Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048



Setting expectations: Are you susceptible to a data breach?


Setting expectations: Victim / Perpetrator

It's only a matter of time


It's only a matter of time (October 28, 2014)

It's only a matter of time: Cyber Espionage, Cyber Activism, Cyber Crime

Breach trends, 2005 to today
- Financial Institutions
- Retail (brick-and-mortar and e-commerce)
- Healthcare
- Higher Education
- Governmental Entities
- Defense and Aerospace Technology
- Energy/Utilities
- All employers

Emerging risks (June 27, 2012)

Emerging risks (October 16, 2014)

It's only a matter of time. Breach types, 2007 through 2013 (4,215 breaches): insider theft, hacking, accidental exposure or negligence, subcontractor (chart shares as extracted: 14%, 17%, 42%, 27%)

Re-setting expectations. Average cost to respond to a data breach? $5.4 million ($201 per record). Target Corp.'s cost so far: $236 million and more than 100 lawsuits. Analyst: cost will exceed $1 billion.


Part I: Cybersecurity and data breach law*

*The least entertaining part of the presentation.

Cybersecurity and data breach law: the FTC, SEC, FCC, and NY; other federal statutes; states

The FTC: "The FTC conducts its data security investigations to determine whether a company's data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission's 50 settlements with businesses that it charged with failing to provide reasonable protections for consumers' personal information have halted harmful data security practices; required companies to accord strong protections for consumer data; and raised awareness about the risks to data, the need for reasonable and appropriate security, and the types of security failures that raise concerns." Edith Ramirez, FTC Chairwoman, Congressional testimony (April 2, 2014)

The FTC. Example: What did TJX do wrong?
- Failed to implement measures to limit wireless access to its stores, allowing a hacker to connect wirelessly to its networks without authorization
- Did not require administrators to use strong passwords
- Failed to use a firewall or otherwise limit access to the internet on networks processing cardholder data
- Lacked procedures to detect and prevent unauthorized access, such as by updating antivirus software and responding to security warnings and intrusion alerts

The SEC: "Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's risk oversight responsibilities. In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril." Luis Aguilar, SEC Commissioner, speech given at NYSE on June 10, 2014

The SEC. An SEC comment: "We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the certain other coverage that may reduce your exposure to Data Breach losses." (Target Form 10-K, March 2014)

The SEC. Another SEC comment: "Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary. If you have experienced any cyber attacks in the past, please state that fact in any additional risk factor disclosure in order to provide the proper context. Please refer to the Division of Corporation Finance's Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidancetopic2.htm for additional information." (Hilton Worldwide Holdings, Inc. S-1, October 2013)

The SEC. One more SEC comment: "We note your disclosure that an unauthorized party was able to gain access to your computer network in a prior fiscal year. So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage." (Alion Science and Technology Corp. S-1 filing, March 2014)

The FCC. After levying a $10 million fine against two telecom companies for storing personally identifiable customer data online without firewalls, encryption, or password protection: "This is unacceptable. This is the first data security enforcement action [by the FCC], but it will not be the last." Travis LeBlanc, FCC's top enforcement official (October 28, 2014)


Other federal statutes
- HITECH (medical information)
- HIPAA (medical information)
- GLBA (financial institutions)
- FTCA (Federal Trade Commission Act)
- FERPA (educational records)
- FCRA (consumer reporting agencies)
- COPPA (children's information)


States. There are 47 different state laws with different requirements, different definitions of whether notifications need to occur, and different timings for notifications.
- Some require harm to occur to trigger notification
- Some require notice to their attorneys general or agencies (some are before notice is sent to consumers, some are after)
- Some have a specific time frame
- Some permit a private right of action
- Some have different provisions for third parties that hold data
FUN FACT! How much of what you do crosses state lines?

Washington state (HB 1078, effective July 24, 2015). Among other provisions:
- Expands coverage to hard copy data
- Requires notification to the Washington Attorney General if more than 500 Washington residents must be notified
- Imposes a 45-day deadline for notification of affected consumers and/or the Washington Attorney General
- Empowers the Washington Attorney General to enforce the statute by bringing actions under the state's consumer protection act
- Mandates certain content in the consumer notification
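The per-state dimensions the last two slides list (harm trigger, attorney-general notice, fixed deadline) are what a response team has to resolve against the clock once a breach is discovered. As an added example that is not part of the original presentation, the Python below turns a discovery date and per-state counts of affected residents into a deadline-ordered notification worklist. Only the Washington values (attorney-general notice above 500 residents, 45-day deadline) come from the slides; the "XX" and "YY" rules, the "ZZ" state in the sample, and all function names are constructed for illustration and are not real statutory requirements.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NotificationRule:
    """One state's breach-notification parameters, reduced to the dimensions the slides list."""
    state: str
    ag_threshold: Optional[int]   # notify the state AG if more than this many residents are notified; None = no AG rule
    deadline_days: Optional[int]  # fixed deadline in days from discovery of breach; None = no fixed deadline
    requires_harm: bool           # True if notification is triggered only when harm is likely


# Washington HB 1078 as summarized on the slide: AG notice above 500 residents, 45-day deadline,
# no harm trigger mentioned.
WASHINGTON = NotificationRule("WA", ag_threshold=500, deadline_days=45, requires_harm=False)

# Constructed placeholder rules for two hypothetical states ("XX" and "YY"). The values are
# invented to exercise the other branches and are not real statutory requirements.
RULES: Dict[str, NotificationRule] = {
    "WA": WASHINGTON,
    "XX": NotificationRule("XX", ag_threshold=None, deadline_days=None, requires_harm=True),
    "YY": NotificationRule("YY", ag_threshold=1000, deadline_days=30, requires_harm=False),
}


@dataclass(frozen=True)
class Obligation:
    state: str
    notify_consumers: bool
    notify_attorney_general: bool
    deadline: Optional[date]
    note: str


def obligations(discovered: date, residents: Dict[str, int], harm_likely: bool,
                rules: Dict[str, NotificationRule] = RULES) -> List[Obligation]:
    """Build a deadline-ordered worklist from a discovery date and per-state affected-resident counts.

    States with no loaded rule are flagged rather than silently skipped, since the slides' point is
    that every state the data crosses into may carry its own obligation.
    """
    result: List[Obligation] = []
    for state, count in residents.items():
        if count <= 0:
            continue
        rule = rules.get(state)
        if rule is None:
            result.append(Obligation(state, False, False, None, "no rule loaded; check statute"))
            continue
        if rule.requires_harm and not harm_likely:
            result.append(Obligation(state, False, False, None, "harm trigger not met"))
            continue
        deadline = discovered + timedelta(days=rule.deadline_days) if rule.deadline_days is not None else None
        notify_ag = rule.ag_threshold is not None and count > rule.ag_threshold
        note = "fixed deadline" if deadline is not None else "no fixed deadline"
        result.append(Obligation(state, True, notify_ag, deadline, note))
    # Earliest fixed deadlines first; open-ended and flagged entries last, in state order.
    result.sort(key=lambda o: (o.deadline is None, o.deadline or date.max, o.state))
    return result


def worklist(discovered_iso: str, residents: Dict[str, int], harm_likely: bool) -> List[Obligation]:
    """Convenience wrapper taking the discovery date as an ISO string (e.g. "2015-08-01")."""
    return obligations(date.fromisoformat(discovered_iso), residents, harm_likely)


def earliest_deadline(obs: List[Obligation]) -> Optional[date]:
    """The first fixed deadline in the worklist, or None if no state imposes one."""
    dated = [o.deadline for o in obs if o.deadline is not None]
    return min(dated) if dated else None


if __name__ == "__main__":
    # Constructed sample breach: discovered 2015-08-01, affecting residents of four states.
    for o in worklist("2015-08-01", {"WA": 600, "XX": 10, "YY": 5, "ZZ": 3}, harm_likely=False):
        print(o)
```

The threshold comparison is strict (`count > 500`), matching the slide's "more than 500 Washington residents"; an exactly-500 case produces consumer notice without attorney-general notice. Because the deadline is computed from the discovery date rather than the date of the intrusion, the worklist also makes concrete the later slide's point that the clock starts at discovery of breach.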

Part II: What you should do right now*

*Well, not right now. But right after this presentation!

Get the Boards on... err, board.
- Ensure the company's focus on cybersecurity
- Provide oversight of the risk management process
- Identify and empower their experts
- Include cybersecurity as a regular Board agenda item

Create an information security plan. Why?
- Minimize employee-related breaches
- Reduce overall exposure
- Reductions for CISO, information security program, strong security
- Legally important
- Increase customer trust and company reputation
- Don't be a [image] or a [image]

Create an information security plan. In November 2005, Jason Spaltro, executive director of information at Sony Pictures Entertainment, [said]: "There are decisions that have to be made. We're trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions. Legislative requirements are mandatory, but going the extra step is a business decision." "Your Guide to Good-Enough Compliance," CIO Magazine, April 6, 2007

Create an information security plan
- Designate a lead
- Conduct a systems assessment
- Implement a security program (include visual hacking measures)
- Policies and training (Thanks, Sony!)
- Consider cyber insurance
- Review third party contracts
- Create and implement a crisis response plan and team
- Whistleblowers

Insurance (October 12, 2014)


Create a crisis response team
- Identify the key constituents
- Recognize their motivations
- Identify and empower the decision-maker

Part III: I've been breached (and I can't get up)

Crisis response. Feel free to take all the time you need!... yeah. Just kidding. Clock starts ticking from DOB (discovery of breach**)

**Nobody else knows what this means, either.

Crisis response. What did Part II give you?
- Faster reaction time
- More thorough reaction
- Ability to minimize risk and damage
Without Part II...

Crisis response
- Coordinate first-response team (IT, HR, legal, PR, and business)
- Investigate, isolate, contain, and secure
  - Retain forensic investigator
  - Interview witnesses
  - Preserve documents and systems
  - Identify what was compromised
  - Document everything
- Notify (federal, state, international, individual, media, and other)
  - Federal, state, international
  - Individuals
  - Insurers and credit card companies (PFI!)
  - Media
  - Employees
- Consider referral to law enforcement and/or civil remedy (e.g., 18 U.S.C. § 1030)
- Re-evaluate


The end.

Contact Information: Shamoil T. Shipchandler, Partner, Bracewell & Giuliani LLP, 214.758.1048, shamoil.shipchandler@bgllp.com