Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss

ShawnTuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com
This information provided is
for educational purposes only,
does not constitute legal
advice, and no attorney-client
relationship is created by this
presentation.
ShawnTuma is a business lawyer with an internationally recognized
reputation in cybersecurity, computer fraud and data privacy law. He is a
Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-
service commercial law firm inTexas that represents businesses of all
sizes throughout the United States and around the world.
 Board of Advisors, NorthTexas Cyber Forensics Lab
 Board of Directors & General Counsel, Cyber Future Foundation
 Cybersecurity LawTrailblazer, National Law Journal
 Texas SuperLawyers 2015-17 (IP Litigation)
 Best Lawyers in Dallas 2014-17, D Magazine (Digital Information Law)
 Council, Computer &Technology Section, State Bar ofTexas
 College of the State Bar ofTexas
 Privacy and Data Security Committee, Litigation, Intellectual
Property Law, and Business Sections of the State Bar ofTexas
 Information Security Committee of the Section on Science &
Technology Committee of the American Bar Association
 NorthTexas Crime Commission,Cybercrime Committee
 Infragard (FBI)
 International Association of Privacy Professionals (IAPP)
 Information Systems Security Association (ISSA)
 Board of Advisors, Optiv Security
 Editor, Business Cybersecurity Business Law Blog
www.shawnetuma.com

www.solidcounsel.com
“Security and IT protect companies’ data;
Legal protects companies from their data.”
-Shawn E. Tuma

KEEP CALM
I’M A
FIRST
RESPONDER

Immediate Priorities
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational
thought & behavior

Who are targets?
Key Point: We are all targets
 Your clients’ businesses
 Your law firms
 Big firms (give examples)
 James Shelton Example
 Rural Texas solo practitioner
 Employee left, didn’t change password or disable acct
 Hackers accessed, spoofed email, sent “pleadings” all over,
including other countries

Privilege / Work Product
KEY POINT: Attorney’s may have privilege
“Target has demonstrated . . . that the work of the
Data Breach Task Force was focused not on
remediation of the breach . . . but on informing
Target’s in-house and outside counsel about the
breach so that Target’s attorneys could provide
the company with legal advice and prepare to
defend the company in litigation that was already
pending and was reasonably expected to follow.”
In re Target Corp. Customer Data Breach
Litigation

ACC Study (Sept ‘15)
What concerns keep
Chief Legal Officers
awake at night?
#2 = Data Breaches
82% consider as
somewhat, very, or
extremely important

Cost of a Data Breach – US
2013 Cost
• $188.00 per record
• $5.4 million = total average cost paid by organizations
2014 Cost
• $201 per record
2015 Cost
• $217 per record
(Ponemon Institute Cost of Data Breach Studies)

Legal Obligations
 International Laws
 Safe Harbor
 Privacy Shield
 Federal Laws & Regs
 HIPAA, GLBA, FERPA
 FTC, FCC, SEC
 State Laws
 47 states (Ala, NM, SD)
 Fla (w/in 30 days)
 OH & VT (45 days)
 Industry Groups
 PCI, FINRA, etc.
 Contracts
 Vendors & Suppliers
 Business Partners
 Data Security Addendum

Ancient Cybersecurity
Wisdom
 Water shapes its course
according to the nature of
the ground over which it
flows; the soldier works out
his victory in relation to the
foe whom he is facing.”
 “In all fighting the direct
method may be used for
joining battle, but indirect
methods will be needed to
secure victory.”

“An ounce of prevention is cheaper than
the first day of litigation.”

Consumer Litigation
Peters v. St. Joseph Services, 74 F.Supp.3d 847
(S.D. Tex. Feb. 11, 2015)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d
688, 693 (7th Cir. 2015)
Whalen v. Michael Stores Inc., 2015 WL 9462108
(E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc., 2016 WL 81792
(D. Minn. Jan. 7, 2016)
In re Anthem Data Breach Litigation, 2016 WL
589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)

Regulatory & Administrative - FTC
KEY POINT: You must have basic IT security
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24,
2015).
 The FTC has authority to regulate cybersecurity under the
unfairness prong of § 45(a) of the Federal Trade Commission
Act.
 Companies have fair notice that their specific cybersecurity
practices could fall short of that provision.
 3 breaches / 619,000 records / $10.6 million in fraud
 Rudimentary practices v. 2007 guidebook
 Website Privacy Policy misrepresentations
 Jurisdiction v. set standard?

