Cyber Breaches Safeguarding Your Firm and Clients

Upload: samantha-reeves

Post on 20-Jan-2016


Prepared by: Herbert L. Jamison & Co., L.L.C., jointly with CNA Insurance Company, Wilson Elser Law Firm, & FTI Consulting

Speaker Introduction

Josh M. Kantrow is Co-Chair of Wilson Elser’s Data Security & Cyber Liability practice with a focus on computer-related liabilities including privacy, data security and technology litigation. He is an experienced litigator and savvy negotiator often retained by clients in crisis management situations. Josh has been a featured speaker at approximately 30 legal and insurance seminars, including seminars conducted in London, Paris, New York, Las Vegas, Philadelphia and Chicago. His recent presentations at major conferences have focused on crisis management litigation strategies, technology issues, resolving claims made under cyber risk policies, and healthcare privacy and security. Josh has been interviewed by Business Insurance and Metropolitan Corporate Counsel and also has published articles on cyber liability and litigation tactics.


Speaker Introduction

Ian Matyjewicz is an Assistant Vice President with Jamison Risk Services, a division of Herbert L. Jamison & Co., L.L.C., an AssuredPartners company (“Jamison”), focused on the risk management and insurance needs of law firms throughout the country. Prior to joining Jamison, Ian practiced for 15 years as a litigator in Chicago and then in New York. During that time period, he was lead counsel in over 50 cases tried to verdict.

Daniel Roffman is a Managing Director in FTI Consulting’s computer forensics lab in Chicago. Daniel specializes in providing consulting services to corporations and their counsel involving digital investigations and eDiscovery matters. Daniel's client engagements span both civil and criminal matters and he regularly provides expert analysis on highly complex electronic evidence issues. He also advises corporations on best practices relating to litigation preparedness. In this role, he emphasizes steps corporations can take to limit the cost of eDiscovery and also limit the corporation’s exposure to other electronic issues, including data breaches and IP theft. Prior to joining FTI, Daniel was employed by the Criminal Division of the United States Department of Justice.


Today’s Overview

I. Why do Breaches Matter to Law Firms?

II. How do Breaches Happen?

III. Steps for Combating Breaches

IV. How to Protect the Bottom Line from Breaches


Digital Information Explosion

• 99.9% of new information is stored digitally

• 3,000,000x the total amount of information in all books ever written

• Worldwide information is more than doubling every two years, with 1.8 zettabytes or 1.8 trillion gigabytes projected to be created and replicated in 2011

• Facebook collects an average of 15 TB of data every day or 5000+ TB per year

– That’s equivalent to the amount of paper stored in the beds of 15 pickup trucks PER DAY!


Breach Explosions

• Less than a third of the information in the digital universe has at least minimal security or protection; only about half of the data that should be protected is.

• Privacy breaches are occurring more often - more than once a day.

– The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008.

– By 2009 the 5 year average was about 40 per month.

• They’re getting bigger too.

– The number of records compromised grew from 9.6M to over 723M in the same period.

[Chart: individuals affected per breach, by year (2006, 2007, 2008, 2009); vertical axis: # of individuals affected, up to 800,000; data labels: 96K and 586K]


Recent Study

• FTI Consulting co-sponsored a recent (2012) study with Corporate Board Member. 1,957 general counsel and 11,340 corporate directors at public companies responded that data security was their top risk concern.

• 33 percent of GCs “believe their board is not effective at managing cyber risk.”

• When asked whether their company had a crisis management plan in place to respond to a cyber attack, only 42% of respondents said yes.


Information Explosion Implications for Traditional Law Firm Practices:

• What’s easier?

– Hacking into a highly secure financial firm to access sensitive data

OR

– Hacking into an ill-prepared law firm’s network and obtaining a copy of highly sensitive information produced from that same financial firm?


Information Explosion Implications for Traditional Law Firm Practices:

• What’s easier?

– Hacking into a highly secure financial firm to access sensitive data

OR

– Finding an associate’s cell phone left in a coffee shop containing highly sensitive emails from that same financial firm?


Information Explosion Implications for Traditional Law Firm Practices:

• Letters require partner signature but

– Emails, Facebook, LinkedIn, and Twitter do not

• Publications require partnership approval but

– Emails, Facebook, LinkedIn, and Twitter do not


Information Explosion Implications for Traditional Law Firm Practices:

• Partners make or closely supervise communications with clients, business partners, competitors and opponents

– But Email, Facebook, LinkedIn, Twitter establish non-mentored/monitored relationships without partner participation, possibly without partner knowledge.

