The Zero Hour Phone Call: How to Respond to a Data Breach to Minimize your Legal Risk
Sheryl Falk
April 4, 2013
© 2013 Winston & Strawn LLP
March 2013 Data Breaches
Overview
1. Anatomy of a Data Breach
2. Data Breach Incident Response
3. Handling the Aftermath of a Breach
4. The Legal Landscape
5. Practical Strategies to Mitigate your Risk
Anatomy of a Data Breach
Q: What is a Data Breach?
A) Hackers
B) Lost laptop
C) Misdirected email containing Personal Information
D) Improperly disposed of paper files
E) All of the above
How Do Data Breaches Occur?
The slide lays breaches out on two axes: the source (INTERNAL or EXTERNAL) and the cause (INTENTIONAL or ACCIDENTAL).
• Internal, intentional: Employee theft
• External, intentional: Hackers & unsecured websites
• Internal, accidental: Lost devices, negligent handling of data
• External, accidental: Vendors & subcontractors
Insider Threat – Negligent Employees
1. Pathetic Passwords
2. Loss of devices
3. Improper disposal
4. Misdirected emails
5. Falling for Phishing
6. Use of Public WiFi
Insider Threat – Employee theft
52% of insider thefts are trade secret related
65% of insiders had accepted positions with a competitor
20% were recruited by an outsider
50% steal data within a month of leaving
54% used network email, a remote network access channel, or network file transfer to take the data
Best Practices of a Data Breach Response
Data Breach Response Timeline
• 00:00 (the zero hour: the call comes in)
• Mobilize Resources
• Stabilize
• Investigate
• Notify
• After Action Review
Step 1 - Mobilize Resources: Immediate Response Team
Legal Department
Privacy Counsel
Human Resources
Forensic Experts
Notification Support
Security
IT Professionals
Communication Support
Business Group (Data Owners)
C-Suite
Step 2 - Stabilize/Secure Data
Act quickly, but cautiously
Take steps to secure data
Preserve evidence, including logs and backups, before remediation overwrites it
Obtain expert advice/legal counsel
Step 3 - Investigation
Goal: Determine the scope and nature of the breach
Identify all affected data, machines and devices
Preserve Evidence (Chain of Custody)
Understand how the data was protected
Develop the Record
• Conduct interviews with key personnel
• Document evidence and findings carefully
Quantify the exposure of data compromised
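Steps 2 and 3 both turn on preserving evidence in a form that will survive scrutiny: a log that an administrator "tidied up" after the fact, or a backup nobody can prove is the one collected on day one, is worth little in litigation. The script below is an added illustration of one practical way to do that, not material from the presentation or the firm: it hashes each collected artifact with SHA-256 into a chain-of-custody manifest that records who collected what and when, and re-verifies the artifacts later so that any post-collection change (or a missing file) is detected. The file names, incident identifier, collector name and log contents are constructed for the demonstration; in practice the manifest's own hash would be recorded out of band, for example in counsel's file.

```python
"""Evidence-preservation helper: seal collected artifacts (logs, backups,
images) into a chain-of-custody manifest and re-verify them later.

Added example; not code from the original presentation. Uses only the
Python standard library. All file names and contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream files in 1 MiB chunks; disk images do not fit in memory


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, incident_id: str) -> dict:
    """Record who collected which artifacts, when, and their hash at that moment."""
    return {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": p, "size": os.path.getsize(p), "sha256": hash_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest: dict) -> list:
    """Return (path, reason) for every artifact that is missing or no longer
    matches its recorded hash. An empty list means the evidence is intact."""
    problems = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append((item["path"], "missing"))
        elif hash_file(item["path"]) != item["sha256"]:
            problems.append((item["path"], "modified"))
    return problems


def demo() -> dict:
    """Seal two constructed artifacts, then tamper with one and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")          # constructed
        backup = os.path.join(d, "db-backup.sql")       # constructed
        with open(auth_log, "w") as f:
            f.write("Apr  4 02:13:07 vpn01 sshd[812]: Accepted password "
                    "for jdoe from 203.0.113.9\n")
        with open(backup, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))         # larger than one chunk

        manifest = build_manifest([auth_log, backup],
                                  collector="IR team lead",       # hypothetical
                                  incident_id="IR-2013-0404")     # hypothetical
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        manifest_sha256 = hash_file(manifest_path)  # record this out of band

        intact_before = verify_manifest(manifest) == []

        # A well-meaning "clean-up" of the log after collection.
        with open(auth_log, "a") as f:
            f.write("Apr  4 02:15:00 vpn01 sshd[812]: session closed\n")
        problems_after = verify_manifest(manifest)

        return {"intact_before": intact_before,
                "problems_after": problems_after,
                "manifest_sha256": manifest_sha256}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest records the collector and a UTC timestamp alongside each hash so the record answers the chain-of-custody questions (who, what, when) as well as the integrity question; hashing the manifest itself and storing that value separately is what makes the record tamper-evident rather than merely tamper-detecting.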
Importance of Investigatory Privilege
Treat every incident as potential litigation
Engage Legal Counsel at the onset
Direct the forensic/security vendors through Legal Counsel
Label communications “Confidential and Privileged”
Do you Involve Law Enforcement?
PROS
• For serious criminal activity, partner with law enforcement
• LE brings additional resources to the investigation
• Shows you are taking the breach seriously
CONS
• May not meet the law enforcement threshold
• Could lose control over your investigation
• Information about the breach could become public
Handling the Aftermath of a Breach
Texas Data Breach Statute
Section 521.053, Texas Business and Commerce Code
“A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.”
Notify as quickly as possible
Extra-territorial application
Civil penalty up to $250,000 for a single breach.
Was there a Breach?
1. What information is involved?
• Names
• Financial account data
• SSNs
• Government ID numbers
• Credit card data
• Date of birth
Was there a Breach?
2. Was the information compromised?
• Unauthorized access or acquisition (under some statutes, access or acquisition alone is enough)
• Has the "security, integrity or confidentiality" of the information been compromised?
• Is there a "material compromise"?
• Has illegal use occurred, or is it likely to occur?
3. Is there an exception?
• Hard copy files
• Encrypted data
• Good faith exception
Who do you have to Notify?
Impacted individuals
• Typically consumers or employees
• Applicable law is that of the state where the individual resides
• Some states require specific content in the notice (MA, IL)
• Timing restrictions: typically "expediently", or a fixed period such as 45 days (FL, WI, OH)
Federal or state authorities
• Depends on the type of information at issue and threshold numbers of persons affected
• www.winston.com/privacylawresources
Credit reporting agencies
• Usually must meet a threshold number of impacted state residents
Effectively Communicate about Breach
Communicate breach facts accurately and quickly
• Understand and follow breach notification timetables
• Stay focused and concise
• Be prepared to update with new information
What you might offer:
• Information about security freezes and credit monitoring
• Contact information for credit reporting agencies, the FTC or state authorities
• A central "ombudsman" for all questions
• Credit monitoring or identity restoration services
• Coupons or gift certificates
After Action Review
• How did the team respond?
• What can be improved in the response/investigation?
• What security issues can be tightened up?
• Modify your plan/procedures if necessary
The Legal Landscape
Federal & State Regulatory Agencies
Federal agencies with privacy jurisdiction:
• Federal Trade Commission
• Department of Justice
• Office for Civil Rights (HHS)
• Consumer Financial Protection Bureau
• Office of the Comptroller of the Currency
• Federal Communications Commission
• And others
Practice Tip – If you regularly have data breaches, get to know your regulators and their notification preferences.
State agencies likewise have privacy enforcement authority.
Data Breach Civil Litigation
Theories of liability:
• Negligence
• Gross negligence
• Deceptive trade practices
• Breach of contract
• Fraud
Significant risk to companies:
• TJX litigation settled for over 40 million dollars
• Heartland Payment Systems pending litigation – 12 million dollars spent in attorney fees
Legal Trends
Data breach cases are on the rise
Most courts require actual harm
• Reilly v. Ceridian (3rd Cir.) – Hacker stole 250,000 records, but the court dismissed, finding that potential future injury is not enough
Recent case: no harm required
• Resnick v. AvMed, Inc. (11th Cir.) – Health plan provider failed to protect PII. No facts tying the data breach to subsequent harm were required; the court allowed an unjust enrichment theory
Trade Secret Litigation
Increase in Trade Secret Litigation
To be successful you must: establish a trade secret
(1) Secrecy
(2) Independent economic value
(3) Reasonable efforts to maintain secrecy
Prove Misappropriation
Allege Damages and/or right to Injunctive Relief
Practical Strategies
The Best Defense is an ongoing Data Security Program
• Eliminate unnecessary data
• Ensure essential controls are met
• Monitor/mine event logs
• Implement a firewall on remote access services
• Change default credentials of POS systems and other internet-facing devices
• Ensure third-party vendors are complying with data protection strategies
Recommendations from the 2012 Verizon Data Breach Investigations Report
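"Monitor/mine event logs" is the one recommendation above that is pure engineering, and the employee-theft slide earlier gives it a concrete target: departing insiders who move data out through network email, remote access or network file transfer within a month of leaving. The script below is an added example of that mining logic, not code from the presentation, the firm or Verizon. It parses a few constructed log lines (the format, hostnames, user names and byte counts are all assumptions for the demonstration), sums the bytes each person on a departure list sent over those external channels in the 30 days before their last day, and flags anyone over a volume threshold. Employees not on the list are deliberately ignored here; a full program would also baseline them, which is a different rule.

```python
"""Mine event logs for the departing-insider exfiltration pattern:
large outbound volume over email, remote access or file transfer in the
30 days before an employee's last day.

Added example, not from the original presentation. Log format, hosts,
users, channels and byte counts are constructed for the demonstration."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<iso-ts> <host> <event> key=value ...".
SAMPLE_LOG = """
2013-02-01T10:05:00Z fileserver transfer user=jdoe dst=198.51.100.7 bytes=999999999 channel=network_file_transfer
2013-03-20T21:14:02Z vpn01 login user=jdoe src=203.0.113.9 channel=remote_access
2013-03-20T21:30:45Z fileserver transfer user=jdoe dst=198.51.100.7 bytes=734003200 channel=network_file_transfer
2013-03-21T09:02:11Z mailgw mail user=jdoe dst=example.net bytes=52428800 channel=email
2013-03-22T11:40:00Z fileserver transfer user=asmith dst=192.0.2.44 bytes=900000000 channel=network_file_transfer
2013-04-02T16:12:30Z mailgw mail user=bwong dst=example.org bytes=2097152 channel=email
""".strip().splitlines()

# Constructed HR departure list: last working day per user (UTC).
DEPARTURES = {
    "jdoe": datetime(2013, 4, 1, tzinfo=timezone.utc),
    "bwong": datetime(2013, 4, 15, tzinfo=timezone.utc),
}

# The three channels the employee-theft statistics on the earlier slide name.
EXTERNAL_CHANNELS = {"email", "remote_access", "network_file_transfer"}
WINDOW = timedelta(days=30)           # "within a month of leaving"
BYTES_THRESHOLD = 100 * 1024 * 1024   # 100 MiB; tune to the environment

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a tz-aware timestamp plus its key=value fields."""
    ts, host, event, rest = line.split(" ", 3)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["host"] = host
    fields["event"] = event
    return fields


def find_departure_exfil(lines, departures, threshold=BYTES_THRESHOLD) -> list:
    """Return one finding per departing user whose outbound volume over external
    channels in the 30 days before their last day meets the threshold."""
    events = [parse_line(l) for l in lines if l.strip()]
    findings = []
    for user, last_day in departures.items():
        start = last_day - WINDOW
        relevant = [
            e for e in events
            if e.get("user") == user
            and e.get("channel") in EXTERNAL_CHANNELS
            and start <= e["ts"] <= last_day
        ]
        total = sum(int(e.get("bytes", 0)) for e in relevant)
        if relevant and total >= threshold:
            findings.append({
                "user": user,
                "bytes": total,
                "channels": sorted({e["channel"] for e in relevant}),
                "first_seen": min(e["ts"] for e in relevant).isoformat(),
                "last_seen": max(e["ts"] for e in relevant).isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_departure_exfil(SAMPLE_LOG, DEPARTURES):
        print(f"{f['user']}: {f['bytes']} bytes via {', '.join(f['channels'])} "
              f"between {f['first_seen']} and {f['last_seen']}")
```

On the sample, jdoe's February transfer falls outside the 30-day window and is excluded, the March file transfer and email add up to roughly 750 MiB and trip the threshold, asmith's large transfer is ignored because asmith is not departing, and bwong's 2 MiB of email stays under the limit. Lowering the threshold in the call brings bwong into the findings, which is the knob a team would tune against its own false-positive rate.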
Fully Plan your Breach Response
Understand where your data is and how it is protected
Develop good privacy and security policies
Train employees and monitor enforcement
Develop a Data Breach Incident Response Plan
Understand what laws/regulations apply
Explore Cyber-insurance
Security Policies: Evaluating what documents you need
• Remote access policy
• Internet and electronic communications policy
• Social media policy
• Password policy
• Mobile device policy
• Guest access policy
• Vendor access policy
• Network device attachment policy
To Learn more…
twitter: @winstonprivacy
www.winston.com/privacylawresources