
Kevin Szczepanski, Partner, Barclay Damon, LLP – Data Breach Statistics • NYS AG – March 29, 2018 Press Release – 1583 data breach notifications filed with AG in 2017 – highest since

Jul 13, 2020

Transcript
Page 1

ISO 13485:2016 Change? Do I Have To?? ©2016

2:30 - 4:00 pm – Session 3

Regulatory & Policy Track – “Cyber Security/Data Integrity”

• Moderator - Kevin Szczepanski, Partner, Barclay Damon, LLP

• Mickey Garcia, Director, Medical Device Industry Solutions, MasterControl

• Wayne Stewart, Director, EWA-Canada, An Intertek Company

• Bryan Marlatt - Director Advisory, Cyber Security, KPMG LLP, Life Sciences

Page 2

Data Breach Statistics

• Ponemon Institute Cost of Data Breach Studies

  – Average cost per record lost:

    • 2016 - $221 (indirect costs $145; direct costs $76)

    • 2017 - $225 (indirect costs $146; direct costs $79) (record high)

    • 2017, by industry:

      – Highest – Health Care $380

      – Lowest – Public Sector $110

      – Education Industry - $245

  – Average loss for a data breach event:

    • 2016 - $7 million

    • 2017 - $7.35 million (record high)

      – Less than 10,000 records: $5.3 million

      – More than 50,000 records: $10.3 million

  – Average time to detect/resolve breach:

    • 2016 – 201 days to detect; 70 days to contain

    • 2017 – 191 days to detect; 66 days to contain

  – Root causes of breach:

    • 52% criminal/malicious attack

    • 24% system glitch

    • 24% human error

Page 3

DATA BREACH INCIDENT RESPONSE COSTS

Source: Ponemon Institute’s “2017 Cost of Data Breach Study”

Average cost of a breach, per record: $141 (the study’s global average; the $225 figure on Page 2 is the US average)

The listed factors increase or decrease the average cost per record of a data breach. Values are US$ per record, paired with the factors in the order shown on the chart; negative values are the chart’s “Risk & Cost Mitigation Measures”, positive values its “Increasing Risk & Cost” factors.

  Incident Response Team              -$19.30
  Extensive Use of Encryption         -$16.10
  Employee Training                   -$12.50
  BCM Involvement                     -$10.90
  Participation in Threat Sharing      -$8.00
  Use of Security Analytics            -$6.80
  Extensive Use of DLP                 -$6.20
  Data Classification Schema           -$5.70
  Insurance Protection                 -$5.40
  CISO Appointed                       -$5.20
  Board-level Involvement              -$5.10
  CPO Appointed                        -$2.90
  Provision of ID Protection           +$2.00
  Consultants Engaged                  +$2.70
  Rush to Notify                       +$5.50
  Lost or Stolen Devices               +$7.60
  Extensive Use of Mobile Platforms    +$8.80
  Compliance Failures                 +$11.20
  Extensive Cloud Migration           +$14.30
  Third-party Involvement             +$16.90

Page 4

Data Breach Statistics

• NYS AG – March 29, 2018 Press Release

  – 1583 data breach notifications filed with the AG in 2017 – the highest since tracking started in 2006, and up 23% from 2016

  – 9.2 million NY residents had private information exposed – 4X more than in 2016

  – 44% of breaches attributed to outside hacking

  – 26% of breaches attributable to some form of “employee negligence”

Page 5

2017 NY Breach Causes (chart)

Page 6

SECURING THE ECOSYSTEM

Start with secure products

Use products that have undergone rigorous security evaluation against industry-accepted standards such as FIPS 140-2, Common Criteria and/or ANSI/UL 2900, or equivalent.

Build a secure networking and computing infrastructure using evaluated products

Follow best practices such as the NIST Risk Management Framework (RMF), ISO 27001, or other industry-specific standards (e.g. PCI DSS for credit card processing networks).

Ongoing security assessments

A secure ecosystem should be monitored and maintained: regularly scheduled audits, and outside teams hired for red-teaming, penetration testing, etc.

Regular security awareness training

Employees should be regularly trained on the security best practices relevant to the work they perform.

Page 7

ANSI/UL 2900-2-1 OVERVIEW


Page 8

IOT/MEDICAL DEVICE SECURITY THROUGHOUT THE DEVELOPMENT PROCESS

Threat Risk Assessments

Security Design Review

Consultation

Document Development

Security Vulnerability / Penetration Testing

Gap Assessments

Compliance Assessments

Compliance Certificates

Page 9

What Are You Required to Do?

If there is a breach, you have to provide notice to the New York residents potentially affected by the breach!

• Timing = “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement…or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.”

• Notice can be made in writing, by e-mail (subject to certain requirements), or by telephone (subject to certain requirements)

• “Substitute Notice” may be authorized by the Attorney General if the business demonstrates that the cost of providing notice under the permitted methods would exceed $250,000, or if the number of individuals affected exceeds 500,000, or if the business does not otherwise have sufficient contact information

Page 10

What Else are You Required to Do?

• If you are required to provide notice to New York residents, you must also provide notice to:

1. NY Attorney General;

2. NY Department of State (Division of Consumer Protection); AND

3. NY State Police

• Form for reporting available at: https://its.ny.gov/sites/default/files/documents/Business-Data-Breach-Form.pdf

• The NY AG’s office also offers an online submission option

Page 11

What Happens if You Don’t Provide Timely Notice?

• Statute permits AG to bring an action for:

1. Injunctive relief;

2. Damages for actual costs/losses incurred by an affected individual;

3. “Consequential financial losses” – IF notice was not provided as required by statute;

4. Civil Penalties of the greater of $5,000 or $10 per instance of failed notification (up to $150,000) – IF a court determines that a business “knowingly or recklessly” violated the statute

• Does NOT limit any other lawful remedy available

Page 12

Traditional Insurance Forms May Not Apply

• General Liability Insurance

  – Covers: property damage; personal and advertising injury

  – No coverage for:

    − privacy expenses

    − first-party loss

• Traditional forms not written to cover cyber risks

• Limited experience with cyber risks

Page 13

First-Party Coverage

First-party coverage for costs incurred by the insured itself:

• breach investigation and notification costs

• credit-monitoring and -repair expenses

• administrative and postage costs

• reputation-rehabilitation services

• client data-restoration expenses

• business interruption due to, e.g., a denial-of-service attack

• e-commerce extortion

Page 14

Third-Party Coverage

Third-party liability coverage:

• Privacy: failure to protect private or confidential information

• Security: failure of network or information security to safeguard against viruses, hackers, or theft

• Communications and Media: defamation, trade libel, disparagement torts; invasion of right of publicity, commercial appropriation; plagiarism or unauthorized use; infringement of copyright, title, trademark, or logo

• Regulatory: defense costs incurred in investigation, defense, settlement, and appeal, including costs of expert consultants and witnesses

Page 15

2:30 - 4:00 pm – Session 3 – Regulatory & Policy Track – “Cyber Security/Data Integrity” (closing slide; same title and speaker list as Page 1)