Cybersecurity and Privacy for In-House Counsel: How the New Regulations and Guidelines Impact Your Company

www.solidcounsel.com
Shawn Tuma
(214) 472-2135
Shawn.Tuma@solidcounsel.com
www.shawnetuma.com
@shawnetuma

Privacy + Security
Privacy v. Security

Cybersecurity (and
Privacy):
A Legal Issue?

Shawn Tuma
(214) 472-2135
Shawn.Tuma@solidcounsel.com
www.shawnetuma.com
@shawnetuma
“Security and IT protect companies’ data;
Legal protects companies from their data.”

What is in-house counsel’s role in
cybersecurity?
What is outside counsel’s role?

Cyber Insurance – Key Questions
• Do you know if you even have it?
• What period does the policy cover?
• Are Officers & Directors Covered?
• Cover 3rd Party Caused Events?
• Social Engineering coverage?
• Cover insiders intentional acts (vs.
negligent)?
• Is contractual liability covered?
• What is the triggering event?
• What types of data are covered?
• What kind of incidents are covered?
• Acts of war? Terrorism?
• Required carrier list for attorneys &
experts?
• Other similar risks?

Cause for Concern
• 62% of Cyber Attacks → SMBs
• Odds: Security @100% v. Hacker @1
• ACC Study (9/15) = #2 Concern
Keeping CLO’s awake at night
• Dyn & IoT?

Legal Obligations
 International Laws
 GDPR
 Privacy Shield
 Federal Laws & Regs.
 HIPAA, GLBA, FERPA
 FTC, FCC, SEC
 State Laws
 48 states (AL & SD)
 Industry Groups
 PCI, FINRA, etc.
 Contracts
 3rd Party Bus. Assoc.
 Data Security Addendum

The real-world threats are not so sophisticated.
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily preventable
• 90% in 2014
• 91% in 2015

Cybersecurity must-haves for companies.
 Strong cybersecurity basics.
 Policies and procedures focused on cybersecurity.
 Social engineering.
 Password and security questions
 Training of all employees.
 Phish all employees (esp. executives).
 Signature based antivirus and malware detection.
 Multi-factor authentication.
 Backups segmented from the network.
 Incident response plan.
 Encryption for sensitive and air-gap for hypersensitive data.
 Adequate logging and retention.
 Third-party security and supply chain risk management.*
 Intrusion detection and intrusion prevention systems.*

Cybersecurity must-haves for companies.
 Strong cybersecurity basics.
 Policies and procedures focused on cybersecurity.
 Social engineering.
 Password and security questions
 Training of all employees.
 Phish all employees (esp. executives).
 Signature based antivirus and malware detection.
 Multi-factor authentication.
 Backups segmented from the network.
 Incident response plan.
 Encryption for sensitive and air-gap for hypersensitive data.
 Adequate logging and retention.
 Third-party security and supply chain risk management.*
 Intrusion detection and intrusion prevention systems.*
Ask 1 Question:
“Are our backups frequent
and segmented from the
network?”

Cyber Risk
Assessment
Strategic
Planning
Deploy
Defense
Assets
Develop,
Implement
&Train on
P&P
Tabletop
Testing
Reassess &
Refine
How mature is
your company’s
Cybersecurity Risk
Management
Program?

“An ounce of prevention is cheaper than
the first day of litigation.”

Cyber Risk Factors
Have you analyzed how the attorney-client and work
product privileges apply in cybersecurity incidents?
“Target has demonstrated . . . that the work of the Data
Breach Task Force was focused not on remediation of the
breach . . . but on informing Target’s in-house and outside
counsel about the breach so that Target’s attorneys could
provide the company with legal advice and prepare to
defend the company in litigation that was already pending
and was reasonably expected to follow.”
In re Target Corp. Customer Data Breach Litigation

Peters v. St. Joseph Services (S.D. Tex. 2015)
Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015)
Whalen v. Michael Stores Inc. (E.D.N.Y. 2015)
In re SuperValu, Inc. (D. Minn. 2016)
Anthem Data Breach Litigation (N.D. Cal. 2016) (Koh)
What is risk from consumer breach litigation?
Spokeo v. Robins, 136 S.Ct. 1540 (2016)
Tangible or intangible harm but concrete & particularized
Lewert v. P.F. Chang’s China Bistro Inc. (7th Cir. 2016)
Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016)

Cyber Risk Factors
Does your company have reasonable cybersecurity?
• In re Target Data Security Breach Litigation (Financial Institutions)
(Dec. 2, 2014)
• Companies have a duty to be reasonably informed and take
reasonable measures to protect against cybersecurity risks.
• It’s the diligence, not the breach, that counts.
• The court found duties to
• Reasonably protect others’ data
• Not disable security devices (i.e., if have it, use it)
• Respond when alerted of an attack

Cyber Risk Factors
Does your company have reasonable cybersecurity and are
your privacy policies accurate?
• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
• The FTC has authority to regulate cybersecurity under the unfairness prong
of § 45(a) of the FTC Act.
• Companies have fair notice that their specific cybersecurity practices could
fall short of that provision.
• 3 breaches / 619,000 records / $10.6 million in fraud
• Rudimentary practices v. 2007 guidebook
• Website Privacy Policy misrepresentations

Cyber Risk Factors
Does your company have adequate internal network
controls?
• F.T.C. v. LabMD (July 2016 FTC Commission Order)
• LabMD had 1 employee using LimeWire, Tiversa obtained file with PHI
information and provided to the FTC.
• “LabMD’s data security practices constitute an unfair act or practice within
the meaning of Section 5 of the FTC Act. We enter an order requiring that
LabMD notify affected consumers, establish a comprehensive information
security program reasonably designed to protect the security and
confidentiality of the personal consumer information in its possession, and
obtain independent assessments regarding its implementation of the
program.”

Cyber Risk Factors
Does your company have written policies and procedures
focused on cybersecurity and data privacy?
• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept.
22, 2015).
• “R.T. Jones failed to adopt written policies and procedures reasonably
designed to safeguard customer information.”
• R.T. Jones violated the Securities Act’s “Safeguards Rule”
• 100,000 records vulnerable; no reports of actual harm
• $75,000 penalty
• Cease and desist having any future violations

Cyber Risk Factors
Does your company have a written cybersecurity incident
response plan?
• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept.
22, 2015).
• Firms “need to anticipate potential cybersecurity events and have clear
procedures in place rather than waiting to react once a breach occurs.”

Response Process
• Goal is to execute IRP
• This is check list, not
an IRP
• How detailed?
• Tabletop exercises
Download here:
www.shawnetuma.com
@shawnetuma

Cyber Risk Factors
Does your company take adequate steps to ensure data is
protected with third-parties in the supply chain?
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014).
• FTC’s Order requires business to follow 3 steps when working with third-
party service providers:
• Investigate before hiring data service providers
• Obligate data service providers to adhere to the appropriate level of data
security protections
• Verify that the data service providers are complying with obligations
(contracts)

Cyber Risk Factors
How mature is your cyber risk management program?
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014).
“GMR Transcription Services, Inc. . . . Shall . . . establish and implement,
and thereafter maintain, a comprehensive information security program
that is reasonably designed to protect the security, confidentiality, and
integrity of personal information collected from or about consumers. Such
program, the content and implementation of which must be fully
documented in writing, shall contain administrative, technical, and physical
safeguards appropriate to respondents’ or the business entity’s size and
complexity, the nature and scope of respondents’ or the business entity’s
activities, and the sensitivity of the personal information collected from or
about consumers”

Cyber Risk Factors
How familiar are you with the cybersecurity and privacy
obligations in your company’s contracts?
• ACC Outside Counsel Guidelines
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data Privacy;
Cybersecurity; Privacy; Information Security
• Common features:
• Defines subject “Data” being protected in categories
• Describes acceptable and prohibited uses for Data
• Describes standards for protecting Data
• Describes obligations and responsibility for breach of Data
• Requires binding third-parties to similar provisions
• Audit!

Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity
oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10,
2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
• Derivative claims premised on the harm to the company from data breach.
• Caremark Claims:
 Premised on lack of oversight = breach of the duty of loyalty and good faith
 Cannot insulate the officers and directors = PERSONAL LIABILITY!
 Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.
• $350 million discount
• Share in liabilities

• Is your company in the financial or insurance
industry and doing business in NewYork?
• Is it in such a company’s supply chain?

The Game Changer?
New York Department of Financial Services Cybersecurity
Requirements for Financial Services Companies + [fill in]
• All NY “financial institutions” + third party service providers
• Third party service providers – examine, obligate, audit
• Establish Cybersecurity Program (w/ specifics)
• Logging, Data Classification, IDS, IPS
• Pen Testing, Vulnerability Assessments, Risk Assessment
• Encryption, Access Controls
• Adopt Cybersecurity Policies
• Designate qualified CISO to be responsible
• Adequate cybersecurity personnel and intelligence
• Personnel Policies & Procedures, Training, Written IRP
• Board or Senior Officer Certify Compliance

Free Webinar: 5/23/17 @shawnetuma

EU General Data Protection Regulation (GDPR)
• EU’s view on privacy vis-à-vis US
• GDPR - regulations for treatment of data in EU and for EU citizens
• Safe Harbor - allowed US companies to voluntarily agree
• Snowden (and others) killed Safe Harbor!
• Privacy Shield is the new answer – now in question
• Use Model Clauses
• GDPR Key Points (Article 29 Working Party – WP29)
• Implementation Date: May 25, 2018
• Fines: higher of € 20 million or 4% global annual turnover (gross)
• Data protection and breach notice requirements
• Data portability

Breach! Immediate Priorities
• Leadership!
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought &
rational behavior

Data Breach Response
Is the cyber event an incident or a breach?
 Event: any occurrence.
 Incident: an event that actually or potentially jeopardizes
the confidentiality, integrity, or availability of the system,
data, policies, or practices.
 Breach: actual loss of control, compromise, unauthorized
disclosure, acquisition or access of data.
 Ransomware? Encryption safe harbor?

The difference between reporting, disclosing, notifying?
 Used interchangeably, not official – just used for clarity.
 Reporting: to report a crime to law enforcement.
OPTIONAL, MAYBE.
 Disclosing: to disclose (notify) to a state or federal
regulator of a data breach. NOT OPTIONAL.
 Notification: to notify the data subjects of a data breach.
NOT OPTIONAL.

Breach Notification Laws
No national breach notification law
Laws governing types of data and industry (HIPAA, GLB, etc)
47 States w/ laws + DC, PR, VI (≠ AL & SD)
 Data subjects’ residence determines + state doing bus.
 Some consistency but some not (e.g., MA & CA)
See Guide to Reporting Cybersecurity Incidents to Law Enforcement and
Governmental Agencies, https://shawnetuma.com/cyber-law-resources/guide-
reporting-cybersecurity-incidents-law-enforcement-governmental-regulatory-agencies/

Texas Breach Notification Law
 Breach of System Security: “unauthorized acquisition ...
compromises the security, confidentiality, or integrity of” SPI.
 Employee leaving with customer data?
 Applies to anyone doing business in Texas.
 Notify any individual whose SPI “was, or is reasonably believed to
have been, acquired by an unauthorized person.”
 When: “as quickly as possible” but allows for LE delay
 Penalty: $100 per individual per day for delayed time, not to
exceed $250,000 for a single breach (AG / no civil remedy)

“You don’t drown by
falling in the water;
You drown by staying
there.” – Edwin Louis Cole

• Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, NorthTexas Cyber Forensics Lab
• Policy Council, NationalTechnology Security Coalition
• CybersecurityTask Force, IntelligentTransportation Society of America
• Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science &Technology
Committee of the American Bar Association
• NorthTexas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Board of Advisors Office of CISO, Optiv Security
ShawnTuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com

Cybersecurity and Privacy for In-House Counsel: How the New Regulations and Guidelines Impact Your Company

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cybersecurity and Privacy for In-House Counsel: How the New Regulations and Guidelines Impact Your Company

Similar to Cybersecurity and Privacy for In-House Counsel: How the New Regulations and Guidelines Impact Your Company (20)

More from Shawn Tuma

More from Shawn Tuma (20)

Recently uploaded

Recently uploaded (20)

Cybersecurity and Privacy for In-House Counsel: How the New Regulations and Guidelines Impact Your Company