
Page 1: Data Privacy and Security Compliance: Lessons for ...media.straffordpub.com/products/data-privacy-and... · 11/11/2014  · names . . . data routinely collected . . . during interactions

Data Privacy and Security Compliance: Lessons for Corporate Counsel After Recent High Profile Breaches

Proactive Strategies to Avoid and Respond to a Data Breach or Cyber Attack

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, NOVEMBER 11, 2014

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West LLP, Mountain View, Calif.

Brent E. Kidwell, Partner, Jenner & Block LLP, Chicago

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).

You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.

If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

Data Privacy and Security Compliance: Lessons for Corporate Counsel After Recent High Profile Breaches

Webinar – November 11, 2014

Brent E. Kidwell and Robert D. Brownstone

Page 6

Agenda

INTRO

I. Legal Rules/Regimes – Overview

• INTRO to Risks/Leakages

• A. Default Regimes/Risks – US & Int’l

• B. Contracts’ Ability to Reallocate Risks

II. Proactive Prevention

III. Reactive Remediation – Top Ten

Q&A/CONCLUSION

Page 7

Introduction – Breaches’ Prevalence

1 threat alone attacked 1K+ businesses in ’13-’14:

• U.S. Secret Service, Backoff Malware: Infection Assessment, Dep’t of Homeland Security (8/22/14)

Retailers hit in the same period: Staples, Sears (Kmart), Target, Supervalu, Home Depot, Sally Beauty Supply, Neiman Marcus, United Parcel Service, Michaels Stores, Albertsons, Dairy Queen and P. F. Chang’s

• Nicole Perlroth, Staples Is Latest Retailer Hit by Hackers, NYT (10/21/14) (“entry point for each ... differed”)

Page 8

Intro (c’t’d) – Breaches

Should only retailers be worried? NO

What kind of risky info. is “targeted”?

“mailing and email addresses, phone numbers or names . . . data routinely collected . . . during interactions like shopping online or volunteering a phone number when using a call center”

“hackers could . . . piece together customers’ stolen information for identity theft or for use in a . . . spear phishing attack . . .”

• Elizabeth A. Harris & Nicole Perlroth, For Target, the Breach Numbers Grow, NYT (1/10/14)

Page 10

Intro (c’t’d) – Breaches

TO LEARN MORE

• NIST, Framework for Improving Critical Infrastructure Cybersecurity (2/12/14)
• Marcus P. Zillman, Internet of Things [“IoT”] Resources, LLRX (10/11/14)
• Brownstone, Heartbleed: It’s 10 PM; Do You Know Where Your Data is? ITLawToday (5/6/14)

Page 11

I. Law Overview INTRO – Risks/Leakages

1. Intentionally Harmful Intentional Disclosures

2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social-Media; Sock-Puppeting; P2P)

3. Unintentional Losses of Sensitive Info. = primary focus of this webinar

BUT some Exs. of Category 2 ...

Page 13

I. U.S. & Int’l Legal Rules

A. Default in U.S. & EU

1. U.S. Law

Data presumptively not protected unless rendered otherwise by a specific rule of law

Federal law examples:

Health/medical = HIPAA (breach notice without unreasonable delay and no later than 60 days after discovery)

• covered entities and business associates
• HITECH Act expansion (enacted Feb. ’09)
• HHS Omnibus Final Rule (Jan. ’13; compliance date Sep. 23, ’13)

Financial services = Gramm-Leach-Bliley

Consumer credit reports, etc. = FCRA/FACTA

Page 14

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

Potential Liability

Gov’t proceedings (FTC, HHS, State AGs)

FTC – see D.N.J. (Wyndham) and FTC (LabMD) decisions re: FTC enforcement authority under Section 5 of the FTC Act (each on appeal to a Circuit Court)

HHS (under HIPAA), even re: public sector:

• State (2012): Alaska Dep’t of Health & Social Servs.
• Local (2014): Skagit County, WA

Page 15

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

Potential Liability (c’t’d)

• consumer and/or employee class actions
• corporate customer suits
• shareholder derivative suits
• bad press and/or blog buzz
• reputational hit

Page 17

I(A)(1). States’ Notice-of-Breach Laws

NOTE: the law doesn’t necessarily require encrypting lists of names, addresses, telephone numbers and SSNs

BUT it’s advisable to encrypt SSNs and to encrypt or password-protect lists of witnesses, deponents, experts, etc.

AND, again, there is sensitive/proprietary/IP/product data to consider

Page 18

I(A)(1). States’ Notice-of-Breach Laws

Trigger is a specific combination of data elements (typically a name plus an element such as SSN, driver’s license number, or financial account number with its access code) – expanded in California effective 1/1/14 by SB 46’s amendment to Cal. Civ. Code § 1798.82 to also cover a username or email address together with a password or security question and answer:

• SB 46 – Amendment to California’s Data Breach Notification Law, F&W Privacy Alert (10/28/13)

Trigger usually automatic on unauthorized acquisition of unencrypted data, with no risk-of-harm analysis (as in Cal.)

Notice requirements

• If more than a threshold number of residents is affected, notify the state AG (in Cal., more than 500)
• Might have to describe the circumstances of the breach

Page 19

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

Potential Liability (c’t’d)

Difficulty in proving “injury” (damages):

• Even in a CFAA claim in a suit against the hacker, “loss” is hard to show – remediation and down-time?

“Standing” (“injury”) difficult to show based on mere concern that data will be used:

• trade secrets damages theory
• identity-theft theory, including recent theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code § 56.36 . . .

Page 20

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

ID-theft-concern Standing Theory (c’t’d)

• Sutter Health v. Superior Court, 227 Cal. App. 4th 1546, 174 Cal. Rptr. 3d 653 (7/21/14) (stolen PC; no “reasonable possibility they can amend to allege an actual breach of confidentiality”)

• Regents v. Super. Ct. (Platter), 220 Cal. App. 4th 549, 163 Cal. Rptr. 3d 205 (Cal. App. 2 Dist. 10/15/13), as amended (11/13/13) (drive + key)

• Compare In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litigation, 2014 WL 1858458 (D.D.C. 5/9/14)

Page 21

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

ID-theft-concern Theory (c’t’d)

But see this California Customer Records Act (CRA) federal decision:

• In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916 (N.D. Cal. 9/4/14)

TO LEARN MORE:

• Practical Law, Data Breach Litigation: The Standing and Injury Hurdle (10/14/14)
• Richard Kellner, Losing Medical Records in ‘The Cloud’, Recorder (6/26/14)
• it-LEX, “Mere Loss Of Data” In A Breach Is Not Enough To Confer Standing (5/20/14)

Page 22

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

Potential Liability (c’t’d)

• BUT SEE these negligence decisions:

Lone Star Nat’l Bank v. Heartland Payment Systems, 729 F.3d 421 (5th Cir. 9/3/13)

Resnick v. AvMed, 693 F.3d 1317 (11th Cir. 9/5/12); led to settlement

Patco Constr. Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 7/3/12)

• See also Edward R. McNicholas & Catherine M. Valerio Barrad, Federal Appellate Opinion May Expand Cybersecurity Liability, law360 (9/23/13)

Page 23

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

Potential Liability (c’t’d)

Aside from the viability of legal theories, custom and usage has been . . . .

Potential monetary liability for a breach of unsecured personally identifiable information (PII) is often $130 to $380 per affected person

Average U.S. amount ≈ $188 per compromised record. See Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, Symantec & Ponemon (5/30/13)

Per these data breach calculators:

<http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>

<http://databreachcalculator.com> . . .

Page 24

I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)

Custom/usage (c’t’d)

Typical expense items (chart omitted)

Page 25

I(A). Law (c’t’d) – 2. Int’l

Privacy protected more, e.g.:

• Europe (EU):

France/Germany/Italy/UK

• Elsewhere:

Brazil

“Marco Civil”

Israel

Ukraine

Page 26

I(A)(2). Laws Overseas (c’t’d)

DATA-BREACH NOTIFICATION LAWS

Less widespread than in the U.S., but broader in scope and often with shorter, clearer deadlines . . . e.g.

• Chile

• Germany

• India

• Korea

• Mexico

• Qatar

• Russia

Page 27

I(A)(2). EU Data Directive Compliance

EU, Directive 95/46/EC (1995) “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”

PLUS laws of individual EU countries

BROAD definitions of “personal data,” “processing” and “transfer”

Amendments to make the EU regime STRICTER (the proposed General Data Protection Regulation) pending since ’12

Page 28

I. Law (c’t’d) – B. Contracts’ Ability to Reallocate Risks

Defaults can change based on:

Relative sizes and bargaining power

Industry of prospective customer

Location of data (who stores/hosts it)

Page 29

II. Proactive Prevention

Aggregation of Marginal Gains (security is a “game of inches”)

Data Protection Infrastructure

Protecting Data at Rest

Protecting Data in Motion

Page 30

Aggregation of Marginal Gains

Security is a “game of inches” – “fight for those inches.”

“Large” changes are often challenging to implement and suffer organizational friction

Many “small” changes to your security posture may compound into significant overall improvements

See http://jamesclear.com/marginal-gains

Page 32

Data Protection Strategy

People – Process – Policy – Technology

Page 33

Data Protection – People

Executive leadership – security as an organizational priority

Identified personnel with specific roles, accountability and responsibility

Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)

Improve communication and training about security with all personnel

Human vectors continue to be a key exploit route

See, e.g., the 2011 RSA breach, which began with a phishing e-mail

Page 34

Data Protection – Process

Plan and document security procedures; for example:

Identify the location and content of your data assets, specifically PII or other “sensitive” collections

Routinize security assessments conducted by internal and external experts

Employ incident response drills and training

Develop procedures for the ingestion, storage, security and destruction of data

Page 35

Data Protection – Policy

Organizational security/data protection policies:

General security, confidentiality, acceptable use and information governance policies

Special policies may be required for special data (e.g., HIPAA/PHI)

Incident response and breach notification policies

Records and information retention policies should be evaluated to minimize retention of risky data

Establish a regular policy review cycle

Enforcement and consistent application of policies

Consider certifications, such as ISO 27001

Page 36

Data Protection – Technology

Security of Existing Technology Base

Periodic re-examination of the security posture of existing systems recommended

Cloud-based systems require contractual protections and due diligence

Specialized Security/Data Protection Tools

Technology is not a security “silver bullet”

Even the best technology requires trained personnel to monitor, analyze and address identified anomalies

Page 37

Protecting Data at Rest I

Perimeter Defenses (Incoming & Outgoing)

Firewall

IDS/IPS

Multi-Factor Authentication

Malware Filtering

Data Loss Prevention (DLP)

Access Rights – “Need to Know”

Electronic data destruction (anything with storage)
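The inventory step on the Process slide (identify the location and content of your data assets, specifically PII) and the Data Loss Prevention item above rest on the same building block: a scanner that finds regulated data elements in text. The block below is an added example written for this page, not code from the presenters or from any DLP product. The sample records are constructed (the SSNs and card numbers are well-known test or never-issued values), and the only rules applied are the public SSA issuance rules and the Luhn checksum, which is what keeps order and tracking numbers out of the results.

```python
"""Inventory/DLP scan for likely PII (SSNs and payment-card numbers) in text.

Added example, not from the original slides. SAMPLE_TEXT is constructed:
the SSNs and card numbers are test or never-issued values.
"""
import re

# Hypothetical export from a customer list / ticketing system (constructed).
SAMPLE_TEXT = """\
Jane Roe, SSN 078-05-1120, card 4111 1111 1111 1111, jane@example.com
Order 123456789 shipped 2014-11-11, tracking 1Z999AA10123456784
John Doe, SSN 123-45-6789, card 4111-1111-1111-1112
Invoice 987-65-4321 is not an SSN (area numbers 900-999 are never issued)
"""

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged without re-exposing the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> list:
    """Return one finding per SSN or Luhn-valid card number, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append({"line": lineno, "type": "ssn", "value": mask(m.group(0))})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):    # drops order/tracking numbers that merely look card-like
                findings.append({"line": lineno, "type": "card", "value": mask(digits)})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by type: the number an inventory report or DLP rule acts on."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_TEXT)
    for h in hits:
        print(f"line {h['line']}: {h['type']} {h['value']}")
    print(summarize(hits))
```

For an inventory run, apply scan() to each file on a share and record which paths produce hits; for a DLP rule, run it over outbound mail or uploads and block or quarantine when summarize() reports any card or SSN. On the sample, the Luhn-invalid card on line 3 and the never-issued SSN on line 4 are correctly ignored.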

Page 38

Protecting Data at Rest II

Logging and Analysis of Security Events

Security Information and Event Management (SIEM)

Provides an analytical view into organizational security using a longer-term baseline for anomaly identification

Don’t Forget Paper Documents

Appropriate destruction – shredding, PII bins, etc.

Clean desk policies

Locked offices, drawers and cabinets

Physical Security
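The SIEM point above (a longer-term baseline for anomaly identification) is easier to see in code. The block below is an added example, not from the original slides and not any SIEM product's rule language: it learns each user's normal login hours and source networks from a month of constructed authentication logs, then scores the next day's events against that baseline, alerting on a failure burst or on a successful login that deviates in more than one way. The key=value log format, the users, the networks and the thresholds are all assumptions for the demo.

```python
"""Baseline-and-deviation detection of the kind a SIEM correlation rule runs.

Added example, not from the original slides. Log lines are constructed and
use an assumed key=value format (a real SIEM normalizes vendor formats first).
"""
from collections import defaultdict
from datetime import datetime, timezone

FAIL_THRESHOLD = 5   # consecutive failures that count as a burst (assumed value)


def baseline_logs() -> list:
    """Construct 28 days of routine logins: alice 08-17h from 10.1.4.0/24, bob 09-16h from 10.1.5.0/24."""
    lines = []
    for day in range(1, 29):
        for user, net, first, last in (("alice", "10.1.4", 8, 18), ("bob", "10.1.5", 9, 17)):
            for hour in range(first, last):
                lines.append(f"2014-10-{day:02d}T{hour:02d}:15:00Z user={user} src={net}.{day} result=success")
    return lines


# Constructed events for 11 Nov 2014, in time order: a password-guessing burst against
# bob that succeeds, an odd-hours login for alice from outside, then two routine logins.
NEW_LOGS = [
    f"2014-11-11T02:00:0{i}Z user=bob src=198.51.100.7 result=failure" for i in range(6)
] + [
    "2014-11-11T02:00:10Z user=bob src=198.51.100.7 result=success",
    "2014-11-11T03:12:00Z user=alice src=203.0.113.9 result=success",
    "2014-11-11T10:05:00Z user=alice src=10.1.4.22 result=success",
    "2014-11-11T19:00:00Z user=alice src=10.1.4.22 result=success",
]


def parse(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with an aware datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def net24(ip: str) -> str:
    return ".".join(ip.split(".")[:3])


def build_baseline(lines: list) -> dict:
    """Per-user set of login hours and /24 source networks seen in successful logins."""
    profile = defaultdict(lambda: {"hours": set(), "nets": set()})
    for ev in map(parse, lines):
        if ev["result"] == "success":
            profile[ev["user"]]["hours"].add(ev["ts"].hour)
            profile[ev["user"]]["nets"].add(net24(ev["src"]))
    return dict(profile)


def detect(profile: dict, lines: list, fail_threshold: int = FAIL_THRESHOLD) -> list:
    """Alert on a failure burst, or on a success that combines two or more deviations.

    One weak signal alone (e.g. an evening login from the usual network) is not alerted;
    that suppression is what keeps a baseline-driven rule from paging on every late night.
    """
    alerts = []
    failures = defaultdict(int)
    for ev in map(parse, lines):
        user = ev["user"]
        if ev["result"] != "success":
            failures[user] += 1
            if failures[user] == fail_threshold:
                alerts.append({"user": user, "ts": ev["ts"].isoformat(),
                               "reasons": [f"{fail_threshold} consecutive failures"]})
            continue
        p = profile.get(user, {"hours": set(), "nets": set()})   # unknown user: everything deviates
        reasons = []
        if ev["ts"].hour not in p["hours"]:
            reasons.append("off-hours")
        if net24(ev["src"]) not in p["nets"]:
            reasons.append("new source network")
        if failures[user] >= fail_threshold:
            reasons.append("success after failure burst")
        failures[user] = 0
        if len(reasons) >= 2:
            alerts.append({"user": user, "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(build_baseline(baseline_logs()), NEW_LOGS):
        print(a["ts"], a["user"], ", ".join(a["reasons"]))
```

Run against the sample, the rule raises three alerts (bob's failure burst, bob's success right after it from a new network at 02:00, and alice's 03:12 login from an outside address) and stays quiet on alice's 19:00 login, which is off-hours but from her usual network. The value of the month-long baseline is that "off-hours" and "new network" are defined per user rather than by a global business-hours setting.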

Page 39

Protecting Data In Motion I

Laptops (endpoints)

AV/Malware Detection

Firewall

Full-disk encryption (FDE)

Passwords, screensavers, etc.

BYOD Issues

Storage Devices/Tools

Encryption – flash drives, DVDs, etc.

Restrictions on use of cloud storage services (Dropbox, etc.)

Page 40

Mobile Device Security – Survey

http://www.informationweek.com/security/mobile-security/infographic-mobile-security-run-amok/d/d-id/1113675

Page 41

Mobile Device Security – Survey (c’t’d; chart omitted)

Page 42

Protecting Data in Motion II

Handheld Devices

Encryption

Remote Wiping

Mobile Device Management

BYOD Issues

Backup Tapes

Email encryption

Metadata Scrubbing Tools

Proper Redaction Tools/Methods
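Metadata scrubbing is worth seeing at the file-format level, because a .docx leaks authorship in places a reader never sees. The block below is an added example written for this page, not code from the presenters or any vendor's scrubbing tool. A .docx is a ZIP package: author and last-editor names live in docProps/core.xml, and reviewer comments (with their authors) in word/comments.xml. The example blanks the identifying core properties and flags parts that need a human decision (comments, tracked changes). make_sample_docx() constructs a minimal package for the demo; a real file also carries [Content_Types].xml and relationship parts, which the scrubber copies through untouched.

```python
"""Scrub identifying metadata from an Office Open XML (.docx) package.

Added example, not from the original slides. The sample document is constructed;
the namespace URIs are the standard OOXML ones.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():          # keep the conventional prefixes when re-serializing
    ET.register_namespace(prefix, uri)

# Core properties that identify people or edit history; title and dates are left alone.
SCRUB_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords", "cp:revision")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def make_sample_docx() -> bytes:
    """Constructed sample: a draft witness list with an author, a last editor and a comment."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Witness List</dc:title><dc:creator>J. Associate</dc:creator>'
        '<cp:lastModifiedBy>Partner Laptop</cp:lastModifiedBy><cp:revision>14</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2014-10-01T09:00:00Z</dcterms:created>'
        '</cp:coreProperties>'
    )
    document = f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Draft</w:t></w:r></w:p></w:body></w:document>'
    comments = (f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="J. Associate">'
                '<w:p><w:r><w:t>Client will settle for less</w:t></w:r></w:p></w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def read_core_fields(docx: bytes) -> dict:
    """Return title/creator/lastModifiedBy from docProps/core.xml ('' when absent or blank)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return (el.text or "") if el is not None else ""

    return {"title": text("dc:title"), "creator": text("dc:creator"),
            "lastModifiedBy": text("cp:lastModifiedBy")}


def scrub_core(core_xml: bytes) -> bytes:
    """Blank the identifying core properties; the elements stay so the part remains valid."""
    root = ET.fromstring(core_xml)
    for tag in SCRUB_FIELDS:
        for el in root.findall(tag, NS):
            el.text = None
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def scrub_docx(docx: bytes) -> tuple:
    """Rewrite the package with core properties blanked; report parts that need manual review."""
    warnings = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                data = scrub_core(data)
            elif info.filename == "word/comments.xml":
                warnings.append("word/comments.xml present: comments carry author names and text; "
                                "delete them in the editor before release")
            elif info.filename == "word/document.xml" and (b"<w:ins " in data or b"<w:del " in data):
                warnings.append("word/document.xml contains tracked changes; accept or reject them before release")
            dst.writestr(info.filename, data)
    return out.getvalue(), warnings


if __name__ == "__main__":
    original = make_sample_docx()
    cleaned, notes = scrub_docx(original)
    print("before:", read_core_fields(original))
    print("after: ", read_core_fields(cleaned))
    for n in notes:
        print("WARNING:", n)
```

The scrubber deliberately does not delete word/comments.xml itself: removing a part also requires removing its relationship entry and content-type registration, and a half-removed part produces a file Word reports as corrupt. Flagging it for the author to resolve in the editor is the safer path, and the same reasoning applies to tracked changes. Comments and revisions are exactly the material that a black-box "redaction" drawn over the page never touches.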

Page 43

III. Reactive Remediation – Incident Response

Top Ten

FOLLOW PROCESS (IF ANY!) . . .

10. Policy/Protocols/Checklists

Internal team leaders and members identified, e.g., InfoSec, Legal & Public Relations

Outside contacts listed, e.g., Information-Security consulting firm, Counsel, Law enforcement & Insurance carrier

Page 44

III. Incident Response (c’t’d)

10. Big-Picture Process (c’t’d)

• Categories defined?
• Data- and machine-handling protocol
• Workflow/Communication chart re: Discover/Assess/Contain, Remediate/Close/Mitigate

Page 45

III. TOP TEN TIPS (c’t’d)

FACT INTAKE . . . 4 W’s-plus

9. Who, what, where, when re: info.?

8. Encrypted?

7. If encrypted, key compromised? (some notice statutes’ encryption safe harbor is lost if the key was also acquired)

Page 46

III. TOP TEN TIPS (c’t’d)

GET YOUR BEARINGS . . .

6. If a contractual relationship: look at the contract; decide whether to try to negotiate re: notice

5. If law enforcement is involved, open a dialogue

4. See if, under the strictest applicable statute, notice trigger(s) have kicked in

Page 47

III. TOP TEN TIPS (c’t’d)

TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .

3. If MUST give notice, address required:

Method and Contents
» E.g., Cal. SB 24 (2011) (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code § 1798.82)

Recipients (might include a state AG, e.g.)

Timing (might be OK, under law, to delay, e.g., at law enforcement’s request)

2. If COULD give notice, discuss customer relations with C level

1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)