Page 1: The Zero Hour Phone Call: How to Respond to a Data Breach to Minimize your Legal Risk

Sheryl Falk

April 4, 2013

© 2013 Winston & Strawn LLP

Page 2: March 2013 Data Breaches

Page 3: Overview

1. Anatomy of a Data Breach

2. Data Breach Incident Response

3. Handling the Aftermath of a Breach

4. The Legal Landscape

5. Practical Strategies to Mitigate your Risk

Page 4: Anatomy of a Data Breach

Page 5: Q: What is a Data Breach?

A) Hackers

B) Lost laptop

C) Misdirected email containing Personal Information

D) Improperly disposed of paper files

E) All of the above

Page 6: How Do Data Breaches Occur?

The slide is a two-by-two grid, internal vs. external on one axis and intentional vs. accidental on the other:

Intentional / Internal: Employee Theft

Intentional / External: Hackers & Unsecured Websites

Accidental / Internal: Lost Devices, Negligent handling of data

Accidental / External: Vendors & Subcontractors

Page 7: Insider Threat - Negligent Employees

1. Pathetic Passwords

2. Loss of devices

3. Improper disposal

4. Misdirected emails

5. Falling for Phishing

6. Use of Public WiFi

Page 8: Insider Threat - Employee theft

52% of insider thefts are trade secret related

65% of insiders had accepted positions with a competitor

20% were recruited by an outsider

50% steal data within a month of leaving

54% used the network: email, a remote network access channel, or network file transfer

Page 9: Best Practices of a Data Breach Response

Page 10: Data Breach Response Timeline

• 00:00

• Mobilize Resources

• Stabilize

• Investigate

• Notify

• After Action Review

Page 11: Step 1 - Mobilize Resources: Immediate Response Team

Legal Department

Privacy Counsel

Human Resources

Forensic Experts

Notification Support

Security

IT Professionals

Communication Support

Business Group (Data Owners)

C-Suite

Page 12: Step 2 - Stabilize/Secure Data

Act quickly, but cautiously

Take steps to secure data

Preserve evidence, including logs and backups

Obtain expert advice/legal counsel

Page 13: Step 3 - Investigation

Goal: Determine the scope and nature of the breach

Identify all affected data, machines and devices

Preserve Evidence (Chain of Custody)

Understand how the data was protected

Develop the Record:

• Conduct interviews with key personnel

• Document evidence and findings carefully

Quantify the exposure of data compromised
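Steps 2 and 3 both turn on preserving evidence (logs, backups) under a chain of custody so that it can later be relied on in a privileged investigation or in litigation. The Python below is an added example, not code from the presentation or from Winston & Strawn: it hashes each evidence file at collection time, records who collected it and when, appends an entry every time the evidence changes hands, and re-verifies the hashes afterwards so that any later alteration is surfaced. The file names, the sample log line, the collector names and the case id placeholder are all constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large log/backup files need not fit in memory


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string (used for a known-answer check)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(paths, collector, case_id):
    """Record each evidence item's size and hash, plus who collected it and when (UTC)."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "case_id": case_id,
        "items": [
            {
                "path": os.path.abspath(p),
                "size": os.path.getsize(p),
                "sha256": sha256_file(p),
                "collected_by": collector,
                "collected_at": now,
            }
            for p in paths
        ],
        # Every hand-off of the evidence is appended here: this list is the chain of custody.
        "custody": [{"holder": collector, "at": now, "note": "initial collection"}],
    }


def record_transfer(manifest, new_holder, note):
    """Append a custody entry when the evidence changes hands (e.g. to an outside examiner)."""
    manifest["custody"].append(
        {"holder": new_holder, "at": datetime.now(timezone.utc).isoformat(), "note": note}
    )
    return manifest


def verify_manifest(manifest):
    """Re-hash every item; return the paths whose contents no longer match the manifest."""
    return [
        item["path"]
        for item in manifest["items"]
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]
    ]


def demo():
    """Constructed scenario: preserve a log and a backup, verify, then detect a later edit."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "auth.log")
    backup = os.path.join(workdir, "db-backup.sql")
    with open(log, "w") as f:  # constructed sample log line
        f.write("2013-03-01T09:12:00Z sshd: accepted password for admin from 10.0.0.5\n")
    with open(backup, "w") as f:  # constructed sample backup
        f.write("-- constructed sample backup\n")

    # "CASE-PLACEHOLDER" stands in for whatever matter number counsel assigns.
    manifest = create_manifest([log, backup], collector="IT on-call", case_id="CASE-PLACEHOLDER")
    record_transfer(manifest, "outside forensic examiner", "imaged for privileged investigation")
    clean = verify_manifest(manifest)        # nothing altered yet
    with open(log, "a") as f:                # simulate the log being rotated or edited afterwards
        f.write("extra line\n")
    altered = verify_manifest(manifest)      # the log now fails verification
    return clean, altered, manifest


if __name__ == "__main__":
    clean, altered, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("mismatches before edit:", clean)
    print("mismatches after edit:", altered)
```

Running the script prints the manifest and then reports the log file as a mismatch once it has been appended to; that is exactly the kind of alteration a chain-of-custody record has to expose before the evidence is relied on. In practice the manifest itself would be stored write-once and its own hash noted in counsel's file.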

Page 14: Importance of Investigatory Privilege

Treat every incident as potential litigation

Engage Legal Counsel at onset

Direct the forensic/security vendors through Legal Counsel

Label communications “Confidential and Privileged”

Page 15: Do you Involve Law Enforcement?

PROS

• For serious criminal activity, partner with law enforcement

• LE brings additional resources to investigation

• Shows you are taking the breach seriously

CONS

• May not meet law enforcement threshold

• Could lose control over your investigation

• Information of breach could become public

Page 16: Handling the Aftermath of a Breach

Page 17: Texas Data Breach Statute

Section 521.053, Texas Business and Commerce Code

“A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.”

Notify as quickly as possible

Extra-territorial application

Civil penalty up to $250,000 for a single breach.

Page 18: Was there a Breach?

1. What information is Involved?

• Names

• Financial Account data

• SSNs

• Government ID numbers

• Credit Card data

• Date of Birth

Page 19: Was there a Breach?

2. Was the Information Compromised?

• Unauthorized access or acquisition

• Sometimes just access/acquisition

• Has the “security, integrity or confidentiality” of the laptop info been compromised?

• Is there a “material compromise”?

• Has illegal use occurred or is it likely to occur?

3. Is there an Exception?

• Hard copy files

• Encrypted data

• Good faith exception

Page 20: Who do you have to Notify?

Impacted individuals

• Typically consumers or employees

• Applicable law is where individual resides

• Some states require specific information (MA, IL)

• Timing restrictions: typically “expediently” or 45 days (FL, WI, OH)

Federal or State authorities

• Depends on type of information at issue / threshold numbers affected

• www.winston.com/privacylawresources

Credit reporting agencies

• Usually must meet a threshold of impacted state residents

Page 21: Effectively Communicate about Breach

Communicate breach facts accurately and quickly

• Understand and follow breach notification timetables

• Stay focused and concise

• Be prepared to update with new information

What you might offer:

• Information about security freezes and credit monitoring

• Giving contact information for credit reporting agencies, FTC or state authorities

• Having a central “ombudsman” for all questions

• Credit monitoring or identity restoration services

• Coupons or gift certificates

Page 22: After Action Review

• How did the team respond?

• What can be improved in response/investigation?

• What security issues can be tightened up?

• Modify your plan/procedures if necessary

Page 23: The Legal Landscape

Page 24: Federal & State Regulatory Agencies

Federal Agencies with Privacy Jurisdiction

• Federal Trade Commission

• Department of Justice

• Office for Civil Rights (HHS)

• Consumer Financial Protection Bureau

• Office of the Comptroller of the Currency

• Federal Communications Commission

• And others

Practice Tip – If you regularly have data breaches, get to know your regulators and their notification preferences.

State Agencies Likewise have Privacy Enforcement

Page 25: Data Breach Civil Litigation

Theories of Liability

• Negligence

• Gross Negligence

• Deceptive Trade Practices

• Breach of Contract

• Fraud

Significant Risk to Companies

• TJX Litigation settled for over 40 Million dollars

• Heartland Payment Systems pending litigation – 12 Million spent in attorney fees

Page 26: Legal Trends

Data Breach cases are on the Rise

Most Courts require Actual Harm

• Reilly v. Ceridian (3rd Cir.) – Hacker stole 250,00 records, but the Court dismissed, finding potential future injury is not enough

Recent case: No Harm required

• Resnick v. AvMed, Inc. (11th Cir.) – Health plan provider failed to protect PII information. No facts tying data breach to subsequent data. Court allowed Unjust enrichment theory

Page 27: Trade Secret Litigation

Increase in Trade Secret Litigation

To be Successful you must:

1. Establish a Trade Secret: (1) Secrecy, (2) Independent Economic Value, (3) Reasonable Efforts to Maintain Secrecy

2. Prove Misappropriation

3. Allege Damages and/or right to Injunctive Relief

Page 28: Practical Strategies

Page 29: The Best Defense is an ongoing Data Security Program

• Eliminate unnecessary data

• Ensure essential controls are met

• Monitor/mine event logs

• Implement a firewall on remote access services

• Change default credentials of POS systems and other internet facing devices

• Ensure third party vendors are complying with data protection strategies

Recommendations from 2012 Verizon Report
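Two of the Verizon recommendations above (monitor/mine event logs; change default credentials on POS and other internet-facing devices), together with the insider theft figures on page 8 (half of thieves move data within a month of leaving, most over email, remote access or file transfer), translate directly into log-mining rules. The Python below is an added example, not code from the presentation, from Winston & Strawn or from the Verizon report: it parses a simple key=value log format and flags successful logins with default-style accounts on internet-facing hosts, and remote access or file transfers by employees inside their final 30 days. The log format, host names, the default-account watchlist, the departing-employee list and the 30-day window are all constructed assumptions.

```python
import re
from datetime import date, datetime, timezone

# Constructed watchlists (assumptions, not from the slides): vendor/default account names
# that should have been renamed or disabled on POS and other internet-facing devices, and
# employees who have given notice, keyed to their last working day.
DEFAULT_ACCOUNTS = {"admin", "root", "pos", "manager"}
INTERNET_FACING_PREFIXES = ("pos-", "vpn-", "web-")
DEPARTING = {"jdoe": date(2013, 3, 29)}
LEAVER_WINDOW_DAYS = 30  # page 8: 50% steal data within a month of leaving
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log lines in a 'timestamp key=value ...' format (not real events).
SAMPLE_LOG = [
    "2013-03-12T22:14:05Z host=pos-07 event=login user=admin src=203.0.113.9 result=success",
    "2013-03-12T22:20:41Z host=pos-07 event=login user=cashier12 src=10.0.4.8 result=success",
    "2013-03-13T01:02:03Z host=vpn-gw event=remote_access user=jdoe src=198.51.100.4 result=success",
    "2013-03-13T01:10:00Z host=fileserver event=file_transfer user=jdoe bytes=734003200 dest=198.51.100.4",
    "2013-03-13T09:00:00Z host=vpn-gw event=remote_access user=asmith src=198.51.100.7 result=success",
    "2013-01-10T08:30:00Z host=fileserver event=file_transfer user=jdoe bytes=1048576 dest=10.0.4.20",
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one log line into a dict with a UTC 'ts' plus the key=value fields; None if malformed."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    event.update(re.findall(r"(\w+)=(\S+)", parts[1]))
    return event


def check_default_credentials(ev):
    """Successful login with a default-style account on an internet-facing host."""
    return (
        ev.get("event") == "login"
        and ev.get("result") == "success"
        and ev.get("user") in DEFAULT_ACCOUNTS
        and ev.get("host", "").startswith(INTERNET_FACING_PREFIXES)
    )


def check_departing_user(ev, departing=DEPARTING):
    """Remote access or file transfer by a leaver inside the window before their last day."""
    last_day = departing.get(ev.get("user"))
    if last_day is None or ev.get("event") not in {"remote_access", "file_transfer"}:
        return False
    days_left = (last_day - ev["ts"].date()).days
    return 0 <= days_left <= LEAVER_WINDOW_DAYS


RULES = {
    "default_credential_login": check_default_credentials,
    "departing_user_data_movement": check_departing_user,
}


def scan(lines):
    """Run every rule over every parseable line; return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:  # malformed lines are skipped, not allowed to abort the scan
            continue
        for name, rule in RULES.items():
            if rule(ev):
                findings.append(
                    {"rule": name, "ts": ev["ts"].strftime(TS_FMT),
                     "user": ev.get("user"), "host": ev.get("host")}
                )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the scan yields three findings: the "admin" login on a POS terminal, and jdoe's VPN session and large file transfer sixteen days before departure; the same user's transfer in January and the colleague who is not leaving are ignored. The departing-employee list is the link between HR and the log review that the insider theft statistics call for, and a rule like this is only as current as that list.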

Page 30: Fully Plan your Breach Response

Understand where your data is and how it is protected

Develop good privacy and security policies

Train employees and monitor enforcement

Develop a Data Breach Incident Response Plan

Understand what laws/regulations apply

Explore Cyber-insurance

Page 31: Security Policies: Evaluating what documents you need

• Remote access policy

• Internet and electronic communications policy

• Social media policy

• Password policy

• Mobile device policy

• Guest access policy

• Vendor access policy

• Network device attachment policy

Page 32: To Learn more…

[email protected]

twitter: @winstonprivacy

www.winston.com/privacylawresources