Upload
lefty
View
25
Download
1
Embed Size (px)
DESCRIPTION
Cybersecurity Stuff Happens: A Corporate Counsel's Primer for Security. Albert Gidari Jill Chasson February 19, 2008. INTRODUCTION. Security - a corporate counsel’s full time job It should keep you up at night – a security breach is your worst nightmare - PowerPoint PPT Presentation
Citation preview
Cybersecurity Stuff Happens: Cybersecurity Stuff Happens: A Corporate Counsel's Primer A Corporate Counsel's Primer
for Securityfor Security
Albert GidariJill Chasson
February 19, 2008
INTRODUCTIONINTRODUCTION
Security - a corporate counsel’s full time job
It should keep you up at night – a security breach is your worst nightmare
Total number of records lost in security breaches in U.S. since 2005 = 218,202,156 http://www.privacyrights.org/ar/ChronDataBreaches.htm
#2008
Total cost per record = $197 2007 Ponemon Institute Study www.ponemon.org
INCIDENT RESPONSE PLANNINGINCIDENT RESPONSE PLANNING
Cradle-to-Grave Security Plan
Combine SOX, PCI, and other regulatory drivers for holistic plan
Organize IRP team with key stakeholders and conduct periodic meetings
Training
Audit/Assessment/Corrective Action Plan
ANATOMY OF INCIDENT RESPONSEANATOMY OF INCIDENT RESPONSE
Fix the Breach
Preserve Evidence
Document Response Costs
Law Enforcement Referral
Initiate Customer/Employee/State Notice Call center
Credit monitoring
Notice letter
Defensive/Remedial Action Plan
LITIGATIONLITIGATION
Most common claim in security breach class action is for negligence
Classic negligence formula applies: duty, breach, causation and damages
Almost universally, companies have won (but, agency enforcement actions are another story)
Stollenwerk v. Tri-West Health CareStollenwerk v. Tri-West Health Care
Beneficiaries of government health insurance program brought action against local manager of the program for negligently failing to secure their personal information following burglary of computer servers containing hard drives with beneficiaries' personal information.
District Court granted SJ, finding cost of credit monitoring service not cognizable damage under AZ law. (2005 WL 2465906, Sept. 6, 2005)
Ninth Circuit affirms and adds that cost of premium monitoring was not a necessary cost, but reverses and remands on causation grounds as to one party who experienced post-burglary incidents of identity theft. (2007 WL 4116068, 9 th Cir. Nov. 20, 2007)
Guin v. Brazos Higher Ed. Svc. Corp.Guin v. Brazos Higher Ed. Svc. Corp. Claim: Employer negligently allowed employee to keep unencrypted
nonpublic customer data on laptop that was stolen from employee's home during burglary; argued that GLBA applied to financial information. GLBA does not prohibit someone from working with sensitive data on
a laptop computer in a home office. GLBA does not require PII to be encrypted on laptop. Reasonable care standard met – employee had permission to work at
home, lived in a safe neighborhood. No evidence that plaintiff’s identity “transferred, possessed, or used”
by a third party “with the intent to commit, aid, or abet any unlawful activity.”
No other evidence of damages. Intervening criminal act of another negates causation.
2006 WL 288483 (D. Minn. Feb. 7, 2006)
Pisciotta v. Old National BancorpPisciotta v. Old National Bancorp Putative class asserted negligence and breach of implied
contract claims against bank and its website hosting facility for allowing PII collected through bank's marketing web site to be accessed via database security breach; sought recovery of costs associated with credit monitoring services.
No claim for credit monitoring available under Indiana common law because damages were speculative (no existing injury); "compensable damage requires more than an exposure to a future potential harm."
Indiana Code provision defined database owner's disclosure duties narrowly and provided state-enforced penalties as the exclusive remedy for violations of such duties.
499 F.3d 629 (7th Cir. 2007)
FTC ACTIONSFTC ACTIONS
Section 5 of the FTC Act provides that "unfair or deceptive acts or practices in or affecting commerce are declared unlawful."
FTC actions based on “deception” prong – material representation or omission that is likely to mislead consumers acting reasonably under the circumstances
FTC CONSENT DECREE ELEMENTSFTC CONSENT DECREE ELEMENTS
Establish, implement & maintain comprehensive information security program reasonably designed to protect security, confidentiality & integrity of PII collected from or about consumers
Security Policy in writing
Designate Responsible Employee for Security Program
Third Party Audit every 2 years
Make all audits available to FTC for 5 years
20 years of FTC oversight
See e.g., Cardsystems Solution Settlement (2006) at: http://www.ftc.gov/os/caselist/0523148/0523148consent.pdf
EMPLOYEE ISSUESEMPLOYEE ISSUES
Leading cause of security breaches is employee negligence or dishonesty
Confidentiality Agreement/Policy
Network Access and Use Policy
Disciplinary process for failure to follow policy (e.g., leaving laptop unsecured in hotel room)
PCI DATA SECURITY STANDARDSPCI DATA SECURITY STANDARDS
Consists of 12 basic requirements (the "Digital Dozen") in 6 key areas Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
Compliance may include third party audit or self-assessment, submission of ROC to Visa, quarterly scans
Merchants liable for failures of their service providers
FINANCIAL PRIVACYFINANCIAL PRIVACYPCI DATA SECURITY STANDARDSPCI DATA SECURITY STANDARDS
Compliance Penalties – If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
Fine the acquiring member
Impose restrictions on the merchant or its agent, or
Permanently prohibit the merchant or its agent from participating in Visa programs
Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach
Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident
Horror Stories – BJ's, CardServices, and more
CONTRACTING FOR SECURITYCONTRACTING FOR SECURITY
Contracting: Vendors
Require vendors who hold data to represent adequate security, indemnify for breaches, and be obligated to give immediate notice of breach and cooperate in investigation
Reserve your rights to audit and to control any litigation Lessons from HIPAA Business Associate Agreements and GLB Security
Safeguard Rule – flowing down security Customer Terms of Use
Include limits on liability and arbitration clause with waiver of class action right, specify that the service is provided “as is”, disclaim warranty of security
Privacy Policy Be certain not to over-promise and under-deliver Be certain to keep current on security and known security risks
LAWS AND REGULATIONS LAWS AND REGULATIONS
Section 501(b) of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801(b) Implementing regulations: FTC Safeguards Rule,
16 C.F.R. Part 314 HIPAA
Implementing regulations: HHS Security Rule, 45 C.F.R. Parts 160, 162, and 164
Section 404 of the Sarbanes-Oxley Act of 2002, 15 U.S.C. § 7262
FTC Data Destruction Rule, 16 C.F.R. § 682 State security breach laws
http://www.perkinscoie.com/files/upload/securitybreach.pdf