
Cyber Security and Data Privacy: Views on Article III Standing LIVE Webcast

As cyber security and data privacy concerns continue to evolve, security experts must keep themselves up to date to combat increasingly sophisticated threats and protect their firms and clients. In a two-hour LIVE webcast, a panel of distinguished professionals will address significant issues that will shape cyber security and data privacy in 2014, along with practical guidance. Our speakers will address the following key issues:

Article III Standing
Latest theories of liability arising out of data breaches and claims of invasion of privacy
Issues surrounding cyber security and data privacy
Best practices to counteract cyber security and data privacy threats
Latest regulatory updates


To view the webcast go to this link: http://youtu.be/Kkyieu9njdw


To learn more about the webcast please visit our website: http://theknowledgegroup.org

Published in: Education, Technology

Transcript

  • 1. June 25, 2014 1 Thank you for logging into today’s event. Please note we are in standby mode. All Microphones will be muted until the event starts. We will be back with speaker instructions @ 11:55am. Any Questions? Please email: Info@knowledgecongress.org Group Registration Policy Please note ALL participants must be registered or they will not be able to access the event. If you have more than one person from your company attending, you must fill out the group registration form. We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events. To obtain a group registration please send a note to info@knowledgecongress.org or call 646.202.9344. Presented By: Partner Firms: Speaker Firms and Organization: Proofpoint, Inc. Patrick Wheeler Director of Data Privacy & Encryption Quarles & Brady LLP Bradley Vynalek Partner Perkins Coie LLP Amelia M. Gerlicher Counsel
  • 6. Partner Firms:
      • Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving and governance, and secure communications. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information. More information is available at www.proofpoint.com.
      • Quarles & Brady LLP exists to help our clients succeed. An area of particular focus for the firm is data privacy and security where our multi-disciplinary team of lawyers helps businesses understand the laws and take steps to protect themselves by successfully developing, implementing, and maintaining comprehensive privacy and security compliance programs. Our clients include major national and multinational corporations, high-tech companies, educational and research institutions, municipalities and government agencies, charitable organizations, industry executives and high-net-worth individuals. Founded in 1892, Quarles & Brady is a multidisciplinary, cross-office legal services provider with more than 450 attorneys practicing at the top of the profession in Chicago, Illinois; Milwaukee and Madison, Wisconsin; Indianapolis, Indiana; Naples and Tampa, Florida; Phoenix and Tucson, Arizona; and Washington, D.C.
  • 7. Partner Firms:
      • Perkins Coie has more than 950 lawyers in 19 offices across the United States and Asia. We provide a full array of corporate, commercial litigation and intellectual property legal services to a broad range of clients, from FORTUNE 50 corporations to small, independent start-ups, as well as public and not-for-profit organizations. Perkins Coie’s Privacy & Security group represents some of the world’s leading Internet companies, wired and wireless communications providers, brick-and-mortar retailers and emerging online businesses on issues including: Product and General Privacy and Security Counseling; Electronic Surveillance and User Information Requests; Online and Mobile Advertising; Privacy Reviews, Assessments and Data Transfers; Network Intrusions and Data Breaches; Privacy Litigation and Regulatory Investigations; and Cyber Enforcement.
  • 8. Brief Speaker Bios:
      • Patrick Wheeler: Over almost fifteen years in information security at industry leaders, Patrick Wheeler has held roles in Product Management and Product Marketing for a wide range of enterprise solutions, including network and endpoint security, vulnerability management, data loss prevention and mobile.
      • Bradley Vynalek: Brad Vynalek is a partner in Quarles & Brady's Commercial Litigation Group. He works with financial service, banking, high tech, internet, software, manufacturing, e-commerce, health care, start-up, and tech transfer clients. Most recently, he created and moderated a privacy/cyber security panel presentation for the Arizona Bankers Association, was a panelist for “Cloud: Technology to Grow Your Business” (Phoenix Bus. Journal), and presenter of "The Hidden Side of Technology" (Trans-West/CloudNet/AZ Tech Council). Within the firm, Brad holds national roles ranging from client service team leader to national strategy partner.
