
Page 1: Preparing for a Cybersecurity Event

2017 ACC-SoCal In-House Counsel Conference #IHCC17

Preparing for a Cybersecurity Event

January 17, 2017

Universal City, California

Sponsored by Sidley Austin LLP

Moderator: Kush Desai, Group Vice President, Legal Affairs, Beachbody

Panelists: Ed McNicholas, Partner, Sidley Austin LLP
Amy Lally, Partner, Sidley Austin LLP

#IHCC12

Page 2: U.S. Regime – Sectoral Approach To Privacy And Cybersecurity

Sector-specific federal legislation (financial services, health care, and education) and marketing restrictions.

State laws fill gaps or raise standards (e.g., consumer privacy, breach notification, and data security).

Industry standards, voluntary codes, and government guidance also play a key role.

Various state and federal agencies enforce privacy laws, including the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the Department of Health and Human Services (HHS), and State Attorneys General.

Page 3: Sources Of U.S. Privacy Law And Regulation

State law
– State Attorneys General / “Mini FTC Acts”
– Tort law
– State data breach notification laws (including some specific to medical data)
– State general data security/secure disposal laws
– State-specific data security laws (e.g., 201 CMR 17.00, the regulations issued by the Massachusetts Office of Consumer Affairs and Business Regulation [MA 201])
– State biometrics laws (Texas, Illinois)
– State laws relating to social media privacy (employees)
– State medical privacy laws
– State genetic information privacy laws

Page 4: Potential Sources Of Liability

Mental legal checklist:

– Statutory Obligations (Federal and State)
– Civil Obligations
– Tort Law Reasonableness (Negligence)
– Regulatory Obligations
– Contractual Obligations (direct or customer’s)
– Corporate Governance
– Standards / Best Practices

Page 5: Connections – And Attack Vectors – Are Growing Exponentially

[Figure: Connected Car, Connected Health, Connected Home]

Page 6: Trends Enabling Or Affecting Cybersecurity

Technological Developments
• Ability to generate, collect, communicate, share, and access data from more people, devices, and sensors
• Devices and consumer transactions capture more kinds of information than ever before
• More powerful computing, and vastly cheaper data storage
• Data science developing quickly, and improving algorithms

Consumer Trends
• Mobile, location tracking, social media, cloud
• Sharing information increasingly common and more comprehensive
• Media (and some consumers) voicing amorphous privacy concerns (often conflating governmental surveillance and commercial privacy)

Business Trends
• Providing personalized, tailored services
• Desire to monetize data and deploy more sensors
• Deliver more tailored experiences
• Anticipate consumer desires

Government Trends
• Big Data can help save money, save lives, defend the homeland, etc.
• Fear of unknown implications
• Balancing innovation and consumer protection

Page 7: What’s At Stake?

– Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
– Personal information; account information; access to accounts
– Disruption of business; denial of service; cyber-extortion; consumer confidence
– Critical infrastructure and essential services
– Communication systems
– Supply chain management
– SCADA (supervisory control and data acquisition) / industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes

Page 8: Data Breach Consequences

Internal investigations
– Costly internal investigation (including potential insider attack sources)

Litigation
– Consumer class action litigation
– Shareholder derivative action alleging failure of Board oversight
– Potential litigation brought by recent purchasers of securities
– Potential litigation with the credit card brands

Page 9: Data Breach Consequences

Regulator investigations
– Multistate AG investigations
– FTC/CFPB/OCR/other sector-specific investigations
– SEC investigation
– International regulators (data protection authorities)
– Industry self-regulators, e.g., PCI DSS
– Law enforcement investigation of cybercriminals

Page 10: Data Breach Consequences

Other inquiries and issues
– Congressional hearings and inquiries
– Media / analyst / blog scrutiny and stories
– Shareholder activism
– Public communications strategies regarding customer trust
– Discussions with the insurance carrier about coverage
– Implications under business partner contracts

Page 11: Enhancing Board/CEO Attention

Review/refine information governance structure
– Assign board committee responsibility; require ongoing review and reporting of information risks/controls
– Provide adequate budget and operational resources
– Consider appointing a CISO and a CPO
– Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness

Evaluate cyber-insurance coverage

Evaluate deployment of best practices and available tools, safeguards and patches

Page 12: Enhancing Board/CEO Attention

Develop a cybersecurity and data protection risk assessment; understand vulnerabilities and plan for possible “persistent” threats

Understand exposure to third parties and service providers

Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations
– Address legal compliance and reporting responsibilities
– Consider SEC issues

Page 13: Recommended Actions For Boards

Reserve time on meeting agendas for cybersecurity
– Receive quarterly reports on cyber risks; discuss as part of strategy discussions if IT is critical

Consider delegating cybersecurity oversight to a committee
– Conduct an in-depth audit of IT policies/cybersecurity programs
– Review budgets and increase IT resources if necessary
– Implement preventative measures to ward off attacks (keep sensitive data offline, put a firewall curtain around vulnerable locations, proactively hunt for in-network intruders)

Engage third-party cybersecurity experts as needed

Educate a tech-savvy director on cybersecurity or consider recruiting a new director with IT or cyber risk expertise

Evaluate adequacy of cyber liability insurance coverage

Page 14: Cyber Legal Preparedness

1. Develop and follow information governance controls
– Establish procedures, responsibilities, and expectations re: Board and Management oversight and reporting
– Ensure clear designations and resources provided
– Memorialize Board oversight

Page 15: Cyber Legal Preparedness

2. Identify, map and assess compliance with legal and regulatory obligations and determine cyber vulnerabilities and risks
– Identify applicable legal and third-party obligations
– Assess compliance with industry standards (e.g., CIP Standards, NIST, ISO, COBIT, etc.)
– Identify potentially material vulnerabilities and cyber-risk factors; conduct a risk assessment (and periodically thereafter)
– Identify and prioritize systems and databases that contain sensitive or protected information; assess whether such information is adequately protected
– Coordinate review with Audit, Compliance, IT, and other relevant departments; report to Board

Page 16: Cyber Legal Preparedness

3. Establish a work plan for cybersecurity crisis prevention and management
– No one-size-fits-all approach; focus on remedying vulnerabilities and risks identified by the compliance review
– Develop and maintain policies, procedures, and training (see below)
– Comply with filing disclosures regarding cyber risks and security breaches
– Implement strategies for industry information sharing and government and law enforcement coordination (e.g., ES-ISAC, InfraGard, etc.)
– Consider whether to adopt cybersecurity insurance
– Memorialize Board review and approval; maintain privilege

Page 17: Cyber Legal Preparedness

4. Develop and maintain written policies and procedures
– Develop and implement:
  • Comprehensive written information security policy
  • Incident response plan that covers: containment, government and other required reporting, forensic consultants, PR communications, regulatory and litigation counsel
  • Internal and external privacy policies
  • Defined cybersecurity roles / responsibilities for users, administrators, and managers
– Vet policies with relevant departments and Board; maintain privilege
– Maintain accountability standards for violations of policies

Page 18: Cyber Legal Preparedness

5. Develop and maintain training programs for employees and contractors

6. Deploy appropriate information security safeguards for vendors/service providers, including reporting and due diligence
– Ensure the agreements adequately protect the firm’s cybersecurity interests and provide appropriate indemnification
– Identify data security and reporting requirements imposed upon the firm by contract
– Consider whether auditing is appropriate and/or review vendors for compliance with relevant security standards

Page 19: Cyber Legal Preparedness

7. Implement secure technology design
– Implement defense in depth
– Ensure the system is capable of effective network-level monitoring; continuously monitor network intrusion detection systems
– Select and implement an appropriate encryption standard
– Conduct regular testing and system updates
– Create an authentication process to enroll and verify authorized users; employ physical and technical authentication mechanisms

