Page 1: EEI : Cybersecurity Law Conference

EEI: Cybersecurity Law Conference

Lisa J. Sotto
Hunton & Williams LLP
(212) 309-1223
[email protected]
www.huntonprivacyblog.com

October 24, 2014

Paul M. Tiao
Hunton & Williams LLP
(202) 955-1618
[email protected]

Page 2

The Privacy and Cybersecurity Team at Hunton & Williams

• Over 25 privacy professionals in the U.S., EU and Asia
• Our privacy clients have included 6 of the Fortune 10
• Representing clients across multiple industry sectors, including energy, retail, transportation, consumer products, publishing, financial services, technology, advertising, health care and pharmaceutical
• Centre for Information Policy Leadership at Hunton & Williams
• www.HuntonPrivacyBlog.com
• @hunton_privacy

Page 3

Roadmap

• Introduction
• Cyber Threat Landscape – Setting the Stage
• The Legal and Policy Environment
  – U.S.
  – EU
• Lessons Learned

Page 4

A Sampling of Recent Global Headlines

1. August 2013 – Another wave of DDoS attacks on financial institutions launched but deemed to have little impact
2. December / January 2013 – Several U.S. retailers and a UK announce significant credit card breaches
3. April 2014 – Heartbleed bug announced; related breaches uncovered
4. April 2014 – Target CEO resigns; the company’s breach response cited as a contributing factor
5. May 2014 – French telco reports 2nd breach in past several months
6. May 2014 – eBay breach; investigations in the US and UK anticipated
7. May 2014 – Worst data breach in German history identified; 18+ million email passwords compromised

Page 5

The Cyber Threat Landscape

• Threat Actors
• Threat Vectors
• Targeted Information and Systems

Page 6

A Year In Review

• Recent Compromises
  – Target
  – Neiman Marcus
  – Michaels
  – The UPS Store
  – Goodwill
  – The Home Depot
  – JPMorgan Chase
• Recent Government Activity
  – Congressional inquiries
  – Calls for FTC action
  – PLA indictment

Page 7

Legislative and Policy Environment

• Congressional attempts to pass cybersecurity legislation
  – Numerous efforts to pass a cybersecurity law
  – Key legislative issues
  – Failure to pass legislation in 2012 provided impetus for the 2013 Executive Order on Improving Critical Infrastructure Cybersecurity

Page 8

Executive Order on Improving Critical Infrastructure Cybersecurity

• Cybersecurity Framework
  – Voluntary program, including incentives
• Information sharing
• Identification of critical infrastructure for which a cybersecurity attack could have catastrophic effects
• Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies
• Use of the federal procurement process to encourage contractors to enhance information security practices
• Consideration of privacy and civil liberties issues

Page 9

Cybersecurity Framework

• NIST published final version of Cybersecurity Framework on Feb. 12, 2014
  – Framework Core
  – Implementation Tiers
  – Framework Profile
  – Privacy appendix in preliminary Framework (Oct. 2013) stricken from final
• Extensive public input
  – Five widely attended workshops
  – Request for Information
  – Many comments on the preliminary version of the Framework
• Likely benchmark in regulatory, enforcement and litigation context
• Future workshops and versions

Page 10

A Life-Cycle Methodology

(Figure: life-cycle diagram; no text recoverable beyond the title.)

Page 11

Function Categories

6 Functions, 22 Categories, 98 Sub Categories

• Identify – Asset management, business environment, governance, risk assessment, risk management
• Protect – Access control, awareness & training, data security, process & procedures, maintenance, protective technologies
• Detect – Anomalies & events, continuous monitoring, detection processes
• Respond – Response planning, communications, analysis, mitigation, improvement
• Recover – Recovery planning, improvements, communications

Page 12

Framework Profile

(Figure: Framework Profile roadmap visualization.)

* This same roadmap visualization can be applied to the categories and sub-categories within each function.