  • 9. Brief Speaker Bios:
      • Amelia M. Gerlicher: Amelia Gerlicher, Counsel at Perkins Coie LLP, assists clients in addressing issues arising from their possession of personal data, from its collection and use through the aftermath of security breach incidents. A member of the firm’s Privacy & Security group, her privacy-related litigation experience includes actions arising from a variety of online activity, brought under the federal Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and state privacy laws. She also works with clients on consumer protection, intellectual property and contract issues arising from a wide variety of online activities, including defending clients against illegal malicious behavior that interferes with their websites.
      • For more information about the speakers, you can visit: http://theknowledgegroup.org/event_name/cyber-security-and-data-privacy-views-on-article-iii-standing-live-webcast/
  • 11. Featured Speakers:
      • SEGMENT 1: Patrick Wheeler, Director of Data Privacy & Encryption, Proofpoint, Inc.
      • SEGMENT 2: Bradley Vynalek, Partner, Quarles & Brady LLP
      • SEGMENT 3: Amelia M. Gerlicher, Counsel, Perkins Coie LLP
  • 12. SEGMENT 1: Patrick Wheeler, Director of Data Privacy & Encryption, Proofpoint, Inc. Introduction: Over almost fifteen years in information security at industry leaders, Patrick Wheeler has held roles in Product Management and Product Marketing for a wide range of enterprise solutions, including network and endpoint security, vulnerability management, data loss prevention and mobile.
  • 14. Regulations Are Having Broad Impact: Regulation of sensitive information is required in many cases. Source: ESG Research, Ferris Research
  • 15. Data Breaches Continue
  • 16. Multiple Drivers for Data Privacy
      • Mobility & “cloudization” of data are inevitable
      • Controlling this data in transit is critical to managing risk
      • Data Risks are Multiplying:
          - Personally owned devices that can be remotely wiped in BYOD situations [2]: 24%
          - Data breaches on data hosted externally (in cloud environments) in 2012 [3]: 26%
          - Enterprises with users that use G-Docs & Dropbox-like services without IT blessing [1]: 44%
      • Sources: 1, 2: Osterman Report 2012 - Why Securing Communications and Content is a Critical Best Practice; 3: Verizon 2012 Breach Report
  • 17. How Do Breaches Occur?
      • Email Communication is crucial for conducting business
      • Email Security is crucial for maintaining business
      • Mistakes Happen:
          - Enterprises impacted by improper exposure of data [2]: 35%
          - Breaches from actions by insiders & insider devices [1]: 58%
          - Sensitive data exposed through email; Email #1 inadvertent risk vector [3]: 70%
      • Sources: 1. Forrester - Understand The State Of Data Security And Privacy: 2012 To 2013; 2. Proofpoint Survey 2011 - Outbound Email and Data Loss Prevention in Today’s Enterprise; 3. ESG Research, Ferris Research
  • 18. Evolving Regulatory Landscape
      • Gramm-Leach-Bliley Act: Requires financial institutions to explain their data-sharing practices to customers and to safeguard sensitive data.
      • FACTA: Measures to prevent identity theft and make improvements in the usage and management of consumer credit records.
      • FINRA: Regulates virtually every aspect of the securities business & fines where necessary.
      • HIPAA/HITECH: Provisions for privacy & security concerns associated with electronic transmission of health information and record management.
      • FERPA: Protects privacy of education records and applies to all schools receiving funding from the U.S. Dept of Ed.
      • Massachusetts Data Privacy Law: Prescriptive standards for the protection of resident personal information.
      • Nevada Senate Bill 227: Encryption mandates for Nevada state entities managing customer and non-customer personal data.
      • Data proliferation and consumerization of IT grows
      • Regulation and Enforcement will continue to evolve as well
      • Compliance Gets Tougher:
          - Enterprises that are concerned that stricter regulations will drive increased litigation [1]: 30%
          - HIPAA violation complaints investigated by Office of Civil Rights [2]: 47%
          - Percent of US states that now have a data breach and notification law: 94%
      • Sources: 1. US Enterprises - Fulbright & Jaworski, 8th Annual Litigation Trends Report/Survey; 2. HHS.gov 2012
  • 19. Data Is Everywhere, Control Is Difficult
      • Key Partners Challenges:
          - 44x growth projected over next 10 years (Source: IDC)
          - Social, IM, Mobile, Files, SharePoint
          - Keep everything, search for it later
      • [Diagram labels: Mobile Users, Partners, The Enterprise, Customers, File Stores, Mail Servers, Internet]
  • 20. Tool Time: Where, What and How to Enforce
      • Data in Motion
          - Where to monitor: Network
          - What to monitor: Email; Web; IM & Social; File sync & sharing; Collaboration
          - Enforcement tools: Mail encryption; Network and messaging DLP; Social media DLP and archiving
      • Data in Use
          - Where to monitor: Endpoint
          - What to monitor: PC; USB drives; CD/DVD; Smartphones & tablets; External HDD; Printing
          - Enforcement tools: Endpoint and removable media encryption
      • Data at Rest
          - Where to monitor: Discovery
          - What to monitor: Mail archives; Mobile; Databases; Network shares
          - Enforcement tools: Content discovery (network-based, agent-based)
  • 21. Enterprises Still Challenged: Why isn’t everyone using encryption and DLP today?
