when not if


Upload: david-fleck-esq

Post on 14-Apr-2017


Category:

Law



TRANSCRIPT

Page 1: When not if

Get your CyberEbola Vaccine NOW! It’s no longer IF your customer or employee data will be hacked; it’s WHEN.

While you are waiting for the program to begin, take the 5-minute pre-quiz. You can find it in the attached materials.

Page 2: When not if


David L. Fleck, Esq.
• White Collar Crime Prosecutor
  • 10 years, Los Angeles District Attorney’s Office
  • 53 jury trials
• Private Practice
  • Fraud and Cybersecurity
  • Prevention and Litigation
• Key Expertise
  • Communicating complex material to students, juries, and clients
• College Professor – Civil Litigation

David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - [email protected], (818) 268-5929

Page 3: When not if


AGENDA: Preparing for a Cyber Attack

Part 1: State of CyberSecurity in Business Today

Part 2: Case Studies and the Law

Part 3: Action Items


Page 4: When not if

1) State of Cyber Security in Business Today


Page 5: When not if


Top Hacks of 2015


Page 6: When not if


Known Breaches Per Month (source: HackMaggeddon.com)

Month    Known breaches
Aug-14   72
Sep-14   69
Oct-14   87
Nov-14   80
Dec-14   73
Jan-15   91
Feb-15   85
Mar-15   70
Apr-15   87
May-15   89
Jun-15   58
Jul-15   74

935 known data breaches in the 12-month period

Page 7: When not if


Effect on Breached Companies

Average cost of a breach: US$3,800,000* (US$154 per stolen record)

*Does not include megabreaches like Target ($148M).

Page 8: When not if


Exception: Healthcare Companies
• Average cost per stolen record: US$363
• Medical records are most valuable
• Easy to get – many hospitals use old software
• Used to create fake profiles to:
  • Buy medical equipment for resale
  • File false claims with Medicare
• Long shelf life – can’t be replaced like a credit card
• Bundle of 10 medical records – US$4,700
• Utah Medical Group: 1000s of attempts/week

Page 9: When not if


Direct Costs of Breach
• Investigating the cause of the breach
• Fixing the breach
• Setting up hotlines for customers
• Free credit monitoring for victims
• Legal costs


Page 10: When not if


Indirect Costs of Breach
• Loss of business because of wary customers
• Loss of reputation and customer loyalty
• Marketing expenses to redevelop goodwill


Page 11: When not if

2) Case Studies and the Law


Page 12: When not if


The Houstonian Hotel
• Luxury hotel in Houston, Texas
• George H.W. Bush used the hotel as his voting residence in the 1980s
• By the founder of Browning-Ferris Industries
• Marketed as a destination “for business executives trying to shed pounds and rediscover their inner velociraptor.”


Page 13: When not if


The Breach
• Lasted 6 months
• Possibly affected 10,000 customers; actual number unknown
• Credit card POS devices
• NOT detected by the hotel
• Notified by the Secret Service


Page 14: When not if


Impact
• Customers angry about delayed notice
• Direct costs
  • “forensic investigators”
  • New POS system
  • Credit monitoring
  • No lawsuit (yet?)
  • 10,000 × $154 = $1,540,000
• Marketing
  • Rebuild trust
  • Rebuild brand loyalty


Page 15: When not if


Lessons Learned from Houstonian Breach

1. CIO/CISO must develop a strategy to detect data breaches.
  • If caught early, less damage.
2. Give notice to affected customers as soon as possible.
  • Possible reasons for delay: a criminal investigation; wanting to develop a strategy before announcing the breach
  • Anticipate a breach and plan ahead


Page 16: When not if


PNI Digital Media
• Founded in 1995
• Operates on-line photo websites
• Operates photo centers in:
  • Walmart Canada
  • Sam’s Club
  • CVS
  • Costco
  • Rite Aid
• Owned by Staples since 2014


Page 17: When not if


The Breach
• Third-party vendor breach
• Data includes:
  • Names
  • Addresses
  • Email addresses
  • Phone numbers
  • Credit card numbers & verification codes
  • Passwords
• “Breach Window” – July & Aug. 2015
• Number of customers unknown


Page 18: When not if


Impact
• Loss of all major clients
• Probably enough to destroy the company
• But it gets worse…
  • CLASS ACTION LAWSUIT!!
  • The settlement will be at least six figures
  • Plus attorney’s fees
  • Even a weak case will cost at least US$1,000,000!


Page 19: When not if


Lessons Learned from PNI Media Breach

1. Do your cyber due diligence on the data security strategies of your third-party vendors.
2. Do your cyber due diligence on the data security strategies of companies you acquire. (Consider: Experian)
3. Troubles don’t end when you fix the breach.
4. Your breach strategy should include plans for business continuity after the breach.
5. Data breaches are expensive.

Will PNI survive?


Page 20: When not if


Settlements

Company                     Records       Data type                          Settlement
AvMed                       1 million     SSNs and medical records           $3.1M
Stanford University         20,000        Medical records                    $4.1M
Schnucks (grocery)          2.4 million   Credit cards                       $2.1M
Vendini (ticketing system)  3 million     Credit cards                       $3M
Sony (PlayStation)          77 million    Login credentials, credit cards    $5M
LinkedIn                    6.4 million   Login credentials                  $1.25M
Sony Pictures               50,000        –                                  $8M
Target                      40 million    Credit cards                       $67M


Page 21: When not if


T.A.N., an individual v. PNI Digital Media, Inc.

• Causes of Action: sets of facts sufficient to justify a right to sue
  1. Negligence
  2. Breach of Implied Contract
  3. Breach of Contract
  4. Bailment
  5. Violation of State Statute About Privacy
  6. Unjust Enrichment


Page 22: When not if


NEGLIGENCE: Requires a Duty to Act/Not Act

• Duty to exercise reasonable care in safeguarding/protecting info.

• Duty to design, maintain, and test security systems and take other reasonable security measures to secure personal information

• Duty to implement processes to detect breaches

• Duty to make timely disclosure of breach


Page 23: When not if


SOURCES OF DUTY (Part One)
• COMMON LAW
  • Reasonable Care: the degree of caution an ordinarily prudent and rational person would exercise.
  • Consider:
    1. Foreseeable likelihood of breach
    2. Foreseeable severity of harm
    3. Burden of taking precautions


Page 24: When not if


SOURCES OF DUTY (Part Two)
• State Statutes
  • PNI – Georgia
  • Sony – California & Virginia
• US Statutes
  • HIPAA – Medical Data
  • COPPA – Children’s Data
• International Agreements and Frameworks
  • US-EU Safe Harbor Framework (invalidated by the Court of Justice of the EU in October 2015)
  • APEC Privacy Framework


Page 25: When not if


Examples of Negligence from Lawsuits
• Failure to develop and implement adequate security protections
• Ignoring recommendations of employees and consultants
• Misleading consumers about the level of security
• Not having or not following a cybersecurity protocol
• Executives and board members uninformed on the issue of cybersecurity
• Taking too long to give notice to customers about a breach


Page 26: When not if

3) Action Items


Page 27: When not if


Personally Identifiable Information (PII)
“Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”
• First name or initial plus last name and any of the following:
  • SSN
  • Date of birth
  • Financial numbers
  • Medical record
• Definition varies from state to state


Page 28: When not if


STEP 1: Survey Your Employees

• Data Landscape in Your Company
  • What data does your company collect from employees, customers, vendors, etc.?
  • How is the data used?
• Security Measures
  • What security measures and procedures are in place?
  • Who has access to the data?
  • What security measures do your competitors, affiliates and vendors have in place?


Page 29: When not if


STEP 1: Survey Your Employees

• Weak Points
  • Employee Access
    • Who has access to the data?
    • Who needs access to the data?
    • How do you verify the ID of the employee before they access the data?
  • External Threats
    • Hackers
    • Dumpster divers
  • Third Parties
    • Vendors
    • Acquired companies


Page 30: When not if


STEP 2: Survey the Law

• Which privacy statutes apply to your industry?
  • Medical Record Statutes – Health Insurance Portability and Accountability Act (HIPAA), Medical Information Privacy and Security Act (MIPSA)
  • Financial Privacy Laws – Right to Financial Privacy Act, Dodd-Frank Act, Gramm-Leach-Bliley Act
  • Privacy of Children – Children’s Online Privacy Protection Act (COPPA)
  • Consumer Privacy Laws
  • Statutes in your state or country
  • International statutes and agreements
• What requirements do the statutes impose on your company?


Page 31: When not if


STEP 3: Develop Your Company Policies

• Before a Breach
  • Provide notice to customers of privacy protections (if required by law)
  • Implement a multi-layered strategy to prevent breaches
  • Establish procedures to detect data breaches
  • Purchase cyber insurance
    • Look first at your Commercial General Liability (CGL) policy
    • If the CGL policy has data breach exclusions, purchase “cyber” insurance as needed.


Page 32: When not if


STEP 3: Develop Your Company Policies

• In Preparation for a Breach
  • Draft a Data Breach Response Manual
  • Develop a breach chain of command and crisis communication channels
  • Create a plan to document details of the breach and its discovery
  • Develop a plan to preserve documentation
  • Develop a relationship with law enforcement
  • Develop a plan for giving notice to customers whose data was affected


Page 33: When not if


1. A data breach is almost inevitable in today’s business world
2. The cost can be devastating
3. Preparation can:
  1. Reduce the likelihood of a breach
  2. Reduce your liability
  3. Ensure that your company continues to exist


Page 34: When not if

Thank you.

Page 35: When not if


David L. Fleck, Attorney-at-Law

www.RudoyFleck.com

(818) 268-5929
