Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and Cyber Insurance Coverage

International Association of Defense Counsel

IADC Southwest Regional Meeting

Dallas, Texas

Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and

Coverage

Moderator: John G. Browning, Passman & Jones, A Professional Corporation

Panelists: Richard Roper, Thompson & Knight, LLP

Mariah Quiroz, Thompson, Coe, Cousins & Irons, L.L.P.

Shawn Tuma, Scheef & Stone, L.L.P.

“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller

97% Companies Tested, Breached Prior 6 Mos.

43% Business had Data Breach in 2014

62% of Cyber Attacks SMBs

“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller Odds: Security @100% / Hacker @ 1

How Serious?

2013 Cost • $188.00 per record • $5.4 million = total average cost paid by organizations

2014 Cost • $201 per record • $5.9 million = total average cost paid by organizations

2015 Cost • $217 per record • $6.5 million = total average cost paid by organizations

(for US Companies; Ponemon Institute Cost of Data Breach Studies)

Principal Areas of Risk

What is a cybersecurity incident? 2014 OTA Report The basics Theft of Devices Lost Devices Lost Passwords Phishing Infected Websites Basic IT

Latest Trends

Assess Cyber Risk

Strategic Planning

Deploy Defense Assets

Develop, Implement & Train on

P&P

Tabletop Testing

Reassess & Refine

Minimizing Cybersecurity Risks

Cybersecurity is a Legal Issue

IT

Business / PR Legal

Consumer Litigation

Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015)

Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015)

Whalen v. Michael Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)

In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016)

In re Anthem Data Breach Litigation, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)

Regulatory Enforcement The FTC has authority to regulate cybersecurity under

the unfairness prong of § 45(a) of the FTC Act. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

Firms must (1) adopt written policies to protect their clients private information, (2) anticipate potential cybersecurity events, and (3) have clear procedures in place to respond. S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

FCC - fined AT&T $25,000,000

CFPB - fined Dwolla, Inc. $100,000

DOJ - Yates Memo

Officer & Director / Derivative Claims “[B]oards that choose to ignore, or minimize, the

importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

Derivative claims premised on the harm to the company from data breach.

Caremark Claims - breach of the duty of loyalty and good faith if (1) utterly failed to implement reporting system or controls, or (2) consciously failed to monitor or oversee.

The board satisfied the business judgement rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks. Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).

Helping Clients Minimize Risk

Ask Questions

Awareness

Educate

Understand Legal Obligations

Cybersecurity Risk Management Program

Understand Standard of Care

Law Firm Cybersecurity Risks

Law Firm Cybersecurity Risks

This is the end of Shawn Tuma’s slides. The other speakers’ slides are not included.

International Association of Defense Counsel

IADC Southwest Regional Meeting

Dallas, Texas

Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and

Coverage

Moderator: John G. Browning, Passman & Jones, A Professional Corporation

Panelists: Richard Roper, Thompson & Knight, LLP

Mariah Quiroz, Thompson, Coe, Cousins & Irons, L.L.P.

Shawn Tuma, Scheef & Stone, L.L.P.