Data Privacy and Security Compliance:
Lessons for Corporate Counsel After Recent High Profile Breaches
Proactive Strategies to Avoid and Respond to a Data Breach or Cyber Attack
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, NOVEMBER 11, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West LLP, Mountain View, Calif.
Brent E. Kidwell, Partner, Jenner & Block LLP, Chicago
EIM GROUP ©
Data Privacy and Security Compliance:
Lessons for Corporate Counsel After Recent High Profile Breaches
Webinar – November 11, 2014
Brent E. Kidwell Robert D. Brownstone
Agenda
INTRO
I. Legal Rules/Regimes – Overview
• INTRO to Risks/Leakages
• A. Default Regimes/Risks – US & Int’l
• B. Contracts’ Ability to Reallocate Risks
II. Proactive Prevention
III. Reactive Remediation – Top Ten
Q&A/CONCLUSION
Introduction – Breaches’ Prevalence
1 threat alone attacked 1K+ businesses ‘13-’14
• U.S. Secret Service, Backoff Malware: Infection Assessment, Dep’t of Homeland Security (8/22/14)
Affected: Target, Staples, Sears (Kmart), Supervalu, Home Depot, Sally Beauty Supply, Neiman Marcus, United Parcel Service, Michaels Stores, Albertsons, Dairy Queen and P. F. Chang
• Nicole Perlroth, Staples Is Latest Retailer Hit by Hackers, NYT (10/21/14) (“entry point for each ... differed”)
Intro (c’t’d) – Breaches
Should only retailers be worried? NO
What kind of risky info. is “targeted”?
“mailing and email addresses, phone numbers or names . . . data routinely collected . . . during interactions like shopping online or volunteering a phone number when using a call center”
“hackers could . . . piece together customers’ stolen information for identity theft or for use in a . . . spear phishing attack . . .”
• Elizabeth A. Harris & Nicole Perlroth, For Target, the Breach Numbers Grow, NYT (1/10/14)
Intro (c’t’d) – Breaches
Metrics
• “Chronology of Data Breaches” for 4/20/05 – 11/3/14 (≈ 930 M records; ≈ 4,400 incidents)
• “Office of Inadequate Security”
• PricewaterhouseCoopers LLP (pwc), U.S. Secret Service et al., US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey (June 2014)
• Ponemon Inst. o/b/o HP Enterprise Security, Cyber Crime Costs Continue to Grow (2014)
Intro (c’t’d) – Breaches
TO LEARN MORE
• NIST, Framework for Improving Critical
Infrastructure Cybersecurity (2/12/14)
• Marcus P. Zillman, Internet of Things [“IoT”]
Resources, LLRX (10/11/14)
• Brownstone, Heartbleed: It’s 10 PM; Do You
Know Where Your Data is? ITLawToday (5/6/14)
I. Law Overview INTRO – Risks/Leakages
1. Intentionally Harmful Intentional Disclosures
2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social-Media; Sock-Puppeting; P2P)
3. Unintentional Losses of Sensitive Info. = primary focus of this webinar
BUT some Exs. of Category 2 ...
I. Law Overview – INTRO to Risks (c’t’d)
Category 2 – Don’t people know better?!
(Spear-)phishing?
Social Engineering?
I. U.S. & Int’l Legal Rules
A. Default in U.S. & EU
1. U.S. Law
Data presumptively not protected unless rendered otherwise by specific rule of law
Federal law examples:
• Health/medical = HIPAA (60 days notice): covered entities and business associates; HITECH Act expansion Jan. ’09; HHS Final Regs. Sep. ‘13
• Financial services = Gramm-Leach-Bliley
• Consumer credit reports, etc. = FCRA/FACTA
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability
Gov’t proceedings (FTC, HHS, State AGs)
• FTC – see D.N.J. (Wyndham) and FTC (LabMD) decisions re: FTC enforcement authority (each on appeal to a Circuit Court)
• HHS (under HIPAA), even re: public sector:
  State (2012) – Alaska Dep’t of Health & Social Servs.
  Local (2014) – Skagit County, WA
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
• consumer and/or employee class actions
• corporate customer suits
• shareholder derivative suits
• bad press and/or blog buzz
• reputational hit
I(A)(1). States’ Notice-of-Breach Laws
Overview of Notice-of-Breach Laws:
• Based on state of residence of affected person (identity theft)
• Cal. statutes & Mass. regs. strict
• Electronic information
• Unencrypted
  only Mass. regs. require encryption
  others: “get out of notice” card (unless key also compromised)
I(A)(1). States’ Notice-of-Breach Laws
NOTE: law doesn’t necessarily require encrypting lists of names, addresses, telephone numbers and SSNs
BUT, it’s advisable to encrypt SSNs and to encrypt or password-protect lists of witnesses, deponents, experts, etc.
AND, again, there is sensitive/proprietary/IP/products data
I(A)(1). States’ Notice-of-Breach Laws
Specific combo of elements – expanded in California 1/1/14 by SB 46's amendment to Cal. Civ. Code § 1798.82:
• SB 46 – Amendment to California’s Data Breach Notification Law, F&W Privacy Alert (10/28/13)
Trigger usually automatic (as in Cal.)
Notice requirements
• If > X no. of people affected, tell AG
• Might have to describe circumstances
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
Difficulty in proving “injury” (damages):
• Even CFAA claim in suit against hacker: “loss” hard to show; remediation and down-time?
“Standing” (“Injury”) difficult to show based on mere concern data will be used:
• trade secrets damages theory
• identity-theft theory, including recent theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code 56.36 . . .
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
ID-theft-concern Standing Theory (c’t’d)
• Sutter Health v. Superior Court, 227 Cal. App. 4th 1546, 174 Cal. Rptr. 3d 653 (7/21/14) (stolen PC; no “reasonable possibility they can amend to allege an actual breach of confidentiality”)
• Regents v. Super. Ct. (Platter), 220 Cal. App. 4th 549, 163 Cal. Rptr. 3d 205 (Cal. App. 2 Dist. 10/15/13), as amended (11/13/13) (drive + key)
• Compare In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litigation, 2014 WL 1858458 (D.D.C. 5/9/14)
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
ID-theft-concern Theory (c’t’d)
But see this California Customer Records Act (CRA) federal decision:
• In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916 (N.D. Cal. 9/4/14)
TO LEARN MORE:
• Practical Law, Data Breach Litigation: The Standing and Injury Hurdle (10/14/14)
• Richard Kellner, Losing Medical Records in 'The Cloud’, Recorder (6/26/14)
• it-LEX, “Mere Loss Of Data” In A Breach Is Not Enough To Confer Standing (5/20/14)
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
• BUT SEE these negligence decisions
  Lone Star Nat’l Bank v. Heartland Payment Systems, 729 F.3d 421 (5th Cir. 9/3/13)
  Resnick v. AvMed, 693 F.3d 1317 (11th Cir. 9/5/12); led to settlement discussed here
  Patco Constr. Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 7/3/12)
• See also Edward R. McNicholas & Catherine M. Valerio Barrad, Federal Appellate Opinion May Expand Cybersecurity Liability, law360 (9/23/13)
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Potential Liability (c’t’d)
Aside from viability of legal theories, custom and usage has been . . . .
Potential monetary liability for a breach of unsecured personally identifiable information (PII) is often $130 to $380 per affected person
Average U.S. amount ≈ $188 per person. See Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, Symantec & Ponemon (5/30/13)
Per these data breach calculators:
<http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>
<http://databreachcalculator.com> . . .
I(A)(1). Law (c’t’d) – U.S. Defaults (c’t’d)
Custom/usage (c’t’d)
Typical expense items (from here)
I(A). Law (c’t’d) – 2. Int’l
Privacy protected more, e.g.:
• Europe (EU):
France/Germany/Italy/UK
• Elsewhere:
Brazil
“Marco Civil”
Israel
Ukraine
I(A)(2). Laws Overseas (c’t’d)
DATA-BREACH NOTIFICATION LAWS
less diffused, broader in scope & often
shorter/clearer deadlines . . . e.g.
• Chile
• Germany
• India
• Korea
• Mexico
• Qatar
• Russia
I(A)(2). EU Data Directive Compliance
EU, Directive 95/46/EC (1995) “on the
protection of individuals with regard to
the processing of personal data and on
the free movement of such data”
PLUS laws of individual EU countries
BROAD definitions of “personal data,”
“processing” and “transfer”
Amendments to make EU Directive
STRICTER pending since ‘12
I. Law (c’t’d) – B. Contracts’ Ability to Reallocate Risks
Defaults can change based on:
Relative sizes and bargaining power
Industry of prospective customer
Location of data (who stores/hosts it)
II. Proactive Prevention
Aggregation of Marginal Gains (security
is a “game of inches”)
Data Protection Infrastructure
Protecting Data at Rest
Protecting Data in Motion
Aggregation of Marginal Gains
Security is a “game of inches” - “fight for those
inches.”
“Large” changes are often challenging to
implement and suffer organization friction
Many “small” changes to your security posture
may compound into significant overall
improvements
See http://jamesclear.com/marginal-gains
[Chart (image only): http://blogs.rsa.com/wp-content/uploads/APT-chart1.jpg]
Data Protection Strategy
People, Process, Policy, Technology
Data Protection – People
Executive leadership – security as an organizational priority
Identified personnel with specific roles, accountability and
responsibility
Cross-disciplinary security or “information governance”
teams provide better vision into data/security protection
(and instill organizational ownership of security)
Improve communication and training about security with all
personnel
Human vectors continue to be a key security exploit route
See, e.g., RSA breach resulting from phishing
Data Protection – Process
Plan and document security procedures; for
example:
Identify the location and content of your data
assets, specifically PII or other “sensitive”
collections
Routinize security assessments conducted by
internal and external experts
Employ incident response drills and training
Develop procedures for the ingestion, storage,
security and destruction of data
Data Protection – Policy
Organizational security/data protection policies:
General security, confidentiality, acceptable use and
information governance policies
Special policies may be required for special data (e.g.,
HIPAA/PHI)
Incident response and breach notification policies
Records and information retention policies should be
evaluated to minimize retention of risky data
Establish a regular policy review cycle
Enforcement and consistent application of policies
Consider certifications, such as ISO 27001
Data Protection – Technology
Security of Existing Technology Base
Periodic re-examination of security posture of existing
systems recommended
Cloud-based systems require contractual protections
and due diligence
Specialized Security/Data Protection Tools
Technology is not a security “silver bullet”
Even the best technology requires trained personnel to
monitor, analyze and address identified anomalies
Protecting Data at Rest I
Perimeter Defenses (Incoming & Outgoing)
Firewall
IDS/IPS
Multi-Factor Authentication
Malware Filtering
Data Loss Prevention (DLP)
Access Rights – “Need to Know”
Electronic data destruction (anything with storage)
Protecting Data at Rest II
Logging and Analysis of Security Events
Security Information and Event Management (SIEM)
Provides analytical view into organizational security using a
longer-term baseline for anomaly identification
Don’t Forget Paper Documents
Appropriate destruction – shredding, PII bins, etc.
Clean desk policies
Locked offices, drawers and cabinets
Physical Security
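The SIEM bullet above says a longer-term baseline is what makes anomaly identification work. As an added example (not from the slides or either presenter), the script below parses constructed auth-log lines, compares a fixed single-day threshold against a per-user baseline built from prior days, and flags only the account whose failures depart from its own history. The log format, the user names and the thresholds are assumptions made up for the example.

```python
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\w+) (FAIL|OK)$")
def constructed_log():
    """Eight days of synthetic 'date user result' auth events (not a real log)."""
    lines = []
    for day in range(1, 9):
        date = f"2014-11-{day:02d}"
        alice_fails = 5 + day % 3 if day < 8 else 8  # noisy account: 5-7 failures a day
        bob_fails = 0 if day < 8 else 4              # quiet account, then a spike
        lines += [f"{date} alice FAIL"] * alice_fails + [f"{date} bob FAIL"] * bob_fails
        lines += [f"{date} alice OK", f"{date} bob OK"]
    return "\n".join(lines)
SAMPLE_LOG = constructed_log()
def failures_per_user_day(log):
    """Parse log text into ({user: {day: failed-login count}}, sorted days seen)."""
    counts, days = defaultdict(lambda: defaultdict(int)), set()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # tolerate malformed lines instead of crashing
        day, user, result = m.groups()
        days.add(day)
        counts[user]                      # register the user even if only OK events
        if result == "FAIL":
            counts[user][day] += 1
    return counts, sorted(days)
def static_threshold_flags(log, target_day, threshold=5):
    """Single-day view: flag anyone over one fixed failure count."""
    counts, _ = failures_per_user_day(log)
    return {u: d.get(target_day, 0) for u, d in counts.items() if d.get(target_day, 0) > threshold}
def baseline_anomalies(log, target_day, k=3.0, min_history=5):
    """Longer-term view: flag a user whose count on target_day exceeds that user's
    own baseline (mean + k*stdev over prior days, with a floor of +1)."""
    counts, days = failures_per_user_day(log)
    history_days = [d for d in days if d < target_day]
    flagged = {}
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in history_days]
        if len(history) < min_history:
            continue                       # not enough history to judge
        mu, sd = statistics.mean(history), statistics.pstdev(history)
        today = per_day.get(target_day, 0)
        if today > mu + max(k * sd, 1.0):
            flagged[user] = today
    return flagged
```

On the constructed data the fixed threshold flags the noisy account every day and misses the quiet account's spike; the baseline does the reverse.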
Protecting Data In Motion I
Laptops (endpoints)
AV/Malware Detection
Firewall
Data Encryption (FDE)
Passwords, screensavers, etc.
BYOD Issues
Storage Devices/Tools
Encryption – flash drives, DVDs, etc.
Restrictions on use of cloud storage services (Dropbox, etc.)
Mobile Device Security – Survey
http://www.informationweek.com/security/mobile-security/infographic-mobile-security-run-amok/d/d-id/1113675
Protecting Data in Motion II
Handheld Devices
Encryption
Remote Wiping
Mobile Device Management
BYOD Issues
Backup Tapes
Email encryption
Metadata Scrubbing Tools
Proper Redaction Tools/Methods
III. Reactive Remediation – Incident Response
Top Ten
FOLLOW PROCESS (IF ANY!) . . .
10. Policy/Protocols/Checklists
• Internal team leaders/members ID’d, e.g., InfoSec, Legal & Public Relations
• Outside contacts listed, e.g., Information-Security consulting firm, Counsel, Law enforcement & Insurance carrier
III. Incident- Response (c’t’d)
10. Big-Picture Process (c’t’d)
• Categories defined?
• Data- and machine- handling protocol
• Workflow/Communication chart re:
Discover/Assess/Contain
Remediate/Close/Mitigate
III. TOP TEN TIPS (c’t’d)
FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: info.?
8. Encrypted?
7. If encrypted, key compromised?
III. TOP TEN TIPS (c’t’d)
GET YOUR BEARINGS . . .
6. If a contractual relationship:
• Look at the contract
• Decide whether to try to negotiate re: notice
5. If law enforcement is involved, open a dialogue
4. See if, under strictest statute, notice trigger(s) have kicked in
III. TOP TEN TIPS (c’t’d)
TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If MUST give notice, address required:
• Method and Contents
  » E.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
• Recipients (might include an AG, e.g.)
• Timing (might be OK, under law, to delay)
2. If COULD give notice, discuss customer-relations with C level
1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)
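As an added example not drawn from the slides, the fact-intake and bearings steps (9 to 7, then 4) modelled as a small Python triage: each jurisdiction's rule records which data elements trigger notice when combined with a name, whether encryption is a "get out of notice" card (lost if the key was also compromised), and the AG-notification headcount; the "strictest statute" view is that notice is owed if any rule fires. The rule values (State A, State B, the 500-person threshold standing in for the slides' "X") are illustrative placeholders, not any actual statute.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class NoticeRule:
    """One jurisdiction's notice trigger. The values fed into this class below are
    ILLUSTRATIVE PLACEHOLDERS for this example, not a statement of any statute."""
    jurisdiction: str
    trigger_elements: FrozenSet[str]   # any of these, combined with a name, triggers
    encryption_safe_harbor: bool       # encrypted data escapes, unless the key went too
    ag_threshold: Optional[int]        # tell the AG above this many residents (the "X")

@dataclass(frozen=True)
class Incident:
    elements_exposed: FrozenSet[str]   # what (step 9)
    residents_affected: Dict[str, int] # who/where: jurisdiction -> count (step 9)
    encrypted: bool                    # step 8
    key_compromised: bool              # step 7

def evaluate(rule: NoticeRule, inc: Incident) -> Tuple[bool, bool, str]:
    """Return (notice_required, notify_ag, reason) for one jurisdiction."""
    count = inc.residents_affected.get(rule.jurisdiction, 0)
    if count == 0:
        return False, False, "no residents of this jurisdiction affected"
    if "name" not in inc.elements_exposed or not (rule.trigger_elements & inc.elements_exposed):
        return False, False, "exposed elements do not form a triggering combination"
    if inc.encrypted and rule.encryption_safe_harbor and not inc.key_compromised:
        return False, False, "encrypted and key not compromised: 'get out of notice' card"
    notify_ag = rule.ag_threshold is not None and count > rule.ag_threshold
    return True, notify_ag, f"trigger met for {count} residents"

def triage(rules, inc: Incident):
    """Apply every rule; the 'strictest statute' view (step 4) is that notice is
    owed if any one jurisdiction's trigger has kicked in."""
    results = {r.jurisdiction: evaluate(r, inc) for r in rules}
    return any(n for n, _, _ in results.values()), results

# Constructed placeholder rule set: two hypothetical states, one with a safe harbor.
RULES = (
    NoticeRule("State A", frozenset({"ssn", "account_number"}), True, 500),
    NoticeRule("State B", frozenset({"ssn"}), False, None),
)

if __name__ == "__main__":
    stolen_laptop = Incident(frozenset({"name", "ssn"}), {"State A": 1200, "State B": 40}, True, False)
    print(triage(RULES, stolen_laptop))
```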
Q&A/Conclusion/ Resources . . .
Robert D. Brownstone, Esq.
Fenwick & West LLP
<tinyurl.com/Bob-Brownstone-Bio>
<www.ITLawToday.com>
Brent E. Kidwell, Esq.
Jenner & Block LLP
<www.jenner.com/people/BrentKidwell>
<jenner.com/people/BrentKidwell/library>