
CYBER-ATTACK LIABILITY AND PROTECTING CLIENT INTERESTS

First Run Broadcast: February 14, 2020

1:00 p.m. E.T./12:00 p.m. C.T./11:00 a.m. M.T./10:00 a.m. P.T. (60 minutes)

Every company that stores files in the cloud, has a Web site, or engages in e-commerce is a data breach waiting to happen. Cyberattacks have become more frequent and more sophisticated, breaching even federal security agencies and global finance companies. Every smaller company is constructively on notice that it may be the next victim of a malicious breach. When that happens, clients often turn to their lawyers and ask, what now and are we liable? This program will provide lawyers with a real-world guide to advising clients about data breaches – what they are, how to protect themselves legally, and what to do if it’s too late.

• Framework of law of cybersecurity – sources of liability under federal and state law

• What constitutes a data breach and your client’s obligation to protect against breaches

• Data breach notification laws – what must you disclose and when

• Risk of private causes of action and best practices to avoid

• Policies, processes and agreements to protect against – or respond to a data breach

Speaker:

Sue C. Friedberg is a partner in the Pittsburgh office of Buchanan, Ingersoll & Rooney, PC, where she is co-chair of Buchanan’s Cybersecurity and Data Protection Group. She advises clients about rapidly evolving standards of care for safeguarding confidential information and responding effectively to security incidents that threaten to compromise their valuable or protected information. She helps clients assess their data security risks and capabilities, develop information security programs, design incident response plans and prepare and update contracts. Ms. Friedberg earned her B.S., magna cum laude, from Georgetown University and her J.D., cum laude, from the University of Pittsburgh School of Law.


VT Bar Association Continuing Legal Education Registration Form

Please complete all requested information, print this application, and fax with credit info or mail it with payment to: Vermont Bar Association, PO Box 100, Montpelier, VT 05601-0100. Fax: (802) 223-1573

PLEASE USE ONE REGISTRATION FORM PER PERSON.

First Name ________________________ Middle Initial____ Last Name__________________________

Firm/Organization _____________________________________________________________________

Address ______________________________________________________________________________

City _________________________________ State ____________ ZIP Code ______________________

Phone # ____________________________Fax # ______________________

E-Mail Address ________________________________________________________________________

Basics of Cyber-Attack Liability and Protecting Clients Interests Teleseminar

February 14, 2020 1:00PM – 2:00PM

1.0 MCLE GENERAL CREDITS

PAYMENT METHOD:

Check enclosed (made payable to Vermont Bar Association) Amount: _________

Credit Card (American Express, Discover, Visa or Mastercard)

Credit Card # _______________________________________ Exp. Date _______________

Cardholder: __________________________________________________________________

VBA Members $75 Non-VBA Members $115

NO REFUNDS AFTER February 7, 2020


Vermont Bar Association

CERTIFICATE OF ATTENDANCE

Please note: This form is for your records in the event you are audited.

Sponsor: Vermont Bar Association

Date: February 14, 2020

Seminar Title: Basics of Cyber-Attack Liability and Protecting Clients Interests

Location: Teleseminar - LIVE

Credits: 1.0 MCLE General Credit

Program Minutes: 60 General

Luncheon addresses, business meetings, receptions are not to be included in the computation of credit. This form denotes full attendance. If you arrive late or leave prior to the program ending time, it is your responsibility to adjust CLE hours accordingly.


Basics of Cyber-attack Liability and Protecting Clients

Sue Friedberg | Co-chair, Cybersecurity and Data Protection

[email protected] / 412-562-8436


AGENDA

1. What keeps clients—and lawyers—up at night?

2. What is a data breach and how can you help your client—if not avoid—at least reduce the risks and mitigate the consequences?

Cybersecurity Law Landscape

Federal laws

The patchwork of state laws

Industry standards

Private litigation and government enforcement

3. Cybersecurity incident scenario—ransomware attack

4. How lawyers can help



Cybersecurity Law Landscape


Why Are Clients Up at Night?

Lost productivity

Physical damage and bodily injury

Cyber extortion

Cyber terrorism

Theft of intellectual property

Legal actions

Financial costs (response, remediation)

Business interruption

Reputational damage


Threats all around

Internal threats:

Insider accidents or ignorance

Improper disposal of personal information

Lack of education and awareness

Negligence/indifference

Precaution failures

Lost mobile devices

Insider malicious conduct

Vendors with access—accidents, ignorance, negligence, indifference

External threats:

Hackers and phishers

Identity thieves

Organized crime

Nation-state actors

Hacktivists

Business espionage


How we set ourselves up:

Too much data

Retained indefinitely

Too many copies in too many places

Stored on too many devices

Too many people have access

Too easy to transmit

Data is a very valuable asset


Sources of duty to protect information

Federal information security laws and regulations

Federal consumer protection laws

Federal employment laws with privacy protections

State breach notification laws

State information security laws

State consumer protection laws

State privacy protections

Industry-mandated standards

Contractual obligations: to comply with whatever laws, regulations, and standards apply to the contract parties


Thrust of Information Security Laws

PROTECT:

Security

Confidentiality

Integrity

Availability

AGAINST:

Unauthorized disclosure

Unauthorized access

Unauthorized use

Alteration

Destruction

Loss


Federal Laws


Healthcare: HIPAA, HITECH, HHS Rules

Security Rule, Privacy Rule, Breach Notification Rule

Enforced by:

Health & Human Services, Office of Civil Rights

State attorneys general

Most entities that come into contact with electronic health information (ePHI) are likely required to comply with the Security Rule:

Covered entities: health care providers, health plans and health care clearinghouses

Business associates

Subcontractors to business associates


Security Rule: Required Safeguards for ePHI

Administrative

Risk analysis to identify vulnerabilities and threats to ePHI

Policies and procedures

Workforce conduct management—training and awareness

Physical

Access controls (badges, visitor logs)

Machine controls and data storage protections

Technical

Unique passwords

Audit controls to monitor systems activity

Encryption


What is a risk analysis?

Identify what ePHI is created, received, maintained or transmitted

Identify and document potential threats and vulnerabilities—internal and external

Assess risk level:

Likelihood that a threat will occur or vulnerability will be exploited, and

Degree of severity of impact on business if it occurs

Assess scope/adequacy/effectiveness of current security measures;

Identify gaps between vulnerabilities and security measures

Develop and document Risk Management Plan to address gaps—setting priorities and timeline

Repeat


HIPAA Privacy Rule

Applies to protected health information in all forms—electronic, written, oral (“PHI”)

Strictly limits the ways covered entities may use or disclose PHI without patient authorization

Example: covered entity or business associate that uses or discloses more than the minimum amount of PHI necessary to serve the purpose potentially has violated the Privacy Rule.


Financial Services

Gramm Leach Bliley Act—privacy and administrative, technical and physical security

Consumer privacy and security

Enforced by FTC and CFPB

Fair Credit Reporting Act—affirmative duties to report accurately and protect confidentiality

Fair and Accurate Credit Transactions Act —Red Flags identity theft protection programs

Banking institutions—enforced by banking agencies (FDIC, FRB, OCC, et al.)

Investment institutions—enforced by SEC, FFIEC, FINRA


Breach under HIPAA

Breach =

(i) acquisition, access, use or disclosure

(ii) of unsecured PHI

(iii) that is not permitted under HIPAA; and

(iv) that compromises the security or privacy of the protected health information

Unauthorized access is presumed to be a breach unless organization can show “low probability of compromise”

Breach notification within maximum 60 days to affected individuals and Office of Civil Rights of HHS

Enforcement by OCR through investigations, fines and civil actions


Safeguards Rule: requires comprehensive information security program

Key elements:

Designate program coordinator(s)

Conduct risk assessment

Implement safeguards to address risks identified in risk assessment

Oversee service providers

Evaluate and revise program in light of material changes to the business

High risk areas:

Employee management and training

Information systems

Detecting and managing system failures


FTC guidance

Financial Institutions and Customer Information: Complying with the Safeguards Rule

https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying

All industries: Start with Security: A Guide for Business

https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business


Federal government contractors

Critical infrastructure industries

Viewed as targets for cyber exploitation (e.g. financial, utilities, energy, transportation)

National Institute of Standards and Technology (NIST) Cybersecurity Framework

https://www.nist.gov/cyberframework/framework

Core cybersecurity functions: Identify, Protect, Detect, Respond, Recover


Federal government contractors

Department of Defense

Defense Federal Acquisition Regulation Supplement (DFARS)—all DOD contractors including small business

(1) Provide adequate security for defense information that resides in or transits through internal unclassified information systems from unauthorized access and disclosure; and

(2) Rapidly report cyber incidents and cooperate with DOD to respond to these security incidents, including access to affected media

NIST published standards apply—14 categories of controls


NIST categories for security controls


FTC consumer protections

Fair Credit Reporting Act (FCRA)

Requires credit reporting agencies to use “reasonable procedures” to protect “the confidentiality, accuracy, relevancy and proper utilization” of consumer information

Prohibits employers from procuring a consumer credit report for employment purposes without prior disclosure and authorization

Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)

Secure disposal of credit information

Children’s Online Privacy Protection Act of 1998 (“COPPA”)

Parental consent for data from children under 13


Federal privacy protections with security aspects

Workplace privacy and anti-discrimination laws (EEOC administered)

Title VII Civil Rights Act, ADA, Age Discrimination in Employment Act

Electronic surveillance and communications laws: Wiretap Act

Electronic Communications Privacy Act

Stored Communications Act

Children’s Online Privacy Protection Act (COPPA)


Industry standards for security controls

Payment Card Industry Data Security Standard (PCI DSS)

Developed by Council of major payment card brands

Global standards for all entities that process, store, or transmit cardholder data

Enforced by contracts between payment card issuers and merchants and transaction processors

Accounting (AICPA)

System and Organization Controls (SOC) examination

Design and/or effectiveness of cybersecurity risk management program

Internationally recognized security certifications:

ISO 27001 (International Organization for Standardization)

COBIT (Control Objectives for Information and Related Technologies developed by IT professionals)



State Laws with Security Standards


States with substantive security requirements

Arkansas

California

Connecticut

Florida

Indiana

Kansas

Maryland

Massachusetts

Minnesota

Nevada

Oregon

Rhode Island

Texas

Utah


California

First state to impose information security standard on businesses that own or license personal information about California residents

Implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the information from unauthorized access, destruction, use, modification, or disclosure

If personal information is disclosed to third parties, they must be contractually required to meet the same standard

CA Attorney General list of minimum Critical Security Controls: https://oag.ca.gov/breachreport2016#appendixes


PCI DSS codified in Nevada and Minnesota

Nevada:

codified the entire Payment Card Industry Data Security Standard (PCI DSS) in statute

Encryption required for transmitting electronic data that is not payment card out of control of data collector (or storage contractor)

Compliance = safe harbor against liability for breach (except gross negligence or intentional misconduct)

Minnesota: codified some portions of PCI DSS that limit time period for retaining payment card usage data


Massachusetts: detailed security requirements

Implement formal Written Information Security Program—similar to federal standards

Designate employees to maintain the information security program

Identify and assess reasonably foreseeable internal and external security risks and the effectiveness of current safeguards, and upgrade safeguards as necessary

Develop security policies for employees relating to the storage, access and transportation of records containing personal information

Impose disciplinary measures for violations

Restrict access of terminated employees to records containing personal information

Oversee service providers by:

Restricting physical access to records

Using reasonable due diligence to select and retain service providers; and

Contractually requiring service providers to maintain appropriate security measures

Review security measures at least annually

Document actions taken in response to security breaches and hold post-incident review


SSN Laws

Five states have laws requiring businesses to have policies designed to prevent unlawful disclosure of SSNs by:

Ensuring confidentiality

Limiting access

Describing proper disposal


Hard copy destruction laws

At least 30 states have enacted laws that require the secure disposal of paper and electronic records containing personal information

Disposal laws generally require any party holding personal information of state residents to destroy, erase or make unreadable such data prior to disposal


State Breach Notification Laws


Overview: State Breach Notification Laws

• 50 states plus U.S. territories have separate and different laws requiring notification of “breach” of “personally identifiable information”

• Each state protects its own residents regardless of where the responsible party is located

• Generally cover businesses and government agencies

• Not industry specific

• Most states exempt breaches subject to notification under HIPAA or GLBA Safeguards Rule


“Typical” State Breach Notification Law

An entity that maintains computerized “personal information”

Must disclose a “security breach” to any state resident whose unencrypted, unredacted personal information

Was, or is reasonably believed to have been, acquired by an unauthorized person.

Reasonable likelihood that access has or will result in loss or harm

Any vendor that maintains data must provide notice to the entity that manages the data

Safe harbor for encrypted data

Excludes good faith acquisition of personal information by an employee or agent if the personal information is not used and is not subject to further unauthorized disclosure


Be Careful with the Word “Breach”

“Breach” is a legal conclusion not a description

General elements:

Unauthorized access and/or acquisition of computerized data

Compromises the security, confidentiality or integrity of PII

Reasonable belief that access has caused or will cause loss

Encryption is usually a defense (unless—in CA—reasonable belief that key or access credential also compromised)

Overuse of "breach" could lead public and regulators to think client is ignoring security


State laws vary significantly:

What is considered to be “personally identifiable information”

What is a “breach”

Whether reasonable likelihood of harm is required before notice is required

Method and content of required notice

When notice must be given

Who gets notice

Whether paper records are covered

Penalties imposed


What is “Personally Identifiable Information?”

Name + Another Sensitive Data Element = Personally Identifiable Information (PII)

Social Security number

Driver’s License or state-issued ID number

Account, credit or debit card number with security code, access code, password or PIN needed to access

Online Account access information (user name + password)

Date of birth

Health Insurance Card

Medical Records

Biometric data

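The “general elements” of the typical notification statute and the name-plus-sensitive-element PII definition on the preceding slides, encoded as a triage model that walks the elements in order and explains why notice is or is not required. This is an added illustration, not material from the program or its speaker and not any state’s actual statute: the element names, the `JurisdictionRule` switches and the sample incidents are constructed for the example.

```python
"""Triage model for the 'general elements' of a typical state breach
notification law as listed on the slides. Constructed illustration; the
element names, rule switches and incidents below are assumptions."""
from dataclasses import dataclass, field

# Sensitive elements that, combined with a name, make a record PII under the
# slide's "Name + another sensitive data element" definition (labels assumed).
SENSITIVE_ELEMENTS = frozenset({
    "ssn", "drivers_license", "state_id", "account_number_with_access_code",
    "online_credentials", "date_of_birth", "health_insurance_id",
    "medical_records", "biometric",
})


@dataclass(frozen=True)
class JurisdictionRule:
    """Points on which the slides say state laws vary (switch names assumed)."""
    name: str
    requires_likelihood_of_harm: bool = True
    covers_paper_records: bool = False
    # California-style exception from the slide: encryption is no defense if
    # the key or access credential is also reasonably believed compromised.
    key_compromise_defeats_safe_harbor: bool = False


@dataclass
class Incident:
    """Facts about one exposure as established so far by the investigation."""
    data_elements: frozenset
    computerized: bool = True
    encrypted: bool = False
    redacted: bool = False
    key_or_credential_compromised: bool = False
    acquired_by_unauthorized_person: bool = True  # actual or reasonably believed
    good_faith_employee_or_agent: bool = False
    data_used_or_further_disclosed: bool = False
    likelihood_of_harm: bool = True


@dataclass
class Assessment:
    notice_required: bool
    reasons: list = field(default_factory=list)


def is_pii(elements: frozenset) -> bool:
    """Name plus at least one sensitive element, per the slide's definition."""
    return "name" in elements and bool(elements & SENSITIVE_ELEMENTS)


def assess(incident: Incident, rule: JurisdictionRule) -> Assessment:
    """Apply the statute's elements in order; each exclusion that applies ends the analysis."""
    if not is_pii(incident.data_elements):
        return Assessment(False, ["no name + sensitive element combination"])
    if not incident.computerized and not rule.covers_paper_records:
        return Assessment(False, [f"{rule.name}: paper records not covered"])
    if incident.redacted:
        return Assessment(False, ["personal information was redacted"])
    reasons = []
    if incident.encrypted:
        if rule.key_compromise_defeats_safe_harbor and incident.key_or_credential_compromised:
            reasons.append(f"{rule.name}: encrypted, but key/credential also compromised; safe harbor lost")
        else:
            return Assessment(False, ["encryption safe harbor applies"])
    if not incident.acquired_by_unauthorized_person:
        return Assessment(False, ["no actual or reasonably believed unauthorized acquisition"])
    if incident.good_faith_employee_or_agent and not incident.data_used_or_further_disclosed:
        return Assessment(False, ["good-faith acquisition by employee/agent, not used or further disclosed"])
    if rule.requires_likelihood_of_harm and not incident.likelihood_of_harm:
        return Assessment(False, [f"{rule.name}: no reasonable likelihood of harm"])
    reasons.append("unauthorized acquisition of unencrypted, unredacted PII")
    return Assessment(True, reasons)


# Constructed jurisdictions: illustrative switch settings, not any state's law.
HARM_THRESHOLD_STATE = JurisdictionRule("Harm-threshold state")
KEY_EXCEPTION_STATE = JurisdictionRule("Key-exception state", key_compromise_defeats_safe_harbor=True)


def triage_examples() -> dict:
    """Constructed incidents run through the rules; returns label -> notice_required."""
    stolen_laptop = Incident(frozenset({"name", "ssn"}), encrypted=True)
    laptop_with_password = Incident(frozenset({"name", "ssn"}), encrypted=True,
                                    key_or_credential_compromised=True)
    misdirected_email = Incident(frozenset({"name", "date_of_birth"}),
                                 good_faith_employee_or_agent=True)
    marketing_list = Incident(frozenset({"name", "email"}))
    return {
        "encrypted laptop, harm-threshold state": assess(stolen_laptop, HARM_THRESHOLD_STATE).notice_required,
        "encrypted laptop + password taped to lid, key-exception state":
            assess(laptop_with_password, KEY_EXCEPTION_STATE).notice_required,
        "employee misdirected e-mail, recalled unread": assess(misdirected_email, HARM_THRESHOLD_STATE).notice_required,
        "name + e-mail address only": assess(marketing_list, HARM_THRESHOLD_STATE).notice_required,
    }
```

The `reasons` list is what a lawyer would carry into the memo: it records which element or exclusion decided the outcome, so the same facts can be re-run against another jurisdiction's switches as the investigation develops.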

When must notice be given?

Data owners:

Most states: without unreasonable delay

Specified period (30/45/60/90 days) from “discovery”

Discovery not always defined

Delay usually permitted:

if law enforcement authorities request a delay

to restore the security of the affected system

to determine the scope of the breach.

Service providers to data owners: “immediately” or “as soon as practicable”

Some states publish all breach notifications online


Who should receive breach notification?

Affected individuals—customers, employees, others

Attorney General or other state regulators

National consumer credit bureaus (large breaches)

Local and/or Federal law enforcement

Payment card issuers

If public company—possibly SEC and shareholders

Contract parties to whom client has breach notification obligation


State law workplace protections

Although privacy-directed, also involve confidentiality and security expectations for information collected

Anti-discrimination laws (restrict, regulate, and/or mandate certain information gathering)

Restrictions on employee monitoring and surveillance

Drug testing

State wiretapping acts


EU General Data Protection Regulation (GDPR) effective May 25, 2018

Personal data = any information relating to an identified or identifiable natural person (‘data subject’)

Scope includes any “processing” of personal data by person without an EU presence involving:

Offering of goods or services to data subjects in EU, or

Monitoring of behavior of data subjects in EU

A few highlights:

Right to protection of personal data is fundamental right

Disclosure of what data is processed, why, with whom shared, retained

Data minimization and privacy by design

Extensive rights of data subjects to consent to processing and control data

Extensive record keeping requirements


Cyber-attack Scenario


Ransomware Attack

One Monday morning at 8:00 AM, your client calls:

Company may be the victim of a ransomware attack.

All employees are locked out of their computers and unable to work.

All databases are inaccessible and the landline phone system isn’t working.

The bad actors are demanding payment of 20 bitcoin to restore the network.

Your client wants to know whether to pay the ransom.

What should you do?


First, ask questions:

Do you have cyber-liability insurance?

Do you have an Information Security Incident Response Plan?

Who manages your IT infrastructure—inhouse or outsourced?

Do you have backups to try to restore the data?

Do you know what personally identifiable information is stored in your system (customers, employees, job applicants, contractors, and former individuals in each of these categories)?


What advice should you give the client?

If client has a Plan, convene the Incident Response Team

If client does not have a Plan, convene a crisis team including senior management, IT, communications, HR

Notify the carrier

Engage breach response counsel and they will engage a forensic investigator

Instruct IT to try to restore using the backup system

Centralize and control all company and public communications with a designated spokesperson


Planning for Ransomware

Employ a secure data back-up and recovery plan for business critical data

Test the back-up system periodically

Have and test an Incident Response Plan

Train all personnel to know:

What a security incident is

How and to whom to report an incident

Identify breach response counsel and forensic expert

Regularly patch operating systems and keep anti-virus/anti-malware software up to date
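The points above about a secure back-up and testing it periodically are where a ransomware case is won or lost, so here is what such a test can look like in practice. This is an added example written for this page, not code from the original presentation: it records a SHA-256 hash of every file in a backup set plus an HMAC over the whole record, then checks a restored copy against that record and reports missing, modified (e.g. encrypted in place) or unexpected files, a rewritten manifest, and a backup that is too old to be useful. The key, file names and contents are constructed for the demonstration; the assumption is that the HMAC key is held somewhere the attacker cannot reach (off the backed-up systems), so encrypting the backup and rewriting its manifest to match does not go unnoticed.

```python
"""Backup integrity and restore-test check (added example, constructed data)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 (backup sets can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the MAC is reproducible at verify time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_root: Path, key: bytes, created: Optional[int] = None) -> dict:
    """Record every file's hash plus a MAC over the record, keyed with the offline key."""
    files = {p.relative_to(backup_root).as_posix(): file_sha256(p)
             for p in sorted(backup_root.rglob("*")) if p.is_file()}
    body = {"created": created if created is not None else int(time.time()),
            "files": files}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_restore(restore_root: Path, manifest: dict, key: bytes,
                   max_age_days: int = 7) -> dict:
    """Compare a restored copy with the manifest; report what is wrong, not just False."""
    report = {"ok": True, "manifest_tampered": False, "stale": False,
              "missing": [], "modified": [], "unexpected": []}
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        # A manifest with a bad MAC may have been rewritten by the attacker;
        # none of its hashes can be trusted, so stop here.
        report["manifest_tampered"] = True
        report["ok"] = False
        return report
    if time.time() - manifest["created"] > max_age_days * 86400:
        report["stale"] = True          # intact but old: restoring still loses data
        report["ok"] = False
    restored = {p.relative_to(restore_root).as_posix(): p
                for p in restore_root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in restored:
            report["missing"].append(rel)
        elif file_sha256(restored[rel]) != digest:
            report["modified"].append(rel)  # e.g. encrypted in place by ransomware
    report["unexpected"] = sorted(set(restored) - set(manifest["files"]))
    if report["missing"] or report["modified"] or report["unexpected"]:
        report["ok"] = False
    return report


def run_demo() -> dict:
    """Constructed scenario: clean restore, encrypted file, forged manifest, stale backup."""
    key = b"demo-key-held-off-the-backed-up-systems"   # constructed; a real key stays offline
    sample = {                                        # constructed sample backup set
        "db/customers.csv": b"id,name,email\n1,Ann,ann@example.com\n",
        "db/orders.csv": b"id,customer_id,total\n1,1,19.99\n",
        "config/app.ini": b"[db]\nhost=db.internal\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        for rel, data in sample.items():
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes(data)
        manifest = build_manifest(backup, key)

        restore = Path(tmp) / "restore"
        shutil.copytree(backup, restore)
        clean = verify_restore(restore, manifest, key)

        # Ransomware encrypts one restored file in place: its hash no longer matches.
        (restore / "db/customers.csv").write_bytes(os.urandom(48))
        encrypted = verify_restore(restore, manifest, key)

        # Attacker rebuilds the manifest to match the damaged data but lacks the key.
        forged = verify_restore(restore, build_manifest(restore, b"wrong-key"), key)

        # A genuine manifest from 30 days ago: intact, but too old to restore from safely.
        old = build_manifest(backup, key, created=int(time.time()) - 30 * 86400)
        stale = verify_restore(backup, old, key)
    return {"clean": clean, "encrypted": encrypted, "forged": forged, "stale": stale}


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(f"{name:9s} ok={rep['ok']} tampered={rep['manifest_tampered']} "
              f"stale={rep['stale']} modified={rep['modified']}")
```

The restore test is meant to be run against a copy restored onto a separate machine, not against the backup media itself, and the report is what the incident response team wants in hand before anyone discusses paying a ransom: it answers whether the backups are usable, how much data would be lost, and whether they were reachable by the attacker.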


Litigation and Enforcement


FTC Enforcement Actions: Section 5 of the FTC Act (15 U.S.C. § 45)

“unfair or deceptive acts or practices”

>60 enforcement actions for cybersecurity failings since 2002

Broad range of industries affected

Repeat offenders targeted

Focus on disparity between security promised / security delivered

Severe sanctions including 20-year consent decrees to maintain extensive data security protections

Consent decrees are major source for FTC view of “reasonable and necessary” security measures

Ongoing battle over FTC authority to regulate cybersecurity


What did the FTC consider unreasonable in 2017?

Uber: failed to control who could access data; did not require multi-factor authentication; stored database backups in plain readable text in the cloud

Lenovo: pre-installed software used the same, easy-to-crack password to protect its root-certificate private key on all affected laptops, allowing attackers to intercept users’ encrypted communications

D-Link: touted the security of its routers but did not protect against well-known, easily prevented security flaws

Turn Inc.: deceptive Privacy Policy that falsely claimed that consumers could reduce tracking online and on mobile devices

Vizio: failed to disclose that smart TVs were tracking viewers, combining their viewing with demographic data to sell to advertisers

BLU: failed to adequately manage a third-party provider whose pre-installed software on its mobile devices transmitted call and text-message numbers and logs to an undisclosed third party


Enforcement by State Attorneys General

State penalties, some exceeding $500,000, for failure to give breach notification

Authorized to enforce HIPAA, FCRA, and TCPA violations

Frequently work together to investigate and bring civil enforcement actions for major data breaches resulting in major settlements: Target, Anthem, Nationwide Mutual


Civil litigation

Some states (14) provide some form of private right of action under breach notification statutes

Common-law and contract theories: negligence, breach of contract, breach of fiduciary duty, invasion of privacy, breach of a duty of confidentiality, and conversion

Plaintiffs face difficult issues of standing, injury, causation, and class certification

Defense is expensive, even if cases are dismissed


Allegations in Data Breach Litigation

Private litigants typically allege that defendants:

Failed to safeguard information, such as

Failed to have appropriate encryption or other technical controls

Failed to train personnel with access

Failed to have adequate data security program

Failed to monitor vendor security

Privacy Policy misrepresented data security provided or inadequately disclosed data security risks; or

Failed to respond adequately to the breach.


Threshold Question = Standing

Common defense to most data breach class actions is failure to establish an injury-in-fact sufficient to support Article III standing.

Did plaintiff suffer an injury-in-fact?

Is a heightened risk of future harm because of the breach (e.g., possible identity theft) a sufficient injury-in-fact?

Do statutes that create a private right of action for data breach convey standing without showing injury-in-fact?


Standing: Supreme Court on Injury-in-Fact

Injury-in-fact is an invasion of a legally-protected interest that is:

1. Concrete and particularized

2. Actual or imminent, and

3. Not conjectural or hypothetical

Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)

Supreme Court on risk of future injury: standing does not exist if:

the plaintiff relies on a speculative chain of possibilities, or

the plaintiff does not show that the feared future injury is “certainly impending.”

Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143, 1147-50 (2013)


Is increased risk of future harm sufficient to show injury-in-fact?

Circuits holding that increased risk of future harm can confer standing if the plaintiff pleads sufficient facts to show that identity theft or other concrete injury is a real possibility: D.C., Third, Sixth, Seventh, Ninth

Increased risk of future harm not sufficient to confer standing:

Second, Fourth, Eighth

But, in “not sufficient” cases, facts seem arguably very speculative—at least as described in opinions

Next hurdle: Barnes & Noble is a “fellow victim of the data thieves,” so class certification is difficult. Dieffenbach v. Barnes & Noble, Inc. (7th Cir. 2018)


How we can help clients reduce—or at least mitigate—the risk of a damaging cyber-attack


Strong words to follow….

1. Figure out: What protected and other sensitive data do you have, where is it located, and who can access it?

Do you really need to have it? How long do you need to keep it?

2. Cybersecurity left to the IT Department is inadequate security: over-reliance on technical “solutions” while ignoring the equally if not more critical role of “governance” misses all prevailing standards of care

Inherent conflict of interest—need to ask hard questions and expect straight answers about encryption, secure document transmission, and known gaps

3. Adopt at least a basic governance program: Written Information Security Program (Massachusetts model)

Incident Response Plan

Personal device and other remote access


More strong words….

4. Manage employee-related security risks—“need to know” access, exit protocols, regular security training, background checks, confidentiality agreements

5. Go back to IT for “technical solutions”: encryption; access controls; password management; multi-factor authentication; patch management; network segmentation; download/upload controls; vulnerability/penetration testing

6. Manage third party (vendor) security risks: Due diligence in selecting and retaining

Confidentiality and security obligations in service provider contracts

7. Actually implement a document retention and destruction plan


If there isn’t time for your question, please contact me…

Sue Friedberg

Co-chair Cybersecurity and Data Protection Group

Buchanan Ingersoll & Rooney PC

[email protected]

412-562-8436
