May 13, 11:30 am: Primer to Cyber Security (Topical Issues)
Transcript

  • 2. Topics For Discussion
    • What is a “data security breach”?
    • Why do you need a response plan?
    • Responding to a data security breach
    • State statutory requirements
    • Regulatory (and quasi-regulatory) update
    • Regulatory enforcement actions and litigation
  • 3. 2013 Statistics
    • In 2013, there were 63,437 security incidents and 1,367 confirmed data breaches (a 120% increase over the number of data breaches reported in 2012).
      – Web App Attacks (35%)
      – Cyber-espionage (22%)
      – Point-of-Sale Intrusions (14%)
      – Card Skimmers (9%)
      – Insider Misuse (8%)
    Source: Verizon 2014 Data Breach Investigations Report.
  • 4. 2012 Statistics
    • According to a survey of 583 U.S. companies:
      – 90% reported being hacked in the past year
      – 59% reported being hacked two or more times in the past year
      – 41% reported damages in excess of $500,000
      – 52% reported that 10% or less of their budget was dedicated to security
    Source: Study conducted by Ponemon Institute on behalf of Juniper Networks.
  • 5. 2013 Statistics
    • The FTC filed 79 consumer protection enforcement actions.
    • The FTC obtained 137 consumer protection orders.
    • The FTC ordered civil penalties totaling $20 million.
    • Identity theft represents the largest category of consumer complaint received by the FTC (approximately 14%).
    Source: Federal Trade Commission’s 2013 Annual Highlights.
  • 6. Cost Of A Data Security Breach
    • In 2013, data breaches cost organizations an average of $5.9 million, up from $5.4 million in 2012.
      – $201 per record
      – Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations)
      – Compare to the cost of having preventative measures in place (e.g., policies on passwords, firewalls and mobile devices), training employees and encrypting sensitive information
    Source: 2014 Cost of Data Breach Study: United States. Sponsored by IBM. Study independently conducted by Ponemon Institute LLC.
  • 7. Cost Of A Data Security Breach
    • Data breaches resulting from a malicious attack yielded the highest cost.
      – $246 per record
    • Organizations that had a formal incident response plan in place before the incident reduced the cost by approximately $17 per record.
    Source: 2014 Cost of Data Breach Study: United States. Sponsored by IBM. Study independently conducted by Ponemon Institute LLC.
  • 8. Types Of Data Security Breaches
    • Hacking
    • Devices are lost or stolen
    • Insider or employee misuse
    • Unintended disclosure
    • Security patches are not installed
    • Malware
  • 9. What Is The Objective? Fill In The Gap
    • Protection/Security
    • Compliance
    • Audits
    • Criminal prosecution
    • Civil liability
    How to Manage the Data Security Breach
  • 10. Why Do You Need A Response Plan?
    • Thoughtful and prepared reaction
    • Better decision making
    • Minimized risk and loss
  • 11. Collect Relevant Information
    • Data location lists
    • Confidentiality agreements
    • Customer contracts
    • Third-party vendor contracts
    • Privacy policy
    • Information security policy
    • Ethics policy
    • Litigation hold template
    • Response team contact list
  • 12. Create A First Response Team
    • Information technology (computer and technology resources)
    • Information security (physical security and access)
    • Human resources (private employee information: health and medical, SSN(s), payroll, tax, retirement)
  • 13. Create A First Response Team
    • Legal counsel (in-house and/or outside counsel)
    • Compliance
    • Business heads (consumer and customer information)
    • Public relations/investor relations
  • 14. Assign Tasks To Members Of The First Response Team
    • Establish a point person
    • Identify key personnel for each task
    • Prioritize and assign tasks
    • Calculate timelines and set deadlines
    • Communicate with management
    • Establish attorney-client privilege for the investigation and its communications
    Project Management Is Critical
  • 15. Determine The Nature And Scope Of The Breach
    • Investigate facts
    • Interview witnesses
    • Notify law enforcement: FBI, USSS, State AG(s)
    Preserve Company’s Assets, Reputation and Integrity
  • 16. Determine The Nature And Scope Of The Breach
    • Determine the type of information that may have been compromised and whether the threat is ongoing
    • Identify and assess potential kinds of liability
    • Identify individuals potentially at risk and determine their state or country of residence
    Preserve Company’s Assets, Reputation and Integrity
  • 17. Understand Data Breach Notice Laws
    • State laws:
      – What constitutes personal information?
      – When is a notice required?
      – Who must be notified? (e.g., State Attorney General)
      – Timing?
      – What information must be included in the notice?
      – Method of delivering notice?
      – Other state-specific requirements?
    • Applicable industry-specific laws
    • Applicable international laws
  • 18. Determine Appropriate Notices
    • Consumers
    • Employees
    • Law enforcement (Federal/State)
    • Federal regulatory agencies
    • State agencies (State Attorney General)
    • Consumer reporting agencies
    • Business partners
    • Insurers
    • Media
  • 19. Data Security Breach Notification
    • Alabama, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
    • The California statute served as a model for later state statutes.
      – State involvement began in California, after a series of breaches received national attention.
      – Passed in 2002, went into effect in mid-2003.
  • 20. Data Security Breach Notification
    • “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.
  • 21. Data Security Breach Notification
    • “Personal information”: first name or initial and last name with one or more of the following (when either the name or the data element is not encrypted):
      – Social Security number;
      – Driver’s license number;
      – Credit card or debit card number; or
      – Financial account number with information such as PINs, passwords or authorization codes.
  • 22. Data Security Breach Notification
    • Some states have expanded the definition of “personal information” to include:
      – California: medical information or health insurance information;
      – Indiana: biometric data;
      – North Dakota: mother’s maiden name, birth/death/marriage certificate and electronic signature.
  • 23. Data Security Breach Notification
    • On September 27, 2013, California’s governor signed S.B. 46 to expand the definition of “personal information” to include:
      – “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
      – S.B. 46 became effective January 1, 2014.
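Scoping the notification obligation (slide 16) is where the definitions on slides 20 through 23 get applied record by record. The following is an added example, not material from the presentation, that encodes the California rule as summarised on these slides: a name plus one of the listed data elements, triggering only when the name or the element is unencrypted, and the S.B. 46 credential pair. The field names, the `ExposedRecord` shape and the sample records are constructed for illustration; a real breach data set has whatever schema the compromised system used, and the harm thresholds and paper-record rules of other states discussed on later slides are not modelled.

```python
"""Breach-scoping triage against the California definition (added example).

Decides which exposed records are "personal information" under Cal. Civ. Code
1798.29 as summarised on the slides, then lists the California residents who
must be notified and groups every triggering record by state so counsel can
check each state's own statute. Field names and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Data elements that, combined with a name, make the record personal information.
NAME_LINKED_ELEMENTS = {"ssn", "drivers_license", "card_number", "financial_account"}
# S.B. 46 path: account identifier plus credential, no name required.
ACCOUNT_IDENTIFIERS = {"username", "email"}
ACCOUNT_CREDENTIALS = {"password", "security_qa"}


@dataclass
class ExposedRecord:
    record_id: str
    state: str                                   # two-letter state of residence
    fields: dict                                 # field name -> value (absent if not exposed)
    encrypted: set = field(default_factory=set)  # field names that were stored encrypted

    def has(self, name):
        return self.fields.get(name) is not None

    def plaintext(self, name):
        return self.has(name) and name not in self.encrypted


def _any_plaintext(rec, names):
    # The statute covers *unencrypted* personal information: a combination
    # triggers notice if at least one of its parts was exposed in the clear.
    return any(rec.plaintext(n) for n in names)


def notice_reason(rec):
    """Return why the record triggers notice, or None if it does not."""
    # Path 1: (first name or initial) + last name + a listed data element.
    if rec.has("last_name") and (rec.has("first_name") or rec.has("first_initial")):
        name_fields = [f for f in ("first_name", "first_initial", "last_name") if rec.has(f)]
        for elem in sorted(NAME_LINKED_ELEMENTS):
            if rec.has(elem) and _any_plaintext(rec, name_fields + [elem]):
                return "name + " + elem
    # Path 2 (S.B. 46): username/email + password or security question and answer.
    idents = [f for f in sorted(ACCOUNT_IDENTIFIERS) if rec.has(f)]
    creds = [f for f in sorted(ACCOUNT_CREDENTIALS) if rec.has(f)]
    if idents and creds and _any_plaintext(rec, idents + creds):
        return "online account credential (S.B. 46)"
    return None


def california_notice_list(records):
    """(record_id, reason) for every California resident who must be notified."""
    return [(r.record_id, reason) for r in records
            if r.state == "CA" and (reason := notice_reason(r))]


def by_state(records):
    """All triggering record ids grouped by state, for the state-by-state review."""
    out = defaultdict(list)
    for r in records:
        if notice_reason(r):
            out[r.state].append(r.record_id)
    return dict(out)


# Constructed sample records (not real people or real breach data).
SAMPLE = [
    ExposedRecord("r1", "CA", {"first_name": "Ada", "last_name": "Lovelace", "ssn": "123-45-6789"}),
    # Card number encrypted but the name is in the clear: still triggers.
    ExposedRecord("r2", "CA", {"first_initial": "G", "last_name": "Hopper", "card_number": "4111111111111111"},
                  encrypted={"card_number"}),
    # Everything encrypted: no notice under the statute's "unencrypted" qualifier.
    ExposedRecord("r3", "CA", {"first_name": "Alan", "last_name": "Turing", "drivers_license": "D1234567"},
                  encrypted={"first_name", "last_name", "drivers_license"}),
    ExposedRecord("r4", "CA", {"email": "x@example.com", "password": "hunter2"}),
    ExposedRecord("r5", "NV", {"first_name": "Bob", "last_name": "Smith", "ssn": "987-65-4321"}),
    # Name plus an email with no credential: no listed element, no trigger.
    ExposedRecord("r6", "CA", {"first_name": "Eve", "last_name": "Adams", "email": "eve@example.com"}),
]

if __name__ == "__main__":
    for rid, why in california_notice_list(SAMPLE):
        print(f"notify {rid}: {why}")
    print(by_state(SAMPLE))
```

The `encrypted` set is what makes the difference between r2 and r3: encrypting only the sensitive element does not remove the obligation if the name travels in the clear beside it, which is the point of the "either ... not encrypted" qualifier on slide 21.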
  • 24. Data Security Breach Notification
    • “Breach of the security of the system”
      – Some states expressly require notice of unauthorized access to non-computerized data.
        • Hawaii: includes “personal information in any form (whether computerized, paper, or otherwise).”
  • 25. Data Security Breach Notification
    • Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
      – Certain states require harm:
        • Arkansas: no notice if “after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.”
        • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft.”
  • 26. Data Security Breach Notification
    • Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data.
      – The data owner has ultimate responsibility to notify consumers of a breach.
      – Non-owners are required to notify owners.
  • 27. Prepare State Law Notices
    • General description of the incident
    • Type of information that may have been compromised
    • Steps to protect information from further unauthorized access
    • Contact information (e.g., email address; 1-800 number)
    • Advice to affected individuals (e.g., credit reporting, review account activity)
  • 28. Prepare State Law Notices
    • Delivery method (e.g., certified letters, email, website)
    • Timing of notices
    • Tailor notices based on recipient
    • Use a single fact description for all notices
  • 29. Prepare Answers To Inquiries
    • Draft FAQs with responses
    • Establish a hotline
    • Assign a group of contact employees
    • Train employees to respond to inquiries
    • Develop a clear escalation path for difficult questions
    • Track questions and answers
  • 30. Prepare Press Release
    • Include the following information:
      – Facts surrounding the incident
      – Actions to prevent further unauthorized access
      – Steps to prevent future data security breaches
      – Contact information for questions
    • Review by legal counsel
  • 31. Consider Offering Assistance To Affected Individuals
    • Free credit reporting
    • Free credit monitoring with alerts
    • ID theft insurance
    • Access to fraud resolution specialists
    • Toll-free hotline
  • 32. Regulatory Update: NIST And The Framework
    • On February 12, 2013, President Obama signed an Executive Order titled “Improving Critical Infrastructure Cybersecurity.”
    • The Executive Order directed the National Institute of Standards and Technology (NIST) to work with relevant stakeholders to develop a voluntary framework for reducing cyber risks to Critical Infrastructure.
  • 33. Regulatory Update: NIST And The Framework
    • On October 29, 2013, NIST issued the Preliminary Cybersecurity Framework, which outlines a customizable set of steps that entities may use to assess and prioritize potential cybersecurity risks, as well as identify ways to improve defenses and responses to outside intrusions.
      – Relies on existing standards, guidance, and best practices.
      – Complements (does not replace) an organization’s existing risk management process.
  • 34. Regulatory Update: NIST And The Framework
    • Stakeholders had an opportunity to comment on the Preliminary Cybersecurity Framework.
      – The public comment period closed on December 13, 2013.
      – 2,500 public comments were received by NIST; all are available on its website.
    • NIST used these comments to prepare the Final Cybersecurity Framework.
      – Issued on February 12, 2014.
  • 35. Regulatory Update: NIST And The Framework
    • Generally, Critical Infrastructure includes:
      – Communications
      – Manufacturing
      – Energy
      – Food and agriculture
      – Financial
      – Healthcare and public health
      – Information technology
      – Transportation
  • 36. Regulatory Update: NIST And The Framework
    • The Framework is organized into five core functions:
      – Identify: institutional understanding to manage cybersecurity risk to systems, assets, data and capabilities.
      – Protect: safeguards to ensure delivery of critical infrastructure services.
      – Detect: activities to identify the occurrence of a cybersecurity event.
      – Respond: actions in response to a detected cybersecurity event.
      – Recover: activities to restore capabilities impaired as a result of a cybersecurity event.
  • 37. Regulatory Update: NIST And The Framework
    • Within each of these five core functions:
      – Cybersecurity activities are split into categories:
        • e.g., Awareness and Training
      – Categories are then split into subcategories:
        • e.g., Third-party stakeholders understand their roles and responsibilities
      – Each subcategory is tied to Informative References, which point to current industry best practices for that cybersecurity activity.
      – The Informative References are drawn from five existing standards.
  • 38. Regulatory Update: NIST And The Framework
    • Informative References:
      – Council on CyberSecurity Critical Security Controls (CCS CSC)
      – Control Objectives for Information and Related Technology (COBIT)
      – International Society of Automation (ISA) 99.02.01 (since renumbered ISA 62443-2-1)
      – International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001
      – NIST Special Publications
  • 39. Regulatory Update: NIST And The Framework
    • The Framework is “voluntary.”
      – However, many (or all) of these best practices may develop into de facto standards through:
        • Governmental incentives (e.g., federal grants);
        • Sector-specific regulation; or
        • Private litigation.
      – If the Framework is widely adopted, it may be viewed as what constitutes “reasonable security practices” in the industry.
  • 40. Regulatory Update: NIST And The Framework
    • Recommended actions:
      – Conduct a self-assessment
        • Based upon the Framework, identify gaps and prioritize remediation efforts
      – Promote adoption of the Framework internally
      – Continue to improve upon cybersecurity activities
      – Work with industry colleagues and government organizations
  • 41. Regulatory Update: California’s Do-Not-Track Law
    • Assembly Bill 370
    • Went into effect on January 1, 2014
    • California was the first state in the country to adopt a do-not-track disclosure law
    • Requires operators of websites, online services and mobile applications to amend their privacy policies
  • 42. Regulatory Update: California’s Do-Not-Track Law
    • Requires operators’ privacy policies to:
      – Disclose how they respond to do-not-track signals from Internet browsers or other consumer choice mechanisms regarding the collection of behavioral tracking data; OR
      – Link to an online location containing a description of a consumer choice program the operator follows and explain the effects of this program.
    • Requires operators to disclose the type and nature of any third-party tracking on their sites, services or apps.
  • 43. Regulatory Update: California’s Do-Not-Track Law
    • Best practices (suggested by AG staff):
      – Disclosures should not be limited to tracking for online behavioral advertising purposes, but should extend to other purposes for which behavioral data is collected by a website, online service or app (e.g., market research, fraud detection, website analytics).
      – Include language explaining the effects of any opt-out options (e.g., opt out of targeted advertising, but continue to track for fraud).
    • The AG plans to release a Best Practices Guideline.
  • 44. Regulatory Update: California’s Right To Know Act
    • Assembly Bill 1291.
    • Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.
    • Businesses would have 30 days to answer a request for the information.
  • 45. Regulatory Update: California’s Right To Know Act
    • Applies to businesses that “retain” personal data or disclose the information to a third party.
    • Defines “retain” to mean “store or otherwise hold personal information,” whether the information is collected or obtained directly from the consumer or from any third party.
  • 46. Regulatory Update: California’s Right To Know Act
    • Faced opposition from companies such as Google and Facebook.
    • Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.
    • Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.
    • The Assembly will consider AB 1291 again in 2014.
  • 47. Regulatory Update: California’s Data Breach Report
    • On July 1, 2013, the California Attorney General released a report that summarizes the types of breaches reported to her office during 2012 and makes recommendations about how to decrease the likelihood of experiencing a data breach.
  • 48. Regulatory Update: California’s Data Breach Report
    • Key findings:
      – 131 data breaches affecting more than 500 California residents each
      – The average incident involved information relating to 22,500 individuals
      – More than 2.5 million California residents were put at risk by data breaches in 2012
  • 49. Regulatory Update: California’s Data Breach Report (cont’d)
    • Key findings:
      – More than 1.4 million of those California residents would not have been at risk if the data had been encrypted
      – More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders
      – The average reading level of the breach notices submitted was 14th grade
  • 50. Regulatory Update: California’s Data Breach Report
    • Recommendations:
      – Encrypt personal information when in transit, on portable devices or in emails
      – Review and strengthen security controls used to protect personal information
      – Prepare breach notification letters in an easy-to-understand format
  • 51. Regulatory Update: California’s Data Breach Report
    • Recommendations (cont’d):
      – Offer mitigation products to victims of breaches that involve Social Security numbers or driver’s license numbers
      – Consider amending breach notification laws to require reporting of breaches that involve usernames and passwords
  • 52. Enforcement Actions
    • Federal Trade Commission
      – Section 5 of the FTC Act
      – Enforces privacy policies and challenges data security practices deemed “deceptive” or “unfair”
    • State Attorneys General
      – State notification statutes
      – Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
      – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”
    • Litigation in federal and state courts.
  • 53. Federal Trade Commission
    • In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.
    • In its complaint, the FTC alleges that, beginning in April 2008 and through January 2010, cybercriminals hacked into Wyndham’s computer network and the networks of certain Wyndham hotels, exposing credit card information of hotel guests.
  • 54. Federal Trade Commission
    • The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.
    • The FTC contends that hackers compromised more than 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.
  • 55. Federal Trade Commission
    • Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
      – Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate”; and
      – Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure the credit card information it collects from consumers.
  • 56. Federal Trade Commission
    • In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
      – Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
      – Wyndham argues that Congress has given the FTC authority to regulate data security only in limited contexts (e.g., the Gramm-Leach-Bliley Act) and has not passed general data security legislation.
  • 57. Federal Trade Commission
    • Wyndham (cont’d)
      – Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.”
      – Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
      – As such, “businesses are left to guess as to what they must do to comply with the law.”
  • 58. Federal Trade Commission
    • The case is pending in the U.S. District Court for the District of New Jersey (Civ. A. No. 13-01887).
    • In November 2013, the Court held a hearing on Wyndham’s motion to dismiss the case.
    • Although to date the Court has not issued an opinion, the Court expressed some skepticism about Wyndham’s argument, stating:
      – “ . . . if Congress never intended to give authority to the FTC [to regulate data security under Section 5], why would Congress not have acted years ago.”
  • 59. Federal Trade Commission
    • This is the first litigated case challenging the FTC’s authority under Section 5 of the FTC Act related to data security.
    • Generally, FTC enforcement actions result in a settlement.
      – The FTC provides a defendant with a proposed draft complaint.
      – The FTC “negotiates” the terms of a consent order.
  • 60. Federal Trade Commission: Recent Enforcement Actions
    • FTC v. LabMD Inc. (N.D. Ga. 2012):
      – In 2009, the FTC learned that PII belonging to consumers was publicly available on peer-to-peer (P2P) file sharing networks, including, but not limited to, a spreadsheet that contained information related to approximately 9,000 of LabMD’s customers.
      – The FTC issued civil investigative demands (CIDs) to LabMD.
      – LabMD refused to respond to the CIDs.
  • 61. Federal Trade Commission: Recent Enforcement Actions
    • FTC v. LabMD Inc. (N.D. Ga. 2012):
      – In the U.S. District Court for the Northern District of Georgia, the FTC filed a petition to enforce the CIDs.
      – LabMD answered the petition stating that the FTC lacks statutory authority to tell companies how to secure their data.
      – The Court granted the petition and ordered LabMD to respond to the CIDs.
  • 62. Federal Trade Commission: Recent Enforcement Actions
    • FTC v. LabMD Inc. (N.D. Ga. 2012):
      – The Court held, in part, “[a]lthough the Court finds there is significant merit to Respondents’ argument that Section 5 does not justify an investigation into data security practices and consumer privacy issues, it is a plausible argument to assert that poor data security and consumer privacy practices facilitate and contribute to predictable and substantial harm to consumers in violation of Section 5 because it is disturbingly commonplace for people to wrongfully exploit poor data security and consumer privacy practices to wrongfully acquire and exploit personal consumer information.”
  • 63. Federal Trade Commission: Recent Enforcement Actions
    • In the Matter of LabMD Inc., No. 102 9357
      – On August 29, 2013, the FTC instituted a formal enforcement action and filed an administrative complaint against LabMD.
      – In its complaint, the FTC alleges that a LabMD employee installed LimeWire on his computer, which exposed a report containing personal information of 9,300 consumers.
      – The FTC alleges that LabMD failed to reasonably protect consumers’ personal information.
  • 64. Federal Trade Commission: Recent Enforcement Actions
    • In the Matter of LabMD Inc., No. 102 9357
      – In the enforcement action, LabMD challenged the FTC’s authority to regulate data security practices under the “unfair” prong of Section 5 of the FTC Act.
      – LabMD filed a motion to dismiss the administrative complaint.
      – On January 16, 2014, the FTC unanimously denied LabMD’s motion.
      – LabMD has decided to wind down its operations, citing “years of debilitating investigation and litigation” with the FTC.
  • 65. Federal Trade Commission: Recent Enforcement Actions
    • In the Matter of LabMD Inc., No. 102 9357
      – In its decision, the FTC stated:
        • The fact that Section 5 does not “explicitly authorize” the FTC to regulate data security matters is irrelevant.
        • “Congress could not possibly have had any ‘specific intent’ to deny the FTC authority over data security practices.”
        • Instead, Congress intended “to delegate broad authority to the FTC to address emerging business practices — including those that were unforeseeable when the statute was enacted.”
  • 66. Federal Trade Commission: Recent Enforcement Actions
    • In the Matter of TRENDnet, No. 122 3090
      – TRENDnet sells Internet-connected video cameras.
      – The FTC alleges that TRENDnet’s improper security measures allowed hackers to webcast live feeds from hundreds of its customers’ homes.
      – TRENDnet agreed to settle this action by entering into a consent order with the FTC.
        • The consent order contains a requirement that TRENDnet notify customers involved in the incident (a requirement the FTC has only recently begun including in its consent orders).
  • 67. Federal Trade Commission: Recent Enforcement Actions
    • In the Matter of Accretive Health, No. 122 3077:
      – In 2013, the FTC instituted an enforcement action against Accretive Health alleging that, in July 2011, an employee’s laptop computer was stolen from his car.
      – The laptop computer contained personal information (including sensitive health information) relating to 23,000 of Accretive’s patients.
  • 68. Federal Trade Commission: Recent Enforcement Actions
    • In the Matter of Accretive Health, No. 122 3077:
      – The FTC alleges that Accretive:
        • Created unnecessary risks by transporting laptops that contained personal information in a way that left them vulnerable to theft.
        • Failed to employ reasonable procedures to ensure that employees removed consumers’ personal information from their computers after they no longer needed such information.
        • Failed to adequately restrict employee access to consumers’ personal information.
      – On December 31, 2013, Accretive Health agreed to settle the action.
  • 69. State Attorney General: Recent Actions
    • Target Corp.
      – On December 19, 2013, Target announced that hackers had stolen data from approximately 40 million debit and credit card users who visited its stores between November 27th and December 15th.
        • Target made the announcement 4 days after it “confirmed the issue.”
      – On January 10, 2014, Target stated that hackers had also stolen personal information from 70 million of its customers.
  • 70. State Attorney General: Recent Actions
    • Target Corp.
      – The Connecticut Attorney General is leading a coalition of more than 30 states investigating the incident.
        • The State Attorneys General asked Target for information about the incident including, but not limited to, how many of their citizens may have been victims.
        • The State Attorneys General stated that one area of major concern is the timeliness and adequacy of Target’s notification to consumers and appropriate government authorities.
  • 71. State Attorney General: Recent Actions
    • Kaiser Foundation Health Plan Inc.
      – In January 2014, the California Attorney General instituted a state court action against Kaiser alleging that the company waited too long to notify more than 20,000 current and former employees about a data breach.
        • In September 2011, Kaiser learned that an unencrypted hard drive containing Social Security numbers and other personal information related to its current and former employees had been purchased at a public thrift shop.
        • On March 19, 2012, Kaiser notified its current and former employees.
  • 72. State Attorney General: Recent Actions
    • Kaiser Foundation Health Plan Inc.
      – The Attorney General contends that, by December 2011, Kaiser had completed an initial forensic examination of the hard drive and confirmed that it contained Social Security numbers and other personal information.
      – The Attorney General alleges that, although Kaiser continued to inventory the hard drive until February 2012, the company had “sufficient information” to identify and notify “at least some individuals” between December 2011 and February 2012.
  • 73. State Attorney General: Recent Actions
    • Kaiser Foundation Health Plan Inc.
      – The Attorney General seeks:
        • An injunction permanently enjoining Kaiser from committing any acts of unfair competition;
        • An order requiring Kaiser to pay $2,500 for each violation of the California data breach notification law (approximately $50 million in total); and
        • An order requiring Kaiser to pay the state’s costs of litigation and investigation of the matter.
  • 74. State Attorney General: Recent Actions
    • Google Inc.
      – In March 2013, a group of State Attorneys General settled with Google for $7 million in connection with its alleged unauthorized collection of personal data from unsecured Wi-Fi networks through Google’s Street View cars.
      – In November 2013, Google agreed to pay $17 million to a separate group of State Attorneys General over its alleged circumvention of the privacy settings of Apple Inc.’s Safari browser.
  • 75. State Attorney General
    • In May 2013, the Connecticut and Maryland Attorneys General questioned LivingSocial Inc. about the details of a data breach that exposed the personal information of approximately 50 million users.
    • The Connecticut and Maryland Attorneys General issued 15 written questions to LivingSocial regarding the scope of the breach, as well as its privacy and security policies.
  • 76. State Attorney General
    • Examples of questions posed by the Attorneys General include:
      – Detailed timeline of the incident
      – Number of affected individuals in each state
      – Types of personal information compromised
      – Steps taken to determine that no financial or credit card information was compromised
      – Steps taken to protect user passwords
      – How the company collects user data and how long it retains such data
      – Copies of any privacy policies
      – Plans developed to prevent another breach
  • 77. State Attorney General
    • Both Connecticut and Maryland have statutes that require a company to report a data security breach to the Attorney General, as well as to individual consumers.
    • The questions posed by these Attorneys General provide guidance on issues companies should consider in responding to a data security breach.
  • 78. State Attorney General: Recent Action
    • State of Connecticut v. Citibank, N.A.:
      – Citibank’s Account Online banking system permitted hackers to access multiple user accounts.
      – The hackers logged in with a valid account number and password, then changed a few characters in the URL bar to reach other customers’ accounts: the server trusted the account identifier in the request without checking that it belonged to the logged-in user.
      – Exposed personal information of 360,000 Citibank customers, including 5,066 Connecticut residents.
  • 79. State Attorney General: Recent Action
    • State of Connecticut v. Citibank, N.A.:
      – The vulnerability may have existed since 2008.
      – Citibank discovered the breach on May 10, 2011.
      – Citibank fixed the vulnerability on May 27, 2011, but did not begin notifying consumers until June 3, 2011.
      – Citibank settled the action and agreed to:
        • Pay a $55,000 fine.
        • Obtain a third-party data security audit of its online credit card account system.
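The Citibank flaw on slides 78 and 79 is the textbook missing object-level authorization check: the identifier in the URL is trusted as proof of ownership. The following is an added example, not Citibank’s code and not material from the presentation. It shows the vulnerable lookup beside a hardened one that ties every account read to the authenticated user, an opaque per-session reference so raw account numbers never appear in URLs, and a small detector that flags a session walking through many distinct account ids, which is the access-log signature of the enumeration the slide describes. The account table, session ids, log lines and the `SERVER_KEY` value are all constructed; a real deployment would keep the key in a secrets store.

```python
"""Insecure direct object reference, its fix, and a log-side detector (added example).

Everything here is constructed sample data; it is not Citibank's application
and the log format is an assumption for illustration.
"""
import hashlib
import hmac
import re
from collections import defaultdict

ACCOUNTS = {  # account number -> record (constructed)
    "1001": {"owner": "alice", "balance": 1200},
    "1002": {"owner": "bob", "balance": 340},
    "1003": {"owner": "carol", "balance": 9800},
}

SERVER_KEY = b"constructed-demo-key"  # assumption: real key comes from a secrets store


class Forbidden(Exception):
    """Raised when a request does not prove ownership of the object it names."""


def lookup_vulnerable(session_user, account_id):
    """The flaw: the URL parameter alone selects the record. Any authenticated
    user who edits ?id= in the URL reads another customer's account."""
    return ACCOUNTS.get(account_id)


def lookup_hardened(session_user, account_id):
    """Authorization on every object access: the caller must own the account.
    Missing and foreign accounts return the same error so the id space cannot
    be probed for which numbers exist."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden("no such account for this user")
    return acct


def hardened_allows(session_user, account_id):
    """True if the hardened lookup would serve the record (helper for checks)."""
    try:
        lookup_hardened(session_user, account_id)
        return True
    except Forbidden:
        return False


def opaque_ref(session_id, account_id):
    """Per-session reference for URLs: an HMAC over session and account, so the
    raw account number is never exposed and a reference from one session is
    meaningless in another."""
    msg = f"{session_id}:{account_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def resolve_ref(session_id, session_user, ref):
    """Resolve an opaque reference, searching only the caller's own accounts."""
    for acct_id, acct in ACCOUNTS.items():
        if acct["owner"] == session_user and hmac.compare_digest(opaque_ref(session_id, acct_id), ref):
            return acct
    raise Forbidden("unknown reference")


def ref_allows(session_id, session_user, ref):
    try:
        resolve_ref(session_id, session_user, ref)
        return True
    except Forbidden:
        return False


# Constructed access log: one legitimate session (A) and one walking the id space (B).
LOG = [
    "sess=A GET /account?id=1001",
    "sess=B GET /account?id=1002",
    "sess=B GET /account?id=1003",
    "sess=B GET /account?id=1004",
    "sess=B GET /account?id=1005",
]

LOG_RE = re.compile(r"sess=(\S+) GET /account\?id=(\d+)")


def enumerating_sessions(log_lines, threshold=3):
    """Sessions that touched at least `threshold` distinct account ids. A
    customer normally reads a handful of their own accounts; dozens of distinct
    ids from one session is the enumeration pattern from the slide."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, alice reads bob:", lookup_vulnerable("alice", "1002"))
    print("hardened, alice reads bob:", hardened_allows("alice", "1002"))
    print("opaque ref for alice/1001 in session S1:", opaque_ref("S1", "1001"))
    print("enumerating sessions:", enumerating_sessions(LOG))
```

The detector is deliberately simple; in practice the threshold is tuned per application and the same query would be run against the web server or WAF logs rather than a list in memory, but the signal (distinct object ids per session) is what to look for when reviewing whether a flaw like this was exploited before the fix date.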
  • 80. Litigation Typical Claims By Plaintiffs • Plaintiffs (consumers or employees) typically allege the following causes of action: – Negligence, breach of contract, breach of implied covenant or breach of fiduciary duty. – Violations of state consumer protection statutes – deceptive/unfair trade practices acts. – Violations of Computer Fraud and Abuse Act, Electronic Communications Privacy Act or Stored Communications Act. 80
  • 81. Litigation Typical Claims By Plaintiffs • Historically, courts dismissed data breach cases because plaintiffs failed to allege: – Standing: “credible threat of harm” that is “both real and immediate, not conjectural or hypothetical.” • e.g., increased risk of identity theft – Damages: “cognizable injury” (i.e., economic injury or actual pecuniary loss). • e.g., financial fraud, un-reimbursed charges 81
  • 82. Litigation Plaintiffs Lack Standing • In re LinkedIn User Privacy Litig. (N.D. Cal.): – Plaintiffs filed complaint against LinkedIn over a data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet. – Plaintiff argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for premium memberships. – On March 6, 2013, the Court granted LinkedIn’s motion to dismiss the complaint. 82
  • 83. Litigation: Plaintiffs Lack Standing
    • In re LinkedIn User Privacy Litig. (N.D. Cal.):
      – The Court held that, “[t]o satisfy Article III standing, plaintiff must allege:
        • an injury-in-fact that is concrete and particularized, as well as actual and imminent;
        • that injury is fairly traceable to the challenged action of the defendant; and
        • that it is likely (not merely speculative) that injury will be redressed by a favorable decision.”
  • 84. Litigation: Plaintiffs Lack Standing
    • In re LinkedIn User Privacy Litig. (N.D. Cal.):
      – Plaintiffs failed to allege that “included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.”
      – Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.
      – Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of personally identifiable information.”
  • 85. Litigation: Plaintiffs Lack Standing
    • In re Barnes & Noble Pin Pad Litigation (N.D. Ill.):
      – Skimmers placed on PIN pad devices at 63 locations.
      – Plaintiffs argued a wide variety of damages:
        • Increased risk of identity theft
        • Untimely and inadequate notification
        • Improper disclosure of PII
        • Invasion of privacy
        • Decreased value of PII
        • Anxiety and emotional distress
        • Overpayment for products
  • 86. Litigation: Plaintiffs Lack Standing
    • In re Barnes & Noble Pin Pad Litigation (N.D. Ill.):
      – Relying on the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA Inc., No. 11-1025 (2013), the Court granted Barnes & Noble’s motion to dismiss.
        • Clapper: Held that private citizens lacked standing to challenge 2008 amendments to the Foreign Intelligence Surveillance Act because they could not show the government had actually spied on them.
  • 87. Litigation: Plaintiffs Lack Standing
    • In re Barnes & Noble Pin Pad Litigation (N.D. Ill.):
      – No proof that an “injury in fact” is “certainly impending.”
        • Speculation of future harm does not constitute actual injury.
        • Even if plaintiffs could prove statutory violations, such violations would be insufficient to establish standing without actual injury.
        • Increased identity theft expenses cannot establish standing for non-imminent harm.
        • Emotional distress insufficient absent any imminent threat to PII.
        • Fraudulent charges were reimbursed.
  • 88. Litigation: Plaintiffs Have Standing
    • Harris v. comScore (N.D. Ill.):
      – Plaintiffs alleged that defendants improperly obtained and used personal information after consumers downloaded and installed company’s software.
      – comScore’s data collection violated the User License Agreement and the Downloading Statement.
      – Court found standing based upon statutory damages available under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Stored Communications Act.
  • 89. Litigation: Plaintiffs Have Standing
    • Robins v. Spokeo, Inc. (9th Cir.):
      – Plaintiff filed complaint alleging that Spokeo violated the Fair Credit Reporting Act by publishing inaccurate personal information about him.
      – District Court granted motion to dismiss because plaintiff failed to prove an injury-in-fact and, thus, did not establish standing.
      – The Ninth Circuit Court of Appeals reversed the District Court’s decision and held that “the statutory cause of action [FCRA] does not require a showing of actual harm when a plaintiff sues for willful violations.”
  • 90. Litigation: Plaintiffs Have Standing
    • In re: Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal.):
      – Hackers accessed the personal information of millions of Sony’s customers.
      – Based upon plaintiffs’ allegations in their original complaint, the Court found that plaintiffs did not have standing.
      – After filing an amended complaint, on January 21, 2014, the Court found that plaintiffs’ allegations “that their personal information was collected by Sony and then wrongfully disclosed . . . was sufficient to establish standing at this stage.”
  • 91. Litigation: Plaintiffs Have Standing
    • In re: Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal.):
      – The Court held that plaintiffs “plausibly alleged a ‘credible threat’ of impending harm” and that plaintiffs were not required to allege that their data was actually accessed by a third party.
      – Although plaintiffs overcame the standing hurdle, the Court dismissed 43 of 51 of plaintiffs’ counts (including breach of contract and negligence claims) for failure to state a claim.
        • e.g., failed to prove causation and/or damages under common law claims
  • 92. Litigation: Plaintiffs Have Standing
    • In re: Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal.):
      – The Court allowed claims under consumer protection statutes to proceed:
        • e.g., unfair competition, false advertising, deceptive and unfair trade practices.
        • Claims mainly based upon alleged misrepresentations regarding “reasonable security” and “industry-standard encryption.”
        • Misrepresentations caused plaintiffs to pay more for product than if accurately described.
        • The elements of statutory causes of action are different than the ones required for common law claims.
  • 93. Avoid Future Data Security Breaches
    • Understand what types of personal information are collected, how, where and how long it is stored, and who has access to it
    • Collect only personal information necessary to conduct business
    • Retain personal information for the shortest time necessary to conduct business
    • Limit access to personal information
    • Encrypt data
  • 94. Avoid Future Data Security Breaches
    • Establish internal policies to protect personal information
      – e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies
    • Comply with promises made to consumers or employees regarding privacy and security of personal information
      – Disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete
  • 95. Avoid Future Data Security Breaches
    • Train employees
    • Conduct periodic audits
    • Update and revise policies and procedures regularly
    • Enhance technology to strengthen security and reduce risk
      – e.g., strong firewalls, scans for vulnerabilities, up-to-date anti-virus software
    • Use care when engaging third-party vendors and hold them to high standards