      • Complex
          - Two words: “key management”
          - Solutions often part of larger, complicated and mostly unused encryption suite
      • Inaccurate
          - User-driven client-based email encryption circumvented network DLP controls
          - Error-prone and inconsistent
      • Avoided!
          - Required change in user behavior for email
          - Poor experience for sender and recipient, and source of constant frustration
  • 22. Email Encryption: Low-Hanging Fruit?
      • Email is a Business Enabler: ubiquitous and mission-critical to communication
      • Over 70% of intellectual property can be found in the email system
      • Greatest risk, usually from unintentional sending of sensitive information
      • [Chart labels: Memos, File systems, DBs, Other email]
  • 23. The Ideal Solution
      • Easy to set up and administer
      • Accurate for sensitive content identification
      • Transparent with no reason to avoid using
      • Easy. Accurate. Transparent. Enable Communication, Maintain Security & Compliance
  • 24. Best Practice #1: Automated Policy Enforcement
      • End users should not be trusted with policy enforcement nor bothered by key management
      • Automated action is critical and depends upon data identification technology capable of minimizing false positives
      • Auditing and disposition for violations caught must be efficient to save administration time
  • 25. Best Practice #2: Ongoing Message Control
      • Messages that are sensitive may benefit from auto-expiration of access
          - Reduces risk exposure and unknowns
      • Encrypted messages must be revocable On-Demand if required
          - Protects against changing scenarios and roles
          - Should be revocable at user and message level to offer options on granularity
  • 26. Best Practice #3: Must Support Mobile Experience
      • One-Click Access to Encrypted Messages on Mobile
          - Should not require forwarding an email
          - Should not cause loss of security
      • Must be cross-platform
          - Frustration in user experience will cause lack of adoption
  • 27. Information Governance: Where Do You Begin?
      • Defensibly Dispose the ROT
      • Control High Value Content
      • Enterprise Archive
          - Retention according to policy
          - Securely manage legal holds
      • Enterprise Governance
          - Preserve documents for eDiscovery or records mgmt
          - Classify, track, monitor content via DigitalThread™
          - Enable document disposition
          - Impact storage volume/cost
      • [Diagram labels: On Legal Hold, Has Business Value, Legally Obligated to Keep; Outdated, Transitory, Redundant]
  • 28. Enterprise Governance Use Case: Regulated Industries
      • [Diagram steps: 1. File Created (.xyz); 2. Classification Applied (Private, M&A, General); 3. Files Tracked; 4. Governance Applied; 5. Report & Analyze]
      • Govern information in place
      • Retention schedule: Billings: 10 years; General: 2 years
      • Move records to RM system
  • 29. Proofpoint Portfolio of Services
  • 30. SEGMENT 2: Bradley Vynalek, Partner, Quarles & Brady LLP. Introduction: Brad Vynalek is a partner in Quarles & Brady's Commercial Litigation Group. He works with financial service, banking, high tech, internet, software, manufacturing, e-commerce, health care, start-up, and tech transfer clients. Most recently, he created and moderated a privacy/cyber security panel presentation for the Arizona Bankers Association, was a panelist for “Cloud: Technology to Grow Your Business” (Phoenix Bus. Journal), and presenter of "The Hidden Side of Technology" (Trans-West/CloudNet/AZ Tech Council). Within the firm, Brad holds national roles ranging from client service team leader to national strategy partner. Outside the firm, Brad has served in the following leadership roles: Chair of Make-A-Wish Arizona, President of University of Arizona's Law College Association, and Co-Chair of the ABA 2014 Sec. of Litigation Annual Conference. Brad earned his B.A. from Stanford ('95) and J.D. from the Univ. of Arizona James E. Rogers College of Law ('99).
