When not if

Get your
CyberEbola Vaccine NOW!
It’s no longer IF your customer or employee data will be hacked; it’s WHEN.
While you are waiting for the program to begin,
Take the 5-minute pre-quiz!!
You can find it in the attached materials.

David L. Fleck, Esq.
• White Collar Crime Prosecutor
• 10 Years
• Los Angeles District Attorney’s Ofc.
• 53 jury trials
• Private Practice
• Fraud and Cybersecurity
• Prevention and Litigation
• Key Expertise
• Communicating complex material to
students, juries, and clients
• College Professor – Civil Litigation
David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - David@RudoyFleck.com, (818) 268-5929 2

AGENDA: Preparing for a Cyber Attack
Part 1
State of CyberSecurity in Business Today
Part 2
Case Studies and the Law
Part 3
Action Items

1) State of Cyber Security
in Business Today
David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - David@RudoyFleck.com, (818) 268-5929

Top Hacks of 2015

HackMaggeddon.com
72
69
87
80
73
91
85
70
87
89
58
74
0 10 20 30 40 50 60 70 80 90 100
Aug-14
Sep-14
Oct-14
Nov-14
Dec-14
Jan-15
Feb-15
Mar-15
Apr-15
May-15
Jun-15
Jul-15
Known Breaches Per Month
935 known
data
breaches in
12 month
period
6

Affect on Breached Companies
US$3,800,000.00*
US$154.00 per stolen record
*Does not include megabreaches like Target ($148M).

Exception: Healthcare Companies
• Average cost per stolen record: US$363
• Medical records are most valuable
• Easy to get – many hospitals use old software
• Used to create fake profiles to:
• Buy medical equipment for resale
• File false claims with Medicare
• Long shelf life – can’t replace like credit card
• Bundle of 10 medical records – US$4700
• Utah Medical Group: 1000s of attempts/week

Direct Costs of Breach
• Investigating the cause of the breach
• Fixing the breach
• Setting up hotlines for customers
• Free credit monitoring for victims
• Legal costs
David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - David@RudoyFleck.com, (818) 268-5929David L. Fleck, Esq. - Fraud & Cybersecurity Litigation (Local & International) - David@RudoyFleck.com, (818) 268-5929 9

Indirect Costs of Breach
• Loss of business because of wary customers
• Loss of reputation and customer loyalty
• Marketing expenses to redevelop goodwill

2) Case Studies
And the Law

The Houstonian Hotel
• Luxury hotel in Houston, Texas
• George HW Bush used Hotel as his
voting residence in 1980s
• By founder of Browning-Ferris
Industries
• Marketed as destination “for
business executives trying to shed
pounds and rediscover their inner
velociraptor.”

The Breach
• Lasted 6 months
• Possibly affected 10,000 customers;
actual number unknown
• Credit card POS devices
• NOT detected by hotel
• Notified by Secret Service

Impact
• Customers angry about delayed
notice
• Direct costs
• “forensic investigators”
• New POS system
• Credit monitoring
• No lawsuit (yet?)
• 10,000 X $154 = $1,540,000
• Marketing
• Rebuild trust
• Rebuild brand loyalty

Lessons Learned from Houstonian Breach
1. CIO/CISO must develop a strategy to detect data
breaches.
• If caught early, less damage.
2. Give notice to affected customers as soon as possible.
• Possible reasons for delay
Criminal investigation
Want to develop strategy before announcing breach
• Anticipate breach and plan ahead

PNI Digital Media
• Founded in 1995
• Operates on-line photo websites
• Operates photo centers in:
• Walmart Canada
• Sam’s Club
• CVS
• Costco
• Rite Aid
• Owned by Staples since 2014

The Breach
• Third-party vendor breach
• Data includes
• Names
• Addresses
• Email Addresses
• Phone Numbers
• Credit Card Numbers & Verif. Codes
• Passwords
• “Breach Window” - July & Aug. 2015
• Number of Customers Unknown

Impact
• Loss of All Major Clients
• Probably Enough to Destroy
Company
• But it gets worse…
• CLASS ACTION LAWSUIT!!
• The Settlement will be
Six Figures At least
• Plus attorney’s fees
• Even a weak case will cost at least
US$1,000,000.00!

Lessons Learned from PNI Media Breach
1. Do you Cyber Due Diligence on the data security strategies of your
3rd Party Vendors.
2. Do you Cyber Due Diligence on the data security strategies of
companies you acquire. (Consider: Experian)
3. Troubles don’t end when you fix the breach
4. Your breach strategy should include plans for business continuity
after breach
5. Data Breaches are expensive
Will PNI survive?

