
Page 1: Mitigating D&O Liability Exposure for Data Privacy and …media.straffordpub.com/products/mitigating-d-and-o...and-cybersecu… · 08-07-2014  · SEC Cybersecurity Risk Alert 27

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches

Reducing D&O Risk With Internal Controls, Insurance, and Indemnification; Defending Derivative Lawsuits

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, JULY 8, 2014

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Today’s faculty features:

Sharon R. Klein, Partner, Pepper Hamilton, Irvine, Calif.

Christopher Rittinger, Complex Claims Director, AIG Insurance, New York

Angelo A. Stio, III, Partner, Pepper Hamilton, Princeton, N.J.

J. Bradley Vatrt, Senior Complex Claims Director, AIG Insurance, New York


Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY


For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).

You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.

If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY


If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY


Sharon R. Klein, Angelo A. Stio III, Christopher Rittinger, J. Bradley Vatrt

Mitigating D&O Liability Exposure For Data Privacy And Cybersecurity Breaches


TOPICS

• Recent focus on data privacy and security issues

− The Target Breach

− Consequences of Breach

• Duties of Directors and Officers

− Duty to Warn

− Duty to Protect

• Class Actions and Derivative Suits

• Insurance

• Practical Considerations



Recent Focus on Data Privacy and Security Issues


Chair Mary Jo White - SEC Cybersecurity Roundtable – March 26, 2014

− “This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”

SEC Commissioner Luis Aguilar – Cyber Risks and the Boardroom Conference – June 14, 2014

− 42% increase between 2011 and 2012 in the number of successful cyber-attacks per week.

− “[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”



Target Breach


• Target system compromised for 19 consecutive days.

• Information of 110 Million people compromised.

• 11 GB of data stolen.


Target Breach: Consequences


− $100M effort to move to chip-based payment cards

− $5M to a campaign to raise awareness on cybersecurity issues

− Overhaul of information security and compliance structure.

− Company has acknowledged failure to adequately handle call volume regarding this incident; increased hiring for phone centers

− Fourth-quarter profit slumped 46% while revenue slid 5.3%

− Reputational Damage

− $61 million in hacking-related expenses

− VP Technology / CIO resigns


Target Breach: Tip of the Iceberg




Duties of Directors and Officers


• Directors are liable for oversight of Company affairs due to their fiduciary duties of loyalty and due care

• Cyber liabilities arising from disclosure of personally identifiable information and trade secrets are known material risks

• Standard of Care as to cyber liability generally can be categorized into regulations dealing with:

− Duty to warn

− Duty to protect


Duty to Warn


• SEC Guidance

• Data Breach Laws and Regulatory Requirements


Duty to Warn: SEC Guidance


SEC Guidance: Disclosure

• Cybersecurity risks and cyber incidents are required to be disclosed when:

− Necessary in order to make other required disclosures not misleading.

− They are such that a reasonable investor would consider them important to an investment decision.

• No existing specific disclosure requirement.

• Registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.


• Places reporting companies may need to include disclosure:

− Risk Factors

− MD&A

− Description of the Business

− Legal Proceedings

− Financial Statement Disclosures

− Disclosure Controls and Procedures


• Is a Form 8-K required after a breach? No (not yet)

• Some companies have elected to file under item 8.01 (Other Information)

• Some companies have taken the position that they notify the public of a breach in other ways and an 8-K is unnecessary.

− Pros: Eliminate any potential insider trading, don’t raise flags with the SEC, disclosure can be copied from breach notices

− Cons: Imperfect information


Duty to Warn: Target Breach


SEC Disclosure

− Filed an 8-K in late February in connection with its earnings release

• Updated risk factors that could affect forward-looking statements in the release (including cybersecurity risks)

• Total of 18 risk factors, 5 relating to the incident

− Filed 10-K on March 14.