  • 31. Cyber Security and Data Privacy: Views on Article III From the Business-to-Business Perspective. C. Bradley Vynalek, Partner
  • 32. Overall Context of our Cool New World
  • 33. The Basics
      • Constitutional Standards
      • Interaction with statutory standing
      • Claim Requirements for damages/injury
  • 34. Article III of the Constitution
      • Provides federal courts power to adjudicate certain cases/controversies
      • This is the key to standing and subject matter jurisdiction
      • “Injury in fact” (typical privacy scenario is misappropriation of personal information)
      • Standing versus Success on the Merits
  • 35. Probable Types of Claims in B2B Privacy Cases: Possible Theories
      • Generalized theory of negligence in construction of IT system & maintenance of data.
      • A few states have statute-based liability (e.g., Minnesota, where retailers must comply with credit and security standards, such as prohibitions on retaining sensitive account data).
      • Improper storage of sensitive financial and credit data of customers may violate federal law as well.
  • 36. Liability Theories (cont.)
      • Violation of standards to protect confidential data imposed by the credit or debit card agreements with the retailer.
      • Negligence on the specific facts of the data breach (e.g., in Target, an allegation that Target negligently permitted outside vendor access to its computer network, which was allegedly connected to the hackers’ break-in).
  • 37. Liability Theories (cont.)
      • Claims against vendors who allegedly wrongly certified compliance of the compromised system, or who failed to detect the breach even with 24/7 monitoring services, which are employed by many major retailers.
  • 38. Who Can Sue?
      • Customers and Commercial Parties (CP) damaged by the alleged negligence or other breach of obligation by the retailer. The CP often has contractual claims based on, e.g., the VISA, MASTERCARD or other Network agreements with the other CP. And the duty of care by one CP may well be held to run to the other CP, based on foreseeability of harm.
  • 39. Who Can Sue? (cont.)
      • Actions against third-party vendors, as in the Target case, may be more difficult for CP’s, since they have no contractual relationship nor is the duty of care as clearly directed toward CP’s in these cases. May still be able to maintain suits based on “reasonable and foreseeable reliance” theory, however.
      • All of this currently being litigated in the many Target cases now occurring.
  • 40. For What Harm Can CP’s Recover?
      • For costs of re-issuance of cards.
      • For amounts paid to reimburse CP’s customers for fraudulent charges.
      • Possibly for amounts lost owing to customers being afraid to use their cards (consequential, and much more speculative - would not think courts will go for this very often, but perhaps in egregious cases).
  • 41. For What Harm Can CP’s Recover? (cont.)
      • In big breaches, the vast majority of damages will be in fraudulent charges, rather than costs of reissuance. E.g., in a recently filed purported class action in Chicago Federal court on behalf of bank plaintiffs, the estimate of bank costs of reissuance is $172MM, while total losses are estimated at potentially $18BB, about 100 times the cost of reissuance.
  • 42. History of Settlements and Payments by CP’s
      • TJX (parent of TJ Maxx) spent a reported $256MM in settlements with banks and others in 2007.
      • Heartland Payment Systems paid $140MM in 2009, and litigation over the breach continues.
  • 43. The Unbelievably Well-Timed June 16, 2014 Order Out of Pennsylvania
      • Citizens Bank of Pennsylvania v. Reimbursement Technologies, Inc., et al, US District Court for the Eastern District of Pennsylvania
      • 2014 WL 2738220 (E.D.Pa.)
      • Background (Bank, physician billing/management company, former employee, and a third party fraud ring)
      • Procedural History
      • Decision (dismissal of common law and statutory negligence, equitable subrogation, fraud, unjust enrichment, and SCA claims with no leave to amend for a third time)
  • 44. Key Language in Decision
      • “third party fraud ring”
      • “fraudulent withdrawals”
      • “former employee”
      • “coincidence”
      • “wrongful acts by intervening third parties”
      • “The Court cannot hold defendant responsible for the acts of the fraud ring or the tellers at plaintiff's bank branches.”
