The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great a threat as regulatory enforcement by agencies such as the FTC and SEC, or shareholder derivative claims asserting officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses face of becoming the victim of a cybersecurity or data loss incident, and by examining the nature of such incidents and the crisis environment they create. Because of that crisis environment, it then addresses the need for leadership in keeping the parties calm and rational and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
www.solidcounsel.com
Legal Obligations
International Laws: Safe Harbor; Privacy Shield
Federal Laws & Regs: HIPAA, GLBA, FERPA; FTC, FCC, SEC
State Laws: 47 states have breach notification statutes (all but Ala., N.M., and S.D.); Fla. requires notice within 30 days; OH & VT within 45 days
Industry Groups: PCI, FINRA, etc.
Contracts: Vendors & Suppliers; Business Partners; Data Security Addendum
ACC Study (Sept. '15): What concerns keep Chief Legal Officers awake at night?
#2 = Data Breaches
82% consider them somewhat, very, or extremely important
Cost of a Data Breach – US (Ponemon Institute Cost of Data Breach Studies)
2013 Cost
• $188 per record
• $5.4 million total average cost paid by organizations
2014 Cost
• $201 per record
• $5.9 million total average cost paid by organizations
2015 Cost
• $217 per record
• $6.5 million total average cost paid by organizations
Responding: Execute Response Plan
Contact attorney (preserves privilege; attorney acts as first responder)
Alert and assemble Response Team
Notify insurance carrier
Contact forensics
Begin PR messaging
Contact notification vendor
Notify business partners
Investigate breach
Remediate the vulnerabilities responsible for the breach
Reporting & notification
How Fast?
• 45 days (most states)
• 30 days (some states)
• 3 days (federal contracts)
• 2 days (business expectation)
• Immediately (some contracts)
Litigation: Business / Real Harm
Standing has not been an issue in cases where the harm is readily ascertainable: "Target does not challenge Plaintiffs' allegations with respect to the elements of causation and damages." In re Target Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D. Minn. 2014) (Financial Institutions Litigation).
Litigation: Where's the Harm?
"Peters has not made the requisite demonstration of injury, traceability and redressability for her alleged injuries." Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015).
"At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).
"Whalen has not alleged that she suffered any unreimbursed charges. To the contrary, she asserts only that her credit card was 'physically presented for payment in Ecuador.' There are no allegations that Whalen was required to pay the charges made in Ecuador." Whalen v. Michael Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015).
Where the data breach affected more than 1,000 retail stores and occurred nearly one and a half years earlier, yet there was only one isolated instance of an unauthorized charge, any data misuse was not fairly traceable to the data breach. In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016).
"[A]llegations of a concrete and imminent threat of future harm are enough to establish an injury and standing in the early stages of a data breach suit." In re Anthem Data Breach Litigation, 2016 WL 589760, *25 (N.D. Cal. Feb. 14, 2016).
Regulatory & Administrative – SEC
S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
"Firms must adopt written policies to protect their clients' private information"
"they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."
Found to have violated the "Safeguards Rule"
Approximately 100,000 individuals' records exposed (no reports of harm)
$75,000 penalty
Regulatory & Administrative – FTC
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). The FTC's Order requires the business to follow 3 steps when contracting with third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections.
3. Verify that the data service providers are complying with their (contractual) obligations.
Regulatory & Administrative – FTC
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. Aug. 24, 2015).
The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act.
Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
3 breaches / 619,000 records / $10.6 million in fraud
Rudimentary security practices, measured against the FTC's 2007 guidebook
Website privacy policy misrepresentations
Confirms FTC jurisdiction, but does it set a standard?
Officer & Director Liability
"[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril." SEC Commissioner Luis A. Aguilar, June 10, 2014.
Derivative claims premised on the harm to the company from a data breach: Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham.
Caremark Claims:
Premised on lack of oversight = breach of the duty of loyalty and good faith
Cannot insulate the officers and directors = PERSONAL LIABILITY!
Standard:
(1) "utterly failed" to implement any reporting system or controls; or
(2) having implemented such a system, "consciously failed" to monitor or oversee it.
Officer & Director Liability
Palkon v. Holmes, 2014 WL 5341880, *5-6 (D.N.J. Oct. 20, 2014).
Derivative action for failing to ensure Wyndham implemented adequate security policies and procedures.
Order Dismissing: The board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.
A well-documented history of diligence showed the Board:
Discussed cybersecurity risks, company security policies and proposed enhancements in 14 quarterly meetings; and
Implemented some of those cybersecurity measures.
You will be breached. Will you be liable?
It's not the breach; it's your diligence that matters most.
Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.
The cycle of diligence:
• Cyber Risk Assessment
• Strategic Planning
• Deploy Defense Assets
• Develop, Implement & Train on Policies & Procedures
• Tabletop Testing
• Reassess & Refine
Shawn Tuma, Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com
This information is provided for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the US.
Texas SuperLawyers 2015 (IP Litigation)
Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
Council, Computer & Technology Section, State Bar of Texas
Chair, Civil Litigation & Appellate Section, Collin County Bar Association
College of the State Bar of Texas
Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Information Systems Security Association (ISSA)
Board of Advisors, Optiv Security
Contributor, Norse DarkMatters Security Blog
Editor, Business Cyber Risk Law Blog
What is it Worth to You?