2017 ACC-SoCal In-House Counsel Conference #IHCC17
Preparing for a Cybersecurity Event
January 17, 2017
Universal City, California
Sponsored by Sidley Austin LLP
Moderator: Kush Desai, Group Vice President, Legal Affairs, Beachbody
Panelists: Ed McNicholas, Partner, Sidley Austin LLP
Amy Lally, Partner, Sidley Austin LLP
U.S. Regime – Sectoral Approach To Privacy And Cybersecurity
Sector-specific federal legislation (financial services, health care, and education) and marketing restrictions.
State laws fill gaps or raise standards (e.g., consumer privacy, breach notification, and data security).
Industry standards, voluntary codes, and government guidance also play a key role.
Various state and federal agencies enforce privacy laws, including the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), Health and Human Services (HHS), and State Attorneys General.
Sources Of U.S. Privacy Law And Regulation
State law
– State Attorneys General / “Mini FTC Acts”
– Tort law
– State data breach notification laws (including some specific to medical data)
– State general data security/secure disposal laws
– State-specific data security laws (e.g., 201 MA 17.00 regulations from Massachusetts Office of Consumer Affairs and Business Regulations [MA 201])
– State biometrics laws (Texas, Illinois)
– State laws relating to social media privacy (employees)
– State medical privacy laws
– State genetic information privacy laws
Potential Sources Of Liability
Mental legal checklist:
– Statutory Obligations (Federal and State)
– Civil Obligations: Tort Law Reasonableness (Negligence)
– Regulatory Obligations
– Contractual Obligations (direct or customer’s)
– Corporate Governance Standards / Best Practices
Connections – And Attack Vectors – Are Growing Exponentially
[Diagram: Connected Car, Connected Health, Connected Home]
Trends Enabling Or Affecting Cybersecurity
Technological Developments
• Ability to generate, collect, communicate, share, and access data from more people, devices, and sensors
• Devices and consumer transactions capture more kinds of information than ever before
• More powerful computing, and vastly cheaper data storage
• Data science developing quickly, and improving algorithms
Consumer Trends
• Mobile, location tracking, social media, cloud
• Sharing information increasingly common and more comprehensive
• Media (and some consumers) voicing amorphous privacy concerns (often conflating governmental surveillance and commercial privacy)
Business Trends
• Providing personalized, tailored services
• Desire to monetize data and deploy more sensors
• Deliver more tailored experiences
• Anticipate consumer desires
Government Trends
• Big Data can help save money, save lives, defend the homeland, etc.
• Fear of unknown implications
• Balancing innovation and consumer protection
What’s At Stake?
Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
Personal information; account information; access to accounts
Disruption of business; denial of service; cyber-extortion; consumer confidence
Critical infrastructure and essential services
Communication systems
Supply chain management
SCADA (supervisory control and data acquisition) / industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes
Data Breach Consequences
Internal investigations
– Costly internal investigation (including potential insider attack sources)
Litigation
– Consumer class action litigation
– Shareholder derivative action alleging failure of Board oversight
– Potential litigation brought by recent purchasers of securities
– Potential litigation with the credit card brands
Data Breach Consequences (continued)
Regulator investigations
– Multistate AG investigations
– FTC/CFPB/OCR/other sector-specific investigations
– SEC investigation
– International regulators (data protection authorities)
– Industry self-regulators, e.g., PCI DSS
– Law enforcement investigation of cybercriminals
Data Breach Consequences (continued)
Other inquiries and issues
– Congressional hearings and inquiries
– Media / analyst / blog scrutiny and stories
– Shareholder activism
– Public communications strategies regarding customer trust
– Discussions with the insurance carrier about coverage
– Implications under business partner contracts
Enhancing Board/CEO Attention
Review/refine information governance structure
– Assign board committee responsibility; require ongoing review and reporting of information risks/controls
– Provide adequate budget and operational resources
– Consider appointing CISO and CPO
– Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness
Evaluate cyber-insurance coverage
Evaluate deployment of best practices and available tools, safeguards and patches
Enhancing Board/CEO Attention (continued)
Develop cybersecurity and data protection risk assessment; understand vulnerabilities/plan for possible “persistent” threats
Understand exposure to third parties and service providers
Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations
– Address legal compliance and reporting responsibilities
– Consider SEC issues
Recommended Actions For Boards
Reserve time on meeting agendas for cybersecurity
– Receive quarterly reports on cyber risks; discuss as part of strategy discussions if IT is critical
Consider delegating cybersecurity oversight to a committee
– Conduct in-depth audit of IT policies/cybersecurity programs
– Review budgets and increase IT resources if necessary
– Implement preventative measures to ward off attacks (keep sensitive data offline, put a firewall curtain around vulnerable locations, proactively hunt for in-network intruders)
Engage third-party cybersecurity experts as needed
Educate a tech-savvy director on cybersecurity or consider recruiting a new director with IT or cyber risk expertise
Evaluate adequacy of cyber liability insurance coverage
Cyber Legal Preparedness
1. Develop and follow information governance controls
– Establish procedures, responsibilities, and expectations re: Board and Management oversight and reporting
– Ensure clear designations and resources provided
– Memorialize Board oversight
Cyber Legal Preparedness (continued)
2. Identify, map and assess compliance with legal and regulatory obligations and determine cyber vulnerabilities and risks
– Identify applicable legal and third-party obligations
– Assess compliance with industry standards (e.g., CIP Standards, NIST, ISO, COBIT, etc.)
– Identify potentially material vulnerabilities and cyber-risk factors; conduct a risk assessment (and periodically thereafter)
– Identify and prioritize systems and databases that contain sensitive or protected information; assess whether such information is adequately protected
– Coordinate review with Audit, Compliance, IT, and other relevant departments; report to Board
Cyber Legal Preparedness (continued)
3. Establish a work plan for cybersecurity crisis prevention and management
– No one-size-fits-all approach; focus on remedying vulnerabilities and risks identified by the compliance review
– Develop and maintain policies, procedures, and training (see below)
– Comply with filing disclosures regarding cyber risks and security breaches
– Implement strategies for industry information sharing and government and law enforcement coordination (e.g., ES-ISAC, InfraGard, etc.)
– Consider whether to adopt cybersecurity insurance
– Memorialize Board review and approval; maintain privilege
Cyber Legal Preparedness (continued)
4. Develop and maintain written policies and procedures
– Develop and implement:
  Comprehensive written information security policy
  Incident response plan that covers: containment, government and other required reporting, forensic consultants, PR communications, regulatory and litigation counsel
  Internal and external privacy policies
  Defined cybersecurity roles / responsibilities for users, administrators, and managers
– Vet policies with relevant departments and Board; maintain privilege
– Maintain accountability standards for violations of policies
Cyber Legal Preparedness (continued)
5. Develop and maintain training programs for employees and contractors
6. Deploy appropriate information security safeguards for vendors/service providers, including reporting and due diligence
– Ensure the agreements adequately protect the firm’s cybersecurity interests and provide appropriate indemnification
– Identify data security and reporting requirements imposed upon the firm by contract
– Consider whether auditing is appropriate and/or review vendors for compliance with relevant security standards
Cyber Legal Preparedness (continued)
7. Implement secure technology design
– Implement defense in depth
– Ensure system is capable of effective network-level monitoring; continuously monitor network intrusion detection systems
– Select and implement appropriate encryption standard
– Conduct regular testing and system updates
– Create authentication process to enroll and verify authorized users; employ physical and technical authentication mechanisms
Cyber Legal Preparedness (continued)
8. Identify consulting and other outside resources
– Consider use of computer forensic resources for prevention, detection, and remediation
– Develop protocol and budget for use of legal and PR services
– Identify and pre-engage suitable PR and communications specialists, legal specialists, etc.
– Pre-position credit monitoring, mailing, and call center services
9. Regularly test and update all assessments, safeguards, and protocols
– Keep up with fast-moving changes in technology and security
– Be aware of which practices are standard and which are state of the art
Cyber Legal Preparedness (continued)
10. Monitor and communicate periodic alerts on new and existing threats throughout organization
– ES-ISAC, DHS, etc.
11. Maintain confidentiality
– Classify program controls as highly confidential (or formally classified where appropriate); details not disclosed outside the firm; need-to-know basis internally
Key Cybersecurity Questions To Ask
Do we know what systems, IP assets, trade secrets, account records, and consumer data could be subject to cyber attack?
What past incidents have we experienced? Are our incident response procedures effective and well understood throughout the organization?
Do we have an up-to-date cybersecurity risk assessment in hand? A written information security plan?
Who is responsible for cybersecurity; are there sufficient resources?
Is the Board of Directors adequately focused on cybersecurity; has it established satisfactory internal controls and governance structures?
Key Cybersecurity Questions To Ask (continued)
What do we need to include in our SEC filings on cybersecurity?
Do we know what existing and prospective laws apply to cybersecurity?
Do we know what our contracts say about cybersecurity; do our existing customer / vendor contracts protect us on cybersecurity?
Are we participating in appropriate information sharing?
Who is monitoring NIST developments and best industry practices?
Key Legal Defense To Consumer Class Actions – Standing
Spokeo v. Robins and Article III Standing
– Plaintiff bears the burden of proving standing by demonstrating, among other things, injury in fact. Injury in fact requires a plaintiff to show:
  (1) he/she suffered “an invasion of a legally protected interest” that is
  (2) “concrete and particularized” and
  (3) “actual or imminent, not conjectural or hypothetical”
Key Legal Defense To Consumer Class Actions – Standing
What constitutes a “concrete” injury?
– Under Spokeo, it is “concrete” if it is “‘de facto’; that is,
it must actually exist” rather than being only “abstract”
Key Legal Defense To Consumer Class Actions – Standing
Statutory violation is not enough
– Violation of a privacy statute itself, without proving any additional harm, is not sufficient to prove “concrete injury.”
– Circuits leaning toward this view:
  DC Circuit
  Seventh Circuit
  Eighth Circuit
Key Legal Defense To Consumer Class Actions – Standing
Statutory violation is enough
– Violation of a privacy statute itself, without substantial additional harm, is sufficient to prove intangible, de facto concrete injury.
– Circuits that follow this view:
  Third Circuit
  Sixth Circuit
  Eleventh Circuit
Panelists
Moderator - Kush Desai
– Beachbody, Group Vice President, Legal Affairs, [email protected]
Ed McNicholas
– Sidley Austin LLP, Partner, [email protected]
Amy Lally
– Sidley Austin LLP, Partner, [email protected]
Sidley Austin LLP
1,900 lawyers and 20 offices located in commercial, financial and regulatory centers around the world
Offices: Beijing, Boston, Brussels, Century City, Chicago, Dallas, Geneva, Hong Kong, Houston, London, Los Angeles, Munich, New York, Palo Alto, San Francisco, Shanghai, Singapore, Sydney, Tokyo, Washington, D.C.
13th Annual In-House Counsel Conference
January 17, 2017 (Universal City, CA)
#IHCC17
www.acc.com/chapters/socal/