PENNSYLVANIA BAR ASSOCIATION PROFESSIONAL LIABILITY COMMITTEE DELAWARE COUNTY BENCH BAR 2017
“Planning for Disaster” Featuring: Cyber Event Preparedness and Incident Response Planning
Viruses (Ransomeware $$$) Identity theft (The black market for personal information $$$) Back door to corporate clients (Insider trading / trade secrets / other confidential information) Consider the Panama papers!
Why Prepare? ? ?
Claims Can Happen! ? ?
Preparing is Key ? ?
OVERVIEW ? ? What is the purpose of an IRP? 2. What are the key components? ? Do law firms need one?
Purpose of an IRP An IRP is like an evacuation plan for a cyber security incident. It outlines step-by-step your response to a data security incident. Rather than try to respond to a data breach, document your response efforts, determine what laws apply, and ensure compliance during the stress of a breach, an IRP is developed pre-breach, and streamlines your response.
Purpose of an IRP STRESS Provides step-by-step guidance for responding to a breach and complying with potentially applicable laws and regulations. Streamlines and organizes your response to save time, money, stress, and downtime STRESS Creates documentation of your response efforts
Key Components of an IRP Team Members Method of Reporting and Timing Step by Step Incident Response Process Notification Requirements Insurance Carrier Information and Reporting Timeframe Post-Incident Investigation / Lessons Learned Testing of IRP Process Training of Employees
Key Components of an IRP Consider your IRP Team Members A lawyer? Office Administrator? IT? (Consider forensic experience) Outside counsel? (Consider privilege issues) Genesco v. Visa (2014) In re Target (2015))
Key Components of an IRP Step by Step Incident Reponse (Basic Overview): Discovering and reporting to the IRP team Ascertaining nature of Incident / systems compromised / length of time Ascertain if a data breach occurred (i.e. whether records were accessed, personal or confidential information therein, and affected clients/employees) Analyze how the breach occurred for future prevention
Key Components of an IRP Notification Requirements: Pennsylvania’s Breach of Personal Information Notification Act 73 Pa.C.S. 2301 et seq. An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. (73 Pa.C.S. 2303)
Key Components of an IRP Notification Requirements: How is a breach defined in Pennsylvania? “The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. . . .” 73 Pa. Stat. Ann. § 2302
Key Components of an IRP What is personal information? NAME linked with: SSN Drivers license number, OR Credit/Debit card + access code
Key Components of an IRP INSURANCE CARRIER INFORMATION & REPORTING TIMEFRAME
Key Components of an IRP LESSONS LEARNED TRAINING TESTING Implementing new training?
Do all law firms need an IRP? Consistent with our ethical duties in respect to competence, confidentilaity and safeguarding property Often a requirement for purchasing cyber insurance Certain laws require them HIPAA/HITECH GLBA YES! Often one of the first questions asked by investigating government agency Reduces time, expense, and stress of responding to a breach Presumption of compliance with notification laws of certain states PA, WV, NJ, DE It’s just good 21st century business