government notification of data breach

www.solidcounsel.com

Upload: shawn-tuma

Post on 16-Jan-2017

Category: Law

Page 1: Government Notification of Data Breach


Page 5

“Security and IT protect companies’ data; Legal protects companies from their data.”

Page 6

Legal Schizophrenia

• 1st Defense: Adequate Cybersecurity

• 2nd Defense: Deterrence by Law

• Public Confusion

• “Security Research”

• IoT / implanted medical devices?

Page 7

Cause for Concern

• 62% of Cyber Attacks → SMBs

• Odds: Security @100% v. Hacker @1

• ACC Study (9/15) = #2 Concern Keeping CLOs Awake at Night

• Dyn & IoT?

Page 8

Cost of a Data Breach – US (Ponemon Inst.)

Year   Cost per record   Total avg. cost paid by organizations
2013   $188              $5.4 million
2014   $201              $5.9 million
2015   $217              $6.5 million

Page 9

Legal Obligations

International Laws: Safe Harbor; Privacy Shield

Federal Laws & Regs.: HIPAA, GLBA, FERPA; FTC, FCC, SEC

State Laws: 47 states (all except AL, NM, SD)

Industry Groups: PCI, FINRA, etc.

Contracts: 3rd Party Bus. Assoc.; Data Security Addendum

Page 10

Immediate Priorities

• Leadership!

• Assess the situation

• Be a counselor

• Instill confidence

• Bring peace

• Facilitate rational thought & rational behavior

Page 11

Response Process

• Appendix A

• Goal is to execute the IRP

• This is a checklist, not an IRP

• How detailed?

• Tabletop exercises

Page 12

Data Breach Foundations: Is the cyber event an incident or a breach?

Event: any occurrence.

Incident: an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of the system, data, policies, or practices.

Breach: actual loss of control, compromise, unauthorized disclosure, acquisition or access of data.

Ransomware? Encryption safe harbor?

Page 13

Data Breach Foundations: Is the cyber event caused by criminal or negligent actions?

Hacker stealing IP from network.

Employee misplaces unencrypted USB drive with PII.

Focus on the action – why was it done?

Report criminal events to law enforcement; not usually with negligent ones.

Page 14

Data Breach Foundations: The difference between reporting, disclosing, notifying?

Used interchangeably, not official – just used for clarity.

Reporting: to report a crime to law enforcement.

Disclosing: to disclose (notify) a data breach to a state or federal regulator.

Notification: to notify the data subjects of a data breach.

Page 15

Data Breach Foundations: Relationship between unauthorized access and breach notification laws?

2 sides of the same coin.

Unauthorized access: prohibits an actor from harming the company’s network or data; the company is the victim.

Breach notification: mandates actions by the company after having a breach; the company is transformed into the wrongdoer.

Page 16

Reporting to Law Enforcement: Role of law enforcement.

When to report to law enforcement?

Federal, state, or local law enforcement?

When will law enforcement not get involved (usually)?

Page 17

Reporting to Law Enforcement: Is it mandatory to report to law enforcement?

State breach notification laws presume reporting.

DOJ, NIST, FTC (“we’d view that company more favorably than a company that hasn’t”)

US Senate (Yahoo) – when did you report to law enforcement or other government authorities?

Credibility – the “state sponsored” / “unprecedented” game.

Page 18

Reporting to Law Enforcement: Benefits of reporting to law enforcement.

Agencies can compel info from 3rd parties.

Can work with foreign counterparts.

Viewed favorably by regulators, shareholders, public.

Can request delay of reporting.

Can result in successful prosecution.

Resources, expertise, institutional knowledge, your $$$

Page 19

“The FBI is not there to re-victimize the victim.” – Richard Murray, FBI

“We try to be fair and know that we must be fair because that will get around and we want to work with companies.” – Shamoil Shipchandler, SEC

Page 20

Reporting to Law Enforcement: Dispelling myths of reporting to law enforcement.

