Presentation is loading. Please wait.

Presentation is loading. Please wait.

Litigating Privacy, Cybersecurity, and Data Breach Issues in 2014 American Bar AssociationDavid Z. Bodenheimer Litigation Section ProgramCrowell & Moring.

Similar presentations


Presentation on theme: "Litigating Privacy, Cybersecurity, and Data Breach Issues in 2014 American Bar AssociationDavid Z. Bodenheimer Litigation Section ProgramCrowell & Moring."— Presentation transcript:

1 Litigating Privacy, Cybersecurity, and Data Breach Issues in 2014 American Bar AssociationDavid Z. Bodenheimer Litigation Section ProgramCrowell & Moring LLP 2014 Spring MeetingWashington, DC Scottsdale, AZ © 2014 Crowell & Moring LLP

2 Data Breach Litigation in 2014 © 2010 Crowell & Moring LLP

3 3 Data Breach Litigation Overview of Data Breach Litigation 1. Security Standards 2. Litigation Lifecycle (Financial) 3. Litigation Lifecycle (Healthcare) 4. Litigation with Biggest Buyer 5. Other Litigation Risks

4 Security Standards Federal Security Security Objectives Integrity, Availability & Confidentiality Acceptable Security Not Perfect Security Risk-Based Security Commensurate with risk and magnitude of harm Periodic Risk Assessments Cost-Effective Security Cost-effectively reduce risk to acceptable level [FISMA, 44 U.S.C. § 3544] Illustrative Precedent (Federal Indian Trust Fund) Outdated Security Plans(Over 66%) Uncertified IT Systems(Over 75%) Ineffective Training Poor Agency Oversight Limited Testing (20 most serious weaknesses) Cobell v. Kempthorne, 455 F.3d 301 (D.C. Cir. 2006) 4

5 Security Standards Framework Security Voluntary Consensus-based Standards Risk-Based Security Risk Assessments Cost-Effective Security Cost-effective Risk Management Senior Management Role Not Just IT Function Risk Considered at C-Suite NISTCybersecurity Framework (Feb. 2014) NIST Cyber Framework 5

6 Security Standards Reasonable Security Courts have applied a standard of commercially reasonable security Factors include: –Prior breaches & injury –Risk-based analysis –Difficulty to implement –Holistic approach (factors as a whole vs. single type of failure) Illustrative Precedent “Because it had the capacity to do all of those things [i.e., adopt security safeguards], yet failed to do so, we cannot conclude that its security system was commercially reasonable. We emphasize that it was these collective failures taken as a whole, rather than any single failure, which rendered [defendant’s] security system commercially unreasonable.” Patco Const. Co. v. People’s United Bank, 684 F.3d 197 (1 st Cir. 2012) 6

7 7 Data Breach Litigation Overview of Data Breach Litigation 1. Security Standards 2.Litigation Lifecycle (Financial) 3. Litigation Lifecycle (Healthcare) 4. Litigation with Biggest Buyer 5. Other Litigation Risks

8 8 Data Breach (Financial) The Breach: Ground Zero Biggest Data Breaches (2012) Identity Theft Resource Center

9 9 Data Breach (Financial) Investigation/Clean-Up $105.5 Million –Professional Fees –Investigation –B2B Incentive Payments $35.7 Million –Fraud Losses & Fines ($20 Million) –Insurance Receipts _____________________________________ $121.2 Million (total) SEC 10k Statement “To date, we have not experienced a material loss of revenue that we can confirm has been related to this event. However, this event and our related remediation efforts could potentially have a negative impact on future revenues.” No Loss Accruals Insufficient Data to Estimate Losses

10 Stock Impact (2012) “In March 2012, it was reported that a security breach at Global Payments, a firm that processed payments for Visa and Mastercard, could compromise the credit- and debit-card information of millions of Americans. Subsequent to the reported breach, the company’s stock fell more than 9 percent before trading in its stock was halted.” [GAO, June 2012] Stock Impact ? (2013) Data Breach (Financial) 10

