PRIVILEGED & CONFIDENTIAL
Privacy and Cybersecurity Regulatory Update
Women, Influence & Power in Law Annual Conference, Washington DC
Melissa H. Cozart, AIG Life & Retirement
Leslie T. Thornton, Washington Gas
Mary Jane Wilson-Bilik, Sutherland
September 19, 2014
24496382.1
©2014 Sutherland Asbill & Brennan LLP
Presenters
Melissa H. Cozart, Chief Privacy Officer, AIG Life & Retirement
MJ Wilson-Bilik, Partner, Securities and Insurance Regulation, Sutherland Asbill & Brennan LLP
Leslie T. Thornton, Vice President, General Counsel & Corporate Secretary, WGL Holdings, Inc. & Washington Gas Light Company
Roadmap to Today’s Discussion
• Background on Data Breaches
• Current Regulatory Landscape
• What to Expect from Regulators
• Best Practices
Threats In the News
• “Investigators Target eBay Over Massive Data Breach,” Time, 5/23/14
  – 100 million user passwords stolen (failure to protect)
• “Target Missed Signs of Data Breach,” NY Times, 3/13/14
  – Malware in system for several years (failure to detect)
• “Target Earnings Show Pain of Data Breach,” Business Week, 5/21/14
  – 16% plunge in earnings (threat to going concern)
• “Target Fires Executives Over Data Breach,” Business Week, 5/23/14
  – CIO, CEO and head of operations in Canada dismissed
The Context
• Exponential increase in use, transmission and storage of electronic data (records, laptops, iPads, iPhones, social media, the cloud)
  – Increasing number of breaches
  – Growing use of malware to disrupt operations
  – New generation of computers
• Increased awareness of privacy
• Growing body of law and regulation to protect personal and confidential information and systems
  – Expanding number of regulations governing how companies collect, use and store personal information
  – Heightened national security concerns
Root Causes of Data Breaches
[Charts: Root Causes of a Data Breach; Per Capita Cost for Each Root Cause]
Source: 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, conducted by Ponemon Institute LLC
Costs of a Data Breach
• Detection or Discovery
• Escalation
• Notification
• Post Data Breach
• Opportunity Costs
  – Turnover of existing customers
  – Diminished customer acquisition
Types of Threats
• Criminals
  – Former employees / teenagers on a dare
  – Cyber-extortion – gangs in Eastern Europe, etc.
• Hacktivists
  – Intent is to embarrass corporate leadership
• Espionage
  – Will disrupt a company’s operations by planting malware that lies dormant for years to steal secrets and create havoc (deleting information, etc.)
• National Security
  – Threats to critical infrastructure have drawn the attention of Homeland Security, CIA, FBI
Targets
• Critical infrastructure
• Financial information (SSNs, IDs)
• Trading information
• Health data
• Intellectual property
• Logons and passwords
The Attack Profile
• Many attacks now are specifically targeted
  – Phishing (spear phishing, whaling)
  – Water-holing
• Advanced Persistent Threats (APT)
  – Hackers lying in wait
  – Selling time on your computers
• We have met the enemy and he is us
  – Employees and contractors already have access
  – They do not need malicious intent to be a problem
Layers of Regulation
• International Commissions
• Federal
  – Executive Order / Homeland Security / CIA / FBI
  – National Cyber Investigative Joint Task Force (NCIJTF)
  – Commerce: NIST (National Institute of Standards and Technology)
  – Federal Trade Commission (Gramm-Leach-Bliley)
  – HHS (HIPAA)
  – U.S. Securities and Exchange Commission, FINRA
• State
  – State data breach laws
  – State GLB laws
Federal: Gramm-Leach-Bliley and HIPAA
• FTC issued two rules:
  – Privacy Rule: must notify customers when their information is shared with others; opt-out rights; annual notice / Reg. S-P
  – Safeguards Rule: must develop a written information security plan describing how the company will protect the security, confidentiality and integrity of customer information
    – Tailored to the company’s size and complexity
    – Nature and scope of the company’s activities
• HIPAA:
  – Privacy Rule: protect individual health data
  – Security Rule: perform a risk assessment and develop policies and procedures to address potential threats to the security of electronic protected health data
Federal: SEC Rules and Guidance
• SEC Reg. S-P
  – Broker-dealers, investment advisers and investment companies must have written policies and procedures to ensure the confidentiality of personal information, protect against unauthorized access, and protect against anticipated threats and hazards to the security and integrity of data
• SEC Guidance for public companies (2011):
  – Identified cybersecurity risks and incidents as potentially material information to be disclosed to investors
  – Encourages companies to assess their risks of cyber incidents and review the impact on a company’s operations, liquidity and financial condition
  – A blueprint for assessing cyber risk exposures and determining what must be disclosed
The 2013 Executive Order
• Feb. 12, 2013: President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
  – Calls for development of a voluntary cybersecurity framework
  – Provide a flexible, performance-based, cost-efficient approach to manage cybersecurity risk
NCIJTF
• National Cyber Investigative Joint Task Force
  – Tracks, attributes and takes action against terrorists, spies and criminals who exploit our cyber systems
  – If a significant breach occurs, a team of experts from NCIJTF will offer to help the target company with vulnerability mitigation plans
  – FBI may request permission to monitor specific networks in the company to capture information about the intruder
  – Critical for the GC to handle her company’s “consent” and negotiate the agreement with the FBI
