We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byVeronica King
Modified about 1 year ago
The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP
2 March 2013 Data Breaches
© 2013 Winston & Strawn LLP 3 Overview 1.Anatomy of a Data Breach 2.Data Breach Incident Response 3.Handling the Aftermath of a Breach 4.The Legal Landscape 5.Practical Strategies to Mitigate your Risk
4 © 2013 Winston & Strawn LLP Anatomy of a Data Breach
© 2013 Winston & Strawn LLP 5 Q: What is a Data Breach? A) Hackers B) Lost laptop C) Misdirected containing Personal Information D) Improperly disposed of paper files E) All of the above
© 2013 Winston & Strawn LLP 6 How Do Data Breaches Occur? INTERNAL EXTERNAL INTENTIONAL ACCIDENTAL
© 2013 Winston & Strawn LLP 7 Insider Threat- Negligent Employees 1. Pathetic Passwords 2. Loss of devices 3. Improper disposal 4. Misdirected s 5. Falling for Phishing 6. Use of Public WiFi
© 2013 Winston & Strawn LLP 8 Insider Threat – Employee theft 52% of insider thefts are trade secret related 65% of insiders had accepted positions with a competitor 20% were recruited by an outsider 50% steal data within a month of leaving 54% used a network- , a remote network access channel, or network file transfer
9 © 2013 Winston & Strawn LLP Best Practices of a Data Breach Response
© 2013 Winston & Strawn LLP 10 Data Breach Response Timeline 00:00Mobilize ResourcesStabilizeInvestigateNotifyAfter Action Review
© 2013 Winston & Strawn LLP 11 Step 1 - Mobile Resources: Immediate Response Team Legal Department Privacy Counsel Human Resources Forensic Experts Notification Support SecurityIT Professionals Communication Support Business Group (Data Owners) C. Suite
© 2013 Winston & Strawn LLP 12 Step 2 - Stabilize/Secure Data Act quickly, but cautiously Take steps to secure data Preserve evidence including logs, back ups Obtain expert advice/legal counsel
© 2013 Winston & Strawn LLP 13 Step 3 - Investigation Goal : Determine the scope and nature of breach Identify all affected data, machines and devices Preserve Evidence (Chain of Custody) Understand how the data was protected Develop the Record Conduct interviews with key personnel Document evidence and findings carefully Quantify the exposure of data compromised
© 2013 Winston & Strawn LLP 14 Importance of Investigatory Privilege Treat every incident as potential litigation Engage Legal Counsel at onset Direct the forensic/security vendors through Legal Counsel Label communications “Confidential and Privileged”
© 2013 Winston & Strawn LLP 15 Do you Involve Law Enforcement? PROS For serious criminal activity, partner with law enforcement LE brings additional resources to investigation Shows you are taking the breach seriously CONS May not meet law enforcement threshold Could lose control over your investigation Information of breach could become public
16 © 2013 Winston & Strawn LLP Handling the Aftermath of a Breach
© 2013 Winston & Strawn LLP 17 Texas Data Breach Statute Texas Business and Commerce Code “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.” Notify as quickly as possible Extra-territorial application Civil penalty up to $250,000 for a single breach.
© 2013 Winston & Strawn LLP 18 Was there a Breach? 1. What information is Involved? Names Financial Account data SSNs Government ID numbers Credit Card data Date of Birth
© 2013 Winston & Strawn LLP 19 Was there a Breach? 2. Was the Information Compromised? Unauthorized access or acquisition Sometimes just access/acquisition Has the “security, integrity or confidentiality” of the laptop info been compromised? Is there a “material compromise”? Has illegal use occurred or is it likely to occur? 3. Is there an Exception? Hard copy files Encrypted data Good faith exception
© 2013 Winston & Strawn LLP 20 Who do you have to Notify? Impacted individuals Typically consumers or employees Applicable law is where individual resides Some states require specific information (MA, IL) Timing restrictions: typically “expediently” or 45 days (FL, WI, OH) Federal or State authorities Depends type of information at issue/threshold numbers affected Credit reporting agencies Usually must meet a threshold of impacted state residents
© 2013 Winston & Strawn LLP 21 Effectively Communicate about Breach Communicate breach facts accurately and quickly Understand and follow breach notification timetables Stay focused and concise Be prepared to update with new information What you might offer: Information about security freezes and credit monitoring Giving contact information for credit reporting agencies, FTC or state authorities Having a central “ombudsman” for all questions Credit monitoring or identity restoration services Coupons or gift certificates
© 2013 Winston & Strawn LLP 22 After Action Review How did the team respond? What can be improved in response/investigation? What security issues can be tightened up? Modify your plan/procedures if necessary
23 © 2013 Winston & Strawn LLP The Legal Landscape
© 2013 Winston & Strawn LLP 24 Federal & State Regulatory Agencies Federal Agencies with Privacy Jurisdiction Federal Trade Commission Department of Justice Office for Civil Rights (HHS) Consumer Financial Protection Bureau Office of the Comptroller of the Currency Federal Communications Commission And others Practice Tip – If you regularly have data breaches, get to know your regulators and their notification preferences. State Agencies Likewise have Privacy Enforcement
© 2013 Winston & Strawn LLP 25 Data Breach Civil Litigation Theories of Liability Negligence Gross Negligence Deceptive Trade Practices Breach of Contract Fraud Significant Risk to Companies TJX Litigation Settled for over 40 Million dollars Heartland Payment Systems pending litigation – 12 Million spent in attorney fees
© 2013 Winston & Strawn LLP 26 Legal Trends Data Breach cases are on the Rise Most Courts require Actual Harm Reilly v. Ceridian (3rd Cir.) – Hacker stole 250,00 records But Court dismissed finding potential future injury is not enough Recent case: No Harm required Resnick v. AvMed, Inc.(11th Cir.) – Health plan provider failed to protect PII information. No facts tying data breach to subsequent data. Court allowed Unjust enrichment theory
© 2013 Winston & Strawn LLP 27 Trade Secret Litigation Increase in Trade Secret Litigation To be Successful you must: Establish a Trade Secret (1)Secrecy (2)Independent Economic Value (3)Reasonable Efforts to Maintain Secrecy Prove Misappropriation Allege Damages and/or right to Injunctive Relief
28 © 2013 Winston & Strawn LLP Practical Strategies
© 2013 Winston & Strawn LLP 29 The Best Defense is an ongoing Data Security Program Eliminate unnecessary data Ensure essential controls are met Monitor/mine event logs Implement a firewall on remote access services Change default credentials of POS systems and other internet facing devices Ensure third party vendors are complying with data protection strategies Recommendations from 2012 Verizon Report
© 2013 Winston & Strawn LLP 30 Fully Plan your Breach Response Understand where your data is and how it is protected Develop good privacy and security policies Train employees and monitor enforcement Develop a Data Breach Incident Response Plan Understand what laws/regulations apply Explore Cyber-insurance
© 2013 Winston & Strawn LLP 31 Security Policies: Evaluating what documents you need Remote access policy Internet and electronic communications policy Social media policy Password policy Mobile device policy Guest access policy Vendor access policy Network device attachment policy
© 2013 Winston & Strawn LLP 32 To Learn more…
Eight Strategies to Reduce Your Risk in the Event of A Data Breach Sheryl Falk December 10, 2013.
Star Wars in the New Millennium: Cyber Liability and Data Risk.
HIPAA The New HIPAA Laws Now Have REAL Penalties; Criminal & Civil Legal Information Is Not Legal Advice This site provides information about the law designed.
Examination of a Privacy Breach WHAT TO DO WHEN A PRIVACY BREACH OCCURS MISA London Region Professional Network PIM Regional Training Workshop: Privacy.
Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association.
Cyber Liability: Data, Privacy and the Perils of Social Networking.
Breach Response TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Breach vs. Incident – a Guided Discussion Sharon Blanton, PhD Craig Schiller, CISSP-ISSMP, ISSAP Chief Information Officer Chief Information Security Officer.
Bring Your Own Device: Challenges faced by the Consumerization of IT Therese P. Miller, Esq., CIPP Shook, Hardy & Bacon LLP April 18, 2013.
Texas Privacy Update Ana E. Cowan, Associate Deborah C. Hiser, Partner Brown McCarroll LLP A Look at HITECH and H.B.300 Developments.
SECURITY AWARENESS. The Importance of Security Awareness Training Security Awareness Training provides the knowledge to protect information systems and.
Red Flag Rules WELCOME Iowa State University Identity Theft Prevention Program.
Cyber Liability What School Districts Need to Know.
Boston Springfield Albany Enter Presentation Title Here Presenter Name © 2009 Wolf & Company, P.C. Presentation date Location 1 Boston Springfield Albany.
IT Security Auditing. Topics Defining IT Audit Risk Analysis Internal Controls Steps of an IT Audit Preparing to be Audited Auditing IT Applications Who.
1 Data Handling at Purdue. Section I The Importance of Data Security (slides 4 – 5) Laws and Policies (Slides 7 – 18) - Federal - State - Purdue Section.
Anatomy of a HIPAA Breach Maureen DAgostino SVP, Quality, Service and Performance Excellence Colleen McClorey Associate General Counsel, University of.
Privacy and Information Security Training ( ) Privacy and Information Security Training Vanderbilt University Medical Center Information.
A Business-Oriented Overview of IP for Law and Management Students Geneva, May 29-31, 2007 Small and Medium-Sized Enterprises (SMEs) Division World Intellectual.
Mississippi DOM Fraud, Waste, and Abuse (FWA) and HIPAA Training UPDATED 4/1/2014.
HOW TO RESPOND TO A DATA BREACH: ITS NOT JUST ABOUT HIPAA ANYMORE The Fourteenth National HIPAA Summit March 29, 2007 Renee H. Martin, JD, RN, MSN Tsoules,
© Husch Blackwell LLP HIPAA IN THE WORKPLACE September 27, 2013 Deborah C. Hiser Julianne P. Story.
Risk Analysis and Security Management Under HIPAA: What's Practical, Systematic, and Cost-Effective Richard D. Marks Davis Wright Tremaine LLP Washington,
1 Gramm-Leach-Bliley Act (GLBA) Implementation of the Safeguards Rule Information Security Program University of Minnesota (Adapted from the Federal Trade.
Personal Privacy Identity protection in this wired world.
WIPO ASIA SUB-REGIONAL WORKSHOP ON THE USE OF INTELLECTUAL PROPERTY (IP) BY SME SUPPORT INSTITUTIONS FOR THE PROMOTION OF COMPETITIVENESS OF SMEs IN THE.
Legal Issues in Information Security Chapter 5. Objectives Understand U.S. Criminal Law Understand U.S. Criminal Law Understand State Laws Understand.
Risk Management User Group October 18, WELCOME Michael L. Hay, CRM, CGFM, CPPM.
Personal Information Security and Malware Awareness Workshop Bard College at Simons Rock Information Technology Services (ITS) Summer 2012 (Please sign.
HIPAA Security Awareness What You Need To Know. Training Overview This course will discuss the following subject areas: How this training relates to you.
© 2016 SlidePlayer.com Inc. All rights reserved.