Data breaches at home and abroad
Presentation Transcript

    • Data Breaches at Home and Abroad: This Can Mean You Too! Lessons Learned from the Past, and What’s Coming Up in the Future for US and Multi-National Entities
      Mark E. Schreiber, Chair, Privacy and Data Protection Group
      Theodore P. Augustinos, Co-Chair
      Laurie A. Kamaiko, Co-Chair
      David S. Szabo
      Socheth Sor
    • Agenda
       Current Breach Landscape
       Breach Response Tips
       Massachusetts Data Security Requirements: Update
       Credit Card Issues
       HIPAA and HITECH Developments
       Data Breach Litigation
       Cyber Risk Insurance
       Foreign and International Data Breach Considerations
    • Current Breach Landscape
       Company records containing personal information of individuals
         Increasingly exposed to malevolent or inadvertent disclosures
         Costs going up drastically
         96% avoidable through simple to intermediate security controls
       88% of U.S. companies said to have experienced a data breach in 2010
         Some multiple times
       About 40% of executives in one recent Deloitte survey said they expected their company to have an electronic security breach in the next 12 months
       Roughly ½ said they were not adequately prepared for it
    • Cost of Breaches Increasing
       2011 had a troubled beginning
         9.5M records exposed (excluding 100M plus in Sony)
         Sony
         Google
         Epsilon
         Citibank
         Anonymous/LulzSec
         Massachusetts Executive Office of Labor and Workforce Development and other government agencies
         Multiple hospitals and other healthcare providers
       Average total cost per US company: $7.2 M (2010), up from $6.75 M (2009)
         $3.4 M in Germany, $2.5 M in UK and France (2009)
       329 organizations reported 86,455 laptops lost (2010)
         Avg. cost of $6.4 million per company
       222 million records repeatedly compromised in US in 2009 (likely undercounts)
       10 million patient records in 272 events (OCR report)
         $6B cost annually
       Sources: Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach; Ponemon, Global 2009 Annual Study on Cost of a Data Breach; Verizon, April 2011: 2011 Data Breach Investigations Report
    • Responsibility for Breaches (according to Ponemon studies)
       Third Party Outsourcers – 39% of breaches (slight decline from 2009), but cost up 39%
       Lost/Stolen laptops and other mobile devices – 35% (36% in 2009, but cost up 15%)
       Systems failure – 27%, a 9% decline as companies work harder on prevention and more technologies are available
       Negligence – 41% (1% increase); costs up 27%
       Malicious/Criminal – 31% (7% increase, the highest)
         2010 was the first time malicious attacks were not the least frequent cause
         They are the most expensive; increasingly stealthy and successful, requiring more resources
    • Breach Response Tips
       Assemble the team
         Decision-maker level of management
         IT
         Data Forensics
         Legal Counsel
         Breach Response Services
           Call center
           Processing
           Mailing
         Customer, Public, Media and Governmental Relations
       Containment
         Find and stop the cause of the breach
         First priority is to stop the loss of data, preferably by taking steps that will preserve the information needed for the investigation
    • Breach Response Tips (cont.)
       Investigation
         What happened?
         What information was affected?
         Where do affected individuals reside?
       Analysis – Review results of the investigation under applicable legal requirements and contractual requirements, including PCI-DSS
       Remediation
         Choice of products and services to be offered to affected individuals, if any
           Credit Monitoring
           Credit Restoration Services
           Credit Insurance
           Other
    • Breach Response Tips (cont.)
       Communication
         Affected Individuals
         State Agencies
         FTC, HHS, as appropriate
         Card Brands, Merchant Bankers and Card Processors
         Employees
         Other Constituents
       Reaction to Inquiries
         Affected Individuals and other consumers or clients
         Media
         Governmental Agencies
    • Breach Response Tips (cont.) Experience at all levels is critical (even the call center) Benefits of a third-party forensics team  Credible third party assessment  Reliable Chain of Custody  Backups of all pertinent system logs  Attorney-client privilege Review availability of insurance coverage and affect any required notification. Conduct the Investigation Legal, Analysis and Decision-Making Draft and Effect Required Notices 8
    • Breach Response Tips (cont.) Top Five Ways to Avoid a Breach  Assemble the Team and Assess the Data  Develop Policies and Procedures  Control Hardware and Software  Mitigate Risk  Train, Test, Update and Monitor. Repeat 9
    • Breach Response Tips (cont.) Top Five Ways to Respond to a Breach  Assemble the Response Team  Do the Forensics and Assess the Data  Develop and Effectuate Remediation  Draft and Effect Notices  Review Preventative Measures 10
    • Massachusetts Data SecurityRequirements: Update State of the Art in Policies and Procedures  Massachusetts requirements for comprehensive written information security programs are both more broad and more specific than those of other states  More Broad – Extend to areas not covered by others  Written Policy Requirements  Technology and other security requirements  Vendor Contracts  More Specific – Impose specific requirements for security  Encryption  Specific requirements for vendor selection, contracting and management  Different – Unique breach notice requirements and limitations 11
    • Massachusetts Data Security Requirements:Update (cont.) State of the Art in Enforcement?  Briar Group, LLC  Chain of restaurants and bars allegedly suffered malware intrusion  Allegedly continued to accept credit cards after knowledge of attack and prior to effective remediation, without notifying patrons of risk  Consent order entered by Mass AG included significant fine  Breach pre-dated MA Data Security Regulation  Enforcement pursued under general consumer protection statute  Enforcement posture based in part on apparent position that failure to comply with PCI-DSS = violations of consumer protection statute  Effectively adopts PCI-DSS as legal standard of conduct in the Commonwealth? 12
    • Credit Card Issues PCI-DSS  Industry Standard imposed by merchant banking contracts  Incorporated into Nevada law by statute  Imposed by Massachusetts enforcement posture? Credit Card Breaches  Brand, Merchant Bank and Processor Notifications  Involvement of QIRA and QSA  Self-Assessment Questionnaire and Certification 13
    • HIPAA Enforcement Cignet Healthcare -- $4.3 million penalty Partners Health Care System -- $1 million settlement Interesting Questions  What is an “ongoing violation?”  How should penalties be calculated?  Does the statute authorize daily penalties? 14
    • Resolution Agreements Five agreements on OCR website Settlements range from $35,000 to $2.25 million Four are fundamentally based on security failures (lost or stolen information, improper disposal of information). One is predominantly a privacy case (unauthorized use of PHI for marketing). All have a corrective action plan. Terms for CAPs are three years (4) and two years (1). 15
    • HITECH Rulemaking Accounting for Disclosures—proposed rule issued May 31, 2011. Includes two rights: right to an accounting of disclosures, and right to receive an electronic medical records access report  Period for accounting reduced to three years from six years.  Disclosures to be accounted for to be explicitly listed in the final rule. Comment is requested on specific items to be added or excluded from the list. 16
    • HITECH Rulemaking (cont.) Access Reports  OCR proposes a report of every time a person accesses electronic data in a designated record set, whether a disclosure is made or not.  OCR takes the position that access logs already are required by the Security Rule—such that the regulation only requires access to a document that should be readily available.  Individuals can request reports reflecting access on specific dates or by specific individuals.  Reports must be aggregated if data resides on more than one information system (EMR, billing, etc). 17
    • HITECH Rulemaking (cont.) Still pending: Final rule for a large number of other HITECH mandated changes, including:  Marketing Authorizations  Business Associate Agreements  Transition Provisions  Sale of PHI  Research Authorizations  Decedents  Immunizations  Minimum Necessary  Fundraising  Notice Requirements 18  Access Rights for Individuals