• Partners hold and protect client contact details

– Contacts are collected automatically from emails by Facebook and LinkedIn without partner approval or knowledge.


Social Media

• A recent study (co-sponsored by FTI Consulting and Corporate Board Member) of 1,957 general counsel and 11,340 corporate directors at public companies asked:

– Does your company have a good handle on the risks associated with corporate social media?

– 60% of directors believe their board does not fully understand the risks surrounding social media.


Social Media

• A recent study (co-sponsored by FTI Consulting and Corporate Board Member) of 1,957 general counsel and 11,340 corporate directors at public companies asked:

– Does your company have a social media policy?

– Only 39% of companies responded that they have a social media policy.


Our Computer Systems are Secure: What is the leading cause of data breaches?

• Network hacking

OR

• Non-network breach


Our Computer Systems are Secure: What is the leading cause of data breaches?

Non-network breach responsible for 69% of breaches

• 31% Network Hacking or Malicious Breach

• 69% Non-network Breach


Our Computer Systems are Secure: Your Systems Aren’t (always) the Issue!

30-40% of all breaches are caused by vendors for which you are vicariously liable.

Who has access to your data?

– Litigation support

– Transcription

– Off-site storage

– Disaster recovery back up tapes/archives

– Mail room/courier/photocopy/shredding service

– Cleaning service


Nobody would want our information: What do you keep?

• Client information:

– Health information

– Sensitive business information: intellectual property, and insider information

– Tax information including social security number and banking information

– Bank accounts for wire transfers

– Other parties’ information obtained due to retention by client

• Employee information

– Payroll and benefits information

• Applicant information

– Information needed for background check


How Do Breaches Happen?

• Traditional “Hacking”

– Number of Attacks Increasing & Sophistication of Attacks Increasing

• China (in some cases, state sponsored)

• Eastern Europe

• Africa

– The security firm Mandiant estimated that 80 major U.S. law firms were hacked in 2011.

– Action Items:

• Improve Network Security Policies/Procedures

• Encryption of Sensitive Information

• Penetration Testing

• Breach Response Plan and Testing


Examples of Hacking Against Law Firms

• February 2012: Anonymous stole 2.6 gigabytes of e-mail belonging to Puckett & Faraj, a law firm that represents Staff Sgt. Frank Wuterich, who is accused of leading the group of Marines in Haditha. (As reported by Time and other news sources, this 2005 raid resulted in the deaths of 24 unarmed Iraqi civilians.)

– Puckett & Faraj is now awaiting advice from the Virginia Bar so that it can properly inform former and current clients about the hacking incident.

• February 2012: Disclosure of several Canadian law firms being hacked by Chinese in 2011

• September 2010: ACS Law, a law firm involved in anti-piracy work, had their email server hacked.


How Do Breaches Happen?

• Social Engineering

– Obtaining sensitive information by trickery, often using information obtained from social media

– Very easy for criminals

• Action Items:

– Employee training

– Social media policy


Fraudulent Schemes:

• Law firms are becoming targets of schemes that could allow a hacker access to valuable information

– Often socially engineered

• Example

– 2011 Potash Corp. takeover attempts scuttled by Chinese hackers who spoofed emails to law firms handling the case.

– After clicking on a link, spyware was installed and documents were disclosed to third parties.


How Do Breaches Happen?

• Theft by Individuals with Access

– Employee

– Vendors

• Outsourced IT

• Cleaners

• Accountants/Consultants/Experts

• Action Items:

– For employees, address with employment contract and employee handbook

– For business partners and vendors:

• Encrypt sensitive data

• Indemnification by contract

• Address breach response in contract

• Require cyber insurance to ensure funding by the at-fault vendor


Steps for Combating Breaches

• Technical Steps:

– Strong and complex passwords & encryption

– Monitoring software

– Bottom-up security approach – allowing employees access to the required set of resources to perform their job function

– Regular Implementation of security patches and updates

– Threat assessments

a. Proactively look for potential risks

b. Review logs proactively

c. Intrusion / penetration testing

d. Independent testing of security protocols


Steps for Combating Breaches

• Risk Management Steps:

– Evaluate Breach Exposure as an Enterprise Risk

– What Policies/Procedures Protect Network and Sensitive Information?