• Disclosures regarding the breach were included in: Risk Factors, Legal Proceedings, MD&A (executive summary subpart) and Financial Statement footnotes (commitments and contingencies)

• Target recorded $61 million in breach-related expenses, with insurance covering $44 million for net expenses of $17 million

• Did not estimate losses resulting from litigation, enforcement and related fines


Target 8-K: Risk Factors

− Our continued success is substantially dependent on positive perceptions of Target which, if eroded, could adversely affect our business and our relationships with our guests and team members.

− The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.


− Our failure to comply with federal, state, local and international laws, or changes in these laws could increase our costs, reduce our margins and lower our sales.

− A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.


− We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.


SEC Cybersecurity Risk Alert


• The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on its cybersecurity initiative on April 15, 2014.

• The OCIE will initially examine 50+ broker-dealers and registered investment advisers regarding cybersecurity issues, with a focus on the following:

− Cybersecurity governance; identification & assessment of cybersecurity risks; protection of networks & information; remote customer access and funds transfers; vendors & third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.


• OCIE included a sample questionnaire that closely tracked the NIST Framework released in February.

• Focus on written policies:

− Information security policy

− Business continuity plan

− Guidance for employees re security risks/responsibilities

− Data destruction policy

− Cybersecurity incident response policy

− Vendor and business partner security policy.



Duty to Warn: Data Breach Law and Regulatory Requirements

• State Privacy Laws

− 47 States have data breach notification legislation

− Identity theft legislation including protection of Social Security Numbers

− State legislation on protection of personal information broader than federal (CA, MA, NV)

− Federal privacy legislation generally does not control/preempt state laws.



− Federal Agencies impose specific requirements on content and timeframe of Data Breach notification:

• Office of the Comptroller of the Currency (OCC)

• Federal Deposit Insurance Corporation (FDIC)

• Department of Health and Human Services (HHS)

• Federal Trade Commission (FTC)




Duty to Protect

• Company safeguards for consumer data

• Third party scrutiny



U.S. Federal Laws

− FTC Regulations (all)

− NIST Security/Privacy Framework (all)

− Gramm-Leach-Bliley Act (financial)

− HIPAA / HITECH (healthcare)

− COPPA (children)



FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)

• Congress has been unable to pass a Federal Privacy Bill

• FTC Report is a blueprint for self-regulatory best practices.

• (1) “Privacy by Design”:

− Promote privacy throughout the organization and at every stage of development of products and services

− Delete consumer data no longer needed and allow consumers to do the same

− Provide reasonable security for data

− Limit collection of data (consistent with context of particular transaction)

− Implement reasonable data retention and disposal policies

− Maintain reasonable accuracy of data



• (2) Simplify Consumer Choice:

− Provide consumer choice for any communications not related to original transaction

− “Do Not Track” mechanisms allow consumer to control collection and use of their online data

− Certain choices require consumer to “opt in”

• (3) Improve Transparency to Consumers:

− Clearer and shorter privacy notices

− Provide access to consumer data

− Educate consumers about company’s data privacy practices



NIST Framework

• Provides standards and best practices for organizations to:

− Describe their current cybersecurity posture;

− Describe their target state for cybersecurity;

− Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;

− Assess progress toward the target state;

− Communicate among internal and external stakeholders about cybersecurity risk.



NIST Framework: Core

• Identify

− Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities

• Protect

− Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

• Detect

− Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.



• Respond

− Develop and implement the appropriate activities to take action regarding a detected cybersecurity event and contain its impact.

• Recover

− Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event



Scrutiny of Third Party Relationships

• Liability the same as if company performed activity

• Risk Management Process

− Risk assessment

− Due diligence in third party selection

− Contract structuring

− Oversight/audit




• Contract Structuring

− Compliance with all laws/regulations

− Access to records by company and its regulators

− Prohibition on subcontracting

− Performance standards/SLAs

− Monitoring/audits



− Compliance with company’s privacy/security policies

− Business continuity/disaster recovery plans

− Indemnification

− Exclusion of data breach from the limitation of liability

− Insurance coverage




Class Actions and Derivative Suits


• Historically, courts have been skeptical about data breach claims.

