What will you do when a breach occurs, and critical, confidential information has been publicly disclosed?
• FBI, Law Enforcement or Reporter Calls
• You become the Top News Story
• Investors need answers
• Regulatory Agencies are asking questions
• Your Customers, Suppliers, and Employees are affected, concerned, and need information
• The Breach becomes your only priority and you don’t know:
o What happened and what was disclosed?
o Who is responsible for resolution and who is on our team?
o What are our legal responsibilities?
o How will we manage the surge volume of communications, discovery and analysis?
o Who will pay?
The following presentation begins to address some of the legal and regulatory issues that are involved. The presentation is for discussion purposes only and should not be considered legal advice.
Cyber security legal and regulatory environment - Executive Discussion
1. Cybersecurity: Legal and Regulatory Environment
The emerging legal implications of cyber risks and the role of the FTC.
2. Disclaimer
NEXTLEVEL IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE. THE FOLLOWING PRESENTATION IS FOR AWARENESS AND DISCUSSION PURPOSES ONLY. CONSULT YOUR GENERAL COUNSEL FOR ADVICE.
3. Types of Cybersecurity Breach Litigation
• State and Federal Regulatory Actions
o Enforcement actions by governmental agencies invoking their regulatory authority under relevant state or federal laws.
o Federal statutes:
➢ Federal Trade Commission Act
➢ Gramm-Leach-Bliley Act
➢ Fair Credit Reporting Act
➢ Children's Online Privacy Protection Act
➢ HIPAA/HITECH
o State statutes:
➢ Consumer Protection Acts
➢ Data Breach Notification Statutes
• Consumer Class Action Lawsuits
o By outside customers or business partners whose sensitive or personal information was compromised
• Shareholder Derivative Actions to recover for losses in stock value
• Securities Fraud Class Action Lawsuits to recover for the diminution in stock value following a cyber breach
4. The FTC uses its authority under Section 5 of the FTC Act (15 U.S.C. § 45(a)), “unfair or deceptive acts or practices,” to:
• Order “Comprehensive Security Programs”
• Seek monetary penalties
• Control company actions and communications for 20 years, with biennial recertification
Confidential 4
5. FTC Enforcement Actions: Protecting consumers’ privacy and personal information
Control failures cited1, 2 (the columns of the original table are the six complaints: Wyndham, CVS Caremark, Petco, Twitter, Uber, TaxSlayer; each ✓ marks one complaint that cites the failure)
• Not Educating Employees ✓ ✓ ✓ ✓ ✓ ✓
• Not requiring strong passwords ✓
• Providing Admin Control to All Employees ✓ ✓
• Not Changing Default Passwords for Management Systems ✓
• Not controlling release of sensitive information ✓ ✓
• Not Protecting Web Sites against Code Injection / List Validation Attacks ✓ ✓
• Not Encrypting Payment Card Information ✓ ✓ ✓
• Storing PII/PHI in Clear Text ✓ ✓
• Not Segregating Networks (e.g. Food Service) ✓
• Not controlling/destroying paper and other records ✓
1. See Appendix for details. 2. Based on reading the FTC complaints.
6. FTC Complaints: How the FTC uses company statements in its enforcement activities
7. CVS Caremark
FTC MATTER 072-3119
• Company Statement:
o “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.”
• Meanwhile:
o “its pharmacies were throwing trash into open dumpsters that contained
➢ … patient names, addresses, prescribing physicians’ names, medication and dosages;
➢ …employment applications, including social security numbers; payroll information; and
➢ …credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”
• https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial
8. CVS Caremark - HIV
• In late July or early August 2017, a letter containing membership cards, information about the CVS program and how to access their HIV medications was mailed to an estimated 6,000 participants in OhDAP.
• According to the lawsuit, the letter clearly showed the recipient’s HIV status through the envelope window above the patient’s name and address.
https://abcnews.go.com/beta-story-container/Health/cvs-health-unintentionally-revealed-hiv-status-6000-customers/story?id=54095674
9. Twitter
FTC MATTER 092 3093
• Company Statement:
o “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
• Meanwhile:
o “Twitter granted almost all of its employees administrative control of the Twitter system, [including]
➢ …ability to: reset a user’s account password,
➢ …view …nonpublic tweets
➢ …send tweets on behalf of a user.”
• https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twittercmpt.pdf
12. Home Depot Lawsuit
“As the Company’s CEO admitted after the breach occurred, ‘if we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement.’ He even acknowledged that HD’s systems were ‘desperately out of date’ at the time of the attack.”1
1. IN RE THE HOME DEPOT, INC. SHAREHOLDER DERIVATIVE LITIGATION, Case 1:15-cv-02999-TWT, Document 52, Filed 06/30/16, Page 9 of 49
13. Wendy’s Lawsuit
The suit criticized Wendy’s transparency about the breach.
• Although the breach was disclosed in January … [Wendy’s] didn’t report on how many stores were impacted until May.
• At that time, it reported that the breach affected 300 Wendy’s franchises.
• That estimate was then increased to 1,025 in July.
• https://www.dataprivacyandsecurityinsider.com/2016/12/shareholders-derivative-suit-filed-against-wendys-for-data-breach/
14. Banner Health Class Action Lawsuit
August 3, 2016
• “Banner Health announced [it] suffered a massive cyberattack [on June 23rd] that may affect 3.7 million people [and] learned of the attack on July 7, 2016”1
August 23, 2016
• Class Action Complaint filed in the United States District Court for the District of Arizona
• From the complaint:
o To date, Banner Health – without providing any details – has merely identified that it has “launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers and contacted law enforcement” and that it “is working to enhance the security of its systems in order to help prevent this from happening in the future.”
1. https://www.courtlistener.com/recap/gov.uscourts.azd.994095/gov.uscourts.azd.994095.1.0.pdf
15. Uber
• Admits concealing a 2016 breach that exposed the data of 57 million Uber customers and drivers, failing to disclose the hack to regulators or affected individuals.1
• The company paid a $100,000 ransom to the hackers to destroy the information and keep the breach quiet.1
• “This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Lisa Madigan, the Illinois attorney general, told the Associated Press.3
• Today [11/21/17] Uber fired the CISO and a deputy of the CISO because of their role in covering up the breach.4
• The company subsequently settled with all 50 states and Washington, D.C. for $148 million.2
1. https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack
2. https://www.healthcareitnews.com/news/how-not-handle-data-breach-brought-you-uber-equifax-and-many-others
3. https://www.theguardian.com/technology/2018/sep/26/uber-hack-fine-driver-data-breach
4. https://www.whitehatsec.com/blog/uber-security-breach
16. Uber
FTC MATTER 152 3054
• Uber Customer Service Statements:
o “Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”
o “All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
• Meanwhile:
➢ “Uber… stored sensitive personal information in the Amazon S3 Datastore in clear, readable text…rather than encrypting the information.”
➢ [Provided] “all programs and engineers … full administrative privileges over all data in the Amazon S3 Datastore”
➢ [An Uber Engineer] publicly posted to GitHub …a key granting “full administrative privileges to all data and documents stored within … Amazon S3 ”
• https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf
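The three S3 findings above (data kept in clear text, every engineer holding full administrative rights, and an admin key pushed to a public GitHub repository) are failures of scoping and of secret handling rather than of any one product. The block below is an added example, not code from the FTC complaint or from Uber: a small Python checker that flags IAM policy statements granting every S3 action on every resource, shown beside a scoped read-only alternative, plus a pre-push scan that catches a long-lived AWS access key ID in a constructed diff. The bucket name, prefix, statement Sids and the diff text are made up; the key is AWS's published example value, not a live credential.

```python
import json
import re

# Constructed policies, not Uber's. The first grants every caller full control of
# every bucket, the pattern the complaint describes; the second scopes one role to
# one prefix, read-only. Bucket and prefix names are hypothetical.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllEngineersAllData", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnPrefix", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-datastore",
                  "arn:aws:s3:::example-datastore/ride-exports/*"]}
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return the Sids of Allow statements granting every S3 action on every resource."""
    flagged = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        all_s3_actions = any(a in ("*", "s3:*") for a in actions)
        all_resources = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if all_s3_actions and all_resources:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


# Long-lived AWS access key IDs are 20 characters and start with "AKIA".
AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_access_keys(text):
    """Scan text that is about to be committed for long-lived AWS access key IDs."""
    return AKID_RE.findall(text)


# Constructed diff. The key is AWS's documented example, not a real credential.
SAMPLE_COMMIT = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUCKET = "example-datastore"
"""

if __name__ == "__main__":
    print("broad statements:", overly_broad_statements(BROAD_POLICY))
    print("scoped statements:", overly_broad_statements(SCOPED_POLICY))
    print("keys in commit:", find_access_keys(SAMPLE_COMMIT))
```

Server-side encryption on its own would not have closed the gap the complaint describes: with S3-managed keys the service decrypts transparently for any principal the policy lets read, so the scope of the grant is the control that matters, and a leaked key for a scoped role exposes far less than the admin key the engineer posted.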
17. Premera
• Premera said [they have] not been able to determine if any data was removed from the company's systems and that there's no evidence records have been used inappropriately.1
• Lawyers for the breach victims filed a motion Aug. 30 in the case seeking sanctions against the health insurer for “misconduct” in destroying a computer hard drive and logs that contained evidence related to the theft of data by hackers.2
• “By willfully destroying: (a) a computer that the hackers used in the data breach and which may have held evidence of data exfiltration; and (b) data loss prevention software logs that may have shown evidence of data exfiltration, Premera spoliated key evidence and prejudiced Plaintiffs’ ability to achieve a rightful decision in this case,” according to the motion, a copy of which was obtained by HealthITSecurity.com.2
• In the data breach’s aftermath, class-action lawsuits were filed in US District Court in Seattle on behalf of breach victims and subsequently consolidated into one case. The lawsuit claims that Premera was negligent, breached its contract with customers, and violated privacy laws by failing to disclose the breach in a timely manner.3
1. https://www.modernhealthcare.com/article/20150317/NEWS/150319904
2. https://healthitsecurity.com/news/premera-accused-of-trashing-computer-in-health-data-breach-lawsuit
3. https://healthitsecurity.com/news/premera-accused-of-trashing-computer-in-health-data-breach-lawsuit
18. Anthem: A Positive Communications Example
Fred Cate, a law professor and cybersecurity expert at Indiana University:
• Praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,” but cautioned that company officials might not know the scope of the attack at this point.1
FBI:
• “Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” the FBI said. “Speed matters when notifying law enforcement of an intrusion.”2
Jenifer Groth, Director, Indiana Department of Insurance:
• “Anthem was proactive about addressing this breach and notifying individuals who may have been affected by it,”3
1. https://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html
2. https://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/
3. https://www.modernhealthcare.com/article/20160330/NEWS/160339997
20. Use precise terminology so that employees and the media do not conclude that sensitive information has been disclosed before that has actually been established
Event
o An attempt to obtain data from an organization, or a situation in which data might be exposed.
Incident
o An event where there is a greater likelihood that data has left, or will leave, the organization, but uncertainty remains.
Breach
o The subset of security incidents in which the organization discovers that sensitive information has been accessed or acquired by an unauthorized party, and that acquisition has created the possibility that an employee or a consumer might be harmed by the disclosure.
21. Email Communications
• Put “Attorney Client Communication: Information Requested By Counsel” in the subject line.
• This helps make sure that anyone who reads the email at a later time understands the context in which it was sent, the purpose for which the information was collected, and the fact that the communication may be privileged and exempt from disclosure outside of the organization.
22. When to Disclose
• The longer companies wait to notify their customers, the greater the chance criminals will be able to use stolen data.1
• Equifax was blasted for taking six weeks.
• Target didn’t comment on their breach until nearly a week after it was reported by security blogger Brian Krebs.
• The SEC waited a full year before disclosing information about its breach.
• Uber Technologies Inc. will pay $148 million for failing to disclose a massive data breach in 2016.
• Whole Foods had a solid plan in place and reported the breach five days after discovery.2
1. https://hbr.org/2017/11/the-avoidable-mistakes-executives-continue-to-make-after-a-data-breach
2. https://media.wholefoodsmarket.com/news/whole-foods-market-payment-card-investigation-notification
23. Summary
• Immediately work to remediate the issue.
• Disclose as soon as feasible
• Be honest and accurate
• Commit to continual updates
• Actively involve legal counsel, forensics and public
relations
26. PETCO.com
FTC MATTER 032 3221
• Company Statement:
o “At PETCO.com our customers’ data is strictly protected against any unauthorized access. PETCO.com also provides a “100% Safeguard Your Shopping Experience Guarantee” so you never have to worry about the safety of your credit card information.”
• Meanwhile:
o “In truth and in fact, the personal information respondent obtained “from PETCO.com”
➢ ...was not maintained in an encrypted format
➢ …was accessible to persons other than the consumer providing the information.
➢ …was decrypted [on receipt] and maintained in clear readable text.
➢ … a visitor could (and did) use a commonly known attack to manipulate respondent’s web application and obtain access…to sensitive personal information ... including, … consumer names and credit card numbers and expiration dates.”
• https://www.ftc.gov/sites/default/files/documents/cases/2005/03/050308comp0323221.pdf
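The “commonly known attack” in the Petco complaint manipulated the web application through its own input; the table on slide 5 files it under code injection, of which SQL injection against a lookup form is the textbook instance. The block below is an added example, not code from the complaint or from PETCO.com: a hypothetical order lookup written two ways against an in-memory SQLite table of constructed rows. The first splices the customer value into the SQL text and gives up every row to a tautology payload; the second binds the value as a parameter and returns nothing for the same payload.

```python
import sqlite3

# Constructed sample rows, not data from any real system. Card numbers are the
# well-known test values; the table mirrors the "clear readable text" storage the
# complaint describes.
SAMPLE_ORDERS = [
    (1, "alice", "4111111111111111", "12/27"),
    (2, "bob", "5555555555554444", "03/26"),
    (3, "carol", "378282246310005", "09/28"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, customer TEXT, card_number TEXT, expiry TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, customer):
    """String concatenation: the customer value becomes part of the SQL text itself."""
    sql = (
        "SELECT customer, card_number, expiry FROM orders WHERE customer = '"
        + customer
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    """Bound parameter: the value is data to the engine and cannot alter the query."""
    sql = "SELECT customer, card_number, expiry FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Classic tautology payload. Spliced in, the WHERE clause becomes
#   customer = 'x' OR '1'='1'
# which is true for every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Row counts for a normal lookup, the injected lookup, and the hardened lookup."""
    conn = make_db()
    normal = lookup_vulnerable(conn, "alice")
    dumped = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterized(conn, PAYLOAD)
    return {"normal": len(normal), "dumped": len(dumped), "safe": len(safe)}


if __name__ == "__main__":
    print(demo())
```

Parameterization closes the injection path but leaves the other defect the complaint names untouched: the table still holds card numbers in clear, readable text, and only tokenization, or not retaining the card number at all, addresses that.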
29. TAXSLAYER
FTC MATTER 162 3063
• Company: Failed to provide consumers with an initial and annual privacy notice (a GLBA violation).
• Meanwhile:
➢ Respondent did not require consumers to choose strong passwords
➢ [Did not] prevent remote attackers using lists of stolen login credentials to access accounts.
➢ [Did not] inform TaxSlayer … users when a material change was made to the mailing address, password, ... bank account routing number or the payment method
➢ Failed .. to prevent devices …from attempting to access an unlimited number of TaxSlayer Online accounts in rapid succession through a list validation attack.
• https://www.ftc.gov/system/files/documents/cases/1623063_c4626_taxslayer_complaint.pdf
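The last two TaxSlayer findings describe a list validation (credential stuffing) attack: one source walks a list of stolen username/password pairs across many accounts in rapid succession, and nothing on the server limits or notices it. The block below is an added example, not from the complaint or from TaxSlayer's systems: a Python detector run over constructed login log lines that flags any source trying more than a threshold of distinct accounts inside a sliding window, and a helper listing the accounts that source succeeded against, which are the ones owing a forced re-authentication and a notice to the owner. The log format, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (timestamp, source IP, account, outcome). Not real data.
# 10.0.0.5 walks six accounts in three seconds; 192.0.2.7 is one user retrying.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 alice@example.com FAIL
2024-03-01T09:00:01 10.0.0.5 bob@example.com FAIL
2024-03-01T09:00:01 10.0.0.5 carol@example.com SUCCESS
2024-03-01T09:00:02 10.0.0.5 dave@example.com FAIL
2024-03-01T09:00:02 10.0.0.5 erin@example.com FAIL
2024-03-01T09:00:03 10.0.0.5 frank@example.com FAIL
2024-03-01T09:05:00 192.0.2.7 alice@example.com FAIL
2024-03-01T09:05:20 192.0.2.7 alice@example.com FAIL
2024-03-01T09:05:40 192.0.2.7 alice@example.com SUCCESS
"""

WINDOW = timedelta(seconds=60)  # assumed sliding window per source
MAX_DISTINCT_ACCOUNTS = 5       # assumed: more than this many accounts per window is a list walk


def parse(line):
    """Split one constructed log line into (timestamp, ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome


def find_list_validation_sources(log_text):
    """Return {ip: peak distinct accounts tried within WINDOW} for sources over the threshold.

    A legitimate user retries one account; a stuffing attack walks a list of many,
    so the count of distinct accounts per source per window is the discriminator.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account) inside WINDOW
    peak = {}
    for line in log_text.splitlines():
        ts, ip, account, _ = parse(line)
        window = recent[ip]
        window.append((ts, account))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        distinct = len({acct for _, acct in window})
        if distinct > MAX_DISTINCT_ACCOUNTS:
            peak[ip] = max(peak.get(ip, 0), distinct)
    return peak


def accounts_hit_by(log_text, ip):
    """Accounts a given source logged into successfully: these need a forced
    re-authentication and a notice to the account owner."""
    return sorted(
        acct
        for _, src, acct, outcome in map(parse, log_text.splitlines())
        if src == ip and outcome == "SUCCESS"
    )


if __name__ == "__main__":
    flagged = find_list_validation_sources(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(ip, "tried", count, "accounts; compromised:", accounts_hit_by(SAMPLE_LOG, ip))
```

In production the same counter would feed a throttle that refuses further attempts from the source once it crosses the threshold, which is the "unlimited number of accounts in rapid succession" control the complaint says was missing; the detector is deliberately keyed on distinct accounts rather than raw attempts so that a single user who mistypes a password several times is not caught by it.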
30. Oracle
FTC MATTER 132 3115
• Company Statement:
o [When updating Java] consumers … encounter a series of installation screens, which stated that “Java provides safe and secure access to the world of amazing Java content,” and that Java SE updates and a consumer’s “system” … would have “the latest . . . security improvements.”
• Meanwhile:
o “Oracle did not inform consumers that Java SE updates automatically removed only the most recent prior iteration of Java SE …. Therefore, after the update process, consumers could still have … insecure iterations of Java SE on their computers.”
o Note: In late 2010, Oracle acknowledged that exploit kits for at least 44 Java SE vulnerabilities were publicly available. For example, … key loggers.
• https://www.ftc.gov/system/files/documents/cases/160329oraclecmpt.pdf