LEGAL AND REGULATORY RAMIFICATIONS OF A DATA BREACH


NLC-RISC STAFF CONFERENCE, October 22nd, 2013, Portland, Oregon
Jim Prendergast, Partner, Data Privacy Group, Nelson Levine DeLuca & Hamilton

JIM PRENDERGAST, NELSON LEVINE
Jim's practice is focused on privacy and data security. He often represents insureds and corporate clients with breaches involving the Payment Card Industry (PCI) and with breaches involving HIPAA violations. Jim helps his clients succeed by bringing to every file the strategies and tactics learned over 20 years of trial and litigation experience. Jim tried numerous criminal cases as an assistant district attorney in the Philadelphia District Attorney's Office. He has tried complex liability matters to juries and judges. Jim has also represented clients in complex matters before mediators, and he has tried serious criminal matters including first-degree murder.

DATA BREACH TRENDS
[Chart: number of incidents per year, 2008 through 2012; bar values as extracted: 2644, 1103, 777, 947, 1217.]
Source: Risk Based Security, Inc., February 2013 Data Breach QuickView Report

NETWORK SECURITY/DATA RISK: DATA CREATES DUTIES
- What data do you collect, and why?
- Where is it?
- How well is it protected?
- Who can access it?
- When do you purge it?
- How do you purge it?

WHY THE CONCERN?
- Malicious threats still prevalent: stealth hackers, malware, extortionists; rogue contractors; disgruntled IT staffer.
- Non-malicious (more often): staff mistakes (lost laptop); marketing mishap (innocent customer data leaks); vendor leak.
- Network operation and sharing trends: points of failure are multiplied due to the trend of outsourcing computing needs (cloud); massive dependencies and data-sharing between organizations. Where is YOUR data?
A data breach: it's not a matter of if but when.

WHY THE PROBLEM? THE INTERNET'S OPEN NETWORK
- Many organizations collect/store/share VAST amounts of private data! More data is often collected than needed, and data is often stored for too long (no records retention limits).
- Websites are very porous and need constant care (hardening and patching).
- IDS (detection) is very weak: no matter the size, many companies learn of a breach too late or not at all!
- Bad guys still rely on the prevalence of human error: unchanged default settings; missing patches; wide-open laptop; customer records improperly disposed of; guessable access.
- 95% of all network intrusions could be avoided by keeping systems up-to-date (CERT).

COMMON WEAK SPOTS
PROBLEM 1) IDS, or Intrusion Detection Software (the "bad guy alert system")
- Studies show that 70% of actual breach events are NOT detected by the victim company but by 3rd parties (and many more go undetected completely).
- FTC and plaintiff lawyers often cite failure to detect.
- Vast data: a company's IDS can log millions of events against its network each month.
- False positives: 70%.
PROBLEM 2) Patch Management
- Challenge: all systems need constant care (patching) to keep bad guys out.
- Complexity of networking environments.
- Lack of time: Gartner Group estimates that IT managers spend an average of 2 hours per day managing patches.
PROBLEM 3) Encryption (of private data)
- The problem spans all sizes and sectors. ITRC (Identity Theft Resource Center): only 2.4% of all breaches involved encrypted data.
- Issues: budgets, complexities and partner systems.
- Key soft spots: data at rest in databases and, to a lesser extent, on laptops.
- Benefit: safe harbor (usually).

STRATEGIES FOR RISK MANAGERS
PLAN FOR THE LOSS: the CFO must understand that data/network security is NEVER 100%...
4 legs of traditional risk management:
- Eliminate: e.g. patch known exploits, encrypt laptops, etc.
- Mitigate: e.g. dedicated security staff; policies; IDS/IPS; etc.
- Accept: e.g. partner SLAs, capabilities (trusting their assurances)
- Cede: residual risk via privacy risk insurance
Wide-angle assessment of the safeguard controls surrounding:
- People: they seem to "get it", have a proper security budget and are vigilant about their job!
- Processes/policies: enterprise ISO 27002, HITECH ready; employee education/training; change management processes, breach response plan, etc.
- Technology: proven IDS/IPS capabilities, DLP solutions, hardened and patched servers (tested), full encryption of PII.

ARE YOU AT RISK? ASK YOUR TEAM:
- Has your firm ever experienced a data breach or system attack event?
- Does your organization collect, store or transact any personal, financial or health data?
- Do you outsource any part of computer network operations to a third-party service provider?
- Do you allow outside contractors to manage your data or network in any way?
- Do you partner with entities, and does this alliance involve the sharing or handling of data?
- Does your posted Privacy Policy align with your actual data management practices?
- Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
Notes on the above:
- Studies show 80-100% of execs admitted to a recent breach incident.
- Your security is only as good as their practices, and you are still responsible to your customers.
- The contractor is often the responsible party for data breach events.
- You may be liable for a future breach of your business partners.
- If not, you may be facing a deceptive trade practice allegation.
- Doing nothing is a plaintiff lawyer's dream.

REGULATORY EXPOSURES
State-level breach notice: 46 states (plus Puerto Rico, Washington D.C. and the Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
- Require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information.
- Many require notification of the state attorney general, state consumer protection agencies and credit monitoring agencies.
- Notice is due "without unreasonable delay".
- Some states allow a private right of action for violations.

REGULATORY EXPOSURES: OREGON
- Personal information includes first name/initial and last name in combination with: Social Security number, driver license/state ID card number, passport number, or financial account number/credit card number with a code permitting access.
- First name/initial and last name are not required if any of the data elements above would be sufficient to permit... identity theft.
- Notification to affected individuals must occur "in the most expeditious time possible and without unreasonable delay".

EVOLVING EXPOSURES
VERMONT
- Notice to affected individuals within 45 days of breach discovery
- Notice to VT AG within 14 days of breach discovery or of affected-individual notice (whichever is sooner)
CONNECTICUT
- Notice to CT AG not later than the time when notice is provided to Connecticut residents
MASSACHUSETTS
- Written information security plan for businesses storing MA resident personal information
NEVADA
- Data collectors doing business in NV must comply with PCI-DSS
CALIFORNIA
- Email address and password = PII
TEXAS
- Notice to affected individuals pursuant to the law of the individual's state of residence or, if none, then pursuant to TX law
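As an added example (not part of the talk), a small Python helper that encodes the notice clocks exactly as the slides above state them: Vermont's 45-day individual and 14-day AG deadlines with the "whichever is sooner" rule, Connecticut's AG timing tied to resident notice, the encrypted-data safe harbor from the state-statute slide, and the general "without unreasonable delay" standard for the other states. The Incident fields and the treatment of Texas's residency rule as "apply each resident's own state" are assumptions; the statutes themselves carry more detail than the slide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple, Union

Deadline = Union[date, str]
Key = Tuple[str, str]  # (state, party to be notified)

@dataclass
class Incident:
    discovered: date                          # date the breach was discovered
    resident_states: frozenset                # states of residence of affected people
    encrypted: bool                           # exposed data was encrypted (safe harbor)
    individual_notice: Optional[date] = None  # planned/actual individual-notice date

def notice_obligations(inc: Incident) -> Dict[Key, Deadline]:
    """Map (state, party) -> deadline, following only the rules the slides list."""
    obligations: Dict[Key, Deadline] = {}
    if inc.encrypted:
        # The state statutes on the slide cover *unencrypted* computerized PII.
        return obligations
    for st in sorted(inc.resident_states):
        if st == "VT":
            obligations[("VT", "individuals")] = inc.discovered + timedelta(days=45)
            ag = inc.discovered + timedelta(days=14)
            if inc.individual_notice is not None:
                ag = min(ag, inc.individual_notice)  # whichever is sooner
            obligations[("VT", "AG")] = ag
        elif st == "CT":
            obligations[("CT", "individuals")] = "without unreasonable delay"
            # AG notice may not come later than notice to CT residents.
            obligations[("CT", "AG")] = (inc.individual_notice
                                         or "no later than resident notice")
        else:
            # TX defers to the resident's own state (assumption: that is what
            # iterating over resident_states already does); the remaining states
            # on the slides use the general standard.
            obligations[(st, "individuals")] = "without unreasonable delay"
    return obligations

def overdue(obligations: Dict[Key, Deadline], today: date) -> List[Key]:
    """Dated obligations whose deadline has already passed as of `today`."""
    return sorted(k for k, v in obligations.items()
                  if isinstance(v, date) and v < today)

if __name__ == "__main__":
    # Constructed incident: discovered on the conference date, VT/CT/OR residents.
    inc = Incident(date(2013, 10, 22), frozenset({"VT", "CT", "OR"}), False,
                   individual_notice=date(2013, 11, 1))
    for key, when in notice_obligations(inc).items():
        print(key, when)
```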

REGULATORY EXPOSURES: HITECH ACT
- Extends HIPAA to business associates of HIPAA covered entities
- First national breach notification requirement: > 500 individuals, notice to HHS; < 500, report at year end
- Permits state Attorneys General to enforce HIPAA
- Final Rule is law as of 9-23-13: Privacy and Security Rules now apply to Business Associates; impermissible disclosure is now presumed to be a breach; Business Associates are now directly liable to HHS

ANATOMY OF A BREACH RESPONSE
FREEDOM OF INFORMATION
- Open access to public records can lead to inadvertent access to personally identifiable information.
- A Colorado municipality posts all permitting, licensing and land use applications online, accidentally exposing thousands of SS#s and bank account information.
- A New York municipality posts EMT employee benefits information, exposing employees' and their families' PII.
THE USUAL SUSPECTS
- Credit card information breaches (online or at the municipality)
- Lost HR department laptops

ANATOMY OF A BREACH RESPONSE
BREACH DISCOVERY
- EXPERTS: breach coach; forensics; public relations
- INVESTIGATION (internal/forensic/criminal): How did it happen? When did it happen? Is it still happening? Who did it happen to? What was accessed/acquired? Was it encrypted/protected?
- NOTICE OBLIGATIONS: state; federal; other (e.g., PCI, FDIC, OCC)
- NOTICE METHODS: written; electronic; substitute; media
- DEADLINES: can be anywhere from 48 hours to "without unreasonable delay"
- INQUIRIES: state regulators (e.g. AG, PD); federal regulators (e.g. OCR); federal agencies (e.g. SEC, FTC); consumer reporting agencies
- LITIGATION: subrogation; class action

BREACH COSTS
- Forensics vendor
- Notification vendor
- Call centers
- PR vendor
- ID theft insurance
- Credit monitoring
- ID restoration
- Attorney oversight
PLANNING AND DATA MANAGEMENT: REGULATOR/COMPLIANCE COST
- Breach planning (Mass.)
- ID theft monitoring (Red Flags)
- PCI DSS (Nevada and merchants)
- HIPAA

LITIGATION TRENDS
- SINGLE PLAINTIFF: identity theft; privacy
- GOVERNMENT ACTION: Attorney General (Goldthwait, South Shore, Accretive, Health Net); FTC (ChoicePoint, American United Mortgage); HHS (Hospice of North Idaho, Massachusetts Eye and Ear, Alaska Dept. of HHS)
- BANKS: cost of replacing credit cards; reimbursement of fraudulent charges; business interruption
- CLASS ACTION: failure to protect data; failure to properly notify; failure to mitigate
NO VERDICTS... YET

DEFENSE ERODING
- Stollenwerk v. Tri-West: assert actual identity theft
- Krottner v. Starbucks Corp.: increased risk of identity theft constitutes an injury-in-fact
- Anderson v. Hannaford: alleged fraud in the affected population and money spent in mitigation efforts is sufficient (instead of time/effort)
- ITERA (Identity Theft Enforcement and Restitution Act): "pay an amount equal to the value of the time reasonably spent"
- In re Hannaford Bros. Data Security Breach Litigation: does time equal money? No. But if there is fraud, credit monitoring damages may be due.
- ChoicePoint Data Breach Settlement (FTC): paid for time consumers may have spent monitoring their credit or taking other steps in response

COSTS
- LITIGATION: breach guidance; investigation; notification; e-discovery; litigation prep; contractual review; defense (MDL?)
- PLAINTIFF DEMANDS: fraud reimbursement; credit card replacement; credit monitoring/repair/insurance; civil fines/penalties; statutory damages (CMIA); time

WHAT CAN BE DONE? PROACTIVE RISK MANAGER STEPS
- Empowered senior executive
- Talk to your IT security folks. Gain an appreciation of the many challenges. Not many firms can say: how many records they have; what type of data is being collected, stored, shared, protected; where all this data resides; when it is purged.
- Assess and test your own staff and operations
- Document your due care measures
- Insurance
- Red Flags, data security and breach response plans: affirmative duties

Thank you!
Jim Prendergast, Partner, Data Privacy Group, Nelson Levine de Luca & Hamilton
jprendergast@nldhlaw.com | www.nldhlaw.com