The document summarizes legal issues related to data privacy and security breaches. It discusses (1) the relevant cost-benefit analysis that courts consider for data security, (2) examples of court orders regarding document productions and computer forensics in litigation, and (3) that parties are responsible for errors made by their vendors. The document then provides an agenda on legal issues in data privacy and security, including anticipating threats, incident response, and applying relevant laws and frameworks.
The document provides an overview of cyber insurance and how it can help small to mid-sized businesses manage the risks and costs associated with a data breach or cyber attack. It discusses the common costs of a breach, the need to assess risks and define an incident response plan, and how cyber insurance can help cover expenses, provide expert guidance and services, and help businesses stay operational after a breach.
New York Department of Financial Services Cybersecurity Regulations (Shawn Tuma)
Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James
In an initiative to protect New York’s financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that will protect both customers’ private data and the technology that supports this. The impact stretches down through the supply chain, as any organization that conducts business with the NYC financial services sector has to adopt the same level of data protection.
Watch this webcast to learn:
The key requirements of the NYC Cyber security regulation
How compliance is about process first, then people and technology
What organizations need to be doing to ensure they comply
How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500)
New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York will face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). This regulation will apply to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 has been effective as of March 1st 2017, although firms have 180 days from this introduction date to change internal systems in order to meet the new compliance and regulation standards. This fact sheet outlines:
23 NYCRR 500 overview
Key dates for covered entities
Key tasks for compliance
How Boldon James can help
Cyber insurance provides coverage for losses from cyber incidents and security breaches. It helps manage cyber risks through risk sharing. However, the cyber insurance market is still immature with global losses from cyber incidents exceeding the total cyber insurance market. Key challenges include asymmetric information between insurers and clients, interdependent and correlated cyber risks, and limited reinsurance capacity due to lack of claims data and potential for simultaneous global attacks.
This document summarizes an article from The Corporate Governance Advisor on tools for boards to oversee cybersecurity risk. It discusses the business impacts and litigation/regulatory risks of cyber attacks. It outlines how boards have an oversight duty to ensure proper information and reporting systems exist to manage cybersecurity risk. The document provides examples of cybersecurity disclosure from companies like Target and Home Depot. It discusses SEC guidance on cybersecurity disclosure and notes boards must exercise oversight in good faith to avoid liability for failures.
This presentation examines to what extent cyber-insurance can be a useful tool to manage the risks and harms caused by massive cyber-attacks from the national, as opposed to enterprise, standpoint,
Managing and insuring cyber risk - coverage of insurance policies (IISPEastMids)
This document provides an overview of typical cyber insurance policy coverage, including available first party losses coverage for breach costs, business interruption, hacker damage, and cyber extortion. It also discusses third party liability coverage for privacy claims, investigations, and media liability. Common pitfalls are outlined, such as precautions against loss, employee dishonesty exclusions, issues with third party suppliers, and jurisdictional limits. The summary emphasizes that cyber policies can vary and understanding the specific risks to your business and the details of coverage is important, advising the reader to seek advice when purchasing a policy.
The document provides an overview of the Department of Homeland Security's Science and Technology Directorate (S&T). Key points include:
- S&T is one of 10 DHS components that provides technical and analytical support to DHS and the homeland security enterprise. It has around 1,200 personnel and accounts for about 1.2% of the DHS budget.
- S&T focuses on six primary areas: first responders, borders and maritime, cyber, chemical/biological defense, explosives, and resilience. It operates five internal laboratories and works with DOE laboratories and federally funded research centers.
- S&T supports the DHS mission through operationally focused research and development,
1) The document discusses cyber security laws, regulations, and trends related to critical infrastructure protection. It covers Presidential Executive Orders on cyber security of critical infrastructure, key federal cyber security laws, and Department of Defense guidance documents.
2) It also discusses system cyber defense resilience architectures, including the National Institute of Standards and Technology cybersecurity framework and risk management process.
3) Finally, it addresses lifecycle systems cyber resiliency architecting, including principles, techniques, attack mechanisms, and metrics for measuring cyber resilience.
Shaping Your Future in Banking Cybersecurity (Dawn Yankeelov)
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le... (Casey Ellis)
This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including:
1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency.
2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully.
3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management
2013-11 Growing Trend of Finding Regulatory and Tort ... (Raleigh ISSA)
Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches”
with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
This document provides an overview of the costs associated with data breaches. It begins by introducing the speakers and the agenda. It then discusses what constitutes a data breach and the types of data that may be exposed, such as PII, PHI, intellectual property, and financial information. The document outlines direct and indirect costs of breaches, including response costs, lost productivity, fines, and reputation damage. It provides estimates of costs from studies and actual breaches, which range from hundreds of thousands to over $170 million depending on the size and type of breach. Patterns in breach cost data are discussed. The document aims to help organizations understand and plan for the potential financial impact of a data security incident.
This document discusses the emerging risks of data security and cyber liability. It notes that virtually every business handles sensitive data and can face risks from data breaches or cyber attacks. The costs of a small data breach involving 1,000 records is estimated at $210,000 on average. It also notes that 40% of small businesses with less than 500 employees have experienced a data breach. Data security and cyber liability risks can result in both first-party losses for a company as well as third-party liabilities.
An analysis and discussion of the many factors to be considered when talking about data breaches.
What is a breach?
What are data?
What costs are we talking about?
Whose costs are we talking about?
How do we estimate costs / impact?
How do we measure / estimate frequency?
Presented at Source Boston, April 18, 2012, Boston, MA
The document discusses a proposal to allow private companies to conduct cyber retaliation against foreign attackers. It summarizes the key challenges with this approach, including: [1] It is difficult to accurately identify attackers due to use of compromised systems. [2] Most companies lack the expertise and resources to conduct effective counterattacks. [3] Allowing private retaliation could escalate tensions and cause international incidents. While improved cyber defense is needed, alternative approaches may be better than outsourcing retaliation to private companies.
“Cyber Liability & Cyber Insurance” - A discussion on best practices around Prevention, Detection, and Response!
Sponsored by Datto and Webster Bank
Series brought to you by the Connecticut Technology Council.
____________
TOPIC FOCUS:
1. Evolution and acceptance of Cybersecurity insurance
   a. Understanding risk & effect on businesses
      i. Used to be major brands, now widespread.
      ii. Risk recognized, business leaders looking to minimize risk
   b. Describing changes in cybersecurity insurance: how coverages have evolved - not just for the biggest companies
      i. Insurers are working with (tech) companies to get it right
      ii. Where is it going from here? Trends, specialty insurance
2. Describe insurance types/specifics and how they perform when needed
   a. Not all policies are the same
   b. What to look for
   c. How they vary by type of business (Healthcare vs. Retail vs. Software Co.)
   d. What gaps still remain (What can’t get covered?)
3. How to minimize cost, get most value for your company
   a. Some protections on your current policies
   b. Gating elements - What the insurance companies want to see - how that might help costs
4. Best practices generally
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan... (SafeNet)
This document discusses 4 steps that financial service organizations can take to achieve compliance with data security regulations:
1) Secure data in motion by encrypting network traffic over WANs using high-speed encryption.
2) Protect data at rest by encrypting data on devices using disk and file encryption.
3) Control access using strong authentication solutions.
4) Protect encryption keys using hardware security modules to ensure data integrity.
Implementing encryption technologies across these four areas provides comprehensive protection of data assets and facilitates secure access, helping organizations comply with various data security laws.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... (Don Grauel)
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov (Eric Vanderburg)
This document discusses cybersecurity threats facing accounting firms and their clients. It provides examples of major data breaches in recent years that impacted millions of customer accounts. While many firms believe they are protected, the document cites statistics showing that most have no formal cybersecurity or internet use policies. It also discusses new regulations and standards, like the HIPAA Omnibus Rules and a recent Executive Order, that require firms to improve their cybersecurity practices to safeguard sensitive data. The role of a Virtual Chief Security Officer is introduced to help firms address these growing risks and compliance requirements.
Cyber Liability - Insurance Risk Management and Preparation (Eric Reehl)
See how Adaptive Solutions is delivering leading cyber risk management solutions through its strategic alliance with Willis Towers Watson and Darklight Technologies.
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
- Ways contractors can prepare for these changes.
To view the webinar, visit:
Cyber security for manufacturers umuc cadf-ron mcfarland (Highervista)
1. The document discusses implications of cybersecurity for small and medium manufacturers, including risk management and compliance requirements.
2. It covers topics like being compliant with certifications but still being breached, cybersecurity for industrial control systems, and Department of Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
3. The document provides an overview of various laws and standards around data security, including the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), and Family Educational Rights and Privacy Act (FERPA).
Crossing the streams: How security professionals can leverage the NZ Privacy ... (Chris Hails)
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss (Shawn Tuma)
Shawn Tuma is a cybersecurity lawyer with expertise in data privacy law. He is a partner at Scheef & Stone LLP, a commercial law firm in Texas. Tuma has extensive experience advising businesses on cybersecurity issues and data breaches. He serves on several boards and committees related to cybersecurity law and policy. The document provides an overview of Tuma's background and experience in cybersecurity law.
This presentation focuses on the rising prominence of insurance considerations, and more particularly on the legal aspects of insurance as it relates to cybersecurity and privacy.
The presentation defines "Cyber and Privacy Insurance” and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions in place, the presentation then gives a snapshot of how the cyber insurance market is maturing, its participants, costs, and related attributes.
Consideration is given to the importance of defined terms before launching into the difficulties that providers and users have in measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate the associated risk/cost analyses and cost structures.
Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together in a cohesive manner.
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...Shawn Tuma
The presentation addresses the evolving standards in cybersecurity law for data breach liability, for companies as well as their officers and directors. The event was sponsored by Above Security and was titled Above Compliance – Navigating the Cybersecurity Landscape in Financial Services.
ACI’s lauded Cyber & Data Risk Insurance conference is the highest-level event that provides maximum opportunities to learn from and network with underwriters, brokers, claims managers and industry leaders, and helps you keep pace with the ever-changing cyber insurance market. It’s also the only conference that brings you regulatory and enforcement priorities straight from the federal and state governments themselves.
Legal Issues Impacting Data Center Owners, Operators & Usersjyates
MMM’s goal is to work with data center owners, operators and users to identify key legal issues and their related claims, and to provide ways to minimize liability.
American Bar Association guidelines on Cyber Security standardsDavid Sweigert
The document is a resolution from the American Bar Association that encourages organizations to develop and maintain cybersecurity programs to protect their data and systems from threats. It recommends that organizations conduct risk assessments, implement security controls based on the risks identified, develop response plans for cyber attacks, and engage in information sharing about cyber threats. The resolution aims to address the growing cybersecurity threats facing both private and public sector organizations and the nation's critical infrastructure systems.
Legal Issues Impacting Data Center Owners, Operators and UsersMMMTechLaw
The document discusses key legal issues facing data center owners, operators, and users, including contracts, tort liability, products liability, regulatory compliance, privacy, security breaches, and post-hacking issues. It summarizes recent court cases involving data breaches and security issues. The document aims to help data centers identify risks and minimize liability through best practices like reviewing insurance policies and compliance with breach notification laws.
This document discusses drafting vendor contracts for data security and privacy issues. It provides examples of common insurance requirements in such contracts and issues that can arise. Key requirements discussed include maintaining cyber liability insurance with minimum per-incident and aggregate limits, and coverage for privacy breaches, notification costs, fines, and business interruption. Common issues are unrealistic limits, unclear specifications, and requirements that are unattainable. The benefit of insurance requirements is financial security, but a pitfall is that the contract is separate from the policy itself, so a contractual requirement does not guarantee that coverage actually exists.
This document discusses emerging legal trends in cyber insurance. It notes that privacy and data security compliance obligations are increasing in the US, Canada, EU and other countries. Proposed legislation in these regions would strengthen data breach notification laws and privacy regulations. The document also summarizes the types of coverage provided by cyber insurance policies, including third-party liability and first-party coverage. It reviews market trends in cyber insurance premiums and who is buying policies. Tips are provided for selecting a policy, such as ensuring adequate limits and sublimits, and watching for consent and panel requirements that could impact claims handling.
Information security involves protecting information from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of data regardless of its form. Key goals include preventing breaches of confidentiality, which could harm businesses or individuals, and ensuring data integrity so that data cannot be modified without authorization. Risk management is the ongoing process of identifying vulnerabilities and deciding on countermeasures that reduce risk to an acceptable level based on the value of the information assets.
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
The document discusses privacy and data protection. It defines privacy as an individual's ability to control how and when personal information is shared with others. It outlines several international agreements that establish privacy as a universal human right. The document also discusses the three dimensions of privacy - personal, territorial, and informational - and basic privacy principles like transparency and purpose limitation.
This document summarizes a presentation on cybersecurity risks, legal frameworks, and insurance. It discusses the spectrum of cyber risks including data breaches, malware attacks, and inadequate security. It outlines relevant state, federal and international privacy laws. It also summarizes strategies to mitigate risk including the NIST cybersecurity framework and outlines potential coverage under existing policies as well as new "cyber" insurance products.
This document summarizes the Summer 2016 edition of Willis Towers Watson's Cyber Claims Brief publication. It discusses potential liability issues that may arise when companies are directed by government authorities to take action or not take action related to a cybersecurity event. It also examines the growing threat of cyber extortion, particularly ransomware attacks, and how companies can help mitigate these threats. Finally, it provides an analysis of the recent EU General Data Protection Regulation and EU-US Privacy Shield agreement.
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfProtected Harbor
Protected Harbor's 2022 Legal Services Data Breach Trend Report is a comprehensive analysis of the evolving cybersecurity landscape in the legal industry. This report offers valuable insights into emerging trends, challenges, and opportunities that legal professionals and firms may encounter in the year ahead. Through in-depth research and expert analysis, it sheds light on the impact of technological advancements, changing regulations, and client expectations on legal services. Stay ahead of the curve with this indispensable guide to the future of legal services.
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
CISA (here the Cybersecurity Information Sharing Act of 2015, not the agency of the same initials) aims to facilitate voluntary cybersecurity information sharing between private and public entities. It establishes procedures for sharing cyber threat indicators and defensive measures through Automated Indicator Sharing, and provides liability protection for entities that share information for permitted cybersecurity purposes. CISA also addresses issues relating to classified, unclassified, and declassified information, as well as antitrust and privacy considerations regarding shared information.
This document discusses considerations for bringing personal devices into the workplace (BYOD). It defines BYOD and explains potential benefits for companies and employees. However, it also outlines ethical, legal and security risks that must be addressed, such as data protection, employee privacy and overtime pay. The document provides guidance for developing strong BYOD policies and advises both employers and employees to carefully manage expectations and responsibilities around personal device use for work.
This document discusses trends in data breach litigation and approaches to practical data protection. It provides an overview of data breach litigation trends, including large settlements companies have faced. It also outlines specific steps companies can take to prevent breaches, such as defining what constitutes a breach, establishing response procedures, forming an incident response team, and tracking incidents. The goal is to help companies understand litigation risks and reduce risks of financial liability from data breaches through proactive data protection measures.
This public policy session on the activities of the Technology Association of Louisville Kentucky (TALK) was presented in June 2022 at the TALK Cyber Security Summit in Louisville, KY.
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021Dawn Yankeelov
Dawn Yankeelov, a cyber policy leader in Kentucky, speaks to the changing landscape for banking cybersecurity policy for a SecuretheVillage workgroup in the Summer of 2021.
A conversation on guidance and liabilities regarding reopening KY with Frost Brown Todd Attorney Victor Beckman and the Technology Association of Louisville KY's Executive Director Dawn Yankeelov.
DHS Cybersecurity Services for Building Cyber ResilienceDawn Yankeelov
DHS Cybersecurity Analyst details the US Department of Homeland Security Services for all businesses to build cyber resilience at the Technology Association of Louisville's CyberSecurity Summit on June 14, 2019.
Cyber Security Threats Facing Small Businesses--June 2019Dawn Yankeelov
This presentation was made by Cloudnexus Founder Jay Rollins at the Technology Association of Louisville Kentucky's Cybersecurity Summit on June 14, 2019.
This presentation was given by Security Analyst Josh Chou from Cybereason on June 14, 2019 at the Technology Association of Louisville Kentucky's Cybersecurity Summit.
Cyber Security Resilience from Metro Louisville Govt. Dawn Yankeelov
Metro Louisville's Chief Security Officer James Meece spoke at the Technology Association of Louisville Kentucky's CyberSecurity Summit 2019 in June on Cyber Resilience.
"How You Can Participate in TALK's KY Cybersecurity Enclave for Regional and National Attack Views & Reporting," Phil Bond, CEO of CyberUSA, with Q&A, including Dawn Yankeelov, Executive Director, TALK.
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Dawn Yankeelov
"Understanding Cyber Industrial Controls in the Manufacturing and Utilities Environment," By Dr. John Naber, Co-Founder & Partner in True Secure SCADA, which is KY-based and holds 2 key patents in this area. This was given at the TALK Cybersecurity Summit 2018 in Louisville, KY.
Kentucky's Cyber Engineering Pathway for Teens By Scott U'SellisDawn Yankeelov
These slides by Scott U'Sellis of the Kentucky Department of Education, Office of Career and Technical Education, were presented at Techfest Louisville 2017 hosted by the Technology Association of Louisville Kentucky.
This presentation was made on PSST's approach to building the company at Techfest Louisville 2017, hosted by the Technology Association of Louisville Kentucky.
Entrepreneur John Wiliamson presented RCM Brain: AI Bots in Healthcare at Techfest Louisville 2017 hosted by TALK, the Technology Association of Louisville Kentucky.
Cybersecurity Trends & Startups by Gula Tech AdventuresDawn Yankeelov
This presentation was made by Cybersecurity Expert and Investor Ron Gula at Techfest Louisville 2017, hosted by TALK, the Technology Association of Louisville Kentucky.
Derek Rush of LBMC Information Security presented at Techfest Louisville 2017, which was hosted by the Technology Association of Louisville Kentucky (TALK).
Blockchain: An Explanation by Frost, Brown & Todd Attorneys Dawn Yankeelov
Blackline Advisory Group ran the panel discussion on Blockchain at the Techfest Louisville 2017 event hosted by TALK, the Technology Association of Louisville Kentucky.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design (1) offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. On a commodity server with a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
In this talk we will discuss DDoS protection tools and best practices, network architectures, and what AWS has to offer. We will also look at one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022, and see what techniques helped keep web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on the Ukraine experience.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. It covers every productivity app included in Office 365, describes the migration scenarios related to Office 365, and explains how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of the presentation for the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on communications and signalling systems on railways, which was held at the Clarion Hotel Olomouc from 7 to 9 November 2023 (konferenceszt.cz). It was attended by around 500 participants and 200 online followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
1. Legal Issues In Data Privacy & Security:
Anticipating, Then Responding To The Breach
Robert W. Dibert
Connie Wilkinson-Tobbe
Lindsay P. Graves
Alison P. Howard
June 14, 2018
Views expressed in these materials are those of the authors individually, and do not constitute legal or any other formal advice.
Presentation for the Technology Assoc. of Louisville Kentucky, Cybersecurity Summit
2. 2
“the relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” FTC v. Wyndham Worldwide Corp., No. 14-3514, Slip Op. at 39-40 (3rd Cir. 8/24/2015)
Defendant “has made a supplemental production of the approximately 15,000 additional documents inadvertently omitted from its prior production. However, at least 500 pages have been inadvertently omitted from that production as well. No later than August 23, 2010, defendant … will produce the omitted pages. Defense counsel will personally supervise the preparation of this production and will assure the completeness of the production.” Chubb Custom Ins. Co. v. Grange Mut. Cas. Co., No. 2:07-cv-1285 (S.D. Ohio 8/19/10).
“The defendants are to provide [one defendant]’s wife[‘s] computer image to the plaintiffs. Mr. Dibert will communicate with the defendants’ IT personnel for the information.” PPG Indus. v. Payne, No. 3:10-cv-73 (E.D. Tenn. 5/21/10).
In re Seroquel Products Liab. Lit., No. 06-md-1769, Slip Op. at 26 (M.D. Fla. 8/21/07) (“a party is responsible for the errors of its vendors”).
Why Are Lawyers Here?!?!?
3. 3
Why? (2)
Defendants, must … establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about U.S. consumers … Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers, including:
A. the designation of an employee or employees to coordinate and be responsible for the information security program;
B. the identification of internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. …
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Defendants, and requiring service providers, by contract, to implement and maintain appropriate safeguards; and
E. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by sub-Section C, … or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the information security program.
FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1-9 at 4-5 (D.D.C. 12/14/2016) (“Ashley Madison”)
6. 6
Will Read The Fine Print ...?
<Vendor> AND <Vendor>’S LICENSORS, RESELLERS AND/OR DISTRIBUTORS MAKE NO OTHER WARRANTY OR CONDITION, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, REGARDING THE SERVICES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ERROR FREE OPERATION OR NON-INTRUSION DUE TO HACKING OR OTHER SIMILAR MEANS OF UNAUTHORIZED ACCESS.
FURTHER <Vendor> DOES NOT GUARANTY THAT ... THE SERVICES WILL MEET YOUR REQUIREMENTS, SPECIFICATIONS OR EXPECTATIONS. ...
NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING BUT NOT LIMITED TO STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR PERFORMANCE OF ANY SERVICES ... WHICH IS NOT CONTAINED IN THIS AGREEMENT, WILL BE DEEMED TO BE A WARRANTY BY <Vendor> FOR ANY PURPOSE OR GIVE RISE TO ANY LIABILITY OF <Vendor> WHATSOEVER.
YOU ACKNOWLEDGE THAT IT IS IMPOSSIBLE UNDER ANY AVAILABLE TECHNOLOGY FOR ANY APPLICATION TO IDENTIFY AND ELIMINATE ALL MALWARE.
7. 7
I. Three-dimensional Data (And, Therefore, Threats) …
A. What Is The Environment/What Are The Odds?
B. What Is The Environment/What Are The Costs?
II. Anticipating Threats
A. Legal Duties
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
III. Incident Response
A. Applying Laws & Frameworks
B. Time For Compliance
1. Notice requirements
2. Courts accelerate compliance
3. Examples of cyber-evidence
Today’s Agenda
8. 8
“In 2015, 43 percent of all attacks were directed at small businesses. … 42 percent of small businesses surveyed by the National Small Business Association (NSBA) reported being a victim of a cyber-attack, with cyber-attacks cost an average $32,021 for companies whose business banking accounts were hacked, and $7,115 on average for small businesses overall.” R. Luft (on behalf of NSBA), “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option” at 2,3; Hearing before the House Small Business Committee (7/26/2017).
I. Three-D Data And, Therefore, Threats ...
9. 9
What is the Environment/What are the Odds?
[Figure: The Global Risks Landscape 2018, World Economic Forum, Global Risks Report 2018 (1/17/2018)]
12. 12
What Are The Costs?
“Almost half of organizations represented in this research (47 percent) identified the root cause of the data breach as a malicious or criminal attack and the average cost was approximately $156 [per compromised record]. In contrast system glitches and human error or negligence averaged approximately $128 and $126, respectively.” Ponemon, supra at 4 (6/6/2017).
“Third party involvement in a breach and extensive cloud migration at the time of the breach increases the cost.” Id., at 6.
Small to medium-sized businesses may face cyber incident losses ranging in the tens of thousands of dollars per incident. See The Hiscox Cyber Readiness Report 2017, at 5 (Forrester Research survey found an average cost per incident of $35,967 for businesses with fewer than 99 employees).
Example cyber insurance annual premiums may range from hundreds of dollars (for $1-2 million of coverage on a small business) to more than $40,000 (for $5-10 million of coverage on a medium-sized business).
A typical cyber insurance claim may be on the order of $250,000.
“Expenses/fines related to breach of customer/personal information is the primary driver for purchasing a cyber insurance policy. Conversely, just 10 percent of respondents identified business interruption as the primary reason for purchasing the cover.” Information Security And Cyber Risk Management Survey 4 (Advisen/Zurich North America Oct. 2017)
13. 13
A. General Legal Duties: Beyond Sectors
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
II. Anticipating Threats
14. 14
General Legal Duties: Beyond Sectors
Common law fiduciary duties to protect non-public information: Attorney-client; employer-employee … see also, Savidge v Pharm-Save, Inc., 2017 WL 5986972 (W.D. Ky. 12/1/2017) (“the Court can draw the reasonable inference that, because [the employee] Plaintiffs' information was released to unauthorized individuals, Defendants breached their duties to safeguard that information ... Defendants' motion to dismiss will be denied with respect to Plaintiffs' negligence claim.”); id. (“these facts [of employees providing ‘personal information for tax purposes and to receive employment and benefits’] are sufficient for the Court to draw the reasonable inference that Defendants impliedly assented to protect Plaintiffs' information ... Plaintiffs have adequately pled the existence of an implied contract”).
General statutory duty to protect confidentiality of non-public citizen data: “At least 13 states now have general information security laws that require reasonable measures to protect defined categories of personal information (including Arkansas, California, Connecticut, Illinois, Maryland, Massachusetts, Nevada, New Jersey, New York, Oregon, Rhode Island, Texas, and Utah). ... ‘personal information’ is usually defined to include general or specific facts about an identifiable individual.” I. Hemmans & D. Ries, Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World, at 25 (ABA Law Prac. Div. 4/27/2016).
Mandatory, secure disposal of records containing “personal information” when their legal or business retention has expired. KRS 365.725.
Duty to notify individuals of a data security breach: “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” Nat’l Conf. of State Legislatures (NCSL), Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (3/29/2018) (last visited 4/17/2018).
15.
The NIST Framework
“This voluntary framework provides a much needed roadmap for improving the cybersecurity of our most critical infrastructure… Companies now have a common, but flexible path forward to better secure their systems, and also a meaningful way to measure their progress. We must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security.” - Senator Tom Carper (D-DE), Chairman of the Committee on Homeland Security and Governmental Affairs
“The release of the Cybersecurity Framework is a helpful step forward in providing guidance and best practices to help companies, particularly small and medium sized companies, grappling with today's cyber threats.” - Michael Chertoff, Secretary of Homeland Security under President George W. Bush and Chairman of the Chertoff Group
Image Credit: https://www.nist.gov/cyberframework/new-framework
22.
Cyber Insurance
• Compliance = Policies & procedures.
• Risk = Loss, theft, or damage to irreplaceable data (ex. customer lists), sensitive customer information (ex. social security numbers, credit information), intellectual property (ex. the secret recipe….yours, or the customer’s).
• Loss = liability to others and/or business losses.
• Insurance = Part of Compliance and Mitigating Risk of Loss.
• Consider Insurance in Policies & Response Protocol.
This presentation provides a brief overview of insurance considerations based on our legal experience and observations. Please consult with a licensed agent to determine your specific coverage needs and available options.
23.
Application: First Considerations
• Require service providers to demonstrate adequate security policies and procedures?
• Require 3rd party indemnification?
• Restrict employee access to personally identifiable information on a business need-to-know basis?
• Implement an identity theft program (aka FTC “Red Flags”)?
• Have a written Intellectual Property clearance procedure?
• Were such policies reviewed by a qualified attorney?
• Have a designated Chief Security Officer? Chief Privacy Officer?
• Have a disaster recovery plan? Business continuity plan?
• Have an incident response plan for network intrusions and virus incidents?
• How often are such plans tested?
• Conduct training for every employee user regarding security events and procedures?
• Encrypt data stored on laptop computers, back-up tapes?
24.
Application: Some Coverage Options
Do existing E&O, CGL, Crime, etc. coverages … have: _____?
Review a sample copy of any Policy you consider purchasing: The Writing controls the coverage!
• Theft and Fraud – Destruction or loss of policyholder’s data
• Forensic Investigation
• Business Continuity – Cyber events and data loss = investigation, reporting, lost income and costs
• Extortion (Ransomware) – Pay the ransom?
• Computer data loss and restoration
• 3rd party claims (privacy injury, identity theft, etc.)
• Network damage (damage due to viruses)
• Loss or theft of data, including proprietary information
• Costs to comply with “duty to notify” laws
• Crisis Management/Public Relations
• Regulatory expenses, fines and penalties
• Legal counsel – yours? Or panel counsel?
• Custom coverage – livestock, golf course, etc.
26.
When – Not “If” – A Cyber Incident Occurs:
STOP … THINK ... what insurance could apply? E&O? Crime? Cyber?
Know your Duties: (1) Policy (or Policies); and (2) Written Incident Response Plan
Policy Duties -- Follow written procedures to preserve coverage. Triggers for incident response? Definition of “claim”? Concerned about premium effects? Any “pre-notice” or “pre-claim” provisions? Notification/reporting requirements? Term? Business changes/insurance revisions?
Incident Response Plan Duties -- Is Insurance Addressed? There may be coverage for immediate steps following a cyber incident, e.g. forensic investigator, legal counsel, compliance with notification laws, etc.
Seek Legal Help -- Consult counsel or a designated incident response officer BEFORE notifying anyone else.
34.
Benefits Of Complying With The GDPR
1. Reduce Reputational Risks
2. Reduce Financial Risks
3. Organize Your Data
4. Build Trust
5. Reduce Chaos
6. Peace of Mind
36.
Anticipating Threats: Data Mapping
“Knowing the type of data collected, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a ‘data map’ or a ‘data inventory.’” D. Zetoony, Data Privacy and Security: A Practical Guide for In-House Counsel 1 (Wash. Legal Foundation, May 2016).
How is a data map compiled?
System inventories
Organization charts
Classification systems?
How frequently is a map updated?
41.
Cybersecurity: Summary Retention & Compliance Issues
How and Where are your records for customer & employee financial & health data created, communicated & stored?
Who are the custodians responsible for the security of that data?
Where are the records to define the reasonable administrative, physical & technical safeguards that protect Critical Cyber Assets, as well as employee & customer financial & health data?
Are the records identifiable within the general categories of administrative, physical & technical safeguards?
Are the classifications of technical records (such as system security logs) NIST-consistent, and do they include logs of internet access & use of connected facilities?
Does your RIM taxonomy account for specific jurisdictional requirements (e.g., Massachusetts encryption and WISP requirements for personal data)?
Who are the custodians responsible for maintaining and updating those records?
How frequently are systems mapped, or otherwise tested, to validate the continuing accuracy of the records classifications?
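The data-mapping slide asks what data is held, where, with whom it is shared and how it is transferred, and the retention slide asks who the custodians are, whether sensitive data is encrypted, and how often the map is re-validated; the earlier slide on general legal duties adds mandatory secure disposal once retention has expired (KRS 365.725). The following is an added example, not code from the presentation or from any of the presenters, of keeping the data map as a machine-checkable inventory and answering those questions from it. The inventory entries, dates, field names and the set of categories treated as sensitive are all constructed assumptions; a real map would be exported from a GRC tool or asset database rather than typed into a list.

```python
"""Data-map (data inventory) checker: an added, constructed example."""
from datetime import date, timedelta

# Categories treated as sensitive personal information (assumption).
SENSITIVE = {"SSN", "PHI", "CREDIT_CARD", "BANK_ACCOUNT"}

# Review date used for the worked results (constructed; matches the deck's date).
AS_OF = date(2018, 6, 14)

# Constructed sample inventory: one entry per system or data store.
INVENTORY = [
    {"system": "hr-payroll-db", "categories": {"SSN", "BANK_ACCOUNT"},
     "location": "on-prem datacenter", "custodian": "HR Director",
     "shared_with": ["payroll-processor-vendor"], "transfer": "SFTP",
     "encrypted_at_rest": True, "retention_days": 7 * 365,
     "oldest_record": date(2010, 3, 1), "last_reviewed": date(2018, 1, 15)},
    {"system": "sales-laptops", "categories": {"CUSTOMER_LIST", "CREDIT_CARD"},
     "location": "employee laptops", "custodian": "VP Sales",
     "shared_with": [], "transfer": "email",
     "encrypted_at_rest": False, "retention_days": 365,
     "oldest_record": date(2018, 2, 1), "last_reviewed": date(2016, 11, 1)},
    {"system": "backup-tapes", "categories": {"SSN", "PHI", "CUSTOMER_LIST"},
     "location": "offsite vault", "custodian": "IT Manager",
     "shared_with": ["tape-storage-vendor"], "transfer": "courier",
     "encrypted_at_rest": True, "retention_days": 10 * 365,
     "oldest_record": date(2012, 6, 1), "last_reviewed": date(2018, 4, 1)},
]


def unprotected_sensitive(inventory):
    """Systems holding a sensitive category without encryption at rest."""
    return sorted(e["system"] for e in inventory
                  if e["categories"] & SENSITIVE and not e["encrypted_at_rest"])


def stale_entries(inventory, today, max_age_days=365):
    """Entries whose map data has not been re-validated within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(e["system"] for e in inventory if e["last_reviewed"] < cutoff)


def retention_expired(inventory, today):
    """Entries still holding records older than their retention period
    (secure disposal is due)."""
    return sorted(e["system"] for e in inventory
                  if today - e["oldest_record"] > timedelta(days=e["retention_days"]))


def where_is(inventory, category):
    """Every system, its location and the third parties it shares with,
    for one data category (the first question in incident containment)."""
    return sorted((e["system"], e["location"], tuple(e["shared_with"]))
                  for e in inventory if category in e["categories"])


def report(inventory, today):
    """Findings a compliance reviewer would act on, keyed by finding type."""
    return {
        "unencrypted_sensitive": unprotected_sensitive(inventory),
        "map_stale": stale_entries(inventory, today),
        "retention_expired": retention_expired(inventory, today),
    }


if __name__ == "__main__":
    for kind, systems in report(INVENTORY, AS_OF).items():
        print(f"{kind}: {systems}")
    print("SSN held in:", where_is(INVENTORY, "SSN"))
```

Run against the constructed inventory, the laptop store is flagged twice (card data unencrypted, map entry not reviewed in over a year) and the payroll database is flagged for records past their seven-year retention; `where_is` answers the containment question of which systems and vendors hold a given category.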
42.
III. Incident Response
A. Applying Laws & Frameworks
B. Time For Compliance
1. Notice Requirements
2. Courts accelerate compliance
3. Examples of cyber-evidence
43.
(Choice of) Laws & Frameworks
Whose Law Controls?
“Kentucky has adopted the ‘most significant relationship’ test to resolve choice of law issues relating to contract disputes. … ‘[t]he rights and duties of the parties with respect to an issue in contract are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties …’ Kentucky will override the outcome of the ‘most significant relationship’ test and apply its own laws if ‘a clear and certain statement of strong public policy in controlling laws or judicial precedent’ would be violated in applying another state's laws.” Henry v. Travelers Personal Security Insurance Co., 2016-CA-001939-MR (Ky. App. 2/2/2018) (unpublished) (citations omitted).
“Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. … extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation.” GDPR, at Recital (115).
Is There a Race to an Agency or Courthouse?
What are the Facts Supporting One Choice Over Another?
Does the Framework Provide Early Answers?
44.
Compliance: Notice Requirements
Nature of the Incident?
• Which sector?
• Are specific contracts or other duties implicated?
Time to Notify?
• State data breach notification laws may provide for notice within anywhere from 14-90 days after discovery of the incident.
• GDPR compresses the notice timeframe to 72 hours (Art. 33:1)
Manner of Notice?
Does the Framework Provide Early Answers?
45.
Courts Accelerate Compliance
Courts expect parties to have document & data retention practices in order: See Rules 16(b)(2); 26(f)(1) (requiring pre-discovery conference & scheduling order within 90-120 days of the beginning of an action); In re Direct Southwest, Inc. FLSA Litigation, 2009 U.S. Dist. LEXIS 69142 (E.D. La.) (requiring execution of supplemental search terms, production of documents & production of privilege log within 10 days).
[Defendant] “was ordered to ‘provide a data-map of the ESI involved in this litigation for in-camera review ... If no data-map exists, then …[defendant] [was to] to explain why no ESI data-map exist[ed] and how Counsel ... educated themselves about [defendant’s] information and record keeping systems.” Small v. Univ. Med. Center of Southern Nevada, 2:13-cv-00298 (D. Nev. 8/18/2014). Id., at n. 15 (Court-appointed Special Master “was forced to create his own data map ... from scratch, by synthesizing testimony from IT personnel and other employees”).
“[T]he parties have fifteen (15) business days from the date of this order to exchange information regarding the location and existence of electronic data sources that may contain discoverable ESI (the "Data Map"), including information regarding the parties' policies and/or procedures regarding data retention; their computer servers and back-up and archival sources that store ESI; all computers, phones, tablets, and other storage devices issued to the Custodians or used by the Custodians for business purposes; all email accounts and cloud-storage/file-sharing service accounts used by the Custodians for business purposes; and any data source that the party identifies as not reasonably accessible pursuant to Fed. R. Civ. P. 26(b)(2).” Hydrochem LLC v. Duplessis, Civil No. 14-264 (M.D. La. 5/28/2015).
46.
Examples Of Cyber Evidence
Logs of internet URL/domain access. Microsoft Corp. v. John Does 1-5, No. 15-cv-6565 (E.D.N.Y. 11/23/2015)
Server login records. Tyan v Garcia, No. 15-cv-05443 (C.D. Cal. 5/2/2017)
“more than 42,000 files on appellant’s computer were intentionally overwritten on February 6, 2011, using [XXXXXX], a program designed to permanently delete and overwrite files. [Defendants’ expert] was unable to restore or retrieve the content of the overwritten files. In addition, certain files one would expect to find (such as “Recent Folder Activity, Link Files, Recycle Bin Info Files, Temp Folders, and Internet Cache Folders”) were missing and could not be restored or retrieved. [The expert] found remnants of other files …” Braun v. Toyota Motor Sales, U.S.A., Inc., No. B234212 (Cal. App. 2d Dist. 2/13/2013) (unpublished)
“Defendants have … failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information.” FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1 at 9, ¶31 (D.D.C. 12/14/2016) (“Ashley Madison”). Cf. Board of Trustees of Ibew Local 43 Electrical Contractors Health v. D'Arcangelo & Co., LLP, 1 N.Y.S. 3d 659, 124 A.D.3d 1358 (4th Dept. 1/2/2015) (motion to dismiss denied where negligence claim was based on alleged failure to obtain an audit report)
49.
(Today’s) Conclusions
Cyber privacy & security must balance economic, human and technology resources. Balance is essential to preserve, identify, collect & produce material information, in an appropriate form, that is reasonably necessary to resolve a privacy/security incident or any other matter.
Educated, empowered and accountable employees are a company’s ultimate defense against threats to data integrity and security.
An integrated privacy & security program must establish reasonable standards, verify their implementation, and validate their effectiveness on a regular basis.
Attorneys will be held responsible for assessing and defending “reasonable” privacy and security standards in particular matters.
50.
Presenters
Lindsay Graves: Lindsay is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policies and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Lindsay represented individuals and businesses in commercial litigation, including real estate developers and brokers, title insurers and financial institutions. She helped those clients obtain successful outcomes in judicial/appellate, regulatory and mediation/arbitration proceedings throughout the Commonwealth of Kentucky.
Alison Howard: Alison is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes research, analysis and drafting for privacy policies and practices applicable to financial, insurance, land title and retail consumer businesses. Apart from her work with the Group, Alison has been an experienced litigator, a licensed insurance and real estate agent, and a licensed property and casualty adjuster. She also served as compliance counsel for a national real estate title company, and a conflicts counsel for Frost Brown Todd. Alison has authored and presented multiple official continuing education courses for real estate licensees and government regulators concerning liability insurance and claims experiences.
51.
Presenters (too)
Connie Wilkinson-Tobbe: Connie is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policy and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Connie was a trial and compliance attorney for both individual and business clients. She helped those clients obtain successful outcomes in bench and jury trials, regulatory and grand jury proceedings, and mediation/arbitration proceedings in Kentucky state and federal courts.
Robert Dibert: Bob is a Member of the Business Litigation and Electronic Data Discovery (“EDD”) groups at Frost Brown Todd, LLC. He has more than 30 years’ experience litigating commercial disputes, including cases based upon alleged fraud and racketeering violations. His data privacy/security experience began with HIPAA compliance issues in litigation, and has expanded over the last 10 years to include both counseling for breach preparedness and representation for incident response.
52. Views expressed in these materials are those of the authors individually, and do not constitute legal or any other formal advice.
I. Identifying Threats
A. Do we maintain an annual profile of predominant threats to our business sector?
B. Do we maintain an annual profile of costs in our sector?
1. Costs/potential financial impact of predominant threats
2. Costs of safeguards to prevent or mitigate threats
3. Costs of insurance to offset impacts of threats
II. Preparing For Threats
A. Have we established a Framework to anticipate and respond to threats?
1. Does that Framework reasonably reflect the scope of our business & legal environment?
2. Do we verify our use and maintenance of that Framework?
3. Do we validate the scope and effectiveness of that Framework?
B. Does our records retention & compliance program include categories for the profiles, Framework, and types of information likely to be necessary for incident response?
III. Incident Response
A. Have we identified a team for first response?
B. Do we maintain a scope and choice of law analysis for how, and how quickly, responses must be made?
C. Do we have data maps to help identify and contain the compromised area(s)?
D. Do we have tools or providers necessary to preserve potentially relevant information from the compromised area(s)?
Robert W. Dibert
Connie Wilkinson-Tobbe
Lindsay P. Graves
Alison P. Howard
June 14, 2018
54.
Case Study: Compliance Following a HIPAA Privacy Breach
Snooping is one of the most common causes of a HIPAA breach. This can occur in a HIPAA-covered entity if an employee looks at PHI beyond what is necessary to perform their responsibilities for the employer.
This incident is a cautionary tale for HIPAA-covered entities (health care providers, insurers or group health plans sponsored by an employer) which may have access to HIPAA-protected information in their files.
Incident: As part of her job responsibilities for a medical practice, “Employee A” reviews medical records for purposes of determining the proper charge for the services provided by the medical practice. One day, she realizes that the medical record she is reviewing is for a fellow employee, “Employee B,” who has received services by the medical practice. Instead of limiting her current review to the specific medical record for the recent office visit of “Employee B,” “Employee A,” apparently out of curiosity, looked at a number of other “Employee B” medical records. In a routine audit, the medical practice’s information technology staff determined that “Employee A” looked at numerous medical records on one specific date. Because “Employee A” has no legitimate reason to review the prior test information to perform her duties, this unauthorized use of protected health information (PHI) was a HIPAA breach required to be reported to the patient and to Health and Human Services in year-end breach reporting.
Result: The medical practice had a robust HIPAA policy and practice, which lessens the risk of governmental penalties, but the employee involved was disciplined, as required by HIPAA. Routine review of records accessed is a best practice that should be used by all businesses that hold HIPAA-protected data. If a HIPAA-covered entity believes there has been an unauthorized use or disclosure of PHI as there was in the example above, the covered entity is required to investigate the matter and report a HIPAA breach.
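The case study turns on a routine audit noticing that one user opened an unusual number of charts on one date, including a co-worker's. As an added example, not code from the presentation or from any regulator's guidance, the script below runs the two checks that audit implies over a constructed EHR access log: every access to a workforce member's own chart by someone other than that member, and any day on which a user opened several times more distinct charts than their own median day. The log lines, user names, patient IDs, the CSV layout and the `EMPLOYEE_PATIENTS` mapping are all constructed assumptions; the output is a list of candidates for a privacy officer to review against documented job duties, not a finding of a breach.

```python
"""Access-log review for PHI snooping: an added, constructed example."""
import csv
from collections import defaultdict
from io import StringIO
from statistics import median

# Constructed EHR access log: timestamp, user, patient (chart) id, action.
ACCESS_LOG = """\
timestamp,user,patient,action
2018-05-01T09:02:00,empA,P100,view
2018-05-01T09:40:00,empA,P101,view
2018-05-01T10:15:00,empA,P102,view
2018-05-02T09:05:00,empA,P103,view
2018-05-02T11:30:00,empA,P104,view
2018-05-03T09:00:00,empA,P105,view
2018-05-03T09:10:00,empA,P777,view
2018-05-03T09:11:00,empA,P777,view_history
2018-05-03T09:12:00,empA,P777,view_history
2018-05-03T09:13:00,empA,P777,view_history
2018-05-03T09:20:00,empA,P106,view
2018-05-03T09:25:00,empA,P107,view
2018-05-03T09:30:00,empA,P108,view
2018-05-03T09:35:00,empA,P109,view
2018-05-03T09:40:00,empA,P110,view
2018-05-03T09:45:00,empA,P111,view
2018-05-03T09:50:00,empA,P112,view
2018-05-03T09:55:00,empA,P113,view
2018-05-01T13:00:00,empC,P200,view
2018-05-02T13:00:00,empC,P201,view
2018-05-03T13:00:00,empC,P202,view
"""

# Chart IDs that belong to workforce members, mapped to their user id
# (constructed assumption; a real list comes from HR, kept access-controlled).
EMPLOYEE_PATIENTS = {"P777": "empB"}


def parse_log(text):
    """Parse the CSV access log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def coworker_chart_access(rows, employee_patients=EMPLOYEE_PATIENTS):
    """Every access to a workforce member's own chart by someone other than
    that member. Each one needs a documented job reason; the audit decides."""
    return [
        (r["timestamp"], r["user"], r["patient"], r["action"])
        for r in rows
        if employee_patients.get(r["patient"]) not in (None, r["user"])
    ]


def daily_distinct_charts(rows):
    """{user: {date: number of distinct charts opened that day}}."""
    per_user = defaultdict(lambda: defaultdict(set))
    for r in rows:
        per_user[r["user"]][r["timestamp"][:10]].add(r["patient"])
    return {u: {d: len(c) for d, c in days.items()} for u, days in per_user.items()}


def volume_outliers(rows, factor=3.0, min_days=2):
    """Days on which a user opened more than factor x their own median daily
    count. Users with fewer than min_days of history have no baseline."""
    flagged = []
    for user, days in daily_distinct_charts(rows).items():
        if len(days) < min_days:
            continue
        baseline = median(days.values())
        for day, n in sorted(days.items()):
            if n > factor * baseline:
                flagged.append((user, day, n, baseline))
    return flagged


def review(text=ACCESS_LOG):
    """Run both checks and return the candidates for human review."""
    rows = parse_log(text)
    return {"coworker_chart_access": coworker_chart_access(rows),
            "volume_outliers": volume_outliers(rows)}


if __name__ == "__main__":
    for kind, hits in review().items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the constructed log, `empA` is surfaced by both checks for 2018-05-03: four accesses to the chart of `empB` (one visit view and three history views) and ten distinct charts against a median day of three, which is the same pattern the IT staff in the case study found. The per-user median baseline matters: a billing reviewer's normal day is not a receptionist's, so a single fixed threshold would either miss the former or flood the audit with the latter.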
Representative Experience
»» Assisted a national restaurant chain from start to finish
with a credit card data breach in dozens of states
with over one million card exposures. Responsibilities
included emergency response coaching, breach
evaluation, breach notification, breach vendor
management, liability assessments, negotiations with
processors, acquiring banks, issuing banks and card
brands, and litigation support.
»» Assisted a large multinational corporation with its
evaluation of and response to a ransomware attack that
crippled all corporate servers including human resources
and payroll.
»» Assisted a company with response and notification
arising from infiltration of the company’s system that
altered payroll files processed by a third-party payroll
processor. Responsibilities included working with a
forensics investigation firm, coordination of notification
to employees, and negotiation with the cyber liability
insurance provider.
»» Consulted proactively with a national manufacturing
business regarding appropriate privacy and security
provisions for maintenance of employee personal
information, both internally and for purposes of data
sharing and transfer agreements.
»» Advised a national restaurant chain regarding incident
response for potential misuse of Wi-Fi services. Scope of
the matter included working with the client’s information
technology department to identify potential access and
use of facilities in question, and response to information
requests from law enforcement and private litigants.
»» Consulted with an international manufacturing business
regarding a "phishing" incident directed at employees'
personal data. Scope of the matter included identification
of the scope of attempted intrusion, analysis of
potentially applicable law of multiple jurisdictions, and
assessment of technological safeguards in place to
prevent an actual breach of the security of information
systems in question.
»» Advised a mid-sized consumer retail services
business on response to employee theft of personal
information from company systems. The scope of the
matter included working with the client’s information
technology department to identify access and attempted
misappropriation of information, and coordination
with law enforcement for potential prosecution and
assessment of any breach notification.
Frost Brown Todd | Defending Your Company from a Data Breach
55.
Frost Brown Todd Data Breach Attorneys
Jane Hils Shea | Member | jshea@fbtlaw.com | 513.651.6961
Jane leads FBT’s privacy and information security practice. She has significant experience in the law governing data privacy and information security, assisting clients with the development of written information security programs, the European Union’s General Data Protection Regulation (GDPR) compliance, appropriate internal policies and procedures, as well as incident response measures and data breach notification. Jane is a member of the International Association of Privacy Professionals and is a Certified Information Privacy Professional for the U.S. private-sector (CIPP/US).
frostbrowntodd.com
Michael T. Bindner | Member | mbindner@fbtlaw.com | 317.237.3863
Michael assists clients with various HIPAA privacy matters, including privacy training, investigating and reporting HIPAA privacy breaches, and with breaches of personal information. He speaks frequently on topics related to employee benefits, HIPAA and other health care issues.
Robert W. Dibert | Member | bdibert@fbtlaw.com | 502.568.0379
Bob works with businesses in the educational, financial, health care, manufacturing, professional services, and consumer retail sectors on data privacy and security matters, beginning with the proactive incorporation of privacy/security-related records and procedures into retention and compliance programs, and extending to breach notifications. The incidents have included commercial espionage, employee theft, lost or stolen devices, misuse of facilities by outsiders, and so-called “phishing” for personal information.
Milton C. Sutton | Senior Associate | msutton@fbtlaw.com | 614.559.7271
Milton practices in FBT’s intellectual property and government services practice groups. His practice focuses on complex information technology matters including computer systems, telecommunications, data, software development, web hosting, licensing, cloud computing, cybersecurity and privacy. He is a Certified Information Privacy Professional for the U.S. private-sector (CIPP/US). He assists entities on general privacy issues, GDPR compliance, cybersecurity preparation as well as responding to large data breach incidents.