
Data breaches at home and abroad


  1. Data Breaches at Home and Abroad: This Can Mean You Too!
     Lessons Learned from the Past, and What’s Coming Up in the Future for US and Multi-National Entities
     Mark E. Schreiber, Chair, Privacy and Data Protection Group
     Theodore P. Augustinos, Co-Chair
     Laurie A. Kamaiko, Co-Chair
     David S. Szabo
     Socheth Sor
  2. Agenda
     - Current Breach Landscape
     - Breach Response Tips
     - Massachusetts Data Security Requirements: Update
     - Credit Card Issues
     - HIPAA and HITECH Developments
     - Data Breach Litigation
     - Cyber Risk Insurance
     - Foreign and International Data Breach Considerations
  3. Current Breach Landscape
     - Company records containing personal information of individuals
       - increasingly exposed to malevolent or inadvertent disclosures
       - costs going up drastically
       - 96% avoidable through simple to intermediate security controls
     - 88% of U.S. companies said to have experienced a data breach in 2010
       - some multiple times
     - About 40% of executives in one recent Deloitte survey said they expected their company to have an electronic security breach in the next 12 months
       - Roughly ½ said they were not adequately prepared for it
  4. Cost of Breaches Increasing
     - 2011 had a troubled beginning
       - 9.5M records exposed (excluding 100M plus in Sony)
       - Sony
       - Google
       - Epsilon
       - Citibank
       - Anonymous/LulzSec
       - Massachusetts Executive Office of Labor and Workforce Development and other government agencies
       - Multiple hospitals and other healthcare providers
     - Average total cost per US company: $7.2M (2010), up from $6.75M (2009)
       - $3.4M in Germany, $2.5M in UK and France (2009)
     - 329 organizations reported 86,455 laptops lost (2010)
       - Avg. cost of $6.4 million per company
     - 222 million records repeatedly compromised in US in 2009 (likely undercounts)
     - 10 million patient records in 272 events (OCR report)
       - $6B cost annually
     Sources: Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach; Global 2009 Annual Study on Cost of a Data Breach; Verizon, April 2011: 2011 Data Breach Investigations Report
  5. Responsibility for Breaches
     According to Ponemon Studies:
     - Third Party Outsourcers – 39% of breaches (slight decline from 2009), but cost up 39%.
     - Lost/Stolen laptops and other mobile devices – 35% (36% in 2009, but cost up 15%).
     - Systems failure – 27%, a 9% decline as companies work harder on prevention and more technologies are available.
     - Negligence – 41% (1% increase); costs up 27%.
     - Malicious/Criminal – 31% (7%/highest increase)
       - 2010 was the first time malicious attacks were not the least frequent cause.
       - They are the most expensive; increasingly stealthy and successful, requiring more resources.
  6. Breach Response Tips
     - Assemble the team
       - Decision-maker level of management
       - IT
       - Data Forensics
       - Legal Counsel
       - Breach Response Services
         - Call center
         - Processing
         - Mailing
       - Customer, Public, Media and Governmental Relations
     - Containment
       - Find and stop the cause of the breach.
       - First priority is to stop the loss of data, preferably by taking steps that will preserve the information needed for the investigation
  7. Breach Response Tips (cont.)
     - Investigation
       - What happened?
       - What information was affected?
       - Where do affected individuals reside?
     - Analysis – Review results of the investigation under applicable requirements and contractual requirements, including PCI-DSS.
     - Remediation
       - Choice of products and services to be offered to affected individuals, if any
         - Credit Monitoring
         - Credit Restoration Services
         - Credit Insurance
         - Other
  8. Breach Response Tips (cont.)
     - Communication
       - Affected Individuals
       - State Agencies
       - FTC, HHS, as appropriate
       - Card Brands, Merchant Bankers and Card Processors
       - Employees
       - Other Constituents
     - Reaction to Inquiries
       - Affected Individuals and other consumers or clients
       - Media
       - Governmental Agencies
  9. Breach Response Tips (cont.)
     - Experience at all levels is critical (even the call center)
     - Benefits of a third-party forensics team
       - Credible third-party assessment
       - Reliable chain of custody
       - Backups of all pertinent system logs
       - Attorney-client privilege
     - Review availability of insurance coverage and effect any required notification.
     - Conduct the Investigation
     - Legal Analysis and Decision-Making
     - Draft and Effect Required Notices
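The "reliable chain of custody" and "backups of all pertinent system logs" points are what a forensics team actually has to produce before the investigation starts. The Python script below is an added example, not part of the presentation or the authors' practice: it copies pertinent logs into an evidence directory, marks each copy read-only, records a SHA-256 digest per file together with who collected it and when in a manifest, and re-verifies the manifest later so any alteration of the preserved copies is detected. The log lines, paths and the collector name are constructed for the example.

```python
"""Evidence preservation helper: copy pertinent logs into an evidence
directory and record a SHA-256 manifest so the chain of custody can be
verified later. Added example; all sample logs below are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log lines standing in for the systems involved in a breach.
SAMPLE_LOGS = {
    "web/access.log": '10.0.0.5 - - [01/Jun/2011:10:15:02 +0000] "GET /export?all=1 HTTP/1.1" 200 982113\n',
    "db/audit.log": "2011-06-01T10:15:03Z user=svc_report action=SELECT table=customers rows=48211\n",
    "auth/secure.log": "Jun  1 10:14:58 db01 sshd[4121]: Accepted password for svc_report from 10.0.0.5 port 51422\n",
}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large logs never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_evidence(source_root, evidence_root, collector):
    """Copy every file under source_root into evidence_root, mark the copies
    read-only, and write manifest.json with a hash and custody record per file."""
    entries = []
    for dirpath, _, files in os.walk(source_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(evidence_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)   # copy2 keeps the source mtime for the timeline
            os.chmod(dst, 0o444)     # read-only: later handling must not alter it
            entries.append({
                "file": rel,
                "sha256": sha256_file(dst),
                "size": os.path.getsize(dst),
                "source_mtime": datetime.fromtimestamp(os.path.getmtime(src), timezone.utc).isoformat(),
                "collected_by": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
            })
    manifest = {"evidence_root": evidence_root,
                "entries": sorted(entries, key=lambda e: e["file"])}
    with open(os.path.join(evidence_root, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_root):
    """Re-hash each file named in the manifest and return the list of files
    whose digest no longer matches; an empty list means the copies are intact."""
    with open(os.path.join(evidence_root, "manifest.json")) as f:
        manifest = json.load(f)
    mismatched = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_root, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            mismatched.append(entry["file"])
    return mismatched


def demo():
    """Write the constructed logs, collect them, verify, then show that a
    copy modified after collection is detected. Returns (ok_before, mismatched_after)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "live")
    ev = os.path.join(work, "evidence")
    for rel, text in SAMPLE_LOGS.items():
        os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
        with open(os.path.join(src, rel), "w") as f:
            f.write(text)
    collect_evidence(src, ev, collector="analyst@example.test")  # hypothetical collector
    ok_before = verify_evidence(ev) == []
    altered = os.path.join(ev, "db/audit.log")
    os.chmod(altered, 0o644)
    with open(altered, "a") as f:
        f.write("line appended after collection\n")
    return ok_before, verify_evidence(ev)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored (or at least its own hash recorded) somewhere the evidence handlers cannot write to, since a manifest kept next to the copies could be regenerated along with them.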
  10. Breach Response Tips (cont.)
      Top Five Ways to Avoid a Breach
      - Assemble the Team and Assess the Data
      - Develop Policies and Procedures
      - Control Hardware and Software
      - Mitigate Risk
      - Train, Test, Update and Monitor. Repeat
  11. Breach Response Tips (cont.)
      Top Five Ways to Respond to a Breach
      - Assemble the Response Team
      - Do the Forensics and Assess the Data
      - Develop and Effectuate Remediation
      - Draft and Effect Notices
      - Review Preventative Measures
  12. Massachusetts Data Security Requirements: Update
      State of the Art in Policies and Procedures
      - Massachusetts requirements for comprehensive written information security programs are both more broad and more specific than those of other states
        - More Broad – Extend to areas not covered by others
          - Written Policy Requirements
          - Technology and other security requirements
          - Vendor Contracts
        - More Specific – Impose specific requirements for security
          - Encryption
          - Specific requirements for vendor selection, contracting and management
        - Different – Unique breach notice requirements and limitations
  13. Massachusetts Data Security Requirements: Update (cont.)
      State of the Art in Enforcement?
      - Briar Group, LLC
        - Chain of restaurants and bars allegedly suffered malware intrusion
        - Allegedly continued to accept credit cards after knowledge of attack and prior to effective remediation, without notifying patrons of risk
        - Consent order entered by Mass AG included significant fine
        - Breach pre-dated MA Data Security Regulation
        - Enforcement pursued under general consumer protection statute
        - Enforcement posture based in part on apparent position that failure to comply with PCI-DSS = violations of consumer protection statute
        - Effectively adopts PCI-DSS as legal standard of conduct in the Commonwealth?
  14. Credit Card Issues
      - PCI-DSS
        - Industry Standard imposed by merchant banking contracts
        - Incorporated into Nevada law by statute
        - Imposed by Massachusetts enforcement posture?
      - Credit Card Breaches
        - Brand, Merchant Bank and Processor Notifications
        - Involvement of QIRA and QSA
        - Self-Assessment Questionnaire and Certification
  15. HIPAA Enforcement
      - Cignet Healthcare – $4.3 million penalty
      - Partners Health Care System – $1 million settlement
      - Interesting Questions
        - What is an “ongoing violation?”
        - How should penalties be calculated?
        - Does the statute authorize daily penalties?
  16. Resolution Agreements
      - Five agreements on OCR website
      - Settlements range from $35,000 to $2.25 million
      - Four are fundamentally based on security failures (lost or stolen information, improper disposal of information).
      - One is predominantly a privacy case (unauthorized use of PHI for marketing).
      - All have a corrective action plan.
      - Terms for CAPs are three years (4) and two years (1).
  17. HITECH Rulemaking
      - Accounting for Disclosures—proposed rule issued May 31, 2011. Includes two rights: right to an accounting of disclosures, and right to receive an electronic medical records access report
        - Period for accounting reduced to three years from six years.
        - Disclosures to be accounted for to be explicitly listed in the final rule. Comment is requested on specific items to be added to or excluded from the list.
  18. HITECH Rulemaking (cont.)
      - Access Reports
        - OCR proposes a report of every time a person accesses electronic data in a designated record set, whether a disclosure is made or not.
        - OCR takes the position that access logs already are required by the Security Rule—such that the regulation only requires access to a document that should be readily available.
        - Individuals can request reports reflecting access on specific dates or by specific individuals.
        - Reports must be aggregated if data resides on more than one information system (EMR, billing, etc.).
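To make the aggregation requirement concrete, the Python example below is added here and is not from the presentation or from OCR: it merges constructed audit records from two systems with different log formats, an EMR CSV log and a billing-system JSON-lines log, into one normalized per-patient access report that can be limited to a calendar date or to a specific accessing user, which is the kind of request the proposed rule would let an individual make. The field names, user names and patient identifiers are all constructed.

```python
"""Aggregate access-log records from more than one system into a single
per-patient access report, filterable by date or by accessing user.
Added example; the EMR and billing log lines below are constructed."""
import csv
import io
import json
from datetime import datetime

# Constructed EMR audit log (CSV): when, who, whose record, what action.
EMR_LOG = """ts,user,patient_id,action
2011-06-01T09:02:11Z,jdoe,P-1001,view_chart
2011-06-01T09:05:40Z,jdoe,P-1002,view_chart
2011-06-02T14:20:05Z,rlee,P-1001,update_medication
2011-06-03T08:00:00Z,auditor,P-1001,export_record
"""

# Constructed billing-system audit log (JSON lines) using different field names.
BILLING_LOG = """\
{"time": "2011-06-01T11:30:00Z", "actor": "bsmith", "account": "P-1001", "event": "print_statement"}
{"time": "2011-06-02T10:10:10Z", "actor": "jdoe", "account": "P-1001", "event": "view_balance"}
{"time": "2011-06-02T10:11:00Z", "actor": "jdoe", "account": "P-1003", "event": "view_balance"}
"""


def _ts(text):
    """Parse an RFC 3339 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_emr(text):
    """Normalize EMR CSV rows into the common record shape."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"system": "EMR", "ts": _ts(row["ts"]), "user": row["user"],
               "patient_id": row["patient_id"], "action": row["action"]}


def parse_billing(text):
    """Normalize billing JSON lines into the common record shape."""
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        yield {"system": "billing", "ts": _ts(obj["time"]), "user": obj["actor"],
               "patient_id": obj["account"], "action": obj["event"]}


def load_all():
    """Merge records from every source; a real deployment would add each
    system that holds part of the designated record set here."""
    return list(parse_emr(EMR_LOG)) + list(parse_billing(BILLING_LOG))


def access_report(records, patient_id, on_date=None, by_user=None):
    """Return the chronologically ordered accesses to one patient's data across
    all systems, optionally limited to a calendar date (YYYY-MM-DD) or to one
    accessing user. Each row is (timestamp, system, user, action)."""
    rows = [r for r in records if r["patient_id"] == patient_id]
    if on_date is not None:
        rows = [r for r in rows if r["ts"].date().isoformat() == on_date]
    if by_user is not None:
        rows = [r for r in rows if r["user"] == by_user]
    rows.sort(key=lambda r: r["ts"])
    return [(r["ts"].isoformat(), r["system"], r["user"], r["action"]) for r in rows]


def systems_in_report(report):
    """Which systems contributed rows; more than one means the aggregation
    requirement applied and a single combined report was needed."""
    return sorted({row[1] for row in report})


if __name__ == "__main__":
    recs = load_all()
    for row in access_report(recs, "P-1001"):
        print(row)
```

The normalization step is where the real work is: each source system logs under its own field names and clock conventions, so the report is only as trustworthy as the mapping from each native log into the common record, and timestamps from every system must be brought into one time zone before they are sorted together.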
  19. HITECH Rulemaking (cont.)
      Still pending: final rule for a large number of other HITECH-mandated changes, including:
      - Marketing Authorizations
      - Business Associate Agreements
      - Transition Provisions
      - Sale of PHI
      - Research Authorizations
      - Decedents
      - Immunizations
      - Minimum Necessary
      - Fundraising
      - Notice Requirements
      - Access Rights for Individuals
  20. Data Breach Litigation: Article III Standing Required
      - Data breach class actions
        - Tend to be in federal court due to Class Action Fairness Act, 28 U.S.C. § 1332(d)
        - If in state court, may be removable
      - Federal lawsuits must satisfy Article III standing requirement
        - Requires a “case or controversy” requiring an injury in fact that is actual or imminent, not conjectural or hypothetical.
  21. Data Breach Litigation: Article III Standing Required (cont.)
      - Several lower federal courts have found that increased risk of identity theft as a result of a data breach is not an injury in fact
      - Two federal appellate courts found increased risk of identity theft satisfies the injury in fact requirement
      - Sixth Circuit suggested increased risk of identity theft is too conjectural to be an injury in fact
  22. Data Breach Litigation: Cognizable Injury Also Required
      - If standing requirements are satisfied
        - Plaintiffs still need to allege an injury for which state law provides a remedy
      - Injuries not cognizable (generally) under state common law:
        - Increased risk of identity theft
        - Time and effort spent closing accounts/protecting credit ratings
      - Court finds cognizable injury in statutory claim
        - Doe 1 v. AOL LLC, 719 F.Supp.2d 1102 (N.D. Ca. 2010)
        - Claim under California Consumers Legal Remedy Act
        - Statute says consumer suffering “any damage” may bring a claim
        - Defendant exposed “highly sensitive” personal information of plaintiffs
        - Sufficient allegation of injury under statute
      - Moral: state law on injury may determine outcome of motion to dismiss
  23. Data Breach Litigation: Class Certification
      - Plaintiffs’ attorneys need the financial incentive of a class action in order to pursue a data breach action
        - Individual losses will generally be too small
      - Court may not certify class
      - May not be worth proceeding without class
  24. Cyber Risk Insurance
      - Specialty cyber risk/data protection/tech policies
        - Personal information breaches
        - Network security
        - Cyber extortion
        - Business disruption
      - Often can be sub-limits and other limitations on coverage
      - Terms/scope of coverage vary
  25. Other Insurance
      Claims often made under more traditional lines (although frequently exclusions/coverage defenses apply)
      - Property
      - Crime/Fidelity
      - K&R
      - CGL
        - Coverage A – property damage/BI-emotional distress
        - Coverage B – injury arising out of publication that violated the data owner’s privacy
      - Professional liability
        - Lawyers, real estate agents, A&E, etc.
      - D&O
        - Approval/lack of security plans
        - How a breach is handled
        - What is said about the cause and remediation
  26. Other Insurance Issues
      - Aggregation of risk on policies issued
        - The cyber hurricane (simultaneous attack on multiple targets)
        - Multiple insureds impacted
        - Multiple lines have claims made under them
      - Regulatory scrutiny
        - Includes data security
        - Insurance depts. such as Connecticut want to know within 5 days of a breach of an insurer
      - Increasing accumulation of protected information increases the risk of breach of insurers
        - Medical records and PI of claimants/insureds/beneficiaries
        - Medicare secondary payer reporting requirements
  27. Foreign and International Breach Considerations
      - Global Transactions, Operations, Data Processing and Storage
      - U.S.-styled breach notice requirements are being adopted in EU and elsewhere
        - EU Data Protection Directive may change by year end
        - Art. 29 W.P., April 2011, recommends breach notification
        - Definition of Personal Information is broader than U.S. definitions
      - India
        - New Data Security Rules issued under Information Technology Act of 2000, effective April 11, 2011
        - Requires “reasonable security practices” to protect “sensitive personal data” and
        - Imposes restrictions and requirements for
          - Collection of data
          - Disclosure of data
          - Transfer of data
          - Security practices and procedures
  28. Foreign and International Breach Considerations (cont.)
      - Notification Considerations
        - Does the Company have operations there?
        - Is the Company a data controller or processor in the country?
        - Does the DPA have jurisdiction?
        - Would it help mitigate reputational risk to notify affected individuals?
        - Would the Company’s posture in enforcement be improved by notifying government agencies?
        - Method of notifying individuals: mail or email? Translated or English?
      - Remediation Issues
        - Limited credit monitoring
        - Call center operations: toll free? Foreign language capabilities?
  29. Thank you
      Mark E. Schreiber, Partner – 617.239.0585
      Theodore P. Augustinos, Partner – 860.541.7710
      Laurie A. Kamaiko – 212.912.2768
      David S. Szabo, Partner – 617.239.0414
      Socheth Sor, Associate – 860.541.7773