Mastering Data Privacy, Protection, & Forensics Law
April 15, 2015

Data Breach Notification and Cybersecurity Developments in 2015
Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US

This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.
2015 state data breach notification requirements
- 18 state laws, plus Puerto Rico law, also require notification of a breach to a state attorney general or regulator in addition to the affected individuals
  - Effective October 1, 2015: 19 state laws, with the addition of Montana
- California and Florida laws define personal information as covering online account information
  - Effective July 1, 2015: 3 state laws, with the addition of Wyoming
Cybersecurity laws and guidance and provisions in contracts and policies
- Issued in January 2015 (Federal): Federal Trade Commission Staff Report on Internet of Things
Resources (continued)
Cybersecurity (continued)
- Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation
  http://www.dorsey.com/files/upload/krasnow-ma-data-security-Regulation-mar-2015.pdf
- Guidance for Managing Cybersecurity Risks
  http://www.irmi.com/expert/articles/2014/krasnow05-cyber-privacy-risk-insurance.aspx
- National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
  http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
- Cybersecurity in the Golden State
  https://oag.ca.gov/cybersecurity
Resources (continued)
Boards of Directors and Corporate Governance
- Board Oversight of Cyberrisks: Directors and Officers Litigation
  http://www.irmi.com/expert/articles/2015/krasnow02-cyber-privacy-risk-insurance.aspx
- Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus
  http://www.sec.gov/news/speech/detail/speech/1370542057946#.VDvmOa1OXct
- National Association of Corporate Directors 2014 Cyber-Risk Oversight Handbook
  http://www.nacdonline.org/cyber
Questions & Answers
Melissa J. Krasnow
(612) 492-6106
krasnow.melissa@dorsey.com
Mastering Data Privacy, Social Media, & Cyber Law
October 22, 2014

Data Breach Notification and Cybersecurity Developments in 2014
Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US
State breach notification laws
- 47 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have breach notification laws (Alabama, New Mexico and South Dakota do not have these laws)
- These laws require notification of a breach to affected individuals
- These laws cover breaches involving personal information in electronic format
2014 state breach notification law developments
- 18 state laws, plus Puerto Rico law, also require notification of a breach to a state attorney general or regulator in addition to the affected individuals
- 7 state laws cover breaches involving personal information in both electronic and paper formats
- California and Florida laws define personal information as covering online account information
- New Kentucky breach notification law
California breach notification law amendment effective January 1, 2015
- Where a person or business was the source of a breach, the person or business providing breach notification must offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to an affected individual for not less than 12 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached if the breach exposed or may have exposed his or her first name or first initial and last name, together with any of the following data elements, where the name or the data elements are not encrypted:
  - SSN
  - Driver's license number or California identification card number
Breach notification in federal and foreign laws and provisions in contracts and policies
- Federal: HIPAA / HITECH Act breach notification for covered entities and business associates regarding protected health information
- Laws in other countries (e.g., Canada)
- Provisions in contracts and policies
Cybersecurity laws and guidance and provisions in contracts and policies
- State security procedures laws: Massachusetts and certain other states (e.g., California)
- Issued in February 2014 (Federal): National Institute of Standards and Technology critical infrastructure cybersecurity framework
- California cybersecurity guidance
- Provisions in contracts and policies
Cyber liability insurance
Main coverages in a traditional cyber liability insurance policy include:
- Security and privacy liability insurance that responds to third-party liability
- Event management insurance that responds by paying costs for breach notification, public relations and other services to assist in managing a covered privacy or network security incident
- Cyber extortion insurance that pays to settle network security-related extortion demands made against the insured
- Network business interruption insurance that responds to an insured's loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security
Enforcement, litigation and other consequences
- Federal Trade Commission
- Department of Health and Human Services
- State attorneys general (e.g., California and Massachusetts)
- Foreign regulators
- Litigation
- Other consequences
Some steps companies are taking to prepare
- Preparing, revising and testing incident response plans
- Tabletop Exercise (TTX)
  A TTX is intended to generate discussion of various issues regarding a hypothetical, simulated emergency. TTXs can be used to enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident. Generally, TTXs are aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions.
  Source: Homeland Security Exercise and Evaluation Program (HSEEP) (April 2013)
Some steps companies are taking to prepare (continued)
- Preparing and revising company policies and programs, including training
- Procuring security and data breach services
- Considering or reviewing cyber liability insurance
Resources
Data breach
- California Privacy Laws Change: Identity Theft Prevention and Mitigation Services
  http://www.irmi.com/expert/articles/2014/krasnow10-cyber-privacy-risk-insurance.aspx
- Changes in State Breach Notification Laws
  http://www.irmi.com/expert/articles/2014/krasnow08-cyber-privacy-risk-insurance.aspx
- California's Breach Notification Law Expands to Include Online Account Information
  http://www.dorsey.com/psm_ca_breach_online_account_info/
- Verizon 2014 Data Breach Investigations Report
  http://www.verizonenterprise.com/dbir/2014/
Cybersecurity
- Cybersecurity White Paper
  http://www.dorsey.com/files/upload/cybersecurity-white-paper.pdf
Resources (continued)
Cybersecurity (continued)
- Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation
  http://www.dorsey.com/files/upload/written%20information%20security%20programs%20compliance%20with%20the%20massachusetts%20%287-523-1520%29.pdf
- Guidance for Managing Cybersecurity Risks
  http://www.irmi.com/expert/articles/2014/krasnow05-cyber-privacy-risk-insurance.aspx
- National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
  http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
- Cybersecurity in the Golden State
  https://oag.ca.gov/cybersecurity
- Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus
  http://www.sec.gov/news/speech/detail/speech/1370542057946#.vdvmoa1oxct
- National Association of Corporate Directors 2014 Cyber-Risk Oversight Handbook
  http://www.nacdonline.org/cyber
Questions & Answers
Melissa J. Krasnow
612-492-6106
krasnow.melissa@dorsey.com