− A body of case law exists in which claims were dismissed for lack of standing where there were no actual damages; fear of identity theft or purchasing credit monitoring is not enough. See Clapper v. Amnesty International, Inc., 133 S.Ct. 1138 (2013); In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, No. 12-347 (D.C. May 9, 2014).

− Typical claims include: negligence, UDTPA violations, invasion of privacy, unfair competition, violation of state data notification laws.


More and more class actions are being filed as the plaintiffs’ bar gets more creative

• Valdez v. Quantcast, MTV, NBC Universal et al. (CD.Cal. 2010)

− Violation of Computer Fraud and Abuse Act, 16 U.S.C. § 1030

− Violation of Electronic Communications Privacy Act, 18 U.S.C. § 2510

− Violation of Video Privacy Protection Act, 18 U.S.C. § 2710

− Violation of California’s Computer Crime Law, Penal Code § 502

− Violation of California’s Invasion Of Privacy Act, California Penal Code § 630

− Violation of UCL, Bus & Prof. Code § 17200

− Violation of CLRA

− Unjust Enrichment


In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. 2014)

• Putative class action based on a data breach.

• Plaintiffs’ allegations that their personal information was collected by defendant and then wrongfully disclosed as a result of the intrusion were sufficient to establish Article III standing at the motion to dismiss stage.

• Plaintiffs claim economic injury in the form of (1) loss of the unencumbered use of their passwords; (2) their passwords were obtained by a third party without their consent; (3) they were unable to access Sony Online Services during the time the PlayStation service was temporarily disabled; (4) certain applications and products that can only be accessed via the network were rendered worthless during the brief interruption in PlayStation service; and (5) their consoles diminished in value as a result of Sony's failure to secure the network and/or the extended time during which the network was disabled.

• Consumer protection law statutes allowed to survive motion to dismiss.


Target Class Actions

• Approximately 70 pending in 21 states

• Consumers asserting claims for negligence, breach of fiduciary duty, and violations of consumer protection laws

• Banks and Credit Unions seeking damages for, among other things, cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards

• On April 2, 2014, the Judicial Panel on Multi-District Litigation entered a transfer order transferring all class actions to the District of Minnesota, assigned to District Judge Paul A. Magnuson.

• The U.S. Department of Justice and State Attorneys General, led by Illinois and Connecticut, are investigating the matter.


SHAREHOLDER DERIVATIVE SUITS

• In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)

− In December 2007, a cyber attack on Heartland’s computer system infected the entire payment processing system.

− Loss of personal information on 130 million credit and debit card owners.

− Heartland did not discover this breach until early 2009.

− Heartland's stock falls by a total of 80%, resulting in a suit by shareholders who purchased stock in 2008.


− Investors allege fraud on the basis that Heartland misrepresented the state of its computer network security.

− The claims are based on Heartland publicly stating it was committed to maintaining high levels of data security after Heartland discovered the breach but before the breach was disclosed to the public.


− On the motion to dismiss, the Court found that the security breach alone did not demonstrate that the company failed to “place significant emphasis on maintaining a high level of security.”

− Plaintiffs could not allege Heartland knew or had reason to suspect that its security systems were so deficient that it was false to say that Heartland “place[s] significant emphasis on maintaining a high level of security.”

− “[A]fter-the-fact speculation by a handful of lower-level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.”


• Palkon v. Wyndham Worldwide, et al., 2:14-cv-01234 (D.N.J. May 2, 2014)

− Derivative suit against officers and directors of Wyndham related to three data breaches between April 2008 and January 2010.

− 619,000 consumer payment card account numbers are compromised.

− Suit alleges that officers and directors failed to ensure that Wyndham and its subsidiaries implemented adequate information security policies and procedures, used an out-of-date network and then failed to timely disclose breaches in Company filings.

− Asserts claims for breach of fiduciary duty (loyalty and care), corporate waste and unjust enrichment and seeks to recover damages suffered by company, remedial action with respect to corporate governance and internal procedures and disgorgement of profits and compensation.

