Government Notification of Data Breach
Uploaded by shawn-tuma (Category: Law)
Transcript of Government Notification of Data Breach
www.solidcounsel.com
“Security and IT protect companies’ data; Legal protects companies from their data.”
Legal Schizophrenia
• 1st Defense: Adequate Cybersecurity
• 2nd Defense: Deterrence by Law
• Public Confusion
• “Security Research”
• IoT / implanted medical devices?
Cause for Concern
• 62% of Cyber Attacks → SMBs
• Odds: Security @100% v. Hacker @1
• ACC Study (9/15) = #2 Concern Keeping CLOs Awake at Night
• Dyn & IoT?
Cost of a Data Breach – US (Ponemon Inst.)
• 2013: $188 per record; $5.4 million = total avg. cost paid by organizations
• 2014: $201 per record; $5.9 million = total avg. cost paid by organizations
• 2015: $217 per record; $6.5 million = total avg. cost paid by organizations
Legal Obligations
• International Laws: Safe Harbor, Privacy Shield
• Federal Laws & Regs.: HIPAA, GLBA, FERPA; FTC, FCC, SEC
• State Laws: 47 states (except AL, NM, SD)
• Industry Groups: PCI, FINRA, etc.
• Contracts: 3rd Party Bus. Assoc., Data Security Addendum
Immediate Priorities
• Leadership!
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought & rational behavior
Response Process
• Appendix A
• Goal is to execute IRP
• This is a checklist, not an IRP
• How detailed?
• Tabletop exercises
Data Breach Foundations: Is the cyber event an incident or a breach?
Event: any occurrence.
Incident: an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of the system, data, policies, or practices.
Breach: actual loss of control, compromise, unauthorized disclosure, acquisition or access of data.
Ransomware? Encryption safe harbor?
Data Breach Foundations: Is the cyber event caused by criminal or negligent actions?
Hacker stealing IP from network.
Employee misplaces unencrypted USB drive with PII.
Focus on the action – why was it done?
Report criminal events to law enforcement, not usually with negligent.
Data Breach Foundations: The difference between reporting, disclosing, notifying?
Used interchangeably, not official – just used for clarity.
Reporting: to report a crime to law enforcement.
Disclosing: to disclose (notify) to a state or federal regulator of a data breach.
Notification: to notify the data subjects of a data breach.
Data Breach Foundations: Relationship between unauthorized access and breach notification laws?
2 sides of same coin.
Unauthorized access: prohibits actor from harming company’s network or data; company is victim.
Breach notification: mandates actions by company after having a breach; company transformed into wrongdoer.
Reporting to Law Enforcement: Role of law enforcement.
When to report to law enforcement?
Federal, state, or local law enforcement?
When will law enforcement not get involved (usually)?
Reporting to Law Enforcement: Is it mandatory to report to law enforcement?
State breach notification laws presume reporting.
DOJ, NIST, FTC (“we’d view that company more favorably than a company that hasn’t”)
US Senate (Yahoo) – when did you report to law enforcement or other government authorities?
Credibility – the “state sponsored” / “unprecedented” game.
Reporting to Law Enforcement: Benefits of reporting to law enforcement.
Agencies can compel info from 3rd parties.
Can work with foreign counterparts.
Viewed favorably by regulators, shareholders, public.
Can request delay of reporting.
Can result in successful prosecution.
Resources, expertise, institutional knowledge, your $$$
“The FBI is not there to re-victimize the victim.” – Richard Murray, FBI
“We try to be fair and know that we must be fair because that will get around and we want to work with companies.” – Shamoil Shipchandler, SEC
Reporting to Law Enforcement: Dispelling myths of reporting to law enforcement.
Reporting to law enforcement is not the same as disclosing to regulators.
Doesn’t “take over” your operations; not like a regulatory enforcement action.
Law enforcement uses discretion, doesn’t tattle on you.
Company is still viewed as the victim.
Use hypotheticals, if needed.
Reporting to Law Enforcement: Tips for reporting:
Unified Fed. Guide (D)
Use and maintain logging.
Have a relationship or work with someone who does.
Best Practices (C)
Disclosure to Government Regulators: Remember our fiction: reporting / notifying / disclosing
What type of data was breached? (PII, PHI, Fin. Data, PCI)
Which laws apply?
Regulated industry? (HHS, SEC, FDIC, FINRA)
e.g., Health → HHS, then ≥ 500 = 60 days to report; < 500 = annual report
State jurisdictions?
Disclosure to Government Regulators: Breach Notification Laws
No national breach notification law
47 States w/ laws + DC, PR, VI (≠ AL, NM, SD)
Data subjects’ residence determines + state doing bus.
Some consistency but some not (e.g., MA & CA)
Review each time – constantly changing.
Disclosure to Government Regulators: Is it a triggering “breach” under each relevant state’s laws?
Which states’ laws require disclosure to their AG?
Most, under certain circumstances (not TX).
Which require pre-notice of a breach notification?
CA, CT, NH, NJ, NY, NC, PR, WA
When must disclosures be made? (w/ notif. 30/45/reas.)
How must disclosure be made? (template / portal)
Texas Breach Notification Law: Notification Required Following Breach of Security of Computerized Data, Tex. Bus. Comm. Code § 521.053
“A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” (See Appendix B)
Sensitive personal information (SPI) combinations that constitute a data breach:
• First name or first initial + last name, combined with SSN, DLN, or Govt ID → data breach
• First name or first initial + last name, combined with Acct or Card # plus Access or Security Code → data breach
• Info that IDs an individual, combined with health care provided or payment → data breach
Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053
CIVIL PENALTY: $100.00 per individual per day for notification delay, not to exceed $250,000 for a single breach (§ 521.151)
Texas Breach Notification Law: Breach of System Security: “unauthorized acquisition ... compromises the security, confidentiality, or integrity of” SPI. Employee leaving with customer data?
Applies to anyone doing business in Texas.
Notify any individual whose SPI “was, or is reasonably believed to have been, acquired by an unauthorized person.”
When: “as quickly as possible” but allows for LE delay
Penalty: $100 per individual per day for delayed time, not to exceed $250,000 for a single breach (AG / no civil remedy)
Cybersecurity Risk Management Program (continuous cycle):
• Cyber Risk Assessment
• Strategic Planning
• Deploy Defense Assets
• Develop, Implement & Train on P&P
• Tabletop Testing
• Reassess & Refine
“You don’t drown by falling in the water; you drown by staying there.”
• Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, North Texas Cyber Forensics Lab
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Foundation
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee
• Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Board of Advisors Office of CISO, Optiv Security
• Editor, Business Cybersecurity Business Law Blog
Shawn Tuma, Cybersecurity Partner, Scheef & Stone
[email protected]
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com