Data Breaches and Cyber Liability: What Commercial ...

Jun 01, 2022

Page 1: Data Breaches and Cyber Liability: What Commercial ...

Data Breaches and Cyber Liability:

What Commercial Litigators Need to Know Protecting and Defending Against New and Emerging Cyber Risks

WEDNESDAY, JUNE 3, 2015

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Presenting a live 90-minute webinar with interactive Q&A

Today’s faculty features:

Antony P. Kim, Partner, Orrick Herrington & Sutcliffe, Washington, D.C.

Christina Guerola Sarchio, Partner, Orrick Herrington & Sutcliffe, Washington, D.C.

Joseph J. Siprut, Founder and Managing Partner, Siprut, Chicago

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-871-8924 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank-you email that you will receive immediately following the program.

For additional information about CLE credit processing, call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

Data Breaches and Cyber Liability

What Commercial Litigators Need to Know

Christina Guerola Sarchio, Orrick

Antony P. Kim, Orrick

Joseph J. Siprut, Siprut PC

Page 6

Data Breach Occurrences

• In 2014, over 25 billion attacks were recorded against Japanese government networks

• Companies reporting a financial loss of $20 million or more from cyber attacks increased by 92% (study sample by PwC)

• Over 500 million personal information records were stolen (IBM Security Services)

Page 7

Costs Incurred from Data Breach

Average loss to organization                       In 2012         In 2014
Average total cost                                 $5.5 million    $6.5 million
  (direct and indirect expenses, e.g., forensic experts, outsourcing hotline support,
   free credit monitoring, discounts, customer loss, diminished customer acquisition)
Cost per compromised record                        $188/record     $217/record

Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States

Averages are based on a study of smaller breaches of 5,000 to 99,000 records; breaches of more than 100,000 records were excluded because they would “skew” the results.

Page 8

Common Components of Costs

Page 9

LEGAL LANDSCAPE

Page 10

U.S. “Cyber Law” Framework

• In U.S., no comprehensive privacy and security legislation

• Laws that impose civil or criminal liability for hacking

– Computer Fraud and Abuse Act, ECPA, Wiretap Act; state laws

• Laws that require implementation of security measures

– Gramm-Leach-Bliley Act; Health Insurance Portability and Accountability Act (HIPAA)

– State law requirements (CA, MA, NV and progeny)

• Laws that require notification of breaches

– 47 state laws, plus D.C., Guam, P.R., V.I.; HIPAA / HITECH Act

– Dozens of federal notification law proposals

• Contractual legal obligations

– Privacy policies, Terms of Use, Marketing materials

– Payment Card Industry Data Security Standard (PCI-DSS)

• Regulatory Enforcement Actions/Resolutions (Consent Decrees)

– FTC, FCC, FINRA, SEC, state AGs, state insurance commissioners, etc.

Page 11

Regulator Investigations

• What are regulators checking?

– Deceptive statements and “unfair” practices (see FTC and “baby FTC acts”)

– Have you implemented “readily available” technology (e.g., basics: patch management, encryption, 2FA) and “reasonable” practices, including requirements in any specific security statutes?

– Have you used any government or industry guidelines (e.g. NIST, ISO)?

• What information do regulators review in the wake of a breach?

– Breach notifications; timing; remedies offered; law enforcement cooperation

– Breach forensics, reports/findings re: attack vector, data accessed, numbers

– Pre-breach security audits and risk assessments, by company or third-party

– Information security plan (e.g., “WISP”); Incident response plan (IRP)

– Employee handbooks and training materials

– Vendor and service-provider management

– Privacy policies and other promises made to consumers about security

– Interviews with company personnel knowledgeable about security practices

– Other documents and information (usually obtained via a civil investigative demand, or CID)

Page 12

DATA-RELATED LAWSUITS

Page 13

Business Practices Subject to Litigation

• Telemarketing

• E-mail scanning for targeted advertising

• Point-of-Sale Data Collection

• Data security

Page 14

Industries Subject to Data-Related Lawsuits

• Retailers

• Health

• Financial Services

• Debt Collectors

• Hospitality/Restaurants

• Internet-based Companies

• Social Media

• Insurance

Page 15

Data-Related Lawsuits: CONSUMERS

Individuals, on behalf of a class of consumers, may bring suits under the following statutes or legal theories:

– Telephone Consumer Protection Act

– Fair Credit Reporting Act

– Point-of-sale (POS) collection statutes

– Breach of Contract

– Electronic Communications Privacy Act

– Wiretap Act

– Video Privacy Protection Act

– Stored Communications Act

– Unjust Enrichment

– Unfair Competition Law

– Negligence

– Common Law Fraud

– Computer Fraud and Abuse Act

Page 16

Defenses in Data Breach Litigation: STANDING

• Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013)

– To bring suit in federal court, a plaintiff must establish Article III standing, i.e., an “injury in fact” that is “actual” or “imminent”

– Where personal information has been lost or compromised but not yet misused, claims of injury are indefinite and speculative

