Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP.

Similar presentations


Presentation on theme: "The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP."— Presentation transcript:

1 The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP

2 2 March 2013 Data Breaches

3 © 2013 Winston & Strawn LLP 3 Overview 1.Anatomy of a Data Breach 2.Data Breach Incident Response 3.Handling the Aftermath of a Breach 4.The Legal Landscape 5.Practical Strategies to Mitigate your Risk

4 4 © 2013 Winston & Strawn LLP Anatomy of a Data Breach

5 © 2013 Winston & Strawn LLP 5 Q: What is a Data Breach? A) Hackers B) Lost laptop C) Misdirected containing Personal Information D) Improperly disposed of paper files E) All of the above

6 © 2013 Winston & Strawn LLP 6 How Do Data Breaches Occur? INTERNAL EXTERNAL INTENTIONAL ACCIDENTAL

7 © 2013 Winston & Strawn LLP 7 Insider Threat- Negligent Employees 1. Pathetic Passwords 2. Loss of devices 3. Improper disposal 4. Misdirected s 5. Falling for Phishing 6. Use of Public WiFi

8 © 2013 Winston & Strawn LLP 8 Insider Threat – Employee theft  52% of insider thefts are trade secret related  65% of insiders had accepted positions with a competitor  20% were recruited by an outsider  50% steal data within a month of leaving  54% used a network- , a remote network access channel, or network file transfer

9 9 © 2013 Winston & Strawn LLP Best Practices of a Data Breach Response

10 © 2013 Winston & Strawn LLP 10 Data Breach Response Timeline 00:00Mobilize ResourcesStabilizeInvestigateNotifyAfter Action Review

11 © 2013 Winston & Strawn LLP 11 Step 1 - Mobile Resources: Immediate Response Team Legal Department Privacy Counsel Human Resources Forensic Experts Notification Support SecurityIT Professionals Communication Support Business Group (Data Owners) C. Suite

12 © 2013 Winston & Strawn LLP 12 Step 2 - Stabilize/Secure Data  Act quickly, but cautiously  Take steps to secure data  Preserve evidence including logs, back ups  Obtain expert advice/legal counsel

13 © 2013 Winston & Strawn LLP 13 Step 3 - Investigation Goal : Determine the scope and nature of breach  Identify all affected data, machines and devices  Preserve Evidence (Chain of Custody)  Understand how the data was protected  Develop the Record  Conduct interviews with key personnel  Document evidence and findings carefully  Quantify the exposure of data compromised

14 © 2013 Winston & Strawn LLP 14 Importance of Investigatory Privilege  Treat every incident as potential litigation  Engage Legal Counsel at onset  Direct the forensic/security vendors through Legal Counsel  Label communications “Confidential and Privileged”

15 © 2013 Winston & Strawn LLP 15 Do you Involve Law Enforcement?  PROS For serious criminal activity, partner with law enforcement LE brings additional resources to investigation Shows you are taking the breach seriously  CONS May not meet law enforcement threshold Could lose control over your investigation Information of breach could become public

16 16 © 2013 Winston & Strawn LLP Handling the Aftermath of a Breach

17 © 2013 Winston & Strawn LLP 17 Texas Data Breach Statute Texas Business and Commerce Code “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.”  Notify as quickly as possible  Extra-territorial application  Civil penalty up to $250,000 for a single breach.

18 © 2013 Winston & Strawn LLP 18 Was there a Breach? 1. What information is Involved? Names Financial Account data SSNs Government ID numbers Credit Card data Date of Birth

19 © 2013 Winston & Strawn LLP 19 Was there a Breach? 2. Was the Information Compromised? Unauthorized access or acquisition Sometimes just access/acquisition Has the “security, integrity or confidentiality” of the laptop info been compromised? Is there a “material compromise”? Has illegal use occurred or is it likely to occur? 3. Is there an Exception? Hard copy files Encrypted data Good faith exception

20 © 2013 Winston & Strawn LLP 20 Who do you have to Notify?  Impacted individuals Typically consumers or employees Applicable law is where individual resides Some states require specific information (MA, IL) Timing restrictions: typically “expediently” or 45 days (FL, WI, OH)  Federal or State authorities Depends type of information at issue/threshold numbers affected  Credit reporting agencies Usually must meet a threshold of impacted state residents

21 © 2013 Winston & Strawn LLP 21 Effectively Communicate about Breach  Communicate breach facts accurately and quickly Understand and follow breach notification timetables Stay focused and concise Be prepared to update with new information  What you might offer: Information about security freezes and credit monitoring Giving contact information for credit reporting agencies, FTC or state authorities Having a central “ombudsman” for all questions Credit monitoring or identity restoration services Coupons or gift certificates

22 © 2013 Winston & Strawn LLP 22 After Action Review  How did the team respond?  What can be improved in response/investigation?  What security issues can be tightened up?  Modify your plan/procedures if necessary

23 23 © 2013 Winston & Strawn LLP The Legal Landscape

24 © 2013 Winston & Strawn LLP 24 Federal & State Regulatory Agencies  Federal Agencies with Privacy Jurisdiction  Federal Trade Commission  Department of Justice  Office for Civil Rights (HHS)  Consumer Financial Protection Bureau  Office of the Comptroller of the Currency  Federal Communications Commission  And others  Practice Tip – If you regularly have data breaches, get to know your regulators and their notification preferences.  State Agencies Likewise have Privacy Enforcement

25 © 2013 Winston & Strawn LLP 25 Data Breach Civil Litigation  Theories of Liability  Negligence  Gross Negligence  Deceptive Trade Practices  Breach of Contract  Fraud  Significant Risk to Companies  TJX Litigation Settled for over 40 Million dollars  Heartland Payment Systems pending litigation – 12 Million spent in attorney fees

26 © 2013 Winston & Strawn LLP 26 Legal Trends  Data Breach cases are on the Rise  Most Courts require Actual Harm  Reilly v. Ceridian (3rd Cir.) – Hacker stole 250,00 records  But Court dismissed finding potential future injury is not enough  Recent case: No Harm required  Resnick v. AvMed, Inc.(11th Cir.) – Health plan provider failed to protect PII information. No facts tying data breach to subsequent data. Court allowed Unjust enrichment theory

27 © 2013 Winston & Strawn LLP 27 Trade Secret Litigation  Increase in Trade Secret Litigation  To be Successful you must:  Establish a Trade Secret (1)Secrecy (2)Independent Economic Value (3)Reasonable Efforts to Maintain Secrecy  Prove Misappropriation  Allege Damages and/or right to Injunctive Relief

28 28 © 2013 Winston & Strawn LLP Practical Strategies

29 © 2013 Winston & Strawn LLP 29 The Best Defense is an ongoing Data Security Program  Eliminate unnecessary data  Ensure essential controls are met  Monitor/mine event logs  Implement a firewall on remote access services  Change default credentials of POS systems and other internet facing devices  Ensure third party vendors are complying with data protection strategies Recommendations from 2012 Verizon Report

30 © 2013 Winston & Strawn LLP 30 Fully Plan your Breach Response  Understand where your data is and how it is protected  Develop good privacy and security policies  Train employees and monitor enforcement  Develop a Data Breach Incident Response Plan  Understand what laws/regulations apply  Explore Cyber-insurance

31 © 2013 Winston & Strawn LLP 31 Security Policies: Evaluating what documents you need  Remote access policy  Internet and electronic communications policy  Social media policy  Password policy  Mobile device policy  Guest access policy  Vendor access policy  Network device attachment policy

32 © 2013 Winston & Strawn LLP 32 To Learn more…


Download ppt "The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP."

Similar presentations


Ads by Google