Federal: NIST at Commerce
• Feb. 21, 2014: National Institute of Standards and Technology (NIST) Cybersecurity Framework
  – Year-long initiative of NIST and Homeland Security in response to the Executive Order
  – Guidance to companies on how to manage the growing cybersecurity threat:
    – Deter – identify risks
    – Detect – unauthorized access and activity
    – Protect – safeguards for systems, vendors
    – Respond – response plan, communications, mitigation
    – Recover – restore capabilities
  – Voluntary – but may give rise to a new standard of care for corporate management – presented at NAIC
NIST Framework
• Corporate Governance
  – Develop policies, procedures and processes to manage and monitor the organization’s legal risk environment and operational requirements
  – Establish information security policy
  – Identify security roles and responsibilities and align internal roles and external partners
  – Understand legal and regulatory requirements regarding cybersecurity, including privacy and civil liberty obligations
  – Ensure governance and risk management processes address cybersecurity risks
SEC Begins Cybersecurity Exams
• March 26, 2014: SEC Cybersecurity Roundtable
  – Chair Mary Jo White: compelling need for a stronger partnership between government and the private sector to address cyber threats
  – Announced cybersecurity initiatives designed to assess cybersecurity preparedness in the securities industry
• April 15, 2014: SEC Cybersecurity Initiatives
  – OCIE conducting exams of 50+ broker-dealers and investment advisers
  – Published list of 26 questions on:
    – Cybersecurity governance
    – Protection of networks and information
    – Risks associated with remote customer access, vendors
    – Detecting unauthorized activity
Red Flags for SEC
• Weak IT Security Policy
• Weak Incident Response Plan
• Weak Training Programs
• Weak Third Party Due Diligence
• Weak Internal Controls and Protocols for Identity Theft
  – Poorly documented controls
• Weak Access Controls
  – Weak remote access security
• Excessive IT Cost Cutting
• Poor Integration and Communications
State Data Breach Laws
State Data Breach Notification Laws
• 51 U.S. jurisdictions (47 states, DC, Guam, PR and VI) have data breach notification laws (AL, NM and SD do not yet)
• Laws apply based on the residence of the individual whose data was compromised
• Laws have different triggers and specified content
  – Varying definitions of PI
  – Paper v. computerized
  – Risk of harm exception
  – Some states require notification within 5 days of breach
  – Some require state attorneys general and the state insurance commissioner to be notified
State Data Security Requirements
• 7 states have data protection laws. Most comprehensive is Massachusetts’ regulation.
  – Applies to any company that uses or stores personal information of Massachusetts residents
  – Must adopt a comprehensive written information security program that:
    – Identifies and evaluates internal and external risks
    – Monitors employee access to PI
    – Service providers must comply
  – Must review security measures annually and upgrade safeguards
  – Establish continuing education program and training
  – Develop procedures to take in response to a breach
State Data Security Requirements
Massachusetts Data Protection Regulation (cont’d)
• Must establish and maintain a computer security program, to the extent technically feasible, that requires:
  – Encryption of transmitted records and records on laptops, mobile devices
  – User-authentication protocols and access-control measures
  – Up-to-date firewalls, anti-virus and anti-malware programs
• No one-size-fits-all
  – Reasonableness standard given current technology and sophistication of the organization
• MA Attorney General: will scrutinize any breach
Best Practices
• Prepare comprehensive enterprise-wide privacy and data safeguard policies and procedures
  – Identify your IT assets and stakeholders
  – Identify your risks and risk management strategy
• Institute reasonable security procedures
  – Identify who has access to what and why
  – Limit access (physical and remote) to personal information
  – Recertify access periodically
  – Training and awareness
Best Practices
• Ensure Data Security
  – Data in transit, data at rest, data disposition
  – Protection against data leaks (DLP and email monitoring) and unauthorized access
  – Testing and continuous improvement
• Detect anomalies and events
  – Establish incident alert thresholds
• Educate company executives on applicable legal requirements regarding cyber risks and safeguards
  – Importance of establishing a team of stakeholders to assess risks and implement appropriate compliance procedures
  – Chief Information Security Officer
Best Practices
• Consider data security in vendor/business partner selection and management, and add it to agreements
  – Failure to conduct due diligence on service providers can create unexpected risks
• Prepare a robust incident response plan
  – Test your plan
• Mitigate damages and improve recovery/restoration/resilience
• Cyber Insurance
Conclusion
• Data breaches will continue to extract costs throughout society
  – Garnered the attention of top levels in government and industry
  – Increasingly rigorous regulatory requirements
  – Significant risk exposures for companies to identify, mitigate and manage
Contact Information
• Melissa H. Cozart, Chief Privacy Officer, AIG Life & Retirement, [email protected], (713) 831-6371
• Leslie T. Thornton, Vice President & General Counsel, WGL Holdings, Inc. and Washington Gas Light Company, [email protected], (202) 624-6720
• Mary Jane Wilson-Bilik, Partner, Sutherland Asbill & Brennan LLP, [email protected], (202) 383-0660
Thank You
• Questions?