– Form Breach Response Team

• Stakeholders

• Internal Communication

• External Communication

• Compliance

• Brand/Reputation Protection

– Periodically Test Breach Response and Revise as Warranted


Nobody would want our information: What do you keep?

• Practice areas that MAY elevate exposure:

– Litigation - e.g. personal injury or mass tort related health info, even litigation strategy is sensitive and confidential.

– Transactional - custody of non-public transaction info, due diligence, deal info.

– Intellectual property - custody of trade secret, pre-patent invention, pre-publication works of authorship (e.g. software).

– Securities - data in preparation for securities filings/registration, “quiet period” restrictions on release.

– Taxation - financial information.

– Trusts and Estates - high net worth client data.


Data Privacy Laws/Regulations Don’t Apply to Us: But--

• FTC’s Red Flags Rule

– On appeal; other forms of enforcement actions remain

• HIPAA HITECH Act

– Applies to HIPAA Business Associates

• State laws [47 breach notice; 25 merchant]

– No exclusion of professional firms

• Professional rules

– Confidentiality requirements


Data Privacy Laws/Regulations Don’t Apply to Us: But - FTC Enforcement is on the rise.

• Since 2005, the FTC has settled 30 cases against companies for issues ranging from failure to safeguard private information to failure to comply with their own privacy policies.

• Not even small “do good” firms escape the FTC’s reach.

• Take away: The FTC could audit your firm for many years to come if it finds you failed to safeguard your client’s information.


Data Privacy Laws/Regulations Don’t Apply to Us: But - Malpractice Liability – Rules of Professional Conduct

ABA Rule: An attorney has an ethical obligation to maintain confidential client communications and information. Under the ABA Model Rules of Professional Conduct a lawyer is required to take reasonable precautions to safeguard client’s electronic files and information. All attorneys have an ethical obligation to disclose security breaches to those who may be adversely affected by such breaches.

• The Rules of Professional Conduct in many states incorporate the comment to Rule 1.6 of the ABA Model Rules in its own Rule 1.6.

• Balancing test to determine lawyer’s reasonableness in securing information

• Rules 5.1 and 5.3: duty to supervise non-lawyers

Prepared by: Jamison Risk Services, A Division of Herbert L. Jamison & Co., L.L.C.


Data Privacy Laws/Regulations Don’t Apply to Us: But – Rules of Professional Conduct & Malpractice

• Violation of an ethics rule could mean malpractice

• RPC admissible as evidence of breach of standard of care (majority rule) e.g., New Jersey, Maryland, District of Columbia, Illinois, Nevada

• RPC is inadmissible as evidence of breach of standard of care (minority rule) e.g., Alabama, Washington

• RPC is admissible as rebuttable presumption of standard of care (outlying rule) e.g., Michigan

• New York law unclear


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts - Scope

• Applies to any business that conducts business in the state that “compiles or maintains computerized records that include personal information.”

• Triggered by a “breach of security” that involves “personal information.”

• “Personal information” is defined as the individual’s first name or first initial and last name linked with one or more of the following:

– the individual’s Social Security number;

– driver’s license number;

– account number; and

– credit or debit card account number in combination with any required access code.


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Breach of Security

A “breach of security” occurs upon “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity” of personal information that has not been encrypted or made unreadable or unusable by similar technology.


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Disclosure Requirements

• Any “breach of security” must be disclosed to any “customer” who resides in the state “whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”

• The disclosure must be made within the most “expedient time possible and without unreasonable delay.”

• A “customer” is an individual who has provided personal information.


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Disclosure to Law Enforcement and Credit Bureaus

• Before notifying customers, a business must report a breach to the Division of State Police in the Department of Law and Public Safety.

• A law enforcement agency may then determine that notification to customers be delayed if it would impede an investigation.


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Third Party Vendors

• If you are compiling or maintaining computerized information “on behalf of another business or public entity,” then you must notify that business or public entity of any breach of security.

• The obligation to notify customers rests with the business or public entity that has the customer relationships.


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Destruction of Records

Destruction of records must be effectuated “through generally available means,” either directly or by arrangement with another party, “by shredding, erasing, or otherwise modifying” the information in the records to make it “unreadable, undecipherable or nonreconstructable.”


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Social Security Numbers

• Prohibited Social Security number disclosure:

– the display of four or more consecutive digits;

– printing social security numbers on mailers or publicly disclosing under most circumstances;

– requiring in any way that an individual transmit his or her social security number over the internet unless the connection is secure, the number is encrypted or authentication is required; and

– can be used for internal and administrative verification purposes.


