Attorney Session: Sources of Data Breach Liability
Presented to: Georgia Hospital Association
December 7, 2017
Presented by: Larry H. Kunin, Morris, Manning & Martin, LLP




Today’s Presenter

Larry H. Kunin
Partner & Chair, Data Protection & Breach Practice
Partner, Technology Dispute
Morris, Manning & Martin, LLP
Direct: [email protected]


Data Breaches Are Increasing

“Not if, but when… and how.”

• Average cost is $4 million per breach.

• Average cost per stolen record is $158.

• Guidance follows this position.

• Given the magnitude of the issue, hospital brands are paying attention.

• Expect to see additional requirements for compliance efforts.


Who Is Being Impacted…and How

Affected Entity / Type of Breach / Result and Obligations

Anthem
  Type of breach: Medical records
  Result/obligations: $115 Million Settlement

Systema (AWS)
  Type of breach: 1.5 Million, mostly Kansas, medical records

Millennium Hotels
  Type of breach: Hacked food-and-beverage POS at 14 hotels.

Wyndham
  Type of breach: Hacked multiple times.
  • 2008: hacked property management through local hotels
  • March 2009: compromised service provider’s administrator account in Wyndham data center
  • Late 2009: compromised administrator account
  Result/obligations:
  • Millions of dollars in fraud losses
  • Litigation
  • Consumer notices
  • Consumer credit monitoring
  • FTC!!!

Orient Express
  Type of breach: Unauthorized access to 7 corporate email accounts with payment card data
  Result/obligations:
  • Notices to State AG
  • Notices to consumers
  • Notice of available Credit Check service

Target
  Type of breach: Hackers stole credentials of an HVAC contractor
  Result/obligations:
  • Executive resignation
  • Consumer notification
  • Consumer credit monitoring
  • Litigation


Types of Data Breaches

• Online hacking/malware
• Misconfigured databases
• Intercepting data transmissions
• Lost/stolen equipment
• Accidental disclosure
• Storage media, etc.
• “White hat” hackers
• Phishing


Where Does Threat of Liability Come From?

• Department of Health & Human Services (HIPAA)
• Individual victims, including class actions
• FTC
• SEC
• Banks and their regulators
• State regulators
• Investors
• Contract parties/card processors


Officer/Director/Manager Liability

• Officers/Directors have fiduciary duty to monitor cybersecurity risks.

• Directors can face personal liability by failing to report issues, or consciously failing to monitor systems and controls.

• Risks often arise not in company’s systems, but in vendor systems. Board should make sure entire ecosystem is reviewed.

• Directors should (i) regularly review cybersecurity protocols; (ii) review assessments of the cybersecurity program; (iii) get regular reports from senior management; (iv) ensure that annual tests are conducted; (v) review insurance coverage; (vi) keep minutes on these issues.

• SEC is getting more active with review of cybersecurity disclosures, at least with regard to public companies.


Why Should You Care About Data Breaches and PCI Compliance?

• Lost business

• Reputational damage (unflattering Sony emails disclosed)

• Loss of right to accept credit cards!

• FTC enforcement action – Wyndham decision
  • “unfair”
  • Privacy policy

• HHS enforcement action

• M&A risk


Why Should You Care About Data Breaches and PCI Compliance?

• Cost of forensic audit
• Cost of remediation
• Cost of notices
• Contract costs
• Fines and penalties
  • HIPAA
  • State administrative agencies
  • FTC/SEC


Data Types and Related Liability

• Electronic personally identifiable information is subject to:
  • A patchwork of federal and state legislation
  • Layers of liability based on the type of data
    • Payment card information
    • Consumer personally identifiable information
    • Individual health information (HIPAA)
    • Other non-public personal information

• State notification requirements are based on residency – challenging for your industry.

• PCI focuses on credit cards – other payment transactions, such as ACH & debit, have additional regulatory overlay.


What is Personally Identifiable Information?

• Name

• Address

• Telephone number

• Email address

• Credit card information

• Bank account information

• Government-issued identification number (social security number)

• Credit history

• Medical records

• Similar information that is not publicly available

Note: requirements may change per each state’s definition


What is PCI?

• Payment Card Industry

• It is NOT law, but required by contract

• PCI Security Standards Council

• PCI Data Security Standard (PCI-DSS)


PCI DSS 3.2 – Overview of Requirements

• Make security “business as usual.”
• Build and maintain a secure network and systems. Be password-smart.
• Protect/encrypt data.
• Protect systems against malware; apply regular anti-virus updates.
• Regularly monitor and test networks.
• Maintain an information security policy.
• Maintain instructional documentation and training programs.


Basic Steps to Improve Security

• Provide secure authentication features.

• Log payment application activity.

• Log Medical record activity.

• Develop secure payment applications.

• Protect wireless transmissions.

• Test payment and medical record applications to address vulnerabilities.

• Facilitate secure network implementation.


Basic Steps to Improve Security

• Do not store cardholder data on a server connected to the internet.

• Facilitate secure remote software updates.

• Facilitate secure remote access to payment application.

• Encrypt sensitive traffic over public networks.

• Encrypt all non-console administrative access.

• Employee training and workflow procedures.

• Minimize the “stupid” moment.


Common Risk Points

• Incorrectly configured software

• Shared or weak passwords

• Insecure computer servers

• Information residing on unprotected mobile devices

• Insecure wi-fi access points

• Untrained employees

• Poor destruction/disposal procedures


Becoming PCI Compliant (and Generally Secure)

• Acceptable Use Policy
  • Use of company computer systems designed to protect from compromise of network systems and services
  • Mobile device policy
  • Obligation to report suspected tampering or unauthorized access

• Operational Policies
  • Data retention and storage: what are you keeping, is it necessary for your business, how long are you storing it, and in what formats; storage, control and disposal of media; data destruction policy
  • Credit Card and Medical Record Handling Discipline Policy
  • Incident Response Plan (“IRP”) (IT infrastructure vs. field incident response)

• Train employees based on role. POS personnel: new hire & annual training


How is Breach Discovered?

• Notice from vendor

• Notice from bank

• Notice from patient

• Notice from Secret Service

• Common Point of Purchase Analysis

• IT red flags/alarms

• Suspicion and investigation
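Common point of purchase analysis, listed above as one way a breach comes to light, is the issuer-side technique of working backward from a cluster of fraud-reported cards to the merchant they all share: if nearly every compromised card transacted at the same location during the same window, that location is the likely point of compromise, and the merchant often first hears of it through the bank notice also listed above. The following is an added illustration and is not part of the presentation; the transaction records, card ids, merchant names and the exposure window are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for this example (not from the presentation).
# Each transaction is (card_id, merchant_id, transaction_date).
TRANSACTIONS = [
    # A hotel food-and-beverage POS seen by every fraud-reported card
    ("card-01", "hotel-pos-14", date(2017, 9, 2)),
    ("card-02", "hotel-pos-14", date(2017, 9, 3)),
    ("card-03", "hotel-pos-14", date(2017, 9, 5)),
    ("card-04", "hotel-pos-14", date(2017, 9, 9)),
    ("card-05", "hotel-pos-14", date(2017, 9, 9)),
    # A large grocer that many cards, fraud-reported or not, also visited
    ("card-01", "grocery-big", date(2017, 8, 20)),
    ("card-02", "grocery-big", date(2017, 8, 22)),
    ("card-03", "grocery-big", date(2017, 9, 1)),
    ("card-04", "grocery-big", date(2017, 7, 1)),   # outside the exposure window
    ("card-05", "grocery-big", date(2017, 8, 25)),
    ("card-06", "grocery-big", date(2017, 8, 26)),
    ("card-07", "grocery-big", date(2017, 9, 4)),
    ("card-08", "grocery-big", date(2017, 9, 6)),
    ("card-09", "grocery-big", date(2017, 9, 7)),
    # Low-volume merchants that must not be flagged on a single coincidental purchase
    ("card-02", "gas-corner", date(2017, 9, 10)),
    ("card-10", "gas-corner", date(2017, 9, 11)),
    ("card-06", "coffee-shop", date(2017, 9, 12)),
    ("card-07", "coffee-shop", date(2017, 9, 12)),
    ("card-08", "coffee-shop", date(2017, 9, 13)),
]

# Cards on which the issuer has confirmed fraudulent charges (constructed).
FRAUD_CARDS = {"card-01", "card-02", "card-03", "card-04"}


def common_point_of_purchase(transactions, fraud_cards, window_start, window_end,
                             min_fraud_cards=3):
    """Rank merchants by how strongly they are shared by the fraud-reported cards.

    For each merchant seen inside the exposure window, compute:
      fraud_cards_seen - number of fraud-reported cards that transacted there
      coverage         - fraction of all fraud-reported cards that transacted there
      lift             - fraud rate among this merchant's cards divided by the
                         fraud rate across the whole card population
    Merchants seen by fewer than min_fraud_cards fraud-reported cards are
    dropped, so one coincidental purchase does not implicate a merchant.
    """
    cards_at_merchant = defaultdict(set)
    for card_id, merchant_id, when in transactions:
        if window_start <= when <= window_end:
            cards_at_merchant[merchant_id].add(card_id)

    # Baseline is taken over the whole card population, not just the window.
    all_cards = {card_id for card_id, _, _ in transactions}
    baseline_fraud_rate = len(fraud_cards) / len(all_cards)

    ranked = []
    for merchant_id, cards in cards_at_merchant.items():
        hits = cards & fraud_cards
        if len(hits) < min_fraud_cards:
            continue
        fraud_rate_here = len(hits) / len(cards)
        ranked.append({
            "merchant": merchant_id,
            "fraud_cards_seen": len(hits),
            "coverage": len(hits) / len(fraud_cards),
            "lift": fraud_rate_here / baseline_fraud_rate,
        })
    # Highest coverage first; lift breaks ties between equally covered merchants.
    ranked.sort(key=lambda r: (r["coverage"], r["lift"]), reverse=True)
    return ranked


def example_ranking():
    """Run the analysis over the constructed data with an Aug-Sep 2017 exposure window."""
    return common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS,
                                    date(2017, 8, 1), date(2017, 9, 30))


if __name__ == "__main__":
    for row in example_ranking():
        print(f'{row["merchant"]:<14} fraud cards seen={row["fraud_cards_seen"]} '
              f'coverage={row["coverage"]:.2f} lift={row["lift"]:.2f}')
```

On the constructed data the hotel POS is seen by all four fraud-reported cards and has twice the population fraud rate, so it ranks first; the grocer is visited by most of the same cards but also by many clean ones, so its lift stays near 1 and it reads as a popular merchant rather than a compromise point. The minimum-card threshold and the exposure window are the two knobs an analyst tunes to keep coincidences from surfacing as findings.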


Security Incident Response Plan (IRP)

• IRP first steps include:
  • Incident Response Team. At least call legal to establish privilege.
  • Contact insurance carrier, including addressing action plan.
    • NOTE: Cyber coverage may not be the same as E&O.
  • Contact the FBI or other law enforcement.
  • Contact bank/processor/card brands.
  • Initiate internal investigation into: cause, source, cure, data affected, persons affected, third parties.
    • Source of breach may be with vendor/management company.


Security Incident Response Plan (IRP)

• Call your lawyer – determine if notification requirements are triggered (either in contract or under law).
  • Notice under HIPAA
  • Notice to state administrative agencies.
  • Notice to potentially affected persons.
    • States differ, including process and content.

• Contact public relations agency to manage media message as appropriate.

• Follow procedures to preserve electronic evidence.


Data Breach Event – Statutory Notices

• 47 States have breach laws – not consistent
  • Apply to unencrypted data
  • Apply to different entities (i.e. Georgia law applies only to entities that maintain data for third parties)

• Timing is usually as soon as reasonable, allowing time for investigation (Minnesota requires 48 hours!)

• 14 States require notice to various state agencies
  • Content of notice varies and may conflict
  • Fines
  • Think about paying a third party to handle notice and provide credit monitoring.


Data Breach Event – Contract Notices

• Credit Card Processors/Banks
  • Processing contracts have notice requirements in the event of data breach
  • Hefty fines in the event of failure to give notice
  • Liability may exist even with notice, but failure to give notice is worse

• Managers (and vice versa).

• Vendors (and vice versa).


Data Breach Event – HIPAA Notices

• Individuals
  • US Mail, or email if permission obtained, without delay or at least within 60 days.
  • Describe the breach and type of information involved
  • Permitted to delegate to business associate

• Media: if more than 500 affected in any state

• Secretary: > 500 people, reasonable time; < 500, annually

• Fines range from $100/violation to $50,000/violation.


Operational Contract Issues

• Review existing contracts

• Prepare standard provisions for third party vendors/business associates

• Include Reps & Warranties and Indemnification for security compliance


Vendor/Business Associate Management

• Due diligence/security questionnaire or prescribed minimum security requirements for all vendors.

• Confirmation of on-going security compliance.

• Annual questionnaire

• Onsite audits

• Subcontractors must be subject to security compliance obligations.

• Contractual allocation of risk.

• Reps and Warranties


Thank You

Please contact our presenters with any questions about today’s presentation.

Lawrence H. Kunin
Partner & Co-Chair, Data Protection & Breach Practice
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: [email protected]


Disclaimer

The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to constitute legal advice.

Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients.

The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP.

This document is Copyright ©2014 Morris, Manning & Martin, LLP. All rights reserved worldwide.