Cybersecurity: Legal and Regulatory Environment
The emerging legal implications of cyber risks and the role of the FTC.
Disclaimer
NEXTLEVEL IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE
THE FOLLOWING PRESENTATION IS FOR AWARENESS AND DISCUSSION PURPOSES ONLY
CONSULT YOUR GENERAL COUNSEL FOR ADVICE
Types of Cybersecurity Breach Litigation
• State and Federal Regulatory Actions
  • Enforcement actions by governmental agencies invoking their regulatory authority under relevant state or federal laws.
  • Federal Statutes
    • Federal Trade Commission Act
    • Gramm-Leach-Bliley Act
    • Fair Credit Reporting Act
    • Children's Online Privacy Protection Act
    • HIPAA/HITECH
  • State Statutes
    • Consumer Protection Acts
    • Data Breach Notification Statutes
• Consumer Class Action Lawsuits
  • By outside customers or business partners whose sensitive or personal information was compromised
• Shareholder Derivative Actions to recover for losses in stock value
• Securities Fraud Class Action Lawsuits to recover for the diminution in stock value following a cyber breach
The FTC uses its authority under § 45(a) – “unfair or deceptive acts or practices” – to:
• Order “Comprehensive Security Programs”
• Seek monetary penalties
• Control company actions and communications for 20 years with biennial recertification
Confidential 4
FTC Enforcement Actions:
Protecting consumers’ privacy and personal information
Control Failure [1][2]
Companies cited (one ✓ per company): Wyndham, CVS Caremark, Petco, Twitter, Uber, TaxSlayer
Not Educating Employees ✓ ✓ ✓ ✓ ✓ ✓
Not Requiring Strong Passwords ✓
Providing Admin Control to All Employees ✓ ✓
Not Changing Default Passwords for Management Systems ✓
Not Controlling Release of Sensitive Information ✓ ✓
Not Protecting Web Sites against Code Injection/List Validation Attacks ✓ ✓
Not Encrypting Payment Card Information ✓ ✓ ✓
Storing PII/PHI in Clear Text ✓ ✓
Not Segregating Networks (e.g. Food Service) ✓
Not Controlling/Destroying Paper and Other Records ✓
[1] See Appendix for details. [2] Based on reading the FTC complaint.
FTC Complaints
How the FTC uses company statements in its enforcement activities
CVS Caremark
FTC MATTER 072-3119
• Company Statement:
  o “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.”
• Meanwhile:
  o “its pharmacies were throwing trash into open dumpsters that contained
    ➢ … patient names, addresses, prescribing physicians’ names, medication and dosages;
    ➢ …employment applications, including social security numbers; payroll information; and
    ➢ …credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”
• https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial
CVS Caremark - HIV
• In late July or early August 2017, a letter containing membership cards, information about the CVS program and how to access their HIV medications was mailed to an estimated 6,000 participants in OhDAP.
• According to the lawsuit, the letter clearly showed the recipient’s HIV status through the envelope window above the patient’s name and address.
https://abcnews.go.com/beta-story-container/Health/cvs-health-unintentionally-revealed-hiv-status-6000-customers/story?id=54095674
Twitter
FTC MATTER 092 3093
• Company Statement:
  • “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
• Meanwhile:
  • “Twitter granted almost all of its employees administrative control of the Twitter system, [including]
    ➢ …ability to: reset a user’s account password,
    ➢ …view …nonpublic tweets
    ➢ …send tweets on behalf of a user.”
• https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twittercmpt.pdf
Communications Pitfalls
How communication errors affect litigation.
Key Communication Issues
• Shaping the message
• When to disclose
• What to disclose
• Correcting inaccuracies
• Credit monitoring
Home Depot Lawsuit
“As the Company’s CEO admitted after the breach occurred, ‘if we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement.’ He even acknowledged that HD’s systems were ‘desperately out of date’ at the time of the attack.” [1]
[1] In re The Home Depot, Inc. Shareholder Derivative Litigation, Case 1:15-cv-02999-TWT, Document 52, Filed 06/30/16, Page 9 of 49
Wendy’s Lawsuit
The suit criticized Wendy’s transparency about the breach.
• Although the breach was disclosed in January … [Wendy’s] didn’t report on how many stores were impacted until May.
• At that time, it reported that the breach affected 300 Wendy’s franchises.
• That estimate was then increased to 1,025 in July.
• https://www.dataprivacyandsecurityinsider.com/2016/12/shareholders-derivative-suit-filed-against-wendys-for-data-breach/
Banner Health Class Action Lawsuit
August 3, 2016
• “Banner Health announced [it] suffered a massive cyberattack [on June 23rd] that may affect 3.7 million people [and] learned of the attack on July 7, 2016” [1]
August 23, 2016
• Class Action Complaint filed in the United States District Court, Arizona District
• From the complaint: “To date, Banner Health – without providing any details – has merely identified that it has ‘launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers and contacted law enforcement’ and that it ‘is working to enhance the security of its systems in order to help prevent this from happening in the future.’”
1. https://www.courtlistener.com/recap/gov.uscourts.azd.994095/gov.uscourts.azd.994095.1.0.pdf
Uber
• Admits concealing a 2016 breach that exposed the data of 57 million Uber customers and drivers, failing to disclose the hack to regulators or affected individuals. [1]
• The company paid a $100,000 ransom to the hackers to destroy the information and keep the breach quiet. [1]
• “This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Lisa Madigan, the Illinois attorney general, told the Associated Press. [3]
• Today [11/21/17] Uber fired the CISO and a deputy of the CISO because of their role in covering up the breach. [4]
• The company just settled with all 50 states and Washington, D.C. for a cool $148 million. [2]
1. https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack
2. https://www.healthcareitnews.com/news/how-not-handle-data-breach-brought-you-uber-equifax-and-many-others
3. https://www.theguardian.com/technology/2018/sep/26/uber-hack-fine-driver-data-breach
4. https://www.whitehatsec.com/blog/uber-security-breach
Uber
FTC MATTER 152 3054
• Uber Customer Service Statements
  • “Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”
  • “All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
• Meanwhile:
  • “Uber… stored sensitive personal information in the Amazon S3 Datastore in clear, readable text…rather than encrypting the information.”
  • [Provided] “all programs and engineers … full administrative privileges over all data in the Amazon S3 Datastore”
  • [An Uber Engineer] publicly posted to GitHub …a key granting “full administrative privileges to all data and documents stored within … Amazon S3”
• https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf
Premera
• Premera said [they have] not been able to determine if any data was removed from the company's systems and that there's no evidence records have been used inappropriately. [1]
• Lawyers for the breach victims filed a motion Aug. 30 in the case seeking sanctions against the health insurer for “misconduct” in destroying a computer hard drive and logs that contained evidence related to the theft of data by hackers. [2]
• “By willfully destroying: (a) a computer that the hackers used in the data breach and which may have held evidence of data exfiltration; and (b) data loss prevention software logs that may have shown evidence of data exfiltration, Premera spoliated key evidence and prejudiced Plaintiffs’ ability to achieve a rightful decision in this case,” according to the motion, a copy of which was obtained by HealthITSecurity.com. [2]
• In the data breach’s aftermath, class-action lawsuits were filed in US District Court in Seattle on behalf of breach victims and subsequently consolidated into one case. The lawsuit claims that Premera was negligent, breached its contract with customers, and violated privacy laws by failing to disclose the breach in a timely manner. [3]
1. https://www.modernhealthcare.com/article/20150317/NEWS/150319904
2. https://healthitsecurity.com/news/premera-accused-of-trashing-computer-in-health-data-breach-lawsuit
3. https://healthitsecurity.com/news/premera-accused-of-trashing-computer-in-health-data-breach-lawsuit
Anthem
A Positive Communications Example
Fred Cate, a law professor and cybersecurity expert at Indiana University
• Praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,”
• Cautioned that company officials might not know the scope of the attack at this point. [1]
FBI
• "Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," the FBI said. "Speed matters when notifying law enforcement of an intrusion.” [2]
Jenifer Groth, Director, Indiana Department of Insurance
• “Anthem was proactive about addressing this breach and notifying individuals who may have been affected by it,” [3]
1. https://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html
2. https://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/
3. https://www.modernhealthcare.com/article/20160330/NEWS/160339997
Communication Tips
Use the correct terminology, so that employees and the media do not conclude that sensitive information has been disclosed when it has not:
Event
  o An attempt to obtain data from an organization, or a situation in which data might be exposed.
Incident
  o An event where there is a greater likelihood that data has left, or will leave, the organization, but uncertainty remains.
Breach
  o A subset of security incidents where the organization discovers that sensitive information has been accessed or acquired by an unauthorized party, and that acquisition has created the possibility that an employee or a consumer might be harmed by the disclosure.
Email Communications
• Put “Attorney Client Communication: Information Requested By Counsel.” in the subject line
• This helps make sure that anyone who reads the email at a later time understands the context in which it was sent, the purpose for which the information was collected, and the fact that the communication may be privileged and exempt from disclosure outside of the organization.
When to Disclose
• The longer companies wait to notify their customers, the greater the chance criminals will be able to use stolen data. [1]
• Equifax was blasted for taking six weeks
• Target didn’t comment on their breach until nearly a week after it was reported by security blogger Brian Krebs.
• The SEC waited a full year before disclosing information about its breach.
• Uber Technologies Inc. will pay $148 million for failing to disclose a massive data breach in 2016
• Whole Foods had a solid plan in place and reported the breach five days after discovery [2]
1. https://hbr.org/2017/11/the-avoidable-mistakes-executives-continue-to-make-after-a-data-breach
2. https://media.wholefoodsmarket.com/news/whole-foods-market-payment-card-investigation-notification
Summary
• Immediately work to remediate the issue.
• Disclose as soon as feasible.
• Be honest and accurate.
• Commit to continual updates.
• Actively involve legal counsel, forensics and public relations.
Appendix
CVS Caremark
FTC MATTER 072-3119
• Company Statement:
  o “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.”
• Meanwhile:
  o “its pharmacies were throwing trash into open dumpsters that contained
    ➢ … patient names, addresses, prescribing physicians’ names, medication and dosages;
    ➢ …employment applications, including social security numbers; payroll information; and
    ➢ …credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”
• https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial
PETCO.com
FTC MATTER 032 3221
• Company Statement:
  o “At PETCO.com our customers’ data is strictly protected against any unauthorized access. PETCO.com also provides a “100% Safeguard Your Shopping Experience Guarantee” so you never have to worry about the safety of your credit card information.”
• Meanwhile:
  o “In truth and in fact, the personal information respondent obtained “from PETCO.com”
    ➢ ...was not maintained in an encrypted format
    ➢ …was accessible to persons other than the consumer providing the information.
    ➢ …was decrypted [on receipt] and maintained in clear readable text.
    ➢ … a visitor could (and did) use a commonly known attack to manipulate respondent’s web application and obtain access…to sensitive personal information ... including, … consumer names and credit card numbers and expiration dates.”
• https://www.ftc.gov/sites/default/files/documents/cases/2005/03/050308comp0323221.pdf
Twitter
FTC MATTER 092 3093
• Company Statement:
  • “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
• Meanwhile:
  • “Twitter granted almost all of its employees administrative control of the Twitter system, [including]
    ➢ …ability to: reset a user’s account password,
    ➢ …view …nonpublic tweets
    ➢ …send tweets on behalf of a user.”
• https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twittercmpt.pdf
Uber
FTC MATTER 152 3054
• Uber Customer Service Statements
  • “Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”
  • “All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
• Meanwhile:
  ➢ “Uber… stored sensitive personal information in the Amazon S3 Datastore in clear, readable text…rather than encrypting the information.”
  ➢ [Provided] “all programs and engineers … full administrative privileges over all data in the Amazon S3 Datastore”
  ➢ [An Uber Engineer] publicly posted to GitHub …a key granting “full administrative privileges to all data and documents stored within … Amazon S3”
• https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf
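The control a practitioner would want against the GitHub key exposure the Uber complaint describes (in both the body slide and this appendix slide) is a scan of staged files before every commit. The block below is an added example, not code from the deck, Uber or the FTC; it assumes the publicly documented AWS key shapes (access key IDs of AKIA/ASIA plus 16 upper-case alphanumerics, 40-character secrets), uses AWS's published documentation placeholder values in a constructed sample, and filters secrets by entropy so low-entropy placeholders are not reported.

```python
"""Pre-commit secret scan for credentials pasted into source, as in the
Uber S3 key incident above. Added example; not the deck's or Uber's code.
Assumptions: AWS's documented key formats; sample files are constructed and
their credential values are AWS's own documentation placeholders, not live."""
import math
import re
from collections import Counter
from typing import Dict, List

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character secret is indistinguishable from any other token on its own,
# so it is only reported when assigned to a secret-looking variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret(?:_?access)?_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_SECRET_ENTROPY = 4.0  # bits/char; real keys sit near 4.5-5, "xxxx" placeholders near 0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; drops repeated-character placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[dict]:
    """One finding per credential-shaped token in one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(2)
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "value": secret[:4] + "..."})  # never echo the full secret
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """files maps a repository path to the staged contents of that file."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def precommit_should_block(files: Dict[str, str]) -> bool:
    """True when the hook must reject the commit."""
    return bool(scan_files(files))


# Constructed sample of what the hook would see as staged content.
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed sample: credentials pasted straight into source\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'SECRET_KEY = "' + "x" * 40 + '"  # low-entropy placeholder, not reported\n'
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment, never in this repo.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['value']})")
    if precommit_should_block(SAMPLE_FILES):
        print("commit blocked: move credentials to a secrets manager or an IAM role")
```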
TAXSLAYER
FTC MATTER 162 3063
• Company:
  • Failed to provide consumers with an initial and annual privacy notice. (GLBA violation)
• Meanwhile:
  ➢ Respondent did not require consumers to choose strong passwords
  ➢ [Did not] prevent remote attackers using lists of stolen login credentials to access accounts.
  ➢ [Did not] inform TaxSlayer … users when a material change was made to the mailing address, password, ... bank account routing number or the payment method
  ➢ Failed … to prevent devices …from attempting to access an unlimited number of TaxSlayer Online accounts in rapid succession through a list validation attack.
• https://www.ftc.gov/system/files/documents/cases/1623063_c4626_taxslayer_complaint.pdf
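The "list validation attack" in the TaxSlayer complaint is one device trying a list of stolen credentials against many accounts in rapid succession; the detection a defender would want is a per-source count of distinct accounts attempted inside a short window, plus a list of accounts that were successfully logged into from a flagged source. The block below is an added example, not code from the deck, TaxSlayer or the FTC; its log format, sample lines, window and threshold are all constructed for illustration.

```python
"""Detection of the list-validation (credential-stuffing) pattern from the
TaxSlayer complaint. Added example; not the deck's or TaxSlayer's code.
Assumptions: the log line format and sample lines are constructed; the
window and threshold are illustrative, not values from the complaint."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) login user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
WINDOW_SECONDS = 60             # "rapid succession": how far back we look per source
DISTINCT_ACCOUNT_THRESHOLD = 5  # distinct accounts one source may touch inside the window


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one constructed log line; None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"]


def detect_list_validation(lines: Iterable[str], window: int = WINDOW_SECONDS,
                           threshold: int = DISTINCT_ACCOUNT_THRESHOLD
                           ) -> Tuple[Dict[str, int], Set[str]]:
    """Return (flagged_sources, at_risk_accounts).

    flagged_sources maps a source IP to the largest number of distinct accounts
    it attempted inside any one window. at_risk_accounts are accounts with a
    successful login from a flagged source: candidates for a forced password
    reset and user notification rather than silent acceptance.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    events.sort(key=lambda e: e[0])       # logs are rarely perfectly ordered
    recent = defaultdict(deque)           # src -> deque of (ts, user) inside the window
    successes = defaultdict(set)          # src -> accounts it logged into successfully
    flagged: Dict[str, int] = {}
    for ts, src, user, result in events:
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:   # ends at the entry just appended
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            flagged[src] = max(distinct, flagged.get(src, 0))
        if result == "ok":
            successes[src].add(user)
    at_risk = {u for src in flagged for u in successes[src]}
    return flagged, at_risk


# Constructed sample: a legitimate user (198.51.100.7) who mistypes once, a
# stuffing run from 203.0.113.5 over seven accounts in twelve seconds (two
# of them succeed), and an unrelated normal login later.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 198.51.100.7 login user=grace result=fail
2018-03-01T10:00:05Z 203.0.113.5 login user=alice result=fail
2018-03-01T10:00:07Z 203.0.113.5 login user=bob result=fail
2018-03-01T10:00:09Z 203.0.113.5 login user=carol result=fail
2018-03-01T10:00:11Z 203.0.113.5 login user=dave result=ok
2018-03-01T10:00:13Z 203.0.113.5 login user=erin result=fail
2018-03-01T10:00:14Z 198.51.100.7 login user=grace result=ok
2018-03-01T10:00:15Z 203.0.113.5 login user=frank result=fail
2018-03-01T10:00:17Z 203.0.113.5 login user=heidi result=ok
2018-03-01T10:05:00Z 192.0.2.44 login user=ivan result=ok
"""

if __name__ == "__main__":
    flagged, at_risk = detect_list_validation(SAMPLE_LOG.splitlines())
    for src, n in flagged.items():
        print(f"{src}: {n} distinct accounts within {WINDOW_SECONDS}s, list validation suspected")
    print("accounts needing reset/notification:", sorted(at_risk))
```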
Oracle
FTC MATTER 132 3115
• Company Statement
  • [When updating Java] consumers … encounter a series of installation screens, which stated that “Java provides safe and secure access to the world of amazing Java content,” and that Java SE updates and a consumer’s “system” … would have “the latest . . . security improvements.”
• Meanwhile:
  • “Oracle did not inform consumers that Java SE updates automatically removed only the most recent prior iteration of Java SE
  • … Therefore, after the update process, consumers could still have … insecure iterations of Java SE on their computers.”
  • Note: In late 2010, Oracle acknowledged that exploit kits for at least 44 Java SE vulnerabilities were publicly available. For example, …key loggers.
• https://www.ftc.gov/system/files/documents/cases/160329oraclecmpt.pdf

 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Cyber security legal and regulatory environment - Executive Discussion

  • 5. FTC Enforcement Actions: Protecting consumers’ privacy and personal information
    Control Failure¹ ² (columns: Wyndham, CVS Caremark, Petco, Twitter, Uber, TaxSlayer; each ✓ marks one of the six companies cited for that failure)
      Not Educating Employees ✓ ✓ ✓ ✓ ✓ ✓
      Not requiring strong passwords ✓
      Providing Admin Control to All Employees ✓ ✓
      Not Changing Default Passwords for Management Systems ✓
      Not controlling release of sensitive information ✓ ✓
      Not Protecting Web Sites against Code Injection/List Validation Attacks ✓ ✓
      Not Encrypting Payment Card Information ✓ ✓ ✓
      Storing PII/PHI in Clear Text ✓ ✓
      Not Segregating Networks (e.g. Food Service) ✓
      Not controlling/destroying paper and other records ✓
    ¹ See Appendix for details
    ² Based on reading the FTC complaint
    Confidential 5
  • 6. FTC Complaints: How the FTC uses company statements in its enforcement activities
  • 7. CVS Caremark, FTC MATTER 072-3119
    • Company Statement:
      o “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.”
    • Meanwhile:
      o “its pharmacies were throwing trash into open dumpsters that contained
        ➢ … patient names, addresses, prescribing physicians’ names, medication and dosages;
        ➢ … employment applications, including social security numbers; payroll information; and
        ➢ … credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”
    • https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-charges-failed-protect-medical-financial
  • 8. CVS Caremark - HIV
    • In late July or early August 2017, a letter containing membership cards, information about the CVS program and how to access their HIV medications was mailed to an estimated 6,000 participants in OhDAP.
    • According to the lawsuit, the letter clearly showed the recipient’s HIV status through the envelope window above the patient’s name and address.
    • https://abcnews.go.com/beta-story-container/Health/cvs-health-unintentionally-revealed-hiv-status-6000-customers/story?id=54095674
  • 9. Twitter, FTC MATTER 092 3093
    • Company Statement:
      o “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
    • Meanwhile:
      o “Twitter granted almost all of its employees administrative control of the Twitter system, [including]
        ➢ … ability to: reset a user’s account password,
        ➢ … view … nonpublic tweets
        ➢ … send tweets on behalf of a user.”
    • https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twittercmpt.pdf
  • 10. Communications Pitfalls: How communication errors affect litigation.
  • 11. Key Communication Issues
    • Shaping the message
    • When to disclose
    • What to disclose
    • Correcting inaccuracies
    • Credit Monitoring
  • 12. Home Depot Lawsuit
    • “As the Company’s CEO admitted after the breach occurred, “if we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement.” He even acknowledged that HD’s systems were “desperately out of date” at the time of the attack.”¹
    1. IN RE THE HOME DEPOT, INC. SHAREHOLDER DERIVATIVE LITIGATION, Case 1:15-cv-02999-TWT, Document 52, Filed 06/30/16, Page 9 of 49
  • 13. Wendy’s Lawsuit
    The suit criticized Wendy’s transparency about the breach.
    • Although the breach was disclosed in January … [Wendy’s] didn’t report on how many stores were impacted until May.
    • At that time, it reported that the breach affected 300 Wendy’s franchises.
    • That estimate was then increased to 1,025 in July.
    • https://www.dataprivacyandsecurityinsider.com/2016/12/shareholders-derivative-suit-filed-against-wendys-for-data-breach/
  • 14. Banner Health Class Action Lawsuit
    • August 3, 2016: “Banner Health announced [it] suffered a massive cyberattack [on June 23rd] that may affect 3.7 million people [and] learned of the attack on July 7, 2016”¹
    • August 23, 2016: Class Action Complaint filed in the United States District Court, Arizona District
    • From the complaint:
      o To date, Banner Health – without providing any details – has merely identified that it has “launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers and contacted law enforcement” and that it “is working to enhance the security of its systems in order to help prevent this from happening in the future.”
    1. https://www.courtlistener.com/recap/gov.uscourts.azd.994095/gov.uscourts.azd.994095.1.0.pdf
  • 15. Uber
    • Admits concealing a 2016 breach that exposed the data of 57 million Uber customers and drivers, failing to disclose the hack to regulators or affected individuals.¹
    • The company paid a $100,000 ransom to the hackers to destroy the information and keep the breach quiet.¹
    • “This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Lisa Madigan, the Illinois attorney general, told the Associated Press.³
    • Today [11/21/17] Uber fired the CISO and a deputy of the CISO because of their role in covering up the breach.⁴
    • The company just settled with all 50 states and Washington, D.C. for a cool $148 million.²
    1. https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack
    2. https://www.healthcareitnews.com/news/how-not-handle-data-breach-brought-you-uber-equifax-and-many-others
    3. https://www.theguardian.com/technology/2018/sep/26/uber-hack-fine-driver-data-breach
    4. https://www.whitehatsec.com/blog/uber-security-breach
  • 16. Uber, FTC MATTER 152 3054
    • Uber Customer Service Statements:
      o “Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”
      o “All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
    • Meanwhile:
      o “Uber… stored sensitive personal information in the Amazon S3 Datastore in clear, readable text… rather than encrypting the information.”
      o [Provided] “all programs and engineers … full administrative privileges over all data in the Amazon S3 Datastore”
      o [An Uber Engineer] publicly posted to GitHub … a key granting “full administrative privileges to all data and documents stored within … Amazon S3”
    • https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf
  • 17. Premera
    • Premera said [they have] not been able to determine if any data was removed from the company's systems and that there's no evidence records have been used inappropriately.¹
    • Lawyers for the breach victims filed a motion Aug. 30 in the case seeking sanctions against the health insurer for “misconduct” in destroying a computer hard drive and logs that contained evidence related to the theft of data by hackers.²
    • “By willfully destroying: (a) a computer that the hackers used in the data breach and which may have held evidence of data exfiltration; and (b) data loss prevention software logs that may have shown evidence of data exfiltration, Premera spoliated key evidence and prejudiced Plaintiffs’ ability to achieve a rightful decision in this case,” according to the motion, a copy of which was obtained by HealthITSecurity.com.²
    • In the data breach’s aftermath, class-action lawsuits were filed in US District Court in Seattle on behalf of breach victims and subsequently consolidated into one case. The lawsuit claims that Premera was negligent, breached its contract with customers, and violated privacy laws by failing to disclose the breach in a timely manner.³
    1. https://www.modernhealthcare.com/article/20150317/NEWS/150319904
    2. https://healthitsecurity.com/news/premera-accused-of-trashing-computer-in-health-data-breach-lawsuit
    3. https://healthitsecurity.com/news/premera-accused-of-trashing-computer-in-health-data-breach-lawsuit
  • 18. Anthem: A Positive Communications Example
    • Fred Cate, a law professor and cybersecurity expert at Indiana University:
      o Praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,”
      o Cautioned that company officials might not know the scope of the attack at this point.¹
    • FBI:
      o "Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," the FBI said. "Speed matters when notifying law enforcement of an intrusion.”²
    • Jenifer Groth, Director, Indiana Department of Insurance:
      o “Anthem was proactive about addressing this breach and notifying individuals who may have been affected by it,”³
    1. https://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html
    2. https://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/
    3. https://www.modernhealthcare.com/article/20160330/NEWS/160339997
  • 20. Use the correct terminology so that employees and the media do not conclude that sensitive information has been disclosed
    • Event
      o An attempt to obtain data from an organization, or a situation in which data might be exposed.
    • Incident
      o An event where there is a greater likelihood that data has left, or will leave, the organization, but uncertainty remains.
    • Breach
      o Subset of security incidents where the organization discovers that sensitive information has been accessed or acquired by an unauthorized party and that acquisition has created the possibility that an employee or a consumer might be harmed by the disclosure.
  • 21. Email Communications
    • Put “Attorney Client Communication: Information Requested By Counsel.” in the subject line.
    • This helps make sure that anyone who reads the email at a later time understands the context in which it was sent, the purpose for which the information was collected, and the fact that the communication may be privileged and exempt from disclosure outside of the organization.
  • 22. When to Disclose
    • The longer companies wait to notify their customers, the greater the chance criminals will be able to use stolen data.¹
    • Equifax was blasted for taking six weeks.
    • Target didn’t comment on their breach until nearly a week after it was reported by security blogger Brian Krebs.
    • The SEC waited a full year before disclosing information about its breach.
    • Uber Technologies Inc. will pay $148 million for failing to disclose a massive data breach in 2016.
    • Whole Foods had a solid plan in place and reported the breach five days after discovery.²
    1. https://hbr.org/2017/11/the-avoidable-mistakes-executives-continue-to-make-after-a-data-breach
    2. https://media.wholefoodsmarket.com/news/whole-foods-market-payment-card-investigation-notification
  • 23. Summary
    • Immediately work to remediate the issue.
    • Disclose as soon as feasible.
    • Be honest and accurate.
    • Commit to continual updates.
    • Actively involve legal counsel, forensics and public relations.
  • 25. CVS Caremark, FTC MATTER 072-3119
    • Company Statement:
      o “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.”
    • Meanwhile:
      o “its pharmacies were throwing trash into open dumpsters that contained
        ➢ … patient names, addresses, prescribing physicians’ names, medication and dosages;
        ➢ … employment applications, including social security numbers; payroll information; and
        ➢ … credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”
    • https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-charges-failed-protect-medical-financial
  • 26. PETCO.com, FTC MATTER 032 3221
    • Company Statement:
      o “At PETCO.com our customers’ data is strictly protected against any unauthorized access. PETCO.com also provides a “100% Safeguard Your Shopping Experience Guarantee” so you never have to worry about the safety of your credit card information.”
    • Meanwhile:
      o “In truth and in fact, the personal information respondent obtained “from PETCO.com”
        ➢ ... was not maintained in an encrypted format
        ➢ … was accessible to persons other than the consumer providing the information.
        ➢ … was decrypted [on receipt] and maintained in clear readable text.
        ➢ … a visitor could (and did) use a commonly known attack to manipulate respondent’s web application and obtain access … to sensitive personal information ... including, … consumer names and credit card numbers and expiration dates.”
    • https://www.ftc.gov/sites/default/files/documents/cases/2005/03/050308comp0323221.pdf
  • 27. Twitter, FTC MATTER 092 3093
    • Company Statement:
      o “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
    • Meanwhile:
      o “Twitter granted almost all of its employees administrative control of the Twitter system, [including]
        ➢ … ability to: reset a user’s account password,
        ➢ … view … nonpublic tweets
        ➢ … send tweets on behalf of a user.”
    • https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twittercmpt.pdf
  • 28. Uber, FTC MATTER 152 3054
    • Uber Customer Service Statements:
      o “Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”
      o “All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
    • Meanwhile:
      ➢ “Uber… stored sensitive personal information in the Amazon S3 Datastore in clear, readable text… rather than encrypting the information.”
      ➢ [Provided] “all programs and engineers … full administrative privileges over all data in the Amazon S3 Datastore”
      ➢ [An Uber Engineer] publicly posted to GitHub … a key granting “full administrative privileges to all data and documents stored within … Amazon S3”
    • https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf
  • 29. TAXSLAYER, FTC MATTER 162 3063
    • Company:
      o Failed to provide consumers with an initial and annual privacy notice. (GLBA violation)
    • Meanwhile:
      ➢ Respondent did not require consumers to choose strong passwords
      ➢ [Did not] prevent remote attackers using lists of stolen login credentials to access accounts.
      ➢ [Did not] inform TaxSlayer … users when a material change was made to the mailing address, password, ... bank account routing number or the payment method
      ➢ Failed … to prevent devices … from attempting to access an unlimited number of TaxSlayer Online accounts in rapid succession through a list validation attack.
    • https://www.ftc.gov/system/files/documents/cases/1623063_c4626_taxslayer_complaint.pdf
  • 30. Oracle, FTC MATTER 132 3115
    • Company Statement:
      o [When updating Java] consumers … encounter a series of installation screens, which stated that “Java provides safe and secure access to the world of amazing Java content,” and that Java SE updates and a consumer’s “system” … would have “the latest . . . security improvements.”
    • Meanwhile:
      o “Oracle did not inform consumers that Java SE updates automatically removed only the most recent prior iteration of Java SE
      o …. Therefore, after the update process, consumers could still have … insecure iterations of Java SE on their computers.”
    • Note: In late 2010, Oracle acknowledged that exploit kits for at least 44 Java SE vulnerabilities were publicly available. For example, … key loggers.
    • https://www.ftc.gov/system/files/documents/cases/160329oraclecmpt.pdf
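The TaxSlayer matter (slide 29) turns on the absence of any limit on a device trying an unlimited number of accounts in rapid succession, the "list validation" pattern. As an added example that is not part of the deck or of the FTC filing, the Python below replays a constructed authentication log and flags the two patterns a throttling or lockout control should catch; the log format, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO timestamp> <client IP> <username> <result>".
# Lines 1-6: one client walks a list of different accounts within seconds
# (list validation). Lines 7-10: one client repeatedly fails on a single account.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice FAIL
2024-03-01T10:00:01 203.0.113.7 bob FAIL
2024-03-01T10:00:01 203.0.113.7 carol FAIL
2024-03-01T10:00:02 203.0.113.7 dave OK
2024-03-01T10:00:02 203.0.113.7 erin FAIL
2024-03-01T10:00:03 203.0.113.7 frank FAIL
2024-03-01T10:05:00 198.51.100.9 alice FAIL
2024-03-01T10:05:20 198.51.100.9 alice FAIL
2024-03-01T10:05:40 198.51.100.9 alice FAIL
2024-03-01T10:06:00 198.51.100.9 alice FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


class LoginMonitor:
    """Two sliding-window signals over a stream of login attempts.

    list_validation: one client IP tries more than `max_accounts` distinct
        usernames inside `window`, regardless of success or failure.
    brute_force: one username accumulates more than `max_failures` failed
        attempts inside `window` (what an account lockout should catch).
    Thresholds here are illustrative, not values from the complaint.
    """

    def __init__(self, window=timedelta(seconds=60), max_accounts=5, max_failures=3):
        self.window = window
        self.max_accounts = max_accounts
        self.max_failures = max_failures
        self._by_ip = defaultdict(deque)    # ip   -> deque[(ts, user)]
        self._by_user = defaultdict(deque)  # user -> deque[(ts, ip)] of failures

    def _trim(self, q, now):
        # Drop entries that fell out of the sliding window.
        while q and (now - q[0][0]) > self.window:
            q.popleft()

    def observe(self, ts, ip, user, result):
        """Record one attempt; return the set of signals it trips (possibly empty)."""
        signals = set()

        ipq = self._by_ip[ip]
        ipq.append((ts, user))
        self._trim(ipq, ts)
        if len({u for _, u in ipq}) > self.max_accounts:
            signals.add("list_validation")

        if result == "FAIL":
            uq = self._by_user[user]
            uq.append((ts, ip))
            self._trim(uq, ts)
            if len(uq) > self.max_failures:
                signals.add("brute_force")

        return signals


def scan(log_text, **thresholds):
    """Replay a log and return {signal: {offender, ...}} for every signal tripped.

    Offenders are client IPs for list_validation and usernames for brute_force,
    which is the split a responder needs: block the source, protect the account.
    """
    monitor = LoginMonitor(**thresholds)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        for signal in monitor.observe(ts, ip, user, result):
            findings[signal].add(ip if signal == "list_validation" else user)
    return dict(findings)


if __name__ == "__main__":
    for signal, offenders in sorted(scan(SAMPLE_LOG).items()):
        print(f"{signal}: {sorted(offenders)}")
```

The successful login for "dave" still counts toward the list-validation signal, because a stuffing run is identified by the spread of accounts tried from one source, not by failures alone.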