Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission
June 25, 2015
Your Panelists
- Kenneth L. Chernof, Partner, Litigation, Arnold & Porter LLP
- Nicholas L. Townsend, Counsel, National and Homeland Security, Arnold & Porter LLP
- Troy M. Pearsall, Chief Information Officer, In-Q-Tel, Inc.
- Bill Karazsia, Assistant General Counsel and Chief Privacy Officer, National Student Clearinghouse
The Threat
Recently published statistics:
- 79,790 data security incidents in 2014
- 2,133 confirmed data breaches
- In 60 per cent of cases, attackers are able to compromise an organization within minutes.
Source: Verizon, 2015 Data Breach Investigations Report
- High profile examples
- Nonprofits equally vulnerable
Agenda
I. Data Privacy & Security
II. Regulatory Landscape
III. Being Prepared
IV. Responding to a Breach
DATA PRIVACY: Building Awareness & Distinctions
- Privacy & Information Security
- Domain Awareness & Role Differentiation
- The Law and Ethics of Big Data
- Effect of Acquisition Models on Influence
Data Privacy & Information Security
- What does each mean to you (now/after)?
- Where are the boundaries?
- Who holds the expertise?
Privacy Professional's View of Data Privacy and InfoSec

  Data Privacy      | InfoSec
  ------------------+-----------------
  Notice            | Confidentiality
  Consent           | Availability
  Choice            | Integrity
  Access            |
  Use               |

*IAPP Architecture
Influence across Acquisition Models
- Outright Owner
- Licensee
- Lessee
- Agent
Regulatory Standards
- State Law
- Federal Trade Commission
- PCI Standards
- NIST Cybersecurity Framework
- Other Requirements
  - HIPAA
  - Government Contractors
  - Grantees
  - Contractual
- Pending Federal Legislation
State Laws
- Patchwork quilt
- Focus on location of business, breach, and/or individual or entity whose data is compromised
- Some substantive privacy requirements
- Notification requirements
- AG or other regulatory involvement
FTC Enforcement Authority
- Broad authority under Sec. 5(a) of the FTC Act
- The FTC has the authority to take enforcement action against unfair and deceptive acts in the commercial marketplace
- The FTC has asserted violations of numerous statutes in its data security enforcement actions, including the GLBA and FCRA
- Over 60 data security enforcement actions over the past 12 years, affecting nearly all sectors of the economy
Note: Pending challenges to FTC authority
Pending Federal Legislation
- Cyber Threat and Prevention Information-Sharing
  - House passed two different bills in April 2015
  - Senate bill pending for committee and floor action
  - Anticipated enactment of compromise measure
- Data Security and Breach Notification Standards
  - Standards for data protection
  - Requirements for breach notification
  - Preemption of varying state laws
PCI Standards
1. Build & Maintain Secure Network
   - Firewalls
   - Passwords (do not use defaults)
2. Protect Cardholder Data
   - Protect stored data
   - Encrypt transmissions
3. Maintain a Vulnerability Management Program
   - Anti-virus software
   - Maintain secure systems/applications
4. Implement Strong Access Controls
   - Need-to-Know
   - Unique IDs
   - Restrict Physical Access
5. Regularly Monitor and Test Networks
   - Track and monitor all access
   - Regularly test systems and processes
6. Maintain an Information Security Policy
NIST Cybersecurity Framework
Executive Order 13636 directed NIST to work with stakeholders to develop a voluntary cybersecurity framework for critical infrastructure.
1. Framework Core Functions: Identify, Protect, Detect, Respond, Recover
2. Implementation Tiers: Companies select an appropriate cybersecurity posture, from Partial and reactive (Tier 1) to Adaptive and risk-informed (Tier 4)
3. Profile: The outcomes selected based on business needs can be used to perform self-assessments and to set goals
Incident Readiness: Being Prepared
Fundamental Steps for Preparedness
- Identify areas of risk
- Implement safeguards
  - State-of-the-art firewalls
  - IT security
  - Physical security
- Adopt prudent vendor management and contracting practices
- Establish written policies and procedures
- Conduct training for employees and agents
- Designate Security Officer
- Obtain insurance coverage
Governance and Compliance Structure
- Board Committee Oversight
  - Committee Charter
  - Resolutions
  - Approval of Policies
  - Designation of Officers
  - Periodic Report and Review
- Officer Responsibilities
  - Line, compliance, technology, risk management, and audit
- Organization Chart / Map
  - People, business units, systems, vendors, functions
External Team and Resources
Identify/retain in advance:
- Outside legal counsel
- Forensic consultants
- Public relations firms
- Credit monitoring service providers
Responding to a Breach
Initial Concerns
- Veracity of allegation
- Possible extortion
- Reputational exposure
- Civil/criminal exposure
- How to investigate?
Investigation Options
- Contact police
- Notify FBI
- Interview company employees
- Engage private investigator
- Engage (through legal counsel) forensic vendor
Strategic Considerations
- Actions by legal department v. security department
- Role of outside counsel
  - Independence
  - Expertise
  - Privilege
- Forensic vendors
  - Privilege issues
- Internal investigations v. external investigation
  - Upjohn warning
- Civil lawsuit tools to further investigation
  - Theft; Intrusion (18 U.S.C. 1030); Lanham Act
Contacting Law Enforcement: Benefits
Using criminal law as a weapon against wrongdoers:
- Grand jury subpoenas and search warrants
- Arrest and conviction
- Restitution (damages)
  - Mandatory in some cases (18 U.S.C. 3663A)
  - May get investigation costs (including legal fees)
Contacting Law Enforcement: Downsides
- Lose control of litigation
  - Can't change the prosecutor's mind
  - Prosecutor's timing may interfere with your needs
- The Oscar Wilde problem
- Unanticipated exposure
  - Corporate criminal exposure
  - Employee's actions are attributed to corporation
  - FCPA
  - Corporate espionage
Victim Notification
- Federal agency requirements
- Different state requirements (various standards)
  - Application to out-of-state entities
  - Personal information definition
  - Breach definition
  - Consideration of harm
  - Timing for notices
  - Form and content of notices
- SEC disclosure statement
Offering Credit Monitoring to Victims
Pros:
- Mitigate damages
- Mitigate reputational harm
Cons:
- Expense
- Admission of fault?
Media Exposure
- Preempt adverse reports
- Get your own message out first
- Monitor all communication channels (Twitter, Facebook, etc.)
- Use experienced PR consultants
  - Don't try to master the media on your own
- Consult with legal counsel regarding all press statements
Managing Litigation Risk
- Plan for litigation at outset
- Keep it in mind in everything you do
  - Press releases
  - Investigation
  - Remediation
  - Communications with government, customers, employees
- A good preventative plan is not only a way to avoid a breach, but is also a great defense
Kenneth L. Chernof, Partner, Arnold & Porter LLP
kenneth.chernof@aporter.com / +1 202.942.5940
Ken Chernof is chair of the firm's Business Litigation practice. He focuses his practice on complex commercial, antitrust, and IP litigation. His practice is centered on defending leading business clients, particularly consumer products or services corporations, in multistate class actions and government litigation and investigations, and he applies a "bring order out of chaos" approach to each matter by devising creative litigation and nonlitigation strategies. He has particular experience advising clients on the potential impact of civil litigation resulting from data breaches and mitigating associated risks, and in defending class action data breach litigation.

