2_CyberSecurity_2d_ARMA_IG_Panel_7-14-15


Transcript of 2_CyberSecurity_2d_ARMA_IG_Panel_7-14-15

Page 1: 2_CyberSecurity_2d_ARMA_IG_Panel_7-14-15

New World Cyber Threats – Having a Good IG Foundation Can Help ARMA & IBM IG Track – Panel # 2 – July 14, 2015

Discussion Leader: Robert D. Brownstone, Fenwick & West LLP

Panelists:

• Cary Calderone, SandHill Law

• Sylvia Johnson, Wells Fargo

• Tyler Newby, Fenwick & West LLP

• James Schellhase, IBM

July 13-14, 2015, San Francisco - Hyatt Regency

Page 2

Outline/ Agenda

INTRODUCTION – Anthem & Sony Post-Mortems

I. Liability Risks

II. Proactive Preventative Measures

III. Frameworks/Resources

IV. Reactive Remediation (Incident-Response)

CONCLUSION/Questions

Page 3

INTRODUCTION – Anthem & Sony Post-Mortems

Breach Prevalence

• “Chronology of Data Breaches” for 4/20/05 – 6/4/15 (≈ 816 M records; > 4,500 incidents)

• “Office of Inadequate Security”

• PricewaterhouseCoopers LLP (pwc), U.S. Secret Service et al., US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey (June 2014)

• Ponemon Inst. o/b/o HP Enterprise Security, Cyber Crime Costs Continue to Grow (2014)

Page 4

INTRO (c’t’d) – Anthem & Sony Post-Mortems

Diagnoses of Causes of:

• Anthem Breach

  Eduard Kovacs, Industry Reactions to Anthem Data Breach (Security Week 2/6/15)

  Joseph Conn, Legal liabilities in recent data breach extend far beyond Anthem, ModernHealthcare (2/23/15)

• Sony Pictures Hack

  Overview at Slides 5-9 below

  Sources at Slide 10

Page 5

INTRO (c’t’d) – Sony Breach

WHEN?

• Started over a year before Dec ’14

WHO?

• Might be a combination . . .

• Likely not nation-state (North Korea)

• Attackers only latched onto “The Interview” after the media did (Rogers)

• Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware

• Noisy announcement of themselves, including image of blazing skeleton posted to infected computers

Page 6

INTRO (c’t’d) – Sony (c’t’d)

WHO (c’t’d)?

• Likely hacktivists:

  One theory is that disgruntled former employees were involved;

  Alternate theories of outsiders who disagreed with the company’s policies and practices

• Data dumped (posted to Pastebin, unofficial cloud repository of hackers) rather than IP sold or $ stolen from financial accounts . . .

• VERY savvy re: web & social media

Page 7

INTRO (c’t’d) – Sony (c’t’d)

WHAT (in addition to emails)?

• PII and PHI (SSNs, DOBs, medical conditions, etc.)

• Lots of documents exfiltrated:

  List of employee salaries and bonuses

  HR – employee performance reviews, criminal background checks and termination records

  IP (script; films)

• Twitter accounts taken over

• Data destroyed (overwritten) by malware; some wiped via commercially available product (RawDisk)

Page 8

INTRO (c’t’d) – Sony Breach

HOW?

• Phishing?

• Website vulnerabilities exploited

• Means to achieve ends:

  Hundreds of employees’ usernames and passwords

  RSA SecurID tokens and certificates

  Sensitive info. about network architecture

  Asset list mapping the location of the company’s databases and servers around the world

  List of routers, switches and load balancers, and the usernames and passwords administrators used to manage them

Page 9

INTRO (c’t’d) – Sony Breach

HOW (c’t’d)?

• Inability of traditional AntiVirus to detect bespoke malware

• Whatever Data Loss Prevention (DLP) solution Sony used missed transfers of terabytes of data out of the network

• On-premise perimeter security appliances missed:

  huge anomalies in network traffic, machine usage & host relationships

  Sony’s own edge being hijacked and used as public BitTorrent servers aiding the exfiltration of data?

WHAT NOW?

• Start over (every password, key and certificate tainted)

From the Rogers article cited below
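As an added illustration (not from the panel's slides) of the kind of egress-volume baseline check that surfaces the multi-terabyte transfers described above: each host's daily outbound bytes are compared with the median of its own earlier days, and a day is flagged only when it is both far above that baseline and large in absolute terms. The flow summaries, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries (not real data): (day, internal host, bytes_out).
# "fs-02" is a file server whose outbound volume jumps to several TB on day 5.
SAMPLE_FLOWS = [
    (1, "fs-02", 2_000_000_000), (2, "fs-02", 2_400_000_000), (3, "fs-02", 1_900_000_000),
    (4, "fs-02", 2_100_000_000), (5, "fs-02", 3_500_000_000_000),
    (1, "ws-17", 150_000_000), (2, "ws-17", 90_000_000), (3, "ws-17", 160_000_000),
    (4, "ws-17", 140_000_000), (5, "ws-17", 170_000_000),
    (1, "web-01", 50_000_000_000), (2, "web-01", 52_000_000_000), (3, "web-01", 48_000_000_000),
    (4, "web-01", 55_000_000_000), (5, "web-01", 60_000_000_000),
]


def daily_totals(flows):
    """Sum outbound bytes into {host: {day: bytes_out}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def egress_anomalies(flows, ratio=5.0, min_bytes=100_000_000_000, min_history=3):
    """Return (host, day, bytes_out, baseline) for days on which a host sent at least
    `ratio` times its median outbound volume over earlier days AND at least
    `min_bytes` in absolute terms. The thresholds are illustrative assumptions; the
    absolute floor stops quiet hosts from alerting on small fluctuations."""
    alerts = []
    for host, per_day in daily_totals(flows).items():
        history = []  # the host's outbound totals for earlier days, in day order
        for day in sorted(per_day):
            nbytes = per_day[day]
            if len(history) >= min_history:
                baseline = median(history)
                if nbytes >= ratio * baseline and nbytes >= min_bytes:
                    alerts.append((host, day, nbytes, baseline))
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, baseline in egress_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {host} day {day}: {nbytes / 1e12:.2f} TB out "
              f"vs. median {baseline / 1e9:.1f} GB on earlier days")
```

Pointing the same check at a host's count of distinct external peers, rather than its byte volume, gives a first cut at the "host relationships" anomaly the slide mentions.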

Page 10

INTRO (c’t’d) – Sony Breach

Sources for the above Slides 5-9:

• Zetter, Sony Got Hacked Hard: What We Know and Don’t Know So Far, Wired (12/3/14)

• Sony Pictures, Dear SPR Employees (12/8/14) (letter now posted on Cal. Attorney General’s website)

• Rogers, Why the Sony hack is unlikely to be the work of North Korea, Marc’s Security Ramblings (12/18/14)

• Zetter, The Evidence That North Korea Hacked Sony Is Flimsy, Wired (12/18/14)

• Wikipedia, Sony Pictures Entertainment hack (1/22/15)

Page 11

I. Liability Risks

Litigation is just one expense

• Business downtime

• Infrastructure replacement

• Loss of customer goodwill and contracts

• Outside forensics

• Notification costs

• Contractual indemnities

• Regulatory investigations

Page 12

I. Liability Risks

Response & remediation costs are growing with the size of breaches

• Sony Pictures: $100+ million

• Target: $138+ million

• eBay: Expenses affected operating margin by 1.9%

• Home Depot: $43 million

• Sony PSN (2011): $171 million

Page 13

I. Liability Risks

Lawsuits – Consumer class actions are just one of Hydra’s heads

• Consumer class action settlement agreement with Target for $10 million, but . . .

• MasterCard/Target breach $19M settlement agreement fell apart

• Lawyers for the banks did not think it was enough!

Page 14

I. Liability Risks (c’t’d)

MasterCard/Target (c’t’d)

• Lawyers for the banks have estimated the total losses at more than $160 million, with approximately half that amount lost to fraud and half to the cost of reissuing nearly 9 million credit cards

• In 2013, Target said the breach during the holiday shopping season compromised at least 40 million credit cards and may have resulted in the theft of personal information from as many as 110 million people

• Target is still negotiating with Visa Inc. over losses from the breach

Joseph Ax, MasterCard, Target data breach settlement falls apart, Reuters (May 22, 2015)

Page 15

I. Liability Risks (c’t’d)

FTC Enforcement

• BJ’s Wholesale (FTC enforcement action): Companies with customer or employee info have a general obligation to protect PII with reasonable and appropriate security practices

• FTC v. Wyndham Worldwide Corp.: FTC has authority to bring an enforcement action under Section 5 of the FTC Act

• LabMD:

  FTC has authority to investigate data security with investigative requests (Civil Investigative Demands)

  FTC must share its standards with LabMD

Page 16

I. Liability Risks (c’t’d)

Plaintiffs suing for data breaches use several different legal theories:

• negligence

• breach of express or implied contract

• breach of express or implied warranty

• unfair and deceptive trade practices act

• data breach notification laws

Many suits fail early because plaintiffs cannot establish:

• standing to sue

• damages

• causation

Page 17

II. Proactive Preventative/Precautionary Measures

• Access Restrictions

• Passwords

• Encryption

• Written Policies AND Training

• Network Monitoring & Pen(etration) Tests

• Cyber-Insurance . . . .

Page 18

II. Proactive Measures (c’t’d)

Does your Commercial General Liability (CGL) Policy have you covered?

• Probably not

• IBM case - Recall Total Information Management Inc. v. Federal Insurance Co., 317 Conn. 46 (May 26, 2015)

• Sony PlayStation case - Zurich American Insurance Co. v. Sony Corp. of America, 2014 WL 3253541 (Sup. Ct. N.Y. Cty. Feb. 24, 2014), appeal withdrawn on stipulation, 127 A.D. 3d 662 (Apr. 30, 2015)

Page 19

II. Proactive Measures (c’t’d)

Cyber-Insurance . . .

First Party Coverage? Third Party Coverage (clients, vendors, employees, etc.)?

Covered by Prop. Ins. Policy? CGL Policy?

Covered by D&O and/or E&O?

If not, get separate/special coverage?

Depends at least in part on:

• Industry

• Data types and volumes

Page 20

II. Proactive Measures (c’t’d)

Lawyer’s Role in a Security Program

• Understand the program’s core elements

• Draft/review/update policies and procedures

• Develop training program

• Investigate potential policy violations and breaches

• Develop vendor and customer contract requirements

• Influence legislative and rulemaking processes

Page 21

II. Proactive Measures (c’t’d)

Lawyer’s Incident Response Playbook

• Preselect law firm(s) and forensic investigator(s) (see insurer’s panel, PCI approved list)

• Preselect notification and call support vendor

• Engage law firm(s)

• Engage forensic investigator(s)

Page 22

III. Frameworks/Resources (in alpha order)

• APEC: APEC Privacy Framework

• COBIT 5 – ISACA

• ISO/IEC 27001 – “Information security management”

• LegalSEC™ – ILTA

• NIST, Framework for Improving Critical Infrastructure Cybersecurity (2/12/14), per Pres. Obama’s Executive Order 13636 (2/12/13)

Page 23

III. Frameworks/Resources (c’t’d)

• NIST

  Special Publication 800-53, Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations (maps to ISO 27K)

  Special Publication 800-61, Revision 2 – Computer Security Incident Handling Guide

• SOC 2® Report — “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” (AICPA)

Page 24

III. Frameworks/Resources (c’t’d)

Other Resources (in alpha order) . . .

• Brownstone:

  Data Security Breaches: Proactive Prevention and Reactive Remedies, AudioSolutionz Webinar slides (5/14/15)

  Using Analytics to Clean Out the ESI Garage, Today’s General Counsel (Oct./Nov. 2014) (co-author)

  Heartbleed: It’s 10 PM; Do You Know Where Your Data is? ITLawToday (5/6/14)

• Cloud Security Alliance

• Schneier on Security

Page 25

IV. Reactive Remediation (Incident-Response)

Lawyer’s Incident Response Playbook (c’t’d)

• Understand types of data that were compromised (e.g., customer data, proprietary data, employee data)

• Contact regulators that require:

  early warning, even before a breach is confirmed

  notification after a breach is confirmed

• Contact law enforcement if necessary or advisable

• Contact Risk Management or notify insurer

Page 26

IV. Incident-Response (c’t’d)

Lawyer’s Incident Response Playbook (c’t’d)

• Draft any breach notice required by:

  law

  customer contracts

  contract with a payment card acquiring bank

• Draft any required SEC material event disclosure

• Review external communications (press releases, press or media standby statement, website content, social media)

Page 27

IV. Incident-Response (c’t’d)

Lawyer’s Incident Response Playbook (c’t’d)

• Attorney-Client Privilege and Attorney Work-Product

  May not be appropriate for all / small incidents

  The activity/assessment was initiated for the purpose of providing legal advice

  The privilege is being claimed in an adversarial proceeding (not against a regulator)

  Reports and communications are selectively distributed

Page 28

IV. Incident-Response (c’t’d)

Lawyer’s Incident Response Playbook (c’t’d)

• ACP & AWP (c’t’d)

  An attorney or an attorney’s subordinate (e.g., Compliance) is involved in day-to-day interactions (not sufficient to copy a lawyer)

  The issue under review is selective and not routine (because routine assessments are a business function, not a legal function)

Page 29

IV. Incident-Response (c’t’d)

• ACP & AWP (c’t’d)

  Create templates of self-executing instructions to the incident-response (IR) team and PR team that investigation and public statements will be managed by counsel for the purpose of providing legal advice and protecting legal interests

  Designate legal point person leading investigation

  Forensic investigators (internal and external) should report results to counsel

Page 30

IV. Incident-Response (c’t’d)

• ACP & AWP (c’t’d)

  Templates of self-executing instructions (c’t’d)

  External crisis management PR should be engaged by counsel (in-house or outside) in a consulting role

  Establish daily (or more frequent in early stages) meetings attended by counsel for status reporting

  PR strategy and statements should be reviewed/approved by counsel

  Consider creation of two forensic incident reports

Page 31

CONCLUSION/Questions

Sylvia Johnson <[email protected]>

Cary Calderone <[email protected]>

Tyler Newby <[email protected]>

Robert D. Brownstone <[email protected]>

<tinyurl.com/Bob-Brownstone-Bio>

<www.ITLawToday.com>

James Schellhase <[email protected]>

<ibmecmblog.com>

<@ibm_ecm>