Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015
Overview
- The Legal Risks and Issues / The Role of Legal Counsel: The Breach Coach
- The Slippery Slope of Data: Where Are the Vulnerabilities?
- Why Do Hackers Want Data? Because That's Where the Money Is...
- Information Governance: What Do You Have and How Do You Protect It?
- Risk Mitigation and Insurance
- Pulling It All Together
- When the Worst Happens: The Data Breach Response
The Legal Framework
- Pre-Breach Risk Management: statutory and contractual requirements, best practices
- The Post-Breach Legal Landscape
- Consumer and Employee Class Actions
- B2B Litigation
- Regulatory Investigations, Enforcement Actions, and Penalties
- The Role of Legal Counsel
Risk Management, Privacy and Data Security
Website Review and Audit
- Privacy Policy Gap Analysis
- Geolocation and Consumer Information Collection Advice
- Review of Digital Media Policies
- Review for COPPA, VPPA, HIPAA/HITECH
- Privacy Review of Mobile Apps
Data Security Compliance and Counseling
- Privacy and network security policy development and review
- Incident response
- Gap analysis and audit review of policies and practices
- Legal advice on compliance with HIPAA/HITECH
Litigation Defense, Insurance Coverage, Crisis Management
- Litigation Avoidance
- Class Action Defense
- Coverage Defense
- Analysis of applicable notice obligations
Risk Management / Information Governance
- Coordination of Privacy and Data Security Policies
- Compliance with state and federal regulations
- Advice on policy development and implementation
- Advice on Board recommendations
- Federal cyberrisk business development
- Advocacy and public policy
Contact: Donna L. Wilson, DLWilson@manatt.com, 310.312.4144 (P&DS Webpage)
Information Security & Privacy Exposures
Privacy Exposure
- Wrongful Use
- Wrongful Collection
- Physical Theft of Sensitive Info
- Electronic Accidental Disclosure
- Non-Electronic Accidental Disclosure
Information Security Exposure
- Cyber Attacks
Cyber Breaches
75% of breaches reported were due to human error/negligence.
Mobile Device Breach: Laptop thefts at two healthcare organizations led to an investigation by the Office for Civil Rights. It was discovered that not all devices containing PHI were encrypted. It was also discovered that one of the organizations had failed to comply with numerous HIPAA requirements for several years. Both organizations were required to pay a monetary settlement and to implement a corrective action plan that included providing status updates to HHS. Total paid = $2M
Cyber Breaches (cont'd)
Hacking Breach: A cyber terrorist group hacked into a company's network, accessing over 100 million customer accounts, including customer usernames and passwords, credit card numbers and expiration dates. Sixty-five suits were filed in the United States. There were also federal investigations, state investigations, and international investigations. Total paid = expected to be over $150M
Cyber Breaches (cont'd)
Paper Breach: Over 5,000 medical records were left unattended on the driveway of a physician's home. The Office for Civil Rights investigated, and the hospital was required to adopt a corrective action plan to address deficiencies in its HIPAA compliance program, including employee training. Total paid = $800K
"Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue." (NACD Cyber-Risk Oversight Handbook)
What Proactive Steps Can I Take to Protect Sensitive Information?
What Keeps CIOs Up at Night? (chart; N=1587; Source: Ponemon Research, May 2014)
What's the Most Common Type of Breach? (chart: Breach Types 2007 through 2013, 4215 breaches)
Looking Inside Business Practices (diagram: What, Where, Retention, Sensitivity, Business Processes)
Looking Inside Business Practices (diagram: What, Where, Retention, Sensitivity, Business Processes, Records Inventory)
What Do You Have?
- Accident/Incident Records
- Advertising Records
- Benefit Records
- Budget Records
- Contracts & Agreements
- Coupon Records
- Credit Approvals
- Customer Information
- Customer Orders
- Employee Medical Files
- Gift Card Functions
- Payment Records
- Sales Receipts
Where Is It? (figure: binary data graphic)
What Are the Requirements? (diagram: Business Needs, Sensitivity, Requirements)
Sensitivity: Corporate Sensitive, PII, Customer Data, Intellectual Property, Biometric, Patient Health Info., Personal Financial Sensitive
Requirements: EU, DOL, FSMA, GLB, HIPAA, OSHA, PCI, SEC, State Privacy Laws
How Can Cyber Insurance Provide a Risk Management Solution?
- Evaluate loss prevention.
- Incident response plan.
- Breach resolution team.
When the Worst Happens...
The Role of Legal Counsel: Data Breach Coach
- Forensics
- PR
- Litigation
- Risk Identification and Management
- Risk Transfer
- Insurance
- Notification
- Litigation
- Enforcement
Final Thoughts
Rebecca Perry, Jordan Lawrence, rperry@jordanlawrence.com
Liz Wittenberg, AIG, Liz.Wittenberg@aig.com
Donna Wilson, Manatt, Phelps & Phillips, LLP, DLWilson@manatt.com