MARCH MADNESS: EMERGING LEGAL ISSUES AND TRENDS Session 4: 12:00-1:00 Presented by Farella Braun + Martel Title: Prepare, Prevent, Respond: In-House Counsel's Vital Role and Responsibility Regarding Cyber and Information Security Speakers: Tyler Gerking - Partner, Farella Braun + Martel Rick Doten - Chief, Cyber and Information Security, Crumpton Group Jessica Nall - Partner, Farella Braun + Martel



Tyler Gerking represents corporate policyholders in complex, high-stakes insurance matters. He helps clients negotiate favorable policy terms that match their unique risk profiles, shepherds clients through the claim process and pursues breach of contract and bad faith claims against insurance companies. He is chair of Farella's Insurance Recovery Group and co-chair of its Privacy & Cybersecurity Group. Mr. Gerking proactively maximizes the value of his clients’ insurance assets with approaches tailored to their needs and goals. He reviews and negotiates insurance policy terms, particularly in the cyber insurance, technology errors & omissions (Tech E&O) and directors & officers liability (D&O) areas, to ensure his clients buy policies that fit their unique risks as closely as possible before claims arise. Mr. Gerking also seeks to maximize insurance recovery in a variety of claim settings. He pursues cyber, Tech E&O and CGL insurance for data security breaches, product liability litigation, privacy litigation, and intellectual property and other product development disputes; D&O insurance for investigations and litigation involving securities law violation allegations, as well as trade secret misappropriation and investor disputes for private and public companies and venture capital funds; employment practices liability (EPL) insurance for employment-related disputes; and coverage for first-party losses under property and crime insurance policies. Mr. Gerking is well versed in insurers’ defense obligations and assists clients in resolving defense cost issues with their insurance companies. He has extensively litigated issues relating to insurers’ duty to defend and bad faith.

He won a bench trial in California state court against a D&O insurer that breached its duty to defend a securities class action lawsuit and successfully defended the result in the California Court of Appeal.

He won summary judgment in U.S. District Court for a technology company against its insurer for breach of the duty to defend, also establishing that the breach prevented the insurer from compelling arbitration of a billing rate dispute under Cal. Civ. Code section 2860.

He has often persuaded courts to stay insurer-initiated declaratory relief actions while the underlying lawsuits proceed, protecting his clients from having to fight “two-front wars.”

Mr. Gerking is a barrister in the Edward J. McFetridge American Inn of Court, and serves on the board of directors for the Law Center to Prevent Gun Violence and the board of directors for the Boalt Hall Alumni Association, where he has chaired the Boalt Hall Partners in Leadership Campaign. Mr. Gerking is recognized by Chambers USA as an “up and coming” attorney in California in the Insurance Policyholder practice area (2014-2016). He also has been recognized among Super Lawyers' Northern California Rising Stars and Super Lawyers (2010–2016). He received his J.D. from the University of California at Berkeley School of Law in 2002. He was a judicial extern for Magistrate Judge Maria-Elena James of the U.S. District Court for the Northern District of California in San Francisco. He received a B.A. from the University of Montana in 1999. Mr. Gerking is proficient in German and Spanish, and conversant in Farsi-Dari.

TYLER C. GERKING

Partner 415.954.4968 [email protected]


SPEAKER BIO: RICK DOTEN

Rick Doten, Chief, Cyber and Information Security, Crumpton Group, LLC

Mr. Doten leads Crumpton Group’s cyber and information security practice. He brings to CG’s clients over 25 years of experience in the IT industry, the last 18 of which focused specifically on cyber security as the CISO of a multinational corporation and also as a management consultant, performing risk management, risk engineering, ethical hacking, forensics and incident response projects. His work has focused on improving security and privacy for almost every commercial industry, the US Government, and international companies.

Mr. Doten is often cited in leading industry publications and appears on television, commenting on issues relating to cyber security, risk management, and mobile security. He serves on the Intel Corporation Board of Advisors; the Council on Cyber Security, 20 Critical Security Controls Editorial Panel; the CyberMontgomery (Maryland) Advisory Board; and as a Contributor Board Member of the Trusted Computing Group. He holds a patent for Wireless Intrusion Detection technology.

Prior to joining Crumpton Group, Mr. Doten was Vice President, CISO of Digital Management, Inc. In establishing the CISO position, he developed the corporate security architecture and maintained a secure infrastructure while the company tripled in size through acquisitions and organic growth.

At Lockheed Martin, Mr. Doten was Chief Scientist, Center for Cyber Security Innovation and assisted in developing the company’s cyber security business and marketing strategies. He performed due diligence for potential tech company acquisitions and investments, and developed and led training programs for cyber security staff.