Nicholas L. Townsend, Counsel, Arnold & Porter LLP
nicholas.townsend@aporter.com / +1 202.942.5249
Nicholas Townsend is Counsel in the firm's National Security and Public Policy practices. His national security work focuses on cybersecurity, US export controls and trade sanctions, biodefense, and information sharing within the intelligence community and more broadly across the government and the private sector. Mr. Townsend's privacy work includes drafting privacy policies governing companies' collection and use of customer data. He also advises clients on data breaches, including customer notice requirements and government inquiries regarding such breaches.
Troy M. Pearsall, Chief Information Officer, In-Q-Tel
tpearsall@iqt.org / +1 703.248.3063
Troy Pearsall serves as Chief Information Officer of In-Q-Tel (IQT), the independent, non-profit, strategic investor for the CIA and the U.S. Intelligence Community. He also serves on the board of directors of Product Lab, LLC, a company incubator. Before assuming the CIO role, Pearsall led Big Data and Open Source initiatives at IQT. Prior to his Big Data role, Pearsall served as Executive Vice President of Architecture & Engineering at IQT, where he oversaw IQT's investment strategy, technology assessments and selection process, and client support functions. Before assuming the role of Executive Vice President of Architecture & Engineering, Pearsall served as a Visionary Solutions Architect on IQT's technical team, championing investments in the areas of information visualization and visual analytics.

Bill Karazsia, Assistant General Counsel & Chief Privacy Officer, National Student Clearinghouse
karazsia@studentclearinghouse.org / +1 703.742.4847
Bill Karazsia is Assistant General Counsel and Chief Privacy Officer at National Student Clearinghouse, a nonprofit organization that serves the higher education community by facilitating the exchange of student information. Bill's main customers at the Clearinghouse are responsible for the organization's revenue-generating lines of business. His portfolio includes strategic transactions, commercial contracts, information privacy, and corporate governance. Ten years ago Bill earned a JD from the Georgetown University Law Center, and later this year he will graduate with an MBA from the global executive program at Bocconi University, a specialized business and finance university in Milan, Italy. He has held the Certified Information Privacy Professional credential for the US since 2013 and this year earned the European credential.