Slide 1: SPEAKER INTRODUCTION
Josh M. Kantrow is a Partner at Lewis Brisbois who advises clients on how to protect their intellectual property, trade secrets and proprietary information from security breaches. Josh litigates a wide variety of high-exposure, complex cyber, technology, computer-related and professional liability matters throughout the United States. Josh is an AV® Preeminent™ peer review rated lawyer by Martindale-Hubbell, reflecting the highest peer recognition for both ethical standards and legal ability, is a Chicago Top Rated Lawyer, and a current Illinois “Leading Lawyer” for Commercial Litigation, Insurance Law and Professional Liability. Josh is active in pro-Israel causes and the Chicago Jewish Community and has visited Israel many times. Josh co-founded and co-chaired the American Israel Public Affairs Committee’s (AIPAC) Young Leadership Council in Chicago. Over the past 12 years, the Young Leadership Council has produced thousands of pro-Israel activists in the Chicago area.
Slide 2: So You Want to Do Business in the United States: Protecting Your Intellectual Property, Bottom Line and Reputation from Cyber Intrusions and Security Breaches
Josh Kantrow, Lewis Brisbois Bisgaard & Smith LLP
Slide 3: OVERVIEW
- Background re digital risk explosion.
- What are the enterprise risks caused by internet connectivity?
- What are the legal risks in the United States caused by internet connectivity?
- What can you do to protect your bottom line and reputation (or the bottom line and reputation of companies in which you invest that do business in the U.S.)?
Slide 4: BACKGROUND: DIGITAL RISK EXPLOSION
- 99.9% of new information is stored digitally.
- Facebook collects an average of 15 TB of data every day or TB per year.
- That’s equivalent to the amount of paper stored in the beds of 15 pickup trucks per day.
- Privacy breaches are occurring more often - more than once a day.
- The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008.
- By 2009 the 5 year average was about 40 per month.
Slide 5: BACKGROUND: OFTEN OVERLOOKED SOURCES OF DATA
- Photocopiers
- Shredding machines
- Flash drives
- Smart phones
- Tablets
- Cloud storage (Google Drive, DropBox, eDiscovery Systems, etc.)
- Court Reporters - Audio/Video Tapes, Transcripts
Slide 6: BACKGROUND: HOW DO BREACHES HAPPEN
- Traditional “Hacking” – only one type of breach
- Number of Attacks Increasing & Sophistication of Attacks Increasing
- China (in some cases, state sponsored; recently China Hackers hit big U.S. Media like the Wall Street Journal and New York Times)
- Eastern Europe
- Africa
- The security firm Mandiant estimated that 80 major U.S. law firms were hacked in 2011.
Action Items:
- Improve Network Security Policies/Procedures
- Encryption of Sensitive Information
- Penetration Testing
- Breach Response Plan and Testing
Slide 7: ENTERPRISE RISKS: OVERVIEW
- Theft of IP/Proprietary information/business secrets
- Stolen customer information
- Negligence
- Social media/e-publishing
- Bad technology and software
- Business interruption
- Vendor negligence or fault
Slide 8: ENTERPRISE RISKS: THEFT OF IP
- Data breaches where there is theft of IP, proprietary data, confidential business secrets, etc.
- China and other countries actively stealing and attempting to steal such information.
- IP can be stolen not just from hacking into the target company’s computer systems but via the vendors (i.e. professional service providers like law firms, accounting firms, etc.) that do work for them.
- In fact, it’s often easier to do it this way.
Slide 9: ENTERPRISE RISKS: STOLEN CUSTOMER INFORMATION
- Data breaches where customers’ personal information (health, financial, employment records, social security numbers, credit card information, etc.) is stolen.
Slide 10: ENTERPRISE RISKS: DATA BREACHES VIA NEGLIGENCE
- Data breaches via negligence (e.g. leaving a laptop or a smart phone in a coffee shop or on a bus).
- In fact, negligence is responsible for about 70% of all breaches, while network hacking or a malicious breach is responsible for only 30%.
Slide 11: ENTERPRISE RISKS: SOCIAL MEDIA
- Many employers and their employees engage in social media of some sort – a corporate blog, Twitter, Facebook, LinkedIn, etc.
- Employer use of social media can lead to privacy, defamation, trade libel, trademark infringement, and copyright infringement claims.
- A recent study shows that only 40% of corporate directors and general counsel at public companies believe their company has a good handle on the risks associated with social media.
- Only 39% of companies even have a social media policy.
- If properly tied to an overall internet and policy, a comprehensive social media policy can be used to help reduce defamation, trade libel, trademark infringement, and copyright infringement claims.
