Cyber Security for Your Clients: Business Lawyers Advising Business Clients

www.solidcounsel.com

Transcript of Cyber Security for Your Clients: Business Lawyers Advising Business Clients

“Security and IT protect companies’ data; Legal protects companies from their data.”

Recent Legal Developments

“An ounce of prevention is cheaper than the first day of litigation.”

KEY POINT: Attorneys may have privilege

“Target has demonstrated . . . that the work of the Data Breach Task Force was focused not on remediation of the breach . . . but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”

In re Target Corp. Customer Data Breach Litigation

A.C. Privilege / Work Product

Peters v. St. Joseph Services (S.D. Tex. 2015)

Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015)

Whalen v. Michaels Stores Inc. (E.D.N.Y. 2015)

In re SuperValu, Inc. (D. Minn. 2016)

Anthem Data Breach Litigation (N.D. Cal. 2016) (Koh)

Data Breach Consumer Litigation Battleship

Spokeo v. Robins, 136 S.Ct. 1540 (2016)

Tangible or intangible harm but concrete & particularized

Lewert v. P.F. Chang’s China Bistro Inc. (7th Cir. 2016)

Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016)

Recent Legal Developments

Takeaway: Standard is reasonableness.

• In re Target Data Security Breach Litigation (Financial Institutions) (Dec. 2, 2014)

• Companies have a duty to be reasonably informed and take reasonable measures to protect against cybersecurity risks.

• It’s the diligence, not the breach, that counts.

• The court found duties to:

  • Reasonably protect others’ data

  • Not disable security devices (i.e., if you have it, use it)

  • Respond when alerted of an attack

Recent Legal Developments

Takeaway: Must have basic IT security.

• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

  • The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.

  • Companies have fair notice that their specific cybersecurity practices could fall short of that provision.

• 3 breaches / 619,000 records / $10.6 million in fraud

• Rudimentary practices v. 2007 guidebook

• Website Privacy Policy misrepresentations

Recent Legal Developments

Takeaway: Must have internal network controls.

• F.T.C. v. LabMD (July 2016 FTC Commission Order)

• LabMD had 1 employee using LimeWire; Tiversa obtained a file with PHI and provided it to the FTC.

• “LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act. We enter an order requiring that LabMD notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

Recent Legal Developments

Takeaway: Must have written policies & procedures.

• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

• “R.T. Jones failed to adopt written policies and procedures reasonably designed to safeguard customer information.”

• R.T. Jones violated the Securities Act’s “Safeguards Rule”

• 100,000 records vulnerable; no reports of actual harm

• $75,000 penalty

• Cease and desist from any future violations

Recent Legal Developments

Takeaway: Must have written incident response plan.

• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

• Firms “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

Recent Legal Developments

Takeaway: Must evaluate third-parties’ security.

• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014).

• FTC’s Order requires business to follow 3 steps when working with third-party service providers:

  • Investigate before hiring data service providers

  • Obligate data service providers to adhere to the appropriate level of data security protections

  • Verify (AUDIT!) that the data service providers are complying with obligations (contracts)

Recent Legal Developments

Takeaway: Know your contractual obligations.

• Addendum to business contracts

• Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security

• Common features:

  • Defines subject “Data” being protected in categories

  • Describes acceptable and prohibited uses for Data

  • Describes standards for protecting Data

  • Describes obligations and responsibility for breach of Data

  • Requires binding third-parties to similar provisions

Officer & Director Liability

Officer & Director Liability

KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham

• Derivative claims premised on the harm to the company from data breach.

• Caremark Claims:

  ▪ Premised on lack of oversight = breach of the duty of loyalty and good faith

  ▪ Cannot insulate the officers and directors = PERSONAL LIABILITY!

  ▪ Standard:

    (1) “utterly failed” to implement reporting system or controls; or

    (2) “consciously failed” to monitor or oversee system.

$4.8 Billion Deal?

Game Changer?

The Game Changer?

New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies + [fill in]

• All NY “financial institutions” + third party service providers

• Third party service providers – examine, obligate, audit

• Establish Cybersecurity Program (w/ specifics)

  • Logging, Data Classification, IDS, IPS

  • Pen Testing, Vulnerability Assessments, Risk Assessment

  • Encryption, Access Controls

• Adopt Cybersecurity Policies

• Designate qualified CISO to be responsible

• Adequate cybersecurity personnel and intelligence

• Personnel Policies & Procedures, Training, Written IRP

• Board or Senior Officer Certify Compliance

“You don’t drown by falling in the water; You drown by staying there.” – Edwin Louis Cole

• Board of Directors & General Counsel, Cyber Future Foundation

• Board of Advisors, North Texas Cyber Forensics Lab

• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)

• SuperLawyers Top 100 Lawyers in Dallas (2016)

• SuperLawyers 2015-16 (IP Litigation)

• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)

• Council, Computer & Technology Section, State Bar of Texas

• Privacy and Data Security Committee of the State Bar of Texas

• College of the State Bar of Texas

• Board of Directors, Collin County Bench Bar Foundation

• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association

• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

• North Texas Crime Commission, Cybercrime Committee

• Infragard (FBI)

• International Association of Privacy Professionals (IAPP)

• Board of Advisors Office of CISO, Optiv Security

• Editor, Business Cybersecurity Business Law Blog

Shawn Tuma
Cybersecurity Partner
Scheef & Stone, [email protected]
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com