SPEAKER INTRODUCTION Josh M. Kantrow is a Partner at Lewis Brisbois who advises clients on how to protect their intellectual property, trade secrets and proprietary information from security breaches. Josh litigates a wide variety of high-exposure, complex cyber, technology, computer-related and professional liability matters throughout the United States. Josh is an AV® Preeminent™ peer review rated lawyer by Martindale-Hubbell, reflecting the highest peer recognition for both ethical standards and legal ability, is a Chicago Top Rated Lawyer, and a current Illinois “Leading Lawyer” for Commercial Litigation, Insurance Law and Professional Liability. Josh is active in pro-Israel causes and the Chicago Jewish Community and has visited Israel many times. Josh co-founded and co-chaired the American Israel Public Affairs Committee’s (AIPAC) Young Leadership Council in Chicago. Over the past 12 years, the Young Leadership Council has produced thousands of pro-Israel activists in the Chicago area.
So You Want to Do Business in the United States: Protecting Your Intellectual Property, Bottom Line and Reputation from Cyber Intrusions and Security Breaches Josh Kantrow Lewis Brisbois Bisgaard & Smith LLP
OVERVIEW Background re digital risk explosion. What are the enterprise risks caused by internet connectivity? What are the legal risks in the United States caused by internet connectivity? What you can do to protect your bottom line and reputation (or the bottom line and reputation of companies in which you invest that do business in the U.S.)?
BACKGROUND: DIGITAL RISK EXPLOSION
99.9% of new information is stored digitally.
Facebook collects an average of 15 TB of data every day or TB per year.
–That’s equivalent to the amount of paper stored in the beds of 15 pickup trucks per day.
Privacy breaches are occurring more often - more than once a day.
–The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in
–By 2009 the 5 year average was about 40 per month.
BACKGROUND: OFTEN OVERLOOKED SOURCES OF DATA Photocopiers Shredding machines Flash drives Smart phones Tablets Cloud storage (Google Drive, DropBox, eDiscovery Systems, etc) Court Reporters - Audio/Video Tapes, Transcripts
BACKGROUND: HOW DO BREACHES HAPPEN
Traditional “Hacking” – only one type of breach
–Number of Attacks Increasing & Sophistication of Attacks Increasing
China (in some cases, state sponsored; recently China Hackers hit big U.S. Media like the Wall Street Journal and New York Times)
Eastern Europe
Africa
–The security firm Mandiant estimated that 80 major U.S. law firms were hacked in
–Action Items:
Improve Network Security Policies/Procedures
Encryption of Sensitive Information
Penetration Testing
Breach Response Plan and Testing
ENTERPRISE RISKS: OVERVIEW Theft of IP/Proprietary information/business secrets Stolen customer information Negligence Social media/e-publishing Bad technology and software Business interruption Vendor negligence or fault
ENTERPRISE RISKS: THEFT OF IP Data breaches where there is theft of IP, proprietary data, confidential business secrets, etc. China and other countries actively stealing and attempting to steal such information. IP can be stolen not just from hacking into the target company’s computer systems but via the vendors (i.e. professional service providers like law firms, accounting firms, etc.) that do work for them. In fact, it’s often easier to do it this way.
ENTERPRISE RISKS: STOLEN CUSTOMER INFORMATION Data breaches, where customers' personal information (health, financial, employment records, social security numbers, credit card information, etc.) is stolen.
ENTERPRISE RISKS: DATA BREACHES VIA NEGLIGENCE Data breaches via negligence (i.e. leaving a laptop or a smart phone in a coffee shop or on a bus). In fact, negligence is responsible for about 70% of all breaches, while network hacking or a malicious breach is only responsible for 30%.
ENTERPRISE RISKS: SOCIAL MEDIA Many employers and their employees engage in social media of some sort – a corporate blog, Twitter, Facebook, LinkedIn, etc. Employer use of social media can lead to privacy, defamation, trade libel, trademark infringement, and copyright infringement claims. A recent study shows that only 40% of corporate directors and general counsel at public companies believe their company has a good handle on the risks associated with social media. Only 39% of companies even have a social media policy. If properly tied to an overall internet and policy, a comprehensive social media policy can be used to help reduce defamation, trade libel, trademark infringement, and copyright infringement claims.
