Presentation addresses issues in cybersecurity law of the evolving standards for data breach liability for companies as well as officers and directors. The event was sponsored by Above Security and the title of the event was Above Compliance – Navigating the Cybersecurity Landscape in Financial Services.

1. Shawn E. Tuma
Scheef & Stone, LLP
@shawnetuma
Cybersecurity
Law
Navigating the Cybersecurity
Landscape in Financial Services

2. www.solidcounsel.com
Cost of a Data Breach – US
2013 Cost
 $188.00 per record
 $5.4 million = total average cost paid by organizations
2014 Cost
 $201 per record
 $5.9 million = total average cost paid by organizations
2015 Cost
 $217 per record
 $6.5 million = total average cost paid by organizations
(Ponemon Institute Cost of Data Breach Studies)

3. www.solidcounsel.com
Responding: Reporting & Notification
 Law Enforcement
 State Laws
 47 states (Ala, NM, SD)
 State Attorneys General
 VT (pre-notice w/in 14 days)
 MD (pre-notice)
 NJ (pre-notice to state police)
 Consumers
 Fla (w/in 30 days)
 OH & VT (45 days)
 Federal Agencies
 FTC, SEC, HHS, etc.
 Industry Groups
 PCI, FINRA, etc.
 Credit Bureaus
 Business Associates
 Vendors & Suppliers

4. www.solidcounsel.com
Litigation: The Good Old Days
Fear from the heightened risk of future identity theft or fraud from
a data breach does not give legal standing to sue by a party whose
data may have been compromised.
 “Allegations of future harm can establish Article III standing if that harm is
“certainly impending,” but “allegations of possible future injury are not
sufficient.” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013).
 “An allegation of future injury may suffice if the threatened injury is ‘certainly
impending’ or there is a ‘substantial risk’ that the harm will occur.” Susan B.
Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014).
 “Peters has not made the requisite demonstration of injury, traceability and
redressability for her alleged injuries. Lacking viability, her federal claims are
dismissed with prejudice.” Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D.
Tex. Feb. 11, 2015).

5. www.solidcounsel.com
Litigation: The Tectonic Shift
 “Our cases do not uniformly require plaintiffs to demonstrate that it is
literally certain that the harms they identify will come about. . . . we have
found standing based on a ‘substantial risk’ that the harm will occur ….”
Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1150 n.5 (2013).
 “The plaintiffs allege that the hackers deliberately targeted Neiman Marcus
in order to obtain their credit-card information. . . . [t]here is ‘no need to
speculate as to whether [the Neiman Marcus customers’] information has
been stolen and what information was taken. . . . The Neiman Marcus
customers should not have to wait until hackers commit identity theft or
credit-card fraud in order to give the class standing, because there is an
‘objectively reasonable likelihood’ that such an injury will occur.” Remijas v.
Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).
 “At this stage in the litigation, it is plausible to infer that the plaintiffs have
shown a substantial risk of harm from the Neiman Marcus data breach.
Why else would hackers break into a store’s database and steal consumers
private information? Presumably, the purpose of the hack is, sooner or later,
to make fraudulent charges or assume those consumers’ identities.”

6. www.solidcounsel.com
Litigation: Real Harm
Standing has not been an issue in cases where the harm is readily
ascertainable: “Target does not challenge Plaintiffs’ allegations with
respect to the elements of causation and damages.” In re Target
Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D.
Minn. 2014) (Financial Institutions Litigation).

7. www.solidcounsel.com
Regulatory & Administrative
In January 2014, SEC indicates that the new standard of care for
companies may require policies in place for:
1. Prevention, detection, and response to cyber attacks and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due diligence.
FTC’s Order requires business to follow 3 steps when contracting
with 3rd party service providers, In re GMR Transcription Svcs, Inc.,
2014 WL 4252393 (Aug. 14, 2014):
1. Investigate by exercising due diligence before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of
data security protections through contractual agreements with provider.
3. Verify that the data service providers are adequately protecting data as
required by the contractual standards.

