Data Security Compliance and Responding to a Data Breach: Lessons for Corporate Counsel After Equifax

Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, JANUARY 23, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
Brent E. Kidwell, Partner, Jenner & Block, Chicago
Agenda

I. The Big Picture
   A. Breaches’ Prevalence
   B. Liability Risks & Data Leakage – Big 3
   C. Modern Threats
II. U.S. & International Law – Overview
   A. Different Premises in U.S. & EU
   B. Scattershot U.S. Privacy Protections
   C. Potential Liability for Data Breaches
   D. International Law – Summary
   E. Contracts’ Ability to Reallocate Risks
III. Proactive Prevention
   Introduction
   A. Data Protection Overview
   B. Protecting Data at Rest & in Transit
   C. 10 Specific Steps
IV. Reactive Remedies / Incident Response
   • Top Ten
Q&A/Conclusion
I. The Big Picture

A. Breaches’ Prevalence
• Should only retailers be worried? NO
• 1/1/05 to 12/28/17:
  • > 7,800 breaches; > 10 billion records
  • E.g. Yahoo!, Anthem, Target, Verizon & Neiman
• 2017 alone:
  • 550 breaches; ≈ 2 billion records
  • E.g. Equifax, T-Mobile, Dun & Bradstreet, Arby’s, Boeing, Stanford U., Oklahoma HHS & UNC Health Care Systems
• . . . per Privacy Rights Clearinghouse, DATA BREACHES (last visited 1/18/18) (searchable/filterable)

• Cyber crime costs in FY ’16 (237 cos. surveyed across 8 countries):
  • $17.36M average in US alone
  • 2 largest costs (on average):
    • information loss: 39 percent
    • business disruption: 36 percent
  • . . . per Ponemon Inst. o/b/o HP Enterprise Security, 2016 Cost of Cyber Crime Study (2016)
B. Leakage Risks – Big 3
1. Intentionally Harmful Intentional Disclosures
2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social Media; Sock-Puppeting; P2P)
3. Unintentional Losses of Sensitive Info. = primary focus here

C. Modern Threats
• Biggest ones?
  • Social Engineering [including (spear-)phishing and ransomware]
• Phishing:
  • W-2 Scam (adapted from screenshot at <http://www.linkstechnology.com/blog/its-baaack-the-form-w-2-email-scam>)
  • IRS warning (1/25/17)
  • Cinthia Motley, 10 Ways to Avoid W-2 Phishing Schemes (LTN 3/20/17) (including “Pick up the phone”)
• Phishing – Training:
  • When in doubt:
    • do not click on a link or open an attachment; and
    • forward the message as an attachment to the InfoSec or IT department
  • If you are suspicious about the purported sender:
    • place a call to (or meet with) the purported sender to confirm the message is legit
II. U.S. & International Law

A. Default in U.S. & EU
• U.S. Perspective
  • Data presumptively not protected unless rendered otherwise by a specific rule of law
  • Many rules are sector-based
• EU Perspective
  • Data presumptively “personal” and thus private, even in the employer/employee setting . . .

B. Scattershot U.S. Laws
• Federal law sector examples:
  • Health/medical = HIPAA (60 days’ notice)
    • covered entities and business associates
    • HITECH Act expansion Jan. ’09
    • HHS Final Regs. Sep. ’13
  • Financial services = Gramm-Leach-Bliley
  • Consumer credit reports, etc. = FCRA/FACTA
B. U.S. Rules
• Potential Liability
  • consumer and/or employee class actions re: PII (PHI)
  • corporate customer suits
  • shareholder derivative suits
  • bad press and/or blog buzz
  • reputational hit

B. Notice-of-Breach Laws
• Specific combo of elements – expanded in, e.g., California multiple times in Civ. Code § 1798.82 et al. . . .
• Trigger usually automatic (as in Cal.) rather than risk-based
• Notice requirements
  • If > X no. of people affected, tell AG
  • Might have to describe circumstances
B. Health Info (PHI)
• Protecting Individuals’ PHI
  • HIPAA Final HHS Regs (9/23/13)
  • HHS active under HIPAA
  • > 10 states:
    • AR, CA, FL, MO, ND, NV, TX, VA
    • WY (state agencies only)
    • CT (regs.) & NJ re: insurers

B. U.S. Rules
• Potential Liability
  • Difficulty in proving “injury” (damages):
    • Even a CFAA claim in a suit against a hacker:
      • “loss” hard to show
      • remediation and down-time?
  • “Standing” (“injury”) difficult to show based on mere concern that data will be used:
    • trade secrets damages theory
    • identity-theft theory, including theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code § 56.36 . . .
• Newer Case Law:
  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury must be concrete and not “abstract” to satisfy U.S. Const. Article III, but intangible injuries can be concrete)
  • Post-Spokeo (examples) . . .
    • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2/6/17) (allegations of increased risk of identity theft: NOT a substantial risk of harm)
C. Typical Breach Exposure Items
• Aside from viability of legal theories, custom and usage has been . . .
  • Potential monetary liability for breach of unsecured personally identifiable information (PII) estimated at $221 per affected person
    • Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC (June 2016)
  • Data breach cost calculators:
    <http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>
    <http://cyberscout.com/expensecalc/start.aspx>
    <https://eriskhub.com/mini-dbcc>

C. Typical Breach Exposure
• Custom/usage
  • Sample set of expense items (from here)
    • Internal Investigation
      • Cybercrime consulting
      • Attorney Fees
    • Notification/Crisis Management
      • Customer notification
      • Call center support
      • Crisis management consulting
    • Regulatory/Compliance
      • Credit monitoring for affected customers
      • Regulatory investigation defense
      • State/Federal fines or fees
D. International Summary
• Privacy protected more, e.g.:
  • Europe:
    • EU: France/Germany/Italy
    • UK (post-Brexit)
  • Elsewhere:
    • Brazil
      • Constitution
      • “Marco Civil”
    • Israel

D. Laws Overseas
• DATA-BREACH NOTIFICATION LAWS
  • less diffused, broader in scope & often shorter/clearer deadlines than U.S. . . . e.g.
    • Australia (Feb. ’18)
    • Canada
    • India
    • Israel (Mar. ’18)
    • Mexico
    • South Korea

D. EU Data Directive Compliance
• EU, Directive 95/46/EC (1995)
  • PLUS laws of individual EU countries
  • BROAD definitions of “personal data,” “processing” and “transfer”
• Being replaced 5/25/18 by General Data Protection Regulation (GDPR)
  • Stricter
  • Penalties tied to worldwide revenue
  • Notice of breach – timing, etc.
  • Consent rules

D. EU Data Transfers
• EU-U.S. Safe Harbor now replaced by the EU-U.S. Privacy Shield Framework (same re: Swiss-U.S. . . . )
• Must:
  • Provide free & accessible dispute resolution
  • Cooperate with Department of Commerce
  • Ensure accountability for data transferred to third parties (whether controllers or agents)
E. Contracts’ Ability to Reallocate Risk
• Defaults may be changeable based on:
  • Relative sizes and bargaining power
  • Industry of prospective customer
  • Location of data (who stores/hosts it)

III. Proactive Prevention

Introduction
Divide the Universe, e.g., into:
1. Policies/practices applicable to all information, including PII
2. Policies/practices applicable to personal information as to non-employee individuals
3. Policies/practices applicable to PII collected from employees
4. Data storage contracts with third-party hosts (Cloud, etc.)

Introduction – Example of Intrusion
[Chart: http://blogs.rsa.com/wp-content/uploads/APT-chart1.jpg]
A. Data Protection Overview – Strategy
• People
• Process
• Policy
• Technology

A. Data Protection – People
• Executive leadership – security as an organizational priority
• Identified personnel with specific roles, accountability and responsibility
• Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)
• Improve communication and training about security with all personnel
  • Human vectors continue to be a key security exploit route
  • See, e.g., RSA breach resulting from phishing
A. Data Protection – Process
• Plan and document security procedures; for example:
  • Identify the location and content of your data assets, specifically PII or other “sensitive” collections
  • Routinize security assessments conducted by internal and external experts
  • Employ incident response drills and training
  • Develop procedures for the ingestion, storage, security and destruction of data

A. Data Protection – Policies
• Organizational security/data protection policies:
  • General security, confidentiality, acceptable use and information governance policies
  • Special policies may be required for special data (e.g., HIPAA/PHI)
  • Incident response and breach notification policies
  • Records and information retention policies should be evaluated to minimize retention of risky data
• Establish a regular policy review cycle
• Enforcement and consistent application of policies
• Consider certifications, such as ISO 27001

A. Data Protection – Technology
• Security of Existing Technology Base
  • Periodic re-examination of security posture of existing systems recommended
  • Cloud-based systems require contractual protections and due diligence
• Specialized Security/Data Protection Tools
  • Technology is not a security “silver bullet”
  • Even the best technology requires trained personnel to monitor, analyze and address identified anomalies
  • More on this later . . .
B. Protecting Data at Rest & in Transit – at Rest I
• Perimeter Defenses (Incoming & Outgoing)
  • Firewall
  • IDS/IPS
  • Multi-Factor Authentication
  • Malware Filtering
  • Data Loss Prevention (DLP)
  • Advanced endpoint protection
• Access Rights – “Need to Know” – See below
• Electronic data destruction (anything with storage)
B. Protecting Data at Rest II
• Logging and Analysis of Security Events
  • Security Information and Event Management (SIEM)
  • Provides analytical view into organizational security using a longer-term baseline for anomaly identification
• Don’t Forget Paper Documents
  • Appropriate destruction – shredding, PII bins, etc.
  • Clean desk policies
  • Locked offices, drawers and cabinets
• Physical Security
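Added illustration (not from the slides, and not any SIEM vendor’s code) of the baseline idea above: a small Python routine parses sshd-style failure lines, compares each hour’s failed-login count against a 14-day per-hour baseline, and flags hours that exceed the baseline mean by three standard deviations. The log format, host name, addresses and the history itself are all constructed for the example.

```python
"""Baseline-driven anomaly detection over authentication logs.

Added example: compare today's failed-login volume per hour against a
longer-term baseline instead of a fixed threshold. Every log line and
every historical count below is constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

# sshd-style failure line; the format is assumed for this example.
FAILED_RE = re.compile(
    r"^\w{3} +\d+ (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def build_baseline(days: int = 14) -> dict:
    """Constructed history: failed logins per hour of day over `days` days.

    Business hours (08-18) see 3-5 failures/hour (typos); nights see 0-1.
    Returns {hour: [count_day0, count_day1, ...]}.
    """
    history = defaultdict(list)
    for day in range(days):
        for hour in range(24):
            if 8 <= hour < 18:
                history[hour].append(3 + (day + hour) % 3)
            else:
                history[hour].append((day + hour) % 2)
    return history


def build_todays_log() -> list:
    """Constructed log lines for the day under review."""
    lines = []
    # a night-time burst against one service account from one address
    for minute in range(12):
        lines.append("Jan 22 02:%02d:31 vpn1 sshd[4021]: Failed password for "
                     "svc-backup from 203.0.113.9 port %d ssh2" % (minute, 40000 + minute))
    # ordinary morning typos from several users
    for minute, user in ((5, "alice"), (17, "bob"), (33, "carol"), (48, "alice")):
        lines.append("Jan 22 09:%02d:10 vpn1 sshd[4022]: Failed password for "
                     "%s from 10.20.0.%d port 51000 ssh2" % (minute, user, 10 + minute))
    # a success must not be counted as a failure
    lines.append("Jan 22 09:50:02 vpn1 sshd[4023]: Accepted password for alice "
                 "from 10.20.0.15 port 51010 ssh2")
    return lines


def count_failures(lines):
    """Return ({hour: failures}, {hour: Counter(source_ip)}) from raw lines."""
    per_hour = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        hour, src = int(m.group(1)), m.group(3)
        per_hour[hour] += 1
        sources[hour][src] += 1
    return per_hour, sources


def find_anomalies(lines, history, sigmas: float = 3.0, min_count: int = 5) -> dict:
    """Flag hours whose failure count exceeds baseline mean + sigmas * stdev.

    min_count keeps a quiet hour from being flagged on one or two extra
    failures when its baseline standard deviation is close to zero.
    Returns {hour: {"count", "threshold", "top_source", "top_source_hits"}}.
    """
    per_hour, sources = count_failures(lines)
    flagged = {}
    for hour, count in per_hour.items():
        sample = history.get(hour, [0])
        mean = statistics.mean(sample)
        stdev = statistics.pstdev(sample) if len(sample) > 1 else 0.0
        threshold = mean + sigmas * stdev
        if count > threshold and count >= min_count:
            top_src, top_n = sources[hour].most_common(1)[0]
            flagged[hour] = {"count": count, "threshold": round(threshold, 2),
                             "top_source": top_src, "top_source_hits": top_n}
    return flagged


if __name__ == "__main__":
    hits = find_anomalies(build_todays_log(), build_baseline())
    for hour, info in sorted(hits.items()):
        print("hour %02d: %d failures (baseline threshold %.2f), mostly from %s" %
              (hour, info["count"], info["threshold"], info["top_source"]))
```

The 02:00 burst is flagged because the night-time baseline is near zero, while the four 09:00 failures sit inside the business-hours baseline and pass unremarked; a fixed daily threshold would miss the first or alarm on the second.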
B. Protecting Data in Motion I
• Laptops (endpoints)
  • AV/Malware Detection
  • Firewall
  • Data Encryption (FDE)
  • Passwords, screensavers, etc.
  • BYOD Issues
  • Endpoint protection
• Storage Devices/Tools
  • Encryption – flash drives, DVDs, etc.
  • Restrictions on use of cloud storage services (Dropbox, etc.)

B. Protecting Data in Motion II
• Handheld Devices
  • Encryption
  • Remote Wiping
  • Mobile Device Management (e.g., MobileIron, AirWatch)
  • BYOD Issues
• Backup Tapes
• Email encryption
• Metadata Scrubbing Tools
• Proper Redaction Tools/Methods
C. 10 Specific Steps – 1. Policies

C. Steps – 2. Training
• Train managers and staff about access, nondisclosure and safeguarding
• Review pertinent segments of employee policies, e.g.:
  • Code of Conduct
  • Confidentiality Policy
  • Technology Acceptable Use
  • Privacy (No Expectation of Privacy?)
  • Social media policies
  • BYOD (Mobile Devices)
  • Separating / off-boarding employee procedures (related checklist(s) from IT, HR, etc.)
• [Spear-]Phishing & Ransomware
  • Use tests (Wombat, etc.)
  • Capture metrics
  • Encourage vigilance
C. Steps – 3. Passwords
• Passwords
  • Lockout . . . No sharing . . .
  • Two-factor authentication
• Common password practices:
  • Minimum 8 (or 12) characters, complex
  • Reuse restriction
  • 90-day expiration
• But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin
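Added example, not from the slides: the “common practice” complexity rule above written next to a check in the spirit of NIST SP 800-63B (a length minimum, a blocklist of common or compromised values, context-specific words rejected, no composition rules). The blocklist is a constructed stand-in for a real breached-password corpus, and the function and rule names are this example’s own.

```python
"""Two password policies side by side: legacy complexity rules versus a
NIST SP 800-63B style check (length plus blocklist, no composition rules).

Added example, not part of the slides. COMMON_PASSWORDS is a constructed
stand-in for a real list of breached or commonly used passwords.
"""
import re
import unicodedata

COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "password1", "123456", "qwerty", "letmein",
    "welcome1", "summer2017", "changeme", "admin123",
}
MIN_LEN = 8      # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 128    # 800-63B says verifiers must accept at least 64; be generous


def legacy_policy(pw: str) -> tuple:
    """The slide's 'common practice': >= 8 chars and 3 of 4 character classes."""
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False, "needs 3 of 4 character classes"
    return True, "ok"


def _normalize(pw: str) -> str:
    """NFKC-normalize so look-alike Unicode forms compare consistently."""
    return unicodedata.normalize("NFKC", pw)


def _is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '87654321'."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def nist_style_policy(pw: str, username: str = "", service: str = "",
                      blocklist=COMMON_PASSWORDS) -> tuple:
    """Checks in the spirit of NIST SP 800-63B sec. 5.1.1.2.

    Length floor, generous ceiling, no character-class rules, and rejection
    of blocklisted, context-specific, repetitive or sequential values.
    Spaces and any printable characters are allowed.
    """
    pw = _normalize(pw)
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    lowered = pw.lower()
    if lowered in blocklist:
        return False, "appears on the common/compromised password list"
    for word in (username, service):
        if word and word.lower() in lowered:
            return False, "contains a context-specific word (%s)" % word
    if len(set(lowered)) == 1:
        return False, "repetitive"
    if _is_sequential(lowered):
        return False, "sequential"
    return True, "ok"


def compare(pw: str, **context) -> dict:
    """Run both policies on one candidate for a side-by-side view."""
    return {"legacy": legacy_policy(pw), "nist_style": nist_style_policy(pw, **context)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "acme-alice-2018"):
        print("%-30s %s" % (candidate, compare(candidate, username="alice")))
```

"P@ssw0rd" satisfies every legacy class rule yet is one of the most common passwords in breach corpora, so the blocklist check rejects it; the long spaced passphrase fails the legacy class rule but is exactly what 800-63B wants verifiers to accept.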
C. Steps – 4. Access – RBAC
• “Least Privileged Access” approach [“role-based access control (RBAC)”]
  • Data and physical
  • Ideal default is “deny all” – i.e., cannot gain access unless affirmative need shown and specifically authorized
  • For lawyers: “‘Need to Know’ Security” (LTN 4/24/17) (LEXIS login/password needed)
• Central vs. Local Storage
• Digital Rights Management (DRM)?
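Added example, not from the slides: a default-deny authorizer in Python in which access exists only through a role permission or a specifically approved, time-bounded grant, matching the “deny all unless affirmative need shown and specifically authorized” default above. Roles, users, resources, the grant records and the fixed clock are all constructed.

```python
"""Default-deny, role-based access control check.

Added example for the 'deny all unless specifically authorized' default.
Roles, users, resources and grants below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# role -> allowed (action, data class) pairs; anything not listed is denied
ROLE_PERMISSIONS = {
    "hr-analyst": {("read", "employee-pii")},
    "hr-admin":   {("read", "employee-pii"), ("write", "employee-pii")},
    "billing":    {("read", "customer-pii")},
    "infosec":    {("read", "audit-log")},
}

# resource -> data class; a resource nobody classified falls through to deny
RESOURCE_CLASS = {
    "hr/payroll.csv":   "employee-pii",
    "crm/customers.db": "customer-pii",
    "siem/auth.log":    "audit-log",
}

# fixed clock for the worked example (constructed)
NOW = datetime(2018, 1, 23, 12, 0, tzinfo=timezone.utc)


@dataclass
class Grant:
    """A specifically authorized, time-bounded exception to the role model."""
    user: str
    action: str
    resource: str
    approved_by: str
    expires: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Authorizer:
    user_roles: dict = field(default_factory=dict)  # user -> set of role names
    grants: list = field(default_factory=list)

    def check(self, user: str, action: str, resource: str, now: datetime = None) -> Decision:
        """Allow only via a role permission or an unexpired explicit grant."""
        now = now or datetime.now(timezone.utc)
        data_class = RESOURCE_CLASS.get(resource)
        if data_class is None:
            return Decision(False, "unclassified resource %r: default deny" % resource)
        for role in sorted(self.user_roles.get(user, set())):
            if (action, data_class) in ROLE_PERMISSIONS.get(role, set()):
                return Decision(True, "role %s permits %s on %s" % (role, action, data_class))
        for g in self.grants:
            if (g.user, g.action, g.resource) == (user, action, resource):
                if g.expires > now:
                    return Decision(True, "explicit grant approved by %s" % g.approved_by)
                return Decision(False, "grant expired at %s" % g.expires.isoformat())
        return Decision(False, "no role or grant covers %s on %s: default deny" % (action, resource))


def build_demo_authorizer() -> Authorizer:
    """Constructed users and grants used by the example run below."""
    return Authorizer(
        user_roles={"alice": {"hr-analyst"}, "bob": {"billing"}, "erin": {"infosec"}},
        grants=[
            # dave: project access approved, valid for one more day
            Grant("dave", "read", "hr/payroll.csv", "cfo",
                  datetime(2018, 1, 24, 0, 0, tzinfo=timezone.utc)),
            # carol: grant that lapsed last week and was never renewed
            Grant("carol", "read", "hr/payroll.csv", "cfo",
                  datetime(2018, 1, 16, 0, 0, tzinfo=timezone.utc)),
        ],
    )


if __name__ == "__main__":
    auth = build_demo_authorizer()
    for user, action, resource in [("alice", "read", "hr/payroll.csv"),
                                   ("alice", "write", "hr/payroll.csv"),
                                   ("bob", "read", "hr/payroll.csv"),
                                   ("dave", "read", "hr/payroll.csv"),
                                   ("carol", "read", "hr/payroll.csv"),
                                   ("erin", "read", "finance/ledger.xlsx")]:
        d = auth.check(user, action, resource, NOW)
        print("%-6s %-6s %-20s %s (%s)" % (user, action, resource,
                                          "ALLOW" if d.allowed else "DENY", d.reason))
```

Every path that does not end in a positive match returns a denial with a reason, which is what makes the deny-all default auditable: an unclassified resource, a missing role, and an expired grant each deny for a stated cause rather than by accident.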
C. Steps – 5. Encryption of ESI
• Especially PII & Mobile Data
• At rest and in transit . . .
  • Email – TLS
    • Forced
    • Opportunistic
  • Laptops
    • BitLocker
    • FileVault
1. Website & Extranet Servers (TLS rather than legacy SSL)
2. Virtual Private Network (VPN) Software
3. Cloud: Secure File Transfer Protocol (SFTP) sites (Citrix ShareFile and OneHub, e.g.)
4. Email Messages and Attachments [Transport Layer Security (TLS)]
5. End-user devices
   • Desktop PCs and Laptops
   • Tablets and Smartphones
   • Mobile Devices and Portable Media
C. Steps – 6. Commuting / Travel
• Security When Traveling
  • Use privacy screen/filter
  • Avoid using shared computers in cyber cafes, public areas or hotel business centers
  • If you must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)
  • Avoid public hotspots unless using, e.g., iPass
  • Borrow/buy MiFi device?
  • Do not use devices belonging to other travelers, colleagues or friends
• International Travel Tips:
  • Recommended: change passwords before leaving abroad and again when you return
  • Do not take regular laptop, tablet or phone to China
  • Potentially same re: EU travels
  • Avoid sending sensitive email messages
  • Beware: U.S. Customs & Border Protection has increased scrutiny of laptops, devices, etc.
  • Upon returning to the States, CBP asking for passwords, including to social media
    • Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)
    • Sen. Ron Wyden (OR), letter to then DHS Secretary Kelly (2/20/17)
  • Assert attorney-client privilege (or another basis for confidentiality such as privacy?)
  • But don’t go so far as to get detained?
  • Recent guidance from CBP: www.cbp.gov/sites/default/files/assets/documents/...
C. Steps – 7. Metadata
• Metadata and Redactions
  • Metadata – Goalkeeper Prompts in Workshare Protect – Example . . .
  • Workshare settings (incl. re: .pdf’s)
• Redactions
  • Do use Adobe Acrobat Pro
  • Don’ts:
    • Word: borders/shading or highlighter
    • Acrobat: text box or shapes-drawing tool
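Added example, not from the slides and not Workshare’s code: a standard-library Python scrubber showing what a metadata tool does under the hood for a .docx, which is a ZIP archive whose author, last-modified-by and company fields live in the docProps parts, separate from the text in word/document.xml. The sample document is constructed in memory; the field list and function names are this example’s own.

```python
"""Scrub identifying metadata from an Office Open XML (.docx) file.

Added example, not Workshare's or the slides' code. A .docx is a ZIP
archive: the text lives in word/document.xml while author and company
details live in docProps/core.xml and docProps/app.xml. The sample
document below is constructed in memory.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the core and extended document-property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields that reveal who wrote, edited or owns the document (title is kept).
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords"]
APP_FIELDS = ["ep:Company", "ep:Manager", "ep:Template"]
PART_FIELDS = {"docProps/core.xml": CORE_FIELDS, "docProps/app.xml": APP_FIELDS}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with author/company metadata populated."""
    core = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
            "<dc:title>Draft settlement terms</dc:title><dc:creator>jdoe</dc:creator>"
            "<cp:lastModifiedBy>Jane Doe (Legal)</cp:lastModifiedBy></cp:coreProperties>" % NS)
    app = ('<Properties xmlns="%(ep)s"><Company>Example Co. (constructed)</Company>'
           "<Template>Normal.dotm</Template></Properties>" % NS)
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Confidential draft.</w:t></w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


def _blank_fields(root: ET.Element, paths) -> int:
    """Empty each listed element's text; return how many carried a value."""
    blanked = 0
    for path in paths:
        for el in root.findall(path, NS):
            if el.text:
                el.text = ""
                blanked += 1
    return blanked


def scrub_docx_metadata(docx_bytes: bytes) -> tuple:
    """Return (scrubbed_bytes, fields_blanked).

    Every ZIP member is copied unchanged except the two docProps parts,
    whose identifying fields are emptied; the body text is never touched.
    """
    out = io.BytesIO()
    blanked = 0
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PART_FIELDS:
                root = ET.fromstring(data)
                blanked += _blank_fields(root, PART_FIELDS[item.filename])
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue(), blanked


def read_metadata(docx_bytes: bytes) -> dict:
    """Pre-send check: which identifying fields still carry a value."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, paths in PART_FIELDS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for path in paths:
                for el in root.findall(path, NS):
                    if el.text:
                        found[path] = el.text
    return found


def document_text(docx_bytes: bytes) -> str:
    """Return the body part, to confirm scrubbing left the content alone."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.read("word/document.xml").decode("utf-8")


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_metadata(original))
    cleaned, n = scrub_docx_metadata(original)
    print("blanked %d field(s); after: %s" % (n, read_metadata(cleaned)))
```

Running `read_metadata` on an outgoing file is the check a “goalkeeper” prompt performs before a send; the same ZIP-member approach extends to .xlsx and .pptx, which share the docProps layout, but comments, tracked changes and embedded objects inside the word/ parts need their own handling.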
C. Steps – 8. Netiquette
• Social Media
• Bcc’s
• Emails to “All” (companywide)
• Auto-complete
• Reply All

C. Steps – 9. Network Monitoring & Pen Tests
• Firewall
• Anti-Virus/Malware (incl. macros)/Spyware
• Vulnerability Assessment / remediation
• Spam filtering plus phishing protection (e.g., Proofpoint / Mimecast, including URL defense)
• Periodic vulnerability assessments and penetration tests by independent consultant

C. Steps – 10. Cyber-Insurance
• First Party Coverage?
• Third Party Coverage (clients, vendors, employees, etc.)?
• Covered by Prop. Ins. Policy? CGL Policy?
• Covered by D&O and/or E&O? Crimes?
• If not, get separate/special coverage?
• Get phishing endorsement?
• Depends at least in part on:
  • Industry
  • Data types and volumes

IV. Reactive Remediation – Incident Response
IV. Incident Response

TOP TEN TIPS
10. Big-Picture Process – FOLLOW PROCESS . . .
  • Documented response plan / procedures
  • Document protocols / checklists
  • Internal team leaders and members identified and trained (e.g. InfoSec, Legal & Public Relations)
  • Outside contacts listed, e.g., Information-Security consulting firm, Counsel, law enforcement & Insurance carrier
  • Training – tabletop exercises, etc.
  • Categories defined?
  • Data- and machine-handling protocol
  • Workflow/Communication chart re: Discover / Assess / Contain / Remediate / Close / Mitigate

FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: info.?
8. Encrypted?
7. If encrypted, key compromised?
GET YOUR BEARINGS . . .
6. If a contractual relationship:
   • Look at the contract
   • Decide if will try to negotiate re: notice
5. If law enforcement is involved, open a dialogue
4. See if, under strictest statute, notice trigger(s) have kicked in

TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If MUST give notice, address required:
   • Method and Contents
     • E.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
   • Recipients (might include an AG, e.g.)
   • Timing (might be OK, under law, to delay)
2. If COULD give notice, discuss customer relations with C level
1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)
Q&A / Conclusion / Resources . . .

Robert D. Brownstone, Esq.
Fenwick & West LLP
<tinyurl.com/Bob-Brownstone-Bio>
<www.ITLawToday.com>

Brent E. Kidwell, Esq.
Jenner & Block
<www.jenner.com/people/BrentKidwell>