− Motion to dismiss has been filed.


• Kulla v. Target Corp., et al., 0:14-cv-00203 (D.Minn. Jan. 21, 2014)

• Collier v. Target Corp. et al., 0:14-cv-00266 (D.Minn. Jan. 29, 2014)

− Derivative suits against officers and directors of Target arising from the largest data breach in history.

− 619,000 consumer payment card account numbers are compromised.

− Suits allege that officers and directors were aware of the importance of securing customer information and of the risks a data breach could present, yet failed to take reasonable steps to protect customers’ personal financial information and failed to implement internal controls to detect and prevent a breach. The complaints also contend that defendants failed to take proper steps to respond.

− Claims for breach of fiduciary duty (loyalty and care), aiding and abetting, corporate waste and unjust enrichment; seek to recover damages suffered by the company, remedial action with respect to corporate governance and internal procedures, and disgorgement of profits and compensation.

SHAREHOLDER DERIVATIVE SUITS

Common Themes:

• Duty to warn

• Duty to protect

− A sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists — will establish the lack of good faith. In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).

SHAREHOLDER DERIVATIVE SUITS

Potential Defenses:

• Lack of standing – no damage

• Failure to plead requirements of derivative suit

• Business judgment rule

• Director exculpation clause

• No misrepresentations/No Concealment

• Company has internal controls which Board oversees and monitors

TOPICS

• Recent focus on data privacy and security issues

− The Target Breach

− Consequences of Breach

• Duties of Directors and Officers

− Duty to Warn

− Duty to Protect

• Class Actions and Derivative Suits

• Insurance

• Practical Considerations

Insurance

D & O Insurance

− Would a D & O Policy cover breach of fiduciary duty claims related to a data breach?

− Do any exclusions apply?

− What triggers coverage?

− What coverage is typically available?

• Derivative Actions

• Enforcement Actions

• Investigations

Cyber-Insurance: Coverage

• Crisis Management Expenses

− Notification costs

− Credit monitoring costs

− PR costs

− Forensic examination costs

− Legal analysis costs

• Claim Expenses

− Costs of defending lawsuits

− Judgments and settlements

− Regulatory response/settlement costs

− Regulatory compliance costs

− PCI-DSS fines and penalties

Cyber-Insurance: Other Coverage

• Network interruption

− Costs for insured’s loss of income and operating expenses due to a cyber event

− Loss includes: Lost income and normal operation expenses

− Public relations/legal assistance expense coverage

• Costs of restoring or recollecting

− Lost data

− Stolen data

− Damaged data

• Cyber-Extortion

− Network security demands related to extortion demands

− Legal and forensic costs of investigations to determine the cause of the breach and to settle extortion demands

TOPICS

• Recent focus on data privacy and security issues

− The Target Breach

− Consequences of Breach

• Duties of Directors and Officers

− Duty to Warn

− Duty to Protect

• Class Actions and Derivative Suits

• Insurance

• Practical Considerations

Practical Steps Companies Must Take

1. Preparation

− Self-assessment

− Know legal requirements

2. Detection

− Monitor compliance

3. Analysis and Prioritization

− Which states/countries

− Which law enforcement/regulators

4. Investigation and Mitigation

− Analyze root cause

− Mitigate/remediate loss

5. Notification

− Send individual or substitute notice

− Engage public relations

− Notify insurance carrier(s)

6. Post-incident activity

− Incorporate lessons learned

Practical Steps: Preparation

• Self Assessment:

− Analyze cyber risks throughout collection, transmission, use, storage, destruction

− Assess security infrastructure, connectivity, cloud for malware/misuse

− Audit third parties and applications

− Develop incident response programs

− Obtain consent for collection of personally identifiable information

Practical Steps: Preparation

• Establish written policies and procedures to regulate compliance

− Institute a privacy policy (data collection, sharing and retention/destruction)

− Adopt a BYOD policy and appropriate safeguards

− Institute a business continuity plan

• Put a cybersecurity insurance policy in place or review/upgrade current policy

Practical Steps: Detection

• Set up intrusion detection/firewalls and contract for technology to assist with detecting and managing risk

