Basic Physical Security Security Focused P&P Company Workforce Network Website / Privacy / TOS Business Associates Social Engineering
Implementation Training
www.solidcounsel.com
Regulatory & Administrative – FTC KEY POINT: You must evaluate business partners’ security In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). FTC’s Order requires business to follow 3 steps when contracting with third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections.
3. Verify that the data service providers are complying with obligations (contracts).
www.solidcounsel.com
Addendum to Business Contracts KEY POINT: Know your contractual obligations Common names for the Addendum: Data Security & Privacy; Data Privacy; Cybersecurity; Privacy;
Information Security.
Common features Defines subject “Data” being protected in categories. Describes acceptable and prohibited uses for Data. Describes standards for protecting Data. Describes requirements for deleting Data. Describes obligations if a breach of Data. Allocates responsibility if a breach of Data. Requires binding third parties to similar provisions.
www.solidcounsel.com
Regulatory & Administrative – SEC KEY POINT: You must have written (1) Policies &
Procedures and (2) Incident Response Plan
S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
“Firms must adopt written policies to protect their clients’ private information”
“they need to anticipate potential cybersecurity events and
have clear procedures in place rather than waiting to react once a breach occurs.” violated this “safeguards rule 100,000 records (no reports of harm) $75,000 penalty
www.solidcounsel.com
Responding: Execute Response Plan
This is only a checklist – not a Response Plan
How Fast? • 45 days (most states) • 30 days (some states) • 3 days (fed contracts) • 2 days (bus expectation) • Immediately (contracts)
www.solidcounsel.com
Officer & Director Liability KEY POINT: “boards that choose to ignore, or minimize,
the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014. Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
Derivative claims premised on the harm to the company from data breach. Caremark Claims:
Premised on lack of oversight = breach of the duty of loyalty and good faith
Cannot insulate the officers and directors = PERSONAL LIABILITY!
Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.
www.solidcounsel.com
Officer & Director Liability Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20,
2014). Derivative action for failing to ensure Wyndham implemented
adequate security policies and procedures.
Order Dismissing: The board satisfied the business judgement rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.
Well-documented history of diligence showed Board
Discussed cybersecurity risks, company security policies and proposed enhancements in 14 quarterly meetings; and
Implemented some of those cybersecurity measures.
www.solidcounsel.com
Cyber Insurance – Key Questions Even know if you have it?
What period does the policy cover?
Are Officers & Directors Covered?
Cover 3rd Party Caused Events?
Social Engineering coverage?
Cover insiders intentional acts (vs. negligent)
Contractual liability?
What is the triggering event?
What types of data are covered?
What kind of incidents are covered?
Acts of war?
Required carrier list for attorneys & experts?
Other similar risks?
Virtually all companies will be breached. Will they be liable?
It’s not the breach; it’s their diligence and response that matter most.
Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.
Cyber Risk Assessment
Strategic Planning
Deploy Defense Assets
Develop, Implement & Train on
P&P
Tabletop Testing
Reassess & Refine
Cybersecurity Risk Management Program
3 Must-Haves for Every Organization
1. Basic IT Security
2. Written Policies & Procedures
3. Written Incident Response Plan
***Document3***