ENTERPRISE RISKS: BUSINESS INTERRUPTION Technology/Systems/software that don't work as planned Computer malfunction or attack Can lead to massive business interruption claims
ENTERPRISE RISKS: VENDOR/BUSINESS PARTNER ISSUES 30-40% of all breaches are caused by vendors (litigation support, offsite storage, disaster recovery, mail room, shredding service, cleaning service). Must have contracts that shift liability to vendor (defense and indemnity).
ENTERPRISE RISKS: LACK OF ACTION BY COMPANIES RE CYBER EXPOSURE Recent studies show that data security was the number one concern of directors and general counsel at public companies. 33% of GCs believe their board is not effective at managing cyber risk. Yet only 42% of companies had a crisis management plan in place.
LEGAL RISKS Explanation of federalism system of government in the U.S.: State v. Federal powers State government efforts: new laws and regulations Federal (U.S. government) efforts: new laws and regulations Common law: class actions Trends
LEGAL RISKS: EXAMPLE Stolen IP and lack of digital risk management safeguards can lead to large shareholder derivative claims against directors and officers and other claims for large companies. Cyber claims can put small companies out of business. Wall Street Journal ran a series last year about the number of small companies who filed for bankruptcy or suffered significant financial losses due to the costs of responding to data breaches.
LEGAL RISKS: STATE LAW State Laws and Trends –46 States with Breach Notification Laws –Attorney General/Other Agency Notification
LEGAL RISKS: FEDERAL LAWS PROTECTING PERSONAL INFORMATION
F.A.C.T.A. “Red Flag” Rule: Rules that require financial institutions and creditors to develop and implement written identity theft prevention programs.
H.I.P.A.A. Security Rule: Requires appropriate administrative, physical and technical safeguards to ensure confidentiality, integrity and security of electronic protected health information.
H.I.T.E.C.H. Law: Extends the scope of HIPAA requirements to the business associates of covered entities. This also expands the regulations to include mandatory breach notifications, heightened enforcement, increased penalties and patient rights.
Gramm-Leach-Bliley Act: Requires financial institutions to have in place standards which protect the security of their banking customers’ nonpublic information.
I.T.E.R.A.: The Identity Theft Enforcement and Restitution Act amends the federal criminal code to authorize criminal restitution orders in identity theft cases.
LEGAL RISKS: FTC ENFORCEMENT IS ON THE RISE Since 2005, the FTC has settled dozens of cases against companies for issues ranging from failure to safeguard private information to failure to comply with their own privacy policies. Not even small “do good” firms escape the FTC’s reach.
LEGAL RISKS: COMMON LAW CAUSES OF ACTION - OVERVIEW Malpractice Negligence Breach of fiduciary duty Fraud
LEGAL RISKS: FRAUD Material misrepresentation by defendant (that information would be kept private) induced plaintiff to provide private information, reasonably believing that it would be kept private. Plaintiff was damaged because the information was not kept private.
LEGAL RISKS: EU PLANS NEW CYBERSECURITY RULES The Wall Street Journal recently reported that the EU is considering enacting laws and regulations that would require search engines, energy providers, banks, transit hubs, stock exchanges and other companies to report disruptions and breaches to government authorities. The WSJ further reported that “In the U.S., a White House backed bill, which would have established a voluntary regime of cybersecurity standards developed by private industry, was blocked by Republican lawmakers in August.”
LEGAL RISKS: CYBER LITIGATION TRENDS –Privacy/Security Breaches Avoiding Spoliation Jurisdiction Motions to Dismiss Class Certification and Settlement –Technology Errors & Omissions Vendor Contracts –Cyber Media Liability Social Media Publishing
LEGAL RISKS: COST OF A DATA BREACH: TANGIBLE COSTS
Legal Fees: $100,000
Customer Notification: $10,000
Public Relations: $20,000
Credit Monitoring: $50,000
Customer Demands Reimbursement: $300,000
Forensic Investigation: $25,000
Total: $505,000
Insurable Costs: $505,000 (Less any applicable Deductible)
INTANGIBLE COSTS Loss of Customer Goodwill/Trust Loss of Future Revenues Due to Reputation Damage Employee Downtime
PROTECTING YOUR BOTTOM LINE AND REPUTATION: STEPS FOR COMBATING BREACHES
Technical Steps:
–Strong and complex passwords & encryption
–Monitoring software
–Bottom-up security approach – allowing employees access to the required set of resources to perform their job function
–Regular implementation of security patches and updates
–Threat assessments
a. Proactively look for potential risks
b. Review logs proactively
c. Intrusion / penetration testing
d. Independent testing of security protocols
PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT STEPS Risk Management Steps: Evaluate Breach Exposure as an Enterprise Risk What Policies/Procedures Protect Network and Sensitive Information? Form Breach Response Team Stakeholders Internal Communication External Communication Compliance Brand/Reputation Protection Periodically Test Breach Response and Revise as Warranted
PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT STEPS Identify Stakeholders Establish Analysis and Communication Protocols Evaluate Vendor Needs Remediation and Recovery Procedures Human Resource Involvement Testing (DRP) Breach Containment Damage Determination Legal Analysis Communication Analyze Requirements (State and Fed Considerations) Consider All Notification Methods Third Party Vendors for Notification and PR(?) Roll Out Notifications Over Time Insurance Remedies Credit Monitoring Public Relations Customer Retention Plans Implementation of IT Upgrades Public Relations Ongoing Marketing Efforts IT as part of the Ongoing Solution HR Involvement TBD Pre-Breach Response Planning Incident Analysis Incident Disclosure Loss Mitigation Communication & Remediation
PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT STEPS
Before the Data Security Incident
–Plan and prepare
–Recognize that regulators expect compliance
–Incident response plan
–Workforce security awareness training
–Annual privacy/security risk assessment
–Identify resources needed to respond to an incident
During the Incident (Conducting an Investigation)
–Implement incident response plan
–Document everything
–Manage internal and external communications (Know who to notify)
–Mitigate harm to affected persons
–Work cooperatively with regulators
After the Investigation Concludes
–GAP analysis
–Fix identified problems
–Update the incident response plan based on lessons learned
–Incorporate lessons learned into training
PROTECTING YOUR BOTTOM LINE: EVOLUTION OF CYBER INSURANCE February 21,
Past: Internet and e-commerce
Present: Identity Theft and Privacy Regulations
Future: Social Media, Cloud Computing, Expanded BI, Additional Regulation
PROTECTING YOUR BOTTOM LINE AND REPUTATION: CYBER LIABILITY MARKETPLACE Evolution of Cyber Insurance Some companies offer business interruption cover: positive development Who is in the Hot Seat? Risk Management and Underwriting Considerations
PROTECTING YOUR BOTTOM LINE: OUR EXISTING INSURANCE PROVIDES ENOUGH COVERAGE−ARE YOU SURE? Ok for existing limits to be eroded by a data breach? − If you aren’t purchasing more than you need, a data breach claim could leave you bare if you have the type of claim for which the coverage was purchased.
PROTECTING YOUR BOTTOM LINE: OUR EXISTING INSURANCE PROVIDES ENOUGH COVERAGE−ARE YOU SURE? What isn’t covered by traditional policies? − Non-client claims, including claims stemming from bots, spyware and other malware on your system without your authorization. −Responding to regulatory inquiries. −Complying with state breach notification laws, including providing notice to regulators and potentially impacted individuals. −Credit monitoring. −Public relations costs incurred in connection with a breach response. −Correcting risk control deficiencies that may have contributed to a breach. −Managing relationships with privacy regulatory/law enforcement authorities. −Your vicarious liability for your vendor’s breach. −Theft of laptops, Blackberries, iPhones, USB drives etc.
PROTECTING YOUR BOTTOM LINE: OUR EXISTING INSURANCE PROVIDES ENOUGH COVERAGE−ARE YOU SURE? COST OF A DATA BREACH Reputational damage−lost client trust/loyalty Symantec study results: −85% would only want to do business with companies that haven’t had a breach. −82% would warn others not to do business with a company that had a breach.
PROTECTING YOUR BOTTOM LINE AND REPUTATION: RISK MANAGEMENT AND UNDERWRITING CONSIDERATIONS Target of Choice or Opportunity? Facebook and LinkedIn Smart phones: Health care providers/PHI; Business/Proprietary Info Basic Issues –Employee awareness and training –Password security − Administrator too! –Avoid using/keeping PII and PHI absent need –Limit use of PII to only those who need it –Paper records –Adopt defenses to known attack methods –Coverage gaps in traditional policies Media: Does coverage follow you where you publish?
QUESTIONS? Josh M. Kantrow Lewis Brisbois Bisgaard & Smith LLP