Cybersecurity: Legal Perspectives

Mackenzie S. Wallace, Thompson & Knight LLP
Craig C. Carpenter, Thompson & Knight LLP

Thompson & Knight Data Privacy and Cybersecurity Practice

Texas Society of Certified Public Accountants, Fort Worth Chapter - Sept. 23, 2015


Why is this important?

Personally

Professionally

Why is this important?

● The average cost of a data breach in the study was $6.5 Million.

● The average cost per stolen record has increased from $201 last year, to $217 per record.

● Heavily regulated industries (such as healthcare, financial, energy and transportation) tend to have higher costs.

● Malicious attacks were the primary cause of the attacks studied, followed by attacks due to negligent employees.

● Effective preparation can reduce the cost of a data breach.

(Source: Ponemon 2015 Cost of Data Breach Study: United States (sponsored by IBM))

What is the threat?

THREATS

● Insider Breaches

● E-mail or Spear Phishing

● Accidental Breaches

● Corporate Espionage


What is the Threat?

http://map.norsecorp.com/

Anatomy of a Breach

● Bad actors look for weaknesses

  ● Credentials

  ● Vulnerable software versions

  ● Misconfigured settings

● Intrusion

● Malware insertion

● Extraction of valuable information

● Covering tracks

What should you do about it?

Step 1 • Become aware of threats

Step 2 • Analyze vulnerabilities

Step 3 • Inventory data

Step 4 • Understand the standard of care

Step 5 • Meet the standard of care

Step 6 • Develop and implement a security program

What is the standard of care?

“Reasonable” Cybersecurity Practices

● Common Law

● Statutory Law

● Industry/NIST

● Global Framework

Current State of the Law

● Statutory law

● Common law

● Industry Standards

● Global framework

How to meet the standard of care

● Know your data

● Safeguards

● Secure Vendors

● Data Security Policies

Know Your Data

● What types of data:

  ● Employee PII

  ● Client PII

  ● Financial Data, Trade Secrets

● Data flow

  ● Collection, storage, transmission

● Data retention

● Destruction

Data Security Safeguards

● Physical

  ● Locks and safes, fencing, walls, surveillance systems, intrusion detectors, alarms and cameras, key cards

● Technical

  ● Passwords, firewalls, unique user identifications, automatic logoffs, and encryption and decryption of information

● Administrative

  ● Training, background checks, exit interviews, need-to-know

Data Breach

“There are two types of companies, those that have been hacked and those that will be.”
Robert Mueller, Director, FBI

“Any company that is patting itself on the back and saying that they are not a target or not susceptible to attack is in complete and utter denial.”
Roger Cressey, Sr. VP Booz Allen Hamilton

Breach & Breach Reporting

What is a breach?

• Hacking
• Phishing
• Malware
• Theft
• Misuse

How does a breach occur?

• Motive
• Opportunity
• Weak security
• Weak policies

Now what?

• Respond quickly
• Respond appropriately
• Preserve evidence

Steps in a Breach Response

Discovery & Reporting

• Identify the incident or potential incident.
• Immediately report the incident or threat to the proper party.

Initial Response

• Secure and isolate affected systems to limit further data loss.
• Preserve evidence. Convene the Incident Response Team in accordance with this Plan.
• Know your role. Coordinate investigation and remediation.

Investigation

• Gather information on the incident.
• Consider involving forensics team and outside counsel.
• Analyze the cause of the incident and the affected systems.
• Analyze legal requirements and liabilities going forward.

Remediation

• Comply with legal requirements including breach notification.
• Remove known vulnerabilities; repair systems.
• Respond to third-party inquiries. Consider contacting law enforcement.

Post-Incident Review

• Review analysis and notes regarding the incident.
• Improve practices as necessary.
• Improve policies as necessary.


Data Breach Damages

Reputational

Hardware/Software

Compliance

Claims

Additional Responsibilities

Financial Information

• FTC Safeguard Rule
• Gramm-Leach-Bliley
• SEC

Health Information

• HIPAA


Additional Responsibilities

SEC Guidance

Disclosure Guidance No. 2 (Oct. 13, 2011)

Roundtable (Mar. 26, 2014)

Risk Alert and Cybersecurity Initiative (Apr. 15, 2014)


Legal and Regulatory Obligations

● Risk Factors

● Management’s Discussion and Analysis

● Description of Business and Legal Proceedings

● Financial Statement Disclosures

Additional Responsibilities

● External Auditors

  ● Center for Audit Quality Alert #2014-3 (Mar. 21, 2014)

● Internal Auditors

  ● Protiviti 2015 Internal Audit Capabilities and Needs Survey

Recent Developments

● State Law Developments

  ● Texas HB 896 – Signed into law May 28, 2015

  ● Effective September 1, 2015

  ● Amends the breach of computer security law provisions relating to the prosecution of the offense of breach of computer security; expands provisions related to unauthorized access of computer systems

  ● Texas Penal Code § 33.02 – Breach of Computer Security

Recent Developments

● Wyndham – FTC jurisdiction

  ● FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).


Recent Developments—Litigation Landscape

Settlement

Damages

Standing

Questions?

http://www.tkcybersecurityblog.com/

Craig C. Carpenter (214) 969-1154
Mackenzie S. Wallace (214) 969-1404

http://www.tklaw.com/data-privacy-and-cybersecurity/