
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach


This was presented by three Frost, Brown &Todd Attorneys at the TALK Cybersecurity Summit 2018. A handout on the subject is included.


  1. Legal Issues In Data Privacy & Security: Anticipating, Then Responding To The Breach
     Robert W. Dibert, Connie Wilkinson-Tobbe, Lindsay P. Graves, Alison P. Howard. June 14, 2018.
     Presentation for the Technology Assoc. of Louisville Kentucky, Cybersecurity Summit.
     Views expressed in these materials are those of the authors individually, and do not constitute legal or any other formal advice.
  2. Why Are Lawyers Here?!?!?
     • “the relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” FTC v. Wyndham Worldwide Corp., No. 14-3514, Slip Op. at 39-40 (3rd Cir. 8/24/2015)
     • Defendant “has made a supplemental production of the approximately 15,000 additional documents inadvertently omitted from its prior production. However, at least 500 pages have been inadvertently omitted from that production as well. No later than August 23, 2010, defendant … will produce the omitted pages. Defense counsel will personally supervise the preparation of this production and will assure the completeness of the production.” Chubb Custom Ins. Co. v. Grange Mut. Cas. Co., No. 2:07-cv-1285 (S.D. Ohio 8/19/10).
     • “The defendants are to provide [one defendant]’s wife[’s] computer image to the plaintiffs. Mr. Dibert will communicate with the defendants’ IT personnel for the information.” PPG Indus. v. Payne, No. 3:10-cv-73 (E.D. Tenn. 5/21/10).
     • In re Seroquel Products Liab. Lit., No. 06-md-1769, Slip Op. at 26 (M.D. Fla. 8/21/07) (“a party is responsible for the errors of its vendors”).
  3. Why? (2)
     Defendants, must … establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about U.S. consumers … Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers, including:
     A. the designation of an employee or employees to coordinate and be responsible for the information security program;
     B. the identification of internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. …
     C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
     D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Defendants, and requiring service providers, by contract, to implement and maintain appropriate safeguards; and
     E. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by sub-Section C, … or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the information security program.
     FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1-9 at 4-5 (D.D.C. 12/14/2016) (“Ashley Madison”)
  4. Why? (3)
  5. And Who? …
  6. Will Read The Fine Print ...?
     <Vendor> AND <Vendor>’S LICENSORS, RESELLERS AND/OR DISTRIBUTORS MAKE NO OTHER WARRANTY OR CONDITION, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, REGARDING THE SERVICES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT ERROR FREE OPERATION OR NON-INTRUSION DUE TO HACKING OR OTHER SIMILAR MEANS OF UNAUTHORIZED ACCESS. FURTHER <Vendor> DOES NOT GUARANTY THAT ... THE SERVICES WILL MEET YOUR REQUIREMENTS, SPECIFICATIONS OR EXPECTATIONS. ... NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING BUT NOT LIMITED TO STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR PERFORMANCE OF ANY SERVICES ... WHICH IS NOT CONTAINED IN THIS AGREEMENT, WILL BE DEEMED TO BE A WARRANTY BY <Vendor> FOR ANY PURPOSE OR GIVE RISE TO ANY LIABILITY OF <Vendor> WHATSOEVER. YOU ACKNOWLEDGE THAT IT IS IMPOSSIBLE UNDER ANY AVAILABLE TECHNOLOGY FOR ANY APPLICATION TO IDENTIFY AND ELIMINATE ALL MALWARE.
  7. Today’s Agenda
     I. Three-dimensional Data (And, Therefore, Threats) …
        A. What Is The Environment/What Are The Odds?
        B. What Is The Environment/What Are The Costs?
     II. Anticipating Threats
        A. Legal Duties
        B. The NIST Framework
        C. Cyber Insurance
        D. GDPR
        E. Data Mapping
     III. Incident Response
        A. Applying Laws & Frameworks
        B. Time For Compliance
           1. Notice requirements
           2. Courts accelerate compliance
           3. Examples of cyber-evidence
  8. I. Three-D Data And, Therefore, Threats ...
     “In 2015, 43 percent of all attacks were directed at small businesses. … 42 percent of small businesses surveyed by the National Small Business Association (NSBA) reported being a victim of a cyber-attack, with cyber-attacks cost an average $32,021 for companies whose business banking accounts were hacked, and $7,115 on average for small businesses overall.” R. Luft (on behalf of NSBA), “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option” at 2,3; Hearing before the House Small Business Committee (7/26/2017).
  9. What is the Environment/What are the Odds?
     The Global Risks Landscape 2018, World Economic Forum, Global Risks Report 2018 (1/17/2018)
  10. Environment/Odds (2)
     Ponemon Institute, 2017 Cost of Data Breach Study at 14 (6/6/2017).
  11. Environment/Odds (3)
     Verizon 2018 Data Breach Investigations Report at 5 (4/2018).
  12. What Are The Costs?
     • “Almost half of organizations represented in this research (47 percent) identified the root cause of the data breach as a malicious or criminal attack and the average cost was approximately $156 [per compromised record]. In contrast system glitches and human error or negligence averaged approximately $128 and $126, respectively.” Ponemon, supra at 4 (6/6/2017).
     • “Third party involvement in a breach and extensive cloud migration at the time of the breach increases the cost.” Id., at 6.
     • Small to medium-sized businesses may face cyber incident losses ranging in the tens of thousands of dollars per incident. See The Hiscox Cyber Readiness Report 2017, at 5 (Forrester Research survey found an average cost per incident of $35,967 for businesses with fewer than 99 employees).
     • Example cyber insurance annual premiums may range from hundreds (for $1-2 million coverage on a small business) to more than $40,000 (for $5-10 million coverage on a medium-sized business).
     • The average cyber insurance claim may average $250,000.
     • “Expenses/fines related to breach of customer/personal information is the primary driver for purchasing a cyber insurance policy. Conversely, just 10 percent of respondents identified business interruption as the primary reason for purchasing the cover.” Information Security And Cyber Risk Management Survey 4 (Advisen/Zurich North America Oct. 2017)
  13. II. Anticipating Threats
     A. General Legal Duties: Beyond Sectors
     B. The NIST Framework
     C. Cyber Insurance
     D. GDPR
     E. Data Mapping
  14. General Legal Duties: Beyond Sectors
     • Common law fiduciary duties to protect non-public information: Attorney-client; employer-employee … see also, Savidge v Pharm-Save, Inc., 2017 WL 5986972 (W.D. Ky. 12/1/2017) (“the Court can draw the reasonable inference that, because [the employee] Plaintiffs' information was released to unauthorized individuals, Defendants breached their duties to safeguard that information ... Defendants' motion to dismiss will be denied with respect to Plaintiffs' negligence claim.”); id. (“these facts [of employees providing ‘personal information for tax purposes and to receive employment and benefits’] are sufficient for the Court to draw the reasonable inference that Defendants impliedly assented to protect Plaintiffs' information ... Plaintiffs have adequately pled the existence of an implied contract”).
     • General statutory duty to protect confidentiality of non-public citizen data: “At least 13 states now have general information security laws that require reasonable measures to protect defined categories of personal information (including Arkansas, California, Connecticut, Illinois, Maryland, Massachusetts, Nevada, New Jersey, New York, Oregon, Rhode Island, Texas, and Utah). ... ‘personal information’ is usually defined to include general or specific facts about an identifiable individual.” I. Hemmans & D. Ries, Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World, at 25 (ABA Law Prac. Div. 4/27/2016).
     • Mandatory, secure disposal of records containing “personal information” when their legal or business retention has expired. KRS 365.725.
     • Duty to notify individuals of a data security breach: “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” Nat’l Conf. of State Legislatures (NCSL), Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (3/29/2018) (last visited 4/17/2018).
  15. The NIST Framework
     “This voluntary framework provides a much needed roadmap for improving the cybersecurity of our most critical infrastructure… Companies now have a common, but flexible path forward to better secure their systems, and also a meaningful way to measure their progress. We must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security.” - Senator Tom Carper (D-DE), Chairman of the Committee on Homeland Security and Governmental Affairs
     “The release of the Cybersecurity Framework is a helpful step forward in providing guidance and best practices to help companies, particularly small and medium sized companies, grappling with today's cyber threats.” - Michael Chertoff, Secretary of Homeland Security under President George W. Bush and Chairman of the Chertoff Group
     Image Credit: https://www.nist.gov/cyberframework/new-framework
  16. The NIST Framework: Implementation Tiers
     Image Credits: https://www.nist.gov/cyberframework/online-learning/components-framework
  17. The NIST Framework: Core
     Image Credits: https://www.nist.gov/cyberframework/online-learning/components-framework
  18. The NIST Framework: 5 Core Functions
     Nat’l Inst. for Standards & Technology (“NIST”), Framework for Improving Critical Infrastructure Cybersecurity at 23, App. A/Table 1 (ver. 1.1; 4/16/2018).
  19. NIST Core Functions (cont.)
     Image Credit: https://www.nist.gov/cyberframework/online-learning/components-framework
  20. The NIST Framework: Profiles
     Image Credits: https://www.nist.gov/cyberframework/online-learning/components-framework
  21. The NIST Framework: Core Implementation
  22. Cyber Insurance
     • Compliance = Policies & procedures.
     • Risk = Loss, theft, or damage to irreplaceable data (ex. customer lists), sensitive customer information (ex. social security numbers, credit information), intellectual property (ex. the secret recipe….yours, or the customer’s).
     • Loss = liability to others and/or business losses.
     • Insurance = Part of Compliance and Mitigating Risk of Loss.
     • Consider Insurance in Policies & Response Protocol.
     This presentation provides a brief overview of insurance considerations based on our legal experience and observations. Please consult with a licensed agent to determine your specific coverage needs and available options.
  23. Application: First Considerations
     • Require service providers to demonstrate adequate security policies and procedures?
     • Require 3rd party indemnification?
     • Restrict employee access to personally identifiable information on a business-need to know basis?
     • Implement an identity theft program (aka FTC “Red Flags”)?
     • Have a written Intellectual Property clearance procedure?
     • Were such policies reviewed by a qualified attorney?
     • Have a designated Chief Security Officer? Chief Privacy Officer?
     • Have a disaster recovery plan? Business continuity plan?
     • Have an incident response plan for network intrusions and virus incidents?
     • How often are such plans tested?
     • Conduct training for every employee user regarding security events and procedures?
     • Encrypt data stored on laptop computers, back-up tapes?
     Image credits: photos by Unknown Author, licensed under CC BY-NC and CC BY-NC-SA.
  24. Application: Some Coverage Options
     • Do existing E&O, CGL, Crime, etc. coverages … have: _____?
     • Review a sample copy of any Policy you consider purchasing: The Writing controls the coverage!
       • Theft and Fraud – Destruction or loss of policyholder’s data
       • Forensic Investigation
       • Business Continuity – Cyber events and data loss = investigation, reporting, lost income and costs
       • Extortion (Ransomware) – Pay the ransom?
       • Computer data loss and restoration
       • 3rd party claims (privacy injury, identity theft, etc.)
       • Network damage (damage due to viruses)
       • Loss or theft of data, including proprietary information
       • Costs to comply with “duty to notify” laws
       • Crisis Management/Public Relations
       • Regulatory expenses, fines and penalties
       • Legal counsel – yours? Or panel counsel?
       • Custom coverage – livestock, golf course, etc.
  25. Mapping Your Cyber Insurance Needs
  26. When – Not “If” – A Cyber Incident Occurs: STOP … THINK ... what insurance could apply? E&O? Crime? Cyber?
     • Know your Duties: (1) Policy (or Policies); and (2) Written Incident Response Plan
     • Policy Duties -- Follow written procedures to preserve coverage. Triggers for incident response? Definition of “claim”? Concerned about premium effects? Any “pre-notice” or “pre-claim” provisions? Notification/reporting requirements? Term? Business changes/insurance revisions?
     • Incident Response Plan Duties -- Is Insurance Addressed? There may be coverage for immediate steps following a cyber incident, i.e. forensic investigator, legal counsel, compliance with notification laws, etc.
     • Seek Legal Help -- Consult counsel or a designated incident response officer BEFORE notifying anyone else.
  27. What is the GDPR?
  28. The GDPR – Bigger Than Beyoncé
     Image Credit: Jason Karaian
  29. GDPR Impact
     Image Credit: Marcel Freinbichler
  30. U.S. /EU, Pre-GDPR Web Performance
     Image Credit: Marcel Freinbichler
  31. GDPR: EU Performance Impact
     Image Credit: Marcel Freinbichler
  32. The GDPR Requires That “Personal Data” Shall Be:
  33. Does The GDPR Apply To My Business?
  34. Benefits Of Complying With The GDPR
     1. Reduce Reputational Risks
     2. Reduce Financial Risks
     3. Organize Your Data
     4. Build Trust
     5. Reduce Chaos
     6. Peace of Mind
  35. Steps To Compliance – IT
  36. Anticipating Threats: Data Mapping
     • “Knowing the type of data collected, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a ‘data map’ or a ‘data inventory.’” D. Zetoony, Data Privacy and Security: A Practical Guide for In-House Counsel 1 (Wash. Legal Foundation, May 2016).
     • How is a data map compiled?
       • System inventories
       • Organization charts
       • Classification systems?
     • How frequently is a map updated?
  37. Mapping Systems
  38. Mapping Types
  39. Mapping Locations
  40. Mapping Content
  41. Cybersecurity: Summary Retention & Compliance Issues
     • How and Where are your records for customer & employee financial & health data created, communicated & stored?
     • Who are the custodians responsible for the security of that data?
     • Where are the records to define the reasonable administrative, physical & technical safeguards that protect Critical Cyber Assets, as well as employee & customer financial & health data?
     • Are the records identifiable within the general categories of administrative, physical & technical safeguards?
     • Are the classifications of technical records (such as system security logs) NIST-consistent, and do they include logs of internet access & use of connected facilities?
     • Does your RIM taxonomy account for specific jurisdictional requirements (e.g., Massachusetts encryption and WISP requirements for personal data)?
     • Who are the custodians responsible for maintaining and updating those records?
     • How frequently are systems mapped, or otherwise tested, to validate the continuing accuracy of the records classifications?
  42. III. Incident Response
     A. Applying Laws & Frameworks
     B. Time For Compliance
        1. Notice Requirements
        2. Courts accelerate compliance
        3. Examples of cyber-evidence
  43. (Choice of) Laws & Frameworks
     • Whose Law Controls? “Kentucky has adopted the ‘most significant relationship’ test to resolve choice of law issues relating to contract disputes. … ‘[t]he rights and duties of the parties with respect to an issue in contract are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties …’ Kentucky will override the outcome of the ‘most significant relationship’ test and apply its own laws if ‘a clear and certain statement of strong public policy in controlling laws or judicial precedent’ would be violated in applying another state's laws.” Henry v. Travelers Personal Security Insurance Co., 2016-CA-001939-MR (Ky. App. 2/2/2018) (unpublished) (citations omitted).
       “Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. … extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation.” GDPR, at Recital (115).
     • Is There a Race to an Agency or Courthouse?
     • What are the Facts Supporting One Choice Over Another?
     • Does the Framework Provide Early Answers?
  44. Compliance: Notice Requirements
     • Nature of the Incident?
       • Which sector?
       • Are specific contracts or other duties implicated?
     • Time to Notify?
       • State data breach notification laws may provide for notice within anywhere from 14-90 days after discovery of the incident.
       • GDPR compresses the notice timeframe to 72 hours (Art. 33:1)
     • Manner of Notice?
     • Does the Framework Provide Early Answers?
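The data-mapping slide (36) and the notice-requirements slide (44) describe two halves of one response task: knowing which systems hold whose personal data, and knowing how quickly each affected jurisdiction must be told. The following is an added example (not part of the presentation or the authors' materials) that joins a small data inventory to a table of notice windows so that, once an incident is discovered, a response team can see every clock that is running and which one expires first. The 72-hour GDPR window is taken from the slides; the state windows, the system names, custodians and jurisdiction codes are constructed placeholders, and the real statute for each jurisdiction must be substituted before use.

```python
"""Added example: map compromised systems to breach-notification deadlines.

Not the presenters' code. The data map and the state notice windows below
are constructed for illustration; the only figure taken from the slides is
the GDPR 72-hour window (Art. 33(1)).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed notice windows, keyed by a jurisdiction code. "EU" reflects the
# 72-hour GDPR figure on the slides; "STATE_A"/"STATE_B" are placeholders that
# sit inside the 14-90 day range the slides mention and must be replaced with
# the period the applicable statute actually sets.
NOTICE_WINDOWS = {
    "EU": timedelta(hours=72),
    "STATE_A": timedelta(days=30),  # placeholder
    "STATE_B": timedelta(days=45),  # placeholder
}


@dataclass(frozen=True)
class DataMapEntry:
    """One row of a data inventory: what is held, where, by whom, for whom."""
    system: str
    data_type: str
    location: str          # where the data is held (on-prem, vendor, cloud)
    custodian: str         # person accountable for the data's security
    jurisdictions: tuple   # where the affected individuals reside


# Constructed sample inventory (hypothetical systems and custodians).
DATA_MAP = [
    DataMapEntry("hr-payroll", "employee PII", "on-prem SQL", "HR Director", ("STATE_A", "EU")),
    DataMapEntry("crm", "customer contact data", "SaaS vendor", "Sales Ops", ("STATE_B",)),
    DataMapEntry("public-web", "none", "CDN", "Marketing", ()),
]

# Constructed discovery timestamp used by the stand-alone run below.
EXAMPLE_DISCOVERY = datetime(2018, 6, 14, 9, 0)


def affected_entries(data_map, compromised_systems):
    """Return inventory rows for compromised systems that hold data on real people."""
    return [e for e in data_map if e.system in compromised_systems and e.jurisdictions]


def notification_deadlines(data_map, compromised_systems, discovered_at):
    """Map each affected jurisdiction to (deadline, [systems that triggered it]).

    Raises KeyError for a jurisdiction with no configured window, because a
    missing entry should stop the run rather than silently drop a deadline.
    """
    deadlines = {}
    for entry in affected_entries(data_map, compromised_systems):
        for code in entry.jurisdictions:
            if code not in NOTICE_WINDOWS:
                raise KeyError(f"no notice window configured for jurisdiction {code!r}")
            due = discovered_at + NOTICE_WINDOWS[code]
            deadlines.setdefault(code, (due, []))[1].append(entry.system)
    return deadlines


def earliest_deadline(deadlines):
    """Return the (jurisdiction, (deadline, systems)) pair that expires first, or None."""
    if not deadlines:
        return None
    return min(deadlines.items(), key=lambda item: item[1][0])


if __name__ == "__main__":
    found = notification_deadlines(DATA_MAP, {"hr-payroll"}, EXAMPLE_DISCOVERY)
    for code, (due, systems) in sorted(found.items(), key=lambda i: i[1][0]):
        print(f"{code:8s} notify by {due:%Y-%m-%d %H:%M}  (systems: {', '.join(systems)})")
    first = earliest_deadline(found)
    print("tightest clock:", first[0], first[1][0].isoformat())
```

Running the block with the constructed inventory shows the EU clock (72 hours) expiring well before the placeholder state clock for the same incident, which is the point of keeping jurisdiction on the data map rather than working it out after discovery. A system with no personal data in the inventory produces no deadline at all, and a jurisdiction missing from the window table stops the run rather than being silently skipped.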
  45. Courts Accelerate Compliance
     • Courts expect parties to have document & data retention practices in order: See Rules 16(b)(2); 26(f)(1) (requiring pre-discovery conference & scheduling order within 90-120 days of the beginning of an action); In re Direct Southwest, Inc. FLSA Litigation, 2009 U.S. Dist. LEXIS 69142 (E.D. La.) (requiring execution of supplemental search terms, production of documents & production of privilege log within 10 days).
     • [Defendant] “was ordered to “provide a data-map of the ESI involved in this litigation for in-camera review ... If no data-map exists, then … [defendant] [was to] explain why no ESI data-map exist[ed] and how Counsel ... educated themselves about [defendant’s] information and record keeping systems.” Small v. Univ. Med. Center of Southern Nevada, 2:13-cv-00298 (D. Nev. 8/18/2014). Id., at n. 15 (Court-appointed Special Master “was forced to create his own data map ... from scratch, by synthesizing testimony from IT personnel and other employees”).
     • “[T]he parties have fifteen (15) business days from the date of this order to exchange information regarding the location and existence of electronic data sources that may contain discoverable ESI (the "Data Map"), including information regarding the parties' policies and/or procedures regarding data retention; their computer servers and back-up and archival sources that store ESI; all computers, phones, tablets, and other storage devices issued to the Custodians or used by the Custodians for business purposes; all email accounts and cloud-storage/file-sharing service accounts used by the Custodians for business purposes; and any data source that the party identifies as not reasonably accessible pursuant to Fed. R. Civ. P. 26(b)(2).” Hydrochem LLC v. Duplessis, Civil No. 14-264 (M.D. La. 5/28/2015).
  46. Examples Of Cyber Evidence
     • Logs of internet URL/domain access. Microsoft Corp. v. John Does 1-5, No. 15-cv-6565 (E.D.N.Y. 11/23/2015)
     • Server login records. Tyan v Garcia, No. 15-cv-05443 (C.D. Cal. 5/2/2017)
     • “more than 42,000 files on appellant’s computer were intentionally overwritten on February 6, 2011, using [XXXXXX], a program designed to permanently delete and overwrite files. [Defendants’ expert] was unable to restore or retrieve the content of the overwritten files. In addition, certain files one would expect to find (such as “Recent Folder Activity, Link Files, Recycle Bin Info Files, Temp Folders, and Internet Cache Folders”) were missing and could not be restored or retrieved. [The expert] found remnants of other files …” Braun v. Toyota Motor Sales, U.S.A., Inc., No. B234212 (Cal. App. 2d Dist. 2/13/2013) (unpublished)
     • “Defendants have … failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information.” FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1 at 9, ¶31 (D.D.C. 12/14/2016) (“Ashley Madison”). Cf. Board of Trustees of Ibew Local 43 Electrical Contractors Health v. D'Arcangelo & Co., LLP, 1 N.Y.S. 3d 659, 124 A.D.3d 1358 (4th Dept. 1/2/2015) (motion to dismiss denied where negligence claim was based on alleged failure to obtain an audit report)
  47. Evidence (2)
  48. Evidence (3)
     Excerpt from https://www.minerva.kgi.edu/cookies/ (last visited 6/12/2018)
  49. (Today’s) Conclusions
     • Cyber privacy & security must balance economic, human and technology resources. Balance is essential to preserve, identify, collect & produce material information in an appropriate form, that is reasonably necessary to resolve a privacy/security incident or any other matter.
     • Educated, empowered and accountable employees are a company’s ultimate defense against threats to data integrity and security.
     • An integrated privacy & security program must establish reasonable standards, verify their implementation, and validate their effectiveness on a regular basis.
     • Attorneys will be held responsible for assessing and defending “reasonable” privacy and security standards in particular matters.
  50. Presenters
     Lindsay Graves: Lindsay is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policies and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Lindsay represented individuals and businesses in commercial litigation, including real estate developers and brokers, title insurers and financial institutions. She helped those clients obtain successful outcomes in judicial/appellate, regulatory and mediation/arbitration proceedings throughout the Commonwealth of Kentucky.
     Alison Howard: Alison is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes research, analysis and drafting for privacy policies and practices applicable to financial, insurance, land title and retail consumer businesses. Apart from her work with the Group, Alison has been an experienced litigator, a licensed insurance and real estate agent, and a licensed property and casualty adjuster. She also served as compliance counsel for a national real estate title company, and a conflicts counsel for Frost Brown Todd. Alison has authored and presented multiple official continuing education courses for real estate licensees and government regulators concerning liability insurance and claims experiences.
  51. Presenters (too)
     Connie Wilkinson-Tobbe: Connie is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policy and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Connie was a trial and compliance attorney for both individual and business clients. She helped those clients obtain successful outcomes in bench and jury trials, regulatory and grand jury proceedings, and mediation/arbitration proceedings in Kentucky state and federal courts.
     Robert Dibert: Bob is a Member of the Business Litigation and Electronic Data Discovery (“EDD”) groups at Frost Brown Todd, LLC. He has more than 30 years’ experience litigating commercial disputes, including cases based upon alleged fraud and racketeering violations. His data privacy/security experience began with HIPAA compliance issues in litigation, and has expanded over the last 10 years to include both counseling for breach preparedness and representation for incident response.
  52. Handout: Readiness Checklist
     Robert W. Dibert, Connie Wilkinson-Tobbe, Lindsay P. Graves, Alison P. Howard. June 14, 2018.
     Views expressed in these materials are those of the authors individually, and do not constitute legal or any other formal advice.
     I. Identifying Threats
        A. Do we maintain an annual profile of predominant threats to our business sector?
        B. Do we maintain an annual profile of costs in our sector?
           1. Costs/potential financial impact of predominant threats
           2. Costs of safeguards to prevent or mitigate threats
           3. Costs of insurance to offset impacts of threats
     II. Preparing For Threats
        A. Have we established a Framework to anticipate and respond to threats?
           1. Does that Framework reasonably reflect the scope of our business & legal environment?
           2. Do we verify our use and maintenance of that Framework?
           3. Do we validate the scope and effectiveness of that Framework?
        B. Does our records retention & compliance program include categories for the profiles, Framework, and types of information likely to be necessary for incident response?
     III. Incident Response
        A. Have we identified a team for first response?
        B. Do we maintain a scope and choice of law analysis for how, and how quickly, responses must be made?
        C. Do we have data maps to help identify and contain the compromised area(s)?
        D. Do we have tools or providers necessary to preserve potentially relevant information from the compromised area(s)?
  53. Defending Your Company from a Data Breach
     frostbrowntodd.com | Indiana | Kentucky | Ohio | Pennsylvania | Tennessee | Texas | Virginia | West Virginia. THIS IS AN ADVERTISEMENT. ©2018 Frost Brown Todd LLC All rights reserved.
     Frost Brown Todd’s (FBT) experienced team serves clients ranging from the Fortune 500 to small startups, including health care systems, financial institutions, schools and universities, emerging technology companies, and state and municipal entities. We provide seamless legal counsel on a wide variety of legal issues triggered by data protection and security obligations, and stand ready to assist clients when confronted with a data security incident. Our team has significant experience guiding clients through a data breach response by retaining third-party investigative resources, working with insurance representatives and regulators, and advising on and developing a notification plan. We also assist clients with addressing current and emerging data privacy and security issues, including cybersecurity preparedness via information security and privacy programs, incident response plans, disputes and litigation, regulatory investigations, and cyber insurance evaluation and claims. We advise clients on the implications of data security compliance obligations in mergers and acquisitions, such as corporate governance and risk management, vendor due diligence, and cross-border data transfers.
     The privacy and security landscape is changing more rapidly than ever before, and the threats to businesses’ confidential information, trade secrets, and other assets are only increasing. Each year, data breaches continue to escalate in scale and sophistication, and the methods used for infiltration of businesses’ systems continue to evolve. Regulators have responded to the threats with an extensive array of requirements and de facto standards. Now, more than ever, businesses must confront this risk head on and address the need to protect and defend their data, whether it is consumer or employee data, intellectual property, or product information. Concrete and practical steps must be taken to address not only the legal risks, but reputational risks as well.
  54. 54. Snooping is one of the most common causes of a HIPAA breach. This can occur in a HIPAA-covered entity if an employee looks at PHI beyond what is necessary to perform their responsibilities for the employer. Case Study: Compliance Following a HIPAA Privacy Breach This incident is a cautionary tale for HIPAA-covered entities (health care providers, insurers or group health plans sponsored by an employer) which may have access to HIPAA-protected information in their files. Incident: As part of her job responsibilities for a medical practice, “Employee A” reviews medical records for purposes of determining the proper charge for the services provided by the medical practice. One day, she realizes that the medical record she is reviewing is for a fellow employee, “Employee B,” who has received services by the medical practice. Instead of limiting her current review to the specific medical record for the recent office visit of “Employee B,” “Employee A,” apparently out of curiosity, looked at a number of other “Employee B” medical records. In a routine audit, the medical practice’s information technology staff determined that “Employee A” looked at numerous medical records on one specific date. Because “Employee A” has no legitimate reason to review the prior test information to perform her duties, this unauthorized use of protected health information (PHI) was a HIPAA breach required to be reported to the patient and to Health and Human Services in year-end breach reporting. Result: The medical practice had a robust HIPAA policy and practice, which lessens the risk of governmental penalties, but the employee involved was disciplined, as required by HIPAA. Routine review of records accessed is a best practice that should be used by all businesses that hold HIPAA- protected data. 
If a HIPAA-covered entity believes there has been an unauthorized use or disclosure of PHI as there was in the example above, the covered entity is required to investigate the matter and report a HIPAA breach.

Representative Experience

»» Assisted a national restaurant chain from start to finish with a credit card data breach in dozens of states with over one million card exposures. Responsibilities included emergency response coaching, breach evaluation, breach notification, breach vendor management, liability assessments, negotiations with processors, acquiring banks, issuing banks and card brands, and litigation support.

»» Assisted a large multinational corporation with its evaluation of and response to a ransomware attack that crippled all corporate servers including human resources and payroll.

»» Assisted a company with response and notification arising from infiltration of the company’s system that altered payroll files processed by a third-party payroll processor. Responsibilities included working with a forensics investigation firm, coordination of notification to employees, and negotiation with the cyber liability insurance provider.

»» Consulted proactively with a national manufacturing business regarding appropriate privacy and security provisions for maintenance of employee personal information, both internally and for purposes of data sharing and transfer agreements.

»» Advised a national restaurant chain regarding incident response for potential misuse of Wi-Fi services. Scope of the matter included working with the client’s information technology department to identify potential access and use of facilities in question, and response to information requests from law enforcement and private litigants.

»» Consulted with an international manufacturing business regarding a "phishing" incident directed at employees' personal data. Scope of the matter included identification of the scope of attempted intrusion, analysis of potentially applicable law of multiple jurisdictions, and assessment of technological safeguards in place to prevent an actual breach of the security of information systems in question.

»» Advised a mid-sized consumer retail services business on response to employee theft of personal information from company systems. The scope of the matter included working with the client’s information technology department to identify access and attempted misappropriation of information, and coordination with law enforcement for potential prosecution and assessment of any breach notification.

Frost Brown Todd | Defending Your Company from a Data Breach
Frost Brown Todd Data Breach Attorneys

Jane Hils Shea | Member | jshea@fbtlaw.com | 513.651.6961
Jane leads FBT’s privacy and information security practice. She has significant experience in the law governing data privacy and information security, assisting clients with the development of written information security programs, the European Union’s General Data Protection Regulation (GDPR) compliance, appropriate internal policies and procedures, as well as incident response measures and data breach notification. Jane is a member of the International Association of Privacy Professionals and is a Certified Information Privacy Professional for the U.S. private sector (CIPP/US).

Michael T. Bindner | Member | mbindner@fbtlaw.com | 317.237.3863
Michael assists clients with various HIPAA privacy matters, including privacy training, investigating and reporting HIPAA privacy breaches, and with breaches of personal information. He speaks frequently on topics related to employee benefits, HIPAA and other health care issues.

Robert W. Dibert | Member | bdibert@fbtlaw.com | 502.568.0379
Bob works with businesses in the educational, financial, health care, manufacturing, professional services, and consumer retail sectors on data privacy and security matters, beginning with the proactive incorporation of privacy/security-related records and procedures into retention and compliance programs, and extending through breach notifications. Incidents have included commercial espionage, employee theft, lost or stolen devices, misuse of facilities by outsiders, and so-called “phishing” for personal information.

Milton C. Sutton | Senior Associate | msutton@fbtlaw.com | 614.559.7271
Milton practices in FBT’s intellectual property and government services practice groups. His practice focuses on complex information technology matters including computer systems, telecommunications, data, software development, web hosting, licensing, cloud computing, cybersecurity and privacy. He is a Certified Information Privacy Professional for the U.S. private sector (CIPP/US). He assists entities on general privacy issues, GDPR compliance, cybersecurity preparation as well as responding to large data breach incidents.

frostbrowntodd.com
The Firm at a Glance

Frost Brown Todd (FBT) is a full-service law firm with offices in Indiana, Kentucky, Ohio, Pennsylvania, Tennessee, Texas, Virginia and West Virginia. With more than 500 lawyers across our eight-state footprint, FBT offers a deep, talented roster of legal professionals. Our services extend beyond our footprint, as we have attorneys licensed to practice law in 25 states and the District of Columbia. Our attorneys serve a diverse client base, from global multinationals to small, entrepreneurial companies. We integrate a powerful network of legal talent and business experience to provide our clients with innovative and comprehensive services.

Offices: Indiana (Indianapolis); Kentucky (Florence, Lexington, Louisville); Ohio (Cincinnati, Columbus, West Chester); Pennsylvania (Pittsburgh); Tennessee (Nashville); Texas (Dallas); Virginia (Ashland, Richmond area); West Virginia (Charleston).

Focused Legal Services
Our attorneys advise and protect you in business transactions and litigation in industries including automotive, construction, energy, financial services, food and beverage, health care, technology, insurance, manufacturing, real estate and transportation. We deliver sound legal counsel, responsive service, concise communications and efficient representation.

Diversity & Inclusion
Our program is constantly evolving to build a more vibrant and creative law firm for our employees, clients and communities. Our focus on inclusion extends beyond the firm. It includes partnering with our clients on unique programs to help them achieve their diversity and inclusion goals. It includes leading the way on numerous pipeline programs as well as investing in regional and national initiatives in our communities and beyond.

Core Practices and Service Areas
Business: Advertising & Media Law; Bankruptcy & Restructuring; Capital Transactions & Governance; Employee Benefits; Entrepreneurial Business Services; Estates, Trusts & Wills; Franchise & Distribution; Health Law; Intellectual Property; International Services; Lending & Commercial Services; Mergers & Acquisitions; Public Finance; Real Estate; Regulated Business; Tax.
Litigation: Appellate; Business Litigation; Construction; Environmental; Government Services; Insurance & Tort Defense; Labor & Employment; Product Liability & Mass Tort.

frostbrowntodd.com | Indiana | Kentucky | Ohio | Pennsylvania | Tennessee | Texas | Virginia | West Virginia
THIS IS AN ADVERTISEMENT. ©2018 Frost Brown Todd LLC. All rights reserved.