Page 13

Electric Utility Issues

• Industrial Control Systems
• Smart Grid
• Information Sharing Groups
  – Electricity Subsector ISAC
  – Downstream Natural Gas ISAC
• Cyber insurance for operational technology

Page 14

Federal Agency Information-Sharing Programs

• DHS
  – National Cybersecurity and Communications Integration Center (NCCIC)
    • US-CERT
    • ICS-CERT
  – Cybersecurity Information Sharing and Collaboration Program (CISCP)
• FBI
  – Cyber Division & FBI Field Offices
  – National Cyber Investigative Joint Task Force
  – National Cyber and Forensics Training Alliance
  – Domestic Security Alliance Council
  – InfraGard
• DOE
  – Cybersecurity Risk Information Sharing Program (CRISP)

Page 15

Public-Private Information Sharing Issues

• Standard Agreements
  – DHS Cooperative Research and Development Agreement
  – FBI Memorandum of Agreement and Non-Disclosure Agreements
• Information sharing rules and procedures
• Information handling restrictions
• Protection from disclosure under FOIA
• Implications for regulatory enforcement
• Prosecutorial implications
• Privacy risks

Page 16

Data Security Rules

• Federal Law
  – FTC Act
  – Gramm-Leach-Bliley
  – HIPAA/HITECH
  – FACTA Disposal Rule
• State Requirements
  – MA, NV, CA and progeny
  – Breach notification laws
• Industry Standards
  – PCI DSS
  – ISO
  – NIST

Page 17

Utility-Specific Cybersecurity Requirements

• Version 5 Critical Infrastructure Protection Reliability Standards
  – Expanded scope of covered cyber systems
  – Categorization of systems by impact on reliability
  – Enforcement date – April 2016
• NERC Physical Security Standards

Page 18

Legal Obligations

• Understand your legal obligations arising out of a cyber event
  – Breach notification and other obligations
• State, federal, international law
• Industry standards
• Contractual obligations
• SEC reporting

Page 19

State Breach Notification Requirements

• Generally, the duty to notify arises when unencrypted computerized “personal information” was acquired or accessed by an unauthorized person
• “Personal information” generally is an individual’s name plus:
  – Social Security number
  – Driver’s license / state ID card number, or
  – Account, credit or debit card number, along with password or access code
• Service providers must notify data owners of security breaches, and some states require “cooperation” with the data owner

Page 20

Variations in State Breach Laws

– Definition of PI
– Computerized v. paper data
– Notification to state agencies
– Notification to CRAs
– Timing of individual notification
– Harm threshold
– Content of notification letter
– Preemption
– New CA requirements

Page 21

SEC Cybersecurity Guidance

• Companies are not disclosing enough
  – The SEC is cracking down
• Vast majority of companies that did address cyber issues used only boilerplate language
  – Some hacking victims said nothing
• Disclosures often don’t give a genuine sense of the risk
  – Cyber attacks are included as one of many potentially catastrophic events

Page 22

SEC Enforcement Efforts

• SEC is now formally investigating companies’ cyber disclosures
  – Focused on whether investors were appropriately informed
  – Probes are not public
  – Target is reported to be facing scrutiny
  – Prospect of enforcement actions

Page 23

EU Cybersecurity: Regulatory Efforts

• On February 7, 2013, the EC issued a draft directive on cybersecurity
• Once adopted, member states will have 18 months to implement the Directive
• The aim of the Directive is to
  – Achieve European cyber resilience
  – Drastically reduce European cybercrime
  – Develop common European cyber defense policies and resources
  – Establish a coherent European cyberspace policy and promote core EU values
• The Directive would require EU competent authorities to cooperate, share information, and coordinate responses

Page 24

EU Cybersecurity: Breach Reporting

• The Directive would require companies in “critical” sectors to adopt strict network security standards and report “significant” cybersecurity incidents
• The proposals encompass a broad section of industry sectors, including non-essential services such as YouTube and Spotify
• The proposals do not clearly distinguish between targeted cybersecurity incidents and other types of breaches
• The breach reporting requirements are not harmonized with existing and anticipated breach reporting requirements under the EU E-Privacy Directive and the proposed EU General Data Protection Regulation

Page 25

Global Breach Notification Requirements

• Breach notification requirements and guidance emerging across the world
  – 30+ countries outside the U.S. now require or strongly recommend notification
• Federal and provincial standards in Canada
• Several countries in Europe (including Germany)
• All major countries in Asia and Oceania (including Australia, Hong Kong, India)

Page 26

Data Breach Response Timeline

(Figure: numbered timeline graphic. Stages as read from the slide: Event, Mobilize, Legal Posture, Law Enforcement, Stabilize, Investigate, Legal Analysis, Notify, Regulatory Response, Lawsuits, Review & Improve.)

Page 27

Paul M. Tiao
Partner
Hunton & Williams LLP
(202) 955-1618
[email protected]

Lisa J. Sotto
Partner
Chair, Privacy and Cybersecurity Practice
Hunton & Williams LLP
(212) 309-1223
[email protected]