January 21, 2015
Professional Liability Attorney Network
Cyber Security Threats, Trips, & Traps: Managing Risk and Protecting Data in the Cyber Age
Overview
– Existing threats
– Define breach & when notification is required
– Legal framework for cyber security
– The role of the attorney
Dealing with the government
– Responding to inquiries
– Reporting breaches
Insuring against cyber threats
Spectrum of cyber threats
– Advanced Persistent Threats (“APTs”)
– Hackers & other cybercriminals
– Authors of malware and phishing attacks
– Distributed Denial-of-Service (“DDoS”) attacks
– Hijacking of domain names
– Employee theft of trade secrets or IP
– Lost or stolen laptop, mobile device, or USB drive
– Lax corporate security policies and systems
Cyber Threats: so what?
– Civil litigation
– Loss of online business or customers
– Loss of trade secrets, research, or IP
– Damage to brand or reputation
– Investigations by federal and state authorities
– Compliance costs, including notification of affected parties
What is a breach? Unauthorized access to, or loss of, unencrypted personal or confidential information, such as:
– Social Security Numbers
– Bank account numbers or PINs
– Credit/debit card numbers
– Medical records and treatment information
– Access credentials: usernames and passwords
Does not include information that is lawfully publicly available.
Ponemon Institute, 2014 Cost of Data Breach Study
– The average cost of a data breach in the U.S. was $5.8 million
– The most costly data breaches are criminal and malicious attacks
– The average cost of notification in the U.S. was $509,237
Breach notification laws
Most states have breach notification laws that:
– Define a data breach
– Identify protected data
– Identify data that isn’t protected (i.e., a safe harbor, typically for encrypted data)
– Establish how & when notification is to be made; this may depend on the number of people affected and the cost of notification
– Allow for private causes of action
Legal framework for cyber security
Federal and state statutes
– Set requirements for safeguarding data
– Require notification regarding data breaches
Federal regulations
– Implement statutes (and Executive Orders)
– Specific to federal agencies and industries
Guidance
Health Care
Health Insurance Portability & Accountability Act of 1996 (42 U.S.C. §1320d et seq.)
– Regulates the use and disclosure of “protected health information” (PHI) by “covered entities.”
– A covered entity must take reasonable steps to ensure the confidentiality of protected health information (45 C.F.R. §164.316(a)).
– Significant civil penalties under 42 U.S.C. §1320d-5 ($100 to $50,000 per violation).
Health Care
Health Information Technology for Economic & Clinical Health Act (HITECH) (42 U.S.C. §§ 17901-17953)
– Broadened HIPAA breach notification and privacy requirements to include business associates of covered entities.
– Defines a breach and when notification is required.
– Notification must be made without unreasonable delay, and not more than 60 days after discovery.
– Requires breach notification to affected individuals, HHS and, in certain circumstances, the media.
Health Care
HITECH (cont.)
Notification to individuals must include:
– A brief description of the breach;
– A description of the type of PHI involved;
– Steps individuals should take to protect themselves from harm;
– A description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent further breaches; and
– Contact information for the covered entity.
Financial Institutions
The Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801, 6805(b))
– Applies to U.S. financial services organizations.
– Requires protection of the security and confidentiality of customers’ personal information.
– Protection should be “appropriate to the size and complexity of the bank and the nature and scope of its activities.”
– Interagency Guidance Establishing Standards for Safety and Soundness, 12 C.F.R. Part 364.
Publicly Traded Companies
Sarbanes-Oxley Act, “Management assessment of internal controls” (15 U.S.C. § 7262)
– Applies to publicly traded companies.
– Requires an annual report on internal financial controls: the report must “contain an assessment…of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
Publicly Traded Companies
SEC CF Disclosure Guidance: Topic No. 2 (Cybersecurity)
– Focuses on disclosure obligations relating to cybersecurity risks and cyber incidents.
– Part of the obligations under Regulation S-K Item 503(c) requirements for risk factor disclosures.
– Must disclose business or operations that give rise to material cybersecurity risks, and the potential costs and consequences.
Pharma & Biotech
FDA electronic records rule, 21 C.F.R. Part 11; §11.10, “Controls for closed systems”
– Applies to pharmaceutical and biotech companies subject to regulation by the FDA.
– Sets 11 requirements for electronic records: “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records…”
Critical infrastructure
NERC Critical Infrastructure Protection standard CIP-003-1 (Security Management Controls), approved by the Federal Energy Regulatory Commission
– Applies to U.S. energy/infrastructure organizations.
– Requires “Responsible Entities” to have security controls to protect Critical Cyber Assets: “The Responsible Entity shall create and maintain a cyber security policy that addresses the requirements of this standard and the governance of the cyber security controls.”
Computer Fraud and Abuse Act, 18 U.S.C. § 1030
Chapter 47 – Fraud and False Statements: Fraud and Related Activity in Connection with Computers
– Includes offenses in which the computer facilitates other crimes.
– Offenses generally begin as misdemeanors and become felonies if there is something more (e.g., loss, damage, injury, etc.).
Trespassing: 18 U.S.C. § 1030(a)(3)
Simple trespass on a government computer
– Prohibits intentionally accessing, without authorization, any nonpublic computer of a department or agency of the U.S. used exclusively by the Government.
– Can be a shared-use computer if the conduct affects its use by or for the U.S. Government.
– Includes attempts.
– First offense is a misdemeanor (§ 1030(c)(2)(A)).
– Second offense has a 10-year maximum (§ 1030(c)(2)(C)).
Theft of information: 18 U.S.C. § 1030(a)(2)
Intentionally accesses a computer without authorization (outsider) or exceeds authorized access (insider), and thereby obtains:
– Records of a financial institution or of a credit card issuer;
– Information from any department or agency of the U.S.; or
– Information from any protected computer.
Definition of “computer” (18 U.S.C. § 1030(e)(1))
Means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable handheld calculator, or other similar device.
Theft of information: stored communications, 18 U.S.C. § 2701
– Intentionally accessed a computer without authorization or in excess of authorization
– Through which an electronic communication service is provided
– Obtained, altered, or prevented authorized access to the stored communications
– Technically includes undelivered email
Theft of information: stored communications, 18 U.S.C. § 2701 (cont.)
Misdemeanor, but can be a 5-year felony if:
– For commercial advantage
– In furtherance of a crime or tort
– Involves malicious destruction or damage
Second offense is a 5-year felony (10 years if “aggravating”)
Theft of information through interception, 18 U.S.C. § 2511(1)(a) (Wiretap Act)
– Intentionally intercepted, endeavored to intercept, or procured any other person to intercept
– Any wire, oral, or electronic communication
– Includes intercepting electronic signals via network “sniffers”
– 5-year felony
– Disclosing illegally intercepted communications also violates § 2511(1)(c); using them violates § 2511(1)(d)
Definition of “damage” (18 U.S.C. § 1030(e)(8))
“Damage” means any impairment to the integrity or availability of data, a program, a system, or information.
– Damage can occur after the intrusion.
– Damage can occur without access (e.g., DDoS).
Damage to government communication facility, 18 U.S.C. § 1362
– Malicious destruction of a communications facility operated or controlled by the U.S. (or used for military or civil defense functions of the U.S.)
– Or, maliciously interfered “in any way” with the working or use of such a system (includes attempts and conspiracy)
– 10-year felony
Password trafficking
Access device fraud (18 U.S.C. § 1029(a)(3)): prohibits knowingly possessing 15 or more unauthorized access devices with intent to defraud.
– “Access device” is any “card, plate, code, account number, …or other telecommunications service …that can be used…to obtain money, goods, services, or any other thing of value....”
– “Unauthorized” means “lost, stolen, expired, revoked, canceled, or obtained with intent to defraud.”
– 10-year felony
Other password crimes
– Trafficking in or use of access devices in a fraud with loss of $1,000 or more (18 U.S.C. § 1029(a)(2))
– Trafficking in computer passwords with intent to defraud (18 U.S.C. § 1030(a)(6)): misdemeanor for a first offense; 10-year felony for a second offense
John Schwab JAS@Pietragallo.com 412-263-1849 Questions?
CYBER-LIABILITY POLICIES Now that we know the threats… protect yourself
Gaps in Traditional Insurance Policies
– Property insurance policies: “property” means tangible, not intangible, property
– D&O: property exclusion; professional services exclusion; not covered by the insuring clauses
– Crime/Fidelity policies: tangible property only
– Commercial General Liability (CGL): exclusions for losses associated with unauthorized access by third parties
– Errors & Omissions policies: generally exclude security breaches or damages arising from unauthorized access
– Employment Practices Liability (EPL) policies: not covered by the insuring clauses
Coverage
Generally, cyber liability policies address two types of risks:
– First Party: losses suffered directly by the Insured
– Third Party: losses associated with the Insured’s liability for damages suffered by a third party
First Party Losses
– Business interruption costs
– Crisis management and public relations costs
– Privacy notification and credit monitoring costs
– Costs associated with theft or vandalism of a company’s network or systems
– Upgrades in network security
Third Party Losses
– Disclosure Injuries: unauthorized access to or dissemination of a third party’s private information
– Content Injuries: copyright, trademark, trade secret or other intellectual property claims
– Reputation Injuries: libel, slander, defamation, invasion of privacy claims
– System Injuries: security failures or virus transmissions that harm the computer systems of third parties
– Impaired Access Injuries: customers cannot access their accounts or information
First Party Losses in Third Party Claims
Often a third party liability claim will involve direct losses by the Insured.
– A third party cyber liability policy may provide coverage for certain direct losses associated with a claim (or a potential claim) by a third party. These may include:
– Security breach notifications
– Credit monitoring costs
– Crisis management consultation
Data Breach – Potential Damages
What are the potential damages to which the Insured could be exposed? Depending on governmental involvement, the strategy of the claimant, and the approach of the Insured, multiple kinds of damages are possible:
– Compensatory damages (although difficult to prove)
– Consequential damages
– Punitive damages
– Fines and fees (imposed by regulatory agencies)
– Remediation of hardware and software
– Lost profits and goodwill
– Notification of affected individuals/entities
– Monitoring of affected individuals/entities