
Cybersecurity & Data Protection: What the GC & CEO Need to Know

Jan 16, 2017


Shawn Tuma
Transcript
Page 1: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Cybersecurity & Data Protection: What the GC & CEO Need to Know

Page 2: Cybersecurity & Data Protection: What the GC & CEO Need to Know

“There are only two types of companies: those that have been hacked, and those that will be.”

– Robert Mueller

Odds: Security @ 100% / Hacker @ 1

Page 3: Cybersecurity & Data Protection: What the GC & CEO Need to Know

Target, Home Depot, Neiman Marcus, Michael’s, Specs, TJ Maxx, eBay, Sally Beauty, PF Chang’s, UPS, Dairy Queen, Jimmy John’s, JP Morgan Chase, Kmart, Staples, Sony, Ashley Madison

Yes, Legal

Page 4: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Legal Obligations

International Laws: Safe Harbor, Privacy Shield

Federal Laws & Regs: HIPAA, GLBA, FERPA; FTC, FCC, SEC

State Laws: 47 states (all but Ala., NM, SD); Fla. (within 30 days); OH & VT (45 days)

Industry Groups: PCI, FINRA, etc.

Contracts: Vendors & Suppliers; Business Partners; Data Security Addendum

Page 5: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

ACC Study (Sept ‘15)

What concerns keep Chief Legal Officers awake at night?

#2 = Data Breaches

82% consider as somewhat, very, or extremely important

Page 6: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Cost of a Data Breach – US

2013 Cost
• $188 per record
• $5.4 million = total average cost paid by organizations

2014 Cost
• $201 per record
• $5.9 million = total average cost paid by organizations

2015 Cost
• $217 per record
• $6.5 million = total average cost paid by organizations

(Ponemon Institute Cost of Data Breach Studies)

Page 7: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Responding:
• Execute Response Plan
• Contact attorney (privilege + first responder)
• Alert and assemble Response Team
• Notify insurance carrier
• Contact forensics
• Begin PR messaging
• Contact notification vendor
• Notify business partners
• Investigate breach
• Remediate responsible vulnerabilities
• Reporting & notification

Page 8: Cybersecurity & Data Protection: What the GC & CEO Need to Know

How Fast?
• 45 days (most states)
• 30 days (some states)
• 3 days (fed contracts)
• 2 days (business expectation)
• Immediately (contracts)

Page 9: Cybersecurity & Data Protection: What the GC & CEO Need to Know

Litigation

Page 10: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Litigation: Business / Real Harm

Standing has not been an issue in cases where the harm is readily ascertainable: “Target does not challenge Plaintiffs’ allegations with respect to the elements of causation and damages.” In re Target Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D. Minn. 2014) (Financial Institutions Litigation).

Page 11: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Litigation: Where’s the Harm?

“Peters has not made the requisite demonstration of injury, traceability and redressability for her alleged injuries.” Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015).

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).

“Whalen has not alleged that she suffered any unreimbursed charges. To the contrary, she asserts only that her credit card was ‘physically presented for payment in Ecuador.’ There are no allegations that Whalen was required to pay the charges made in Ecuador.” Whalen v. Michaels Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015).

Where the data breach affected more than 1,000 retail stores and occurred nearly one and a half years earlier, yet there was only one isolated instance of an unauthorized charge, this indicated any data misuse is not fairly traceable to the data breach. In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016).

“[A]llegations of a concrete and imminent threat of future harm are enough to establish an injury and standing in the early stages of a data breach suit.” In re Anthem Data Breach Litigation, 2016 WL 589760, *25 (N.D. Cal. Feb. 14, 2016).

Page 12: Cybersecurity & Data Protection: What the GC & CEO Need to Know

Regulatory & Administrative

Page 13: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Regulatory & Administrative – SEC

S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

“Firms must adopt written policies to protect their clients’ private information”; “they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

• Violated the “safeguards rule”
• 100,000 records (no reports of harm)
• $75,000 penalty

Page 14: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Regulatory & Administrative – FTC

In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). The FTC’s Order requires businesses to follow 3 steps when contracting with third-party service providers:

1. Investigate before hiring data service providers.

2. Obligate their data service providers to adhere to the appropriate level of data security protections.

3. Verify that the data service providers are complying with obligations (contracts).

Page 15: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Regulatory & Administrative – FTC

F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act. Companies have fair notice that their specific cybersecurity practices could fall short of that provision.

• 3 breaches / 619,000 records / $10.6 million in fraud
• Rudimentary practices v. 2007 guidebook
• Website Privacy Policy misrepresentations
• Jurisdiction v. set standard?

Page 16: Cybersecurity & Data Protection: What the GC & CEO Need to Know

Page 17: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Regulatory & Administrative

• FCC - fined AT&T $25,000,000
• CFPB - fined Dwolla, Inc. $100,000
• FDIC - new cybersecurity framework
• DOJ - Yates Memo

Page 18: Cybersecurity & Data Protection: What the GC & CEO Need to Know

Officer & Director Liability

Page 19: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Officer & Director Liability

“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham

Derivative claims premised on the harm to the company from data breach.

Caremark Claims: Premised on lack of oversight = breach of the duty of loyalty and good faith. Cannot insulate the officers and directors = PERSONAL LIABILITY!

Standard:

(1) “utterly failed” to implement reporting system or controls; or

(2) “consciously failed” to monitor or oversee system.

Page 20: Cybersecurity & Data Protection: What the GC & CEO Need to Know

www.solidcounsel.com

Officer & Director Liability

Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014). Derivative action for failing to ensure Wyndham implemented adequate security policies and procedures.

Order Dismissing: The board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.

Well-documented history of diligence showed the Board:

• Discussed cybersecurity risks, company security policies and proposed enhancements in 14 quarterly meetings; and
• Implemented some of those cybersecurity measures.

Page 21: Cybersecurity & Data Protection: What the GC & CEO Need to Know

You will be breached. Will you be liable?

It’s not the breach; it’s your diligence that matters most.

Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.

Cyber Risk Assessment

Strategic Planning

Deploy Defense Assets

Develop, Implement & Train on P&P

Tabletop Testing

Reassess & Refine

Shawn Tuma, Partner
Scheef & Stone, LLP
[email protected]
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com

This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the US.

• Texas SuperLawyers 2015 (IP Litigation)
• Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
• Council, Computer & Technology Section, State Bar of Texas
• Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• College of the State Bar of Texas
• Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee
• Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Information Systems Security Association (ISSA)
• Board of Advisors, Optiv Security
• Contributor, Norse DarkMatters Security Blog
• Editor, Business Cyber Risk Law Blog

What is it Worth to You?