This presentation addresses the evolving standards in cybersecurity law for data breach liability for companies as well as officers and directors. The event was sponsored by Above Security and was titled Above Compliance – Navigating the Cybersecurity Landscape in Financial Services.
Legal Issues Impacting Data Center Owners, Operators & Users (jyates)
MMM’s goal is to work with data center owners, operators and users to identify key legal issues and their related claims, and to provide ways to minimize liability.
Digital Information Law & Your Business - The Alternative Board (Shawn Tuma)
A discussion for business owners of digital information law issues of social media law, data security and data breach law, and trade secrets and corporate espionage issues.
The Legal Side of Data Breach and Third Party Risk - IIA 9th Annual Fraud Summit (Shawn Tuma)
Shawn Tuma's presentation with Christopher Mitchell (of Crowe Horwath) at The Institute of Internal Auditors 9th Annual Fraud Summit. The title of the presentation is The Legal Side of Data Breach and Third Party Risk.
The main point of the presentation is that when a company is breached through the fault of one of its third-party business associates, or other third-parties, the company is still responsible for all of the repercussions arising out of the breach and, at best, will then have to go and pursue its rights against the third party. Thus, companies need to ensure that their business associates and other third parties adhere to proper data security practices and they should be audited to ensure compliance.
This new publication, Cyber Claims Insight from Aon Benfield’s Cyber Practice Group, empowers readers with the resources and tools they need to understand the cyber landscape, including legal trends, claims and insurance coverage disputes.
The purpose of this paper is to review the topic of data breach from two perspectives: first, an overview of the trends in data breach litigation, and second, a more granular perspective of practical data protection processes that may serve as a guidepost to help reduce the likelihood of a data breach. Taken together, the reader will understand why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.
Cyber risk related to information security is growing. A potentially huge exposure for transportation companies is the personal data of their current and prospective drivers.
In the last several years, substantial data breaches or hacker attacks in the U.S. have shown no signs of abating. Neither have the class actions that typically follow in their wake. Bradley Arant discusses litigation trends in data breach class actions. The video will touch on evolving issues in these cases, including recent loosening of consumer standing requirements (in cases after the Supreme Court’s Clapper decision), class certification and other issues raised in the Target litigation. We will also provide an overview of recent settlements of data breach class actions and what they might mean for later cases. The webinar will address several issues pending before the Supreme Court this term that could have significant impact, including whether a statutory violation without other injury confers Article III standing, and the extent to which statistical evidence can be used to justify class certification.
Bradley's panel reacts to and addresses a hypothetical cyber incident involving a widespread compromise of consumer healthcare and financial information. Amy Leopard (Healthcare), Mike Pennington (Litigation), John Goodman (Litigation), Elena Lovoy (Financial Services), and moderator Paige Boshell (Intellectual Property, Financial Services) will offer legal and practical strategies to proactively respond to and resolve a specified data breach. Highlights will include customer notice strategies, attorney-client privilege and litigation avoidance strategies, and coordination with third parties, including external PR and forensic investigators, vendors, regulators, and law enforcement.
Responding to a Company-Wide PII Data Breach (CBIZ, Inc.)
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Combating Cyber Fraud, Data Breaches & Corporate Espionage (Shawn Tuma)
A discussion for C-level business executives and board members of digital information law issues of social media law, data security and data breach law, and trade secrets and corporate espionage issues.
This presentation covers the FACTA Identity Theft Red Flags Rule and other legislation relevant to business compliance in preventing and reducing identity theft in the workplace.
Lost laptops, misplaced paper records, cyber theft - breaches are a fact of life. But they don't have to be a disaster. Breach veterans know that the impact of a data loss event is substantially determined by what happens in the 48 hours after you find out about it. Get things right, and even a substantial and public breach can be weathered gracefully. Mess things up, and a small breach can turn into a nightmare.
This webinar will review critical steps organizations can take in the wake of a breach. Our featured speaker will be privacy and compliance expert Deb Hampson, who is an AVP & Assistant General Counsel at The Hartford. Don't miss this opportunity to learn best practices from a proven professional.
Cyber security legal and regulatory environment - Executive Discussion (Joe Nathans)
What will you do when a breach occurs, and critical, confidential information has been publicly disclosed?
• FBI, Law Enforcement or Reporter Calls
• You become the Top News Story
• Investors need answers
• Regulatory Agencies are asking questions
• Your Customers, Suppliers, and Employees are affected, concerned, and need information
• The Breach becomes your only priority and you don’t know:
o What happened and what was disclosed?
o Who is responsible for resolution and who is on our team?
o What are our legal responsibilities?
o How will we manage the surge volume of communications, discovery and analysis?
o Who will pay?
The following presentation begins to address some of the legal and regulatory issues that are involved. The presentation is for discussion purposes only and should not be considered legal advice.
Cybersecurity & Computer Fraud - The Convergence (Shawn Tuma)
In this presentation, Cybersecurity & Data Protection attorney Shawn Tuma discusses the convergence of similar legal issues involving cybersecurity and computer fraud, and explains how they are really two sides of the same coin.
This presentation was delivered on April 20, 2016 at the Association of Certified Fraud Examiners Fort Worth Chapter meeting.
Cybersecurity: What the GC and CEO Need to Know (Shawn Tuma)
Shawn Tuma, Cybersecurity & Data Protection Partner at Scheef & Stone, L.L.P., presented to the Dallas Bar Association's Corporate Counsel Section on May 3, 2016. The title was Cybersecurity: What the GC and CEO Need to Know.
A hands-on cybersecurity presentation: preparing an action plan before you are attacked, contracting tips and available insurance coverage.
Cybersecurity & Data Protection: What the GC & CEO Need to Know (Shawn Tuma)
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all companies will be breached, but preparation and diligence can help minimize the likelihood of such a breach being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then turns to the need, because of this crisis environment, for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Provisions in Cyber Insurance Policies - State Bar of Texas Annual Meeting 20... (Shawn Tuma)
Presentation discussing key provisions to be considered when reviewing cyber insurance policies. Presentation was delivered on June 19 at the State Bar of Texas Annual Meeting 2015 in San Antonio, Texas.
Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Str... (Shawn Tuma)
Presentation to the Collin County Bench Bar Foundation's 2015 Bench Bar Conference. Focused on the latest cybersecurity trends and strategies for mitigation of cyber risk and compliance.
E-Contracting: The Basic Rules (2/2/2001) (Shawn Tuma)
This is a presentation that discusses the basics of contracting over the Internet -- back in 2001 -- before the rules for Internet contracting were settled. The date of the presentation was February 2, 2001. This is a Golden Oldie!
Data Security and Privacy by Contract: Hacking Us All Into Business Associate... (Shawn Tuma)
This presentation was delivered at the Southern Methodist University Law School, Science and Technology Law Review's 2015 Cybersecurity Symposium on October 23, 2015.
Back in 2001, there were a lot of Internet Law issues that were just beginning to be explored which is what gave rise to the title "Internet Law: An Expedition" -- what we did not realize back then was that many of those issues would still be evolving 15 years later! For example, this presentation discusses use of email and whether it is safe and appropriate for confidential information; Internet or computer use policies, something that I still discuss frequently, and privacy issues in the employment context. It was fascinating to take a look back down memory lane with these presentation slides.
Cybersecurity & Data Protection: Thinking About Risk & Compliance (Shawn Tuma)
Cybersecurity & Data Protection: Thinking About Risk & Compliance is a presentation that Frisco business lawyer Shawn Tuma delivered to the Corporate Counsel Section of the Collin County Bar Association. The presentation date was May 29, 2015.
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy... (Shawn Tuma)
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss. This is a keynote speech delivered by Shawn Tuma to the Paralegal Division of the State Bar of Texas on June 17, 2016.
Federal Computer Fraud and Abuse Act & Texas Computer Hacking Statutes (Shawn Tuma)
Federal Computer Fraud and Abuse Act & Texas Computer Hacking Statutes is a presentation that Shawn Tuma delivered to the Intellectual Property Section Track at the State Bar of Texas Annual Meeting in Fort Worth, Texas on June 17, 2016. This presentation focused on the practical "how to" for practitioners to use the Computer Fraud and Abuse Act (CFAA) and the Texas Breach of Computer Security (BCS) and Harmful Access by Computers Act (HACA) statutes to combat privileged-user / insider misuse as well as outsider threats.
ACI’s lauded Cyber & Data Risk Insurance conference is the highest-level event that provides maximum opportunities to learn from and network with underwriters, brokers, claims managers and industry leaders, and helps you keep pace with the ever-changing cyber insurance market. It’s also the only conference that brings you regulatory and enforcement priorities straight from the federal and state government themselves.
Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cyberc... (Shawn Tuma)
Slides from a panel discussion for the International Association of Defense Counsel (IADC) in Dallas, Texas on the subject of "Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and Cyber Insurance Coverage"
Note that only Shawn Tuma's slides are included, not those of the other speakers on the panel.
This presentation focuses on the rising prominence of insurance considerations, and more particularly on legal aspects of insurance as it relates to cybersecurity and privacy.
The presentation defines "Cyber and Privacy Insurance" and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions, the presentation then gives a snapshot of how the Cyber Insurance Market Is Maturing, its participants, costs, and related attributes.
Consideration is given to the importance of defined terms, before launching into difficulties that providers and users have relative to measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate through associated risk/cost analyses and cost structures.
Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together in a cohesive manner.
A summarized version of the 60 page Rule broken down by Kirk J. Nahra, a partner with Wiley Rein & Fielding LLP in Washington, D.C. He specializes in privacy and information security litigation and counseling for companies facing compliance obligations in these areas. He is the Chair of the firm’s Privacy Practice. He serves on the Board of Directors of the International Association of Privacy Professionals, and edits IAPP’s monthly newsletter, Privacy Officers Advisor. He is a Certified Information Privacy Professional, and is the Chair of the ABA Health Law Section’s Interest Group on eHealth, Privacy & Security.
Recovering from a Cyber Attack was delivered on February 7, 2018, at the Texas Bar CLE Cybersecurity Workshop course by Todd Hindman, Global Director, Data Breach Response Services of ID Experts Corp. and Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
Rarely does a week go by without the announcement of another major data breach that has put thousands, or even millions, of consumers at risk of fraud. From malicious use of compromised credit and debit cards, to increased identity theft risk, to drained bank accounts, the threats are real and impact millions of consumers. A key challenge for the incoming 114th Congress will be to implement long-needed reforms that will protect American consumers' personal data from malicious use by criminal hackers.
Information Compromise and the Risk of Identity Theft Guidance for your Business- Mark - Fullbright
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Here are the slides used in my presentation to the Toronto Computer Lawyers Group earlier today, The Year in Review: Developments in Computer, Internet and E-Commerce Law (2010-2011). It covers significant developments since my talk last spring.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Similar to Above Compliance – Navigating the Cybersecurity Landscape and Officer & Director Liability in Financial Services (19)
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ... (Shawn Tuma)
Shawn Tuma, a professional "breach guide" (aka, breach quarterback, coach, privacy counsel, etc), is an attorney who has practiced in cyber law since 1999. His day job as Co-Chair of Spencer Fane LLP's Data Privacy and Cybersecurity Practice is leading companies through the cyber incident response and recovery process. In this presentation, he provides a virtual tabletop exercise explaining the lifecycle of responding to a typical ransomware attack through a detailed timeline.
The audio for this presentation, in podcast form, is here: https://www.secureworldexpo.com/resources/podcast-ransomware-attack-lifecycle
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Southern Methodist University Digital Branding Class on October 27, 2020.
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack (Shawn Tuma)
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Columbia University for the Executive Masters of Technology Management Program on November 21, 2020.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to... (Shawn Tuma)
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Northwestern State University's Fall Continuing Legal Education Conference on November 18, 2020.
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec... (Shawn Tuma)
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Dallas Baptist University Reimagine Technology Conference course in Dallas, Texas on November 18, 2020.
The Role of Contracts in Privacy, Cybersecurity, and Data Breach (Shawn Tuma)
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Texas Bar CLE's Making and Breaking Iron-Clad Contracts course in Austin, Texas on March 6, 2020.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to... (Shawn Tuma)
Shawn Tuma delivered this presentation on April 9, 2019, at the Oklahoma State University 4th Annual Cyber Security Conference in Oklahoma City, Oklahoma.
In twenty years of practicing cyber law, Shawn Tuma has seen a multitude of cybersecurity and data breach cases that have helped him understand the real-world risks companies face and the practical things they can do to prioritize their resources and effectively manage cyber risk. In this presentation, he will share his experience on issues such as:
· Why cybersecurity is an overall business risk issue that must be properly managed to comply with laws and regulations
· Why strategic leadership is critical in cybersecurity
· Why teams are critical for cybersecurity and how personalities and psychology can impact that team
· The most likely real-world risks that most companies face
· How to prioritize limited resources to effectively manage the most likely real-world risks
· What is reasonable cybersecurity
· How to develop, implement, and mature a cyber risk management program
· Why cyber insurance is a critical component of the cyber risk management process
Real World Cyber Risk. Understand it. Manage it. (Shawn Tuma)
Renaissance Executive Forums 2019 CEO Summit presentation by Shawn E. Tuma, Co-Chair, Data Privacy & Cybersecurity Group, Spencer Fane, LLP
March 7, 2019
Dallas, Texas
The Legal Case for Cyber Risk Management Programs and What They Should Include (Shawn Tuma)
Spencer Fane LLP Cybersecurity and Data Privacy attorney Shawn Tuma delivered "The Legal Case for Cyber Risk Management Programs and What They Should Include" at the Texas Society of Certified Public Accountants' TSCPA CPE 2018 CPE Expo Conference on November 30, 2018, in Addison, Texas.
As an attorney serving as a guide for companies that have data breaches, I regularly advise clients through the data breach incident response process. Here is a checklist that I developed to give them a roadmap for how this process works, on a single page. While this is not an exhaustive list, these are the items that most often need to be performed in the cases in which I guide clients through the incident response and remediation process. Of course, there will be exceptions, additions, and omissions — take this for what it is, a starting point. Another important point to remember is that this is just a checklist, it is not a cybersecurity incident response plan. For more information see https://shawnetuma.com/incident-response-checklist/
Cybersecurity: Cyber Risk Management for Lawyers and Clients (Shawn Tuma)
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled "Cybersecurity: Cyber Risk Management for Lawyers and Clients" at the Texas Bar CLE's 16th Annual Advanced Business Law Course on November 8, 2018.
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018) (Shawn Tuma)
Cybersecurity is a Team Sport: Why strategic leadership and an understanding of roles, personalities, and psychology is important for building and managing effective cybersecurity teams.
This presentation was a discussion of issues such as:
* Who should be on the team and what should they know?
* How should the team be organized?
* Who is responsible for developing the strategy and seeing the whole playing field?
* What are the team members' responsibilities?
* How do team members' personalities affect their roles and performance?
* Is there a role for lawyers if the "privilege" "magic wand" turns out to be more fairy-tale than reality?
The presentation was delivered by cybersecurity and data privacy attorney Shawn Tuma, Co-Chair of the Cybersecurity and Data Privacy Practice Group of Spencer Fane LLP, on October 10, 2018, at SecureWorld - Dallas.
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (Shawn Tuma)
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).
Something is Phishy: Cyber Scams and How to Avoid Them (Shawn Tuma)
Reginald A. Hirsch and Shawn E. Tuma presented this talk at the Annual Meeting of the State Bar of Texas for the Law Practice Management Section of the State Bar of Texas. The date of the talk was June 22, 2018, and the location was Houston, Texas.
Cybersecurity Fundamentals for Legal Professionals (and every other business) (Shawn Tuma)
Cybersecurity & Data Privacy attorney Shawn Tuma delivered this presentation to the Mid-Year Meeting of the State Bar of Oklahoma's Intellectual Property Law Section on June 2, 2018. For more information visit www.shawnetuma.com
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Director Liability in Financial Services
1. Shawn E. Tuma
Scheef & Stone, LLP
@shawnetuma
Cybersecurity
Law
Navigating the Cybersecurity
Landscape in Financial Services
2. www.solidcounsel.com
Cost of a Data Breach – US
2013 Cost
$188.00 per record
$5.4 million = total average cost paid by organizations
2014 Cost
$201 per record
$5.9 million = total average cost paid by organizations
2015 Cost
$217 per record
$6.5 million = total average cost paid by organizations
(Ponemon Institute Cost of Data Breach Studies)
3. Responding: Reporting & Notification
Law Enforcement
State Laws
47 states (Ala, NM, SD)
State Attorneys General
VT (pre-notice w/in 14 days)
MD (pre-notice)
NJ (pre-notice to state police)
Consumers
Fla (w/in 30 days)
OH & VT (45 days)
Federal Agencies
FTC, SEC, HHS, etc.
Industry Groups
PCI, FINRA, etc.
Credit Bureaus
Business Associates
Vendors & Suppliers
4. Litigation: The Good Old Days
Fear from the heightened risk of future identity theft or fraud from
a data breach does not give legal standing to sue by a party whose
data may have been compromised.
“Allegations of future harm can establish Article III standing if that harm is
‘certainly impending,’ but ‘allegations of possible future injury are not
sufficient.’” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013).
“An allegation of future injury may suffice if the threatened injury is ‘certainly
impending’ or there is a ‘substantial risk’ that the harm will occur.” Susan B.
Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014).
“Peters has not made the requisite demonstration of injury, traceability and
redressability for her alleged injuries. Lacking viability, her federal claims are
dismissed with prejudice.” Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D.
Tex. Feb. 11, 2015).
5. Litigation: The Tectonic Shift
“Our cases do not uniformly require plaintiffs to demonstrate that it is
literally certain that the harms they identify will come about. . . . we have
found standing based on a ‘substantial risk’ that the harm will occur ….”
Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1150 n.5 (2013).
“The plaintiffs allege that the hackers deliberately targeted Neiman Marcus
in order to obtain their credit-card information. . . . [t]here is ‘no need to
speculate as to whether [the Neiman Marcus customers’] information has
been stolen and what information was taken.’ . . . The Neiman Marcus
customers should not have to wait until hackers commit identity theft or
credit-card fraud in order to give the class standing, because there is an
‘objectively reasonable likelihood’ that such an injury will occur.” Remijas v.
Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).
“At this stage in the litigation, it is plausible to infer that the plaintiffs have
shown a substantial risk of harm from the Neiman Marcus data breach.
Why else would hackers break into a store’s database and steal consumers’
private information? Presumably, the purpose of the hack is, sooner or later,
to make fraudulent charges or assume those consumers’ identities.”
6. Litigation: Real Harm
Standing has not been an issue in cases where the harm is readily
ascertainable: “Target does not challenge Plaintiffs’ allegations with
respect to the elements of causation and damages.” In re Target
Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D.
Minn. 2014) (Financial Institutions Litigation).
7. Regulatory & Administrative
In January 2014, SEC indicates that the new standard of care for
companies may require policies in place for:
1. Prevention, detection, and response to cyber attacks and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due diligence.
FTC’s Order requires businesses to follow 3 steps when contracting
with 3rd party service providers, In re GMR Transcription Svcs, Inc.,
2014 WL 4252393 (Aug. 14, 2014):
1. Investigate by exercising due diligence before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of
data security protections through contractual agreements with provider.
3. Verify that the data service providers are adequately protecting data as
required by the contractual standards.
8. Regulatory & Administrative
The federal securities laws require registered investment advisors to
adopt written policies and procedures reasonably designed to
protect customer records and information. S.E.C. v. R.T. Jones
Capital Equities Management, Consent Order (Sept. 22, 2015).
“Firms must adopt written policies to protect their clients’ private
information and they need to anticipate potential cybersecurity
events and have clear procedures in place rather than waiting to
react once a breach occurs.”
R.T. Jones violated this “safeguards rule” during a four-year period
when it had no such policies and hackers accessed more than
100,000 records of individuals, including its clients. The attack was
traced to China; no individuals have reported financial harm.
This violated Rule 30(a) of Regulation S-P of the Securities Act of
1933. In settling, R.T. Jones agreed to censure and a $75,000 penalty.
9. Regulatory & Administrative
The FTC has authority to regulate cybersecurity under the
unfairness prong of § 45(a) of the Federal Trade Commission Act
and companies have fair notice that their specific cybersecurity
practices could fall short of that provision. F.T.C. v. Wyndham
Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
Wyndham was hacked three times in 2008 and 2009, which resulted in the
compromise of over 619,000 consumer payment card records.
Information was used to commit over $10.6 million in fraudulent charges.
Cybersecurity posture was very rudimentary and contravened
recommendations in the FTC’s 2007 guidebook, Protecting Personal
Information: A Guide for Businesses.
Website Privacy Policy made representations about its cybersecurity
practices that were not true and, therefore, deceptive.
10. Officer & Director Liability
“[B]oards that choose to ignore, or minimize, the importance of
cybersecurity oversight responsibility, do so at their own peril.” SEC
Commissioner Luis A. Aguilar, June 10, 2014.
Derivative Litigation the wave of the future.
Trend of holding responsible those perceived to be in position of control vis-
à-vis those perceived as being the victim.
Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
Derivative claims are premised on the harm to the company that stems from
the data breach, a much different standard than the harm / standing issues
that plaintiffs face in consumer data breach litigation.
Derivative plaintiffs rely on Caremark claims that are premised on the officers
and directors’ lack of oversight which is a breach of the duty of loyalty and
good faith. Companies cannot insulate the officers and directors for a breach
of this duty.
Caremark standard: (1) “utterly failed” to implement reporting system or
controls; or (2) consciously failed to monitor or oversee system.
11. Officer & Director Liability
Palkon, a Wyndham shareholder, brought a derivative action against its
officers and directors for failing to ensure that Wyndham implemented
adequate security policies and procedures.
Included Caremark Claim: “Defendants failed to ensure that the
Company and its subsidiaries implemented adequate information
security policies and procedures . . . .” (Pl’s Complaint ¶ 4)
Court granted Motion to Dismiss, finding the board satisfied the
business judgment rule by staying reasonably informed of the
cybersecurity risks and exercising appropriate oversight in the face of
the known risks.
The well-documented history of diligence and compliance showed
the board had discussed cybersecurity risks, company security policies
and proposed security enhancements in 14 quarterly meetings and
had implemented some of those cybersecurity measures. Palkon v.
Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).
12. You will be breached. Will you be
liable?
It’s not the breach; it’s your
diligence that matters most.
Companies & leadership have a
duty to be reasonably informed of
and take reasonable measures to
protect against cybersecurity risks.
13. Shawn Tuma
Partner, Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: shawnetuma.com
web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice,
and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems
with cutting-edge issues involving cybersecurity, data privacy, computer
fraud, intellectual property, and social media law. He is a partner at Scheef &
Stone, LLP, a full service commercial law firm in Texas that represents
businesses of all sizes throughout the United States and, through its Mackrell
International network, around the world.
Texas SuperLawyers 2015
Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
Council, Computer & Technology Section, State Bar of Texas
Chair, Civil Litigation & Appellate Section, Collin County Bar Association
College of the State Bar of Texas
Privacy and Data Security Committee, Litigation, Intellectual Property
Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology
Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Information Systems Security Association (ISSA)
Board of Advisors, Optiv Security
Contributor, Norse DarkMatters Security Blog
Editor, Cybersecurity & Data Privacy Business Law