Reporting to law enforcement is not the same as disclosing to regulators.

Doesn’t “take over” your operations; not like a regulatory enforcement action.

Law enforcement uses discretion, doesn’t tattle on you.

Company is still viewed as the victim.

Use hypotheticals, if needed.

Page 21

Reporting to Law Enforcement: Tips for reporting:

Unified Fed. Guide (D)

Use and maintain logging.

Have a relationship, or work with someone who does.

Best Practices (C)

Page 22

Disclosure to Government Regulators: Remember our fiction: reporting / notifying / disclosing

What type of data was breached? (PII, PHI, Fin. Data, PCI)

Which laws apply?

Regulated industry? (HHS, SEC, FDIC, FINRA)

i.e., Health → HHS, then ≥ 500 affected individuals = 60 days to report; < 500 = annual report

State jurisdictions?

Page 23

Disclosure to Government Regulators: Breach Notification Laws

No national breach notification law

47 states w/ laws + DC, PR, VI (≠ AL, NM, SD)

Data subjects’ residence determines which laws apply, plus the state where the company does business.

Some consistency, but some not (e.g., MA & CA)

Review each time – constantly changing.

Page 24

Disclosure to Government Regulators: Is it a triggering “breach” under each relevant state’s laws?

Which states’ laws require disclosure to their AG?

Most, under certain circumstances (not TX).

Which require pre-notice of a breach notification?

CA, CT, NH, NJ, NY, NC, PR, WA

When must disclosures be made? (w/ notification: 30 / 45 days / reasonable time)

How must disclosure be made? (template / portal)

Page 25

Texas Breach Notification Law: Notification Required Following Breach of Security of Computerized Data, Tex. Bus. Comm. Code § 521.053

“A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” (See Appendix B)

Page 26

Diagram: combinations of sensitive personal information whose unauthorized acquisition is a data breach:

First name or first initial + last name, with SSN, DLN, or Govt ID → data breach

First name or first initial + last name, with Acct or Card # + Access or Security Code → data breach

Info that IDs an individual + health care provided, or payment for it → data breach

Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053

CIVIL PENALTY: $100.00 per individual per day for notification delay, not to exceed $250,000 for a single breach. § 521.151

Page 27

Texas Breach Notification Law: Breach of System Security: “unauthorized acquisition ... compromises the security, confidentiality, or integrity of” SPI. Employee leaving with customer data?

Applies to anyone doing business in Texas.

Notify any individual whose SPI “was, or is reasonably believed to have been, acquired by an unauthorized person.”

When: “as quickly as possible,” but allows for LE delay

Penalty: $100 per individual per day for delayed time, not to exceed $250,000 for a single breach (enforced by the AG / no private civil remedy)

Page 28

Cybersecurity Risk Management Program:

Cyber Risk Assessment → Strategic Planning → Deploy Defense Assets → Develop, Implement & Train on P&P → Tabletop Testing → Reassess & Refine

Page 29

“You don’t drown by falling in the water; you drown by staying there.”

Page 30

• Board of Directors & General Counsel, Cyber Future Foundation

• Board of Advisors, North Texas Cyber Forensics Lab

• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)

• SuperLawyers Top 100 Lawyers in Dallas (2016)

• SuperLawyers 2015-16 (IP Litigation)

• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)

• Council, Computer & Technology Section, State Bar of Texas

• Privacy and Data Security Committee of the State Bar of Texas

• College of the State Bar of Texas

• Board of Directors, Collin County Bench Bar Foundation

• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association

• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

• North Texas Crime Commission, Cybercrime Committee

• Infragard (FBI)

• International Association of Privacy Professionals (IAPP)

• Board of Advisors Office of CISO, Optiv Security

• Editor, Business Cybersecurity Business Law Blog

Shawn Tuma
Cybersecurity Partner, Scheef & Stone
[email protected]
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com