Data breaches at home and abroad

Date post: 12-Jan-2015
Page 1: Data breaches at home and abroad

Data Breaches at Home and Abroad: This Can Mean You Too!

Lessons Learned from the Past, and What's Coming Up in the Future for US and Multi-National Entities

Mark E. Schreiber, Chair, Privacy and Data Protection Group; Theodore P. Augustinos, Co-Chair; Laurie A. Kamaiko, Co-Chair; David S. Szabo; Socheth Sor


Agenda

Current Breach Landscape

Breach Response Tips

Massachusetts Data Security Requirements: Update

Credit Card Issues

HIPAA and HITECH Developments

Data Breach Litigation

Cyber Risk Insurance

Foreign and International Data Breach Considerations


Current Breach Landscape

Company records containing personal information of individuals

increasingly exposed to malevolent or inadvertent disclosures

costs going up drastically

96% avoidable through simple to intermediate security controls

88% of U.S. companies said to have experienced a data breach in 2010

some multiple times

About 40% of executives in one recent Deloitte survey said they expected their company to have an electronic security breach in the next 12 months

Roughly half said they were not adequately prepared for it


Cost of Breaches Increasing

2011 had a troubled beginning: 9.5M records exposed (excluding 100M plus in Sony)

Sony

Google

Epsilon

Citibank

Anonymous/LulzSec

Massachusetts Executive Office of Labor and Workforce Development and other government agencies

Multiple hospitals and other healthcare providers

Average total cost per US company: $7.2M (2010), up from $6.75M (2009); $3.4M in Germany, $2.5M in UK and France (2009)

329 organizations reported 86,455 laptops lost (2010); avg. cost of $6.4 million per company

222 million records repeatedly compromised in the US in 2009 (likely undercounts)

10 million patient records in 272 events (OCR report); $6B cost annually

Sources: Ponemon, 2010 Annual Study: U.S. Cost of a Data Breach; Ponemon, Global 2009 Annual Study on Cost of a Data Breach; Verizon, April 2011: 2011 Data Breach Investigations Report


Responsibility for Breaches

According to Ponemon Studies:

Third Party Outsourcers – 39% of breaches (slight decline from 2009), but cost up 39%.

Lost/Stolen laptops and other mobile devices – 35% (36% in 2009, but cost up 15%).

Systems failure – 27%, a 9% decline as companies work harder on prevention and more technologies are available.

Negligence – 41% (1% increase); costs up 27%.

Malicious/Criminal – 31% (7% increase, the highest). 2010 was the first time malicious attacks were not the least frequent cause. They are the most expensive; increasingly stealthy and successful, requiring more resources.


Breach Response Tips

Assemble the team

Decision-maker level of management

IT

Data Forensics

Legal Counsel

Breach Response Services

Call center

Processing

Mailing

Customer, Public, Media and Governmental Relations

Containment

Find and stop the cause of the breach.

First priority is to stop the loss of data, preferably by taking steps that will preserve the information needed for the investigation (e.g., isolating affected systems from the network rather than powering them off, which destroys volatile evidence such as memory and active connections)


Breach Response Tips (cont.)

Investigation

What happened?

What information was affected?

Where do affected individuals reside?

Analysis – Review results of the investigation under applicable legal requirements and contractual requirements, including PCI-DSS.

Remediation

Choice of products and services to be offered to affected individuals, if any

Credit Monitoring

Credit Restoration Services

Credit Insurance

Other


Breach Response Tips (cont.)

Communication

Affected Individuals

State Agencies

FTC, HHS, as appropriate.

Card Brands, Merchant Bankers and Card Processors

Employees

Other Constituents

Reaction to Inquiries

Affected Individuals and other consumers or clients

Media

Governmental Agencies


Breach Response Tips (cont.)

Experience at all levels is critical (even the call center)

Benefits of a third-party forensics team

Credible third party assessment

Reliable Chain of Custody

Backups of all pertinent system logs

Attorney-client privilege

Review availability of insurance coverage and effect any notification the policy requires.

Conduct the Investigation

Legal, Analysis and Decision-Making

Draft and Effect Required Notices
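A concrete way to deliver the "Reliable Chain of Custody" and "Backups of all pertinent system logs" items above, as an added example that is not part of the original presentation: copy each log into an evidence directory, record who collected it, when, its size and its SHA-256 digest in a manifest, and re-verify the digests whenever the evidence is handed over or relied on. The log lines, file names and collector identity are constructed for illustration.

```python
"""Added example (not from the original presentation): preserve copies of
pertinent logs with a SHA-256 manifest so a later reviewer can show they have
not changed since collection. All file names, contents and the collector
identity are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample logs standing in for files pulled from live systems.
SAMPLE_LOGS = {
    "auth.log": "Jun 12 03:14:07 web1 sshd[2211]: Accepted password for "
                "svc_backup from 203.0.113.8 port 51022 ssh2\n",
    "access.log": '203.0.113.8 - - [12/Jun/2011:03:15:41 +0000] '
                  '"GET /admin/export.php HTTP/1.1" 200 91842\n',
}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources: dict, evidence_dir: str, collector: str) -> dict:
    """Copy each source file into evidence_dir and record who collected it,
    when, its size and its SHA-256. The manifest is returned and also written
    to evidence_dir/manifest.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for name, src in sources.items():
        dst = os.path.join(evidence_dir, name)
        shutil.copy2(src, dst)  # copy2 preserves the source mtime
        entries.append({
            "name": name,
            "source": src,
            "size": os.path.getsize(dst),
            "sha256": sha256_file(dst),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"entries": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir: str) -> list:
    """Re-hash every file listed in the manifest. Returns the names of files
    that are missing or whose digest no longer matches; [] means intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    bad = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["name"])
    return bad


def demo() -> tuple:
    """Write the constructed logs, collect them, verify, then append a line
    to one preserved copy and verify again to show the manifest catches it."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(live)
        sources = {}
        for name, text in SAMPLE_LOGS.items():
            path = os.path.join(live, name)
            with open(path, "w") as f:
                f.write(text)
            sources[name] = path
        evidence = os.path.join(work, "evidence")
        collect(sources, evidence, "analyst01")
        intact = verify(evidence)
        with open(os.path.join(evidence, "auth.log"), "a") as f:
            f.write("Jun 12 03:16:00 web1 sshd[2211]: edited after collection\n")
        tampered = verify(evidence)
    finally:
        shutil.rmtree(work)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ([], ['auth.log'])
```

In practice the manifest itself should be signed or copied to write-once storage at collection time, since anyone who can edit the evidence directory can otherwise re-generate it; the example shows only the integrity record, not its protection.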


Breach Response Tips (cont.)

Top Five Ways to Avoid a Breach

Assemble the Team and Assess the Data

Develop Policies and Procedures

Control Hardware and Software

Mitigate Risk

Train, Test, Update and Monitor. Repeat


Breach Response Tips (cont.)

Top Five Ways to Respond to a Breach

Assemble the Response Team

Do the Forensics and Assess the Data

Develop and Effectuate Remediation

Draft and Effect Notices

Review Preventative Measures


Massachusetts Data Security Requirements: Update

State of the Art in Policies and Procedures

Massachusetts requirements for comprehensive written information security programs are both broader and more specific than those of other states

More Broad – Extend to areas not covered by others

Written Policy Requirements

Technology and other security requirements

Vendor Contracts

More Specific – Impose specific requirements for security

Encryption

Specific requirements for vendor selection, contracting and management

Different – Unique breach notice requirements and limitations


Massachusetts Data Security Requirements: Update (cont.)

State of the Art in Enforcement?

Briar Group, LLC

Chain of restaurants and bars allegedly suffered a malware intrusion

Allegedly continued to accept credit cards after knowledge of the attack and prior to effective remediation, without notifying patrons of the risk

Consent order entered by the Mass. AG included a significant fine

Breach pre-dated the MA Data Security Regulation

Enforcement pursued under the general consumer protection statute

Enforcement posture based in part on the apparent position that failure to comply with PCI-DSS = violation of the consumer protection statute

Effectively adopts PCI-DSS as the legal standard of conduct in the Commonwealth?


Credit Card Issues

PCI-DSS

Industry standard imposed by merchant banking contracts

Incorporated into Nevada law by statute

Imposed by Massachusetts enforcement posture?

Credit Card Breaches

Brand, Merchant Bank and Processor Notifications

Involvement of QIRA (Qualified Incident Response Assessor) and QSA (Qualified Security Assessor)

Self-Assessment Questionnaire and Certification


HIPAA Enforcement

Cignet Healthcare -- $4.3 million penalty

Partners Health Care System -- $1 million settlement

Interesting Questions

What is an “ongoing violation?”

How should penalties be calculated?

Does the statute authorize daily penalties?


Resolution Agreements

Five agreements on OCR website

Settlements range from $35,000 to $2.25 million

Four are fundamentally based on security failures (lost or stolen information, improper disposal of information).

One is predominantly a privacy case (unauthorized use of PHI for marketing).

All have a corrective action plan. Terms for CAPs are three years (four agreements) and two years (one agreement).


HITECH Rulemaking

Accounting for Disclosures – proposed rule issued May 31, 2011. Includes two rights: the right to an accounting of disclosures, and the right to receive an electronic medical records access report

Period for accounting reduced to three years from six years.

Disclosures to be accounted for are to be explicitly listed in the final rule. Comment is requested on specific items to be added to or excluded from the list.


HITECH Rulemaking (cont.)

Access Reports

OCR proposes a report of every time a person accesses electronic data in a designated record set, whether a disclosure is made or not.

OCR takes the position that access logs are already required by the Security Rule, such that the regulation only requires access to a document that should be readily available.

Individuals can request reports reflecting access on specific dates or by specific individuals.

Reports must be aggregated if data resides on more than one information system (EMR, billing, etc.).
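An added example, not part of the original presentation or of any OCR rule text, of how an access report of the kind described above can be assembled when the audit trail is spread across systems: records from an EMR audit export and a billing-system log are normalised to one shape, merged, and filtered by patient, by specific users or by a date range, as the proposal contemplates. Both log formats and every record in them are constructed sample data; real products' audit formats differ.

```python
"""Added example (not from the original presentation or any OCR rule): build
one access report for a patient from audit records held in two systems.
Both log formats and every record in them are constructed sample data."""
import csv
import io
from datetime import date, datetime

# Constructed EMR audit export (CSV with ISO timestamps).
EMR_AUDIT = """timestamp,user,patient_id,action
2011-05-02T09:14:03,jsmith,P1001,view_chart
2011-05-02T09:20:51,jsmith,P1002,view_chart
2011-05-03T14:02:10,rlee,P1001,update_meds
"""

# Constructed billing-system log (syslog-style lines, no year in the stamp).
BILLING_LOG = """May  2 11:05:44 bill01 billing[412]: user=tnguyen patient=P1001 action=print_statement
May  4 08:30:02 bill01 billing[412]: user=jsmith patient=P1001 action=view_balance
"""


def parse_emr(text: str) -> list:
    """Normalise EMR CSV rows to the common event shape."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "system": "EMR",
            "when": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "patient_id": row["patient_id"],
            "action": row["action"],
        })
    return events


def parse_billing(text: str, year: int) -> list:
    """Normalise syslog-style billing lines. The stamp carries no year, so the
    caller supplies it (taken from the log's rotation period in practice)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:15], line[16:]
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        message = rest.split(": ", 1)[1]
        fields = dict(kv.split("=", 1) for kv in message.split())
        events.append({
            "system": "billing",
            "when": when,
            "user": fields["user"],
            "patient_id": fields["patient"],
            "action": fields["action"],
        })
    return events


def access_report(events: list, patient_id: str, users=None,
                  start: date = None, end: date = None) -> list:
    """Every access to one patient's records across all systems, optionally
    limited to given users and an inclusive date range, in time order."""
    selected = []
    for e in events:
        if e["patient_id"] != patient_id:
            continue
        if users is not None and e["user"] not in users:
            continue
        day = e["when"].date()
        if start is not None and day < start:
            continue
        if end is not None and day > end:
            continue
        selected.append(e)
    return sorted(selected, key=lambda e: e["when"])


def format_report(report: list) -> str:
    """One line per access, in the order a patient would read it."""
    return "\n".join(f"{e['when']:%Y-%m-%d %H:%M:%S}  {e['system']:<8}"
                     f"{e['user']:<10}{e['action']}" for e in report)


def demo() -> tuple:
    """Merge both systems and run the three kinds of request in the text."""
    events = parse_emr(EMR_AUDIT) + parse_billing(BILLING_LOG, 2011)
    everything = access_report(events, "P1001")
    by_user = access_report(events, "P1001", users={"jsmith"})
    by_date = access_report(events, "P1001",
                            start=date(2011, 5, 2), end=date(2011, 5, 3))
    return everything, by_user, by_date


if __name__ == "__main__":
    print(format_report(demo()[0]))
```

The point the proposal's aggregation requirement makes is visible in the merged output: the billing-system print of the patient's statement falls between two EMR events and would be missing from a report drawn from the EMR alone. Clock skew between systems is the usual practical problem here, so each system's timestamps should be checked against a common time source before their records are interleaved.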


HITECH Rulemaking (cont.)

Still pending: Final rule for a large number of other HITECH-mandated changes, including:

Marketing Authorizations

Business Associate Agreements

Transition Provisions

Sale of PHI

Research Authorizations

Decedents

Immunizations

Minimum Necessary

Fundraising

Notice Requirements

Access Rights for Individuals


Data Breach Litigation: Article III Standing Required

Data breach class actions

Tend to be in federal court due to the Class Action Fairness Act, 28 U.S.C. § 1332(d)

If in state court, may be removable

Federal lawsuits must satisfy the Article III standing requirement

Requires a "case or controversy," which requires an injury in fact that is actual or imminent, not conjectural or hypothetical.


Data Breach Litigation: Article III Standing Required (cont.)

Several lower federal courts have found that increased risk of identity theft as a result of a data breach is not an injury in fact

Two federal appellate courts found that increased risk of identity theft satisfies the injury in fact requirement

Sixth Circuit suggested increased risk of identity theft is too conjectural to be an injury in fact


Data Breach Litigation: Cognizable Injury Also Required

If standing requirements are satisfied

Plaintiffs still need to allege an injury for which state law provides a remedy

Injuries not cognizable (generally) under state common law:

Increased risk of identity theft

Time and effort spent closing accounts/protecting credit ratings

Court finds cognizable injury in statutory claim

Doe 1 v. AOL LLC, 719 F.Supp.2d 1102 (N.D. Cal. 2010)

Claim under California Consumers Legal Remedies Act

Statute says a consumer suffering "any damage" may bring a claim

Defendant exposed "highly sensitive" personal information of plaintiffs

Sufficient allegation of injury under the statute

Moral: state law on injury may determine the outcome of a motion to dismiss


Data Breach Litigation: Class Certification

Plaintiffs' attorneys need the financial incentive of a class action in order to pursue a data breach action

Individual losses will generally be too small

Court may not certify class

May not be worth proceeding without class


Cyber Risk Insurance

Specialty cyber risk/data protection/tech policies

Personal information breaches

Network security

Cyber extortion

Business Disruption

Often there can be sub-limits and other limitations on coverage

Terms/Scope of coverage vary


Other Insurance

Claims often made under more traditional lines (although frequently exclusions/coverage defenses apply)

Property

Crime/Fidelity

K&R

CGL

Coverage A – property damage / bodily injury (emotional distress)

Coverage B – injury arising out of publication that violated the data owner's privacy

Professional liability

Lawyers, real estate agents, A&E, etc.

D&O

Approval/Lack of security plans

How a breach is handled

What is said about the cause and remediation


Other Insurance Issues

Aggregation of risk on policies issued

The cyber hurricane

(simultaneous attack on multiple targets)

Multiple insureds impacted

Multiple lines have claims made under them

Regulatory scrutiny

Includes data security

Insurance departments such as Connecticut's want to know within 5 days of a breach at an insurer

Increasing accumulation of protected information increases the risk of a breach at insurers

Medical records and PI of claimants/insureds/beneficiaries

Medicare secondary payer reporting requirements


Foreign and International Breach Considerations

Global Transactions, Operations, Data Processing and Storage

U.S.-styled breach notice requirements are being adopted in the EU and elsewhere

EU Data Protection Directive may change by year end

Art. 29 W.P., April 2011, recommends breach notification

Definition of Personal Information is broader than U.S. definitions

India: New Data Security Rules issued under the Information Technology Act of 2000, effective April 11, 2011

Requires "reasonable security practices" to protect "sensitive personal data" and imposes restrictions and requirements for:

Collection of data

Disclosure of data

Transfer of data

Security practices and procedures


Foreign and International Breach Considerations (cont.)

Notification Considerations

Does the Company have operations there?

Is the Company a data controller or processor in the country?

Does the DPA have jurisdiction?

Would it help mitigate reputational risk to notify affected individuals?

Would the Company's posture in enforcement be improved by notifying government agencies?

Method of notifying individuals: mail or email? Translated or English?

Remediation Issues

Limited credit monitoring

Call center operations: Toll free? Foreign language capabilities?


Thank you

Mark E. Schreiber, 617.239.0585

Theodore P. Augustinos, 860.541.7710

Laurie A. Kamaiko, 212.912.2768

David S. Szabo, 617.239.0414

Socheth Sor, 860.541.7773