      • “unclean hands”
  • 45. The Real Go Forward Action and the What ifs in the B2B World
      • Industry Groups
      • Contracts/Negotiation
      • Indemnity
      • Insurance Contracts
      • Risk Avoiding and Shifting (Review and Exclusion fights)
      • In-House Law and Compliance Departments
      • Press
      • Reputational Realities
      • Executives Suites
      • Directors and Concerns
      • Notification rules
  • 46. The Real Go Forward Action and the What ifs in the B2B World (cont’d)
      • Breach Costs and Play Into Negotiations
      • Guidelines vs. Law
      • SEC Guidelines
      • HIPAA
      • M&A – diligence/disclosure
      • Vendor Review
      • 41% of breaches attributed to 3rd parties
      • Data breaches in cloud 3X more costly (amount of stuff)
      • Data Center – leases/defaults/who owns/etc.
      • Privacy and Security Audits
      • FTC
      • Opt In and Opt Out
  • 47. Ultimately, it’s all about friction and joint oil
      • “Everything is new, but nothing changes.” -Dr. Kotofski
  • 48. SEGMENT 3: Amelia M. Gerlicher, Counsel, Perkins Coie LLP. Introduction: Amelia Gerlicher, Counsel at Perkins Coie LLP, assists clients in addressing issues arising from their possession of personal data, from its collection and use through the aftermath of security breach incidents. A member of the firm’s Privacy & Security group, her privacy-related litigation experience includes actions arising from a variety of online activity, brought under the federal Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and state privacy laws. She also works with clients on consumer protection, intellectual property and contract issues arising from a wide variety of online activities, including defending clients against illegal malicious behavior that interferes with their websites. Amelia also counsels clients in issues related to the collection and use of personal information that implicate a number of federal and state privacy laws, including disclosure obligations, security requirements, and data breach notification and response.
  • 50. What do consumer privacy cases look like?
  • 51. Types of cases
      • Traditional data breaches
          - Hacks, theft, accidents
          - Sensitive or not-so-sensitive data
      • Product design complaints
          - Data is being disclosed or used contrary to policy or consumer expectations
          - More or different data is being collected than consumer expected
  • 52. Types of Claims
      • Common law torts
          - Negligence, fraud/misrepresentation, trespass to chattels, breach of warranty, unjust enrichment
          - Usually not traditional “right to privacy” torts
      • Statutory claims
          - State unfair competition claims
          - State data breach/data security statutes
          - Federal statutes often don’t fit, but might include FCRA, Wiretap Act
  • 53. Claimed Injuries
      • Identity theft (fraudulent charges, new loans, medical fraud)
      • Increased risk of identity theft
      • Time and money spent preventing identity theft
      • Increased price paid for security in product
      • Unwanted telemarketing/spam
      • Loss of services
      • Loss of value of personal information
  • 54. Trends
      • Plaintiffs either have difficulty tying incident to ID theft or must rely on risk of future harm
      • Courts have been pretty skeptical on both fronts
      • But some courts have found that wrongful disclosure, especially combined with facts suggesting identity theft was the goal, is sufficient for standing.
      • But then they go on to find that the pled injuries are insufficient.
      • Outcome is the same in the individual case, but gives plaintiffs openings for the future
  • 55. U.S. Supreme Court Weighs In
  • 56. Clapper v. Amnesty Int’l (2013) Lawyers, journalists, and others with overseas contacts challenged 2008 FISA amendments that permitted surveillance of foreign nationals. Asserted compromised communications, lost sources, costly measures to maintain confidentiality Held: Petitioners have no standing (Alito, J.) Theory of future standing is too speculative Asserted injury is not fairly traceable to the challenged law Plaintiffs cannot manufacture standing by spending money to avoid speculative harms June 25, 2014 56 SEGMENT 3: Amelia M. Gerlicher Counsel Perkins Coie LLP
  • 57. “Certainly Impending.” “[W]e have repeatedly reiterated that ‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.” “The Second Circuit's ‘objectively reasonable likelihood’ standard is inconsistent with our requirement that ‘threatened injury must be certainly impending to constitute injury in fact.’”
  • 58. “Chain of Possibilities.” “Respondents' theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.” Court saw theory as requiring numerous decisions on the government’s part to target Respondents’ contacts—none of which Respondents could know or control. “We decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.”