The Basics
“Some people try
to find things in
this game that
don’t exist but
football is only two
things – blocking
and tackling.”
-Lombardi

The Basics
Best Practices
 Documented
 Basic IT Security
 Basic Physical Security
 Security Focused P&P
 Company
 Workforce
 Network
 Website / Privacy / TOS
 Business Associates
 Social Engineering
 Implementation
 Training

Regulatory & Administrative – FTC
KEY POINT: You must evaluate business partners’ security
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14,
2014). FTC’s Order requires business to follow 3 steps when
contracting with third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the
appropriate level of data security protections.
3. Verify that the data service providers are complying with
obligations (contracts).

Addendum to Business Contracts
KEY POINT: Know your contractual obligations
 Common names for the Addendum:
 Data Security & Privacy; Data Privacy; Cybersecurity; Privacy;
Information Security.
 Common features
 Defines subject “Data” being protected in categories.
 Describes acceptable and prohibited uses for Data.
 Describes standards for protecting Data.
 Describes requirements for deleting Data.
 Describes obligations if a breach of Data.
 Allocates responsibility if a breach of Data.
 Requires binding third parties to similar provisions.

Regulatory & Administrative – SEC
KEY POINT: You must have written (1) Policies &
Procedures and (2) Incident Response Plan
S.E.C. v. R.T. Jones Capital Equities Management, Consent
Order (Sept. 22, 2015).
 “Firms must adopt written policies to protect their clients’
private information”
 “they need to anticipate potential cybersecurity events
and
 have clear procedures in place rather than waiting to
react once a breach occurs.”
 violated this “safeguards rule
 100,000 records (no reports of harm)
 $75,000 penalty

Responding: Execute Response Plan
This is only a
checklist – not a
Response Plan

How Fast?
• 45 days (most states)
• 30 days (some states)
• 3 days (fed contracts)
• 2 days (bus expectation)
• Immediately (contracts)

Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize,
the importance of cybersecurity oversight responsibility,
do so at their own peril.” SEC Commissioner Luis A. Aguilar, June
10, 2014.
 Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
 Derivative claims premised on the harm to the company from data breach.
 Caremark Claims:
 Premised on lack of oversight = breach of the duty of loyalty and good faith
 Cannot insulate the officers and directors = PERSONAL LIABILITY!
 Standard:
 (1) “utterly failed” to implement reporting system or controls; or
 (2) “consciously failed” to monitor or oversee system.

Officer & Director Liability
Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20,
2014).
 Derivative action for failing to ensure Wyndham implemented
adequate security policies and procedures.
 Order Dismissing: The board satisfied the business judgement rule
by staying reasonably informed of the cybersecurity risks and
exercising appropriate oversight in the face of the known risks.
 Well-documented history of diligence showed Board
 Discussed cybersecurity risks, company security policies and
proposed enhancements in 14 quarterly meetings; and
 Implemented some of those cybersecurity measures.

Cyber Insurance – Key Questions
 Even know if you have it?
 What period does the
policy cover?
 Are Officers & Directors
Covered?
 Cover 3rd Party Caused
Events?
 Social Engineering
coverage?
 Cover insiders intentional
acts (vs. negligent)
 Contractual liability?
 What is the triggering
event?
 What types of data are
covered?
 What kind of incidents are
covered?
 Acts of war?
 Required carrier list for
attorneys & experts?
 Other similar risks?

Virtually all companies will be
breached.Will they be liable?
It’s not the breach; it’s their diligence
and response that matter most.
Companies have a duty to be
reasonably informed of and take
reasonable measures to protect
against cybersecurity risks.

Cyber Risk
Assessment
Strategic
Planning
Deploy
Defense
Assets
Develop,
Implement
&Train on
P&P
Tabletop
Testing
Reassess &
Refine
Cybersecurity Risk
Management Program

3 Must-Haves for Every Organization
1. Basic IT Security
2. Written Policies & Procedures
3. Written Incident Response Plan
***Document3***

“You don’t drown by falling in the water;
You drown by staying there.”

Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss

Similar to Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss (20)

More from Shawn Tuma

More from Shawn Tuma (20)

Recently uploaded

Recently uploaded (20)

Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss