Survivor s Guide to Data Breach

Transcription

1 Survivor s Guide to Data Breach Presented by Michael S.Taaffe, Esq. Shumaker, Loop & Kendrick, LLP Sarasota (941) Charlotte (704)

2 Shumaker Data Breach Team Sarasota, FL Michael S. Taaffe Douglas A. Cherry Scott A. LaPorta Jarrod J. Malone Charlotte, NC Jeffrey S. Bernard David H. Conaway Steven A. Meckler Joseph J. Santaniello

3 Note: These materials are for guidance and reference purposes only. They are of a general and informational nature and should not be construed or relied upon as legal advice. Businesses and individuals facing decisions regarding federal and state statutes, regulations, and the interpretation of the law should consult directly with an attorney. Shumaker, Loop & Kendrick, LLP (941)

4 2015 Top Targets, filtered by breaches

5 What is a Security or Data Breach? A security breach is defined as the unauthorized release of unencrypted or unredacted records or data containing personal information with corresponding names, such as a person s first initial and last name. The acquisition of encrypted data only is a breach if a confidential process or key needed to unlock the data is also breached. The authorized access of personal information by an employee or agent is not considered a security breach so long as the information is used for a lawful purpose.

6 What is Personal Information in North Carolina? Personal information includes: an individual s Social Security number (SSN), employer taxpayer identification number (TIN), driver s license or state identification number, passport number, checking/saving account number, credit/debit card number, PIN, digital signature, biometric data, fingerprints or any number that can be used to access his financial resources. An individual s name or address, Internet account number, Internet username or password may be considered a breach if it would permit someone to access financial accounts or resources. Personal information does not include directories available to the public.

7 How Do Data Breaches Occur? Hacking/malware Payment card fraud Unintended disclosure Lost or stolen electronic devices Physical loss Insider access

8 The Costs of Data Breaches IBM study covered: 61 U.S. companies across 16 industry sectors; Only breaches of 10,000 records or less were included; No mega breaches were included due to skewed (higher) costs; All suffered a loss of theft of customer PII that triggered data breach notification laws. Total average cost paid by organization increased from $5.4 million in 2013 to $5.9 million in Direct costs included forensic experts, customer credit monitoring and discounts on future products; Indirect costs included in-house investigations and communications, extrapolated value of customer loss, and diminished customer acquisition rates.

9 Who Must Notify of a Breach In North Carolina? A business, state or local government agency that owns or licenses records or data with personal information that has been subject to a security breach must notify. A business includes sole proprietorships, partnerships, corporations, associations, charities or any group, however organized. The business must be (1) located in North Carolina or (2) own/license the personal information (in any form) of North Carolina residents. Businesses that keep records/data with the personal information of North Carolina residents on behalf of another company must notify the owner or licensee of a security breach.

10 The Notice Must Include: General description of the security breach incident; Type of personal information breached; General description of your efforts to avoid further unauthorized access to personal information; Telephone number where people can call for more information and assistance, if one exists; and Advice for people who are affected.

11 North Carolina Security Breach Reporting Form

12 Private Data Breach Litigation Potential Causes of Action: Negligence or Negligent Misrepresentation (if more egregious facts or fraud); Violation of Uniform Deceptive Trade Practices Act statutes; Breach of Contract or Implied Covenant of Good Faith; or Invasion of Privacy. Plaintiffs counsel model is a nationwide putative class action Frequent nationwide class settlements on any remaining claims Coupon settlements. Many suits are limited (or eliminated) at the motion to dismiss stage due to inadequate Article III standing or lack of injury in fact (i.e. only harm is fear of identity theft)

13 Examples of Private Litigation Curry v. AvMed (S.D. Fla., 2014) 2009 data breach Two unencrypted laptops containing 1.2 million customers PII were stolen from a locked AvMed conference room Settled after 11 th Circuit overturned district court s dismissal for lack of cognizable injury $3 million to 460,000 class members (customers who paid premiums and were victims of the data breach) Class members who experienced identity theft could submit additional claims for reimbursement for related monetary costs ($750,000 class-wide max); $750,000 in attorney s fees (Motion to Dismiss, appeal, settlement, but no discovery); Rare cash settlement: $10 to each class member for each year of alleged premium overpayment. ($30 max);

14 Examples of Private Litigation, continued In re Sony Gaming Networks & Customer Data Breach Security Breach Litigation (MDL, S.D. Cal., 2014)* 2011 data breach into Sony s PlayStation and Sony Online Entertainment networks resulted in the theft of 77 million customers names, addresses and possibly credit card data. Sony suspended access to the hacked networks for over two weeks $15 Million Coupon Settlement Customers who took Welcome Back Package following suspended service will receive less in settlement; With proper documentation, class members can receive up to $2,500 in reimbursements for identity theft-related expenses; and Class members will receive online purchase credits and/or 1-3 months of free membership to certain Sony online gaming and music services. Up to $2.75 million in class counsels fees and expenses * Preliminary approval only

15 Hypothetical Scenarios 1. What are the most important steps to take to prepare for a cyber attack? 2. Your company has been the victim of a cyber attack, what steps should you take? 3. How should you notify customers/clients of a data breach?

16 Steps to Take Before an Attack Occurs (NOW)! A. Have an actionable plan tailored to your organization in place before an attack occurs. B. Assess the benefits of data breach insurance. C. Have appropriate technology and services in place before an attack occurs in order to prevent breaches and alert you to them. D. Make sure your legal counsel is ready and able to respond to an attack. E. Make sure to practice your plan prior to an attack, have a fire drill.

17 Steps to Take When an Attack Occurs A. Make an initial assessment. B. Contact outside counsel knowledgeable about responding to an attack. C. Implement your organizations specifically tailored data breach plan. D. Begin a forensic investigation to learn about the attack. E. Contact the proper authorities (local police, state police, FBI, secret service) using outside counsel to maintain attorney client privilege. F. Contact a PR firm through your outside counsel to maintain attorney client privilege.

18 Steps to Take When an Attack Occurs, continued G. Notify those affected by the breach (A requirement in most states). H. Notify state attorney generals (A requirement in many states). I. Notify credit reporting agencies (A requirement in most states).

19 The Value of Outside Counsel Attorney-client privilege protects communications Outside counsel can help navigate the legal landscape and ensure compliance with numerous laws that may apply to a data breach Outside counsel can ensure that processes are put into place to preserve materials that may be discoverable in litigation Time is of the essence! A team of experienced attorneys can mobilize quickly

20 Solutions Limitations on further disclosure Keep only what is necessary Confidentiality Breach notification requirements Information security requirements Cyber Insurance Use of subcontractors Aggressive and timely legal counsel

21 Questions? Thank you so much for attending!

22 Shumaker, Loop & Kendrick, LLP Michael S. Taaffe Esq. Shumaker, Loop & Kendrick, LLP 240 South Pineapple Avenue, 10 th Floor Sarasota, FL PH: Fax: