Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- Joint Meeting of ISACA and IIA for North Texas

Shawn Tuma
Attorney, Cybersecurity &
Data Privacy
@shawnetumawww.solidcounsel.com

www.solidcounsel.com
• Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, University of NorthTexas Cyber Forensics Lab
• Cybersecurity & Data Privacy LawTrailblazers, National LawJournal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors, CollinCounty Bench Bar Foundation
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science &Technology
Committee of the American Bar Association
• NorthTexas Crime Commission, Cybercrime Committee
• Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Board of Advisors Office of CISO, Optiv Security
• Editor, Business Cybersecurity Business Law Blog
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com

KEY POINT: Attorney’s may have privilege
“Target has demonstrated . . . that the work of the Data Breach
Task Force was focused not on remediation of the breach . . .
but on informing Target’s in-house and outside counsel about
the breach so that Target’s attorneys could provide the company
with legal advice and prepare to defend the company in litigation
that was already pending and was reasonably expected to
follow.”
In re Target Corp. Customer Data Breach Litigation
A.C. Privilege / Work Product

“Security and IT protect companies’ data;
Legal protects companies from their data.”

Cause for Concern
• 62% of Cyber Attacks → SMBs
• Odds: Security @100% v. Hacker @1
• ACC Study (9/15) = #2 Concern
Keeping CLO’s awake at night
• Dyn & IoT?

Cost of a Data Breach – US (Ponemon Inst.)
2013 Cost
• $188 per record
• $5.4 million = total avg. cost paid by organizations
2014 Cost
 $201 per record
 $5.9 million = total avg. cost paid by organizations
2015 Cost
 $217 per record
 $6.5 million = total avg. cost paid by organizations

Legal Obligations
 International Laws
 Safe Harbor
 Privacy Shield
 Federal Laws & Regs.
 HIPAA, GLBA, FERPA
 FTC, FCC, SEC
 State Laws
 47 states (AL, NM, SD)
 Industry Groups
 PCI, FINRA, etc.
 Contracts
 3rd Party Bus. Assoc.
 Data Security Addendum

The Turning Point
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily preventable
• 90% in 2014
• 91% in 2015

Start with the Basics
“Some people try to find
things in this game that don’t
exist but football is only two
things – blocking and
tackling.”
-Vince Lombardi

Prepare Personnel
• Culture of security
• Policies and procedures
• Systems and controls
• Education and training
• Goal: teach people to think,
recognize, and resist

Breach! Immediate Priorities
• Leadership!
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational thought &
rational behavior

Data Breach Foundations
Is the cyber event an incident or a breach?
 Event: any occurrence.
 Incident: an event that actually or potentially jeopardizes
the confidentiality, integrity, or availability of the system,
data, policies, or practices.
 Breach: actual loss of control, compromise, unauthorized
disclosure, acquisition or access of data.
 Ransomware? Encryption safe harbor?

Is the cyber event caused by criminal or negligent actions?
 Hacker stealing IP from network.
 Employee misplaces unencrypted USB drive with PII.
 Focus on the action – why was it done?
 Report criminal events to law enforcement, not usually
with negligent.

The difference between reporting, disclosing, notifying?
 Used interchangeably, not official – just used for clarity.
 Reporting: to report a crime to law enforcement.
OPTIONAL, MAYBE.
 Disclosing: to disclose (notify) to a state or federal
regulator of a data breach. NOT OPTIONAL.
 Notification: to notify the data subjects of a data breach.
NOT OPTIONAL.

“An ounce of prevention is cheaper than
the first day of litigation.”

Peters v. St. Joseph Services (S.D. Tex. 2015)
Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015)
Whalen v. Michael Stores Inc. (E.D.N.Y. 2015)
In re SuperValu, Inc. (D. Minn. 2016)
Anthem Data Breach Litigation (N.D. Cal. 2016) (Koh)
Data Breach Litigation Battleship
Spokeo v. Robins, 136 S.Ct. 1540 (2016)
Tangible or intangible harm but concrete & particularized
Lewert v. P.F. Chang’s China Bistro Inc. (7th Cir. 2016)
Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016)

Recent Legal Developments
Takeaway: Standard is reasonableness.
• In re Target Data Security Breach Litigation (Financial
Institutions) (Dec. 2, 2014)
• Companies have a duty to be reasonably informed and take
reasonable measures to protect against cybersecurity risks.
• It’s the diligence, not the breach, that counts.
• The court found duties to
• Reasonably protect others’ data
• Not disable security devices (i.e., if have it, use it)
• Respond when alerted of an attack

Takeaway: Must have basic IT security.
• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug.
24, 2015).
• The FTC has authority to regulate cybersecurity under the
unfairness prong of § 45(a) of the FTC Act.
• Companies have fair notice that their specific cybersecurity
practices could fall short of that provision.
• 3 breaches / 619,000 records / $10.6 million in fraud
• Rudimentary practices v. 2007 guidebook
• Website Privacy Policy misrepresentations

Takeaway: Must have internal network controls.
• F.T.C. v. LabMD (July 2016 FTC Commission Order)
• LabMD had 1 employee using LimeWire, Tiversa obtained file
with PHI information and provided to the FTC.
• “LabMD’s data security practices constitute an unfair act or
practice within the meaning of Section 5 of the FTC Act. We
enter an order requiring that LabMD notify affected consumers,
establish a comprehensive information security program
reasonably designed to protect the security and confidentiality of
the personal consumer information in its possession, and obtain
independent assessments regarding its implementation of the
program.”

Takeaway: Must have written policies & procedures.
• S.E.C. v. R.T. Jones Capital Equities Management, Consent
Order (Sept. 22, 2015).
• “R.T. Jones failed to adopt written policies and procedures
reasonably designed to safeguard customer information.”
• R.T. Jones violated the Securities Act’s “Safeguards Rule”
• 100,000 records vulnerable; no reports of actual harm
• $75,000 penalty
• Cease and desist having any future violations

Takeaway: Must have written incident
response plan.
• S.E.C. v. R.T. Jones Capital Equities Management,
Consent Order (Sept. 22, 2015).
• Firms “need to anticipate potential cybersecurity events
and have clear procedures in place rather than waiting to
react once a breach occurs.”

Response Process
• Goal is to execute IRP
• This is check list, not
an IRP
• How detailed?
• Tabletop exercises
Download here:
www.shawnetuma.com
@shawnetuma

How quick to respond?
• 45 days (most states)
• 30 days (some states)
• 3 days (fed contracts)
• 2 days (business expectation)
• Immediately (contracts)

Takeaway: Must evaluate third-parties’ security.
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14,
2014).
• FTC’s Order requires business to follow 3 steps when working
with third-party service providers:
• Investigate before hiring data service providers
• Obligate data service providers to adhere to the appropriate
level of data security protections
• Verify (AUDIT!) that the data service providers are complying
with obligations (contracts)

Takeaway: Know your contractual obligations.
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data
Privacy; Cybersecurity; Privacy; Information Security
• Common features:
• Defines subject “Data” being protected in categories
• Describes acceptable and prohibited uses for Data
• Describes standards for protecting Data
• Describes obligations and responsibility for breach of Data
• Requires binding third-parties to similar provisions

Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity
oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10,
2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
• Derivative claims premised on the harm to the company from data breach.
• Caremark Claims:
 Premised on lack of oversight = breach of the duty of loyalty and good faith
 Cannot insulate the officers and directors = PERSONAL LIABILITY!
 Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.

Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity
oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10,
2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
• Derivative claims premised on the harm to the company from data breach.
• Caremark Claims:
 Premised on lack of oversight = breach of the duty of loyalty and good faith
 Cannot insulate the officers and directors = PERSONAL LIABILITY!
 Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.
$4.8 Billion
Deal?

Cyber Insurance – Key Questions
• Even know if you have it?
• What period does the policy cover?
• Are Officers & Directors Covered?
• Cover 3rd Party Caused Events?
• Social Engineering coverage?
• Cover insiders intentional acts (vs.
negligent)
• Contractual liability?
• What is the triggering event?
• What types of data are covered?
• What kind of incidents are covered?
• Acts of war?
• Required carrier list for attorneys &
experts?
• Other similar risks?

The Game Changer?
New York Department of Financial Services Cybersecurity
Requirements for Financial Services Companies + [fill in]
• All NY “financial institutions” + third party service providers
• Third party service providers – examine, obligate, audit
• Establish Cybersecurity Program (w/ specifics)
• Logging, Data Classification, IDS, IPS
• Pen Testing, Vulnerability Assessments, Risk Assessment
• Encryption, Access Controls
• Adopt Cybersecurity Policies
• Designate qualified CISO to be responsible
• Adequate cybersecurity personnel and intelligence
• Personnel Policies & Procedures, Training, Written IRP
• Board or Senior Officer Certify Compliance

Virtually all companies will be breached.Will
they be liable?
It’s not the breach; it’s their diligence and
response that matters most.
Companies have a duty to be reasonably
informed of and take reasonable measures to
protect against cybersecurity risks.

Cyber Risk
Assessment
Strategic
Planning
Deploy
Defense
Assets
Develop,
Implement
&Train on
P&P
Tabletop
Testing
Reassess &
Refine
Cybersecurity Risk
Management Program

“You don’t drown by
falling in the water;
You drown by staying
there.”

In-house Legal Counsel?
shawn.tuma@solidcounsel.com

Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- Joint Meeting of ISACA and IIA for North Texas

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- Joint Meeting of ISACA and IIA for North Texas

Similar to Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- Joint Meeting of ISACA and IIA for North Texas (20)

More from Shawn Tuma

More from Shawn Tuma (20)

Recently uploaded

Recently uploaded (20)

Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- Joint Meeting of ISACA and IIA for North Texas