Presenting a live 90-minute webinar with interactive Q&A
Data Security Compliance and Responding To a Data Breach: Lessons for Corporate Counsel After Equifax
TUESDAY, JANUARY 23, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
• Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
• Brent E. Kidwell, Partner, Jenner & Block, Chicago
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Agenda
I. The Big Picture
  A. Breaches’ Prevalence
  B. Liability Risks & Data Leakage – Big 3
  C. Modern Threats
II. U.S. & International Law – Overview
  A. Different Premises in U.S. & EU
  B. Scattershot U.S. Privacy Protections
  C. Potential Liability for Data Breaches
  D. International Law – Summary
  E. Contracts’ Ability to Reallocate Risks
Agenda (cont’d)
III. Proactive Prevention
  Introduction
  A. Data Protection Overview
  B. Protecting Data at Rest & in Transit
  C. 10 Specific Steps
IV. Reactive Remedies / Incident Response
  • Top Ten
Q&A / Conclusion
I. The Big Picture
A. Breaches’ Prevalence
• Should only retailers be worried? NO
• 1/1/05 to 12/28/17:
  • > 7,800 breaches; > 10 billion records
  • e.g. Yahoo!, Anthem, Target, Verizon & Neiman
• 2017 alone:
  • 550 breaches; ≈ 2 billion records
  • e.g. Equifax, T-Mobile, Dun & Bradstreet, Arby’s, Boeing, Stanford U., Oklahoma HHS & UNC Health Care Systems
• . . . per Privacy Rights Clearinghouse, DATA BREACHES (last visited 1/18/18) (searchable/filterable)
I. The Big Picture
A. Breaches’ Prevalence
• Cyber crime costs in FY ’16 (237 cos. surveyed across 8 countries):
  • $17.36M average in U.S. alone
• 2 largest costs (on average):
  • information loss: 39 percent
  • business disruption: 36 percent
• . . . per Ponemon Inst. o/b/o HP Enterprise Security, 2016 Cost of Cyber Crime Study (2016)
I. The Big Picture
B. Leakage Risks – Big 3
1. Intentionally Harmful Intentional Disclosures
2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social Media; Sock-Puppeting; P2P)
3. Unintentional Losses of Sensitive Info. = primary focus here
I. The Big Picture
C. Modern Threats
• Biggest ones?
  • Social Engineering [including (spear-)phishing and ransomware]
I. The Big Picture
C. Modern Threats
• Phishing:
  • W-2 Scam – adapted from screenshot at <http://www.linkstechnology.com/blog/its-baaack-the-form-w-2-email-scam>
  • IRS warning (1/25/17)
  • Cinthia Motley, 10 Ways to Avoid W-2 Phishing Schemes (LTN 3/20/17) (including “Pick up the phone”)
I. The Big Picture
C. Modern Threats
• Phishing – Training:
  • When in doubt:
    • do not click on a link or open an attachment; and
    • forward the message as an attachment to the InfoSec or IT department
  • If you are suspicious about the purported sender:
    • place a call to (or meet with) the purported sender to confirm the message is legitimate
II. U.S. & International Law
A. Default in U.S. & EU
• U.S. Perspective
  • Data presumptively not protected unless rendered otherwise by a specific rule of law
  • Many rules are sector-based
• EU Perspective
  • Data presumptively “personal” and thus private, even in the employer/employee setting . . .
II. U.S. & International Law
B. Scattershot U.S. Laws
• Federal law sector examples:
  • Health/medical = HIPAA (60 days’ notice)
    • covered entities and business associates
    • HITECH Act expansion Jan. ’09
    • HHS Final Regs. Sep. ’13
  • Financial services = Gramm-Leach-Bliley
  • Consumer credit reports, etc. = FCRA/FACTA
II. U.S. & International Law
B. U.S. Rules
• Potential Liability
  • consumer and/or employee class actions re: PII (PHI)
  • corporate customer suits
  • shareholder derivative suits
  • bad press and/or blog buzz
  • reputational hit
II. U.S. & International Law
B. Notice-of-Breach Laws
• Specific combo of elements – expanded multiple times in, e.g., California Civ. Code § 1798.82 et al. . . .
• Trigger usually automatic (as in Cal.) rather than risk-based
• Notice requirements
  • If > X no. of people affected, tell AG
  • Might have to describe circumstances
II. U.S. & International Law
B. Health Info (PHI)
• Protecting Individuals’ PHI
  • HIPAA Final HHS Regs (9/23/13)
  • HHS active under HIPAA
  • > 10 states:
    • AR, CA, FL, MO, ND, NV, TX, VA
    • WY (state agencies only)
    • CT (regs.) & NJ re: insurers
II. U.S. & International Law
B. U.S. Rules
• Potential Liability
  • Difficulty in proving “injury” (damages):
    • Even CFAA claim in suit against hacker
      • “loss” hard to show
      • remediation and down-time?
  • “Standing” (“Injury”) difficult to show based on mere concern data will be used:
    • trade secrets damages theory
    • identity-theft theory, including theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code § 56.36 . . .
II. U.S. & International Law
B. U.S. Rules
• Newer Case Law:
  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury must be concrete and not “abstract” to satisfy U.S. Const. Article III, but intangible injuries can be concrete)
  • Post-Spokeo (examples) . . .
    • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2/6/17) (allegations of increased risk of identity theft: NOT substantial risk of harm)
II. U.S. & International Law
C. Typical Breach Exposure Items
• Aside from viability of legal theories, custom and usage has been . . .
  • Potential monetary liability for breach of unsecured personally identifiable information (PII) estimated at $221 per affected person
    • Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC (June 2016)
  • Data breach cost calculators:
    • <http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>
    • <http://cyberscout.com/expensecalc/start.aspx>
    • <https://eriskhub.com/mini-dbcc>
II. U.S. & International Law
C. Typical Breach Exposure
• Custom/usage
  • Sample set of expense items (from here):
    • Internal Investigation
      • Cybercrime consulting
      • Attorney fees
    • Regulatory/Compliance
      • Credit monitoring for affected customers
      • Regulatory investigation defense
      • State/Federal fines or fees
    • Notification/Crisis Management
      • Customer notification
      • Call center support
      • Crisis management consulting
II. U.S. & International Law
D. International Summary
• Privacy protected more, e.g.:
  • Europe:
    • EU: France/Germany/Italy
    • UK (post-Brexit)
  • Elsewhere:
    • Brazil
      • Constitution
      • “Marco Civil”
    • Israel
II. U.S. & International Law
D. Laws Overseas
• DATA-BREACH NOTIFICATION LAWS
  • less diffuse, broader in scope & often with shorter/clearer deadlines than U.S. . . . e.g.:
    • Australia (Feb. ’18)
    • Canada
    • India
    • Israel (Mar. ’18)
    • Mexico
    • South Korea
II. U.S. & International Law
D. EU Data Directive Compliance
• EU Directive 95/46/EC (1995)
  • PLUS laws of individual EU countries
  • BROAD definitions of “personal data,” “processing” and “transfer”
• Being replaced 5/25/18 by the General Data Protection Regulation (GDPR)
  • Stricter
  • Penalties tied to worldwide revenue
  • Notice of breach – timing, etc.
  • Consent rules