Data Breaches at Home and Abroad: This Can Mean You Too!
Lessons Learned from the Past, and What's Coming Up in the Future for US and Multi-National Entities
Mark E. Schreiber, Chair, Privacy and Data Protection Group
Theodore P. Augustinos, Co-Chair
Laurie A. Kamaiko, Co-Chair
David S. Szabo
Socheth Sor
Agenda
Current Breach Landscape
Breach Response Tips
Massachusetts Data Security Requirements: Update
Credit Card Issues
HIPAA and HITECH Developments
Data Breach Litigation
Cyber Risk Insurance
Foreign and International Data Breach Considerations
Current Breach Landscape
Company records containing personal information of individuals
  increasingly exposed to malevolent or inadvertent disclosures
  costs going up drastically
  96% avoidable through simple to intermediate security controls
88% of U.S. companies said to have experienced a data breach in 2010
  some multiple times
About 40% of executives in one recent Deloitte survey said they expected their company to have an electronic security breach in the next 12 months
  Roughly half said they were not adequately prepared for it
Cost of Breaches Increasing
2011 had a troubled beginning: 9.5M records exposed (excluding 100M plus in Sony)
  Sony
  Google
  Epsilon
  Citibank
  Anonymous/LulzSec
  Massachusetts Executive Office of Labor and Workforce Development and other government agencies
  Multiple hospitals and other healthcare providers
Average total cost per US company: $7.2 M (2010), up from $6.75 M (2009); $3.4 M in Germany, $2.5 M in UK and France (2009)
329 organizations reported 86,455 laptops lost (2010); avg. cost of $6.4 million per company
222 million records repeatedly compromised in US in 2009 (likely undercounts)
10 million patient records in 272 events (OCR report); $6B cost annually
Sources: Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach; Ponemon, Global 2009 Annual Study on Cost of a Data Breach; Verizon, April 2011: 2011 Data Breach Investigations Report
Responsibility for Breaches
According to Ponemon Studies:
Third Party Outsourcers – 39% of breaches (slight decline from 2009), but cost up 39%.
Lost/Stolen laptops and other mobile devices – 35% (36% in 2009, but cost up 15%).
Systems failure – 27%, a 9% decline as companies work harder on prevention and more technologies are available.
Negligence – 41% (1% increase); costs up 27%.
Malicious/Criminal – 31% (7% increase, the highest). 2010 was the first time malicious attacks were not the least frequent cause. They are the most expensive, increasingly stealthy and successful, requiring more resources.
Breach Response Tips
Assemble the team
  Decision-maker level of management
  IT
  Data Forensics
  Legal Counsel
  Breach Response Services
    Call center
    Processing
    Mailing
  Customer, Public, Media and Governmental Relations
Containment
  Find and stop the cause of the breach.
  First priority is to stop the loss of data, preferably by taking steps that will preserve the information needed for the investigation
Breach Response Tips (cont.)
Investigation
  What happened?
  What information was affected?
  Where do affected individuals reside?
Analysis – Review results of the investigation under applicable requirements, and contractual requirements, including PCI-DSS.
Remediation
  Choice of products and services to be offered to affected individuals, if any
    Credit Monitoring
    Credit Restoration Services
    Credit Insurance
    Other
Breach Response Tips (cont.)
Communication
  Affected Individuals
  State Agencies
  FTC, HHS, as appropriate.
  Card Brands, Merchant Bankers and Card Processors
  Employees
  Other Constituents
Reaction to Inquiries
  Affected Individuals and other consumers or clients
  Media
  Governmental Agencies
Breach Response Tips (cont.)
Experience at all levels is critical (even the call center)
Benefits of a third-party forensics team
  Credible third party assessment
  Reliable Chain of Custody
  Backups of all pertinent system logs
  Attorney-client privilege
Review availability of insurance coverage and effect any required notification.
Conduct the Investigation
Legal, Analysis and Decision-Making
Draft and Effect Required Notices
Breach Response Tips (cont.)
Top Five Ways to Avoid a Breach
Assemble the Team and Assess the Data
Develop Policies and Procedures
Control Hardware and Software
Mitigate Risk
Train, Test, Update and Monitor. Repeat
Breach Response Tips (cont.)
Top Five Ways to Respond to a Breach
Assemble the Response Team
Do the Forensics and Assess the Data
Develop and Effectuate Remediation
Draft and Effect Notices
Review Preventative Measures
Massachusetts Data Security Requirements: Update
State of the Art in Policies and Procedures
Massachusetts requirements for comprehensive written information security programs are both more broad and more specific than those of other states
  More Broad – Extend to areas not covered by others
    Written Policy Requirements
    Technology and other security requirements
    Vendor Contracts
  More Specific – Impose specific requirements for security
    Encryption
    Specific requirements for vendor selection, contracting and management
  Different – Unique breach notice requirements and limitations
Massachusetts Data Security Requirements: Update (cont.)
State of the Art in Enforcement?
Briar Group, LLC
  Chain of restaurants and bars allegedly suffered malware intrusion
  Allegedly continued to accept credit cards after knowledge of attack and prior to effective remediation, without notifying patrons of risk
  Consent order entered by Mass AG included significant fine
  Breach pre-dated MA Data Security Regulation
  Enforcement pursued under general consumer protection statute
  Enforcement posture based in part on apparent position that failure to comply with PCI-DSS = violations of consumer protection statute
  Effectively adopts PCI-DSS as legal standard of conduct in the Commonwealth?
Credit Card Issues
PCI-DSS
  Industry Standard imposed by merchant banking contracts
  Incorporated into Nevada law by statute
  Imposed by Massachusetts enforcement posture?
Credit Card Breaches
  Brand, Merchant Bank and Processor Notifications
  Involvement of QIRA and QSA
  Self-Assessment Questionnaire and Certification
HIPAA Enforcement
Cignet Healthcare -- $4.3 million penalty
Partners Health Care System -- $1 million settlement
Interesting Questions
What is an “ongoing violation?”
How should penalties be calculated?
Does the statute authorize daily penalties?
Resolution Agreements
Five agreements on OCR website
Settlements range from $35,000 to $2.25 million
Four are fundamentally based on security failures (lost or stolen information, improper disposal of information).
One is predominantly a privacy case (unauthorized use of PHI for marketing).
All have a corrective action plan. Terms for CAPs are three years (4) and two years (1).
HITECH Rulemaking
Accounting for Disclosures—proposed rule issued May 31, 2011. Includes two rights: right to an accounting of disclosures, and right to receive an electronic medical records access report
  Period for accounting reduced to three years from six years.
  Disclosures to be accounted for to be explicitly listed in the final rule. Comment is requested on specific items to be added or excluded from the list.
HITECH Rulemaking (cont.)
Access Reports
  OCR proposes a report of every time a person accesses electronic data in a designated record set, whether a disclosure is made or not.
  OCR takes the position that access logs already are required by the Security Rule—such that the regulation only requires access to a document that should be readily available.
  Individuals can request reports reflecting access on specific dates or by specific individuals.
  Reports must be aggregated if data resides on more than one information system (EMR, billing, etc).
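The aggregated access report described above, as an added example in Python that is not part of the deck: it merges constructed EMR and billing access logs (both record formats are assumptions) into one chronological report for a patient, filtered by date or by the accessing user, as the proposed rule contemplates.

```python
"""Aggregate access-log events from several systems into one per-patient report.

Added illustration of the HITECH access-report proposal; the two log formats
and the sample lines are constructed for this example, not real system output.
"""
from datetime import datetime

# Constructed EMR audit lines: ISO timestamp followed by key=value fields.
EMR_LOG = [
    "2011-06-01T09:12:03 user=jdoe patient=P001 action=view",
    "2011-06-01T10:45:00 user=rsmith patient=P002 action=view",
    "2011-06-03T14:20:10 user=jdoe patient=P001 action=update",
]
# Constructed billing-system lines: pipe-separated, account id prefixed "ACC-".
BILLING_LOG = [
    "2011-06-02 08:00:00|ACC-P001|rsmith|claim_lookup",
    "2011-06-03 16:30:45|ACC-P001|mlee|export",
]


def parse_emr(lines):
    """Normalize EMR lines into common event dicts tagged with their source system."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"when": datetime.fromisoformat(ts), "who": kv["user"],
                       "patient": kv["patient"], "action": kv["action"], "system": "EMR"})
    return events


def parse_billing(lines):
    """Normalize billing lines; the account id maps to the patient id without "ACC-"."""
    events = []
    for line in lines:
        ts, acct, who, action = line.split("|")
        events.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "who": who,
                       "patient": acct[len("ACC-"):], "action": action, "system": "billing"})
    return events


def access_report(patient, events, on_date=None, by_user=None):
    """Every access to one individual's data across systems, oldest first.

    on_date is a "YYYY-MM-DD" string and by_user a user id; either may be None.
    """
    rows = [e for e in events if e["patient"] == patient]
    if on_date is not None:
        rows = [e for e in rows if e["when"].date().isoformat() == on_date]
    if by_user is not None:
        rows = [e for e in rows if e["who"] == by_user]
    return sorted(rows, key=lambda e: e["when"])


def all_events():
    """Union of both systems' logs; add further parsers here for other record sets."""
    return parse_emr(EMR_LOG) + parse_billing(BILLING_LOG)
```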
HITECH Rulemaking (cont.)
Still pending: Final rule for a large number of other HITECH mandated changes, including:
  Marketing Authorizations
  Business Associate Agreements
  Transition Provisions
  Sale of PHI
  Research Authorizations
  Decedents
  Immunizations
  Minimum Necessary
  Fundraising
  Notice Requirements
  Access Rights for Individuals
Data Breach Litigation: Article III Standing Required
Data breach class actions
  Tend to be in federal court due to Class Action Fairness Act. 28 U.S.C. § 1332(d)
  If in state court, may be removable
Federal lawsuits must satisfy Article III standing requirement
  Requires a "case or controversy" requiring an injury in fact that is actual or imminent, not conjectural or hypothetical.
Data Breach Litigation: Article III Standing Required (cont.)
Several lower federal courts have found that increased risk of identity theft as a result of a data breach is not an injury in fact
Two federal appellate courts found increased risk of identity theft satisfies the injury in fact requirement
Sixth Circuit suggested increased risk of identity theft too conjectural to be injury in fact
Data Breach Litigation: Cognizable Injury Also Required
If standing requirements satisfied
  Plaintiffs still need to allege injury for which state law provides remedy
Injuries not cognizable (generally) under state common law:
  Increased risk of identity theft
  Time and effort spent closing accounts/protecting credit ratings
Court finds cognizable injury in statutory claim
  Doe 1 v. AOL LLC, 719 F.Supp.2d 1102 (N.D. Ca. 2010)
  Claim under California Consumers Legal Remedy Act
  Statute says consumer suffering "any damage" may bring a claim
  Defendant exposed "highly sensitive" personal information of plaintiffs
  Sufficient allegation of injury under statute
Moral: state law on injury may determine outcome of motion to dismiss
Data Breach Litigation: Class Certification
Plaintiffs' attorneys need financial incentive of class action in order to pursue data breach action
  Individual losses will generally be too small
Court may not certify class
  May not be worth proceeding without class
Cyber Risk Insurance
Specialty cyber risk/data protection/tech policies
  Personal information breaches
  Network security
  Cyber extortion
  Business Disruption
Often can be sub-limits and other limitations on coverage
Terms/Scope of coverage vary
Other Insurance
Claims often made under more traditional lines (although frequently exclusions/coverage defenses apply)
  Property
  Crime/Fidelity
  K&R
  CGL
    Coverage A – property damage/BI-emotional distress
    Coverage B – injury arising out of publication that violated the data owner's privacy
  Professional liability
    Lawyers, real estate agents, A&E, etc.
  D&O
    Approval/Lack of security plans
    How a breach is handled
    What is said about the cause and remediation
Other Insurance Issues
Aggregation of risk on policies issued
  The cyber hurricane (simultaneous attack on multiple targets)
  Multiple insureds impacted
  Multiple lines have claims made under them
Regulatory scrutiny
  Includes data security
  Insurance depts. such as Connecticut want to know within 5 days of breach of insurer
Increasing accumulation of protected information increases risk of breach of insurers
  Medical records and PI of claimants/insureds/beneficiaries
  Medicare secondary payer reporting requirements
Foreign and International Breach Considerations
Global Transactions, Operations, Data Processing and Storage
U.S.-styled breach notice requirements are being adopted in EU and elsewhere
  EU Data Protection Directive may change by year end
  Art. 29 W.P., April 2011, recommends breach notification
  Definition of Personal Information is broader than U.S. definitions
India
  New Data Security Rules issued under Information Technology Act of 2000 effective April 11, 2011
  Requires "reasonable security practices" to protect "sensitive personal data" and imposes restrictions and requirements for
    Collection of data
    Disclosure of data
    Transfer of data
    Security practices and procedures
Foreign and International Breach Considerations (cont.)
Notification Considerations
  Does the Company have operations there?
  Is the Company a data controller or processor in the country?
  Does DPA have jurisdiction?
  Would it help mitigate reputational risk to notify affected individuals?
  Would the Company's posture in enforcement be improved by notifying government agencies?
  Method of Notifying Individuals: Mail or Email? Translated or English?
Remediation Issues
  Limited credit monitoring
  Call center operations: Toll free? Foreign language capabilities?
Thank you
Mark E. Schreiber, Partner, mschreiber@eapdlaw.com, 617.239.0585
Theodore P. Augustinos, Partner, taugustinos@eapdlaw.com, 860.541.7710
Laurie A. Kamaiko, Partner, lkamaiko@eapdlaw.com, 212.912.2768
David S. Szabo, Partner, dszabo@eapdlaw.com, 617.239.0414
Socheth Sor, Associate, ssor@eapdlaw.com, 860.541.7773