Data Privacy and Security Compliance After the Target Breach: Lessons for Corporate Counsel Proactive Strategies to Avoid and Respond to a Data Breach or Cyber Attack

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

TUESDAY, FEBRUARY 11, 2014

Presenting a live 90-minute webinar with interactive Q&A

Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.

Brent E. Kidwell, Partner, Jenner & Block, Chicago

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-888-601-3873 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the word balloon button to send

FOR LIVE EVENT ONLY

EIM GROUP ©

Data Privacy & Security for Corporate Counsel –

Lessons Learned from

Target and Other Data Breaches

Webinar – February 11, 2014

Brent E. Kidwell

Robert D. Brownstone


Agenda

INTRO

I. Legal Rules/Regimes – Overview

• INTRO to Risks/Leakages

• A. Default Regimes/Risks – US & Int’l

• B. Contracts’ Ability to Reallocate Risks

II. Proactive Prevention

III. Reactive Remediation – Top Ten

Q&A/CONCLUSION


Introduction – The Target Breach

WHO? 70M to 110M people

WHAT? • “mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call center.”

WHY WORRY? • “hackers could potentially piece together customers’ stolen information for identity theft or for use in a . . . spear phishing attack . . .”

Harris & Perlroth, For Target, the Breach Numbers Grow, NYT (1/10/14)


Intro (c’t’d) – Breaches

The future? All American Credit Cards Will Disappear In 2015 And Be Replaced With This New Tech, Yahoo Finance (2/8/14)

In any event, . . .

Breaches’ Prevalence

• “Chronology of Data Breaches” for 4/20/05 – 12/31/13 (≈ 663 M records; ≈ 4,100 incidents)

• “Neiman Marcus Data Breach…,” NYT (1/23/14)

• “Coca-Cola Laptop Breach...,” CRN (1/27/14)


I. Law Overview INTRO – Risks/Leakages

1. Intentionally Harmful Intentional Disclosures

2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social-Media; Sock-Puppeting; P2P)

3. Unintentional Losses of Sensitive Info. = primary focus of this webinar

BUT some Exs. of Category 2 ...


Category 2 – Don’t people know better?!

Commuter Indiscretions

David Lat, A Funny Thing Happened on the Way to New York (Or: Pillsbury associates, brace yourselves.), Above The Law (2/19/09)

Bob Lewis, Computer security when travelling by train – an expert’s observation, Computer Weekly (10/21/08)

General Do’s/Don'ts:

Business Travel Security Holes – and How to Plug Them, Executive Counsel, at 32-34 (June/July 2011); AND

Loose Lips Sink Company Trips, NYT (5/3/12)

I. Law Overview – INTRO to Risks (c’t’d)


Do our country’s leaders know better? Ex-CIA Director David “All In” Petraeus

See articles at footnote 6 of Brownstone, eWorkplace Materials, National Employment Law Institute (NELI) (11/18/13)

What was his name . . . ? “[T]he man whose name is so perfect for the scandal . . . that it rekindled my faith in God.” John Oliver, The Daily Show (7/17/13)

MUST READ! Steven Levy, How Early Twitter Decisions Led to Anthony Weiner’s Dickish Demise, Wired (6/13/11)

I. Law Overview – INTRO to Risks (c’t’d)


I. U.S. & Int’l Legal Rules A. Default in U.S. & EU

1. U.S. Law

Data presumptively not protected unless rendered otherwise by specific rule of law

Federal law examples:

Health/medical = HIPAA (60 days notice)

covered entities and business associates

HITECH ACT expansion Jan. ’09

HHS Final Regs. Sep. ’13

Financial services = Gramm-Leach-Bliley

Consumer credit reports, etc. = FCRA/FACTA


Potential Liability

government inquiries/suits (FTC, HHS, State AG’s)

consumer and/or employee class actions

corporate customer suits

shareholder derivative suits

bad press and/or blog buzz

reputational hit

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)


Overview of Notice-of-Breach Laws:

Based on state of residence of affected person (identity theft)

Cal. statutes & Mass. regs. strict

Electronic information

Unencrypted

only Mass. regs. require encryption

others: “get out of notice” card (unless key also compromised)

I(A)(1). States’ Notice-of-Breach Laws


NOTE: law doesn’t necessarily require encrypting lists of names, addresses, telephone numbers and SSN’s

BUT, it’s advisable to encrypt SSN’s and to encrypt or password-protect lists of witnesses, deponents, experts, etc.

AND, again, there is sensitive/ proprietary/IP/products data

I(A)(1). States’ Notice-of-Breach Laws


Specific combo of elements – expanded in California 1/1/14 by SB 46's amendment to Cal. Civ. Code § 1798.82:

• SB 46 – Amendment to California’s Data Breach Notification Law, F&W Privacy Alert (10/28/13)

Trigger usually automatic (as in Cal.)

Notice requirements

• If > X no. of people affected, tell AG

• Might have to describe circumstances

I(A)(1). States’ Notice-of-Breach Laws


Potential Liability (c’t’d)

Difficulty in proving “injury” (damages):

Even in a CFAA claim in a suit against the hacker, “loss” is hard to show – remediation and down-time?

“Standing” (“injury”) difficult to show based on mere concern that the data will be used:

trade secrets damages theory

identity-theft theory, incl. recent Cal. decision re: Cal. Medical Information Act (CMIA) – Cal. Civ. Code 56.36

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)


Potential Liability (c’t’d)

Aside from viability of legal theories, custom and usage has been . . . . Potential monetary liability for a breach of unsecured personally identifiable information (PII) is often $130 to $380 per affected person

A recent study pegged average U.S. amount at $188 per person. See Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, Symantec and Larry Ponemon (May 30, 2013)

Per these data breach calculators

<http://www.tech-404.com/calculator.html>

<http://databreachcalculator.com> . . .

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)


Custom/usage (c’t’d)

Typical expense items

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)


I(A). Law (c’t’d) – 2. Int’l

Privacy protected more, e.g.:

• Europe: France, Germany, Italy, UK

• Elsewhere: Israel, Ukraine


I(A)(2). Law (c’t’d) – Int’l (c’t’d)

Brazil contemplating strict rules:

• “Marco Civil”

English translation

• To Learn More:

Bruce Douglas, Brazil debates internet law in wake of NSA scandal, BBC (11/11/13)

Loretta Chao, Amid NSA Tensions, Brazil May Change Its Internet Laws, WSJ (9/17/13)


I(A)(2). Laws Overseas (c’t’d)

DATA-BREACH NOTIFICATION LAWS less diffused, broader in scope & often shorter/clearer deadlines . . . e.g.

• Chile

• Germany

• India

• Korea

• Mexico

• Qatar

• Russia


I(A)(2). EU Data Directive Compliance

EU, Directive 95/46/EC (1995) “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”

PLUS laws of individual EU countries

BROAD definitions of “personal data,” “processing” and “transfer”


I. Law (c’t’d) – B. Contracts’ Ability to Reallocate Risks

Defaults can change based on:

Relative sizes and bargaining power

Industry of prospective customer

Location of data (who stores/hosts it)


II. Proactive Prevention

Aggregation of Marginal Gains (security is a “game of inches”)

Data Protection Infrastructure

Protecting Data at Rest

Protecting Data in Motion


Aggregation of Marginal Gains

Security is a “game of inches” - “fight for those inches.”

“Large” changes are often challenging to implement and suffer organizational friction

Many “small” changes to your security posture may compound into significant overall improvements

See http://jamesclear.com/marginal-gains


Data Protection Strategy

People

Process

Policy

Technology


Data Protection – People

Executive leadership – security as an organizational priority

Identified personnel with specific roles, accountability and responsibility

Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)

Improve communication and training about security with all personnel

Human vectors continue to be a key security exploit route

See, e.g., RSA breach resulting from phishing


Data Protection – Process

Plan and document security procedures; for example:

Identify the location and content of your data assets, specifically PII or other “sensitive” collections

Routinize security assessments conducted by internal and external experts

Employ incident response drills and training

Develop procedures for the ingestion, storage, security and destruction of data


Data Protection – Policy

Organizational security/data protection policies:

General security, confidentiality, acceptable use and information governance policies

Special policies may be required for special data (e.g., HIPAA/PHI)

Incident response and breach notification policies

Records and information retention policies should be evaluated to minimize retention of risky data

Establish a regular policy review cycle

Enforcement and consistent application of policies is key


Data Protection – Technology

Security of Existing Technology Base

Periodic re-examination of security posture of existing systems recommended

Cloud-based systems require contractual protections and due diligence

Specialized Security/Data Protection Tools

Technology is not a security “silver bullet”

Even the best technology requires trained personnel to monitor, analyze and address identified anomalies


Protecting Data at Rest I

Perimeter Defenses (Incoming & Outgoing)

Firewall

IDS/IPS

Multi-Factor Authentication

Malware Filtering

Data Loss Prevention (DLP)

Access Rights – “Need to Know”

Electronic data destruction (anything with storage)
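The Process slide’s first step (“identify the location and content of your data assets, specifically PII”) and the DLP item on this slide rest on the same building block: a classifier that recognises PII patterns in text and reports where they live. The following Python scanner is an added example and is not part of the webinar materials; the file paths, contents and regular expressions are constructed assumptions. Card-number candidates are confirmed with the Luhn check so that arbitrary 16-digit identifiers are not reported, and the inventory keeps only the last four digits so the report does not itself become a new copy of the PII.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "files" (path -> contents); not data from the webinar.
SAMPLE_FILES = {
    "hr/payroll_2013.csv": "name,ssn\nJane Roe,123-45-6789\nJohn Doe,234-56-7890\n",
    "sales/orders.txt": "Order 1182 paid with card 4111 1111 1111 1111 exp 12/15\n",
    "eng/readme.txt": "Build id 4111-1111-1111-1112 is not a card number\nTicket 123-45-678 is too short\n",
}

# SSN: AAA-GG-SSSS, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the inventory is not itself a PII store."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    location: str
    kind: str      # "SSN" or "CARD"
    masked: str


def scan_text(location: str, text: str) -> list[Finding]:
    """Classify one text blob; returns an empty list when nothing sensitive is found."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(location, "SSN", mask(re.sub(r"\D", "", m.group()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):      # drops look-alike numbers that fail the checksum
            findings.append(Finding(location, "CARD", mask(digits)))
    return findings


def inventory(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Data-asset inventory: map each location that holds PII to its findings."""
    result = {}
    for location, text in files.items():
        found = scan_text(location, text)
        if found:
            result[location] = found
    return result


def contains_pii(text: str) -> bool:
    """DLP-style gate for an outbound message or upload: True means hold it for review."""
    return bool(scan_text("<outbound>", text))


if __name__ == "__main__":
    for location, findings in inventory(SAMPLE_FILES).items():
        for f in findings:
            print(f"{location}: {f.kind} {f.masked}")
```

Run against the constructed files, the payroll export and the order note are listed and the engineering readme is not, even though it contains a 16-digit number in card format; the same `contains_pii` gate is what an outbound DLP check applies to mail and uploads.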


Protecting Data at Rest II

Logging and Analysis of Security Events

Security Information and Event Management (SIEM)

Provides analytical view into organizational security using a longer-term baseline for anomaly identification

Don’t Forget Paper Documents

Appropriate destruction – shredding, PII bins, etc.

Clean desk policies

Locked offices, drawers and cabinets

Physical Security
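The SIEM bullet above makes the point that anomaly identification needs a longer-term baseline: a single day’s log cannot tell you whether 41 login attempts against a service account is normal for that account. The following Python example is added here and is not from the webinar or any SIEM product; the log format, account names and addresses are constructed. It builds each account’s own daily baseline from the preceding days and flags a day whose volume exceeds it, and separately flags the first appearance of a source address an account has never used.

```python
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import date, datetime

# One authentication event per line; a constructed format, not a real product's log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log() -> list[str]:
    """Constructed log: 14 quiet days, then on day 15 a burst of failed logins against
    a service account from an address that account has never used."""
    lines = []
    for day in range(1, 15):
        for user, n in (("alice", 3), ("svc-backup", 1)):
            for i in range(n):
                lines.append(f"2014-01-{day:02d}T08:{i:02d}:00 auth user={user} src=10.0.0.5 result=OK")
    for i in range(40):
        lines.append(f"2014-01-15T02:{i:02d}:00 auth user=svc-backup src=198.51.100.7 result=FAIL")
    lines.append("2014-01-15T02:41:00 auth user=svc-backup src=198.51.100.7 result=OK")
    for i in range(3):
        lines.append(f"2014-01-15T08:{i:02d}:00 auth user=alice src=10.0.0.5 result=OK")
    return lines


def parse(line: str) -> dict | None:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": m["src"], "result": m["result"]}


def daily_counts(lines: list[str]) -> dict[str, dict[date, int]]:
    """user -> day -> number of auth events (OK and FAIL alike)."""
    counts: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse(line)
        if ev:
            counts[ev["user"]][ev["ts"].date()] += 1
    return counts


def volume_anomalies(lines: list[str], baseline_days: int = 14,
                     sigmas: float = 3.0, min_events: int = 10) -> list[tuple[str, str, int]]:
    """Flag (user, day, count) where the day's volume exceeds that user's own baseline:
    mean + sigmas * stdev over up to baseline_days earlier active days. The stdev is
    floored at 1 so a perfectly flat baseline still has a non-zero tolerance."""
    flagged = []
    for user, per_day in daily_counts(lines).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[max(0, i - baseline_days):i]]
            if len(history) < 7:        # too little history to call anything abnormal
                continue
            threshold = statistics.fmean(history) + sigmas * max(statistics.pstdev(history), 1.0)
            if per_day[day] >= min_events and per_day[day] > threshold:
                flagged.append((user, day.isoformat(), per_day[day]))
    return flagged


def new_source_anomalies(lines: list[str], min_history_days: int = 7) -> list[tuple[str, str, str]]:
    """Flag (user, day, src) the first time an account appears from a source address it has
    not used before, once the account has at least min_history_days of history."""
    seen: dict[str, set[str]] = defaultdict(set)   # sources already observed per user
    first_day: dict[str, date] = {}
    flagged = []
    events = sorted((ev for ev in map(parse, lines) if ev), key=lambda e: e["ts"])
    for ev in events:
        user, day, src = ev["user"], ev["ts"].date(), ev["src"]
        first_day.setdefault(user, day)
        if src not in seen[user] and (day - first_day[user]).days >= min_history_days:
            flagged.append((user, day.isoformat(), src))
        seen[user].add(src)
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("volume:", volume_anomalies(log))
    print("new source:", new_source_anomalies(log))
```

On the constructed log only the service account on day 15 is flagged by both detectors, while alice’s unchanged three logins a day stay quiet; note that the baseline is built from days on which the account was active, so a dormant account that suddenly wakes up is flagged on volume alone.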


Protecting Data In Motion I

Laptops (endpoints)

AV/Malware Detection

Firewall

Data Encryption (FDE)

Passwords, screensavers, etc.

BYOD Issues

Storage Devices/Tools

Encryption – flash drives, DVDs, etc.

Restrictions on use of cloud storage services (Dropbox, etc.)


Mobile Device Security – Survey

http://www.informationweek.com/security/mobile-security/infographic-mobile-security-run-amok/d/d-id/1113675


Protecting Data in Motion II

Handheld Devices

Encryption

Remote Wiping

Mobile Device Management

BYOD Issues

Backup Tapes

Email encryption

Metadata Scrubbing Tools

Proper Redaction Tools/Methods
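The metadata-scrubbing item is easiest to appreciate by seeing where the metadata lives. A .docx file is a zip package, and the author, last-modified-by workstation, revision count and company name sit in the docProps/core.xml and docProps/app.xml parts, which a recipient can read with any unzip tool. The Python example below is added here and is not from the webinar or any scrubbing product: it builds a minimal constructed document in memory, lists what its properties disclose, and writes a copy with the properties parts and every reference to them removed, so the package stays well-formed. Real documents also carry comments, tracked changes and custom properties; this illustration handles only the standard properties parts.

```python
from __future__ import annotations

import io
import re
import zipfile

# Minimal constructed .docx (an OOXML zip); all property values are invented sample data.
PARTS = {
    "[Content_Types].xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
        '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>'
        '</Types>',
    "_rels/.rels":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>'
        '</Relationships>',
    "word/document.xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Draft settlement terms.</w:t></w:r></w:p></w:body></w:document>',
    "docProps/core.xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>LEGAL-WS-07</cp:lastModifiedBy>'
        '<cp:revision>19</cp:revision>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2014-02-03T17:02:00Z</dcterms:modified>'
        '</cp:coreProperties>',
    "docProps/app.xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Company>Example Corp</Company><TotalTime>143</TotalTime></Properties>',
}

METADATA_PARTS = {"docProps/core.xml", "docProps/app.xml", "docProps/custom.xml"}
# Matches simple <prefix:name ...>text</ elements; enough for the flat properties parts.
_SIMPLE_ELEMENT = re.compile(r"<(?:\w+:)?(\w+)[^>]*>([^<]+)</")


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in PARTS.items():
            z.writestr(name, xml)
    return buf.getvalue()


def part_names(docx: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return sorted(z.namelist())


def read_part(docx: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name).decode("utf-8")


def extract_metadata(docx: bytes) -> dict[str, str]:
    """What a recipient can read from the properties parts: element name -> text."""
    found = {}
    for name in part_names(docx):
        if name in METADATA_PARTS:
            for tag, text in _SIMPLE_ELEMENT.findall(read_part(docx, name)):
                found[tag] = text
    return found


def scrub_docx(docx: bytes) -> bytes:
    """Copy the package without the properties parts, also dropping the relationship and
    content-type entries that point at them so nothing references a missing part."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in METADATA_PARTS:
                continue
            data = src.read(name)
            if name == "_rels/.rels":
                data = re.sub(rb'<Relationship\b[^>]*Target="docProps/[^"]*"[^>]*/>', b"", data)
            elif name == "[Content_Types].xml":
                data = re.sub(rb'<Override\b[^>]*PartName="/docProps/[^"]*"[^>]*/>', b"", data)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_docx(doc)))
```

The body text survives the scrub untouched; only the properties parts go. Redaction is the separate problem the slide lists next to this one: drawing a black box over text in a PDF or Word file does not remove the underlying text from the file, which is why it needs its own tools and methods rather than a metadata scrubber.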


Top Ten

FOLLOW PROCESS (IF ANY!) . . .

10. Policy/Protocols/Checklists

Internal team leaders/members ID’d, e.g. InfoSec, Legal & Public Relations

Outside contacts listed, e.g., Counsel, Law enforcement & Insurance carrier

III. Reactive Remediation – Incident Response


III. Incident Response (c’t’d)

10. Big-Picture Process (c’t’d)

• Categories defined?

• Data- and machine-handling protocol

• Workflow/Communication chart re:

Discover/Assess/Contain

Remediate/Close/Mitigate


FACT INTAKE . . . 4 W’s-plus

9. Who, what, where, when re: info.?

8. Encrypted?

7. If encrypted, key compromised?

V. TOP TEN TIPS (c’t’d)


GET YOUR BEARINGS . . .

6. If a contractual relationship:

Look at the contract

Decide if will try to negotiate re: notice

5. If law enforcement is involved, open a dialogue

4. See if, under strictest statute, notice trigger(s) have kicked in

V. TOP TEN TIPS (c’t’d)


TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .

3. If MUST give notice, address required:

Method and Contents

» Eff. 1/1/12 = Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code). Text is HERE or HERE. Legislative history HERE.

Recipients (might include an AG, e.g.)

Timing (might be OK, under law, to delay)

2. If COULD give notice, discuss customer-relations with C level

1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)

V. TOP TEN TIPS (c’t’d)


Q&A/Conclusion/Resources . . .

Robert D. Brownstone, Esq.

Fenwick & West LLP

<[email protected]>

<tinyurl.com/Bob-Brownstone-Bio>

<www.ITLawToday.com>

Brent E. Kidwell, Esq.

Jenner & Block

<[email protected]>

<www.jenner.com/people/BrentKidwell>

<jenner.com/people/BrentKidwell/library>