Page 1

The Latest on Cybersecurity, Data Loss Prevention and Data Breach/Privacy Litigation

© 2016 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com

August 17, 2016

Page 2

Presented by

Anthony J. Laura

Member of the Firm

[email protected]

973.639.8267


Brian G. Cesaratto

Member of the Firm

[email protected]

212.351.4921

Page 3

Agenda


1. Overview and State of Corporate Data Security

i. Statistics and Examples

ii. Anatomy of a Breach

2. Legal and Enforcement Overview

3. Litigation

4. Preparation

i. Auditing and Monitoring

ii. Education and Training

iii. Incident Response

Page 4

Overview

Page 5

The New Reality/Companies Under Attack


• https://www.youtube.com/watch?v=7vBHJ4E6nis

PrivacyRights.org

• 899,587,955 records breached, from 4,973 data breaches made public since 2005

IBM’s and Ponemon Institute’s 2016 Cost of Data Breach Study

• U.S. companies pay an average of just over $7M for standard data breach

o Standard = fewer than 100,000 records compromised

o $221/record

• Malicious attacks most common cause/costly

Deloitte’s “Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts”

• 95% of cyberattack costs take place over 5 year period after attack

o Lost contract revenues and customer relationships > reimbursing and litigation

Page 6

The New Reality/Social Engineering


• In November 2014, Sony was the victim of a cyber-attack, possibly related to the production of a movie that parodied North Korean leader Kim Jong Un

• Hackers allegedly stole PII of at least 15,000 current and former employees and posted info online

• Plaintiffs claimed Sony failed to implement and maintain adequate security measures to protect employees’ PII and improperly waited 3 weeks to notify

• Breach apparently resulted from social engineering (phishing/passwords)

Takeaways:

• Risk assessment: Companies must understand where sensitive data resides and what threats and vulnerabilities may exist to that data

• Must train employees to be responsible stewards of data

• Be prepared for when the breach happens

Page 7

The New Reality/Physical Security


• Putative class action against Coca-Cola alleging that between 2007-2013, another employee stole 50+ laptops containing SSNs, DLNs, bank account info and other sensitive data on at least 74K employees at largest bottling operation

• October 2015, court dismissed negligence, fraud and other similar claims, but found breach of contract, unjust enrichment and restitution claims sufficient

• Unlike other cases where harm was speculative, named plaintiff suffered palpable harm, including alleged theft of funds from his bank accounts

Takeaways:

• Physical security

• Asset management

• Encryption

Page 8

Anatomy of a Breach/Verizon Breach Report

Page 9

Anatomy of a Breach/Why are PII Breaches Different?

• Security is relatively new for a lot of companies and they are all scrambling to protect themselves

• Client HR systems are insecure

o Most, but not all, PII is stored in a central repository, such as PeopleSoft, which is designed to be relatively open and to share information quickly; appropriate permissions are often not set.

o In-house developed systems that were designed without security in mind

– Many HR functions run off open file shares

o More troubling are the systems that individuals create, that the Company may not be aware of.

– Managers and supervisors possess PII about which companies do not know

• HR lacks the IS resources, program maturity/ processes

• Paper programs with no operational effectiveness

o The HR cabinet needs to go

Page 10

Education & Training

Historical delta between IT and Legal, Compliance, and HR

• Weak understanding of the IT world and risks

• Little ability to “speak the language”

• Weak processes to keep legal decision makers informed

Page 11

Education and Training

Paper legal and compliance programs

• Template compliance policies that are totally removed from company operation

• Operational policies and processes that violate the law

Employee training

• Nearly every major breach has had some form of social engineering

• Employees are not prepared by compliance training to respond effectively

Little Ability to Respond to Emergencies

• Common fact patterns involve weeks of delay before forensics or incident response team triggered

Page 12

Education & Training

Economic Consequences

• Credit monitoring

• Legal fees/Litigation

• Employee time

Lost business opportunities

• Hard to get business

• Hard to sell business

Reputational Damages

• Public relations “nightmare”

• Lost client confidence

• Increased Regulatory Scrutiny

Page 13

Legal and Enforcement Overview

Page 14

Overview

Human Resources

Privacy Rule

Security Rule

State Law

FTC

Page 15

Overview/Legal

HIPAA Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other protected health information. The Rule requires appropriate safeguards to protect the privacy of protected health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

HIPAA Security Rule: The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

State Law: Forty-seven states have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, medical information, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

FTC: The Federal Trade Commission has the authority under Section 5 of the FTC Act to enforce against entities engaged in unfair or deceptive practices. Recently, the FTC has used this authority to bring enforcement actions against entities who violate consumer privacy rights or fail to maintain appropriate security for private consumer information, including health care entities. The FTC also enforces against entities who do not obey their own stated privacy or security policies.

Page 16

Litigation

Page 17

High Profile Data Breaches in recent years

• Sony PlayStation, affecting up to 102,000,000 users

• TD Bank, affecting up to 1,400,000 customers

• LinkedIn, affecting 6,500,000 users

• Living Social, affecting up to 50,000,000 customers

• Target, affecting up to 70,000,000 customers

• eBay, affecting up to 145,000,000 users

• AOL, affecting up to 2,400,000 customers

• Home Depot, affecting up to 56,000,000 customers

• JP Morgan Chase, affecting up to 76,000,000 customers

• Anthem, affecting up to 80,000,000 customers

What result do most of these breaches, and those less notable, have in common?

Litigation Consequences of a Data Breach

Page 18

Litigation or Governmental Investigations

• In re Sony Gaming Networks And Customer Data Security Breach Litigation, MDL No. 2268, concluded with $15 million settlement approved Jul. 10, 2014

• TD Bank - Investigations by, and settlements with, NY and MA Attorneys General for a total payout of $1,675,000 plus remedial measures

• Wright v. LinkedIn Corp., Case No. 12-cv-03088-EJD (N.D. Cal.), $1.25 million settlement granted preliminary approval on Jan. 29, 2015

• LivingSocial – Investigations by CT and MD Attorneys General

• In re Target Corp. Customer Data Security Breach Litigation, MDL No. 2522, with $10 million settlement granted preliminary approval on Mar. 19, 2015

• Green v. eBay, Inc., No. 2:14-cv-01688 (E.D. La.) – Motion to Dismiss pending

• In re The Home Depot, Inc. Customer Data Security Breach Litigation, MDL No. 2583, with Rule 12(b) motions due to be filed by May 2015

• D’Angelo v. Anthem, Inc., 1:15-cv-00371 (N.D. Ga.) (one of at least 8 pending suits)

Litigation Consequences of a Data Breach (continued)

Page 19

Data breach litigation and government enforcement actions have been going on for more than a decade. You may remember…

• BJ’s Wholesale Club

o FTC enforcement action in 2005

o Credit card issuer cases followed suit (by BankNorth and Sovereign)

• TJX Companies in 2006

o 30 state AGs and the FTC pursued investigations

o Consumer class actions in the D. Mass.

o Mass. Banking Assn. pursued claims on behalf of its constituents

• An empirical analysis of data breach litigation published in 2012 reported that from 2005 to 2011, 230 such actions were initiated in US federal courts alone (plus an untold number of state court suits)

Litigation Consequences of a Data Breach (continued)

Page 20

The primary claims of consumer Plaintiffs:

• Violation of state consumer protection/UDAP statutes

• Violation of state data privacy statutes

• Violation of federal statutes – FCRA, Video Privacy Protection Act

• Negligence

• Invasion of Privacy

• Breach of express (Privacy Policy) or implied contract to safeguard information

• Negligent or Intentional Misrepresentation (viz. published “Commitment to Data Security” or “Protecting Your Personal Information” statements)

• Negligent Bailment of electronic data

What avenues of defense to these claims exist?

Litigation Consequences of a Data Breach (continued)

Page 21

• Lack of Standing

o Speculative future harm is insufficient under Article III

o Bolstered by SCOTUS in Clapper v. Amnesty Int’l, 133 S. Ct. 1138 (2013) (reiterating Art. III standing requires “certainly impending” injury)

o Articulated well in the data breach context by In re SAIC Backup Tape Data Theft Litigation, MDL No. 2360 (D.D.C. May 9, 2014)

– Mere loss of data without evidence of misuse is insufficient

– Allegation that plaintiffs were 9.5 times more likely to suffer misuse is irrelevant; the inquiry is whether injury is certainly impending

– What role did the circumstances of the breach (car break-in) play in the decision?

o Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (pre-Clapper and Spokeo)

– Rejecting claims of future identity theft as too speculative and hypothetical

Litigation Consequences of a Data Breach (continued)

Page 22

o The first and only Circuit Court to tackle standing in the data breach context and find in Plaintiffs’ favor is the 7th Circuit in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).

o What injuries were alleged there?

– Costs incurred in resolving fraudulent charges and protecting against future loss

– Increased risk of future fraudulent charges and identity theft

o Court used Neiman’s remedial measures as a sword

– Neiman offered one year free credit monitoring and identity theft protection services, leading court to note that Neiman must believe some of the injuries are concrete

– Neiman’s actions “adequately raise the plaintiffs’ right to relief above the speculative level.”

Litigation Consequences of a Data Breach (continued)

Page 23

• The 7th Circuit followed its own lead in deciding Lewert v. PF Chang’s China Bistro, No. 14-3700 (7th Cir. Apr. 14, 2016)

o Again found standing based upon costs and efforts undertaken to reverse or further prevent fraudulent charges

o Found imminent threat of identity theft by virtue of PF Chang’s own statement to its customers to monitor their credit reports

o Interesting precursor to 7th Circuit’s current position: Pisciotta v. Old Nat. Bancorp., 499 F.3d 629 (7th Cir. 2007), finding that threat of future identity theft was sufficient ‘injury’ to warrant standing, but dismissing case on the merits because ‘credit monitoring’ was not then a recognized cause of action under Indiana law

Number of other Circuits since Clapper to analyze standing in pure data breach cases: 0

Litigation Consequences of a Data Breach (continued)

Page 24

• Circuits since Clapper that have analyzed Standing in Data Privacy context

o Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014)

o In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015)

o In re Nickelodeon Consumer Privacy Litigation, No. 15-1441 (Jun. 27, 2016)

o Carlsen v. Gamestop Inc., No. 15-2453 (8th Cir. Aug. 16, 2016)

• Impact of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)

o Both sides claim some measure of victory.

o Language in opinion helps both sides.

o Art. III injury must be “concrete” and “particularized” (good for defendants), but can also be “intangible” (good for plaintiffs).

o Tension still exists: is the intangible risk of future harm by way of identity theft or other misuse of data sufficient? No direct answer from SCOTUS.

o Interesting to note about Gamestop: Majority makes no reference to Spokeo, and dissent says it is dispositive of standing argument.

Litigation Consequences of a Data Breach (continued)

Page 25

Additional Defenses

o Economic Loss Doctrine

– No recovery for purely economic loss in negligence and negligent misrepresentation claims – In re Michaels Stores, 830 F. Supp. 2d 518 (N.D. Ill. 2011)

– Applicable in some states but not in others (some have exceptions based upon “independent duty”) – see In re Target, MDL No. 2522 (Dec. 18, 2014)

Litigation Consequences of a Data Breach (continued)

Page 26

• Preemption

o Industry specific preemption arguments

– Pro (Financial Services Industry): Willey v. JP Morgan Chase, 09-cv-1397 (S.D.N.Y. Jul. 7, 2009) (OCC regulations regarding data security under FCRA preempt state law claims regarding disposal of customer data)

– Contra (Health Care Industry): Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (Conn. Nov. 11, 2014) (Claims of negligent disclosure of PHI by medical practice not preempted by HIPAA, which has no private right of action)

o Most proposed federal data breach legislation contains preemption provisions

Litigation Consequences of a Data Breach (continued)

Page 27

Primary claims of non-consumer Plaintiffs (Banks and Credit Card Issuers that refund/cover consumer losses)

• Negligence

o Duties arise from foreseeability of harm and from privacy laws

• Negligent or Intentional Misrepresentation

• Breach of Contract (Direct and/or as Third Party Beneficiary)

• Violation of state consumer protection/UDAP statutes

• Violation of state data privacy statutes

• See In re Target

Litigation Consequences of a Data Breach (continued)

Page 28

Principal defenses to non-consumer Plaintiff claims

• No duty to third party bank/credit card issuer in absence of “special relationship”

• No reasonable reliance by bank/credit card issuer on “privacy protection” statements made to consumers

• No standing for bank/credit card issuer to recover under consumer protection laws

• Contributory negligence in alleged lax security across credit card network

Litigation Consequences of a Data Breach (continued)

Page 29

Can Investor and Shareholder Derivative Claims Be Far Behind?

• Consequences of data breach resulted in decrease in stock price

• Company’s Board breached its fiduciary duty by failing to take sufficient precautions to prevent or mitigate data breach

• Company’s public statements on its cybersecurity policies and procedures were false or misleading

• Corporate waste or gross mismanagement claims

“[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Speech at the New York Stock Exchange (June 10, 2014).

Litigation Consequences of a Data Breach (continued)

Page 30

What do these data breaches cost?

Estimates are:

• $1 per customer notification

• $10 per credit monitoring (accepted by roughly 15% of customers)

• $3 per new card issued

• Costs of investigatory/remediation efforts, business interruption, legal fees and settlement amounts are widely variant

Aon Survey – average cost of data breach is $7 mm

• 80% of data breaches result in < $1 mm in costs

• 15% of data breaches cost between $1 mm - $20 mm

• 5% of data breaches cost > $20 mm

Litigation Consequences of a Data Breach (continued)

Page 31

“Who pays for all this?” (aside from 3d party indemn.)

o Insurance

– Cybersecurity Policy

» Typically cafeteria style coverage

» First-party coverage (business interruption/response)

» Third-party coverage, aka “security and privacy liability” coverage, covers defense costs and adverse outcome

» Usually requires cyber audit by underwriters

– Traditional CGL Policy

» May be triggered under third party “Property Damage” and “Personal and Advertising Injury” coverages

» Recent NY case holds no coverage under standard CGL policy (Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. 2/21/14))

» As of May 1, 2014, ISO form CGL policies now contain cyber exclusion endorsement CG 21 06 05 14

Litigation Consequences of a Data Breach (continued)

Page 32

State and Federal Statutes Governing Data Breaches

Federal statutes

• In a 2013 Report to Congress, the Congressional Research Service reported that more than 50 federal statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place.

o The Famous Ones:

– Gramm-Leach-Bliley – mandating investigation, determination of possible misuse and resulting notification to affected customers

– HIPAA and HITECH – safeguarding PHI

o The Not So Famous Ones typically pertain to federal agencies’ own implementation of cybersecurity, not to securing customer info

• FTC has successfully asserted jurisdiction over cybersecurity breaches under Section 5 of the FTCA, which prohibits unfair and deceptive practices

o See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (2015)

Litigation Consequences of a Data Breach (continued)

Page 33

State and Federal Statutes Governing Data Breaches, cont.

• 47 states have some version of cybersecurity/privacy/data breach laws

o They differ in a number of ways, including:

– Defining the protected data

– When notification is required (to public and state govt.)

» Unauthorized access trigger

» Risk of Harm trigger

– Whether they permit a private right of action

– Time period within which notification is required

– Whether there is a safe harbor (typ. based upon encryption)

» NY AG recently announced intention to introduce legislation providing a safe harbor presumption based upon meeting certain security standards

Litigation Consequences of a Data Breach (continued)

Page 34

Auditing and Monitoring: Conducting the Risk Assessment

Page 35

What is a Risk Assessment?

The Risk Assessment is the foundational step in any security management process.

Requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information held by the entity.

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Risk Assessments can be conducted using many different methodologies.

What is appropriate depends on the organization (HIMSS, NIST, Custom)

What you put in is what you get out

Physical, Technical, and Administrative

Page 36

Risk Assessment Process

NIST 800-30

1. Scope the Assessment

2. Gather Information

3. Identify Realistic Threats

4. Identify Potential Vulnerabilities

5. Assess Current Security Controls

6. Determine Likelihood and Impact of Threat

7. Determine the Level of Risk

8. Recommend Security Controls

9. Document Results

Page 37

Risk Assessment Process

Scoping the Assessment

Identify where sensitive information is created, received, maintained, processed and transmitted

• Physical boundaries, technical environment, end user machines, paper storage, etc.

Goal: Understand where sensitive information and systems reside

Gather Information

Identify how sensitive information is created, received, maintained and processed

• Determine security controls in place to protect

Goal: Find hidden repositories of sensitive information or business process outside of secure environment

Page 38

Risk Assessment Process

Identify Realistic Threats

Identify potential threat sources to your sensitive information or systems

• Ex., Social engineering attacks on the rise in my industry

• Don’t forget about physical and environmental

Identify Potential Vulnerabilities Based on Threats

After identifying threats, document vulnerabilities that could be exploited by the threats

• Ex., Employees have not been trained on social engineering

Assess Current Security Controls

Based on the threats and vulnerabilities, determine whether current security controls are adequate to protect sensitive information

• Technical testing needed

Page 39

Risk Assessment Process

Determine Likelihood and Impact of a Threat Exercising a Vulnerability

Prioritize the impact levels associated with a compromise based on a qualitative and quantitative assessment of the sensitivity and criticality of those assets

• Confidentiality, Integrity, Availability

• For example, could someone be harmed by a loss of availability? Are denial-of-service attacks common?

Determine Risk

Operationalizes the previous step by combining the likelihood of a threat occurrence with the resulting impact

• If someone could be harmed by a loss of availability, and denial-of-service attacks are common, then the threat likelihood is High and the impact is High


Risk Assessment Process

Recommend Security Controls

Based on the risk to the organization, recommend controls to reduce the level of risk to the IT systems and data to an acceptable level

It is not possible to implement all recommended security controls. Use a cost-benefit analysis to demonstrate that the costs of implementing the controls are justified by the reduction in the level of risk

Document and Mitigate

Cyclical: a process of mitigating, testing that the mitigation works, and reassessing


Practical Considerations

Identify Realistic Threats and Vulnerabilities

• Not an exercise in one's imagination

• Choose the vendor carefully: get samples of its work product and mitigation plans

Don't Create "Bad Paper"

• Attorney-client privilege

• Legal: applying fact to law

Not a Paper Process

• To understand technical risk and vulnerability, penetration testing is likely needed

Perform on a Regular Basis

• Choose your interval and document it in policy

• Perform any time the environment changes: acquisitions, new infrastructure, new business partner


Training


Practical Consideration/Training and Risk Mitigation

Many of the most damaging breaches have resulted from social engineering or from employees with their own processes or data repositories

• Organizations must assess whether their current training protects the organization

• Identify employees with processes outside of the sanctioned workflow

Practice Tips

• Understand what company information is available to con artists (social media, org charts, etc.)

• Develop a protocol for transmitting sensitive data or system credentials (e.g., IT will never ask for this information)

• Train on identification of fraudulent communications

• Interview employees to determine whether secondary processes have been created

o Ex.: transmission, storage, and devices


Practical Consideration/Training on Paper

There are two types of breaches:

1) large-scale cyber attacks, and

2) small-scale identity theft

Unclear which is more damaging to an organization

• Well-publicized, well-documented breaches are not a great target for ID theft but are costly to remediate

• Small-scale paper breaches are a better vehicle for ID theft

o HR knowledge can be used to damage reputations

o Easier to prove harm in small-scale breaches

Must train employees on proper handling of paper:

• Storage, Disposal, Creation, and Use of HR data


Practical Consideration/Culture of Compliance

Employees are your security perimeter: If you see something… say something!

• Consider an anonymous protocol for reporting violations

• Consider an FAQ document of common security questions posed

• Consider monthly security communications

• Consider town halls

• Praise employees (awards) who engage information security or compliance

Bottom line: employees know about a problem before compliance does


Incident Response


BIRP Plan/Mitigating Damage

Every organization will have a data breach. It’s not if...it’s when

The difference between a serious incident and a run-of-the-mill incident is often the actions a company takes immediately following the breach

• It is very difficult to handle a breach effectively on an ad hoc basis

• Some states have very short reporting timelines

Breach response should mirror disaster recovery and business continuity plans

• Contracts with potential response vendors in place

• Test runs conducted

• Clear protocol for triggering the response team

• Understand reporting obligations before they are needed

• Multidisciplinary: must respond effectively while protecting the organization

• Responsibility clearly defined


Certifications/Mitigating Damage

There are an infinite number of ways an organization can be breached

Organizations however have finite resources and must engage in a cost-benefit analysis when implementing security controls

• End result is an ad hoc system of controls

Ultimately, someone's decision on why a security control was not implemented will be challenged

Organizations should move from an ad hoc security management program to a more defensible prescriptive standard

• HITRUST CSF, ISO 27001, NIST Cybersecurity Framework


Mobile Devices/Mitigating Damage

If an attacker can get physical access to a device, assume it will be compromised; an unencrypted drive can simply be pulled and read

The most effective way to protect mobile devices is to encrypt them

• Windows (BitLocker) and Macs (FileVault) come with full-disk encryption that only needs to be turned on

There is no reason for users to have administrative access on company machines

• Admin rights let users install unknown software

• ...and disable security features

Mobile phones should be protected using a mobile device management (MDM) solution

• Should wrap an encrypted container around company email

• Remote wipe should be available


Data Classification/Mitigating Damage

If IT is aware of sensitive data it can protect it

Organizations should create classifications of data and design storage methods that are appropriate for each class

• It can be as simple as: High, Medium, and Low

o High: company trade secrets; mandated encryption, C-suite-only access, all access logged

o Medium: PII; mandated encryption, access restricted to the HR group (enforced via group policy), all access logged

o Low: e-mails not containing PII; open access, access tracking not enabled


Reducing Attack Surface/Mitigating Damage

Breaches will happen. Organizations should therefore take steps to reduce the harm when a breach occurs

HR is full of PII that is no longer needed by the organization

Organizations should create a document retention and destruction plan

• Identify the legal retention requirements for each type of data they hold

• When data is no longer needed, destroy it

Conduct scans of known data repositories to identify data that is not stored appropriately (e.g., PII that has drifted onto an open share)

• Encrypt in place or destroy
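As an added example that is not part of the original presentation, the Python below implements the kind of repository scan this slide calls for, using the High/Medium/Low tiers from the Data Classification slide: it classifies each stored file by content markers and flags files whose storage does not meet the controls their tier requires (encryption, who may read, access logging). The sample repository, the group names, the simple SSN pattern and the "CONFIDENTIAL - TRADE SECRET" marker string are constructed assumptions for the example, not anything from the slides.

```python
# Added example (not from the EBG slides): a toy data-repository scan.
# It classifies each stored file as High / Medium / Low using the scheme
# from the Data Classification slide, then checks whether the file's
# storage meets the controls that tier requires. The sample repository,
# group names and the "trade secret" marker are constructed for this
# example.
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Storage controls each tier requires (from the slide; readers=None means
# no restriction on who may read).
POLICY: Dict[str, dict] = {
    "High":   {"encrypted": True,  "readers": {"c-suite"}, "logged": True},
    "Medium": {"encrypted": True,  "readers": {"hr"},      "logged": True},
    "Low":    {"encrypted": False, "readers": None,        "logged": False},
}

# Content markers. The SSN pattern is deliberately simple; a real DLP
# scanner would validate area/group numbers and add other PII types.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TRADE_SECRET_RE = re.compile(r"CONFIDENTIAL\s*-\s*TRADE SECRET", re.IGNORECASE)


@dataclass(frozen=True)
class StoredFile:
    path: str
    content: str
    encrypted: bool            # encrypted at rest on this share?
    readers: FrozenSet[str]    # groups with read access
    access_logged: bool        # is read access audited?


def classify(content: str) -> str:
    """Highest tier whose marker appears in the content wins."""
    if TRADE_SECRET_RE.search(content):
        return "High"
    if SSN_RE.search(content):
        return "Medium"
    return "Low"


def check_storage(f: StoredFile) -> Tuple[str, List[str]]:
    """Return the file's tier and the list of control gaps (empty = OK)."""
    tier = classify(f.content)
    req = POLICY[tier]
    gaps: List[str] = []
    if req["encrypted"] and not f.encrypted:
        gaps.append("not encrypted")
    if req["readers"] is not None and not f.readers <= req["readers"]:
        extra = ",".join(sorted(f.readers - req["readers"]))
        gaps.append(f"access too broad: {extra}")
    if req["logged"] and not f.access_logged:
        gaps.append("access not logged")
    return tier, gaps


def scan(files) -> Dict[str, Tuple[str, List[str]]]:
    """Map path -> (tier, gaps) for every file that violates its tier's policy."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for f in files:
        tier, gaps = check_storage(f)
        if gaps:
            results[f.path] = (tier, gaps)
    return results


# Constructed sample repository: one HR file stored correctly, one copy of
# HR data that wandered onto an open share (the "hidden repository" case),
# one trade-secret document shared one group too widely, one harmless file.
SAMPLE_REPOSITORY = [
    StoredFile("/hr/benefits/enrollment_2016.csv",
               "name,ssn\nJ. Doe,123-45-6789\n",
               encrypted=True, readers=frozenset({"hr"}), access_logged=True),
    StoredFile("/shared/public/bbq_signup.csv",
               "name,ssn\nJ. Doe,123-45-6789\n",   # HR data copied to the picnic list
               encrypted=False, readers=frozenset({"everyone"}), access_logged=False),
    StoredFile("/legal/formula_v3.txt",
               "CONFIDENTIAL - TRADE SECRET\nProcess parameters ...\n",
               encrypted=True, readers=frozenset({"c-suite", "r&d"}), access_logged=True),
    StoredFile("/shared/newsletters/july.txt",
               "Company picnic is Friday at noon.\n",
               encrypted=False, readers=frozenset({"everyone"}), access_logged=False),
]


if __name__ == "__main__":
    for path, (tier, gaps) in scan(SAMPLE_REPOSITORY).items():
        print(f"{path}: {tier}: {'; '.join(gaps)}")
```

Each finding maps directly to the slide's two remedies: a file flagged "not encrypted" is a candidate to encrypt in place, and a copy of HR data on an open share that has no business reason to exist is a candidate to destroy. Against a real file server the `StoredFile` records would be populated from the share's ACLs, volume encryption status and audit settings rather than constructed inline.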


Asset Management/Mitigating Damage

In addition to applying appropriate security controls, organizations must track their IT assets from cradle to grave

Good asset management will help track when things go missing

Liability exists for information on old computers and devices without encrypted hard drives

• Printers and copiers are often leased (and their internal drives retain copies of documents)

• Lots of closet machines that were never destroyed

• Every server room has a box of hard drives

A certificate of destruction using an approved destruction method should be kept


Thank you


This presentation has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal, state, and/or local laws that may impose additional obligations on you and your company.

Attorney Advertising
