Cybersecurityweb1.amchouston.com/flexshare/003/ACCW/Website/Summit/...boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at

bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London

Cybersecurity

Shamoil T. ShipchandlerPartner, Bracewell & Giuliani LLP214.758.1048


• Are you susceptible to a data breach?

Setting expectations


October 7, 2014


Victim Perpetrator

Setting expectations


It’s only a matter of time





October 28, 2014



CyberEspionage

CyberActivism

Cyber Crime


Retail (B&M and ecommerce)

Financial Institutions

Healthcare

Higher Education

Governmental Entities

2005 Today

Defense and Aerospace

Technology

All employers

Energy/Utilities

Breach trends


Emerging risks

June 27, 2012


Emerging risks

October 16, 2014


17%

27%42%

14%

Insider theft

Hacking

Accidental exposure or negligence

Subcontractor

Breach Types – 2007 through 2013 (4215 breaches)



Re-setting expectations

Target Corp.’s cost so far: $236 million and more than 100 lawsuits

Average cost to respond to a data breach? $5.4 million($201 per record)

Analyst: Cost will exceed $1 billion


October 15, 2014


Part I: Cybersecurity and data breach law*

*The least entertaining part of the presentation.


Cybersecurity and data breach law

• The FTC, SEC, FCC, and NY

• Other federal statutes

• States


The FTC

• “The FTC conducts its data security investigations to determine whether a company’s data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission’s 50 settlements with businesses that it charged with failing to provide reasonable protections for consumers’ personal information have halted harmful data security practices; required companies to accord strong protections for consumer data; and raised awareness about the risks to data, the need for reasonable and appropriate security, and the types of security failures that raise concerns.”

— Edith Ramirez, FTC Chairwoman, Congressional testimony (April 2, 2014)


The FTC

• Example: What did TJX do wrong?

• Failed to implement measures to limit wireless access to its stores, allowing a hacker to connect wirelessly to its networks without authorization

• Did not require administrators to use strong passwords

• Failed to use a firewall or otherwise limit access to the internet on networks processing cardholder data

• Lacked procedures to detect and prevent unauthorized access, such as by updating antivirus software and responding on security warnings and intrusion alerts


The SEC

• “Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities. In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

— Luis Aguilar, SEC Commissioner, speech given at NYSE on June 10, 2014


The SEC

An SEC comment:

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses.” (Target Form 10-K, March 2014)


The SEC

Another SEC comment:“Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary. If you have experienced any cyber attacks in the past, please state that fact in any additional risk factor disclosure in order to provide the proper context. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.” (Hilton Worldwide Holdings, Inc. S-1, October 2013)


The SEC

One more SEC comment:

“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.” (Alion Science and Technology Corp. S-1 filing, March 2014)


The FCC

• After levying a $10 million fine against two telecom companies for storing personally identifiable customer data online without firewalls, encryption, or password protection: “This is unacceptable.… This is the first data security enforcement action [by the FCC], but it will not be the last.”

— Travis LeBlanc, FCC’s top enforcement official (October 28, 2014)

28www.bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London


Other federal statutes

• HITECH (medical information)

• HIPAA (medical information)

• GLBA (financial institutions)

• FTCA (federal trade commission act)

• FERRPA (educational records)

• FCRA (consumer reporting agencies)

• COPPA (children’s information)


States

• There are 47 different state laws with different requirements, different definitions of whether notifications need to occur, and different timings for notifications.


States

• There are 47 different state laws with different requirements, different definitions of whether notifications need to occur, and different timings for notifications.• Some require harm to occur to trigger notification

• Some require notice to their attorneys general or agencies (some are before notice is sent to consumers, some are after)

• Some have a specific time frame

• Some permit a private right of action

• Some have different provisions for third parties that hold data.

How much of what you do crosses state lines?FUN FACT!


Washington state (HB 1078 – effective July 24, 2015)

• Among other provisions:

• Expands coverage to hard copy data.

• Requires notification to the Washington Attorney General if more than 500 Washington residents must be notified.

• Imposes a 45-day deadline for notification of affected consumers and/or the Washington Attorney General.

• Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act.

• Mandates certain content in the consumer notification.


Part II: What you should do right now*

*Well, not right now. But right after this presentation!


Get the Boards on … err … board.

• Ensure the company’s focus on cybersecurity

• Provide oversight of the risk management process

• Identify and empower their experts

• Include cybersecurity as a regular Board agenda item


Create an information security plan

• Why?

• Minimize employee-related breaches

• Reduce overall exposure• Reductions for CISO, information security program, strong security

• Legally important

• Increase customer trust and company reputation

• Don’t be a or a


Create an information security plan

“In November 2005, Jason Spaltro, executive director of information at Sony Pictures Entertainment [said], ‘There are decisions that have to be made. We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions…. Legislative requirements are mandatory, but going the extra step is a business decision.’”

Your Guide to Good-Enough Compliance

CIO Magazine

April 6, 2007


Create an information security plan• Designate a lead

• Conduct a systems assessment

• Implement a security program – include “visual hacking” measures• Policies and training

• Thanks, Sony!

• Consider cyber insurance

• Review third party contracts

• Create and implement a crisis response plan and team

• Whistleblowers


Insurance

October 12, 2014


Create a crisis response team

• Identify the key constituents

• Recognize their motivations


Create a crisis response team

• Identify the key constituents

• Recognize their motivations

• Identify and empower the decision-maker


Part III: I’ve been breached (and I can’t get up)


Crisis response

Feel free to take all the time you need!

. . . yeah. Just kidding.

Clock starts ticking from DOB (discovery of breach**)

**Nobody else knows what this means, either.


Crisis response

• What did Part II give you?

• Faster reaction time

• More thorough reaction

• Ability to minimize risk and damage

• Without Part II . . .


Crisis response

• Coordinate first-response team (IT, HR, legal, PR, and business)

• Investigate, isolate, contain, and secure

• Notify (federal, state, int’l, individual, media, and other)

• Consider referral to law enforcement and/or civil remedy

• Re-evaluate


Crisis response





• Re-evaluate


Crisis response


• Investigate, isolate, contain, and secure• Retain forensic investigator• Interview witnesses• Preserve documents and systems• Identify what was compromised• Document everything

• Notify (federal, state, int’l, individual, media, and other)• Consider referral to law enforcement and/or civil remedy• Re-evaluate


Crisis response


• Investigate, isolate, contain, and secure• Notify (federal, state, int’l, individual, media, and other)

• Federal, state, international• Individuals• Insurers and credit card companies (PFI!)• Media• Employees

• Consider referral to law enforcement and/or civil remedy• Re-evaluate


Crisis response





• E.g., 18 U.S.C. § 1030

• Re-evaluate


Crisis response





• Re-evaluate

63www.bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London

The end.


Contact Information

Shamoil T. ShipchandlerPartner, Bracewell & Giuliani LLP

214.758.1048 | [email protected]

Documents

Cybersecurityweb1.amchouston.com/flexshare/003/ACCW/Website/Summit/...boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at