A Brave New World of Cyber Security and Data Breach

Jim Brashear, General Counsel, Zix Corporation, Dallas
Chad Pinson, Managing Director & Head of Office, Stroz Friedberg, Dallas

Presentation to the State Bar of Texas Advanced In House Counsel Course on August 15, 2014

Transcript of A Brave New World of Cyber Security and Data Breach

1. A Brave New World of Cyber Security and Data Breach. Jim Brashear, General Counsel, Zix Corporation, Dallas. Chad Pinson, Managing Director & Head of Office, Stroz Friedberg, Dallas.

2. Cyber Risks Top Business Concerns (8/20/2014). EisnerAmper, Concerns About Risks Confronting Boards 2014: "Reputation, cybersecurity and social media are largely intertwined and the associated risk has captured the attention of most boards."

3. Cyber Risk: Threat; Risk; Vulnerability; Consequence.

4. Threat Landscape.

5. Key Data Security Risks: Loss or theft of device; Social engineering; Insiders; Malware; Hacking; Data interception.

6. Lost and Stolen Portable Devices.

7. Phishing and Social Engineering.

8. Insiders.

9. Rogue Cloud: Even if you don't authorize cloud data storage, it's happening.

10. Types of Attacks.

11. Zero Day Exploits.

12. SQL Injections.

13. Data in Transmission.

14. Data Intercepts Happen, even if you don't see them.

15. Reasonable Expectation of Privacy?

16. Who are Targets? Individuals; Governments; Universities; Businesses; Outside directors; Services providers; Professionals; Outsourcers; Board portal.

17. Target Industries.

18. Hacking Law Firms. ALAS: Hacker threats are not hypothetical; Law firms are soft targets; Treasure trove of confidential client information; Consultants, vendors, business partners and employees may have relatively weak data security.

19. What Are Hackers After? Proprietary information (Cybercriminals: corporate trade secrets; Nation-state hackers: military and defense intellectual property, designs and plans); Personal financial data; Political change; Embarrassment; Information freedom.

20. Cyber Attack Impacts: Loss of IP, confidential information; Privacy data breach; Business disruption; Forensics, containment, recovery, remediation; Regulatory investigation; Violations, increased compliance costs; Contract breaches; Consumer lawsuits; Adverse publicity, brand damage; Loss of customer trust; Revenue impact; Share price decline; Shareholder derivative suits; Fines; Impact on insurance.

21. Privacy and Cybersecurity.

22. Twice Victimized by Data Breach?

23. Litigation: Consumer class action lawsuits; Statutory personal rights; Tort law negligence (reasonable care); Contract breach (failure to use reasonable care to protect data under NDA or confidentiality covenants); First Circuit: bank failed to provide commercially reasonable data security, Patco Construction Co., Inc. v. People's United Bank; IP enforcement: trade secret law requires reasonable care to protect confidentiality.

24. D&O Liability for Cyber Incidents. "[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril." ~ SEC Commissioner Luis A. Aguilar, June 10, 2014. Shareholder derivative actions; Breach of duty of care and duty of oversight (derived from good faith obligation in duty of loyalty); Business judgment rule may not protect directors who fail to act on cybersecurity: "Technically speaking, it has no role where directors have either abdicated their functions, or absent a conscious decision, failed to act." Aronson v. Lewis (Del. 1984); D&O insurance may not apply (exclusion for liability resulting from a privacy breach).

25. Federal Enforcement. Case in Point: Wyndham Worldwide Corp. FTC alleges privacy policy misrepresented security measures (deceptive practice); FTC alleges failures to maintain reasonable and appropriate data security (unfair practice); Increased FTC enforcement; Overlapping jurisdiction with other agencies.

26. State Data Breach Enforcement: 47 U.S. states now have data breach notification laws; State AGs are actively enforcing them; State AGs also empowered to enforce HIPAA.

27. Texas Privacy Laws: Texas has some of the strictest privacy laws in the country; Data breach notification statute encompasses non-residents; Texas medical privacy laws are stricter than HIPAA; Texas privacy laws protect Sensitive Personal Information (SPI) and Protected Health Information (PHI); A business may be simultaneously subject to the Texas Identity Theft Enforcement and Protection Act, the Texas Medical Records Privacy Act, HIPAA and HITECH, and other privacy laws.

28. Two Principal Texas Privacy Statutes. Identity Theft Enforcement and Protection Act: applies to virtually all businesses operating in Texas; Business and Commerce Code Chapter 521, http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm. Medical Records Privacy Act: broader than HIPAA; Health & Safety Code Chapter 181, http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm.

29. Duty to Protect Personal Information. Business and Commerce Code 521.052: a business must use reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained in its regular course of business.

30. At the SEC: A Quiet Evolution. July 1998: OIE formed; January 2010: renewed focus on IT infrastructure; October 2011: SEC cybersecurity guidance; January 2014: Jarcho speech / FINRA sweep announcement; March 2014: SEC cybersecurity roundtable; April 15: OCIE Risk Alert.

31. SEC Focus on Cyber Risk.

32. Cyber Risk Disclosure. SEC Disclosure Guidance 2011, CF Disclosure Guidance: Topic No. 2, Cybersecurity. Directs public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents. Six disclosure areas: Risk Factors; Management's Discussion and Analysis (MD&A); Business Description; Legal Proceedings; Financial Statement Disclosure; Disclosure Controls and Procedures.

33. Board Oversight of Cyber Risk: Where does the board and management responsibility reside? Adequate board expertise? Who reports on cybersecurity and privacy to the board?

34. Cyber Risk Assessment Quandary: Too little information / Too much information.

35. Proactive Risk Assessments: NOT CHECK-THE-BOX.

36. New ABA Resolution: "The American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected."

37. Have a Data Breach Response Plan.

38. Multi-disciplinary Approach to Incident Response: In-House Counsel; Incident Response; In-House IT; CPO, CSO; Compliance; Business Unit; Client and Media Relations; Human Resources; Outside Incident Response Experts; Outside Counsel.

39. Invest in Resources. Technical Incident Response Team: employees from relevant C-levels of a company's org chart (information technology, investor relations, public relations, legal, etc.). Independent Outside Experts: engage experts to conduct an independent investigation of the attack; tasks include data preservation, malware analysis, digital forensic analysis, reverse engineering.

40. Test the Plan: Educate; Awareness; Test.

41. NIST Cyber Risk Framework.

42. NIST Framework: Initiated by Executive Order 13636; Voluntary; Designed primarily for US critical infrastructure owners and operators; Applicability to companies of all sizes; Does not create new standards; Leverages existing cybersecurity practices; Recommends a proactive cyber risk management process to assess risks and capabilities, and establish goals and a plan.

43. NIST Framework.

44. NIST Framework.

45. New COSO Integrated Framework: Expands emphasis on risk assessment.

46. Key Recommendations: Make cyber risk awareness part of company culture; Recurring cyber security and privacy law training for employees and contractors; Adopt enterprise-wide cyber risk oversight framework; Identify and retain outside consultants before crisis need arises; Assess regulatory and contractual requirements; Written policies and procedures to protect Sensitive Personal Information and Protected Health Information; Written data breach response procedures; Monitor and audit privacy and data security procedures; Revise privacy notices to reflect amended state laws and changes in company technology and practices; Annual cyber risk insurance coverage analysis.

47. Cyber Security Ethics.

48. Ethics: Competence. Rule 1.1: A lawyer shall provide competent representation to a client. A lawyer should keep abreast of the risks associated with technology.

49. Ethics: Client Property. Rule 1.15: Client property should be appropriately safeguarded. A lawyer should hold property of others with the care required of a professional fiduciary. Information is property.

50. Ethics: Client Confidences. Texas Rule 1.05: A lawyer shall not knowingly reveal confidential information of a client or former client, unless the client consents after consultation.

51. Ethics: Client Confidences. New Model Rule 1.6: A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.

52. Ethics: Proactive Confidentiality. Comments to Model Rule 1.6, [17]: When transmitting a communication, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.

53. Securing cyberspace starts with YOU. National Cybersecurity Awareness Campaign.