• Establish a process for reporting suspicious activity

• Assess and mitigate transactional risk

− Inheriting risks from a target in an acquisition: include appropriate counsel in the diligence review

− Agreements with vendors/suppliers should include provisions safeguarding systems and data, and appropriate SLAs

− Agreements with customers/clients should address risks, allocate responsibility (for agreements with other businesses), and establish a venue for claims

Practical Steps: Analysis and Prioritization

• Identify all applicable laws and regulatory requirements

• Establish appropriate law enforcement contacts and relationships with the regulators

• Evaluate the current compliance structure

− Attorney-client privilege protection for the gap analysis

− Set up a system regulating access to data, OR

− Amend, expand or streamline the existing system as needed

Practical Steps: Investigation and Mitigation

• Undertake Fact-Finding Protected by Attorney-Client Privilege

• Work with Forensics Consultants/FGIS to Contain Breach

• Document Each Step of the Investigation Findings

• Technical Mitigation to Correct Cause of Breach

• Legal Mitigation to Update Policies/Procedures

• Address Personnel Issues—Educate Employees

Practical Steps: Notification

• Internal Notification

− Notify the Breach Incident Response Team

− Provide Employee Awareness

• External Notification

− Consumers whose data has been breached

− Law enforcement

− Attorneys general

− Consumer agencies

− Regulators

− Investors

− Data protection authorities

− Insurance

Practical Steps: Post Incident Activity

• Review and determine the adequacy of:

− Incident response team model

− Policies/procedures

− Response tools and resources

− Training of employees

− Integrity of third parties

− Documentation and reports

Speaker: Sharon R. Klein

949.567.3506 [email protected]

• Partner in the Corporate and Securities Practice Group

• Partner in charge of the firm’s Orange County office and chair of the Privacy, Security and Data Protection practice

• Handles a variety of corporate and intellectual property matters, in particular, helping information technology and telemedicine clients grow and succeed

• Commissioner of the Electronic Healthcare Network Accreditation Commission (EHNAC), a voluntary, self-governing standards development organization established to develop standard criteria and accredit organizations that electronically exchange health care data.

Speaker: Angelo A. Stio III

609.951.4125 [email protected]

• Partner in the Litigation and Dispute Resolution Department of Pepper Hamilton LLP and a resident in the firm’s Princeton, New Jersey office.

• Member of the firm’s Privacy, Security and Data Protection group, and has counseled health care, financial services and educational institution clients on data privacy issues

• Practice focuses on complex commercial disputes, defending class actions and derivative suits, corporate governance issues, and the representation of colleges and universities.

Speaker: Christopher Rittinger

212.458.3264 [email protected]

• AIG Complex Claims Director in the Directors & Officers, National Accounts Group

• Mr. Rittinger has worked at AIG for the past 5 years and handles high-exposure claims from inception through conclusion.

• Mr. Rittinger is responsible for coverage analysis, litigation management, and litigation resolution strategy for matters submitted with a specific focus on derivative shareholder suits, securities class action suits, and regulatory investigations and enforcement actions.

• Before joining AIG, Chris was an assistant district attorney at the Brooklyn DA’s office for three years and worked as a litigator in private practice for 6 years.

Speaker: J. Bradley Vatrt

212.458.3986 [email protected]

• Senior Complex Claims Director, Network Security/Media/Technology for AIG

• Mr. Vatrt evaluates coverage and drafts detailed analyses pursuant to security and privacy, crisis management, technology, media, internet, and miscellaneous professional liability policies.

• Mr. Vatrt advises senior management, underwriters, brokers and insureds regarding coverage, litigation / dispute resolution strategies, and the business impact of lawsuits.

• Mr. Vatrt serves as the Senior Complex Claim Director for AIG’s Kidnap and Ransom claims group.

• Mr. Vatrt joined AIG in 2008, after working as a litigator in New York for over six years.