11 11 Data Breach (Financial) SEC Disclosure Duty Division of Corporation Finance Securities and Exchange Commission CF Disclosure Guidance: Topic No. 2 Cybersecurity Date: October 13, 2011 Summary: This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents Disclosure Duties Risk of Cyber Incidents Prior Security Breaches Adequacy of Preventative Measures Shareholder Actions “Delaware’s Court of Chancery ruled in the 1996 Caremark case that a director’s good faith duty includes a duty to attempt to ensure that a corporate information and reporting system exists and that failure to do so may render a director liable for losses caused by the illegal conduct of employees. The Delaware Supreme Court clarified this language in the 2006 Stone v.Ritter case – deciding that directors may be liable for the damages resulting from legal violations committed by the employees of a corporation, if directors fail to implement a reporting system or controls or fail to monitor such systems.” Office of National Counterintelligence Exec. (Oct. 2011)

12 12 Data Breach (Financial) B2B Disputes Customer Termination –“VISA also removed the company from its list of approved processors.” [GAO, June 2012] Contract Disputes –33.6% reduction in costs for 2013 –Due to prior year charges (in part) for two contractual disputes in 2012 Contract Settlements –$105.5 Million due in part to “incentive payments to certain business partners” Insurance Disputes Insurance Coverage –$30 Million Policy Limit –$1 Million Deductible Insurance Recovery –$20 million Recovered under Policy Insurance Dispute –Dispute involving excess liability policy –Issue: whether policy’s “privacy” & “technology services” coverage apply –State Nat’l Ins. Co. v. Global Payments, No. 1:13-CV-01205 (ND Ga. filed Apr. 2013)

13 13 Data Breach (Financial) Consumer Action Class Action –Willingham Class Action Standard –Failure to maintain reasonable & adequate procedures –Failure to timely notify of breach Causes of Action –Negligence –Federal Stored Comm. Act –Fair Credit Reporting Act –Georgia Unfair Trade Practices Act –Other common law claims Dismissal (Mar. 6, 2013) SEC 10k Statement BUT: “This event could result in additional lawsuits in the future.”

14 14 Data Breach (Financial) FTC Investigtion “In addition, governmental entities have made inquiries and the Federal Trade Commission has initiated an investigation related to the event.” FTC Implications –Investigations & subpoenas –Wyndham-style litigation –Consent decrees FTC “settled 50 law enforcement actions” relating to data security. Edith Ramirez (FTC Commissioner), Sen. Judiciary Comm., Feb. 4, 2014 Congressional Role Sen. Casey (Apr. 2, 2012) “Following this breach, I wrote to [you] to express my concern and my staff has reached out to staff at the Federal Trade Commission (FTC) and the Federal Reserve.” [Letter cc:’d to FDIC, FCT, NCUA] CEO Responds (Apr. 4, 2012)

15 15 Data Breach Litigation Overview of Data Breach Litigation 1. Security Standards 2. Litigation Lifecycle (Financial) 3. Litigation Lifecycle (Healthcare) 4. Litigation vs. World’s Biggest Buyer 5. Other Litigation Risks

16 16 Data Breach (Healthcare) The Breach: Ground Zero Key Facts 4.9 Million TRICARE Beneficiaries Backup Tapes Stolen from Employee’s Car Biggest Data Breaches (2011) Identity Theft Resource Center

17 17 Data Breach (Healthcare) $4.9 Billion Suit vs. DoD “The Defense Department has been hit by a $4.9 billion class action lawsuit filed on behalf of four military family members and the 4.9 million Tricare beneficiaries whose personal information was contained on tapes stolen from a car in San Antonio in September.” Privacy Act Remedies Criminal Penalties –$5,000 fine for willful violations Civil Sanctions –Injunctive relief –Damages ($1,000 minimum)* –Attorney fees Administrative Remedies –Adverse personnel actions –Contract remedies “U.S., Veterans Settle VA Data Breach Privacy Act Class Action for $20 Million,” Privacy Law Watch (1/29/09)

18 18 Data Breach (Healthcare) Seven Class Actions Richardson et al. v. TMA, SAIC, & DoD (DCDC) Arrellano et al. v. SAIC (W.D. Tex.) Biggerman et al. v. TMA, SAIC, & DoD (DCDC) Moskowitz et al. v. TMA, SAIC, & DoD (DCDC) Palmer et al. v. TMA, SAIC, & DoD (DCDC) Losack et al. v. SAIC (D SD CA) Deatrick v. SAIC(D ND CA) Adcock v. SAIC(D ND FL) (dismissed) SEC 10k Statement (2012)

19 19 Data Breach (Healthcare) MDL Class Action Class Action –In re SAIC Backup Tape Data Theft Causes of Action –Negligence –Breach of express/implied contract –Invasion of privacy –Texas Deceptive Trade Practices –California Acts (multiple) –Fair Credit Reporting Act –Privacy Act Potential Loss/Risk –Insurance Coverage –$10 Million Loss Recorded –Multiple Factors Affect Loss/Risk SEC 10k Statement (2013)

20 20 Data Breach (Healthcare) HHS OCR Investigation “The Company has been informed that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is investigating matters related to the incident. OCR is the division of HHS charged with enforcement of [HIPAA]. OCR may, among other things, require a corrective action plan and impose civil monetary penalties against the data owner (Department of Defense) and, in certain situations, against the data owners’ contractors, such as the Company.” SEC 10k Statement (2013)

21 21 Data Breach (Healthcare) Shareholder Demand “The Company has also received three stockholder demand letters related to City Time (one of which is also related to the TRICARE matter described above). An independent committee of the Company’s board of directors reviewed two of the demands and the Company has decided not to pursue the claims outlined in their demand letters. The third demand is under review by the independent committee.” SEC 10k Statement (2013)

22 22 Data Breach Litigation Overview of Data Breach Litigation 1. Security Standards 2. Litigation Lifecycle (Financial) 3. Litigation Lifecycle (Healthcare) 4. Litigation vs. World’s Biggest Buyer 5. Other Litigation Risks

23 23 World’s Biggest Buyer 800-Pound Information Gorilla “The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007) “Largest buyer of IT on the planet” VivekKundra (Federal CIO) Sen. Homeland Security Comm. (2011)

24 24 Cyber Litigation – FCA Suits Security Problem - Improper disposal of data Impact  False Claims Act suit “PLASTILAM, INC. failed to take sufficient steps to safeguard confidential data, including the names and Social Security numbers of over 100 Medicare beneficiaries. The investigation revealed that a number of misprinted beneficiary cards were discarded, whole, in an unsecured dumpster.”

25 25 Cyber Disputes – Suspension Security Problem - Misuse of DoD data (wrong purpose) Impact  Suspension  Loss of $5B Contract “But earlier this month the deputy general counsel of the U.S. Air Force suspended the L-3 unit responsible for the work from receiving new orders because of the investigation. Employees at L-3’s special support programs division were accused of copying government emails and forwarding them without the author’s knowledge.” L-3 Trips as Lockheed Snatches $5 Billion Contract “A disputed U.S. military contract worth up to $5 billion was finally awarded to Lockheed Martin Corp. (LMT) this week after the U.S. Air Force launched an investigation into possibly inappropriate email activities at rival L-3 Communications Corp. (LLL). L-3, a New York-based provider of military and aerospace equipment, reduced its 2010 outlook as a result of the lost contract, which represented about 3% of its 2009 revenue, according to a government filing. Full-year profit is now expected to be in a range of $8.09 to $8.29 a share, compared to a prior view of $8.13 to $8.33 a share.”

26 26 Cyber Litigation vs. Fed. Gov. Security Problem - Prior security risks Impact  Protest Litigation Company’s “nonconformance with system security requirements ‘may have put the Medicare program at risk,’ [and] ‘could have a negative effect on the Offeror’s ability to perform efficiently and protect the confidentiality, integrity, and availability’ [of Mediare data].” Wisconsin Physicians Service Ins. Corp., GAO B-401068.14 (Jan. 2013) Protest Litigation

27 27 Cyber Disputes – DOJ & IGs Security Problem - Failure to install safeguards Impact  IG investigation  False statement risk  Criminal exposure Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007) “criminal investigation” “fraudulent statement”

28 28 Contractor Liability Risks on the Cyber Battlefield Going on the Offensive: Contractors in Cyber War International Law - Authority to attack? -Authentication? -Rogue virus? U.S. Law - Electronic surveillance & wiretapping laws - Covert operations (Title 10 vs. Title 50) - Posse Comitatus (DoD & domestic operations) $50 Billion Lawsuit “One lawsuit alone, filed May 12 by a purported national class of Verizon customers, seeks $50 billion in damages.” [“Court Will Decide State Secrets Issues First in NSA Phone Surveillance Class Action Suit,” Privacy Law Watch, June 9, 2006]

29 29 Data Breach Litigation Overview of Data Breach Litigation 1. Security Standards 2. Litigation Lifecycle (Financial) 3. Litigation Lifecycle (Healthcare) 4. Litigation vs. World’s Biggest Buyer 5. Other Litigation Risks

30 IP & Trade Secrets Gone? Do the CEO, CFO, & GC Care? Wiped Out? © 2011 Crowell & Moring LLP 30

31 31 Data Losses & Cyber Breach 2x Library of Congress  38 terabytes of lost data “As an example of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers – equivalent to nearly double the amount of text contained in the Library of Congress.” [Sen. Whitehouse, May 10, 2010] 2 x It’s Personal “As an example, in 2008, [China’s] APT1 compromised the network of a company involved in a wholesale industry.... Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel.” [Mandiant Report (Feb. 2013)]

32 One Firm’s IP Loss “For example, a 2011 FBI report noted, ‘company was the victim of an intrusion and lost 10 years’ worth of research and development data –valued at $1 billion – virtually overnight.’” CRS Report, 2013 Cybersecurity Executive Order (Mar. 2013) $1 Trillion IP Losses “Last year alone, cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” (President Obama, 2009) IP Cyber Losses 32

33 Infiltrated M&A Deals $2.4 Billion Huiyuan Deal. Coca Cola’s deal collapsed after hackers took key files $40 Billion BHP Deal. BHP Billiton Ltd’s bid to acquire Potash Corp. collapsed after cyber theft “Coke Gets Hacked and Doesn’t Tell Anyone,”Bloomberg.com(Nov. 2012) Counter Intel Report “Information was pilfered from the corporate networks of a US Fortune 500 manufacturing company during business negotiations in which that company was looking to acquire a Chinese firm.... [T]his may have helped the Chinese firm attain a better negotiating and pricing position.” National Counter-intelligence Executive Report (Oct. 2011) Cybered M&A Deals 33

34 Investors Really Care 70% of investors – interested in reviewing corporate cyber practices 80% of investors – likely would not invest if history of cyber attacks Zogby Analytics Survey (Mar. 2013) Litigation Risks SEC Investigations Shareholder Suits Regulatory Violations (DFARS) Export Investigations (ITAR) B2B Disputes –NDA Violations –Trade Secret Breaches & IP Losses Data Breach (IP/Trade Secrets) 34

35 35 Questions? David Z. Bodenheimer Crowell & Moring LLP dbodenheimer@crowell.com (202) 624-2713 26834453


Download ppt "Litigating Privacy, Cybersecurity, and Data Breach Issues in 2014 American Bar AssociationDavid Z. Bodenheimer Litigation Section ProgramCrowell & Moring."

Similar presentations


Ads by Google