Post on 22-Feb-2017
www.solidcounsel.com
www.solidcounsel.com
• Board of Directors & General Counsel, Cyber Future Foundation • Board of Advisors, North Texas Cyber Forensics Lab • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016) • SuperLawyers Top 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer & Technology Section, State Bar of Texas • Privacy and Data Security Committee of the State Bar of Texas • College of the State Bar of Texas • Board of Directors, Collin County Bench Bar Foundation • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association • Information Security Committee of the Section on Science & Technology
Committee of the American Bar Association • North Texas Crime Commission, Cybercrime Committee • Infragard (FBI) • International Association of Privacy Professionals (IAPP) • Board of Advisors Office of CISO, Optiv Security • Editor, Business Cybersecurity Business Law Blog
Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com
Cybersecurity: A Legal Issue?
www.solidcounsel.com
“Security and IT protect companies’ data; Legal protects companies from their data.”
www.solidcounsel.com
Legal Schizophrenia • 1st Defense: Adequate Cybersecurity • 2nd Defense: Deterrence by Law
• Public Confusion • “Security Research”
• IoT / implanted medical devices?
www.solidcounsel.com
Data Breach v. Unauthorized Access Relationship between unauthorized access and breach notification laws? 2 sides of same coin. Unauthorized access: prohibits actor from harming
company’s network or data, company is victim. Breach notification: mandates actions by company after
having a breach, company transformed into wrongdoer.
Texas and Federal “Hacking” Laws
www.solidcounsel.com
Key Computer Unauthorized Access Laws Computer Fraud and Abuse Act (Federal) Breach of Computer Security (Texas) Harmful Access by Computer Act (Texas) Unauthorized access / “hacking” laws Focus on the device / network See Federal Computer Fraud and Abuse Act and Texas Computer
Crimes Statutes, http://www.slideshare.net/shawnetuma/federal-computer-fraud-and-abuse-act-and-texas-computer-crime-statutes
www.solidcounsel.com
Key Computer Unauthorized Access Laws Elements: Broadest CFAA Claim Intentionally access protected computer; Without authorization or exceeding authorized access; Obtained information from any protected computer; and Victim incurred a loss to one or more persons during any
1-year period of at least $5,000
www.solidcounsel.com
Key Computer Unauthorized Access Laws Texas Hacking Laws Breach of Computer Security (BCS)
Criminal law – Tex Penal Code § 33.02
Harmful Access by Computer Act (HACA) Civil action – Tex Civ Prac Rem § 143.001 Broader language More claimant friendly than CFAA Generally follows CFAA on access
Attorney’s fees recoverable Injunctive relief, maybe exemplary dmgs
www.solidcounsel.com
Key Computer Unauthorized Access Laws Key Elements knowingly and intentionally accesses a computer, computer network, or
computer system; without the effective consent of the owner, or In violation of clear and conspicuous prohibition or agreement Consent is not effective if: induced by deception or coercion; used for a purpose other than that for which the consent was given; (others excluded)
The Cybersecurity Risks
Cause for Concern • 62% of Cyber Attacks → SMBs • Odds: Security @100% v. Hacker @1 • ACC Study (9/15) = #2 Concern
Keeping CLO’s awake at night • Dyn & IoT?
www.solidcounsel.com
Legal Obligations International Laws Safe Harbor Privacy Shield
Federal Laws & Regs. HIPAA, GLBA, FERPA FTC, FCC, SEC
State Laws 47 states (AL, NM, SD)
Industry Groups PCI, FINRA, etc.
Contracts 3rd Party Bus. Assoc. Data Security Addendum
www.solidcounsel.com
Ethics & Strategy – Specific Attorney Risks. Law firm cybersecurity – this applies to law firms and attorneys. Clients are demanding adequate security (firms are their third-party risk). Law firms are an increasingly popular target. Value and sensitivity of data. Data for multiple clients.
“A lawyer should preserve the confidences and secrets of a client.” Ethics Opinion 384 (Sept. 1975) Canon No. 4, Code of Professional Responsibility Disciplinary Rule (DR) 4-101 (A) and (B)
www.solidcounsel.com
The real-world threats are not so sophisticated.
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily preventable
• 90% in 2014
• 91% in 2015
www.solidcounsel.com
Cybersecurity needs for companies (and firms). Strong cybersecurity basics. Policies and procedures focused on cybersecurity. Social engineering. Password and security questions
Training of all employees. Phish all employees (esp. executives). Signature based antivirus and malware detection. Multi-factor authentication. Backups segmented from the network. Incident response plan.
Encryption for sensitive and air-gap for hypersensitive data. Adequate logging and retention. Third-party security and supply chain risk management.* Intrusion detection and intrusion prevention systems.*
Data Breach Response
Breach! Immediate Priorities • Leadership!
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought & rational behavior
www.solidcounsel.com
Data Breach Response Is the cyber event an incident or a breach? Event: any occurrence. Incident: an event that actually or potentially jeopardizes
the confidentiality, integrity, or availability of the system, data, policies, or practices. Breach: actual loss of control, compromise, unauthorized
disclosure, acquisition or access of data. Ransomware? Encryption safe harbor?
www.solidcounsel.com
Data Breach Response The difference between reporting, disclosing, notifying? Used interchangeably, not official – just used for clarity.
Reporting: to report a crime to law enforcement. OPTIONAL, MAYBE. Disclosing: to disclose (notify) to a state or federal
regulator of a data breach. NOT OPTIONAL. Notification: to notify the data subjects of a data breach.
NOT OPTIONAL.
www.solidcounsel.com
Data Breach Response Breach Notification Laws No national breach notification law Laws governing types of data and industry (HIPAA, GLB, etc) 47 States w/ laws + DC, PR, VI (≠ AL, NM, SD) Data subjects’ residence determines + state doing bus. Some consistency but some not (e.g., MA & CA)
See Guide to Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, https://shawnetuma.com/cyber-law-resources/guide-reporting-cybersecurity-incidents-law-enforcement-governmental-regulatory-agencies/
www.solidcounsel.com
Texas Breach Notification Law Breach of System Security: “unauthorized acquisition ...
compromises the security, confidentiality, or integrity of” SPI. Employee leaving with customer data?
Applies to anyone doing business in Texas. Notify any individual whose SPI “was, or is reasonably believed to
have been, acquired by an unauthorized person.” When: “as quickly as possible” but allows for LE delay Penalty: $100 per individual per day for delayed time, not to
exceed $250,000 for a single breach (AG / no civil remedy)
www.solidcounsel.com
Texas Breach Notification Law Notification Required Following Breach of Security of Computerized Data, Tex. Bus. Comm. Code § 521.053 “A person who | conducts business in this state | and owns or
licenses computerized data that includes sensitive personal information (SPI) | shall disclose any breach of system security, after discovering or receiving notification of the breach, | to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Recent Legal Developments
“An ounce of prevention is cheaper than the first day of litigation.”
www.solidcounsel.com
Peters v. St. Joseph Services (S.D. Tex. 2015)
Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015)
Whalen v. Michael Stores Inc. (E.D.N.Y. 2015)
In re SuperValu, Inc. (D. Minn. 2016)
Anthem Data Breach Litigation (N.D. Cal. 2016) (Koh)
Data Breach Consumer Litigation Battleship
Spokeo v. Robins, 136 S.Ct. 1540 (2016) Tangible or intangible harm but concrete & particularized
Lewert v. P.F. Chang’s China Bistro Inc. (7th Cir. 2016)
Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016)
www.solidcounsel.com
Recent Legal Developments Takeaway: Standard is reasonableness. • In re Target Data Security Breach Litigation (Financial
Institutions) (Dec. 2, 2014)
• Companies have a duty to be reasonably informed and take reasonable measures to protect against cybersecurity risks.
