The Zero Hour Phone Call: How to Respond to a Data Breach to Minimize your Legal Risk
Sheryl Falk, April 4, 2013
© 2013 Winston & Strawn LLP

March 2013 Data Breaches

Overview
1. Anatomy of a Data Breach
2. Data Breach Incident Response
3. Handling the Aftermath of a Breach
4. The Legal Landscape
5. Practical Strategies to Mitigate your Risk

Anatomy of a Data Breach

Q: What is a Data Breach?
A) Hackers
B) Lost laptop
C) Misdirected email containing Personal Information
D) Improperly disposed of paper files
E) All of the above

How Do Data Breaches Occur?
Internal vs. External; Intentional vs. Accidental

Insider Threat - Negligent Employees
1. Pathetic passwords
2. Loss of devices
3. Improper disposal
4. Misdirected emails
5. Falling for phishing
6. Use of public WiFi

Insider Threat - Employee Theft
- 52% of insider thefts are trade secret related
- 65% of insiders had accepted positions with a competitor
- 20% were recruited by an outsider
- 50% steal data within a month of leaving
- 54% used a network (email, a remote network access channel, or network file transfer)

Best Practices of a Data Breach Response

Data Breach Response Timeline
00:00 Mobilize Resources -> Stabilize -> Investigate -> Notify -> After Action Review

Step 1 - Mobilize Resources: Immediate Response Team
- Legal Department
- Privacy Counsel
- Human Resources
- Forensic Experts
- Notification Support
- Security/IT Professionals
- Communication Support
- Business Group (Data Owners)
- C-Suite

Step 2 - Stabilize/Secure Data
- Act quickly, but cautiously
- Take steps to secure data
- Preserve evidence, including logs and backups
- Obtain expert advice/legal counsel

Step 3 - Investigation
Goal: Determine the scope and nature of the breach
- Identify all affected data, machines and devices
- Preserve evidence (chain of custody)
- Understand how the data was protected
Develop the record
- Conduct interviews with key personnel
- Document evidence and findings carefully
- Quantify the exposure of data compromised

Importance of Investigatory Privilege
- Treat every incident as potential litigation
- Engage legal counsel at the onset
- Direct the forensic/security vendors through legal counsel
- Label communications "Confidential and Privileged"

Do you Involve Law Enforcement?
Pros:
- For serious criminal activity, partner with law enforcement
- LE brings additional resources to the investigation
- Shows you are taking the breach seriously
Cons:
- May not meet the law enforcement threshold
- Could lose control over your investigation
- Information about the breach could become public
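The Stabilize and Investigation steps above call for preserving logs and backups under a chain of custody and documenting the evidence carefully. The following is an added example of how an incident responder can do that in practice; it is not code from the slides or from Winston & Strawn. It assumes the evidence items have been copied to a working directory as ordinary files, and the file names, log lines and "collector" strings are constructed sample values.

```python
"""Evidence-preservation helper: hash-based chain-of-custody manifest.

Added example, not part of the original slides. It assumes the evidence
items are ordinary files (exported logs, backup images) copied to a
working directory; file names and collector names below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream files in 1 MiB chunks so large backup images fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, note=""):
    """Record who collected which files, when, and their hashes and sizes.

    This is the written record the investigation step asks for: anyone who
    later handles the evidence can re-run verify_manifest() to show it is
    unchanged since collection.
    """
    now = datetime.now(timezone.utc).isoformat()
    items = [{"path": os.path.abspath(p),
              "size": os.path.getsize(p),
              "sha256": sha256_file(p)} for p in sorted(paths)]
    return {
        "collected_at": now,
        "collector": collector,
        "note": note,
        "items": items,
        # Each hand-off appends an entry here; the item hashes never change.
        "custody_log": [{"at": now, "by": collector, "action": "collected"}],
    }


def record_transfer(manifest, handler, action):
    """Append a custody event (e.g. a copy handed to an outside forensic vendor)."""
    manifest["custody_log"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "by": handler,
        "action": action,
    })
    return manifest


def verify_manifest(manifest):
    """Re-hash every item; map each path to 'ok', 'modified' or 'missing'."""
    results = {}
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif os.path.getsize(p) != item["size"] or sha256_file(p) != item["sha256"]:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results


def demo():
    """Constructed scenario: collect two evidence files, then detect a later edit."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    backup = os.path.join(workdir, "fileserver-backup.tar")
    with open(auth_log, "w") as f:  # constructed sample log lines
        f.write("Mar 12 02:14:07 srv1 sshd[412]: Accepted password for jdoe from 10.0.0.8\n"
                "Mar 12 02:15:33 srv1 sshd[412]: session opened for user jdoe\n")
    with open(backup, "wb") as f:
        f.write(b"\x00" * 4096)  # stand-in for a backup image

    manifest = build_manifest([auth_log, backup], collector="IR analyst (constructed)",
                              note="Collected on counsel's instruction")
    record_transfer(manifest, "outside forensic vendor (constructed)", "received copy")
    before = verify_manifest(manifest)

    # The log is appended to after collection; the manifest exposes the change.
    with open(auth_log, "a") as f:
        f.write("Mar 12 02:16:00 srv1 sshd[412]: session closed\n")
    after = verify_manifest(manifest)
    return before, after, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    before, after, manifest_json = demo()
    print(manifest_json)
    print("before edit:", before)
    print("after edit:", after)
```

The manifest should itself be stored somewhere the original collectors cannot silently rewrite (for example, handed to counsel alongside the evidence copies), since a hash list only proves integrity relative to the moment it was written.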
Handling the Aftermath of a Breach

Texas Data Breach Statute (Section 521.053, Texas Business and Commerce Code)
"A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person."
- Notify as quickly as possible
- Extra-territorial application
- Civil penalty up to $250,000 for a single breach

Was there a Breach?
1. What information is involved?
- Names
- Financial account data
- SSNs
- Government ID numbers
- Credit card data
- Date of birth

2. Was the information compromised?
- Unauthorized access or acquisition
- Sometimes just access/acquisition
- Has the "security, integrity or confidentiality" of the laptop info been compromised?
- Is there a "material compromise"?
- Has illegal use occurred or is it likely to occur?
3. Is there an exception?
- Hard copy files
- Encrypted data
- Good faith exception

Who do you have to Notify?
Impacted individuals
- Typically consumers or employees
- Applicable law is where the individual resides
- Some states require specific information (MA, IL)
- Timing restrictions: typically "expediently" or 45 days (FL, WI, OH)
Federal or state authorities
- Depends on the type of information at issue and threshold numbers affected (www.winston.com/privacylawresources)
Credit reporting agencies
- Usually must meet a threshold of impacted state residents

Effectively Communicate about the Breach
- Communicate breach facts accurately and quickly
- Understand and follow breach notification timetables
- Stay focused and concise
- Be prepared to update with new information
What you might offer:
- Information about security freezes and credit monitoring
- Contact information for credit reporting agencies, the FTC or state authorities
- A central "ombudsman" for all questions
- Credit monitoring or identity restoration services
- Coupons or gift certificates

After Action Review
- How did the team respond?
- What can be improved in the response/investigation?
- What security issues can be tightened up?
- Modify your plan/procedures if necessary

The Legal Landscape

Federal & State Regulatory Agencies
Federal agencies with privacy jurisdiction:
- Federal Trade Commission
- Department of Justice
- Office for Civil Rights (HHS)
- Consumer Financial Protection Bureau
- Office of the Comptroller of the Currency
- Federal Communications Commission
- And others
Practice Tip: If you regularly have data breaches, get to know your regulators and their notification preferences.
State agencies likewise have privacy enforcement.

Data Breach Civil Litigation
Theories of liability:
- Negligence
- Gross negligence
- Deceptive trade practices
- Breach of contract
- Fraud
Significant risk to companies:
- TJX litigation settled for over $40 million
- Heartland Payment Systems pending litigation: $12 million spent in attorney fees

Legal Trends
- Data breach cases are on the rise
- Most courts require actual harm
  Reilly v. Ceridian (3rd Cir.): hacker stole 250,00 records, but the court dismissed, finding potential future injury is not enough
- Recent case: no harm required
  Resnick v. AvMed, Inc. (11th Cir.): health plan provider failed to protect PII. No facts tying the data breach to subsequent data. Court allowed an unjust enrichment theory

Trade Secret Litigation
Increase in trade secret litigation. To be successful you must:
- Establish a trade secret: (1) secrecy, (2) independent economic value, (3) reasonable efforts to maintain secrecy
- Prove misappropriation
- Allege damages and/or right to injunctive relief

Practical Strategies

The Best Defense is an ongoing Data Security Program
- Eliminate unnecessary data
- Ensure essential controls are met
- Monitor/mine event logs
- Implement a firewall on remote access services
- Change default credentials of POS systems and other internet-facing devices
- Ensure third-party vendors are complying with data protection strategies
(Recommendations from the 2012 Verizon Report)

Fully Plan your Breach Response
- Understand where your data is and how it is protected
- Develop good privacy and security policies
- Train employees and monitor enforcement
- Develop a Data Breach Incident Response Plan
- Understand what laws/regulations apply
- Explore cyber-insurance

Security Policies: Evaluating what documents you need
- Remote access policy
- Internet and electronic communications policy
- Social media policy
- Password policy
- Mobile device policy
- Guest access policy
- Vendor access policy
- Network device attachment policy

To Learn more…
email@example.com
twitter: @winstonprivacy
www.winston.com/privacylawresources