Cybersecurity Attorney Explains Data Breach Risks and Legal Obligations

“There are only two types of companies: those that have
been hacked, and those that will be.” –Robert Mueller

43% Business had Data Breach in 2014

TargetHome DepotNeiman MarcusMichael’sSpecsTJ MaxxeBaySally BeautyPF Chang’sUPSDairy QueenJimmy John’sJP Morgan ChaseKmartStaplesSonyAshley Madison

www.solidcounsel.com
Computer Fraud & Cybersecurity
 What is fraud?
 Fraud 2.0
 Intersection between computer fraud &
cybersecurity / data breach
 The irony of all of this …

Malicious
• compete
• newco
• sabotage
• disloyal insider
Negligence
• email
• usb
• passwords
Blended
• foot out the door
• misuse of network
• stealing data
• negligence with d
• violate use policie
Hacking /
Cracking
Social
Engineer
Malware
Stealing
Planting
Corrupting
Outsider & Insider Threats

Data
Sources
Company
Data
Workforce
Data
Customer /
Client Data
Other
Parties’
Data
3rd Party
Business
Associates’
Data
Outsiders’
Data

Threat
Vectors
Network
Website
Email
BYOD
USBGSM
Internet
Surfing
Bus.
Assoc.
People

Legal Obligations
 International Laws
 Safe Harbor
 Privacy Shield
 Federal Laws & Regs
 HIPAA, GLBA, FERPA
 FTC, FCC, SEC
 State Laws
 47 states (Ala, NM, SD)
 Fla (w/in 30 days)
 OH & VT (45 days)
 Industry Groups
 PCI, FINRA, etc.
 Contracts
 Vendors & Suppliers
 Business Partners
 Data Security Addendum

ACC Study (Sept ‘15)
What concerns keep
Chief Legal Officers
awake at night?
#2 = Data Breaches
82% consider as
somewhat, very, or
extremely important

Cost of a Data Breach – US
2013 Cost
• $188.00 per record
• $5.4 million = total average cost paid by organizations
2014 Cost
• $201 per record
2015 Cost
• $217 per record
(Ponemon Institute Cost of Data Breach Studies)

thinking about
security …
tactics change …
Water shapes its course according
to the nature of the ground over
which it flows; the soldier works
out his victory in relation to the
foe whom he is facing.”
-SunTzu, The Art ofWar

Latest Trends
 Ransom Ware
 Epidemic
 Healthcare Industry
 Evolving Threat

Latest Trends

Consumer Litigation
Peters v. St. Joseph Services, 74 F.Supp.3d 847
(S.D. Tex. Feb. 11, 2015)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d
688, 693 (7th Cir. 2015)
Whalen v. Michael Stores Inc., 2015 WL 9462108
(E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc., 2016 WL 81792
(D. Minn. Jan. 7, 2016)
In re Anthem Data Breach Litigation, 2016 WL
589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)

Regulatory & Administrative – SEC
S.E.C. v. R.T. Jones Capital Equities Management, Consent
Order (Sept. 22, 2015).
 “Firms must adopt written policies to protect their clients’
private information”
 “they need to anticipate potential cybersecurity events
and
 have clear procedures in place rather than waiting to
react once a breach occurs.”
 violated this “safeguards rule
 100,000 records (no reports of harm)
 $75,000 penalty

Regulatory & Administrative – FTC
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14,
2014). FTC’s Order requires business to follow 3 steps when
contracting with third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the
appropriate level of data security protections.
3. Verify that the data service providers are complying
with obligations (contracts).

Regulatory & Administrative - FTC
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir.
Aug. 24, 2015).
 The FTC has authority to regulate cybersecurity under
the unfairness prong of § 45(a) of the Federal Trade
Commission Act.
 Companies have fair notice that their specific
cybersecurity practices could fall short of that provision.
 3 breaches / 619,000 records / $10.6 million in fraud
 Rudimentary practices v. 2007 guidebook
 Website Privacy Policy misrepresentations
 Jurisdiction v. set standard?

Regulatory & Administrative
 FCC - fined AT&T $25,000,000
 CFPB - fined Dwolla, Inc. $100,000
 FDIC - new cybersecurity framework
 DOJ - Yates Memo

Officer & Director Liability
“[B]oards that choose to ignore, or minimize, the
importance of cybersecurity oversight responsibility, do
so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10,
2014.
 Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
 Derivative claims premised on the harm to the company from data breach.
 Caremark Claims:
 Premised on lack of oversight = breach of the duty of loyalty and good faith
 Cannot insulate the officers and directors = PERSONAL LIABILITY!
 Standard:
 (1) “utterly failed” to implement reporting system or controls; or
 (2) “consciously failed” to monitor or oversee system.

