Cybersecurity and the Law · 2016. 2. 29. · Learning Objectives •Explain the possible legal...
Cybersecurity and the Law
February 29, 2016 – 9:30-10:30am
Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP
Conflict of Interest
Adam H. Greene Has no real or apparent conflicts of interest to report.
Agenda
• Learning Objectives
• The Potential Legal Costs of Poor Cybersecurity
• What the Law Requires
• The Value of Best Practices
• The Role of NIST
Learning Objectives
• Explain the possible legal ramifications of a cyber-attack
• Review recent developments in Cyber Security Law
• Provide ideas on how to prepare executive management and the board for the inevitable
• Discuss the pros and cons of applying the NIST Cyber Security Framework within healthcare
The Potential Legal Costs of Poor Cybersecurity
A Really Bad Day …
An outside security consultant’s review identified sophisticated malware residing on your information systems.
More Bad News…
Forensic investigation identified that:
• The outside entity obtained initial access through spear phishing.
• Once inside the network, it obtained administrative credentials.
• It has been in the system for four months.
What Did They Get?
We don’t know what was exfiltrated. Possibly:
• Information on 500,000 patients.
• Including medical information and Social Security numbers.
• Affecting residents in 22 states where we operate.
So, How Bad Is This?
Potential HIPAA Violations:
• Impermissible disclosure of 500,000 patients’ protected health information (2015-16)
• Failure to conduct an accurate and thorough risk analysis (2011-16)
• Failure to implement a risk management plan (2011-16)
• Lack of information system activity review (2011-16)
• Failure to protect from malicious software (2011-16)
So, How Bad Is This?
Potential HIPAA Penalties (HHS):
• Up to $50,000 per violation, counted per day or per affected individual
• Annual cap of $1.5 million for multiple violations of the same requirement
So, How Bad Is This?
Potential HIPAA Penalties (HHS):
• Impermissible disclosure: 2 years × $1.5M = $3M
• Risk analysis: 6 years × $1.5M = $9M
• Risk management plan: $9M
• Information system activity review: $9M
• Failure to protect from malicious software: $9M
• HHS Total = $39M
But Wait, There’s More ….
Potential HIPAA Penalties (State Attorney General):
• $100 per violation, counted per day or per affected individual
• Annual cap of $25,000 for multiple violations of the same requirement
Potential State AG HIPAA Penalties
• Impermissible disclosure: 2 years × $25K = $50K
• Risk analysis: 6 years × $25K = $150K
• Risk management plan: $150K
• Information system activity review: $150K
• Failure to protect from malicious software: $150K
• Per State Subtotal = $650K
• Total for 22 states = $14.3M
And then there’s the FTC …
• If the breached entity is a for-profit entity, the FTC can allege that the lack of security was an unfair or deceptive trade practice.
• Standard 20-year consent order (potentially requiring independent monitoring).
• In Henry Schein Practice Solutions, Inc., the FTC required payment of $250,000 to a redress fund.
Welcome to California …
125,000 of the affected patients reside in California.
Welcome to California …
125,000 x ($1,000 + $3,000 + $1,000) = $625M
And don’t forget about …
• Breach notification costs
• Credit monitoring costs
• Breach notification legal costs
• Legal costs for handling multiple regulatory investigations
• Legal costs for class action defense
What the Law Requires
HIPAA Provides a Minimal Baseline:
• Substantial flexibility and technology neutral
• Provides discretion to not implement certain technology based on a risk-based approach
• Does not clearly require due diligence of vendors
• Does not require active monitoring of vendors – only requires action upon learning of a violation
But Don’t Let HIPAA’s Flexibility Fool You…
• For “accurate and thorough” risk analysis, OCR expects you to document how you are addressing every reasonably-anticipated risk.
• While a covered entity is generally not directly liable for its business associates’ violations, a BA’s violation can still cause the covered entity substantial reputational harm and breach notification costs
FTC Applies More Stringent Standards than HIPAA
• Section 5 authority is inapplicable to non-profits.
• No clear information security standards.
• Expects “defense in depth”
• In GMR Transcription, the complaint alleged a lack of active monitoring of a subcontractor business associate.
• In Henry Schein Practice Solutions, the complaint faulted the business associate for encryption that did not satisfy NIST standards.
Successes and Failures of Class Actions
Limited Plaintiff Successes Absent Clear Damages
• AvMed $3 million settlement (1.2 million affected customers, claim of unjust enrichment based on premiums allegedly not going towards adequate information security) (2014)
• Stanford $4 million settlement (20,000 patients, settlement mostly paid by Stanford’s vendors) (2014)
Successes and Failures of Class Actions
Limited Plaintiff Successes Absent Clear Damages (cont’d)
• Boston Medical Center, Superior Court held that plaintiffs had standing to sue based on data exposure (2016)
Successes and Failures of Class Actions
Most Cases Dismissed on Lack of Standing
• Clapper v. Amnesty International, U.S. Supreme Court held that individuals potentially subject to surveillance did not have standing based on allegations of possible future injury. (2013)
• Numerous cases have dismissed data breach class actions on lack of standing or lack of damages
Dodging the CA CMIA Bullet
California Confidentiality of Medical Information Act provides $1,000 per person for negligent disclosure of medical information in the absence of actual damages.
• In Sutter Health, the court held that evidence must show that medical information was actually viewed.
• In Eisenhower Med. Ctr., the court held that patient demographic information was not “medical information.”
To Be Determined
• Successful action under CMIA? Will court award millions in absence of any actual damages?
• Spokeo v. Robins, U.S. Supreme Court addresses whether consumer class can sue for monetary damages w/o identifiable financial or personal injuries.
The Value of Best Practices
A Robust Cyber Security Program:
• Legal risks follow real risks – and health care hacking is on the rise.
• Tougher regulators are increasing legal risks from data breaches.
• Doing the bare minimum will lead to:
– High breach notification incidents and costs
– High litigation costs defending claims of negligence
– Fights with regulators over what is required
• Cyber insurance carriers may require more and more
Convincing the C-Suite/Board
• Inform:
– Evidence of increasing threats to health care data
– Increasing level of enforcement among more regulators
• Quantify:
– How much a breach will cost vs. risk reduction through InfoSec investment
– Focus on return on investment
• Progress Reports:
– What is the current profile?
– What is the target profile?
– How are we progressing towards the target?
The Role of NIST
The Role of NIST
• NIST standards are not required for private entities, unless incorporated through contract, but …
• They are a good set of tools for improving cybersecurity;
• A good proxy for industry best practices; and
• Agencies such as the FTC are increasingly expecting NIST-level safeguards.
NIST Cyber Security Framework
Framework Core:
• Identify
• Protect
• Detect
• Respond
• Recover
NIST Cyber Security Framework
Framework Implementation Tiers:
• Partial (Tier 1)
• Risk Informed (Tier 2)
• Repeatable (Tier 3)
• Adaptive (Tier 4)
NIST Cyber Security Framework
Framework Profile:
• Current Profile
• Target Profile
• Comparison of Profiles
NIST Cyber Security Framework
1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze, and Prioritize Gaps
7. Implement Action Plan
Figure source: NIST, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Stay Tuned
• Section 405 of the Cybersecurity Act of 2015
– HHS to work with NIST to create information for health care industry stakeholders of all sizes on improving preparedness for, and response to, cybersecurity threats affecting the health care industry
– The statute states that any new standards will be consistent with HIPAA but will be optional
Resources
• NIST Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• NIST Guide for Conducting Risk Assessments (SP 800-30 Rev. 1), http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
• Cybersecurity Information Sharing Act (part of Pub. L. 114-113), https://www.congress.gov/114/bills/hr2029/BILLS-114hr2029enr.pdf
• HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk