502 protecting-data-in-unlikely-places wipl-10-27-15-(4)
TRANSCRIPT
Presented By:
Protecting Data in Unlikely Places

Kristy Brown, Alston & Bird

Your Panelists
• Cheryl Call, Blackbaud
• Devika Kornbacher, Vinson & Elkins
• Estela Valdez, Browz
Discussion Points
• Data Stats
• The Evolving Legal Landscape
• Information Security Programs
  – Development of the Program
  – Implementation considerations
• Incident Response
  – Development of the Plan
  – Enforcement Actions and Third Party Claims
Data Stats
• 25 BILLION connected devices by 2020
• 2.5 QUINTILLION bytes of data created daily
• 90 percent of it generated in the last two years

The Evolving Legal Landscape
Legal Landscape
• Location of the data and of the user impacts the applicable laws
  – Laws related to jurisdictional reach are in flux
  – Sparse guidance from courts regarding enforceability of laws applicable to data of residents of states where the company does not conduct business
• Multiple applicable legal regimes
  – States and U.S. Territories
  – Federal
  – Foreign
Legal Landscape
• FTC and state unfair and deceptive practice statutes
  – Apply to use of consumer data not in compliance with posted data use/collection policies
  – Third Circuit recently confirmed (FTC v. Wyndham, Aug. 2015) that the FTC has authority to investigate and charge companies with unfair trade practices for failure to protect customers from the theft of online data
  – Since January 2015, the FTC has brought over 50 enforcement actions involving data security
• SEC regulations
  – SEC recently charged 32 defendants with violations of the federal antifraud laws and corresponding SEC rules for allegedly trading on non-public information obtained by hacking into the computer networks of three newswire services
• Breach notification laws
Legal Landscape
State, Federal and International Laws and Regulations
• HIPAA (HITECH) (governs duties related to protected health information (PHI))
• Americans with Disabilities Act (provisions related to protection of health and disability data)
• FCC requirements (govern activities of interstate telecommunications companies)
• State and federal requirements for banks and financial institutions (e.g., Gramm–Leach–Bliley Act)
• Children's Online Privacy Protection Act (COPPA) (applies to information collected online from children under the age of 13)
Legal Landscape
State, Federal and International Laws and Regulations
• EU Data Protection Directive
  – requires Member States to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data
  – "Personal Data" is any information relating to an identified or identifiable natural person
  – requires that Member States prohibit the transfer of personal data to any country outside the EU that does not "ensure an adequate level of protection"
    • Only 11 countries have been found to provide adequate protection of EU citizen data
    • The U.S. is not one of the 11
Legal Landscape
State, Federal and International Laws and Regulations
• Safe Harbor Framework: approved by the European Commission in July 2000 to allow companies to transfer EU citizens' data to the U.S. through a voluntary self-certification program
  – Safe Harbor administered by the U.S. Dept. of Commerce
  – Companies must certify compliance annually
  – Invalidated by opinion issued by the European Court of Justice in October 2015

Information Security Programs
• Policies
• Testing
• Monitoring
• Audits
for information only – not legal advice

Policies
Policies and Practices
• Prevent, detect, respond, preserve
• Consider ISO 27000 standards, NIST Framework for Improving Critical Infrastructure Cybersecurity (Feb. 2014), or DOJ Guidance on "Best Practices" for Cyber-Incident Response Plan (Apr. 2015)
• Cover all bases
  – Human (e.g., chief information security officer (CISO))
  – Physical (e.g., off-site redundancy)
  – Digital (e.g., two-factor authentication)
• Only as good as the implementation and education
Testing
• Periodic penetration testing by outside vendors
• Simulated ("fake") phishing campaigns, etc., to test the effectiveness of training
• Trial runs of incident response plans
Monitoring & Audits
• Traditional monitoring (e.g., cameras and access logs)
• Technological monitoring (e.g., managed security services)
• Audits:
  – Statement on Standards for Attestation Engagements 16 (SSAE-16), SOC 2
  – NIST, ISO, PCI DSS, HIPAA, etc.

Incident Response
Incident Response Plans: What to include
• Monitoring, Detection and Escalation
  – IT system data security programs and controls
  – Incident detection
  – Who is to be notified, when and how
• Incident Response Team
  – Identify roles and responsibilities for incident response team members and specify who will handle:
    • managing incident detection, investigation and response
    • system restoration and business continuity
    • breach determinations and notifications
    • cyber insurance coverage and coordination
    • law enforcement notification and involvement
    • media and crisis communications
• Mitigate and stop the incident; activate the plan to continue operations during the incident
  – Actionable response processes for anticipated breach scenarios
  – Internal and external business continuity resources identified
• Notify and communicate with partners, authorities, customers and the public
  – Clear communications plan for each constituency
  – Detail notification requirements for affected individuals in compliance with applicable federal, state and contractual requirements
• Recover normal operations
  – Systems repair and restoration
• Post-incident Review
  – Incident Response Team review after an incident
    » Lessons learned
    » Did the organization follow the plan?
    » Opportunities for improvement
    » Remediation plan
• Testing
  – Requirement to conduct exercises to simulate cybersecurity incidents
    » Involve the entire incident response team
    » Scheduled and unscheduled testing
The Incident Response Team
Internal team
• Incident lead
• Leadership representative
• Operations
• Public relations
• IT and Security
• Legal and Privacy
• Customer Relations
External team
• Contractors
• Vendors
• Outside Counsel
• Law Enforcement

Data Breaches Lead to a Multi-Front War
• Consumer class actions/MDLs
• Financial institution class actions/MDLs
• Securities class actions/MDLs
• SEC investigation
• FTC investigation
• Multistate AG investigations
• Congressional investigation
• Disputes with card brands
Target Breach
• Dec. 19, 2013: Target announces breach of 40M debit and credit card accounts
  – 3 days later: Senate requests that the FTC launch an investigation into the breach
  – 4 days later: Three class actions filed and four state AGs launch investigations into the breach
  – 5 days later: Class actions filed reach 15
  – 1 week later: Class actions filed reach 40
Target Breach
• Jan. 10, 2014: Target announces that personal information (names, mailing addresses, phone numbers, e-mail addresses) of up to 70M additional customers was also stolen
  – 3 days later: Financial institutions class action filed
  – 19 days later: Shareholder derivative suit filed
  – 1 month later: Target EVP/CFO testifies before the Senate Judiciary Committee
  – 2 ½ months later: FTC confirms its investigation of the Target data breach
• Total Number of Class Actions Filed = 68+
Target Breach
• All told, Target incurred approximately $252 million in costs associated with its data breach
  – Consumer class action settled for $10 million (plus up to $6.75 million in attorneys' fees, and injunctive relief)
  – Visa settlement: $67 million
Data Breach Class Actions
Recent Developments
• Erosion of positive precedent holding that consumers lack standing to assert claims based on a data breach
  – Target
  – Neiman Marcus
• Increasing focus on financial institution claims
  – Certification of financial institution class in Target

Questions?