Page 20: Cyber Legal Preparedness

8. Identify consulting and other outside resources
– Consider use of computer forensic resources for prevention, detection, and remediation
– Develop protocol and budget for use of legal and PR services
– Identify and pre-engage suitable PR and communications specialists, legal specialists, etc.
– Pre-position credit monitoring, mailing, and call center services

9. Regularly test and update all assessments, safeguards, and protocols
– Keep up with fast-moving changes in technology and security
– Be aware of which practices are standard and which are state of the art

Page 21: Cyber Legal Preparedness

10. Monitor and communicate periodic alerts on new and existing threats throughout the organization
– ES-ISAC, DHS, etc.

11. Maintain confidentiality
– Classify program controls as highly confidential (or formally classified where appropriate); details not disclosed outside the firm, need-to-know basis internally

Page 22: Key Cybersecurity Questions To Ask

Do we know what systems, IP assets, trade secrets, account records, and consumer data could be subject to cyber attack?

What past incidents have we experienced? Are our incident response procedures effective and well understood throughout the organization?

Do we have an up-to-date cybersecurity risk assessment in hand? A written information security plan?

Who is responsible for cybersecurity; are there sufficient resources?

Is the Board of Directors adequately focused on cybersecurity; has it established satisfactory internal controls and governance structures?

Page 23: Key Cybersecurity Questions To Ask

What do we need to include in our SEC filings on cybersecurity?

Do we know what existing and prospective laws apply to cybersecurity?

Do we know what our contracts say about cybersecurity; do our existing customer / vendor contracts protect us on cybersecurity?

Are we participating in appropriate information sharing?

Who is monitoring NIST developments and best industry practices?

Page 24: Key Legal Defense To Consumer Class Actions – Standing

Spokeo, Inc. v. Robins and Article III Standing
– Plaintiff bears the burden of proving standing by demonstrating, among other things, injury in fact. The injury-in-fact requirement requires a plaintiff to show:
  (1) he/she suffered “an invasion of a legally protected interest” that is
  (2) “concrete and particularized” and
  (3) “actual or imminent, not conjectural or hypothetical”

Page 25: Key Legal Defense To Consumer Class Actions – Standing

What constitutes a “concrete” injury?
– Under Spokeo, an injury is “concrete” if it is “‘de facto’; that is, it must actually exist” rather than being only “abstract”

Page 26: Key Legal Defense To Consumer Class Actions – Standing

Statutory violation is not enough
– Violation of a privacy statute itself, without proving any additional harm, is not sufficient to prove “concrete injury.”
– Circuits leaning toward this view:
  D.C. Circuit
  Seventh Circuit
  Eighth Circuit

Page 27: Key Legal Defense To Consumer Class Actions – Standing

Statutory violation is enough
– Violation of a privacy statute itself, without substantial additional harm, is sufficient to prove an intangible, de facto concrete injury.
– Circuits that follow this view:
  Third Circuit
  Sixth Circuit
  Eleventh Circuit

Page 28: Panelists

Moderator - Kush Desai
– Beachbody, Group Vice President, Legal Affairs, [email protected]

Ed McNicholas
– Sidley Austin LLP, Partner, [email protected]

Amy Lally
– Sidley Austin LLP, Partner, [email protected]

Page 29: Sidley Austin LLP

Beijing, Boston, Brussels, Century City, Chicago, Dallas, Geneva, Hong Kong, Houston, London, Los Angeles, Munich, New York, Palo Alto, San Francisco, Shanghai, Singapore, Sydney, Tokyo, Washington, D.C.

1,900 LAWYERS and 20 OFFICES located in commercial, financial and regulatory centers around the world

Page 30: 13th Annual In-House Counsel Conference

January 17, 2017 (Universal City, CA)

#IHCC17

www.acc.com/chapters/socal/