Data Breaches Are the New Reality: Are You Ready?
February 6, 2014
Brought to you by Winston & Strawn
© 2014 Winston & Strawn LLP 2
Today’s eLunch Presenters
Steve Grimes, Partner, Winston & Strawn, 312-558-8317
William Ridgway, Assistant U.S. Attorney, U.S. Department of Justice, U.S. Attorney’s Office
Liisa Thomas, Partner, Winston & Strawn, 312-558-6149
Sheryl Falk, Of Counsel, Winston & Strawn, 713-651-2615
1. Hackers Are Everywhere!: Reduce Risk
2. Reduce Exposure: The Plan
– Investigation Plan
– Notice Plan
3. Preparing for the Future: Cases and Concluding Thoughts
Is Our Data Sufficiently Secure?
Who Is Doing It, and How?
• Who does this?
– 92% outsiders
– 19% state-affiliated
• How do they do it?
– 52% hacking
– 76% stolen credentials
– 40% malware
– 29% leverage social attacks
(from Verizon Report)
Tools of the Trade
• Trojan – malicious code surreptitiously inserted into a target computer to allow remote access/control by an unauthorized person
• Botnet – network of infected computers controlled remotely
• Phishing – common infection technique involving email that lures the user to take an action that unwittingly downloads malicious code
• Drive-by infection – infection of internet sites so that a user clicking on a button on the web page unwittingly downloads malware
• Backdoor – creation of a means for unauthorized and undetected access
• Keylogger – software tool that logs keystrokes
Organized Crime
Hacktivists
Nation-State Hacking
Protection Against Hacking?
• Passwords
• Monitor logs
• Firewalls
• Vendor audits/compliance
• Secure disposals
• DLP software/practice
Employees, Consultants, Vendors
How to Protect Your Company
• Monitor
• Restrict permissions
• Strong policies
• Investigate
• Background checks
• Confidentiality requirements
Why You Care: Costs
• Reputation with regulators
• PR
• Stock or sales losses
IT Security Standards?
Lesson Learned: Audit and Improve, Implement Plan
1. Hackers Are Everywhere!: Reduce Risk
2. Reduce Exposure: The Plan
– Investigation Plan
– Notice Plan
3. Preparing for the Future: Cases and Concluding Thoughts
Breach Happened: What to Do?
Data Breach Detection
• Be ready to act quickly
– In 84% of cases, the initial compromise took hours or less
• Be proactive
– In 66%, the breach wasn’t discovered for months or years
– In 69%, someone outside the company spotted the breach
• FBI will come knocking to let you know you’ve been breached
• If you get a notice from law enforcement, take it seriously
(from the 2013 Verizon Data Breach Report)
Plan: Select Team Members
• Internal incident response team
• In-house counsel
• In-house IT
• CPO/CSO compliance
• Business unit
• Outside counsel
• Client and media relations
• Forensic consultant
Plan: Think About Scope
Investigation Plan
• Secure the data
• Preserve evidence
• Analyze forensic data
• Interview key witnesses
• Document security controls
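The “Preserve evidence” step is where forensic work usually goes wrong: files get opened, copied or cleaned up before anyone records what they looked like at collection time. The script below is an added illustration, not material from the presentation or from Winston & Strawn: it hashes every file under an evidence directory into a manifest (SHA-256, size, modification time, collector, timestamp) and later re-checks the directory against that manifest, reporting any file that is missing, altered or newly added. The directory layout, file contents and the `collected_by` identity are constructed placeholders.

```python
"""Evidence-preservation manifest: hash files before analysis so later
tampering or accidental modification can be detected and documented.
Added example; not from the presentation."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large disk images do not fill memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, collected_by="analyst@example.invalid"):
    """Walk `root` and record hash, size and mtime for every regular file.
    Paths are stored relative to `root` so the manifest stays portable.
    `collected_by` is a placeholder identity, not a real account."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            entries[rel] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return {
        "root": os.path.abspath(root),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "files": entries,
    }


def manifest_json(manifest):
    """Serialise the manifest for the case file; sorted keys keep diffs stable."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(root, manifest):
    """Re-hash every file named in the manifest and report problems.
    Returns a list of (relative_path, reason) tuples; empty means intact."""
    problems = []
    for rel, rec in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append((rel, "missing"))
            continue
        if sha256_file(full) != rec["sha256"]:
            problems.append((rel, "hash mismatch"))
    # files that appeared after collection are also worth flagging
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest["files"]:
                problems.append((rel, "not in manifest"))
    return problems


def demo():
    """Build a constructed evidence set, hash it, then alter one file.
    Returns (manifest, result_before_change, result_after_change)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "logs", "auth.log"), "w") as fh:
            fh.write("Feb 06 03:14:15 host sshd: Accepted password for svc\n")
        with open(os.path.join(root, "export.csv"), "w") as fh:
            fh.write("id,email\n1,user@example.invalid\n")

        manifest = build_manifest(root)
        intact = verify_manifest(root, manifest)

        # simulate an analyst appending to the export after collection
        with open(os.path.join(root, "export.csv"), "a") as fh:
            fh.write("2,second@example.invalid\n")
        tampered = verify_manifest(root, manifest)
        return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(manifest_json(m))
    print("before:", before)
    print("after:", after)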
Take Into Account Privilege in Developing Plan
• As you investigate, facts may become more damning
• Could be other things in the data sets
– Proposed business plans
– Trade secrets
– And more
• Retained faster/investigation quicker
• Hire experts (including investigators) under privilege
– Keep under the “direction of counsel”
Decide: Involve Law Enforcement?
Delay When Working With Law Enforcement
Plan: Look at Types of Impacted Data
• Financial account data
• SSNs
• Government ID numbers
• Credit card data
• Dates of birth
• Health information
• Email address and passwords
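Deciding which of the data types above are actually present in an impacted data set is a scoping task the forensic team can partly automate. The scanner below is an added example, not part of the presentation: it runs each record of a constructed export through pattern checks for SSNs, payment card numbers (confirmed with the Luhn checksum so phone and order numbers are not counted), email addresses, dates of birth (only when keyed as `dob`, since a bare date proves nothing) and a few health keywords, then reports how many records hold each category. The record format, field names and keyword list are assumptions; a regex hit is a lead for a human reviewer, not a determination that notice is required.

```python
"""Scan a constructed exported data set for regulated data types so the
investigation can scope which notice obligations may apply.
Added example; records, field names and keyword lists are illustrative."""
import re
from collections import Counter

# Conservative patterns for the data types listed on the slide.
PATTERNS = {
    # SSN: area not 000/666/9xx, group not 00, serial not 0000
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13 to 19 digits, optionally separated by spaces or hyphens; Luhn-checked below
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # only count a date as a DOB when the field is labelled as one
    "date_of_birth": re.compile(r"\b(?:dob|birth(?:date)?)[=:]\s*(?:19|20)\d{2}-\d{2}-\d{2}\b", re.I),
    # assumed keyword list; a real review would use a fuller vocabulary
    "health": re.compile(r"\b(?:diagnosis|ICD-10|prescription)\b", re.I),
}


def luhn_valid(number):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data categories found in one record."""
    found = set()
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name == "credit_card" and not luhn_valid(m.group(0)):
                continue        # digit run that fails Luhn: likely an order or phone number
            found.add(name)
            break
    return found


def scan(records):
    """Count records per category and the number of records with any hit.
    Returns (affected_record_count, Counter of category -> record count)."""
    counts = Counter()
    affected = 0
    for rec in records:
        cats = classify(rec)
        counts.update(cats)
        if cats:
            affected += 1
    return affected, counts


# Constructed sample export; no real people or accounts.
SAMPLE_RECORDS = [
    "id=1 name=Pat Doe email=pat.doe@example.invalid dob=1980-04-12",
    "id=2 name=Sam Roe ssn=123-45-6789 card=4111 1111 1111 1111",
    "id=3 name=Lee Poe note=diagnosis recorded 2013-12-01",
    "id=4 order=9876543210123 shipped=yes",
    "id=5 name=Kim Foe phone=312-555-0100",
]


if __name__ == "__main__":
    affected, counts = scan(SAMPLE_RECORDS)
    print(f"{affected} of {len(SAMPLE_RECORDS)} records contain regulated data")
    for category, n in sorted(counts.items()):
        print(f"  {category}: {n}")
```

Records 4 and 5 produce no hits: the 13-digit order number fails the Luhn check and the phone number is too short for a card and the wrong shape for an SSN, which is the kind of false positive a naive digit-run search would have reported to counsel.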
Investigation Needs to Determine “Breach”
• Unauthorized access and/or acquisition
• Compromise security
• Likelihood of harm
• Exceptions
1. Hackers Are Everywhere!: Reduce Risk
2. Reduce Exposure: The Plan
– Investigation Plan
– Notice Plan
3. Preparing for the Future: Cases and Concluding Thoughts
Put Your Notice Plan in Place
• Impacted individuals
• Government authorities
• Credit reporting agencies
• Contractual partners
• Press
Have a Sample Notice Ready to Go
• Describe incident
• Categories of information
• Consequences of breach/nature of risk
• Steps to investigate, mitigate harm
• Protection measures put in place
• Contact information for law enforcement
• Where to get more information
• Advice about how to protect self
PR Plan: Remember What People Will Want to Know
• What happened?
• When did it happen?
• What information was compromised?
• Was my information compromised?
• How many people’s information was impacted?
• Was the information encrypted?
• Was my social security number compromised?
• Did anyone misuse this information?
• What should I do?
• What are you doing to protect me?
• Why aren’t you taking other measures to help?
• What are you doing to protect others?
• Will this happen again?
• Who should I contact if I have more questions?
1. Hackers Are Everywhere!: Reduce Risk
2. Reduce Exposure: The Plan
– Investigation Plan
– Notice Plan
3. Preparing for the Future: Cases and Concluding Thoughts
Once Notice Is Done, That’s It… Right?
• Victims of breach are litigation targets
– FTC
– State AGs
– SEC
– Shareholders
– Customers
Fed Regulators
Fighting Back: FTC v. Wyndham
State Regulators
• SEC
• Shareholder
• Securities
Hot Area for Plaintiff’s Lawyers
Consumer Class Action Lawsuits
• Notification statutes
• Negligence
• Contract / quasi-contract
• Statutory violations
• Unfair trade practices
Supreme Court Helping Out…?
– High Court May Tighten Reins On Data Breach Class Actions (by Steve Grimes, Law360)
Create Plan Appropriate for Your Company
• Analyze practices
• Implement plan
• Implement breach plan before hack
• Tighten IT security (work with consultants)
• Train employees
• Monitor compliance
Improve Security
• Analyze practices
• Implement privacy policy
• Implement breach plan before hack
• Tighten IT security (work with consultants)
• Train employees
• Monitor compliance
Monitor Compliance
• Analyze practices
• Implement plan
• Implement breach plan before hack
• Tighten IT security (work with consultants)
• Train employees
• Monitor compliance
What’s Next? Stay Informed
• Winston Privacy Law News
– Frequent Breach and Security Articles
– Newsletter (US, Asia, Europe)
– Twitter: @winstonprivacy
– www.winston.com/privacylawcorner
• Publications
– Thomas on Data Breaches (to be published in the Spring)
– High Court May Tighten Reins On Data Breach Class Actions (by Steve Grimes, Law360)
• Breach “Crisis Simulation” Sessions – April, June, September
Thank You!
Steve Grimes, Partner, Winston & Strawn, 312-558-8317
William Ridgway, Assistant U.S. Attorney, U.S. Department of Justice, U.S. Attorney’s Office
Liisa Thomas, Partner, Winston & Strawn, 312-558-6149
Sheryl Falk, Of Counsel, Winston & Strawn, 713-651-2615