– In Clapper, the U.S. Supreme Court rejected a challenge to the constitutionality of a federal electronic surveillance statute, holding that a mere fear of government interception of electronic communications is too speculative to confer standing

– Clapper stressed that standing requires a “substantial risk” of actual harm, not simply a generalized fear of future consequences

Page 17

Dismissals of Data-Breach Litigation: STANDING

• In re Barnes & Noble PIN Pad Litig. (N.D. Ill. 2013): an alleged “risk to Plaintiffs of suffering some actual injury due to the security breach,” such as identity theft, is insufficient to confer standing

• Galaria v. Nationwide Mutual Insurance (S.D. Ohio 2014): “an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact” absent allegations or facts suggesting that this harm is “certainly impending”

• P.F. Chang’s (N.D. Ill. 2014): plaintiffs failed to show “an unreimbursed charge” on their payment cards that would demonstrate an actual injury, and the opportunity cost of not having a credit or debit card for the days between learning about a fraudulent charge and receiving a new card “is not a cognizable injury”

• eBay (E.D. La. 2015): “mitigation expenses do not qualify as injury-in-fact when the alleged harm is not imminent. Therefore, Plaintiff’s allegations relating to costs already incurred or that may be incurred to monitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes.”

Page 18

Creative Plaintiff Arguments: STANDING

• Moyer v. Michaels Stores, Inc. (N.D. Ill. 2014): Clapper should be limited to cases involving national security

• In re Sony Gaming Networks and Customer Data Security Breach Litig. (S.D. Cal. 2014): alleging a “credible threat of impending harm” that is “both real and immediate, not conjectural or hypothetical” suffices

• In re Adobe Sys. Privacy Litig. (N.D. Cal. 2014): the deliberate nature of a breach suggests a greater danger of improper use

• In re Target Corporation Customer Data Security Breach Litig. (D. Minn. 2014): charges and financial damages “fairly traceable” to the breach, including unlawful charges that went unreimbursed for long periods of time and restricted or blocked bank accounts, resulting in late-payment charges, an inability to pay other bills, and additional fees

Page 19

Creative Litigation Theories

• Breach of Contract

– LinkedIn: sued not for the fact that data was compromised in the breach, but because users who purchased the “premium” subscription allegedly would not have done so but for the company’s promise to safeguard their data

• Economic Injury

– In re Google, Inc. Privacy Policy Litigation: allegation of unauthorized use of system resources, which drained device batteries, established a cognizable injury for Article III standing purposes

• Violation of Statutory Rights

– Spokeo v. Robins: a consumer who had suffered no actual harm from the alleged FCRA violation (inaccurate information published about him) claimed that the Fair Credit Reporting Act (“FCRA”) confers a private right of action to sue for statutory damages without any proof of injury

Page 20

Data-Related Lawsuits: FINANCIAL INSTITUTIONS

• Banks that issued the credit and debit cards and extended credit to consumers affected by a data breach allege they were harmed by having to refund fraudulent charges to cardholders, and that the retailer failed to maintain appropriate data-security measures that could have prevented the breach

• Target’s motion to dismiss the claims of nearly 30 financial institutions denied (2014)

• Financial institution suits pending against Kmart, Home Depot

Page 21

Data-Related Lawsuits: SHAREHOLDER DERIVATIVE SUITS

• Alleging that a company’s board breached its fiduciary duty by failing to take sufficient steps to protect the company from a breach, failing to provide prompt and adequate notice to customers, and releasing statements giving a false sense of security

• Suit against Wyndham dismissed (2014)

Page 22

Data-Related Lawsuits: SECURITIES CLASS ACTIONS

• Alleging that a company’s false statements and omissions regarding its ability to safeguard data resulted in the artificial inflation of the prices of the company’s securities, which dropped after the company disclosed the fact of a breach

• Suit against Heartland Payment Systems dismissed (2009)

• Suit against ChoicePoint settled for $10M (2008)

Page 23

Data-Related Lawsuits: INSURANCE

• Zurich American Insurance Co. v. Sony (N.Y. 2014): Zurich sued Sony in New York state court seeking a declaratory judgment that it had no duty to defend the company against the class actions brought by consumers whose personal data was exposed in the hacking attacks on Sony’s PlayStation Network. Zurich also sought a declaration that it was not obligated under an excess liability policy issued to Sony to indemnify the company for any share of possible damages awards from the class actions until coverage from other insurers had been exhausted.

• Travelers Indem. Co. of Conn. v. P.F. Chang’s China Bistro, Inc. (D. Conn. 2014): Travelers filed a declaratory judgment action seeking a declaration that it is not obligated to defend or indemnify P.F. Chang’s in its data breach litigation under two commercial general liability insurance policies.

Page 24

Is There Any Risk Mitigation To Be Had?

Page 25

Influence Your +/- From the Average

Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States

Page 26

Key Cyber-Insurance Considerations

• Evaluate cyber-insurance policies with an insurance expert!

