F. Marshall Wall, mwall@cshlaw.com, @NCCyberLawyer
F. Marshall Wall
Cranfill Sumner & Hartzog LLP
“[I] am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III, Former FBI Director
NC Identity Theft Protection Act
What is a "security breach"?
What is a security breach?
• Unauthorized access to AND acquisition of
• Unredacted AND unencrypted records or data
• Containing personal information
• Where illegal use of this data has occurred OR is reasonably likely to occur
• Creating a reasonable risk of material harm to a consumer
NOT a Breach
• If only encrypted data is taken and the encryption key is not with the data, it is not a data breach
• If the data was accessed but not “acquired”, it is not a data breach
• If there is no risk of material harm to a customer, it is not a data breach
NC Identity Theft Protection Act
What is the legal standard for my company’s protection of personal information?
NC Identity Theft Protection Act
• The Act requires that “reasonable care” be used to protect data
• No further definition is given
• No published cases have evaluated what is reasonable under North Carolina law
What is “personal information”?
A person's first name or first initial and last name in combination with other information such as:
What is “personal information”?
• Social Security number
• Driver's license number
• Passport number
• Checking or savings account number
• Credit or debit card number
• PIN code
• Biometric data
• Passwords
How quickly must notice be given?
• There is no specific deadline for notice
• Notice must be “made without unreasonable delay, consistent with the legitimate needs of law enforcement.”
Who Gets Notice?
• Everyone whose personal information was contained in the records
• The Consumer Protection Division of the Attorney General’s staff
• If more than 1,000 people are affected by the breach, notice must also be given to the three major credit bureaus
What if customers live in other States?
• Data protection statutes are specific to the States where your customers live
• All 50 States – Alabama became the last in March 2018 – the District of Columbia, and Puerto Rico have their own statutes
• Notice requirements, including the time to give notice, vary significantly
What if customers live in other States?
THE BOTTOM LINE – if your customers are in other States, you have to give notice based on their State’s law
Who can sue?
• North Carolina allows a private right of action, but only if the consumer can show injury
• A cause of action under the Act cannot be assigned
• A violation of the Act is an unfair or deceptive trade practice under N.C. Gen. Stat. § 75-1.1
Federal Trade Commission
• FTC has brought more than 50 enforcement actions
• Typically relies on Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices
FTC
• Focus on whether companies are living up to their stated privacy policies
– Example: Wyndham Hotels case (Third Circuit, 2015)
– https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf
FTC
• Also examines what data companies keep, how long they keep it, where they keep it, and whether they should keep it in the first place
FTC Enforcement Action Examples
• Pursued BJ’s Wholesale for keeping customer credit card data for as long as 30 days – long after their transaction had been processed
FTC Actions
• Brought an action against Twitter for failing to suspend a user’s access after a certain number of failed login attempts, and for allowing almost all of its employees “administrative” access to information in its system
FTC Actions
• Alleged that shoe retailer DSW failed to segment its network by allowing stores to connect with other stores and access data there
FTC Actions
• Brought an enforcement action against Snapchat over its promise that messages would “disappear forever” when in fact they did not
FTC Actions
• Pursued both CVS and Rite Aid for failing to properly dispose of prescription information
Securities and Exchange Commission
Washington D.C., Sept. 22, 2015 — The Securities and Exchange Commission today announced that a St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
SEC
• This was the SEC’s first cybersecurity enforcement action
• Found that the firm failed to have policies and procedures, failed to have a firewall, failed to encrypt data, and failed to have a response plan
• $75,000 fine
• Censure
• Cease and desist order
SEC
• Enforces the Gramm-Leach-Bliley Act
– Title V governs when non-public consumer information may be disclosed
– Requires notice of privacy policies to customers
• Regulation S-P governs privacy of consumer financial information
• Oversees broker-dealers and advisers, among others
US Department of Health and Human Services
September 2, 2015
$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies
Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
US DHHS
• Enforces compliance with HIPAA and HITECH through the Office for Civil Rights (OCR)
• The HIPAA Privacy Rule applies to Protected Health Information (PHI)
Avoiding Data Breach Incidents
• Prevent
• Detect
• Respond
Avoiding Data Breach Incidents
• Assess your systems, policies, and procedures routinely
• Educate your employees – most cyber incidents are the result of human error
• Outside testing of your security
• Determine what data you collect, where and for how long you keep it, and why
Avoiding Data Breach Incidents
• Have an incident response plan and PRACTICE it
• Restrict access
• Encrypt data
• Back up data continually
• Update your software
Avoiding Data Breach Incidents
• Require strong passwords and frequent changes
• Segment your network
• Monitor network activity
• Remember – a data breach is not always a cyber incident!
Cyber Liability Insurance
• Generally policies are designed to cover at least some of these risks:
– Hacking
– Denial of service attacks
– Web content liability
– Data breaches
– Damage to your network
What’s Covered?
• MORE LIKELY
– Third-party claims and costs
  Example – personal data for customers is accidentally released
• LESS LIKELY
– First-party claims
  Network damage to your systems from a hacker attack may be insurable
  Reputational damage to your company probably cannot be insured
  Loss of intellectual property is often not covered by these policies
– Business interruption coverage for “cyber-losses”
  Often capped or limited
• EXCLUDED
– State-sponsored attacks by other governments, usually
Questions?