Data Privacy Laws/Regulations Don’t Apply to Us, But… State Breach Acts – Penalties

• Breach of Social Security number or security breach disclosure provisions can trigger penalties under the Consumer Fraud Act, which includes treble damages.

• The Attorney General may seek injunctive relief and assess fines.


Data Privacy Laws/Regulations Don’t Apply to Us, But… Federal laws protecting personal information:

• F.A.C.T.A. “Red Flag” Rule: Rules that require financial institutions and creditors to develop and implement written identity theft prevention programs.

• H.I.P.A.A. Security Rule: Requires appropriate administrative, physical and technical safeguards to ensure confidentiality, integrity and security of electronic protected health information.

• H.I.T.E.C.H. Law: Extends the scope of HIPAA requirements to the business associates of covered entities. This also expands the regulations to include mandatory breach notifications, heightened enforcement, increased penalties and patient rights.

• Gramm-Leach-Bliley Act: Requires financial institutions to have in place standards which protect the security of their banking customers’ nonpublic information.

• I.T.E.R.A.: The Identity Theft Enforcement and Restitution Act amends the federal criminal code to authorize criminal restitution orders in identity theft cases.


Data Privacy Laws/Regulations Don’t Apply to Us, But … Common Law causes of action:

• Malpractice

• Negligence

• Breach of fiduciary duty

• Fraud


Data Privacy Laws/Regulations Don’t Apply to Us, But… Negligence

Negligence:

• Duty to take reasonable steps to protect sensitive information that would not have been provided absent belief that the information would be kept secure.

• Failed to take commercially reasonable steps to protect the sensitive information.

• Failure to protect the information resulted in the breach.

• Plaintiff was damaged as:

– the sensitive information was not kept private.

– plaintiff has experienced or may experience identity theft.

– other adverse consequences may result (e.g. discrimination due to HIV positive status).


Data Privacy Laws/Regulations Don’t Apply to Us, But…

Violation of Deceptive Trade Practices or Consumer Protection Laws:

• Communications/Web Site Privacy Policy or other materials viewed or received by plaintiff caused plaintiff to believe that his/her information would be kept private

• Plaintiff was misled, provided the information, and was deceived because the information was not kept private

– Frequently sought because a prevailing plaintiff recovers treble damages and attorneys’ fees


Data Privacy Laws/Regulations Don’t Apply to Us, But…

Fraud [Not a good headline!]:

• Material misrepresentation by defendant (that information would be kept private) induced plaintiff to provide private information, reasonably believing that it would be kept private.

• Plaintiff was damaged because the information was not kept private.


CYBER LIABILITY INSURANCE COVERAGE


Insurance Coverage

• Your Lawyers Professional Liability Insurance Policy may respond to a malpractice claim for a data breach.

• It will not respond to:

– Expenses related to responding to an injunction

– Costs associated with sending out notification letters

– Punitive and/or treble damages

– Costs associated with a Bar complaint (depending on the policy)

– Loss of business income

– Costs, including defense expenses, associated with responding to a regulatory investigation

– Costs associated with bringing the system into compliance

– Future audits conducted by State and/or Federal authorities

If the FTC or State Attorney General find that your privacy and security controls fail to comply with the standard of care, then you may be required to have a security audit every two years for the next 20 years.


Insurance Coverage

• Cyber Liability Coverage may respond to:

• Privacy Injury

– Personal Information

– Corporate Confidential Information

• Media Liability

• Network Security Liability

• Privacy Regulation Proceeding

• Notification Costs

• Extortion

• Network Business Interruption


Questions?


Contact Information

• Josh Kantrow, Partner and Co-Chair of Data Security and Cyber Litigation Practice, Wilson Elser Moskowitz Edelman & Dicker LLP, 55 West Monroe, Chicago, IL 60603; p 312-821-6163; f [email protected]

• Dan Roffman, Managing Director, FTI Consulting, 227 West Monroe, Suite 900, Chicago, IL 60606; p 312-252-9377; m [email protected]

• Ian T. Matyjewicz, Esq., Jamison Risk Services, 100 Executive Drive, West Orange, NJ 07052; p 973-669-2346; m [email protected]

• David Hallstrom, CNA Insurance, 333 S. Wabash Avenue, Chicago, IL 60604; p 312-822-6263; m [email protected]