Data Privacy and Security Compliance After the Target Breach: Lessons for Corporate Counsel Proactive Strategies to Avoid and Respond to a Data Breach or Cyber Attack
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, FEBRUARY 11, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
Brent E. Kidwell, Partner, Jenner & Block, Chicago
EIM Group ©
Data Privacy & Security for Corporate Counsel – Lessons Learned from Target and Other Data Breaches
Webinar – February 11, 2014
Brent E. Kidwell and Robert D. Brownstone
Agenda
INTRO
I. Legal Rules/Regimes – Overview
• INTRO to Risks/Leakages
• A. Default Regimes/Risks – US & Int’l
• B. Contracts’ Ability to Reallocate Risks
II. Proactive Prevention
III. Reactive Remediation – Top Ten
Q&A/CONCLUSION
Introduction – The Target Breach
WHO? 70M to 110M people
WHAT? • “mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call center.”
WHY WORRY? • “hackers could potentially piece together customers’ stolen information for identity theft or for use in a . . . spear phishing attack . . .”
Harris & Perlroth, For Target, the Breach Numbers Grow, NYT (1/10/14)
Intro (c’t’d) – Breaches
The future? All American Credit Cards Will Disappear In 2015 And Be Replaced With This New Tech, Yahoo Finance (2/8/14)
In any event, . . .
Breaches’ Prevalence
• “Chronology of Data Breaches” for 4/20/05 – 12/31/13 (≈ 663 M records; ≈ 4,100 incidents)
• “Neiman Marcus Data Breach…,” NYT (1/23/14)
• “Coca-Cola Laptop Breach...,” CRN (1/27/14)
I. Law Overview INTRO – Risks/Leakages
1. Intentionally Harmful Intentional Disclosures
2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social-Media; Sock-Puppeting; P2P)
3. Unintentional Losses of Sensitive Info. = primary focus of this webinar
BUT some Exs. of Category 2 ...
I. Law Overview – INTRO to Risks (c’t’d)
Category 2 – Don’t people know better?!
Commuter Indiscretions
• David Lat, A Funny Thing Happened on the Way to New York (Or: Pillsbury associates, brace yourselves.), Above The Law (2/19/09)
• Bob Lewis, Computer security when travelling by train – an expert’s observation, Computer Weekly (10/21/08)
General Do’s/Don’ts:
• Business Travel Security Holes – and How to Plug Them, Executive Counsel, at 32-34 (June/July 2011); AND
• Loose Lips Sink Company Trips, NYT (5/3/12)
I. Law Overview – INTRO to Risks (c’t’d)
Do our country’s leaders know better? Ex-CIA Director David “All In” Petraeus
See articles at footnote 6 of Brownstone, eWorkplace Materials, National Employment Law Institute (NELI) (11/18/13)
What was his name . . . ? “[T]he man whose name is so perfect for the scandal . . . that it rekindled my faith in God.” John Oliver, The Daily Show (7/17/13)
MUST READ! Steven Levy, How Early Twitter Decisions Led to Anthony Weiner’s Dickish Demise, Wired (6/13/11)
I. U.S. & Int’l Legal Rules – A. Default in U.S. & EU
1. U.S. Law
Data presumptively not protected unless rendered otherwise by a specific rule of law
Federal law examples:
• Health/medical = HIPAA (breach notice without unreasonable delay, and no later than 60 days after discovery)
  covered entities and business associates
  HITECH Act expansion (enacted Feb. ’09)
  HHS Final (Omnibus) Regs., compliance date Sep. ’13
• Financial services = Gramm-Leach-Bliley
• Consumer credit reports, etc. = FCRA/FACTA
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability
• government inquiries/suits (FTC, HHS, State AG’s)
• consumer and/or employee class actions
• corporate customer suits
• shareholder derivative suits
• bad press and/or blog buzz
• reputational hit
I(A)(1). States’ Notice-of-Breach Laws
Overview of Notice-of-Breach Laws:
• Based on state of residence of affected person (identity-theft rationale)
• Cal. statutes & Mass. regs. strict
• Typically cover electronic information
• Typically cover only unencrypted data
  only the Mass. regs. affirmatively require encryption (of personal information sent over public networks and stored on laptops/portable devices)
  elsewhere encryption is a “get out of notice” card – but the safe harbor is lost if the key (or the credential that unlocks it) was also compromised
I(A)(1). States’ Notice-of-Breach Laws (c’t’d)
NOTE: the law doesn’t necessarily require encrypting lists of names, addresses, telephone numbers and SSNs
BUT it’s advisable to encrypt SSNs and to encrypt or password-protect lists of witnesses, deponents, experts, etc.
AND, again, there is sensitive/proprietary/IP/product data to consider
I(A)(1). States’ Notice-of-Breach Laws (c’t’d)
Trigger = a specific combination of data elements – expanded in California 1/1/14 by SB 46’s amendment to Cal. Civ. Code § 1798.82 (adding online-account credentials, i.e. user name or email address plus password or security question/answer):
• SB 46 – Amendment to California’s Data Breach Notification Law, F&W Privacy Alert (10/28/13)
Trigger usually automatic (as in Cal.)
Notice requirements
• If > X no. of people affected, tell AG
• Might have to describe circumstances
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
• Difficulty in proving “injury” (damages): even in a CFAA claim against the hacker, can the statutory “loss” element be met with remediation costs and down-time?
• “Standing” (“injury”) difficult to show based on mere concern that data will be misused:
  trade-secrets damages theory
  identity-theft theory, incl. recent Cal. decision re: Cal. Medical Information Act (CMIA) – Cal. Civ. Code § 56.36
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
• BUT SEE recent negligence decisions:
  Edward R. McNicholas & Catherine M. Valerio Barrad, Federal Appellate Opinion May Expand Cybersecurity Liability, Law360 (9/23/13), discussing Lone Star National Bank, N.A. v. Heartland Payment Systems, Inc., --- F.3d ----, 2013 WL 4728445 (5th Cir. Sep. 3, 2013)
  Patco Construction Co. v. People’s United Bank, 684 F.3d 197, 78 UCC Rep. Serv. 2d 6 (1st Cir. July 3, 2012)
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
Aside from viability of legal theories, custom and usage has been . . . . Potential monetary liability for a breach of unsecured personally identifiable information (PII) is often $130 to $380 per affected person
A recent study pegged the average U.S. amount at $188 per person. See Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, Symantec and Larry Ponemon (May 30, 2013)
Per these data breach calculators:
<http://www.tech-404.com/calculator.html>
<http://databreachcalculator.com> . . .
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Custom/usage (c’t’d)
Typical expense items
I(A). Law (c’t’d) – 2. Int’l
Privacy protected more, e.g.:
• Europe: France, Germany, Italy, UK
• Elsewhere: Israel, Ukraine
I(A)(2). Law (c’t’d) – Int’l (c’t’d)
Brazil contemplating strict rules:
• “Marco Civil” (English translation available)
• To Learn More:
  Bruce Douglas, Brazil debates internet law in wake of NSA scandal, BBC (11/11/13)
  Loretta Chao, Amid NSA Tensions, Brazil May Change Its Internet Laws, WSJ (9/17/13)
I(A)(2). Laws Overseas (c’t’d)
DATA-BREACH NOTIFICATION LAWS abroad are less fragmented than the U.S. state-by-state patchwork, broader in scope & often carry shorter/clearer deadlines . . . e.g.
• Chile
• Germany
• India
• Korea
• Mexico
• Qatar
• Russia
I(A)(2). EU Data Directive Compliance
EU, Directive 95/46/EC (1995) “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”
PLUS laws of individual EU countries
BROAD definitions of “personal data,” “processing” and “transfer”
I(A)(2). European Rules (c’t’d)
Amendments to make EU Directive STRICTER pending since ‘12
Big developments last fall. See: • EU Parliament Q&A
• Civil Liberties MEPs pave the way for stronger data protection in the EU
• MEPs tighten up draft data privacy rules after Snowden revelations
I. Law (c’t’d) – B. Contracts’ Ability to Reallocate Risks
Defaults can change based on:
Relative sizes and bargaining power
Industry of prospective customer
Location of data (who stores/hosts it)
II. Proactive Prevention
Aggregation of Marginal Gains (security is a “game of inches”)
Data Protection Infrastructure
Protecting Data at Rest
Protecting Data in Motion
Aggregation of Marginal Gains
Security is a “game of inches” - “fight for those inches.”
“Large” changes are often challenging to implement and suffer from organizational friction
Many “small” changes to your security posture may compound into significant overall improvements
See http://jamesclear.com/marginal-gains
[Figure: RSA chart on APT attacks – http://blogs.rsa.com/wp-content/uploads/APT-chart1.jpg]
Data Protection Strategy – four pillars:
• People
• Process
• Policy
• Technology
Data Protection – People
Executive leadership – security as an organizational priority
Identified personnel with specific roles, accountability and responsibility
Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)
Improve communication and training about security with all personnel
Human vectors continue to be a key exploit route
See, e.g., the 2011 RSA breach, which began with a phishing e-mail
Data Protection – Process
Plan and document security procedures; for example:
Identify the location and content of your data assets, specifically PII or other “sensitive” collections
Routinize security assessments conducted by internal and external experts
Employ incident response drills and training
Develop procedures for the ingestion, storage, security and destruction of data
Data Protection – Policy
Organizational security/data protection policies:
General security, confidentiality, acceptable use and information governance policies
Special policies may be required for special data (e.g., HIPAA/PHI)
Incident response and breach notification policies
Records and information retention policies should be evaluated to minimize retention of risky data
Establish a regular policy review cycle
Enforcement and consistent application of policies is key
Data Protection – Technology
Security of Existing Technology Base
Periodic re-examination of security posture of existing systems recommended
Cloud-based systems require contractual protections and due diligence
Specialized Security/Data Protection Tools
Technology is not a security “silver bullet”
Even the best technology requires trained personnel to monitor, analyze and address identified anomalies
Protecting Data at Rest I
Perimeter Defenses (Incoming & Outgoing)
Firewall
IDS/IPS
Multi-Factor Authentication
Malware Filtering
Data Loss Prevention (DLP)
Access Rights – “Need to Know”
Electronic data destruction (anything with storage)
Protecting Data at Rest II
Logging and Analysis of Security Events
Security Information and Event Management (SIEM)
Provides analytical view into organizational security using a longer-term baseline for anomaly identification
Don’t Forget Paper Documents
Appropriate destruction – shredding, PII bins, etc.
Clean desk policies
Locked offices, drawers and cabinets
Physical Security
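The "longer-term baseline for anomaly identification" point on the SIEM slide, shown in working form as an added example (this is not tooling from the webinar or its presenters). It parses sshd-style authentication lines, learns how many failed logins each source address normally produces per day over a baseline period, and flags any source whose count on the day under review exceeds mean + 3σ of its own baseline, with a floor so that a never-seen source does not alert on a single typo. The hosts, users, addresses and the simplified log format are assumptions made for the example, and every log line is constructed.

```python
"""Baseline-driven anomaly check over sshd-style authentication log lines.

Added example for this page; it is not tooling from the webinar or its
presenters. Hosts, users, addresses and the simplified syslog/sshd line
format are assumptions made for the example; every log line is constructed.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed baseline: three ordinary days, a few typos from internal hosts.
BASELINE_LINES = [
    "2014-02-03T09:12:01 bastion sshd: Failed password for alice from 10.0.0.5",
    "2014-02-03T09:12:09 bastion sshd: Accepted password for alice from 10.0.0.5",
    "2014-02-03T14:40:33 bastion sshd: Failed password for bob from 10.0.0.9",
    "2014-02-04T08:03:12 bastion sshd: Failed password for alice from 10.0.0.5",
    "2014-02-04T08:03:20 bastion sshd: Failed password for alice from 10.0.0.5",
    "2014-02-04T08:03:31 bastion sshd: Accepted password for alice from 10.0.0.5",
    "2014-02-05T17:55:02 bastion sshd: Failed password for bob from 10.0.0.9",
    "2014-02-05T17:55:10 bastion sshd: Accepted password for bob from 10.0.0.9",
    "2014-02-05T18:00:00 bastion sshd: -- MARK --",  # unparseable, gets counted
]

# Constructed window: the day under review, including a password-guessing
# burst from an external address that never appeared in the baseline.
WINDOW_LINES = [
    "2014-02-06T09:10:00 bastion sshd: Failed password for alice from 10.0.0.5",
    "2014-02-06T09:10:07 bastion sshd: Accepted password for alice from 10.0.0.5",
] + [
    f"2014-02-06T02:{i:02d}:00 bastion sshd: Failed password for root from 203.0.113.7"
    for i in range(12)
]


def parse(lines):
    """Return (events, skipped). Lines the pattern does not match are counted
    rather than silently dropped: a jump in that count is itself a signal."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1
            continue
        events.append(m.groupdict())
    return events, skipped


def failed_per_day(events, key):
    """Map a key value (e.g. source address) to a Counter of failures per day."""
    per_day = defaultdict(Counter)
    for e in events:
        if e["result"] == "Failed":
            per_day[e[key]][e["day"]] += 1
    return per_day


def threshold_for(series, sigmas=3.0, floor=5):
    """Alert threshold for one key: mean + sigmas*stdev over its baseline days,
    never below `floor`, so a key that was quiet (all zeros) needs more than a
    single failure to fire."""
    if not series:
        return float(floor)
    return max(float(floor), mean(series) + sigmas * pstdev(series))


def flag_anomalies(baseline_lines, window_lines, key="src", sigmas=3.0, floor=5):
    """Flag keys whose failed-login count in the window exceeds the threshold
    learned from the baseline. Returns {key_value: (window_count, threshold)}."""
    base_events, _ = parse(baseline_lines)
    win_events, _ = parse(window_lines)
    base_days = sorted({e["day"] for e in base_events})
    base_counts = failed_per_day(base_events, key)
    win_counts = failed_per_day(win_events, key)

    flagged = {}
    for value, days in win_counts.items():
        count = sum(days.values())
        # Days with no failures for this key count as zero, so the baseline
        # reflects how noisy the source normally is, not only its noisy days.
        series = [base_counts[value][d] for d in base_days]
        thr = threshold_for(series, sigmas, floor)
        if count > thr:
            flagged[value] = (count, thr)
    return flagged


if __name__ == "__main__":
    for src, (n, thr) in flag_anomalies(BASELINE_LINES, WINDOW_LINES).items():
        print(f"ALERT {src}: {n} failed logins today, baseline threshold {thr:.1f}")
```

Run as-is it reports only 203.0.113.7 (12 failures against a threshold of 5); alice's single typo from 10.0.0.5 sits inside her own baseline. A real SIEM does the same thing across many log sources and keys (user, host, source, destination) with a baseline of weeks rather than three days, which is exactly why the slide says the baseline has to be long-term: with too short a history, normal variation and the attack look alike.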
Protecting Data In Motion I
Laptops (endpoints)
AV/Malware Detection
Firewall
Data Encryption (FDE)
Passwords, screensavers, etc.
BYOD Issues
Storage Devices/Tools
Encryption – flash drives, DVDs, etc.
Restrictions on use of cloud storage services (Dropbox, etc.)
Mobile Device Security – Survey
http://www.informationweek.com/security/mobile-security/infographic-mobile-security-run-amok/d/d-id/1113675
Protecting Data in Motion II
Handheld Devices
Encryption
Remote Wiping
Mobile Device Management
BYOD Issues
Backup Tapes
Email encryption
Metadata Scrubbing Tools
Proper Redaction Tools/Methods
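What a "metadata scrubbing tool" actually does to a Word file, as an added example (not a tool from the webinar or its presenters). A .docx is a zip container; author, last-modified-by, revision count, timestamps, company and total editing time live in docProps/core.xml and docProps/app.xml. The script lists those fields, then rewrites the container with them removed while copying every other part byte-for-byte. The document it operates on is constructed in memory and is only a minimal stand-in for a real Word file; the names, firm and dates in it are made up.

```python
"""Inspect and scrub identifying metadata in an Office Open XML (.docx) container.

Added example for this page; it is not a tool from the webinar or its presenters.
The "document" below is constructed in memory and is only a minimal stand-in for a
real Word file: names, company and dates are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields a reviewer usually wants gone before a file leaves the firm.
SENSITIVE = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "cp:revision",
                          "dcterms:created", "dcterms:modified"],
    "docProps/app.xml": ["ep:Company", "ep:TotalTime"],
}

# Constructed property parts; values are fictional.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Draft settlement memo</dc:title>
  <dc:creator>J. Associate</dc:creator>
  <cp:lastModifiedBy>Partner (home laptop)</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
  <dcterms:created>2014-01-20T09:00:00Z</dcterms:created>
  <dcterms:modified>2014-02-10T22:13:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Acme Law LLP</Company>
  <TotalTime>412</TotalTime>
</Properties>""".format(**NS)

DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>'
                'Body text (placeholder)</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx():
    """Assemble the constructed parts into a zip the way Word lays them out
    (content-types and relationship parts omitted; not needed here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def list_parts(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(z.namelist())


def metadata_report(docx_bytes, fields=SENSITIVE):
    """Return {"part:field": value} for each requested field that is present.
    Run it before and after scrubbing; the 'after' report should be empty."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, wanted in fields.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for field in wanted:
                el = root.find(field, NS)
                if el is not None and el.text:
                    found[f"{part}:{field}"] = el.text
    return found


def scrub(docx_bytes, fields=SENSITIVE):
    """Rewrite the container with the listed elements removed from the property
    parts. Every other part is copied unchanged, so body text, styles and
    relationships are untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in fields:
                root = ET.fromstring(data)
                for field in fields[info.filename]:
                    for el in root.findall(field, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", metadata_report(original))
    print("after: ", metadata_report(scrub(original)))
```

The property parts are the easy case. Comments (word/comments.xml), tracked changes (w:ins/w:del inside word/document.xml), hidden text and embedded objects each live elsewhere in the container and need their own handling, which is what commercial scrubbers add. None of this substitutes for proper redaction: a black box drawn over text in a Word or PDF file leaves the text in the file, and the slide's "proper redaction tools/methods" means removing the content itself, not covering it.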
III. Reactive Remediation – Incident Response
Top Ten
FOLLOW PROCESS (IF ANY!) . . .
10. Policy/Protocols/Checklists
• Internal team leaders/members ID’d, e.g. InfoSec, Legal & Public Relations
• Outside contacts listed, e.g., Counsel, Law enforcement & Insurance carrier
III. Incident- Response (c’t’d)
10. Big-Picture Process (c’t’d)
• Categories defined?
• Data- and machine- handling protocol
• Workflow/Communication chart re:
Discover/Assess/Contain
Remediate/Close/Mitigate
III. Reactive Remediation – Top Ten Tips (c’t’d)
FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: the info.?
8. Encrypted?
7. If encrypted, was the key (or the credential that unlocks it) also compromised?
III. Reactive Remediation – Top Ten Tips (c’t’d)
GET YOUR BEARINGS . . .
6. If a contractual relationship:
  Look at the contract
  Decide whether to try to negotiate re: notice
5. If law enforcement is involved, open a dialogue
4. See if, under the strictest applicable statute, the notice trigger(s) have kicked in
III. Reactive Remediation – Top Ten Tips (c’t’d)
TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If you MUST give notice, address the required:
  Method and Contents
  » Eff. 1/1/12 = Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
  Recipients (might include an AG, e.g.)
  Timing (might be OK, under law, to delay, e.g. at law enforcement’s request)
2. If you COULD give notice, discuss customer relations with the C-level
1. If you WILL give notice, work with PR as to theme(s), timing & press release (if any)
Q&A/Conclusion/ Resources . . .
Robert D. Brownstone, Esq.
Fenwick & West LLP
<tinyurl.com/Bob-Brownstone-Bio>
<www.ITLawToday.com>
Brent E. Kidwell, Esq.
Jenner & Block
<www.jenner.com/people/BrentKidwell>
<jenner.com/people/BrentKidwell/library>