@Lonestar_Lawyer @shawnetuma @TexasBarCLE #TBCLE Cyber Liability Insurance Counseling and Breach Response
Elizabeth Rogers, Greenberg Traurig, LLP
[email protected]
@Lonestar_Lawyer
Shawn Tuma, Scheef & Stone, LLP
@shawnetuma
Breach! Immediate Priorities
• Leadership!
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought & rational behavior
Data Breach Foundations
Is the cyber event an incident or a breach?
▪ Event: any occurrence.
▪ Incident: an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of the system, data, policies, or practices.
▪ Breach: actual loss of control, compromise, unauthorized disclosure, acquisition or access of data.
▪ Ransomware? Encryption safe harbor?
Data Breach Foundations
Is the cyber event caused by criminal or negligent actions?
▪ Hacker stealing IP from network.
▪ Employee misplaces unencrypted USB drive with PII.
▪ Focus on the action – why was it done?
▪ Report criminal events to law enforcement; negligent events usually are not reported.
Data Breach Foundations
The difference between reporting, disclosing, notifying?
▪ These terms are often used interchangeably; the distinctions below are not official, just used here for clarity.
▪ Reporting: to report a crime to law enforcement.
▪ Disclosing: to disclose (notify) to a state or federal regulator of a data breach.
▪ Notification: to notify the data subjects of a data breach.
Disclosure to Government Regulators
▪ Remember our fiction: reporting / notifying / disclosing
▪ What type of data was breached? (PII, PHI, Fin. Data, PCI)
▪ Which laws apply?
▪ Regulated industry? (HHS, SEC, FDIC, FINRA)
▪ e.g., Health → HHS; ≥ 500 affected = report within 60 days, < 500 affected = annual report
▪ State jurisdictions?
Data Breach Response
The difference between reporting, disclosing, notifying?
▪ These terms are often used interchangeably; the distinctions below are not official, just used here for clarity.
▪ Reporting: to report a crime to law enforcement. OPTIONAL, MAYBE.
▪ Disclosing: to disclose (notify) to a state or federal regulator of a data breach. NOT OPTIONAL.
▪ Notification: to notify the data subjects of a data breach. NOT OPTIONAL.
Disclosure to Government Regulators
Breach Notification Laws
▪ No national breach notification law
▪ 47 states with laws + DC, PR, VI (not AL, NM, SD)
▪ The data subjects’ state of residence determines which laws apply, plus the state(s) where the company does business.
▪ Some consistency but some not (e.g., MA & CA)
▪ Review each time – constantly changing.
Disclosure to Government Regulators
▪ Is it a triggering “breach” under each relevant state’s laws?
▪ Which states’ laws require disclosure to their AG?
▪ Most, under certain circumstances (not TX).
▪ Which require pre-notice of a breach notification?
▪ CA, CT, NH, NJ, NY, NC, PR, WA
▪ When must disclosures be made? (with notification: 30 days / 45 days / a reasonable time, depending on the state)
▪ How must disclosure be made? (template / portal)
Texas Breach Notification Law
Notification Required Following Breach of Security of Computerized Data, Tex. Bus. Comm. Code § 521.053
▪ “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” (See Appendix B)
Texas Breach Notification Law
▪ Breach of System Security: “unauthorized acquisition ... compromises the security, confidentiality, or integrity of” SPI. Employee leaving with customer data?
▪ Applies to anyone doing business in Texas.
▪ Notify any individual whose SPI “was, or is reasonably believed to have been, acquired by an unauthorized person.”
▪ When: “as quickly as possible,” but allows for a delay at the request of law enforcement
▪ Penalty: $100 per individual per day for delayed time, not to exceed $250,000 for a single breach (AG / no civil remedy)
Sensitive personal information (SPI) combinations that constitute a data breach:
▪ First name or first initial + last name + SSN, driver’s license number, or government ID → data breach
▪ First name or first initial + last name + account or card number + access or security code → data breach
▪ Information that identifies an individual and relates to health care provided or payment for it → data breach
Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053
CIVIL PENALTY: $100.00 per individual per day for notification delay, not to exceed $250,000 for a single breach (§ 521.151)
Reporting to Law Enforcement
▪ Role of law enforcement.