Officer & Director Liability
Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20,
2014).
 Derivative action for failing to ensure Wyndham implemented
adequate security policies and procedures.
 Order Dismissing: The board satisfied the business judgement rule
by staying reasonably informed of the cybersecurity risks and
exercising appropriate oversight in the face of the known risks.
 Well-documented history of diligence showed Board
 Discussed cybersecurity risks, company security policies and
proposed enhancements in 14 quarterly meetings; and
 Implemented some of those cybersecurity measures.

Key Computer Fraud Laws
 Computer Fraud and Abuse Act
 Fed Criminal Law – 18 USC § 1040
 Inspired by War Games
 Civil Claim (1994 Amend)
 Most important computer fraud /
cybersecurity law
 Texas: Computer Crimes

Protected Computer
“If a device is ‘an electronic … or other high
speed data processing device performing
logical, arithmetic, or storage functions,’ it is
a computer. This definition captures any
device that makes use of an electronic data
processor, examples of which are legion.”
United States v. Kramer, 631 F.3d 900, 901 (8th Cir. 2011)
Protected = connected to the Internet

Access Crime
CFAA prohibits the access of a
protected computer that is:
 Without authorization, or
 Exceeds authorized access,
 Where the person accessing:
 Obtains information  Causes damage
 Commits a fraud  Traffics in passwords
 Obtains something of value  Commits extortion
 Transmits damaging info

Elements: Easiest CFAA Claim
1. Intentionally access computer;
2. Without authorization or
exceeding authorized access;
3. Obtained information from any
protected computer; and
4. Victim incurred a loss to one or
more persons during any 1-year
period of at least $5,000

Key Issues: Circuit Split
Trilogy of Access Theories
 Strict Access (2nd, 4th & 9th Cir.)
 Agency (7th Cir)
 Intended-Use (1st, 3rd, 5th, 8th, 11th)
 Policy Essentials: limit authorization
 Cover use of computer and data
 Restrict duration (i.e., terminate right)
 Restrict purpose (i.e., business use)

Key Issues: Civil Remedy
Loss
 $5,000 jurisdictional threshold
 Damage ≠ damages ≠ loss
(or)
Interruption of service

Texas: Computer Crimes
 Breach of Computer Security
 Ch. 33 Texas Penal Code
 Civil cause of action in TCPRC
 Generally follows CFAA
 Broader language
 Attorney’s fees recoverable

Breach of Computer Security
Elements
 knowingly accesses a computer, computer
network, or computer system;
 without the effective consent of the owner
Consent is not effective if:
 induced by deception or coercion;
 used for a purpose other than that for which
the consent was given;
 (others excluded)

Pros & Cons
Pros
 Federal court (if you want)
 Injunctive relief
 The dude who cried
Cons
 Focus on computer, not data (TUTSA)
 Non-Competes = data
 Must have policy language
 Complex & exotic

Virtually all companies will be
breached.Will they be liable?
It’s not the breach; it’s their diligence
and response that matters most.
Companies have a duty to be
reasonably informed of and take
reasonable measures to protect
against cybersecurity risks.

Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com
This information provided is
for educational purposes only,
does not constitute legal
advice, and no attorney-client
relationship is created by this
presentation.
ShawnTuma is a cyber lawyer business leaders trust to help solve
problems with cutting-edge issues involving cybersecurity, data privacy,
computer fraud, and intellectual property law. He is a Cybersecurity &
Data Protection Partner at Scheef & Stone, LLP, a full service
commercial law firm inTexas serving clients throughout the US.
 Board of Directors, NorthTexas Cyber Forensics Lab
 Board of Directors & General Counsel, Cyber Future Foundation
 Texas SuperLawyers 2015-16 (IP Litigation)
 Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
 Council, Computer &Technology Section, State Bar ofTexas
 Chair, Civil Litigation & Appellate Section, Collin County Bar
Association
 College of the State Bar ofTexas
 Privacy and Data Security Committee, Litigation, Intellectual
Property Law, and Business Sections of the State Bar ofTexas
 Information Security Committee of the Section on Science &
Technology Committee of the American BarAssociation
 NorthTexas Crime Commission,Cybercrime Committee
 Infragard (FBI)
 International Association of Privacy Professionals (IAPP)
 Information Systems Security Association (ISSA)
 Board of Advisors, Optiv Security
 Editor, Business Cybersecurity Business Law Blog

Cybersecurity Attorney Explains Data Breach Risks and Legal Obligations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Cybersecurity Attorney Explains Data Breach Risks and Legal Obligations

Similar to Cybersecurity Attorney Explains Data Breach Risks and Legal Obligations (19)

More from Shawn Tuma

More from Shawn Tuma (20)

Recently uploaded

Recently uploaded (20)

Cybersecurity Attorney Explains Data Breach Risks and Legal Obligations