• It’s the diligence, not the breach, that counts.
• The court found duties to • Reasonably protect others’ data • Not disable security devices (i.e., if have it, use it) • Respond when alerted of an attack
www.solidcounsel.com
Recent Legal Developments Takeaway: Must have basic IT security. • F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug.
24, 2015).
• The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.
• Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
• 3 breaches / 619,000 records / $10.6 million in fraud • Rudimentary practices v. 2007 guidebook • Website Privacy Policy misrepresentations
www.solidcounsel.com
Recent Legal Developments Takeaway: Must have internal network controls. • F.T.C. v. LabMD (July 2016 FTC Commission Order)
• LabMD had 1 employee using LimeWire, Tiversa obtained file with PHI information and provided to the FTC.
• “LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act. We enter an order requiring that LabMD notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”
www.solidcounsel.com
Recent Legal Developments Takeaway: Must have written policies & procedures. • S.E.C. v. R.T. Jones Capital Equities Management, Consent
Order (Sept. 22, 2015).
• “R.T. Jones failed to adopt written policies and procedures reasonably designed to safeguard customer information.”
• R.T. Jones violated the Securities Act’s “Safeguards Rule” • 100,000 records vulnerable; no reports of actual harm • $75,000 penalty • Cease and desist having any future violations
www.solidcounsel.com
Recent Legal Developments Takeaway: Must have written incident response plan. • S.E.C. v. R.T. Jones Capital Equities Management,
Consent Order (Sept. 22, 2015).
• Firms “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
www.solidcounsel.com
Response Process • Goal is to execute IRP • This is check list, not
an IRP • How detailed? • Tabletop exercises Download here: www.shawnetuma.com @shawnetuma
www.solidcounsel.com
Recent Legal Developments Takeaway: Must evaluate third-parties’ security. • In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14,
2014).
• FTC’s Order requires business to follow 3 steps when working with third-party service providers:
• Investigate before hiring data service providers • Obligate data service providers to adhere to the appropriate
level of data security protections • Verify (AUDIT!) that the data service providers are complying
with obligations (contracts)
www.solidcounsel.com
Recent Legal Developments Takeaway: Know your contractual obligations. • Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security
• Common features: • Defines subject “Data” being protected in categories • Describes acceptable and prohibited uses for Data • Describes standards for protecting Data • Describes obligations and responsibility for breach of Data • Requires binding third-parties to similar provisions
KEY POINT: Attorney’s may have privilege “Target has demonstrated . . . that the work of the Data Breach Task Force was focused not on remediation of the breach . . . but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.” In re Target Corp. Customer Data Breach Litigation
Recent Legal Developments
Officer & Director Liability
www.solidcounsel.com
Officer & Director Liability KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham • Derivative claims premised on the harm to the company from data breach. • Caremark Claims: Premised on lack of oversight = breach of the duty of loyalty and good faith Cannot insulate the officers and directors = PERSONAL LIABILITY! Standard:
(1) “utterly failed” to implement reporting system or controls; or (2) “consciously failed” to monitor or oversee system.
$4.8 Billion Deal?
Cyber Insurance
www.solidcounsel.com
Cyber Insurance – Key Questions • Even know if you have it?
• What period does the policy cover?
• Are Officers & Directors Covered?
• Cover 3rd Party Caused Events?
• Social Engineering coverage?
• Cover insiders intentional acts (vs. negligent)
• Contractual liability?
• What is the triggering event?
• What types of data are covered?
• What kind of incidents are covered?
• Acts of war?
• Required carrier list for attorneys & experts?
• Other similar risks?
Virtually all companies will be breached. Will they be liable?
It’s not the breach; it’s their diligence and response that matters most.
Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.
www.solidcounsel.com
Cyber Risk Assessment
Strategic Planning
Deploy Defense Assets
Develop, Implement & Train on
P&P
Tabletop Testing
Reassess & Refine
Cybersecurity Risk Management Program