▪ When to report to law enforcement?
▪ Federal, state, or local law enforcement?
▪ When will law enforcement not get involved (usually)?
Reporting to Law Enforcement
▪ Is it mandatory to report to law enforcement?
▪ State breach notification laws presume reporting.
▪ DOJ, NIST, FTC (“we’d view that company more favorably than a company that hasn’t”)
▪ US Senate (Yahoo) – when did you report to law enforcement or other government authorities?
▪ Credibility – the “state sponsored” “unprecedented” game.
Reporting to Law Enforcement
Benefits of reporting to law enforcement.
▪ Agencies can compel info from 3rd parties.
▪ Can work with foreign counterparts.
▪ Viewed favorably by regulators, shareholders, public.
▪ Can request delay of reporting.
▪ Can result in a successful prosecution.
▪ Resources, expertise, institutional knowledge, your $$$
Reporting to Law Enforcement
Dispelling myths of reporting to law enforcement.
▪ Reporting to law enforcement is not the same as disclosing to regulators.
▪ Law enforcement doesn’t “take over” your operations, unlike a regulatory enforcement action.
▪ Law enforcement uses discretion, doesn’t tattle on you.
▪ Company is still viewed as the victim.
▪ Use hypotheticals, if needed.
Cyber Insurance
Cyber Insurance – Key Questions
• Do you even know if you have it?
• What period does the policy cover?
• Are Officers & Directors Covered?
• Cover events caused by 3rd parties?
• Social engineering coverage?
• Cover insiders’ intentional acts (vs. negligent acts)?
• Contractual liability?
• What is the triggering event?
• What types of data are covered?
• What kind of incidents are covered?
• Acts of war?
• Required carrier list for attorneys & experts?
• Other similar risks?
10 Key Issues in Cybersecurity Insurance Policies
1. What period does the policy cover?
2. Will Officers & Directors fall into the gap?
3. Does policy exclude liability for injuries arising from breach of contract?
4. Does policy cover actions caused by your vendors and contractors?
5. Does policy provide excess coverage with a drop-down provision?
6. Does policy provide coverage for insiders’ intentional acts – as opposed to negligent acts?
7. What is the triggering event for coverage?
8. What types of data are covered?
Data Sources
• Company Data
• Workforce Data
• Customer / Client Data
• Other Parties’ Data
  • 3rd Party Business Associates’ Data
  • Outsiders’ Data
9. What kinds of breach events are covered?
Threat Vectors
• Network
• Website
• BYOD
• USB
• GSM
• Internet Surfing
• Business Associates
• People
10. How are exclusions for “cyber acts of war” and “cyber terrorism” treated?
Additional Cybersecurity Insurance Considerations
Contracts
• 3rd party liability
• Healthcare (BA)
• Software license audit
• Permissible access & use in policies, BYOD
• EULA / TOS
Marketing
• FTC Act § 5
• SPAM laws
• NLRB rules
• CDA § 230
• Website audits
• IP issues
• Acct ownership
Privacy
• Privacy policies
• Privacy & data practices
• Destruction policies
• Monitoring workforce
• Business intelligence
Industry Regulation
• PCI (Payment Card Industry)
• FFIEC (Federal Financial Institution Examination Council)
• FINRA (Financial Industry Regulatory Authority)
• SIFMA (Securities Industry and Financial Markets Association)
What other cyber risk events are covered?
What coverage do you need, and how much?
Should you agree to using the carrier’s list of attorneys and experts?
QUESTIONS?
Shawn Tuma, Scheef & Stone, LLP
Frisco, Texas | 214.472.2135
www.shawnetuma.com (blog) | @shawnetuma
Elizabeth Rogers, Greenberg Traurig, LLP
Austin, Texas | 512.320.7256
@Lonestar_Lawyer