• Scope of coverage

– Is your data covered wherever it resides (e.g., at a cloud provider; on mobile devices)? Are you covered for the acts and omissions of vendors?

• Business interruption coverage

– Consider fail-over capabilities and waiting-period deductibles

• Insurer-provided breach-response services

– Advantages and disadvantages

• Exclusions for failure to maintain systems

– Eliminate such exclusions so that your own conduct does not become the focus of a coverage dispute in the event of a breach

Page 27

The “Human Element” is Key

• By some accounts, over 90% of security breaches involve some element of employee malfeasance, negligence, or ignorance

• Common mistakes:

– “D’oh!” Sensitive information sent to the wrong recipients

– “My bad!” Publishing nonpublic data to public web servers

– “Oops!” Insecure disposal of personal/medical data (see, e.g., FINRA/Sterne Agee)

• Social engineering and phishing:

– 23% of recipients open phishing e-mails and 11% click on attachments

– 10 phishing e-mails sent = > 90% chance that at least one person will fail (at a 23% open rate, the chance that none of ten recipients opens the message is 0.77^10, roughly 7%)

– 82 seconds = median time it takes for the first phishing e-mail to be clicked

• Awareness, Education, Training . . . Rinse and Repeat

Source: Statistics and humor courtesy of Verizon, 2015 Data Breach Investigations Report.

Page 28

Tips from Wyndham & Other Defense Successes

• Company had proactively consulted experts and implemented cybersecurity measures and compliance procedures

• Company had created a crisis response plan in the event of a breach

• Company audited its systems regularly, including when it initially suspected a breach

• After a breach occurred, company reported the breach to authorities and cooperated with regulatory inquiries

• Company publicly disclosed information about the breach “as soon as was practicable” so as not to disturb the investigation

• Board also satisfied its fiduciary duty by investigating whether the breach was the result of negligent or reckless conduct by its officers

Page 29

QUESTIONS

Page 30

Biographies: Christina Guerola Sarchio

• Christina Guerola Sarchio, a member of Orrick's Executive Committee, has received national recognition for both her legal skills and business acumen. Ms. Sarchio, a former prosecutor, concentrates her practice on general business litigation, class actions, and white collar criminal defense matters.

• Ms. Sarchio’s representation spans several industries, including oil and gas, financial, pharmaceutical, transportation, consumer products, and sports.

• Ms. Sarchio has successfully tried more than a dozen cases in federal and state courts, and has negotiated with a number of agencies, including the SEC, FDA, DOJ, and various U.S. Attorney Offices. Her cases have received widespread media attention in The Wall Street Journal, The New York Times and FOX News, among others.

• Recently named one of the Top 50 Women Lawyers in D.C., Ms. Sarchio has received a number of awards, been profiled by Law360, Powerful Latinas and the Minority Corporate Counsel Association, and has been recognized by numerous publications.

• She is a graduate of Cornell University and George Washington Law.

Orrick, Herrington & Sutcliffe LLP 1152 15th Street, NW Washington, DC 20005 Tel: (202) 339-8687 Fax: (202) 339-8500 [email protected]


Page 31

Biographies: Antony P. Kim

• Antony (Tony) Kim co-chairs the firm's Cybersecurity & Data Privacy team, which is nationally ranked by The Legal 500 for "high-level practical experience and understanding of the law" in cybercrime matters.

• In 2014, the International Law Office (ILO) and Lexology awarded Tony the exclusive Client Choice award in Competition for the District of Columbia and United States region based on a survey of over 2,000 senior in-house counsel. The National Law Journal named Tony to its 2014 list of D.C. Rising Stars, a 40-under-40 group of "game changing" private, government and public interest attorneys who practice in our nation's capital.

• Tony works with in-house legal departments, C-Suites, Boards of Directors and IT teams on proactive corporate cybersecurity preparedness and risk mitigation strategies. He has directed forensic investigations, cross-border notifications, responses to regulatory enforcement actions, and civil defense strategies in significant cyber-attacks and security breaches involving millions of compromised records, including credit card data and trade secrets, on behalf of both private and public companies.

• He is a graduate of Yale University and Georgetown Law.

Orrick, Herrington & Sutcliffe LLP 1152 15th Street, NW Washington, DC 20005

(202) 339-8493 [email protected]


Page 32

Biographies: Joseph J. Siprut

• Joseph J. Siprut, Founder and Managing Partner, Siprut, Chicago

• Mr. Siprut's practice encompasses a wide spectrum of litigation, with an emphasis on representing plaintiffs in challenging cases against powerful, well-funded adversaries. He has been appointed lead or co-lead class counsel in some of the largest and most complex class actions in the country, and has substantial experience in all aspects of litigation, including trial, arbitration, and mediation. He is a frequent commentator on legal issues and has appeared on NPR, ESPN, CBS Radio and in the Chicago Tribune.

• Mr. Siprut is an adjunct professor at Northwestern University School of Law where he teaches trial advocacy.

312.236.0000 [email protected]
