cybersecurityweb1.amchouston.com/flexshare/003/accw/website/summit/...boards that choose to ignore,...
TRANSCRIPT
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Cybersecurity
Shamoil T. ShipchandlerPartner, Bracewell & Giuliani LLP214.758.1048
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
• Are you susceptible to a data breach?
Setting expectations
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
October 7, 2014
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Victim Perpetrator
Setting expectations
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
It’s only a matter of time
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
It’s only a matter of time
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
It’s only a matter of time
October 28, 2014
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
It’s only a matter of time
CyberEspionage
CyberActivism
Cyber Crime
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Retail (B&M and ecommerce)
Financial Institutions
Healthcare
Higher Education
Governmental Entities
2005 Today
Defense and Aerospace
Technology
All employers
Energy/Utilities
Breach trends
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Emerging risks
June 27, 2012
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Emerging risks
October 16, 2014
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
17%
27%42%
14%
Insider theft
Hacking
Accidental exposure or negligence
Subcontractor
Breach Types – 2007 through 2013 (4215 breaches)
It’s only a matter of time
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Re-setting expectations
Target Corp.’s cost so far: $236 million and more than 100 lawsuits
Average cost to respond to a data breach? $5.4 million($201 per record)
Analyst: Cost will exceed $1 billion
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
October 15, 2014
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Part I: Cybersecurity and data breach law*
*The least entertaining part of the presentation.
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Cybersecurity and data breach law
• The FTC, SEC, FCC, and NY
• Other federal statutes
• States
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The FTC
• “The FTC conducts its data security investigations to determine whether a company’s data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission’s 50 settlements with businesses that it charged with failing to provide reasonable protections for consumers’ personal information have halted harmful data security practices; required companies to accord strong protections for consumer data; and raised awareness about the risks to data, the need for reasonable and appropriate security, and the types of security failures that raise concerns.”
— Edith Ramirez, FTC Chairwoman, Congressional testimony (April 2, 2014)
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The FTC
• Example: What did TJX do wrong?
• Failed to implement measures to limit wireless access to its stores, allowing a hacker to connect wirelessly to its networks without authorization
• Did not require administrators to use strong passwords
• Failed to use a firewall or otherwise limit access to the internet on networks processing cardholder data
• Lacked procedures to detect and prevent unauthorized access, such as by updating antivirus software and responding on security warnings and intrusion alerts
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The SEC
• “Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities. In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
— Luis Aguilar, SEC Commissioner, speech given at NYSE on June 10, 2014
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The SEC
An SEC comment:
“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses.” (Target Form 10-K, March 2014)
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The SEC
Another SEC comment:“Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary. If you have experienced any cyber attacks in the past, please state that fact in any additional risk factor disclosure in order to provide the proper context. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.” (Hilton Worldwide Holdings, Inc. S-1, October 2013)
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The SEC
One more SEC comment:
“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.” (Alion Science and Technology Corp. S-1 filing, March 2014)
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The FCC
• After levying a $10 million fine against two telecom companies for storing personally identifiable customer data online without firewalls, encryption, or password protection: “This is unacceptable.… This is the first data security enforcement action [by the FCC], but it will not be the last.”
— Travis LeBlanc, FCC’s top enforcement official (October 28, 2014)
28www.bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Other federal statutes
• HITECH (medical information)
• HIPAA (medical information)
• GLBA (financial institutions)
• FTCA (federal trade commission act)
• FERRPA (educational records)
• FCRA (consumer reporting agencies)
• COPPA (children’s information)
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
States
• There are 47 different state laws with different requirements, different definitions of whether notifications need to occur, and different timings for notifications.
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
States
• There are 47 different state laws with different requirements, different definitions of whether notifications need to occur, and different timings for notifications.• Some require harm to occur to trigger notification
• Some require notice to their attorneys general or agencies (some are before notice is sent to consumers, some are after)
• Some have a specific time frame
• Some permit a private right of action
• Some have different provisions for third parties that hold data.
How much of what you do crosses state lines?FUN FACT!
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Washington state (HB 1078 – effective July 24, 2015)
• Among other provisions:
• Expands coverage to hard copy data.
• Requires notification to the Washington Attorney General if more than 500 Washington residents must be notified.
• Imposes a 45-day deadline for notification of affected consumers and/or the Washington Attorney General.
• Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act.
• Mandates certain content in the consumer notification.
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Part II: What you should do right now*
*Well, not right now. But right after this presentation!
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Get the Boards on … err … board.
• Ensure the company’s focus on cybersecurity
• Provide oversight of the risk management process
• Identify and empower their experts
• Include cybersecurity as a regular Board agenda item
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Create an information security plan
• Why?
• Minimize employee-related breaches
• Reduce overall exposure• Reductions for CISO, information security program, strong security
• Legally important
• Increase customer trust and company reputation
• Don’t be a or a
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Create an information security plan
“In November 2005, Jason Spaltro, executive director of information at Sony Pictures Entertainment [said], ‘There are decisions that have to be made. We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions…. Legislative requirements are mandatory, but going the extra step is a business decision.’”
Your Guide to Good-Enough Compliance
CIO Magazine
April 6, 2007
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Create an information security plan• Designate a lead
• Conduct a systems assessment
• Implement a security program – include “visual hacking” measures• Policies and training
• Thanks, Sony!
• Consider cyber insurance
• Review third party contracts
• Create and implement a crisis response plan and team
• Whistleblowers
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Insurance
October 12, 2014
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Create a crisis response team
• Identify the key constituents
• Recognize their motivations
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Create a crisis response team
• Identify the key constituents
• Recognize their motivations
• Identify and empower the decision-maker
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Part III: I’ve been breached (and I can’t get up)
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
Feel free to take all the time you need!
. . . yeah. Just kidding.
Clock starts ticking from DOB (discovery of breach**)
**Nobody else knows what this means, either.
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• What did Part II give you?
• Faster reaction time
• More thorough reaction
• Ability to minimize risk and damage
• Without Part II . . .
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• Re-evaluate
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• Re-evaluate
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure• Retain forensic investigator• Interview witnesses• Preserve documents and systems• Identify what was compromised• Document everything
• Notify (federal, state, int’l, individual, media, and other)• Consider referral to law enforcement and/or civil remedy• Re-evaluate
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure• Notify (federal, state, int’l, individual, media, and other)
• Federal, state, international• Individuals• Insurers and credit card companies (PFI!)• Media• Employees
• Consider referral to law enforcement and/or civil remedy• Re-evaluate
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• E.g., 18 U.S.C. § 1030
• Re-evaluate
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• Re-evaluate
63www.bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
The end.
bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Contact Information
Shamoil T. ShipchandlerPartner, Bracewell & Giuliani LLP
214.758.1048 | [email protected]