    • Data Breach LitigationArticle III Standing Required Data breach class actions  Tend to be in federal court due to Class Action Fairness Act. 28 U.S.C. § 1332(d)  If in state court, may be removable Federal lawsuits must satisfy Article III standing requirement  Requires a “case or controversy” requiring an injury in fact that is actual or imminent, not conjectural or hypothetical. 19
    • Data Breach LitigationArticle III Standing Required (cont.) Several lower federal courts have found that increased risk of identity theft as result of data breach not an injury in fact Two federal appellate courts found increased risk of identity theft satisfies injury in fact requirement Sixth Circuit suggested increased risk of identity theft too conjectural to be injury in fact 20
    • Data Breach LitigationCognizable Injury Also Required If standing requirements satisfied  Plaintiffs still need to allege injury for which state law provides remedy Injuries not cognizable (generally) under state common law:  Increased risk of identity theft  Time and effort spent closing accounts/protecting credit ratings Court finds cognizable injury in statutory claim  Doe 1 v. AOL LLC, 719 F.Supp.2d 1102 (N.D. Ca. 2010)  Claim under California Consumers Legal Remedy Act  Statute says consumer suffering “any damage” may bring a claim  Defendant exposed “highly sensitive” personal information of plaintiffs  Sufficient allegation of injury under statute Moral: state law on injury may determine outcome of motion 21 to dismiss
    • Data Breach LitigationClass Certification Plaintiffs’ attorneys need financial incentive of class action in order to pursue data breach action  Individual losses will generally be too small Court may not certify class May not be worth proceeding without class 22
    • Cyber Risk Insurance Specialty cyber risk/data protection/tech policies  Personal information breaches  Network security  Cyber extortion  Business Disruption Often can be sub-limits and other limitations on coverage Terms/Scope of coverage vary 23
    • Other Insurance Claims often made under more traditional lines (although frequently exclusions/coverage defenses apply)  Property  Crime/Fidelity  K&R  CGL  Coverage A –property damage/BI-emotional distress  Coverage B – injury arising out of publication that violated the data owners privacy  Professional liability  Lawyers, real estate agents, A&E, etc.  D&O  Approval/Lack of security plans  How a breach is handled  What is said about the cause and remediation 24
    • Other Insurance Issues Aggregation of risk on policies issued  The cyber hurricane (simultaneous attack on multiple targets)  Multiple insureds impacted  Multiple lines have claims made under them Regulatory scrutiny  Includes data security  Insurance depts. such as Connecticut want to know within 5 days of breach of insurer Increasing accumulation of protected information increase risk of breach of insurers  Medical records and PI of claimants/insureds/beneficiaries  Medicare secondary payer reporting requirements 25
    • Foreign and International BreachConsiderations Global Transactions, Operations, Data Processing and Storage U.S. – styled breach notice requirements are being adopted in EU and elsewhere  EU Data Protection Directive may change by year end  Art. 29 W.P., April 2011, recommends breach notification  Definition of Personal Information is broader than U.S. definitions India  New Data Security Rules issued under Information Technology Act of 2000 effective April 11, 2011  Requires “reasonable security practices” to protect “sensitive personal data” and  Imposes restrictions and requirements for  Collection of data  Disclosure of data  Transfer of data  Security practices and procedures 26
    • Foreign and International BreachConsiderations (cont.) Notification Considerations  Does the Company have operations there?  Is the Company a data controller or processor in the country?  Does DPA have jurisdiction?  Would it help mitigate reputational risk to notify affected individuals?  Would the Company’s posture in enforcement be improved by notifying government agencies?  Method of Notifying Individuals: Mail or Email: Translated or English? Remediation Issues  Limited credit monitoring  Call center operations: Toll free? Foreign language capabilities? 27
    • Thank youMark E. Schreiber, Partner Theodore P. Augustinos, Partner Laurie A. Kamaiko, Partnermschreiber@eapdlaw.com taugustinos@eapdlaw.com lkamaiko@eapdlaw.com 617.239.0585 860.541.7710 212.912.2768 David S. Szabo, Partner Socheth Sor, Associate dszabo@eapdlaw.com ssor@eapdlaw.com 617.239.0414 860.541.7773 28