CYBER-ATTACK LIABILITY AND PROTECTING CLIENT INTERESTS
First Run Broadcast: February 14, 2020
1:00 p.m. E.T./12:00 p.m. C.T./11:00 a.m. M.T./10:00 a.m. P.T. (60 minutes)
Every company that stores files in the cloud, has a Web site, or engages in e-commerce is a data breach waiting to happen. Cyberattacks have become more frequent and more sophisticated, breaching even federal security agencies and global finance companies. Every smaller company is constructively on notice that it may be the next victim of a malicious breach. When that happens, clients often turn to their lawyers and ask: what now, and are we liable? This program will provide lawyers with a real-world guide to advising clients about data breaches – what they are, how to protect themselves legally, and what to do if it’s too late.
• Framework of law of cybersecurity – sources of liability under federal and state law
• What constitutes a data breach and your client’s obligation to protect against breaches
• Data breach notification laws – what must you disclose and when
• Risk of private causes of action and best practices to avoid
• Policies, processes and agreements to protect against, or respond to, a data breach
Speaker:
Sue C. Friedberg is a partner in the Pittsburgh office of Buchanan, Ingersoll & Rooney, PC, where she is co-chair of Buchanan’s Cybersecurity and Data Protection Group. She advises clients about rapidly evolving standards of care for safeguarding confidential information and responding effectively to security incidents that threaten to compromise their valuable or protected information. She helps clients assess their data security risks and capabilities, develop information security programs, design incident response plans, and prepare and update contracts. Ms. Friedberg earned her B.S., magna cum laude, from Georgetown University and her J.D., cum laude, from the University of Pittsburgh School of Law.
VT Bar Association Continuing Legal Education Registration Form
Please complete all requested information, print this application, and fax with credit info or mail it with payment to: Vermont Bar Association, PO Box 100, Montpelier, VT 05601-0100. Fax: (802) 223-1573. PLEASE USE ONE REGISTRATION FORM PER PERSON.
First Name ______ Middle Initial ____ Last Name ______
Firm/Organization ______
Address ______
City ______ State ______ ZIP Code ______
Phone # ______ Fax # ______
E-Mail Address ______
Basics of Cyber-Attack Liability and Protecting Clients Interests Teleseminar
February 14, 2020, 1:00PM – 2:00PM
1.0 MCLE GENERAL CREDITS
PAYMENT METHOD:
Check enclosed (made payable to Vermont Bar Association) Amount: ______
Credit Card (American Express, Discover, Visa or Mastercard) Credit Card # ______ Exp. Date ______ Cardholder: ______
VBA Members $75 / Non-VBA Members $115
NO REFUNDS AFTER February 7, 2020
Vermont Bar Association
CERTIFICATE OF ATTENDANCE
Please note: This form is for your records in the event you are audited.
Sponsor: Vermont Bar Association
Date: February 14, 2020
Seminar Title: Basics of Cyber-Attack Liability and Protecting Clients Interests
Location: Teleseminar - LIVE
Credits: 1.0 MCLE General Credit
Program Minutes: 60 General
Luncheon addresses, business meetings, and receptions are not to be included in the computation of credit. This form denotes full attendance. If you arrive late or leave prior to the program ending time, it is your responsibility to adjust CLE hours accordingly.
Basics of Cyber-attack Liability and Protecting Clients
Sue Friedberg | Co-chair, Cybersecurity and Data Protection
[email protected] / 412-562-8436
AGENDA
1. What keeps clients—and lawyers—up at night?
2. What is a data breach and how can you help your client—if not avoid—at least reduce the risks and mitigate the consequences?
Cybersecurity Law Landscape
Federal laws
The patchwork of state laws
Industry standards
Private litigation and government enforcement
3. Cybersecurity incident scenario—ransomware attack
4. How lawyers can help
Cybersecurity Law Landscape
Why Are Clients Up at Night?
Lost productivity
Physical damage and bodily injury
Cyber extortion
Cyber terrorism
Theft of intellectual property
Legal actions
Financial costs (response, remediation)
Business interruption
Reputational damage
Threats all around
Internal threats:
Insider accidents or ignorance
Improper disposal of personal information
Lack of education and awareness
Negligence/indifference
Precaution failures
Lost mobile devices
Insider malicious conduct
Vendors with access—accidents, ignorance, negligence, indifference
External threats:
Hackers and phishers
Identity thieves
Organized crime
Nation-state actors
Hacktivists
Business espionage
How we set ourselves up:
Too much data
Retained indefinitely
Too many copies in too many places
Stored on too many devices
Too many people have access
Too easy to transmit
Data is a very valuable asset
Sources of duty to protect information
Federal information security laws and regulations
Federal consumer protection laws
Federal employment laws with privacy protections
State breach notification laws
State information security laws
State consumer protection laws
State privacy protections
Industry-mandated standards
Contractual obligations: to comply with whatever laws, regulations, and standards apply to the contract parties
Thrust of Information Security Laws
PROTECT:
Security
Confidentiality
Integrity
Availability
AGAINST:
Unauthorized disclosure
Unauthorized access
Unauthorized use
Alteration
Destruction
Loss
Federal Laws
Healthcare: HIPAA, HITECH, HHS Rules
Security Rule, Privacy Rule, Breach Notification Rule
Enforced by:
Health & Human Services, Office of Civil Rights
State attorneys general
Most entities that come into contact with electronic protected health information (ePHI) are likely required to comply with the Security Rule:
Covered entities: health care providers, health plans and health care clearinghouses
Business associates
Subcontractor to business associates
Security Rule: Required Safeguards for ePHI
Administrative
Risk analysis to identify vulnerabilities and threats to ePHI
Policies and procedures
Workforce conduct management—training and awareness
Physical
Access controls (badges, visitor logs)
Machine controls and data storage protections
Technical
Unique passwords
Audit controls to monitor systems activity
Encryption
What is a risk analysis?
Identify what ePHI is created, received, maintained or transmitted
Identify and document potential threats and vulnerabilities—internal and external
Assess risk level:
Likelihood that a threat will occur or vulnerability will be exploited, and
Degree of severity of impact on business if it occurs
Assess scope/adequacy/effectiveness of current security measures;
Identify gaps between vulnerabilities and security measures
Develop and document Risk Management Plan to address gaps—setting priorities and timeline
Repeat
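The risk-analysis steps listed above, carried through as a small risk register (an added example written for this page, not material from the presentation): inventory where ePHI lives, pair threats with vulnerabilities, rate likelihood and impact, rate the current safeguard, flag the gaps, and emit a prioritised Risk Management Plan with a timeline. The scales, thresholds, asset names and ratings are constructed sample data, not values from the slides or from HHS guidance.

```python
"""HIPAA-style risk analysis register (added example, constructed data)."""
from dataclasses import dataclass

# Ordinal scales: 1 = low, 3 = high. Inherent risk = likelihood * impact (1..9).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# How well the current safeguard addresses this specific threat/vulnerability.
EFFECTIVENESS = {"none": 0, "partial": 1, "strong": 2}


@dataclass
class Risk:
    asset: str          # where ePHI is created, received, maintained or transmitted
    threat: str         # internal or external threat actor or event
    vulnerability: str  # weakness the threat could exploit
    likelihood: str     # probability the threat occurs / vulnerability is exploited
    impact: str         # severity of impact on the business if it occurs
    safeguard: str      # current security measure ("" if none)
    effectiveness: str  # adequacy of that measure for this risk

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Each effectiveness level removes one third of the inherent risk.
        # The floor of 1 records that no risk is ever fully eliminated.
        inherent = self.inherent_score()
        reduction = EFFECTIVENESS[self.effectiveness] * inherent // 3
        return max(1, inherent - reduction)

    def is_gap(self, threshold: int = 4) -> bool:
        # A gap is a risk the current safeguards do not bring below the
        # organisation's acceptable-risk threshold (constructed value: 4).
        return self.residual_score() >= threshold


def risk_management_plan(register: list[Risk], threshold: int = 4) -> list[dict]:
    """Return the gap risks, highest residual risk first, each tagged with a
    remediation timeline so priorities and schedule are documented."""
    gaps = sorted(
        (r for r in register if r.is_gap(threshold)),
        key=lambda r: (-r.residual_score(), r.asset),
    )
    plan = []
    for r in gaps:
        timeline = "30 days" if r.residual_score() >= 6 else "90 days"
        plan.append({
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "current_safeguard": r.safeguard or "none",
            "residual": r.residual_score(),
            "timeline": timeline,
        })
    return plan


# Constructed sample register for a small clinic (not real data).
SAMPLE_REGISTER = [
    Risk("EHR database server", "ransomware delivered by phishing",
         "no multi-factor authentication on remote access",
         "high", "high", "email filtering", "partial"),
    Risk("Staff laptops", "lost or stolen device",
         "full-disk encryption not enabled",
         "medium", "high", "", "none"),
    Risk("Offsite backup tapes", "improper disposal by vendor",
         "no chain-of-custody record",
         "low", "high", "vendor contract requiring destruction certificate", "partial"),
    Risk("Billing workstation", "credential theft",
         "shared generic logins",
         "medium", "medium", "unique logins with audit logging", "strong"),
    Risk("Front-desk fax intake", "misdirected disclosure",
         "no recipient verification step",
         "high", "low", "", "none"),
]

if __name__ == "__main__":
    for item in risk_management_plan(SAMPLE_REGISTER):
        print(f"[{item['timeline']}] residual {item['residual']}: "
              f"{item['asset']} / {item['vulnerability']} "
              f"(current safeguard: {item['current_safeguard']})")
```

The register is meant to be re-run after each remediation and whenever the environment changes, which is the "Repeat" step: the same code, with updated effectiveness ratings, shows which gaps have closed and which remain.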
HIPAA Privacy Rule
Applies to protected health information in all forms—electronic, written, oral (“PHI”)
Strictly limits the ways covered entities may use or disclose PHI without patient authorization
Example: covered entity or business associate that uses or discloses more than the minimum amount of PHI necessary to serve the purpose potentially has violated the Privacy Rule.
Financial Services
Gramm Leach Bliley Act—privacy and administrative, technical and physical security
Consumer privacy and security
Enforced by FTC and CFPB
Fair Credit Reporting Act—affirmative duties to report accurately and protect confidentiality
Fair and Accurate Credit Transactions Act —Red Flags identity theft protection programs
Banking institutions—enforced by banking agencies (FDIC, FRB, OCC, et al.)
Investment institutions—enforced by SEC, FFIEC, FINRA
Breach under HIPAA
Breach =
(i) acquisition, access, use or disclosure
(ii) of unsecured PHI
(iii) that is not permitted under HIPAA; and
(iv) compromises the security or privacy of the protected health information
Unauthorized access is presumed to be a breach unless organization can show “low probability of compromise”
Breach notification within maximum 60 days to affected individuals and Office of Civil Rights of HHS
Enforcement by OCR through investigations, fines and civil actions
Safeguards Rule: requires comprehensive information security program
Key elements:
Designate program coordinator(s)
Conduct risk assessment
Implement safeguards to address risks identified in risk assessment
Oversee service providers
Evaluate and revise program in light of material changes to the business
High risk areas:
Employee management and training
Information systems
Detecting and managing system failures
FTC guidance
Financial Institutions and Customer Information: Complying with the Safeguards Rule
https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
All industries: Start with Security: A Guide for Business
https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
Federal government contractors
Critical infrastructure industries
Viewed as targets for cyber exploitation (e.g. financial, utilities, energy, transportation)
National Institute of Standards and Technology (NIST) Cybersecurity Framework
https://www.nist.gov/cyberframework/framework
Core cybersecurity functions: Identify, Protect, Detect, Respond, Recover
Federal government contractors
Department of Defense
Defense Federal Acquisition Regulation Supplement (DFARS)—all DOD contractors including small business
(1) Provide adequate security for defense information that resides in or transits through internal unclassified information systems from unauthorized access and disclosure; and
(2) Rapidly report cyber incidents and cooperate with DOD to respond to these security incidents, including access to affected media
NIST published standards apply—14 categories of controls
NIST categories for security controls
FTC consumer protections
Fair Credit Reporting Act (FCRA)
Requires credit reporting agencies to use “reasonable procedures” to protect “the confidentiality, accuracy, relevancy and proper utilization” of consumer information
Prohibits employers from procuring a consumer credit report for employment purposes without prior disclosure and authorization
Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)
Secure disposal of credit information
Children’s Online Privacy Protection Act of 1998 (“COPPA”)
Parental consent for data from children under 13
Federal privacy protections with security aspects
Workplace privacy and anti-discrimination laws (EEOC administered)
Title VII Civil Rights Act, ADA, Age Discrimination in Employment Act
Electronic surveillance and communications laws: Wiretap Act
Electronic Communications Privacy Act
Stored Communications Act
Children’s Online Privacy Protection Act (COPPA)
Industry standards for security controls
Payment Card Industry Data Security Standard (PCI DSS)
Developed by Council of major payment card brands
Global standards for all entities that process, store, or transmit cardholder data
Enforced by contracts between payment card issuers and merchants and transaction processors
Accounting (AICPA)
System and Organization Controls (SOC) examination
Design and/or effectiveness of cybersecurity risk management program
Internationally recognized security certifications:
ISO 27001 (International Organization for Standardization)
COBIT (Control Objectives for Information and Related Technologies developed by IT professionals)
State Laws with Security Standards
States with substantive security requirements
Arkansas
California
Connecticut
Florida
Indiana
Kansas
Maryland
Massachusetts
Minnesota
Nevada
Oregon
Rhode Island
Texas
Utah
California
First state to impose information security standard on businesses that own or license personal information about California residents
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the information from unauthorized access, destruction, use, modification, or disclosure
If personal information is disclosed to third parties, they must be contractually required to meet the same standard
CA Attorney General list of minimum Critical Security Controls https://oag.ca.gov/breachreport2016#appendixes.
PCI DSS codified in Nevada and Minnesota
Nevada:
codified entire Payment Card Industry Data Security Standard (PCI DSS) in statute
Encryption required for transmitting electronic data that is not payment card out of control of data collector (or storage contractor)
Compliance = safe harbor against liability for breach (except gross negligence or intentional misconduct)
Minnesota: codified some portions of PCI DSS that limit time period for retaining payment card usage data
Massachusetts: detailed security requirements
Implement formal Written Information Security Program—similar to federal standards
Designate employees to maintain the information security program
Identify and assess reasonably foreseeable internal and external security risks and the effectiveness of current safeguards, and upgrade safeguards as necessary
Develop security policies for employees relating to the storage, access and transportation of records containing personal information
Impose disciplinary measures for violations
Restrict access of terminated employees to records containing personal information
Oversee service providers by:
Restricting physical access to records
Using reasonable due diligence to select and retain service providers; and
Contractually requiring service providers to maintain appropriate security measures
Review security measures at least annually
Document actions taken in response to security breaches and hold post-incident review
SSN Laws
Five states have laws requiring businesses to have policies designed to prevent unlawful disclosure of SSNs by:
Ensuring confidentiality
Limiting access
Describing proper disposal
Hard copy destruction laws
At least 30 states have enacted laws that require the secure disposal of paper and electronic records containing personal information
Disposal laws generally require any party holding personal information of state residents to destroy, erase or make unreadable such data prior to disposal
State Breach Notification Laws
Overview: State Breach Notification Laws
• 50 states plus U.S. territories have separate and different laws requiring notification of “breach” of “personally identifiable information”
• Each state protects its own residents regardless of where the responsible party is located
• Generally cover businesses and government agencies
• Not industry specific
• Most states exempt breaches subject to notification under HIPAA or GLBA Safeguards Rule
“Typical” State Breach Notification Law
An entity that maintains computerized “personal information”
Must disclose a “security breach” to any state resident whose unencrypted, unredacted personal information
Was, or is reasonably believed to have been, acquired by an unauthorized person.
Reasonable likelihood that access has or will result in loss or harm
Any vendor that maintains data must provide notice to the entity that manages the data
Safe harbor for encrypted data
Excludes good faith acquisition of personal information by an employee or agent if the personal information is not used and is not subject to further unauthorized disclosure
Be Careful with the Word “Breach”
“Breach” is a legal conclusion not a description
General elements:
Unauthorized access and/or acquisition of computerized data
Compromises the security, confidentiality or integrity of PII
Reasonable belief that access has caused or will cause loss
Encryption is usually a defense (unless—in CA—reasonable belief that key or access credential also compromised)
Overuse of "breach" could lead public and regulators to think client is ignoring security
State laws vary significantly:
What is considered to be “personally identifiable information”
What is a “breach”
Whether reasonable likelihood of harm is required before notice is required
Method and content of required notice
When notice must be given
Who gets notice
Whether paper records are covered
Penalties imposed
What is “Personally Identifiable Information?”
Name + Another Sensitive Data Element = Personally Identifiable Information (PII)
Social Security number
Driver’s License or state-issued ID number
Account, credit or debit card number with the security code, access code, password or PIN needed to access it
Online Account access information (user name + password)
Date of birth
Health Insurance Card
Medical Records
Biometric data
When must notice be given?
Data owners:
Most states: without unreasonable delay
Specified period (30/45/60/90 days) from “discovery”
Discovery not always defined
Delay usually permitted:
if law enforcement authorities request a delay
to restore the security of the affected system
to determine the scope of the breach.
Service providers to data owners: “immediately” or “as soon as practicable”
Some states publish all breach notifications online
Who should receive breach notification?
Affected individuals—customers, employees, others
Attorney General or other state regulators
National consumer credit bureaus (large breaches)
Local and/or Federal law enforcement
Payment card issuers
If public company—possibly SEC and shareholders
Contract parties to whom client has a breach notification obligation
State law workplace protections
Although privacy-directed, also involve confidentiality and security expectations for information collected
Anti-discrimination laws (restrict, regulate, and/or mandate certain information gathering)
Restrictions on employee monitoring and surveillance
Drug testing
State wiretapping acts
EU General Data Protection Regulation (GDPR) effective May 25, 2018
Personal data = any information relating to an identified or identifiable natural person (‘data subject’)
Scope includes any “processing” of personal data by person without an EU presence involving:
Offering of goods or services to data subjects in EU, or
Monitoring of behavior of data subjects in EU
A few highlights:
Right to protection of personal data is fundamental right
Disclosure of what data is processed, why, with whom shared, retained
Data minimization and privacy by design
Extensive rights of data subjects to consent to processing and control data
Extensive record keeping requirements
Cyber-attack Scenario
Ransomware Attack
One Monday morning at 8:00 AM, your client calls:
Company may be the victim of a ransomware attack.
All employees are locked out of their computers and unable to work.
All databases are inaccessible and the landline phone system isn’t working.
The bad actors are demanding payment of 20 bitcoin to restore the network.
Your client wants to know whether to pay the ransom.
What should you do?
First, ask questions:
Do you have cyber-liability insurance?
Do you have an Information Security Incident Response Plan?
Who manages your IT infrastructure—inhouse or outsourced?
Do you have backups to try to restore the data?
Do you know what personally identifiable information is stored in your system (customers, employees, job applicants, contractors, and former members of each of these groups)?
What advice should you give the client?
If client has a Plan, convene the Incident Response Team
If client does not have a Plan, convene a crisis team including senior management, IT, communications, HR
Notify the carrier
Engage breach response counsel, who will engage a forensic investigator
Instruct IT to try to restore using the backup system
Centralize and control all company and public communications with a designated spokesperson
Planning for Ransomware
Employ a secure data back-up and recovery plan for business critical data
Test the back-up system periodically
Have and test an Incident Response Plan
Train all personnel to know:
What a security incident is
How and to whom to report an incident
Identify breach response counsel and forensic expert
Regularly patch operating systems and ensure anti-virus and anti-malware software is up to date
Litigation and Enforcement
FTC Enforcement Actions
Section 5 of the FTC Act (15 U.S.C. § 45): “unfair or deceptive business practices”
More than 60 enforcement actions for cybersecurity failings since 2002
Broad range of industries affected
Repeat offenders targeted
Focus on disparity between security promised / security delivered
Severe sanctions including 20-year consent decrees to maintain extensive data security protections
Consent decrees are major source for FTC view of “reasonable and necessary” security measures
Ongoing battle over FTC authority to regulate cybersecurity
What did the FTC consider to be unreasonable in 2017?
Uber: failed to control who could access data; did not require multi-factor authentication; stored database backup in plain readable text in the cloud
Lenovo: used the same, easy-to-crack password on laptops allowing attackers to intercept communications
D-Link: Touted security of routers, but not protecting against well-known, easily prevented security flaws
Turn Inc.: deceptive Privacy Policy that falsely claimed that consumers could reduce tracking online and on mobile devices
Vizio: failed to disclose that smart TVs were tracking viewers, combining their viewing with demographic data to sell to advertisers
BLU: failed to adequately manage third party provider that pre-installed software on mobile devices that transmitted call and text numbers and logs to undisclosed third party
Enforcement by State Attorneys General
State penalties, some exceeding $500,000, per failure to give breach notification
Authorized to enforce HIPAA, FCRA, and TCPA violations
Frequently work together to investigate and bring civil enforcement actions for major data breaches resulting in major settlements: Target, Anthem, Nationwide Mutual
Civil litigation
Some states (14) provide some form of private right of action under breach notification statutes
Negligence, breach of contract, breach of fiduciary duty, invasion of privacy, breach of a duty of confidentiality and conversion
Plaintiffs face difficult issues of standing, injury, causation, and class certification
Defense is expensive, even if cases are dismissed
Allegations in Data Breach Litigation
Private litigants typically allege that defendants:
Failed to safeguard information, such as
Failed to have appropriate encryption or other technical controls
Failed to train personnel with access
Failed to have adequate data security program
Failed to monitor vendor security
Privacy Policy misrepresented data security provided or inadequately disclosed data security risks; or
Failed to respond adequately to the breach.
Threshold Question = Standing
Common defense to most data breach class actions is failure to establish an injury-in-fact sufficient to support Article III standing.
Did plaintiff suffer an injury-in-fact?
Is heightened risk of future harm because of breach (i.e. possible identity theft) sufficient injury-in-fact?
Do statutes that create a private right of action for data breach convey standing without showing injury-in-fact?
Standing: Supreme Court on Injury-in-Fact
Injury-in-fact is an invasion of a legally-protected interest that is:
1. Concrete and particularized
2. Actual or imminent, and
3. Not conjectural or hypothetical
Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)
Supreme Court on risk of future injury: standing does not exist if:
Plaintiff relies on a speculative chain of possibilities
Plaintiff does not show feared future injury was certainly impending.
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143, 1147-50 (2013)
Is increased risk of future harm sufficient to show injury-in-fact?
Four Circuits have held that increased risk of future harm can confer standing if plaintiff pleads sufficient facts to show identity theft or other concrete injury is a real possibility:
DC, Third, Sixth, Seventh, Ninth
Increased risk of future harm not sufficient to confer standing:
Second, Fourth, Eighth
But, in “not sufficient” cases, facts seem arguably very speculative—at least as described in opinions
Next hurdle: Barnes & Noble is a “fellow victim of the data thieves,” so difficult to get class certification
Dieffenbach v. Barnes & Noble, Inc. (7th Cir. 2018)
How we can help clients reduce—or at least mitigate—the risk of a damaging cyber-attack
Strong words to follow….
1. Figure out: What protected and other sensitive data do you have, where is it located, and who can access it?
Do you really need to have it? How long do you need to keep it?
2. Cybersecurity left to the IT Department is inadequate security:
Over-reliance on technical “solutions” while ignoring the equally if not more critical role of “governance” misses all prevailing standards of care
Inherent conflict of interest—need to ask hard questions and expect straight answers about encryption, secure document transmission, known gaps
3. Adopt at least a basic governance program:
Written Information Security Program (Massachusetts model)
Incident Response Plan
Personal device and other remote access policies
More strong words….
4. Manage employee-related security risks—“need to know” access, exit protocols, regular security training, background checks, confidentiality agreements
5. Get back with IT for “technical solutions”: encryption; access controls; password management; multi-factor authentication; patch management; network segmentation; download/upload controls; vulnerability/penetration testing
6. Manage third party (vendor) security risks:
Due diligence in selecting and retaining
Confidentiality and security obligations in service provider contracts
7. Actually implement a document retention and destruction plan
If there isn’t time for your question, please contact me…
Sue Friedberg
Co-chair Cybersecurity and Data Protection Group
Buchanan Ingersoll & Rooney PC
412-562-8436