CYBER-ATTACK LIABILITY AND PROTECTING CLIENT INTERESTS
First Run Broadcast: February 14, 2020
1:00 p.m. E.T./12:00 p.m. C.T./11:00 a.m. M.T./10:00 a.m. P.T. (60 minutes)
Every company that stores files in the cloud, has a Web site, or engages in e-commerce is a data
breach waiting to happen. Cyberattacks have become more frequent and more sophisticated,
breaching even federal security agencies and global finance companies. Every smaller company
is constructively on notice that it may be the next victim of a malicious breach. When that happens,
clients often turn to their lawyers and ask, what now and are we liable? This program will provide
lawyers with a real-world guide to advising clients about data breaches – what they are, how to
protect themselves legally, and what to do if it’s too late.
• Framework of law of cybersecurity – sources of liability under federal and state law
• What constitutes a data breach and your client’s obligation to protect against breaches
• Data breach notification laws – what must you disclose and when
• Risk of private causes of action and best practices to avoid
• Policies, processes and agreements to protect against – or respond to a data breach
Speaker:
Sue C. Friedberg is a partner in the Pittsburgh office of Buchanan, Ingersoll & Rooney, PC, where
she is co-chair of Buchanan’s Cybersecurity and Data Protection Group. She advises clients about
rapidly evolving standards of care for safeguarding confidential information and responding
effectively to security incidents that threaten to compromise their valuable or protected
information. She helps clients assess their data security risks and capabilities, develop information
security programs, design incident response plans and prepare and update contracts. Ms. Friedberg
earned her B.S., magna cum laude, from Georgetown University and her J.D., cum laude, from the
University of Pittsburgh School of Law.
VT Bar Association Continuing Legal Education Registration Form
Please complete all requested information, print this application, and fax with credit info or mail it with payment to: Vermont Bar Association, PO Box 100, Montpelier, VT 05601-0100. Fax: (802) 223-1573
PLEASE USE ONE REGISTRATION FORM PER PERSON.
First Name ________________________ Middle Initial ____ Last Name __________________________
Firm/Organization _____________________________________________________________________
Address ______________________________________________________________________________
City _________________________________ State ____________ ZIP Code ______________________
Phone # ____________________________Fax # ______________________
E-Mail Address ________________________________________________________________________
Basics of Cyber-Attack Liability and Protecting Clients Interests Teleseminar
February 14, 2020 1:00PM – 2:00PM
1.0 MCLE GENERAL CREDITS
PAYMENT METHOD:
Check enclosed (made payable to Vermont Bar Association) Amount: _________
Credit Card (American Express, Discover, Visa or Mastercard)
Credit Card # _______________________________________ Exp. Date _______________
Cardholder: __________________________________________________________________
VBA Members $75 Non-VBA Members $115
NO REFUNDS AFTER February 7, 2020
Vermont Bar Association
CERTIFICATE OF ATTENDANCE
Please note: This form is for your records in the event you are audited.
Sponsor: Vermont Bar Association
Date: February 14, 2020
Seminar Title: Basics of Cyber-Attack Liability and Protecting Clients Interests
Location: Teleseminar - LIVE
Credits: 1.0 MCLE General Credit
Program Minutes: 60 (General)
Luncheon addresses, business meetings, receptions are not to be included in the computation of credit. This form denotes full attendance. If you arrive late or leave prior to the program ending time, it is your responsibility to adjust CLE hours accordingly.
Basics of Cyber-attack Liability and Protecting Clients
Sue Friedberg | Co-chair, Cybersecurity and Data Protection
[email protected] / 412-562-8436
AGENDA
1. What keeps clients—and lawyers—up at night?
2. What is a data breach and how can you help your client—if not avoid—at least reduce the risks and mitigate the consequences?
Cybersecurity Law Landscape:
Federal laws
The patchwork of state laws
Industry standards
Private litigation and government enforcement
3. Cybersecurity incident scenario—ransomware attack
4. How lawyers can help
Cybersecurity Law Landscape
Why Are Clients Up at Night?
Lost productivity
Physical damage and bodily injury
Cyber extortion
Cyber terrorism
Theft of intellectual property
Legal actions
Financial costs (response, remediation)
Business interruption
Reputational damage
Threats all around
Internal threats:
Insider accidents or ignorance
Improper disposal of personal information
Lack of education and awareness
Negligence/indifference
Precaution failures
Lost mobile devices
Insider malicious conduct
Vendors with access—accidents, ignorance, negligence, indifference
External threats:
Hackers and phishers
Identity thieves
Organized crime
Nation-state actors
Hacktivists
Business espionage
How we set ourselves up:
Too much data
Retained indefinitely
Too many copies in too many places
Stored on too many devices
Too many people have access
Too easy to transmit
Data is a very valuable asset
Sources of duty to protect information
Federal information security laws and regulations
Federal consumer protection laws
Federal employment laws with privacy protections
State breach notification laws
State information security laws
State consumer protection laws
State privacy protections
Industry-mandated standards
Contractual obligations: to comply with whatever laws, regulations, and standards apply to the contract parties
Thrust of Information Security Laws
Protect:
Security
Confidentiality
Integrity
Availability
Against:
Unauthorized disclosure
Unauthorized access
Unauthorized use
Alteration
Destruction
Loss
Federal Laws
Healthcare: HIPAA, HITECH, HHS rules (Security Rule, Privacy Rule, Breach Notification Rule)
Enforced by:
Health & Human Services, Office for Civil Rights
State attorneys general
Most entities that come into contact with electronic protected health information (ePHI) are likely required to comply with the Security Rule:
Covered entities: health care providers, health plans and health care clearinghouses
Business associates
Subcontractors to business associates
Security Rule: Required Safeguards for ePHI
Administrative
Risk analysis to identify vulnerabilities and threats to ePHI
Policies and procedures
Workforce conduct management—training and awareness
Physical
Access controls (badges, visitor logs)
Machine controls and data storage protections
Technical
Unique user identification and authentication (including passwords)
Audit controls to monitor system activity
Encryption
What is a risk analysis?
Identify what ePHI is created, received, maintained or transmitted
Identify and document potential threats and vulnerabilities—internal and external
Assess risk level:
Likelihood that a threat will occur or vulnerability will be exploited, and
Degree of severity of impact on business if it occurs
Assess scope/adequacy/effectiveness of current security measures
Identify gaps between vulnerabilities and security measures
Develop and document a Risk Management Plan to address the gaps—setting priorities and a timeline
Repeat
HIPAA Privacy Rule
Applies to protected health information in all forms—electronic, written, oral (“PHI”)
Strictly limits the ways covered entities may use or disclose PHI without patient authorization
Example: a covered entity or business associate that uses or discloses more than the minimum amount of PHI necessary to serve the purpose has potentially violated the Privacy Rule.
Financial Services
Gramm Leach Bliley Act—privacy and administrative, technical and physical security
Consumer privacy and security
Enforced by FTC and CFPB
Fair Credit Reporting Act—affirmative duties to report accurately and protect confidentiality
Fair and Accurate Credit Transactions Act —Red Flags identity theft protection programs
Banking institutions—enforced by banking agencies (FDIC, FRB, OCC, et al.)
Investment institutions—enforced by SEC, FFIEC, FINRA
Breach under HIPAA
Breach =
(i) acquisition, access, use or disclosure
(ii) Of unsecured PHI
(iii) that is not permitted under HIPAA; and
(iv) compromises the security or privacy of the protected health information
Unauthorized access is presumed to be a breach unless the organization can show, through a documented risk assessment, a “low probability that the PHI has been compromised”
Breach notification to affected individuals without unreasonable delay and no later than 60 days after discovery; notice to the HHS Office for Civil Rights within the same 60 days for breaches affecting 500 or more individuals (smaller breaches are logged and reported to HHS annually), plus media notice when more than 500 residents of a state are affected
Enforcement by OCR through investigations, fines and civil actions
Safeguards Rule (GLBA): requires a comprehensive information security program
Key elements:
Designate program coordinator(s)
Conduct risk assessment
Implement safeguards to address risks identified in the risk assessment
Oversee service providers
Evaluate and revise the program in light of material changes to the business
High risk areas:
Employee management and training
Information systems
Detecting and managing system failures
FTC guidance: Financial Institutions and Customer Information: Complying with the Safeguards Rule
https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
All industries: Start with Security: A Guide for Business
https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
Federal government contractors and critical infrastructure industries
Viewed as targets for cyber exploitation (e.g. financial, utilities, energy, transportation)
National Institute of Standards and Technology (NIST) Cybersecurity Framework
https://www.nist.gov/cyberframework/framework
Core cybersecurity functions: Identify, Protect, Detect, Respond, Recover
Federal government contractors
Department of Defense
Defense Federal Acquisition Regulation Supplement (DFARS)—all DOD contractors including small business
(1) Provide adequate security for defense information that resides in or transits through internal unclassified information systems from unauthorized access and disclosure; and
(2) Rapidly report cyber incidents and cooperate with DOD to respond to these security incidents, including access to affected media
NIST SP 800-171 applies—14 families of security requirements:
Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; System and Information Integrity
FTC consumer protections
Fair Credit Reporting Act (FCRA)
Requires credit reporting agencies to use “reasonable procedures” to protect “the confidentiality, accuracy, relevancy and proper utilization” of consumer information
Prohibits employers from procuring a consumer credit report for employment purposes without prior disclosure and authorization
Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)
Secure disposal of credit information
Children’s Online Privacy Protection Act of 1998 (“COPPA”)
Parental consent for data from children under 13
Federal privacy protections with security aspects
Workplace privacy and anti-discrimination laws, administered by the EEOC:
Title VII Civil Rights Act, ADA, Age Discrimination in Employment Act
Electronic surveillance and communications laws: Wiretap Act
Electronic Communications Privacy Act
Stored Communications Act
Children’s Online Privacy Protection Act (COPPA)
Industry standards for security controls
Payment Card Industry Data Security Standard (PCI DSS)
Developed by the Council of major payment card brands
Global standard for all entities that process, store, or transmit cardholder data
Enforced by contracts between payment card brands, acquiring banks, merchants and transaction processors
Accounting (AICPA)
System and Organization Controls (SOC) examination
Design and/or effectiveness of cybersecurity risk management program
Internationally recognized security certifications:
ISO/IEC 27001 (International Organization for Standardization)
COBIT (Control Objectives for Information and Related Technologies, developed by ISACA)
State Laws with Security Standards
States with substantive security requirements
Arkansas
California
Connecticut
Florida
Indiana
Kansas
Maryland
Massachusetts
Minnesota
Nevada
Oregon
Rhode Island
Texas
Utah
California
First state to impose information security standard on businesses that own or license personal information about California residents
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the information from unauthorized access, destruction, use, modification, or disclosure
If personal information is disclosed to third parties, they must be contractually required to meet the same standard
CA Attorney General list of minimum Critical Security Controls: https://oag.ca.gov/breachreport2016#appendixes
PCI DSS codified in Nevada and Minnesota
Nevada:
Codified the entire Payment Card Industry Data Security Standard (PCI DSS) in statute
Encryption required when transmitting electronic personal data other than payment card data outside the control of the data collector (or its storage contractor)
Compliance = safe harbor against liability for breach (except gross negligence or intentional misconduct)
Minnesota: codified the portions of PCI DSS that limit the time period for retaining payment card data
Massachusetts: detailed security requirements
Implement formal Written Information Security Program—similar to federal standards
Designate employees to maintain the information security program
Identify and assess reasonably foreseeable internal and external security risks and the effectiveness of current safeguards, and upgrading safeguards as necessary
Develop security policies for employees relating to the storage, access and transportation of records containing personal information
Impose disciplinary measures for violations
Restrict access of terminated employees to records containing personal information
Restrict physical access to records containing personal information
Oversee service providers by:
Using reasonable due diligence to select and retain service providers; and
Contractually requiring service providers to maintain appropriate security measures
Review security measures at least annually
Document actions taken in response to security breaches and hold a post-incident review
SSN Laws
Five states have laws requiring businesses to have policies designed to prevent unlawful disclosure of SSNs by:
Ensuring confidentiality
Limiting access
Describing proper disposal
Hard copy destruction laws
At least 30 states have enacted laws that require the secure disposal of paper and electronic records containing personal information
Disposal laws generally require any party holding personal information of state residents to destroy, erase or make unreadable such data prior to disposal
State Breach Notification Laws
Overview
• 50 states plus U.S. territories have separate and different laws requiring notification of “breach” of “personally identifiable information”
• Each state protects its own residents regardless of where the responsible party is located
• Generally cover businesses and government agencies
• Not industry specific
• Most states exempt breaches subject to notification under HIPAA or GLBA Safeguards Rule
“Typical” State Breach Notification Law
An entity that maintains computerized “personal information” must disclose a “security breach” to any state resident whose unencrypted, unredacted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, where there is a reasonable likelihood that the access has resulted or will result in loss or harm
Any vendor that maintains data must provide notice to the entity that owns or licenses the data
Safe harbor for encrypted data
Excludes good faith acquisition of personal information by an employee or agent if the personal information is not used and is not subject to further unauthorized disclosure
Be Careful with the Word “Breach”
“Breach” is a legal conclusion not a description
General elements:
Unauthorized access and/or acquisition of computerized data
Compromises the security, confidentiality or integrity of PII
Reasonable belief that access has caused or will cause loss
Encryption is usually a defense (unless—in CA—reasonable belief that key or access credential also compromised)
Overuse of "breach" could lead public and regulators to think client is ignoring security
State laws vary significantly:
What is considered to be “personally identifiable information”
What is a “breach”
Whether reasonable likelihood of harm is required before notice is required
Method and content of required notice
When notice must be given
Who gets notice
Whether paper records are covered
Penalties imposed
What is “Personally Identifiable Information?”
Name + Another Sensitive Data Element = Personally Identifiable Information (PII)
Social Security number
Driver’s License or state-issued ID number
Account, credit or debit card number with the security code, access code, password or PIN needed to access it
Online Account access information (user name + password)
Date of birth
Health Insurance Card
Medical Records
Biometric data
When must notice be given?
Data owners:
Most states: without unreasonable delay
Specified period (30/45/60/90 days) from “discovery”
Discovery not always defined
Delay usually permitted:
if law enforcement authorities request a delay
to restore the security of the affected system
to determine the scope of the breach.
Service providers to data owners: “immediately” or “as soon as practicable”
Some states publish all breach notifications online
Who should receive breach notification?
Affected individuals—customers, employees, others
Attorney General or other state regulators
National consumer credit bureaus (large breaches)
Local and/or Federal law enforcement
Payment card issuers
If public company—possibly SEC and shareholders
Contract parties to whom the client has a breach notification obligation
State law workplace protections
Although privacy-directed, these also involve confidentiality and security expectations for the information collected
Anti-discrimination laws (restrict, regulate, and/or mandate certain information gathering)
Restrictions on employee monitoring and surveillance
Drug testing
State wiretapping acts
EU General Data Protection Regulation (GDPR) effective May 25, 2018
Personal data = any information relating to an identified or identifiable natural person (‘data subject’)
Scope includes any “processing” of personal data by person without an EU presence involving:
Offering of goods or services to data subjects in EU, or
Monitoring of behavior of data subjects in EU
A few highlights:
Right to protection of personal data is fundamental right
Disclosure of what data is processed, why, with whom it is shared, and how long it is retained
Data minimization and privacy by design
Extensive rights of data subjects to consent to processing and control data
Extensive record keeping requirements
Cyber-attack Scenario
Ransomware Attack
One Monday morning at 8:00 AM, your client calls:
Company may be the victim of a ransomware attack.
All employees are locked out of their computers and unable to work.
All databases are inaccessible and the landline phone system isn’t working.
The bad actors are demanding payment of 20 bitcoin to restore the network.
Your client wants to know whether to pay the ransom.
What should you do?
First, ask questions:
Do you have cyber-liability insurance?
Do you have an Information Security Incident Response Plan?
Who manages your IT infrastructure—inhouse or outsourced?
Do you have backups to try to restore the data?
Do you know what personally identifiable information is stored in your systems (customers, employees, job applicants, contractors, and former members of all of these groups)?
What advice should you give the client?
If client has a Plan, convene the Incident Response Team
If client does not have a Plan, convene a crisis team including senior management, IT, communications, HR
Notify the carrier
Engage breach response counsel, who will retain the forensic investigator (retaining the investigator through counsel supports a claim of privilege over the investigation)
Instruct IT to try to restore from the backup system—after forensic images of the affected systems have been preserved, and only once the backups themselves are confirmed intact (backups reachable from the compromised network are often encrypted too)
Centralize and control all company and public communications through a designated spokesperson
Planning for Ransomware
Employ a secure data backup and recovery plan for business-critical data, with at least one copy kept offline or otherwise out of reach of the credentials used on the production network
Test the backup system periodically, including an actual restore
Have and test an Incident Response Plan
Train all personnel to know:
What a security incident is
How and to whom to report an incident
Identify breach response counsel and a forensic expert in advance
Regularly patch operating systems and keep anti-virus/anti-malware up to date
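The point behind "test the backup system periodically" is that a backup you have never restored is an assumption, not a control, and a backup taken after the ransomware ran is a faithful copy of ciphertext. The following is an added example, not code from the presentation or the speaker's firm: it archives a directory, records a SHA-256 manifest taken at a known-good time, restores into a scratch directory and compares every file with that manifest, then simulates an attack that overwrites the source files and shows that the next backup fails the check. The file names, contents and directory layout are constructed for the demo.

```python
"""Added example, not part of the original presentation: a backup integrity and
restore test.  A manifest of SHA-256 hashes taken at a known-good time is the
reference; a restore that does not reproduce those hashes is a failed backup,
whether the archive was damaged or the data was already encrypted when it was
taken.  Paths, file names and contents below are constructed for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive src into dest_dir/backup.tar and write a manifest of file hashes.
    Keep the known-good manifest separate from the archive and out of reach of
    the credentials used on workstations; it is what later restores are judged by."""
    archive = dest_dir / "backup.tar"
    manifest = dest_dir / "backup.manifest.json"
    hashes = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse archive entries that would escape the restore directory."""
    for m in tar.getmembers():
        if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
            raise ValueError(f"unsafe path in archive: {m.name}")
        yield m


def verify_restore(archive: Path, manifest: Path) -> list[str]:
    """Restore into a scratch directory and compare every file with the manifest.
    Returns the problems found; an empty list means the restore test passed."""
    expected = json.loads(manifest.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r") as tar:
            tar.extractall(scratch, members=_safe_members(tar))
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Back up a sample tree and verify it; then overwrite the source files the
    way ransomware would and show that a backup taken afterwards fails against
    the known-good manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "payroll.csv").write_bytes(b"id,name,salary\n1,Alice Example,100\n")
        (src / "policies.txt").write_bytes(b"Written Information Security Program v3\n")

        good = Path(tmp) / "backup_good"
        good.mkdir()
        archive, manifest = make_backup(src, good)
        clean = verify_restore(archive, manifest)  # expected: []

        for p in src.rglob("*"):  # simulate encryption of every file in place
            if p.is_file():
                p.write_bytes(os.urandom(32))
        later = Path(tmp) / "backup_after_attack"
        later.mkdir()
        archive2, _ = make_backup(src, later)
        tainted = verify_restore(archive2, manifest)  # judged against the good manifest
        return clean, tainted


if __name__ == "__main__":
    ok, bad = run_demo()
    print("known-good backup:", ok or "restore test passed")
    print("post-attack backup:", bad)
```

The restore goes into a throwaway directory rather than over production, which is what makes it safe to run on a schedule; the manifest, not the archive, carries the trust, so it belongs with the offline copy rather than on the file server the attacker already controls.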
Litigation and Enforcement
FTC Enforcement Actions
Section 5 of the FTC Act (15 U.S.C. § 45): “unfair or deceptive acts or practices”
>60 enforcement actions for cybersecurity failings since 2002
Broad range of industries affected
Repeat offenders targeted
Focus on disparity between security promised / security delivered
Severe sanctions including 20-year consent decrees to maintain extensive data security protections
Consent decrees are major source for FTC view of “reasonable and necessary” security measures
Ongoing battle over FTC authority to regulate cybersecurity
What did the FTC consider unreasonable in 2017?
Uber: failed to control who could access data; did not require multi-factor authentication; stored database backups in plain readable text in the cloud
Lenovo: shipped laptops with preinstalled ad-injecting software whose root certificate was protected by the same easy-to-crack password on every machine, allowing attackers to intercept encrypted communications
D-Link: touted the security of its routers but did not protect against well-known, easily prevented security flaws
Turn Inc.: deceptive privacy policy that falsely claimed consumers could reduce tracking online and on mobile devices
Vizio: failed to disclose that its smart TVs were tracking viewers and combining their viewing data with demographic data to sell to advertisers
BLU: failed to adequately manage a third party provider that pre-installed software on mobile devices that transmitted call and text numbers and logs to an undisclosed third party
Enforcement by State Attorneys General
State penalties some >$500,000 per failure to give breach notification
Authorized to enforce HIPAA, FCRA, and TCPA violations
Frequently work together to investigate and bring civil enforcement actions for major data breaches resulting in major settlements: Target, Anthem, Nationwide Mutual
Civil litigation
Some states (14) provide some form of private right of action under breach notification statutes
Negligence, breach of contract, breach of fiduciary duty, invasion of privacy, breach of a duty of confidentiality and conversion
Plaintiffs face difficult issues of standing, injury, causation, and class certification
Defense is expensive, even if cases are dismissed
Allegations in Data Breach Litigation
Private litigants typically allege that defendants:
Failed to safeguard information, such as
Failed to have appropriate encryption or other technical controls
Failed to train personnel with access
Failed to have adequate data security program
Failed to monitor vendor security
Privacy Policy misrepresented data security provided or inadequately disclosed data security risks; or
Failed to respond adequately to the breach.
Threshold Question = Standing
Common defense to most data breach class actions is failure to establish an injury-in-fact sufficient to support Article III standing.
Did plaintiff suffer an injury-in-fact?
Is heightened risk of future harm because of breach (i.e. possible identity theft) sufficient injury-in-fact?
Do statutes that create a private right of action for data breach convey standing without showing injury-in-fact?
Standing: Supreme Court on Injury-in-Fact
Injury-in-fact is an invasion of a legally-protected interest that is:
1. Concrete and particularized
2. Actual or imminent, and
3. Not conjectural or hypothetical
Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)
Supreme Court on risk of future injury: standing does not exist if:
Plaintiff relying on a speculative chain of possibilities
Plaintiff does not show feared future injury was certainly impending.
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143, 1147-50 (2013)
Is increased risk of future harm sufficient to show injury-in-fact?
Circuits holding that increased risk of future harm can confer standing if the plaintiff pleads sufficient facts to show identity theft or other concrete injury is a real possibility: D.C., Third, Sixth, Seventh, Ninth
Circuits holding that increased risk of future harm is not sufficient to confer standing: Second, Fourth, Eighth
But in the “not sufficient” cases the facts seem arguably very speculative—at least as described in the opinions
Next hurdle: class certification. Barnes & Noble was a “fellow victim of the data thieves,” so certification is difficult. Dieffenbach v. Barnes & Noble, Inc. (7th Cir. 2018)
How we can help clients reduce—or at least mitigate—the risk of a damaging cyber-attack
Strong words to follow….
1. Figure out: what protected and other sensitive data do you have, where is it located, and who can access it? Do you really need to have it? How long do you need to keep it?
2. Cybersecurity left to the IT department is inadequate security: over-reliance on technical “solutions” while ignoring the equally if not more critical role of “governance” misses all prevailing standards of care. There is an inherent conflict of interest—you need to ask hard questions and expect straight answers about encryption, secure document transmission, and known gaps.
3. Adopt at least a basic governance program:
Written Information Security Program (Massachusetts model)
Incident Response Plan
Personal device and other remote access policies
More strong words….
4. Manage employee-related security risks—“need to know” access, exit protocols, regular security training, background checks, confidentiality agreements
5. Get back with IT for “technical solutions”: encryption; access controls; password management; multi-factor authentication; patch management; network segmentation; download/upload controls; vulnerability/penetration testing
6. Manage third party (vendor) security risks:
Due diligence in selecting and retaining vendors
Confidentiality and security obligations in service provider contracts
7. Actually implement a document retention and destruction plan
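Item 1 above (find out what protected data you hold and where) and the earlier definition of personally identifiable information (a name plus another sensitive data element) are the same question asked of a data export. The following is an added example, not code from the presentation or the speaker's firm: a small discovery scanner that applies the “name + another element” test to each record, looks in every column rather than only the ones labelled as sensitive, and uses the SSN issuance rules and the Luhn check to keep phone and order numbers from being reported as identifiers. The CSV, its column names and the record layout are constructed for illustration; the SSNs and card numbers are standard test values, not real identifiers.

```python
"""Added example, not part of the original presentation: a data-discovery scanner
that applies the "name + another sensitive element = PII" test to records.  The
CSV below is constructed for illustration; the SSNs and card numbers are
well-known test values, not real identifiers, and the column names are assumed."""
import csv
import io
import re
from dataclasses import dataclass, field

# SSN: 3-2-4 digits.  Area 000, 666 and 900-999, group 00 and serial 0000 are never
# issued, so excluding them removes many false positives from phone/order numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card: 13-19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def find_cards(text: str) -> list[str]:
    """Digit strings that look like card numbers AND pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    record_id: str
    has_name: bool
    elements: list[str] = field(default_factory=list)

    @property
    def is_pii(self) -> bool:
        # The "typical" statute: a name combined with at least one sensitive element.
        return self.has_name and bool(self.elements)


def scan_csv(csv_text: str) -> list[Finding]:
    """Scan every column of every row, not only the columns labelled as sensitive:
    identifiers leak into free-text fields such as 'notes'.  Found values are
    masked so the report itself does not become another copy of the PII."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        blob = " ".join(v or "" for v in row.values())
        elements = [f"ssn:***-**-{s[-4:]}" for s in find_ssns(blob)]
        elements += [f"card:{c[-4:].rjust(len(c), '*')}" for c in find_cards(blob)]
        has_name = bool((row.get("name") or "").strip())
        findings.append(Finding(row["id"], has_name, elements))
    return findings


# Constructed sample export.  Rows 3 and 4 exercise the false-positive filters;
# row 5 shows an SSN that only appears inside a free-text column.
SAMPLE_CSV = """id,name,ssn,card,notes
1,Alice Example,123-45-6789,,
2,Bob Example,,4111 1111 1111 1111,
3,,000-12-3456,,no name and an unissued SSN area
4,Carol Example,,4111111111111112,fails Luhn so not flagged
5,Dan Example,,,"call back re 456-78-9012"
"""

if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CSV):
        verdict = "PII -> notification analysis" if f.is_pii else "no PII"
        print(f"record {f.record_id}: {verdict} {f.elements}")
```

Run against a real export the same scanner answers the inventory questions in item 1 (which systems hold notification-triggering combinations, and how many records) and, after an incident, narrows the scope question in the breach notification analysis to the records that actually carried a name plus an element.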
If there isn’t time for your question, please contact me…
Sue Friedberg
Co-chair Cybersecurity and Data Protection Group
Buchanan Ingersoll & Rooney PC
412-562-8436