While at Verizon Business, Mr. Doten served in several roles in the larger corporation, as well as subsidiaries acquired by Verizon. As Director, Managing Principal, Professional Security Services, he was responsible for the technical management of a team of managers and security professionals in an $8-10 million business line. He also managed a Security Incident Response program and worked closely with the Forensics Team. Prior to that, he was Director, Security Assessments, at NetSec (acquired by MCI and then Verizon), where he reported to the CEO and managed the security assessment team – scoping projects, preparing proposals, and managing a staff of experienced security professionals for both public and private sector clients.

While with SAIC and its subsidiaries, Mr. Doten was a Managing Consultant, Predictive Systems Global Integrity Security Services, where he managed a team of “ethical hackers” to perform vulnerability assessments and provided project management for large financial and health care clients.

Mr. Doten is CISSP Certified and has IAPP Privacy Training. He earned his BA in English from Flagler College.


Jessica Nall leads Farella Braun + Martel's well-regarded White Collar Crime and Corporate Investigations practice. Ms. Nall has extensive experience in the area of internal corporate investigations, having conducted dozens of investigations for corporate entities (both public and private, large and small) across a wide range of industries. She brings a combination of this varied experience and innate creativity to each investigation, assisting clients with key issues like scoping, conducting, and defending the credibility of investigation findings. She has a strong grasp of the subtleties of communication required in diverse and multi-cultural environments, allowing her to achieve effective and time-efficient results in internal investigations.

Ms. Nall is a dedicated advocate for individual executives and entities facing regulatory and criminal investigations and prosecutions brought by federal enforcement entities including the SEC, DOJ, and California Attorney General's Office, and related complex civil litigation. She is especially accomplished in defending individuals (including Korean and Japanese nationals) in DOJ criminal antitrust investigations and prosecutions. Ms. Nall has developed significant sub-specialties in the areas of health care fraud defense, environmental criminal defense, and federal cannabis defense.

Among other bar committees and initiatives, Ms. Nall co-chairs the ABA White Collar Committee for the Northern District of California, serves as vice-chair of the ABA White Collar Women Committee, and is a founding member and City Leader of the San Francisco Bay Area White Collar Women Association, a professional support and networking organization for female white collar defense attorneys. In 2015, Ms. Nall was appointed to the prestigious Criminal Justice Act Panel for the Northern District of California and defends federal criminal cases appointed by that court.

Ms. Nall was named among the “Top 40 Under 40” lawyers by the San Francisco Business Times (2013), the "Women Leaders in Law" in California by The Recorder (2012) and as one of the "Top 20 Under 40" attorneys in California by the Daily Journal (2010). She has been listed by Super Lawyers in both the Northern California Rising Stars (2009 - 2012) and Northern California Super Lawyers (2013-2016) in the area of White Collar Crime.

Ms. Nall earned her J.D. from Harvard Law School in 2001, where she was correspondence editor and articles editor for Harvard Women’s Law Journal and president of the Harvard Law Quilter’s Society. She received a B.A., with highest honors, from the University of California at Berkeley in 1998, where she was the valedictorian of the Legal Studies Department and a member of Phi Beta Kappa.

JESSICA K. NALL

Partner 415.954.4468 [email protected]


Notable Experience:

Criminal Defense Individual Representations

• U.S. v. Moynihan: Representing defendant in mortgage fraud and money laundering prosecution by U.S. Attorney’s Office in Northern District of California. Negotiated a favorable sentence.

• U.S. v. Abrams: Representing former CFO in U.S. DOJ prosecution and parallel SEC case relating to alleged backdating of stock option grants and tax evasion counts. Though she faced a potential sentence of up to six years, Ms. Abrams ultimately received a much more favorable sentence of only four months in custody.

• U.S. v. Anderson: Represented a former metals-refinery executive in a prosecution by the U.S. Attorney’s Office in Knoxville, Tennessee and the DOJ’s Washington, D.C. Environment and Natural Resources Division, for alleged violations of the Clean Air Act. Negotiated a favorable sentence involving no incarceration.

Internal Investigations:

• NASDAQ-traded Silicon Valley Software Company Internal Investigation: Representing a NASDAQ-traded Silicon Valley Software Company’s Audit Committee in a three-month investigation regarding accounting issues and related SEC informal inquiry. Ms. Nall handled interviews of more than fifty employees, management, and executives on three continents to assist the Audit Committee in understanding and addressing whistleblower allegations regarding financial reporting.

• Solar Company Internal Investigation: Hired as investigation counsel to a large California solar corporation regarding whistleblower allegations regarding potential environmental crimes. Ms. Nall composed and executed a unique strategy to uncover potential issues and in the process interviewed more than thirty employees and management of a company contractor. Based on her review, the client was able to make appropriate personnel changes and institute new compliance procedures to prevent future issues.

• Private Technology Company Financial Statements SEC Investigation: Represented a large private technology company (public company merger target) to conduct internal investigation regarding accuracy of financial statements. Ms. Nall led the investigation, which uncovered issues in the handling of Marketing Development Funds (MDF), and handled the company’s response to the follow-on informal SEC inquiry. Based on Ms. Nall’s review, the client made appropriate personnel and procedural changes and received a “no action” letter when the SEC closed its informal investigation.

• Large Public Corporation Internal Investigation: Hired to act as independent counsel to a large public corporation’s Board of Directors in an internal investigation of matters at issue in a shareholder derivative lawsuit against the corporation, including alleged False Claims Act violations.

Antitrust

• Auto Parts Investigations: Representing several individuals in the ongoing antitrust investigations into alleged collusion in the auto parts industry.

• U.S. v. Yang: Represented Korean national, Woo Jin Yang of HLDS in U.S. DOJ antitrust price-fixing investigation and prosecution in the Optical Disk Drives industry. Mr. Yang was recently sentenced to six months imprisonment, the lowest sentence of any alleged cartel participant in the investigation.

• California Real Estate Antitrust Investigation (corporate representation): Represented a California real estate investment company in investigation regarding alleged collusion in the area of foreclosure auctions.


• Freight Forwarding Antitrust Investigation (individual representation): In a price-fixing case against a Japanese national airline executive related to the airline’s freight forwarding business, Ms. Nall helped convince the DOJ Antitrust Office in Washington, D.C. that the client, initially faced with indictment in the investigation, was more appropriately a witness, and secured a complete victory with no prosecution.

• CRT Antitrust Investigation (individual representation): In a price-fixing case against a Korean national Samsung executive related to its CRT products, Ms. Nall helped convince the DOJ that the client, initially considered a carve-out in the investigation, was more appropriately a witness, and secured a complete victory with no prosecution.

• LCD Antitrust Investigation (individual representation): In a price-fixing case against a Japanese national Hitachi executive related to its LCD products, Ms. Nall helped convince the DOJ that her client, initially considered a target of the investigation, was more appropriately a witness, and secured a complete victory with no prosecution.

• In re DOJ Antitrust Subpoena: Representing public agency in internal investigation and response to subpoena from U.S. DOJ Antitrust Division in relation to alleged collusion in municipal bond issuance.

• SRAM Antitrust Investigation (individual representation): Successfully represented an executive with a U.S. semiconductor company, Cypress, in a DOJ Antitrust Division criminal investigation for alleged price-fixing in the SRAM industry in violation of the Sherman Act, Section 1. Successful negotiations with the DOJ cleared the client, resulting in no prosecution.

• Marine Wire and Harness Antitrust Investigation (individual representation): Represented a Bay Area business owner in a bid-rigging and kick-backs investigation by the DOJ Antitrust Office in Washington, D.C. Though the executive faced potentially several years in prison, helped negotiate a non-incarceration sentence of only four months.

• U.S. v. Sun Woo Lee: Represented a high-level Korean national executive at Samsung in one of the first in a recent spate of prosecutions by the DOJ Antitrust Division for violation of the Sherman Antitrust Act, Section 1, through participation in an alleged cartel conspiracy to fix prices for DRAM semiconductors sold in the United States.

Securities and Exchange Commission Investigations/Enforcement Actions

• Individual Representation in SEC Insider Trading Investigation: Representing public company general counsel in SEC investigation regarding potential insider trading by former outside counsel to public company.

• Public Corporation Insider Trading SEC Investigation: Representing a green energy public company with respect to an SEC investigation into possible insider trading by executives.

• Private Company Insider Trading SEC Investigation: Represented a large private medical insurance company in an SEC investigation into potential insider trading by executives of a recently acquired public company.

• In Re Insider Trading Investigation by U.S. Attorney in New York: Representing hedge fund manager in insider trading investigation by U.S. Attorney in New York.

• SEC Investigation re: Quantitative Analysis Fund: Represented individual in SEC investigation into potential wrongdoing by hedge fund including failure to disclose errors in quantitative analysis model. Successfully negotiated with the SEC that the client be viewed as a witness and not a target of the investigation.


• SEC Investigation re: Penny Stock Trading: In regard to an alleged insider trading lawsuit against a participant in several penny stock investment vehicles, successfully negotiated with the SEC that the client be viewed as a witness and not a target of the investigation.

California Code Enforcement Defense

• People v. Pellarin Construction: Represented construction company in alleged disposal of toxic chemicals enforcement case brought by San Mateo District Attorney; negotiated favorable settlement.

