LEGAL AND REGULATORY RAMIFICATIONS OF A DATA BREACH

Transcription

1 LEGAL AND REGULATORY RAMIFICATIONS OF A DATA BREACH NLC- RISC STAFF CONFERNCE Octobegffgfdadadddffffdfddfadr NLC- RISC STAFF CONFERENCE October 22nd, 2013 Portland, Oregon Jim Prendergast Partner, Data Privacy Group Nelson Levine DeLuca & Hamilton

2 JIM PRENDERGAST NELSON LEVINE Jim s practice is focused on privacy and data security. He often represents insureds and corporate clients with breaches involving the Payment Card Industry (PCI) and with breaches involving HIPAA violations. Jim helps his clients succeed by bringing to every file the strategies and tactics learned over 20 years of trial and litigation experience. Jim tried numerous criminal cases as an assistant district attorney in the Philadelphia District Attorney's Office. He has tried complex liability matters to juries and judges. Jim has also represented clients in complex matters to mediators and he has tried serious criminal matters including first-degree murder.

3 DATA BREACH TRENDS Number of Incidents Source: Risk Based Security, Inc. February 2013 Data Breach QuickView Report

4 NETWORK SECURITY/DATA RISK DATA CREATES DUTIES What data do you collect, and why? Where is it? How well is it protected? Who can access it? When do you purge it? How do you purge it?

5 WHY THE CONCERN? Malicious Threats Still Prevalent: Stealth Hackers, Malware, Extortionist; Rogue contractors; Disgruntled IT Staffer Non-Malicious (more often): Staff mistakes (lost laptop) Marketing Mishap: innocent customer data leaks Vendor leak Network Operation & Sharing Trends: Points of failure are multiplied due to trends of outsourcing computing needs (CLOUD) Massive dependencies & data-sharing between organizations Where is YOUR data? A data breach: it s not a matter of if but when

6 WHY THE PROBLEM? THE INTERNET S OPEN NETWORK Many organizations will collect/ store/share VAST private data! More data often collected than needed Data often stored for too long (no records retention limits) Websites are very porous & need constant care (hardening & patching). IDS (detection) is very weak: no matter size many co s learn of breach too late or not at all! Bad buys still rely on the prevalence of human error Unchanged default settings Missing patches Wide open laptop Customer records improperly disposed Guessable access 95% of all network intrusions could be avoided by keeping systems up-todate (CERT)

7 COMMON WEAK SPOTS PROBLEM 1) IDS or Intrusion Detection Software (Bad guy alert system) Studies show that 70% of actual breach events are NOT detected by the victimcompany, but by 3 rd parties (and many more go undetected completely). FTC and plaintiff lawyers often cite failure to detect Vast Data: companies IDS can log millions events against their network each month False positives: 70% PROBLEM 2) Patch Management Challenges: All systems need constant care (patching) to keep bad guys out. Complexity of networking environments Lack of time: Gartner Group estimates that IT Managers spend an average of 2 hours per day managing patches. PROBLEM 3) Encryption (of private data) Problem spans all sizes & sectors. ITRC (Identity Theft Resource Center): Only 2.4% of all breaches had encryption Issues: Budgets, complexities and partner systems Key soft spots: Data at rest for database & laptops (lesser extent) Benefits: Safe harbor (usually)

8 STRATEGIES FOR RISK MANAGERS PLAN FOR THE LOSS CFO must understand that data / network security is NEVER 100%... 4 Legs of Traditional Risk Mgmt: Eliminate: e.g. patch known exploits, encrypt laptops etc Mitigate: e.g. dedicated security staff; policies; IDS/ IPS; etc Accept: e.g. partner SLAs, capabilities (trusting their assurances) Cede: residual risk via privacy risk insurance Wide-Angle Assess Safeguard Controls Surrounding: People: they seem to get it Proper security budget and vigilant about their job! Processes/ Policies: enterprise ISO27002, HITECH ready; employee education/ training; change management processes, breach response plan etc. Technology: proven IDS/IPS capabilities, DLP solutions, hardened & patched servers (tested), full encryption of PII.

9 ARE YOU AT RISK? ASK YOUR TEAM: Has your firm ever experienced a data breach or system attack event? Does your organization collect, store or transact any personal, financial or health data? Do you outsource any part of computer network operations to a third-party service provider? Do you allow outside contractors to manage your data or network in any way? Do you partner with entities and does this alliance involve the sharing or handling of data? Does your posted Privacy Policy align with your actual data management practices? Has your organization had a recent cyber risk assessment of security/ privacy practices to ensure that they are reasonable and prudent and measure up with your peers? Studies show % of execs admitted to a recent breach incident Your security is only as good as their practices and you are still responsible to your customers The contractor is often the responsible party for data breach events You may be liable for a future breach of your business partners If not you may be facing a deceptive trade practice allegation Doing nothing is a plaintiff lawyer s dream.

10 REGULATORY EXPOSURES State level breach notice: 46 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI. Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies Notice due without unreasonable delay Some states allow private right of action for violations

11 REGULATORY EXPOSURES OREGON Personal information includes first name/initial and last name in combination with: Social Security number, driver license/state ID card number, passport number, or financial account number/credit card number with code permitting access. First name/initial and last name not required if any of the data elements above would be sufficient to permit... identity theft. Notification to affected individuals must occur in the most expeditious time possible and without unreasonable delay.

12 EVOLVING EXPOSURES VERMONT Notice to affected individuals within 45 days of breach discovery Notice to VT AG within 14 days of breach discovery or affected individual notice (whichever is sooner) CONNECTICUT Notice to CT AG not later than time when notice provided to Connecticut residents MASSACHUSETTS Written information security plan for businesses storing MA resident personal information NEVADA Data collectors doing business in NV to comply with PCI-DSS CALIFORNIA TEXAS Notice to affected individuals pursuant to law of individual s state of residence or, if none, then pursuant to TX address and PW = pii

13 REGULATORY EXPOSURES HITECH ACT Extends HIPAA to business associates of HIPAA covered entities First national breach notification requirement > 500 HHS < 500 year end Permits state Attorneys General to enforce HIPAA Final Rule is law as of : Privacy and Security Rules now apply to Business Associates; Impermissible disclosure is now presumed to be a breach; Business Associates now directly liable to HHS

14 ANATOMY OF A BREACH RESPONSE FREEDOM OF INFORMATION Open access to public records can lead to inadvertent access to personally identifiable information Colorado municipality posts all permitting, licensing and land use applications online, accidently exposing thousands of SS#s and bank account information. New York municipality posts EMT employee benefits information exposing employees and their families PII. THE USUAL SUSPECTS Credit card information breaches (online or at municipality) Lost HR department laptops

15 ANATOMY OF A BREACH RESPONSE BREACH DISCOVERY EXPERTS Breach coach Forensics Public relations INVESTIGATION internal/forensic/criminal How did it happen When did it happen Is it still happening Who did it happen to What was accessed/acquired Encrypted/protected NOTICE OBLIGATIONS State Federal Other (i.e., PCI, FDIC, OCC) NOTICE METHODS Written Electronic Substitute Media DEADLINES Can be from 48 hours to without unreasonable delay INQUIRIES State regulators (i.e. AG, PD) Federal regulators (i.e. OCR) Federal agencies (i.e. SEC, FTC) Consumer reporting agencies LITIGATION Subrogation Class action

16 BREACH COSTS Forensics vendor Notification vendor Call centers PR vendor ID theft insurance Credit monitoring ID restoration Attorney oversight PLANNING AND DATA MANAGEMENT REGULATOR/COMPLIANCE COST Breach planning (Mass.) ID Theft monitoring (red flags) PCI DSS (Nevada and merchants) HIPAA

17 LITIGATION TRENDS SINGLE PLAINTIFF Identity theft Privacy GOVERNMENT ACTION Attorney General (Goldthwait, South Shore, Accretiv, Health Net) FTC (Choice Point, American United Mortgage) HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS) BANKS Cost of replacing credit cards Reimbursement of fraudulent charges Business interruption CLASS ACTION Failure to protect data Failure to properly notify Failure to mitigate NO VERDICTS... YET

18 DEFENSE ERODING Stollenwerk v. Tri West assert actual identity theft Krottner v. Starbucks Corp. increased risk of identity theft constitutes an injury-in-fact Anderson v. Hannaford alleged fraud in population and money spent in mitigation efforts sufficient (instead of time/effort) ITERA (Identity Theft Enforcement and Restitution Act) pay an amount equal to the value of the time reasonably spent In re Hannaford Bros. Data Security Breach Litigation does time equal money? No. But if there is fraud, credit monitoring damages may be due. ChoicePoint Data Breach Settlement FTC paid for time they may have spent monitoring their credit or taking other steps in response

19 COSTS LITIGATION Breach guidance Investigation Notification e-discovery Litigation prep Contractual review Defense (MDL?) PLAINTIFF DEMANDS Fraud reimbursement Credit card replacement Credit monitoring/ repair/ insurance Civil fines/ penalties Statutory damages (CMIA) Time

20 Empowered Senior Executive Talk to your IT Security folks. Gain an appreciation of the many challenges Not many Firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where does all this data reside; when is it purged? Assess & test your own staff and operations Document your due care measures Insurance WHAT CAN BE DONE? PROACTIVE RISK MANAGER STEPS Red Flags, data security and breach response plans affirmative duties

21 Thank you! Jim Prendergast Partner, Data Privacy Group Nelson Levine de Luca & Hamilton