Settlements
AvMed 1 Million Records
SSNs and Medical Records
$3.1M
Stanford University 20,000
Medical Records
$4.1M
Schnucks (grocery) 2.4 Million
Credit Cards
$2.1M
Vendini (ticketing system) 3 Million
Credit Cards
$3M
Sony (PlayStation) 77 Million
Login Credentials, Credit Cards
$5M
LinkedIn 6.4 Million
Login Credentials
$1.25M
Sony Pictures 50,000 $8M
Target 40 Million
Credit Cards
$67M

• Causes of Action: sets of facts sufficient to
justify a right to sue
1. Negligence
2. Breach of Implied Contract
3. Breach of Contract
4. Bailment
5. Violation of State Statute About Privacy
6. Unjust Enrichment
T.A.N., an individual
v.
PNI Digital Media, Inc.

NEGLIGENCE:
Requires a Duty to Act/Not Act
• Duty to exercise reasonable care in
safeguarding/protecting info.
• Duty to design, maintain, and test
security systems and take other
reasonable security measures to
secure personal information
• Duty to implement processes to
detect breaches
• Duty to make timely disclosure of
breach

SOURCES OF DUTY (Part One)
• COMMON LAW
• Reasonable Care: the degree of
caution an ordinarily prudent and
rational person would.
• Consider:
1. Foreseeable likelihood of breach
2. Foreseeable severity of harm
3. Burden of taking precautions

SOURCES OF DUTY (Part Two)
• State Statutes
• PNI – Georgia
• Sony – California & Virginia
• US Statutes
• HIPAA – Medical Data
• COPPA – Children’s Data
• International Agreements
• US-EU Safe Harbor Frameworks
• APEC Privacy Framework

Examples of Negligence from Lawsuits
• Failure to develop and implement adequate security protections
• Ignoring recommendations of employees and consultants
• Misleading consumers about level of security
• Not having or not following cybersecurity protocol
• Executives and Board Members uninformed on issue of
cybersecurity
• Taking too long to give notice to customers about breach

3) Action Items

Personally Identifiable
Information (PII)
“Information that can be used on its
own or with other information to
identify, contact, or locate a single
person, or to identify an individual in
context.”
• First name or initial plus last name
and any of the following:
• SSN
• Date of Birth
• Financial Numbers
• Medical Record
• Definition varies from state to state

STEP 1:
Survey Your Employees
• Data Landscape in Your Company
• What data does your company collect from employees, customers, vendors,
etc.?
• How is the data used?
• Security Measures
• What security measures and procedures
are in place?
• Who has access to the data?
• What security measures do your
competitors, affiliates and vendors have
in place?

STEP 1:
Survey Your Employees
• Weak Points
• Employee Access?
• Who has access to the data?
• Who needs access to the data?
• How do you verify the ID of the employee
before they access the data/
• External Threats
• Hackers
• Dumpster Divers
• Third-Parties
• Vendors
• Acquired Companies

STEP 2:
Survey the Law
• Which Privacy Statutes Apply to your Industry?
• Medical Record Statutes – Health Insurance Portability and Accountability Act
(HIPAA), Medical Information Privacy and Security Act (MIPSA)
• Financial Privacy Laws – Right to Financial Privacy Act, Dodd-Frank Act,
Gramm-Leach-Bliley Act
• Privacy of Children – Children’s Online Privacy Protection Act (COPPA)
• Consumer Privacy Laws
• Statutes in your State or Country
• International Statutes and Agreements
• What requirements do the statutes impose on your company?

STEP 3:
Develop your Company Policies
• Before a Breach
• Provide Notice to Customers of Privacy Protections (if required
by law)
• Implement multi-layered strategy to prevent breach
• Establish procedures to detect data breaches
• Purchase CyberInsurance
• Look first at your Commercial General Liability (CGL) policy
• If CGL has data breach exclusions, perchase “cyber” insurance as needed.

STEP 3:
Develop your Company Policies
• In Preparation for a Breach
• Draft a Data Breach Response Manual
• Develop Breach Chain of Command and Crisis Communication Channels
• Create Plan to Document details of the breach and its discovery
• Develop Plan to preserve documentation
• Develop a relationship with law enforcement
• Develop plan for giving notice to customers whose data was affected

1. A data breach is almost
inevitable in today’s
business world
2. The cost can be devastating
3. Preparation can:
1. Reduce the likelihood of
breach
2. Reduce your liability
3. Ensure that your company
continues to exist

David L. Fleck
Attorney-at-Law
www.RudoyFleck.com
(818) 268-5929

When not if

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (11)

Similar to When not if

Similar to When not if (20)

Recently uploaded

Recently uploaded (20)

When not if

Editor's Notes