• County of Napa v. JEP, LLC: Representing a Napa County land owner in code violations enforcement action brought by County of Napa. Negotiated a favorable settlement for client.

• People v. MJA Vineyards, LLC: Representing a Napa vineyard owner in code violations case for building wine cave without a permit. Negotiated a favorable civil settlement and avoided criminal charges.

• People v. Club Holdings LLC: Representing a Colorado corporation in code violations enforcement action brought by Napa County District Attorney. Negotiated a favorable settlement with the district attorney.

Immigration Fraud Investigations

• Silicon Valley Software Company Immigration Fraud Investigation: Representing Silicon Valley private software company in ongoing federal investigation regarding alleged H-1 visa fraud.

• SEC Immigration Fraud Investigation: Representing immigration attorney in ongoing SEC Investigation regarding EB-5 visa promotions.


Rick Doten, Chief of Cyber and Information Security, Crumpton Group LLC

Jessica Nall, Chair of White Collar Crime Group, Farella Braun + Martel LLP

Tyler Gerking, Chair of Insurance Recovery Group, Farella Braun + Martel LLP

MARCH 24TH, 2017

Prepare, Prevent, Respond: In-House Counsel’s Vital Role and Responsibility Regarding Cyber and Information Security


Teamwork in cyber risk management

• Cyber and information security must involve members of various divisions of the company (e.g., IT, legal, finance, public relations)

• In-house counsel must play key roles in cyber security planning and event response

• Effective communication is vital


Trends demanding effective cross-functional teams

• Emerging cyber and information security threats, risks and trends

• Specific risks tied to high-profile executive leadership


TECHNOLOGY IS THE EASY PART

© Crumpton Group LLC

Risk Management

If your organization is focusing more on buying security tools, and is pushing back on developing policies, procedures and standards, tracking assets, and maintaining constancy in their process, then you will have challenges.

Tools support a process; make sure your IT team is doing the basics well before focusing on chasing the latest “threat of the week.”

In IT security, being compliant does not mean you are secure. Compliance is just one risk to manage; the IT team should be aligned with business risks, not aiming to “check boxes.”


IT RISK MANAGEMENT IS ABOUT PROTECTING THE BUSINESS, NOT IT


Need For IT Governance

IT Governance is critical because it connects Business Management with IT leadership, to socialize business risks, and establish priorities.

Technical people don’t make business decisions; they provide information on threats, their likelihood and perceived impact. Management decides true business impact, and chooses whether to Accept, Mitigate, or Transfer Risks.

IT Risk Management is a Journey, not a Destination. Technology changes, and threats and threat actors change continuously. What worked last year, or even 6 months ago, might not be effective today.


POTENTIAL PRIVACY ISSUES YOUR IT DEPARTMENT MIGHT NOT REALIZE


Privacy

IT departments struggle to understand Privacy. IT often considers privacy the same as Confidentiality. It’s important as In-House Counsel that you educate them on what data needs to be protected by privacy regulations.

There are many IT tools that collect and store every piece of data passing through the network, can view all data on every computer, read every email, track mobile devices, and know what applications are installed on those devices. IT needs to understand Privacy implications of these tools.

The Center for Information Security (CIS) cisecurity.org has new guidance to help bring together IT and in-house counsel to understand technical privacy issues: https://www.cisecurity.org/critical-controls/documents/Privacy%20Implications%20Guide%20for%20the%20CIS%20Critical%20Security%20Controls%2001052017%20with%20acknowledgments%20v1.3.pdf


Ensure in-house counsel’s seat at the table

• Ensure in-house counsel’s voice in cyber and information security planning.

• Define a cross-functional team and effective reporting structures, particularly to ensure that the information security team can communicate efficiently and directly with the in-house legal team.

• Involve and communicate with the board and management


Understand and manage cyber risks

• Thoroughly understand and prioritize risks

• Ensure and demonstrate compliance with evolving statutory, regulatory, contractual and industry requirements and standards

• Documentation, documentation, documentation

• Practice, improve, practice


Transfer cyber risks

• Insurance

    • Cyber insurance policies

    • “Silent” cyber coverage in “traditional” policies

• Coverages

    • Response expenses

    • Cyber extortion

    • Business interruption

    • Defense and indemnification of claims


Key cyber insurance issues

• Insurer notice and consent

• Choice of counsel

• Regulatory investigations and actions

• PCI-DSS assessments

• Property damage and bodily injury

• Contingent business interruption

• Social engineering losses


Contact Information

Tyler Gerking

415.954.4968

[email protected]

www.fbm.com

Jessica Nall

415.954.4468

[email protected]

www.fbm.com

Rick Doten

703.906.1818

[email protected]

www.crumptongroup.com