  • 59. “Manufactured standing.” “Respondents' contention that they have standing because they incurred certain costs as a reasonable reaction to a risk of harm is unavailing — because the harm respondents seek to avoid is not certainly impending. In other words, respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
  • 60. District Courts React. Barnes & Noble: Cites Clapper to deny standing on a dozen claims—but plaintiffs could not plead any disclosure. (N.D. Ill. 2013). Galaria v. Nationwide: Plaintiffs alleged disclosure, but not identity theft. Standing rejected because injury was too uncertain. (S.D. Ohio 2014). In re SAIC Backup Tape Theft: Risk of harm was too attenuated when the underlying theft was for goods not data—but plaintiffs who alleged actual ID theft did have standing. (D.D.C. 2014). Stautins v. Trustwave: Standing rejected for a criminal hack where plaintiffs could not demonstrate information was taken. (N.D. Ill. 2014).
  • 61. But then there’s Sony. Widely reported credit card breach that disrupted access to PlayStation Network and related services. Original MTD granted, but court found standing based on allegations that information was disseminated, increasing the risk of future harm. Consistent with previous 9th Circuit precedent. New complaint, new MTD, Sony urged reconsideration in light of Clapper.
  • 62. Sony Claims Survive. 9th Circuit, pre-Clapper: standing must be based on a “real and immediate” threat of harm. Clapper: Harm must be certainly impending. Sony: “real and immediate threat” = “certainly impending.” Accordingly, allegations that information was wrongfully disclosed, causing a threat of harm, remain sufficient in the 9th Circuit to show standing.
  • 63. And they showed injury too. Sony succeeded in getting 43 of 51 claims thrown out. Most torts claimed insufficient injury, or injury that could not be supported by the facts. Remaining claims: State Unfair Competition claims seeking injunctive relief; Unfair Competition claims for damages based on omissions; California data breach notice claim for injunctive relief. Some of the remaining claims have attorney fees provisions. Last week: Settlement filed for $15 million.
  • 64. Where are we?
  • 65. Injuries other than risk of harm. Actual identity theft doesn’t always work: banks/cards cover most out of pocket losses from card theft; causation is a problem; time/aggravation not compensable. Most other theories of injury work less well. Loss of value of PII: Courts are skeptical individuals trade on their own information. Loss of free services: No monetary damages. Loss of privacy: Information is generally not truly private. Preventative measures: Cut off in Clapper.
  • 66. Top Risks for Breached Companies. Breaches most likely to attract a lawsuit: financial information; intentional theft by bad actors; known misuse of information; large breach with media attention.
  • 67. Top Risks for Breached Companies. Breaches most likely to survive a lawsuit (at least for a while): known misuse of information; affected individuals with out of pocket costs; breach exploited security practices inconsistent with expectations; well-pled injunctive relief.
  • 68. What to do? Before the breach: Know what you have (data, systems). What are you saying about your security practices? You can’t lose information you don’t have.
  • 69. What to do? During and after: Don’t say more than you know. Understand as much as possible about who is affected. Take advantage of the card companies’ protections. Tailor your strategy to your customers and how they communicate. Avoid out of pocket losses from those affected.
  • 73. ► You may ask a question at anytime throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your question in the box that appears and click send. ► Questions will be answered in the order they are received. Q&A: June 25, 2014 73 SEGMENT 1: Patrick Wheeler Director of Data Privacy & Encryption Proofpoint, Inc. SEGMENT 2: Bradley Vynalek Partner Quarles & Brady LLP SEGMENT 3: Amelia M. Gerlicher Counsel Perkins Coie LLP
  • 76. June 25, 2014 76 ABOUT THE KNOWLEDGE GROUP, LLC. The Knowledge Group, LLC is an organization that produces live webcasts which examine regulatory changes and their impacts across a variety of industries. “We bring together the world's leading authorities and industry participants through informative two-hour webcasts to study the impact of changing regulations.” If you would like to be informed of other upcoming events, please click here. Disclaimer: The Knowledge Group, LLC is producing this event for information purposes only. We do not intend to provide or offer business advice. The contents of this event are based upon the opinions of our speakers. The Knowledge Congress does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and does not necessarily reflect that of The Knowledge Congress' views. In no event shall The Knowledge Congress be liable to any person or business entity for any special, direct, indirect, punitive, incidental or consequential damages as a result of any information gathered from this webcast. Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited