Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015

Transcription

1 Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015

2 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery Slope of Data: Where Are The Vulnerabilities? Why Do Hackers Want Data? Because That s Where The Money Is... Information Governance: What Do You Have And How Do You Protect It? Risk Mitigation And Insurance Pulling It All Together When The Worst Happens: The Data Breach Response

3 The Legal Framework 2 Pre-Breach Risk Management: statutory and contractual requirements, best practices The Post-Breach Legal Landscape Consumer and Employee Class Actions B2B Litigation Regulatory Investigations, Enforcement Actions, and Penalties The Role of Legal Counsel

4 Risk Management, Privacy and Data Security 3 Website Review and Audit Privacy Policy Gap Analysis Geolocation and Consumer Information Collection Advice Review of Digital Media Policies Review for COPPA, VPPA, HIPAA/HITECH Privacy Review of Mobile apps Data Compliance and Counseling Security Privacy and network policy security development and review Incident response Gap analysis and audit review of policies and practices Legal advice on compliance with HIPAA/HITECH Litigation Defense Insurance Coverage Crisis Management Litigation Avoidance Class Action Defense Coverage Defense Analysis of applicable notice obligations Risk Management Information Governance Coordination of Privacy and Data Security Policies Compliance with state and federal regulations Advice on policy development and implementation Advice on Board recommendations Federal cyberrisk business development Advocacy and public policy Contact: Donna L. Wilson DLWilson@manatt.com P&DS Webpage

5 Information Security & Privacy Exposures 4 Privacy Exposure Wrongful Use Wrongful Collection Physical Theft of Sensitive Info Electronic Accidental Disclosure Non-Electronic Accidental Disclosure Information Security Exposure Cyber Attacks

6 Cyber Breaches 5 75% of Breaches reported were due to Human Error/Negligence Mobile Device Breach Laptop thefts controlled by two healthcare organizations led to an investigation by the Office for Civil Rights. It was discovered that not all devices containing PHI were encrypted. It was also discovered that one of the organizations failed to comply with numerous HIPAA requirements for several years. Both organizations were required to pay a monetary settlement and required to implement a corrective action plan that included providing status updates to HHS. Total paid = $2M

7 Cyber Breaches (cont d) 6 75% of Breaches reported were due to Human Error/Negligence Hacking Breach Cyber terrorist group hacked into company s network accessing over 100 million customer accounts including customer usernames and passwords, credit card numbers and expiration dates. Sixty five suits were filed in the United States. There were also Federal investigations, State investigations, and international investigations. Total paid = expected to be over $150M

8 Cyber Breaches (cont d) 7 75% of Breaches reported were due to Human Error/Negligence Paper Breach Over 5,000 medical records were left unattended on the driveway of a physician s home. The Office for Civil Rights investigated and the hospital was required to adopt a corrective action plan to address deficiencies in its HIPAA compliance program to include employee training. Total paid = $800K

9 8 Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. NACD Cyber-Risk Oversight Handbook

10 9 What Proactive Steps Can I Take To Protect Sensitive Information?

11 What Keeps CIOs Up at Night? 10 N=1587, Source: Ponemon Research, May 2014

12 What s The Most Common Type of Breach? 11 Breach Types 2007 through 2013 (4215 breaches)

13 Looking Inside Business Practices 12 RETENTION WHAT SENSITIVITY WHERE BUSINESS BUSINESS PROCESSES PROCESSESS

14 Looking Inside Business Practices 13 RETENTION WHAT SENSITIVITY RECORDS INVENTORY WHERE BUSINESS BUSINESS PROCESSES PROCESSESS

15 What Do You Have? 14 Accident/Incident Records Advertising Records Benefit Records Budget Records Contracts & Agreements Coupon Records Credit Approvals Customer Information Customer Orders Employee Medical Files Gift Card Functions Payment Records Sales Receipts

16 Where Is It?

17 What Are the Requirements? 16 BUSINESS NEEDS SENSITIVITY REQUIREMENTS Corporate Sensitive PII Customer Data Intellectual Property Bio Metric Patient Health Info. Personal Financial Sensitive EU DOL FSMA GLB HIPAA OSHA PCI SEC State Privacy Laws

18 17

19 18 How Can Cyber Insurance Provide a Risk Management Solution?

20 19 Evaluate loss prevention. Incident response plan. Breach resolution team.

21 When The Worst Happens The Role of Legal Counsel: Data Breach Coach Forensics PR Litigation Risk Identification and Management Risk Transfer Insurance Notification Litigation Enforcement

22 21 Final Thoughts

23 22 Rebecca Perry Jordan Lawrence Liz Wittenberg AIG Donna Wilson Manatt, Phelps & Phillips, LLP