International Association of Defense Counsel IADC Southwest Regional Meeting Dallas, Texas Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and Coverage Moderator: John G. Browning, Passman & Jones, A Professional Corporation Panelists: Richard Roper, Thompson & Knight, LLP Mariah Quiroz, Thompson, Coe, Cousins & Irons, L.L.P. Shawn Tuma, Scheef & Stone, L.L.P.
Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and Cyber Insurance Coverage
International Association of Defense Counsel
IADC Southwest Regional Meeting
Dallas, Texas
Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and Coverage
Moderator: John G. Browning, Passman & Jones, A Professional Corporation
“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller
97% Companies Tested, Breached Prior 6 Mos.
43% Business had Data Breach in 2014
62% of Cyber Attacks SMBs
Odds: Security @100% / Hacker @ 1
How Serious?
2013 Cost • $188.00 per record • $5.4 million = total average cost paid by organizations
2014 Cost • $201 per record • $5.9 million = total average cost paid by organizations
2015 Cost • $217 per record • $6.5 million = total average cost paid by organizations
(for US Companies; Ponemon Institute Cost of Data Breach Studies)
Principal Areas of Risk
What is a cybersecurity incident?
2014 OTA Report
The basics
Theft of Devices
Lost Devices
Lost Passwords
Phishing
Infected Websites
Basic IT
Latest Trends
Assess Cyber Risk
Strategic Planning
Deploy Defense Assets
Develop, Implement & Train on P&P
Tabletop Testing
Reassess & Refine
Minimizing Cybersecurity Risks
Cybersecurity is a Legal Issue
IT
Business / PR Legal
Consumer Litigation
Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015)
Whalen v. Michael Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016)
In re Anthem Data Breach Litigation, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)
Regulatory Enforcement
The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
Firms must (1) adopt written policies to protect their clients' private information, (2) anticipate potential cybersecurity events, and (3) have clear procedures in place to respond. S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
FCC - fined AT&T $25,000,000
CFPB - fined Dwolla, Inc. $100,000
DOJ - Yates Memo
Officer & Director / Derivative Claims
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.
Derivative claims premised on the harm to the company from data breach.
Caremark Claims - breach of the duty of loyalty and good faith if (1) utterly failed to implement reporting system or controls, or (2) consciously failed to monitor or oversee.
The board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks. Palkon v. Holmes, 2014 WL 5341880, *5-6 (D.N.J. Oct. 20, 2014).
Helping Clients Minimize Risk
Ask Questions
Awareness
Educate
Understand Legal Obligations
Cybersecurity Risk Management Program
Understand Standard of Care
Law Firm Cybersecurity Risks
This is the end of Shawn Tuma’s slides. The other speakers’ slides are not included.