TRANSCRIPT
Cybersecurity: Legal Perspectives
Mackenzie S. Wallace, Thompson & Knight LLP
Craig C. Carpenter, Thompson & Knight LLP
Thompson & Knight Data Privacy and Cybersecurity Practice
Texas Society of Certified Public Accountants, Fort Worth Chapter - Sept. 23, 2015
Why is this important?
● Personally
● Professionally
● The average cost of a data breach in the study was $6.5 Million.
● The average cost per stolen record has increased from $201 last year, to $217 per record.
● Heavily regulated industries (such as healthcare, financial, energy and transportation) tend to have higher costs.
● Malicious attacks were the primary cause of the breaches studied, followed by breaches due to negligent employees.
● Effective preparation can reduce the cost of a data breach.
(Source: Ponemon 2015 Cost of Data Breach Study: United States (sponsored by IBM))
What is the threat?
● Insider Breaches
● E-mail or Spear Phishing
● Accidental Breaches
● Corporate Espionage
Anatomy of a Breach
● Bad actors look for weaknesses
  ● Credentials
  ● Vulnerable software versions
  ● Misconfigured settings
● Intrusion
● Malware insertion
● Extraction of valuable information
● Covering tracks
What should you do about it?
Step 1 • Become aware of threats
Step 2 • Analyze vulnerabilities
Step 3 • Inventory data
Step 4 • Understand the standard of care
Step 5 • Meet the standard of care
Step 6 • Develop and implement a security program
What is the standard of care?
● “Reasonable” Cybersecurity Practices
● Common Law
● Statutory Law
● Industry/NIST
● Global Framework
Current State of the Law
● Statutory law
● Common law
● Industry Standards
● Global framework
How to meet the standard of care
● Know your data
● Safeguards
● Secure Vendors
● Data Security Policies
Know Your Data
● What types of data:
  ● Employee PII
  ● Client PII
  ● Financial Data, Trade Secrets
● Data flow
  ● Collection, storage, transmission
● Data retention
  ● Destruction
Data Security Safeguards
● Physical
  ● Locks and safes, fencing, walls, surveillance systems, intrusion detectors, alarms and cameras, key cards
● Technical
  ● Passwords, firewalls, unique user identifications, automatic logoffs, and encryption and decryption of information
● Administrative
  ● Training, background checks, exit interviews, need-to-know
Data Breach
“There are two types of companies, those that have been hacked and those that will be.” (Robert Mueller, Director, FBI)
“Any company that is patting itself on the back and saying that they are not a target or not susceptible to attack is in complete and utter denial.” (Roger Cressey, Sr. VP, Booz Allen Hamilton)
What is a breach?
• Hacking
• Phishing
• Malware
• Theft
• Misuse
How does a breach occur?
• Motive
• Opportunity
• Weak security
• Weak policies
Now what?
• Respond quickly
• Respond appropriately
• Preserve evidence
Breach & Breach Reporting
Steps in a Breach Response
Discovery & Reporting
• Identify the incident or potential incident.
• Immediately report the incident or threat to the proper party.
Initial Response
• Secure and isolate affected systems to limit further data loss.
• Preserve evidence.
• Convene the Incident Response Team in accordance with this Plan.
• Know your role. Coordinate investigation and remediation.
Investigation
• Gather information on the incident.
• Consider involving forensics team and outside counsel.
• Analyze the cause of the incident and the affected systems.
• Analyze legal requirements and liabilities going forward.
Remediation
• Comply with legal requirements, including breach notification.
• Remove known vulnerabilities; repair systems.
• Respond to third-party inquiries. Consider contacting law enforcement.
Post-Incident Review
• Review analysis and notes regarding the incident.
• Improve practices as necessary.
• Improve policies as necessary.
Data Breach Damages
Reputational
Hardware/Software
Compliance
Claims
Additional Responsibilities
Financial Information
• FTC Safeguards Rule
• Gramm-Leach-Bliley
• SEC
Health Information
• HIPAA
Additional Responsibilities
SEC Guidance
Disclosure Guidance No. 2 (Oct. 13, 2011)
Roundtable (Mar. 26, 2014)
Risk Alert and Cybersecurity Initiative (Apr. 15, 2014)
Legal and Regulatory Obligations
● SEC Disclosure
  ● Risk Factors
  ● Management’s Discussion and Analysis
  ● Description of Business and Legal Proceedings
  ● Financial Statement Disclosures
● External Auditors
  ● Center for Audit Quality Alert #2014-3 (Mar. 21, 2014)
● Internal Auditors
  ● Protiviti 2015 Internal Audit Capabilities and Needs Survey
Additional Responsibilities
● State Law Developments
  ● Texas HB 896 – Signed into law May 28, 2015
    ● Effective September 1, 2015
    ● Amends the breach of computer security law provisions relating to the prosecution of the offense of breach of computer security—expands provisions related to unauthorized access of computer systems
  ● Texas Penal Code § 33.02 – Breach of Computer Security
Recent Developments
● Wyndham – FTC jurisdiction
  ● FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).
Recent Developments—Litigation Landscape
● Settlement
● Damages
● Standing
Questions?
http://www.tkcybersecurityblog.com/
Craig C. Carpenter (214) 969-1154 [email protected]
Mackenzie S. Wallace (214) 969-1404 [email protected]
http://www.tklaw.com/data-privacy-and-cybersecurity/