Slide 12: ENTERPRISE RISKS: BUSINESS INTERRUPTION
- Technology/Systems/software that don't work as planned
- Computer malfunction or attack
- Can lead to massive business interruption claims
Slide 13: ENTERPRISE RISKS: VENDOR/BUSINESS PARTNER ISSUES
- 30-40% of all breaches are caused by vendors (litigation support, offsite storage, disaster recovery, mail room, shredding service, cleaning service).
- Must have contracts that shift liability to the vendor (defense and indemnity).
Slide 14: ENTERPRISE RISKS: LACK OF ACTION BY COMPANIES RE CYBER EXPOSURE
- Recent studies show that data security was the number one concern of directors and general counsel at public companies.
- 33% of GCs believe their board is not effective at managing cyber risk.
- Yet only 42% of companies had a crisis management plan in place.
Slide 15: LEGAL RISKS
- Explanation of federalism system of government in the U.S.: State v. Federal powers
- State government efforts: new laws and regulations
- Federal (U.S. government) efforts: new laws and regulations
- Common law: class actions
- Trends
Slide 16: LEGAL RISKS: EXAMPLE
- Stolen IP and lack of digital risk management safeguards can lead to large shareholder derivative claims against directors and officers and other claims for large companies.
- Cyber claims can put small companies out of business.
- The Wall Street Journal ran a series last year about the number of small companies that filed for bankruptcy or suffered significant financial losses due to the costs of responding to data breaches.
Slide 17: LEGAL RISKS: STATE LAW
State Laws and Trends
- 46 States with Breach Notification Laws
- Attorney General/Other Agency Notification
Slide 18: LEGAL RISKS: FEDERAL LAWS PROTECTING PERSONAL INFORMATION
- F.A.C.T.A. “Red Flag” Rule: Rules that require financial institutions and creditors to develop and implement written identity theft prevention programs.
- H.I.P.A.A. Security Rule: Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
- H.I.T.E.C.H. Law: Extends the scope of HIPAA requirements to the business associates of covered entities. This also expands the regulations to include mandatory breach notifications, heightened enforcement, increased penalties and patient rights.
- Gramm-Leach-Bliley Act: Requires financial institutions to have in place standards which protect the security of their banking customers’ nonpublic information.
- I.T.E.R.A.: The Identity Theft Enforcement and Restitution Act amends the federal criminal code to authorize criminal restitution orders in identity theft cases.
Slide 19: LEGAL RISKS: FTC ENFORCEMENT IS ON THE RISE
- Since 2005, the FTC has settled dozens of cases against companies for issues ranging from failure to safeguard private information to failure to comply with their own privacy policies.
- Not even small “do good” firms escape the FTC’s reach.
Slide 20: LEGAL RISKS: COMMON LAW CAUSES OF ACTION - OVERVIEW
- Malpractice
- Negligence
- Breach of fiduciary duty
- Fraud
Slide 22: LEGAL RISKS: FRAUD
- Material misrepresentation by defendant (that information would be kept private) induced plaintiff to provide private information, reasonably believing that it would be kept private.
- Plaintiff was damaged because the information was not kept private.
Slide 23: LEGAL RISKS: EU PLANS NEW CYBERSECURITY RULES
- The Wall Street Journal recently reported that the EU is considering enacting laws and regulations that would require search engines, energy providers, banks, transit hubs, stock exchanges and other companies to report disruptions and breaches to government authorities.
- The WSJ further reported that “In the U.S., a White House backed bill, which would have established a voluntary regime of cybersecurity standards developed by private industry, was blocked by Republican lawmakers in August.”
Slide 24: LEGAL RISKS: CYBER LITIGATION TRENDS
- Privacy/Security Breaches
- Avoiding Spoliation
- Jurisdiction
- Motions to Dismiss
- Class Certification and Settlement
- Technology Errors & Omissions
- Vendor Contracts
- Cyber Media Liability
- Social Media
- Publishing
Slide 25: LEGAL RISKS: COST OF A DATA BREACH: TANGIBLE COSTS
- Legal Fees: $100,000
- Customer Notification: $10,000
- Public Relations: $20,000
- Credit Monitoring: $50,000
- Customer Demands/Reimbursement: $300,000
- Forensic Investigation: $25,000
- Total: $505,000
- Insurable Costs: $505,000 (less any applicable deductible)
Slide 26: INTANGIBLE COSTS
- Loss of Customer Goodwill/Trust
- Loss of Future Revenues Due to Reputation Damage
- Employee Downtime
Slide 27: PROTECTING YOUR BOTTOM LINE AND REPUTATION: STEPS FOR COMBATING BREACHES
Technical Steps:
- Strong and complex passwords & encryption
- Monitoring software
- Bottom-up security approach – allowing employees access to only the set of resources required to perform their job function
- Regular implementation of security patches and updates
- Threat assessments
- Proactively look for potential risks
- Review logs proactively
- Intrusion / penetration testing
- Independent testing of security protocols
Slide 28: PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT STEPS
- Evaluate Breach Exposure as an Enterprise Risk
- What Policies/Procedures Protect Network and Sensitive Information?
- Form Breach Response Team:
  - Stakeholders
  - Internal Communication
  - External Communication
  - Compliance
  - Brand/Reputation Protection
- Periodically Test Breach Response and Revise as Warranted
Slide 29: PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT STEPS
Pre-Breach Response Planning:
- Identify Stakeholders
- Establish Analysis and Communication Protocols
- Evaluate Vendor Needs
- Remediation and Recovery Procedures
- Human Resource Involvement
- Testing (DRP)
Incident Analysis:
- Breach Containment
- Damage Determination
- Legal Analysis
- Communication
Incident Disclosure:
- Analyze Requirements (State and Fed Considerations)
- Consider All Notification Methods
- Third Party Vendors for Notification and PR(?)
- Roll Out Notifications Over Time
Loss Mitigation:
- Insurance Remedies
- Credit Monitoring
- Public Relations
- Customer Retention Plans
- Implementation of IT Upgrades
Communication & Remediation:
- Public Relations
- Ongoing Marketing Efforts
- IT as part of the Ongoing Solution
- HR Involvement TBD
Slide 30: PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT STEPS
Before the Data Security Incident:
- Plan and prepare
- Recognize that regulators expect compliance
- Incident response plan
- Workforce security awareness training
- Annual privacy/security risk assessment
- Identify resources needed to respond to an incident
During the Incident (Conducting an Investigation):
- Implement incident response plan
- Document everything
- Manage internal and external communications (know who to notify)
- Mitigate harm to affected persons
- Work cooperatively with regulators
After the Investigation Concludes:
- Gap analysis
- Fix identified problems
- Update the incident response plan based on lessons learned
- Incorporate lessons learned into training
Slide 31: PROTECTING YOUR BOTTOM LINE: EVOLUTION OF CYBER INSURANCE
- Past: Internet and e-commerce
- Present: Identity Theft and Privacy Regulations
- Future: Social Media, Cloud Computing, Expanded BI, Additional Regulation
February 21, 2013
Slide 32: PROTECTING YOUR BOTTOM LINE AND REPUTATION: CYBER LIABILITY MARKETPLACE
- Evolution of Cyber Insurance
- Some companies offer business interruption cover: positive development
- Who is in the Hot Seat?
- Risk Management and Underwriting Considerations
Slide 33: PROTECTING YOUR BOTTOM LINE: OUR EXISTING INSURANCE PROVIDES ENOUGH COVERAGE − ARE YOU SURE?
- Ok for existing limits to be eroded by a data breach?
- If you aren’t purchasing more than you need, a data breach claim could leave you bare if you have the type of claim for which the coverage was purchased.
Slide 34: PROTECTING YOUR BOTTOM LINE: OUR EXISTING INSURANCE PROVIDES ENOUGH COVERAGE − ARE YOU SURE?
What isn’t covered by traditional policies?
- Non-client claims, including claims stemming from bots, spyware and other malware on your system without your authorization.
- Responding to regulatory inquiries.
- Complying with state breach notification laws, including providing notice to regulators and potentially impacted individuals.
- Credit monitoring.
- Public relations costs incurred in connection with a breach response.
- Correcting risk control deficiencies that may have contributed to a breach.
- Managing relationships with privacy regulatory/law enforcement authorities.
- Your vicarious liability for your vendor’s breach.
- Theft of laptops, Blackberries, iPhones, USB drives, etc.
Slide 35: PROTECTING YOUR BOTTOM LINE: OUR EXISTING INSURANCE PROVIDES ENOUGH COVERAGE − ARE YOU SURE? COST OF A DATA BREACH
Reputational damage − lost client trust/loyalty. Symantec study results:
- 85% would only want to do business with companies that haven’t had a breach.
- 82% would warn others not to do business with a company that had a breach.
Slide 36: PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT AND UNDERWRITING CONSIDERATIONS
- Target of Choice or Opportunity?
- Facebook and LinkedIn
- Smart phones: Health care providers/PHI; Business/Proprietary Info
Basic Issues:
- Employee awareness and training
- Password security − Administrator too!
- Avoid using/keeping PII and PHI absent need
- Limit use of PII to only those who need it
- Paper records
- Adopt defenses to known attack methods
- Coverage gaps in traditional policies
- Media: Does coverage follow you where you publish?
Slide 37: QUESTIONS?
Josh M. Kantrow, Lewis Brisbois Bisgaard & Smith LLP