8. www.solidcounsel.com
Regulatory & Administrative
The federal security laws require registered investment advisors to
adopt written policies and procedures reasonably designed to
protect customer records and information. S.E.C. v. R.T. Jones
Capital Equities Management, Consent Order (Sept. 22, 2015).
 “Firms must adopt written policies to protect their clients’ private
information and they need to anticipate potential cybersecurity
events and have clear procedures in place rather than waiting to
react once a breach occurs.”
 R.T. Jones violated this “safeguards rule” during a four-year period
when it had no such policies and hackers accessed more then
100,000 records of individuals, including its clients. The attack was
traced to China; no individuals have reported financial harm.
 This violated Rule 30(a) of Regulation S-P of the Securities Act of
1933. In settling, R.T. Jones agreed to censure and a $75,000 penalty.

9. www.solidcounsel.com
Regulatory & Administrative
The FTC has authority to regulate cybersecurity under the
unfairness prong of § 45(a) of the Federal Trade Commission Act
and companies have fair notice that their specific cybersecurity
practices could fall short of that provision. F.T.C. v. Wyndham
Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
 Wyndham was hacked three times in 2008 and 2009 that resulted the
compromise of over 619,000 consumer payment card records.
 Information used to commit over $10.6 million in fraudulent charges.
 Cybersecurity posture was very rudimentary and contravened
recommendations in the FTC’s 2007 guidebook, Protecting Personal
Information: A Guide for Businesses.
 Website Privacy Policy made representations about its cybersecurity
practices that were not true and, therefore, deceptive.

10. www.solidcounsel.com
Officer & Director Liability
“[B]oards that choose to ignore, or minimize, the importance of
cybersecurity oversight responsibility, do so at their own peril.” SEC
Commissioner Luis A. Aguilar, June 10, 2014.
 Derivative Litigation  the wave of the future.
 Trend of holding responsible those perceived to be in position of control vis-
à-vis those perceived as being the victim.
 Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
 Derivative claims are premised on the harm to the company that stem from
the data breach, a much different standard than the harm / standing issues
that plaintiffs face in consumer data breach litigation.
 Derivative plaintiffs rely on Caremark claims that are premised on the officers
and directors’ lack of oversight which is a breach of the duty of loyalty and
good faith. Companies cannot insulate the officers and directors for a breach
of this duty.
 Caremark standard: (1) “utterly failed” to implement reporting system or
controls; or (2) consciously failed to monitor or oversee system.

11. www.solidcounsel.com
Officer & Director Liability
Palkon, a Wyndham shareholder, brought a derivative action against its
officers and directors for failing to ensure that Wyndham implemented
adequate security policies and procedures.
 Included Caremark Claim: “Defendants failed to ensure that the
Company and its subsidiaries implemented adequate information
security policies and procedures . . . .” (Pl’s Complaint ¶ 4)
 Court granted Motion to Dismiss, finding the board satisfied the
business judgement rule by staying reasonably informed of the
cybersecurity risks and exercising appropriate oversight in the face of
the known risks.
 The well-documented history of diligence and compliance showed
the board had discussed cybersecurity risks, company security policies
and proposed security enhancements in 14 quarterly meetings and
had implemented some of those cybersecurity measures. Palkon v.
Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).

12. You will be breached.Will you be
liable?
It’s not the breach; it’s your
diligence that matters most.
Companies & leadership have a
duty to be reasonably informed of
and take reasonable measures to
protect against cybersecurity risks.

13. ShawnTuma
Partner, Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: shawnetuma.com
web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice,
and no attorney-client relationship is created by this presentation.
ShawnTuma is a cyber lawyer business leaders trust to help solve problems
with cutting-edge issues involving cybersecurity, data privacy, computer
fraud, intellectual property, and social media law. He is a partner at Scheef &
Stone, LLP, a full service commercial law firm inTexas that represents
businesses of all sizes throughout the United States and, through its Mackrell
International network, around the world.
 Texas SuperLawyers 2015
 Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
 Council, Computer &Technology Section, State Bar ofTexas
 Chair, Civil Litigation & Appellate Section, Collin County Bar Association
 College of the State Bar ofTexas
 Privacy and Data Security Committee, Litigation, Intellectual Property
Law, and Business Sections of the State Bar ofTexas
 Information Security Committee of the Section on Science &Technology
Committee of theAmerican Bar Association
 NorthTexas Crime Commission, Cybercrime Committee
 Infragard (FBI)
 International Association of Privacy Professionals (IAPP)
 Information Systems SecurityAssociation (ISSA)
 Board of Advisors, Optiv Security
 Contributor, Norse DarkMatters Security Blog
 Editor, Cybersecurity & Data Privacy Business Law