
DESCRIPTION

In a two hour live webcast, a panel of thought leaders and practitioners assembled by The Knowledge Group will discuss the significant and latest issues with respect to Hot Topics in Dealing with Banking Cyber Security. Key topics include:

• Digital Crime
• Threat Overload
• Case Studies
• Heightened Regulatory Oversight
• Threat Detection
• Cyber-Attack Triage
• Recent regulatory issues and updates

To view the webcast go to this link: http://youtu.be/Igr7zAcKndE

To learn more about the webcast please visit our website: http://theknowledgegroup.org

TRANSCRIPT

Page 1: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Speaker Firms and Organization:

United States Department of Homeland Security: Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience

Thank you for logging into today’s event. Please note we are in standby mode. All Microphones will be muted until the event starts. We will be back with speaker instructions @ 11:55am. Any Questions? Please email: [email protected]

Group Registration Policy

Please note ALL participants must be registered or they will not be able to access the event. If you have more than one person from your company attending, you must fill out the group registration form. We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.

To obtain a group registration please send a note to [email protected] or call 646.202.9344.

Presented By:

June 19, 2014


Partner Firms:

Kane Russell Coleman & Logan PC: Kenneth Johnston, Shareholder

BAE Systems: Paul Henninger, Global Product Director

Bryan Cave LLP: Maria Z. Vathis, Of Counsel

United States Department of Homeland Security

Page 2: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


Follow us on Twitter, that’s @Know_Group to receive updates for this event as well as other news and pertinent info.

If you experience any technical difficulties during today’s WebEx session, please contact our Technical Support @ 866-779-3239.

You may ask a question at any time throughout the presentation today via the chat window on the lower right hand side of your screen. Questions will be aggregated and addressed during the Q&A segment.

Please note, this call is being recorded for playback purposes.

If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today’s event, please send an email to: [email protected]. If you’re already logged in to the online webcast, we will post a link to download the files shortly.

If you are listening on a laptop, you may need to use headphones, as some laptop speakers are not sufficiently amplified to hear the presentations. If you do not have headphones and cannot hear the webcast, send an email to [email protected] and we will send you the dial-in phone number.

Page 3: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


About an hour or so after the event, you'll be sent a survey via email asking for your feedback on your experience with this event today. It's designed to take less than two minutes to complete, and it helps us understand how to wisely invest your time in future events. Your feedback is greatly appreciated. If you are applying for continuing education credit, completing the survey is mandatory as per your state boards and bars. 6 secret words (3 for each credit hour) will be given throughout the presentation. We will ask you to fill these words into the survey as proof of your attendance. Please stay tuned for the secret word.

Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read the secret word. Pardon the interruption.

Page 4: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


Welcome to the Knowledge Group Unlimited Subscription Programs. We have two options available for you:

FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:

• Unlimited access to over 15,000 pages of course material from all Knowledge Group webcasts. Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
• 50% discount for purchase of all live webcasts and downloaded recordings.

PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:

• Access to all LIVE webcasts (normally $199 to $349 for each event without a subscription), including Bring-a-Friend: invite a client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
• Access to all recorded/archived events & course material, including 1,500+ hours of audio material (normally $299 for each event without a subscription).
• Free CLE/CPE/CE processing (normally $49 per course without a subscription).
• Access to over 15,000 pages of course material from Knowledge Group webcasts.
• Ability to invite a guest of your choice to attend any live webcast free of charge (exclusive benefit only available for PAID UNLIMITED subscribers).
• 6 Month Subscription is $299 with No Additional Fees. Other options are available.

Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up sheet contained in the link below.

https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Page 5: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


Knowledge Group UNLIMITED PAID Subscription Programs Pricing

Individual Subscription Fees (2 options):

• Semi-Annual: $299 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.
• Annual: $499 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.

Group plans are available. See the registration form for details.

Best ways to sign up:

1. Fill out the sign up form attached to the post conference survey email.
2. Sign up online by clicking the link contained in the post conference survey email.
3. Click the link below or the one we just posted in the chat window to the right: https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Discounts:  Enroll today and you will be eligible for the “Triple Play” program and 3% off if you pay by credit card. Also we will waive the $49 CLE/CPE processing fee for today’s conference. See the form attached to the post conference survey email for details.

Questions: Send an email to: [email protected] with “Unlimited” in the subject.

Page 6: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Partner Firms:


BAE Systems Applied Intelligence delivers solutions which help clients to protect and enhance their critical assets in the intelligence age. Its intelligent protection solutions combine large-scale data exploitation, ‘intelligence-grade’ security and complex services and solutions integration. The company operates in four key domains of expertise: cyber security, financial crime, communications intelligence and digital transformation.

Leading enterprises and government departments use the solutions to protect and enhance physical infrastructure, mission-critical systems, valuable intellectual property, corporate information, reputation and customer relationships, competitive advantage and financial success. For more information, please visit www.baesystems.com/ai.

United States Department of Homeland Security

Page 7: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Partner Firms:


Kane Russell Coleman & Logan PC is a full service law firm with offices in Dallas and Houston. Formed in 1992 with five lawyers, today KRCL has more than 80 attorneys. The firm provides professional services for clients ranging from Fortune 500 companies to medium-sized public and private companies to entrepreneurs. KRCL handles transactional, litigation and bankruptcy matters throughout the U.S. and China.

Page 8: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Brief Speaker Bios:

Carlos P. Kizzee

Carlos P. Kizzee is the Deputy Director of the Department of Homeland Security’s Stakeholder Engagement and Cyber Infrastructure Resilience Division within the U.S. Department of Homeland Security’s Office of Cyber Security and Communications.  Mr. Kizzee has extensive experience in advising and conducting operational coordination, information sharing, and collaboration among government and private sector. In his position as Deputy Director, he oversees four branches of public-private cyber engagement encompassing Cyber Education and Outreach Awareness, Federal and State Government Engagement, Industry Cyber Engagement, and Critical Infrastructure Stakeholder Risk Assessments and Mitigations. 


Paul Henninger

Paul has worked with a wide range of public sector, global financial and commercial institutions to manage the fraud, compliance and security risks that have evolved rapidly over the last 10 years.  He specializes in practical, innovative approaches to building and using technology to solve the real challenges faced by these organizations who are dealing with systematic attacks on their customers, data assets, and infrastructure. Paul specializes in digital crime and financial crime threats and is a frequent media and analyst commentator on digital criminality, security, technology and risk management. He advises financial institutions and government agencies around the world.

Page 9: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Brief Speaker Bios:


► For more information about the speakers, you can visit: http://theknowledgegroup.org/event_name/hot-topics-in-dealing-with-banking-cyber-security-live-webcast/

Kenneth Johnston

Kenneth Johnston, a shareholder of Kane Russell Coleman & Logan PC, focuses his practice on class-action and general commercial litigation with an emphasis on financial services, insolvency and creditor rights. He routinely represents financial institutions in a variety of matters including data breach issues, general bank operations, insolvency, material defensive litigation, and credit risk management.  Kenneth was recently named as one of the Best Lawyers in Dallas in Banking and Finance by D Magazine and has been ranked as one of the top banking attorneys in Texas by Super Lawyers magazine since 2006.

Maria Z. Vathis

Maria Z. Vathis has a broad range of experience defending corporate clients in complex business litigation matters, insurance coverage, and class actions involving alleged violations of federal statutes, including the Telephone Consumer Protection Act.  Ms. Vathis has represented financial institutions, loan servicers, investment firms, law firms, brokers, attorneys and other professionals.  She handles matters nationwide in federal and state courts.  Her practice also includes monitoring litigation for international insurers, advising on risk management, evaluating existing insurance coverage, drafting insurance policy language and analyzing insurance coverage under professional liability, cyber and first-party property insurance policies.   

Page 10: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

In a two hour live webcast, a panel of thought leaders and practitioners assembled by The Knowledge Group will discuss the significant and latest issues with respect to Hot Topics in Dealing with Banking Cyber Security.

Key topics include:

• Digital Crime

• Threat Overload

• Case Studies

• Heightened Regulatory Oversight

• Threat Detection

• Cyber-Attack Triage

• Recent regulatory issues and updates

Page 11: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Featured Speakers:


Paul Henninger, Global Product Director, BAE Systems Applied Intelligence

Kenneth Johnston, Shareholder, Kane Russell Coleman & Logan PC

Maria Z. Vathis, Of Counsel, Bryan Cave LLP

Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience, United States Department of Homeland Security

Page 12: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Introduction

Paul has worked with a wide range of public sector, global financial and commercial institutions to manage the fraud, compliance and security risks that have evolved rapidly over the last 10 years. He specializes in practical, innovative approaches to building and using technology to solve the real challenges faced by these organizations who are dealing with systematic attacks on their customers, data assets, and infrastructure. Paul specializes in digital crime and financial crime threats and is a frequent media and analyst commentator on digital criminality, security, technology and risk management. He advises financial institutions and government agencies around the world.


Paul Henninger, Global Product Director, BAE Systems Applied Intelligence

Page 13: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


Digital Crime Threats and Responses


Page 14: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Simple Digital Crime


Page 15: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Simple Digital Crime


Once installed:

1) Configuration-driven – attacks different banks in different ways

2) Enables tailored attacks which are aware of withdrawal limits and other factors

3) Can perform internal transfers and external payments

4) Downloadable mule IBAN – evade IBAN blacklists

5) Hijacks one-time tokens

6) Delay customer recognition of fraud – fake balance screens


Page 16: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

The New Digital Crime


Fraud Challenge / Cyber Challenge / Comms Challenge

Definition:
• Fraud: Fraud attacks are attacks against a business process.
• Cyber: Cyber attacks are against information technology infrastructure.
• Comms: Comms attacks are unauthorized or illegal use of communications technology.

Method / Threat Actor:
• Fraud: Criminals seek to create or manipulate transactions.
• Cyber: Criminals seek to steal data or control/disrupt systems.
• Comms: Criminals seek to use or manipulate comms systems to plan or facilitate crime.

Goal:
• Fraud: Financial Gain
• Cyber: Information Theft; Political / Economic Espionage; Denial of Service / Sabotage
• Comms: Facilitate Crime; Promote Ideology; National Security Advantage


Page 17: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Common Defences


Risk management and security can be enhanced by combining cyber, fraud and comms intelligence and correlating sources of threats to enable better detection and faster, more efficient investigation.

Fraud Defences / Cyber Defences / Comms Defences

• Intel. Sharing: Shared intelligence on the threat (fraud, cyber and comms alike)
• X-function enrichment: Augmentation with other risk sources (fraud, cyber and comms alike)
• Operations: Integrated investigation tools (fraud, cyber and comms alike)


Page 19: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Potential Impact – More Than Theft Of Funds


Page 20: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Organizational Impact of Digital Crime


• Detection level: Automated integration of intelligence data; device reputation; endpoint hardening; detection systems integration
• Investigation level: Information sharing; incident logging; multi-skilled operations teams
• Organisation level: Org structure changes; risk management framework


Page 21: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Case Study: Retail Bank


Network penetration and surveillance

• Identify high value customer targets, profile their behaviour and formulate attack plan
• Surveillance: identify security procedures & protocols by attacking email accounts of staff who work in fraud, risk & security
• Attack the existing control systems, e.g. change or remove limits on debit cards or for international funds transfer
• Exfiltration of account data to enable account compromise

Account Compromise

• Quietly compromise accounts; set up mules to receive transactions from compromised accounts
• Massive DDOS attack on website and phone systems as a distraction

Cash Out

• Rapid movement of funds from target accounts to mule accounts
• Mule accounts move money offshore to multiple locations
• Funds withdrawn as cash at ATMs in multiple offshore locations
• Crypto/ransomware left as threat to stop any legal pursuit / theft of sensitive data / blackmail of senior staff


Page 22: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Case Study: Insurance


Network penetration and surveillance

• Identify high value customer targets: long standing customers with no claims, high value vehicles, property
• Surveillance: identify security procedures & protocols by attacking email accounts of staff who work in fraud, risk & security
• Attack the existing control systems, e.g. change or remove limits on payouts
• Exfiltration of policy holder data for account takeover

Account Compromise

Cash Out

• Claim against high value policies
• Funnel money through mule accounts to offshore locations and extract as ATM withdrawals
• Crypto/ransomware left as threat to stop any legal pursuit / theft of sensitive data / blackmail of senior staff
• Massive DDOS attack on website and phone systems as a distraction


Page 23: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Introduction

Carlos P. Kizzee is the Deputy Director of the Department of Homeland Security’s Stakeholder Engagement and Cyber Infrastructure Resilience Division within the U.S. Department of Homeland Security’s Office of Cyber Security and Communications.  Mr. Kizzee has extensive experience in advising and conducting operational coordination, information sharing, and collaboration among government and private sector. In his position as Deputy Director, he oversees four branches of public-private cyber engagement encompassing Cyber Education and Outreach Awareness, Federal and State Government Engagement, Industry Cyber Engagement, and Critical Infrastructure Stakeholder Risk Assessments and Mitigations. 

Mr. Kizzee also serves as the Program Manager of a Joint Program Office implementing key operational information sharing and information sharing support program activities associated with Public-Private Threat Information Sharing, Enhanced Cyber Security Services for Critical Infrastructure, and Implementing Trusted and Secure Automation among public-private cyber data sharing.  A graduate of the United States Naval Academy, Mr. Kizzee has a Bachelor of Science degree in Mathematics, a Juris Doctor degree from the Georgetown University Law Center, and a Master of Laws from the Judge Advocate General’s School of the Army at the University of Virginia’s School of Law. In addition to being a retired Marine Corps Judge Advocate, Mr. Kizzee is a career Federal civil servant with over ten years of Federal service.  


Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience, United States Department of Homeland Security

Page 24: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

What is a “Best Case” Information Sharing Scenario?

The appropriate recipient timely receives actionable information of sufficient relevancy and in the most optimal and manageable form and quantity of ingest required to inform their necessary decision or action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a result of the transaction.

Character of Data

• Relevant to Recipient interests: no “noise”, no redundancy
• Actionable by Recipient: informs/defines decision/action of value to the Recipient (including additional analysis)
• Timely transmitted to Recipient: Recipient decision/action can be taken in time to be of maximum value to the Recipient
• Trustworthy: data and/or Source is of suitable credibility for decision/action

Nature of Impacts

• Recipient’s capture of data causes no harm to Source

Nature of Transaction

• Transmission and capture involves minimal resource and delay (automated)


Page 25: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Common Barriers to “Best Case” Information Sharing

The appropriate recipient timely receives actionable information of sufficient relevancy and in the most optimal and manageable form and quantity of ingest required to inform their necessary decision or action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a result of the transaction.

Data Insufficiency
• Insufficient data to inform decision/action
• Lack of awareness or appreciation of relevance of data

Poor data flow mapping
• Right data goes to the wrong Recipient
• Wrong data goes to the right Recipient

Trust
• Fear of harm chills Source sharing
• Recipient actions cause Source or others harm

“Threat Overload”


Page 26: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Threat Overload

Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to successfully ingest, parse, and inform their necessary decision or action.

1. Too much data

2. Too much relevant data


Page 27: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Threat Overload

Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to successfully ingest, parse, and inform their necessary decision or action.

Too much shared data

• “One-size” threat data does not “fit-all” of a non-uniform Recipient base

• Segmentation of recipients by their data requirements

• Map generated data against the relevant segmented requirements of recipients:
o “I outsource all of my IT.”
o “I conduct basic system administration of my network.”
o “I research, analyze, and develop mitigations for threats to my enterprise infrastructure.”
o “I develop and provide services and products to mitigate threats to networks and systems.”

• Data flow follows the map of generated data to the relevant recipient

• “Information Sharing” defined by recipient requirements segmentation and data flow mapping.


Page 28: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Threat Overload

Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to successfully ingest, parse, and inform their necessary decision or action.

Too much relevant shared data

• A good problem to have is still a problem

• Enhance the quality of analysis
o Tools
o Tradecraft and skills

• Enhance capacity
o Analytical collaboration
o Tailored analytics
o Trust, credibility, and scoring of data and source
o Standard, structured data sharing profiles to enable auto ingest and parsing

• “Information Sharing” made scalable and sustainable by partnership, process, and coordination.


Page 29: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Threat Overload

The appropriate recipient timely receives actionable information of sufficient relevancy and in the most optimal and manageable form and quantity of ingest required to inform their necessary decision or action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a result of the transaction.

• So what should I do differently?

• “Information Sharing” isn’t just sharing information, it is a data flow:
o defined by recipient requirements segmentation and data flow mapping, and
o made scalable and sustainable by partnership, processes, and coordination in the data flow.

• Governance matters:
o What data is required?
o To whom?
o For what purpose(s)?
o Under what conditions?
o What uses will cause harm and are not permitted?

Information sharing arrangements and marriage?
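The recipient segmentation, data flow mapping, credibility scoring and redundancy filtering described on the Threat Overload slides, as an added worked example in Python; this is not part of the webcast materials, and the segment names, record fields and credibility threshold are assumptions made for the example.

```python
"""Recipient-segmented threat data flow.

Models the Threat Overload slides: segment recipients by what they can act
on, map each generated record to the segments and sectors it is relevant
to, withhold low-credibility and redundant records, and deliver only what
each recipient needs.  Segment names, record fields and the credibility
threshold are assumptions for this example, not a DHS data model.
"""
from collections import Counter
from dataclasses import dataclass, field

# Which kinds of record each recipient segment can actually act on.  The
# four segments follow the four recipient self-descriptions on the slide.
SEGMENTS = {
    "outsourced_it": {"advisory"},                                   # "I outsource all of my IT."
    "basic_sysadmin": {"advisory", "patch"},                         # "I conduct basic system administration."
    "enterprise_analyst": {"advisory", "patch", "indicator", "ttp"}, # "I research, analyze, develop mitigations."
    "product_vendor": {"advisory", "patch", "indicator", "ttp", "sample"},  # "I develop services and products."
}


@dataclass(frozen=True)
class ThreatRecord:
    record_id: str
    kind: str              # advisory | patch | indicator | ttp | sample
    source: str
    credibility: int       # 0..100 score assigned to the data and its source
    sectors: frozenset     # empty set means relevant to every sector
    summary: str


@dataclass
class Recipient:
    name: str
    segment: str
    sector: str
    seen: set = field(default_factory=set)   # record ids already delivered


def route(records, recipients, min_credibility=60):
    """Map records to recipients.  Returns (deliveries, reasons): deliveries
    is {recipient name: [record ids]}, reasons counts why a record was
    withheld from a recipient (untrusted, noise, irrelevant, redundant)."""
    deliveries = {r.name: [] for r in recipients}
    reasons = Counter()
    for rec in records:
        if rec.credibility < min_credibility:
            reasons["untrusted"] += 1          # trust: source/data not credible enough to act on
            continue
        for rcp in recipients:
            if rec.kind not in SEGMENTS[rcp.segment]:
                reasons["noise"] += 1          # not actionable by this segment
            elif rec.sectors and rcp.sector not in rec.sectors:
                reasons["irrelevant"] += 1     # wrong data to the right recipient
            elif rec.record_id in rcp.seen:
                reasons["redundant"] += 1      # already delivered once
            else:
                rcp.seen.add(rec.record_id)
                deliveries[rcp.name].append(rec.record_id)
    return deliveries, reasons


def build_sample_flow():
    """Constructed sample records and recipients (not real data) that
    exercise every path: delivery, noise, irrelevance, redundancy, trust."""
    banking = frozenset({"banking"})
    records = [
        ThreatRecord("R1", "advisory", "ISAC", 90, banking, "Phishing campaign against online banking customers"),
        ThreatRecord("R2", "indicator", "CERT", 85, frozenset(), "Command-and-control domain seen in trojan traffic"),
        ThreatRecord("R3", "sample", "Vendor lab", 95, banking, "Malware sample for detection engineering"),
        ThreatRecord("R4", "indicator", "Anonymous paste", 30, frozenset(), "Unverified address list"),
        ThreatRecord("R1", "advisory", "ISAC", 90, banking, "Same advisory re-shared through a second channel"),
        ThreatRecord("R5", "advisory", "ISAC", 80, frozenset({"energy"}), "ICS advisory, not for banks"),
    ]
    recipients = [
        Recipient("Community Bank", "outsourced_it", "banking"),
        Recipient("Regional Bank SOC", "enterprise_analyst", "banking"),
        Recipient("Security Vendor", "product_vendor", "banking"),
    ]
    return route(records, recipients)


if __name__ == "__main__":
    deliveries, reasons = build_sample_flow()
    for name, ids in deliveries.items():
        print(f"{name}: {ids}")
    print("withheld:", dict(reasons))
```

The same record set yields one advisory for the outsourced-IT bank and the full set only for the vendor segment, which is the slide's point that "one-size" threat data does not fit a non-uniform recipient base.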


Page 30: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Introduction

Kenneth Johnston, a shareholder of Kane Russell Coleman & Logan PC, focuses his practice on class-action and general commercial litigation with an emphasis on financial services, insolvency and creditor rights. He routinely represents financial institutions in a variety of matters including data breach issues, general bank operations, insolvency, material defensive litigation, and credit risk management. Kenneth was recently named as one of the Best Lawyers in Dallas in Banking and Finance by D Magazine and has been ranked as one of the top banking attorneys in Texas by Super Lawyers magazine since 2006.


Kenneth Johnston, Shareholder, Kane Russell Coleman & Logan PC

Page 31: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

The Feds are Watching

• OCC’s Semiannual Risk Perspective

• Cyber attacks are more frequent and more sophisticated

• Increasingly targeting smaller institutions

• Leads banks to implement new technologies, rely on third-party providers

• May adversely affect bank’s ability to identify and control risks

• Agencies have provided guidance focusing on corporate governance tools


Page 32: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

The Feds are Watching

• FFIEC’s recent webinar: High Level Goals

• Set the tone and build a security culture

• Identify, measure, mitigate, and monitor risks

• Develop risk management processes scaled to risks and complexity of institution

• Align cybersecurity strategy with business strategy

• Create a governance process that ensures ongoing awareness and accountability

• Timely report cyber-vulnerabilities to senior management

• FFIEC will announce vulnerability and risk-mitigation assessments in late 2014


Page 33: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

The Feds are Watching

• Federal Reserve guidance: managing outsourcing risk

• Outsourcing of processing, information technology services, and operational activities creates risk

• Carefully evaluate what information to provide to vendor: consider financial information, customer information, and CSI

• Ensure vendor compliance with privacy laws and regulations


Page 34: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

The Feds are Watching

• Securities and Exchange Commission guidance

• 2011: SEC guidance requires disclosure of material information regarding cybersecurity risks

• SEC’s Recent Roundtable

• Cybersecurity is SEC’s “number one global threat”

• SEC says it must play a role, but the nature of that role is still emerging


Page 35: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

The Feds are Watching

• Other Government actors:

• The White House 2013 Executive Order on cybersecurity encourages policy coordination and information sharing among federal agencies

• FBI says that resources devoted to cyber threats will soon eclipse resources devoted to terrorism

• FDIC statement: banks must be aware of threats and use government-sponsored resources


Page 36: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Detecting the Threats

• We will continue to see cyber threats and material data breaches.


Page 37: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Detecting the threats

• What will those threats look like in the financial services arena?

• An event that puts an individual’s name plus social security number, financial record, or debit card at risk—whether in digital or paper format

• An event that puts a company and its deposits at risk—wire fraud

• Data breaches may occur from malicious criminal attacks, system glitches, or human error

• Breaches may include atypical catastrophic or mega data breaches running into the millions of records—e.g., TJ MAXX or Target

• A breach may be more typical, ranging from as few as a single compromised record to 100,000 compromised records


Page 38: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Detecting the threats

• Who initiates cyber threats?


Page 39: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Detecting the threats

• Examples of threats

• Wrongdoers attack larger banks through Distributed Denial of Service (DDoS):

o These attacks interrupt the ability to do business

o Some allege that Iran took an active role in a recent DDoS attack

• Both large and small banks experience phishing and malware attacks targeting consumers

o Criminals install malware on a victim’s computer to access passwords and other critical information

o They drain deposit accounts

• Corporate accounts provide lucrative opportunities for phishing and malware attacks

o Deposits typically exceed consumer accounts

o Not so much a bank security issue as a customer security issue

o Criminals issue unauthorized wires (not uncommon to see six-figure problems)

• Hacktivists unlawfully access systems to make an example or to prove points


Page 40: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Detecting the threats

• Understand the evolution of the threat environment—either follow the technology or hunt the hunter

• 1950s and 60s saw an increase in paper check fraud that continues today (more reliance on machines)

• ATM Machines (increased access points)

• Internet Banking (increased access points and outsourcing)

• Mobile Banking (continuing to increase access points and tapping into the unbanked market)

• Mobile Payment Systems (uncharted territory)


Page 41: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Cyber-Attack Triage: Process Is Key


This is a fine metaphor, but it’s not the right way to think about cyber attacks.

Fixing leaks is losing the battle.

Page 42: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Cyber-Attack Triage: Process Is Key


Page 43: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Cyber-Attack Triage: Process Is Key

• The First 24 Hours Checklist

Panicking won’t get you anywhere once you’ve discovered a data breach. Accept that it’s happened and immediately contact your legal counsel for guidance on initiating these 10 critical steps:

Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e., when someone on the response team is alerted to the breach.

Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.

Secure the premises around the area where the data breach occurred to help preserve evidence.

Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.

Document everything known thus far about the breach: Who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.


Page 44: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Cyber-Attack Triage: Process Is Key

• The First 24 Hours Checklist (continued)

Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.

Review protocols regarding disseminating information about the breach for everyone involved in this early stage.

Assess priorities and risks based on what you know about the breach.

Bring in your forensics firm to begin an in-depth investigation.

Notify law enforcement, if needed, after consulting with legal counsel and upper management.
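The record-keeping steps of the checklist above (separate discovery and response-start timestamps, then document everything), worked as an added example that is not part of the webcast slides: an append-only, SHA-256 hash-chained incident log, so that later edits to what was written down are detectable, plus a notification deadline counted from discovery. The `window_days` value, the timestamps, the responder name and the host name are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # anchor for the first entry of the chain


@dataclass
class IncidentLog:
    """Append-only record for the first hours of a breach response.
    Each documented fact is hash-chained to the previous one."""
    discovered_at: datetime
    response_started_at: datetime
    entries: list = field(default_factory=list)

    def _digest(self, body: dict) -> str:
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, recorded_at: datetime, recorded_by: str,
               question: str, answer: str) -> str:
        """Append one documented fact and return its chain hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "recorded_at": recorded_at.isoformat(),
                "recorded_by": recorded_by, "question": question,
                "answer": answer, "prev": prev}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was altered or moved."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def response_lag(self) -> timedelta:
        """Gap between discovery and the first response-team action."""
        return self.response_started_at - self.discovered_at

    def notification_deadline(self, window_days: int) -> datetime:
        """Deadline counted from discovery; window_days is a parameter, not a rule."""
        return self.discovered_at + timedelta(days=window_days)


def build_sample_log() -> IncidentLog:
    """Constructed sample: timestamps, responder name and host are invented."""
    discovered = datetime(2014, 6, 19, 9, 0, tzinfo=timezone.utc)
    log = IncidentLog(discovered, discovered + timedelta(hours=2))
    t = log.response_started_at
    by = "responder (constructed)"
    log.record(t, by, "who discovered it", "night-shift operator")
    log.record(t, by, "what systems are affected", "workstation WS-07 (placeholder)")
    log.record(t + timedelta(minutes=10), by, "containment",
               "WS-07 disconnected from network, left powered on for forensics")
    return log
```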


Page 45: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Cyber-Attack Triage: Process Is Key

• Notification: When and how should you notify?

• Certain state laws and federal regulations shrink the timeline to 30 or 45 days.

• Some states mandate specific content for you to include in customer notification letters. This can include toll-free numbers and addresses for the three major credit bureaus, the FTC and a state’s attorney general.

• Contact with law enforcement is important. Notification may be delayed if law enforcement believes it would interfere with an ongoing investigation.

• Multiple state laws may apply to one data breach.

• If some affected individuals live in a state that mandates notification and others live in a state that doesn’t, you may need to notify everyone.

• Some recipients will think the notification letter itself is a scam.


Page 46: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Cyber-Attack Triage: Process Is Key

What does the financial institution’s in-house legal team need to do before a breach occurs?

• Establish relationships with any necessary external counsel now – not after the breach.

• Review and stay up to date on state and federal laws governing data breaches in the financial institutions sector.

• Direct the creation of a concrete, written, and fully vetted response policy.

Then, when a breach occurs, counsel can quickly determine whether it is necessary to notify affected individuals, the media, law enforcement, government agencies and other third parties, such as card holder issuers.


Page 47: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Introduction

Maria Z. Vathis has a broad range of experience defending corporate clients in complex business litigation matters, insurance coverage, and class actions involving alleged violations of federal statutes, including the Telephone Consumer Protection Act.

Ms. Vathis has represented financial institutions, loan servicers, investment firms, law firms, brokers, attorneys and other professionals. She handles matters nationwide in federal and state courts. Her practice also includes monitoring litigation for international insurers, advising on risk management, evaluating existing insurance coverage, drafting insurance policy language and analyzing insurance coverage under professional liability, cyber and first-party property insurance policies.

Phone: (312) 602-5127

Email: [email protected]   

June 19, 2014

47

Maria Z. Vathis, Of Counsel, Bryan Cave LLP

Page 48: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Trends in Privacy & Security Class Actions

Shifting attack vectors, scanning for vulnerabilities and leveraging zero-day exploits – these terms describe the plaintiffs’ class action bar just as easily as they do hackers. This quarter’s analysis of the types of complaints filed by the plaintiffs’ bar, and the ways in which those complaints have been structured, shows an increase in class action filings and an ongoing evolution by the plaintiffs’ bar to identify the “right” strategy for obtaining damages or leveraging settlement value.

The following are key findings concerning data-related complaints filed by the plaintiffs’ bar over the most recently reported quarter (2014 – Q1):

• A total of 178 data-related class action complaints were filed.

• Despite overwhelming media attention on payment card related data security breaches, the majority of complaints (77%) involve data privacy (collection, use and sharing) as opposed to data security (safeguarding and breach) (23%). As a result, while data security litigation is on the rise when compared to the previous quarter, it remains a minority of overall litigation.


* Source: Shahin Rothermel and David Zetoony, “Shifting Trends: Privacy & Security Class Action Litigation,” Bryan Cave Data Privacy & Security Bulletin, June 2014.

Page 49: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Additional Litigation Statistics

• Complaints against Target accounted for more than 50% of all data security-related filings.

• Telemarketing remained the most common primary legal theory alleged (64%).

• The U.S. District Court for the Central District of California (25%) replaced the Northern District of Illinois (15%) as the most popular federal forum for filing.

• In terms of industry sectors, retail (21%), debt collection (16%), financial services (7%), and marketing (7%) received the largest number of complaints.

• 96% of complaints filed in federal courts in the first quarter alleged putative national classes.

• Consumers’ mobile phone numbers were the leading type of data at issue (44%), followed by credit and debit card information (18%) and fax numbers (17%).

• Over 100 plaintiffs’ firms were involved in data-related litigation. The vast majority of firms filed fewer than four complaints.


Page 50: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

Bryan Cave Data Breach Hotline

Hackers don't stop working at 5:00... and neither do we. Data breaches can and do occur at any time, day or night. When a security breach occurs, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach.

That's why an attorney from our global Bryan Cave Data Privacy and Security Practice is on-call for clients whenever and wherever a breach occurs: 24 hours a day, 7 days a week.


Page 51: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


CLE PROCESSING

The Knowledge Group offers complete CLE processing solutions for your webcasts and land events. This comprehensive service includes everything you need to offer CLE credit at your conference:

• Complete end-to-end CLE credit solutions

• Setting up your marketing collateral properly

• Completing and filing all of the applications to the state bar

• Guidance on how to structure content to meet course material requirements for the state bars

• Sign-up forms to be used to check and confirm attendance at your event

• Issuing official Certificates of Attendance for credit to attendees

Obtaining CLE credit varies from state to state and the rules can be complex. The Knowledge Group will help you navigate the complexities via complete, cost-effective CLE solutions for your conferences. Most CLE processing plans are just $499 plus filing fees and postage.

To learn more email us at [email protected] or CALL 646-202-9344

Page 52: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


PRIVATE LABEL PROGRAM & INTERNAL TRAINING

The Knowledge Group provides complete private label webcasts and in-house training solutions. Developing and executing webcasts can be a huge logistical nightmare. There are a lot of moving parts, and developing a program that is executed smoothly and cost effectively can prove to be a significant challenge for companies who do not produce events on a regular basis. Live events require a high level of proficiency in order to execute proficiently. Our producers will plan and develop your webcast for you and our webcast technicians will execute your live event with expert precision. We have produced over 1000 live webcasts. Put our vast expertise to work for you. Let us develop a professional webcast for your firm that will impress all your clients and internal stakeholders.

Private Label Programs Include:

• Complete Project Management

• Topic Development

• Recruitment of Speakers (Or you can use your own)

• Marketing Material Design

• PR Campaign

• Marketing Campaign

• Event Webpage Design

• Slides: Design and Content Development

• Speaker coordination: Arranging & Executing Calls, Coordinating Slides & Content

• Attendee Registration

• Complete LIVE Event Management for Speaker and Attendees including:

o Technical Support

o Event Moderator

o Running the Live event (All Aspects)

o Multiple Technical Back-ups & Redundancies to Ensure a Perfect Live Event

o Webcast Recording (MP3 Audio & MP4 Video)

o Post Webcast Performance Survey

• CLE and CPE Processing

Private Label Programs Start at just $999

Page 53: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


RESEARCH & BUSINESS PROCESS OUTSOURCING

The Knowledge Group specializes in highly focused and intelligent market and topic research. Outsource your research projects and business processes to our team of experts. Normally we can run programs for less than 50% of what it would cost you to do it in-house. Here are some ideal uses for our services:

• Market Research and Production

o List Research (Prospects, Clients, Market Evaluation, Sales Lists, Surveys)

o Design of Electronic Marketing Collateral

o Executing Online Marketing Campaigns (Direct Email, PR Campaigns)

o Website Design

o Social Media

• Analysis & Research

o Research Companies & Produce Reports

o Research for Cases

o Specialized Research Projects

• eSales (Electronic Inside Sales – Email and Online)

o Sales Leads Development

o eSales Campaigns

Inside Sales people will prospect for leads, contact them and coordinate with your sales team to follow up. Our Inside eSales reps specialize in developing leads for big-ticket enterprise level products and services.

o Electronic Database Building – Comprehensive service which includes development of sales leads, contacting clients, scoring leads, adding notes and transferring the entire data set to you for your internal sales reps.

• eCustomer Service (Electronic Inside Sales – Email and Online)

o Real-Time Customer Service for Your Clients: Online Chat, Email

o Follow-Up Customer Service: Responds to emails, Conducts Research, Replies Back to Your Customer

Please note these are just a few ways our experts can help with your Business Process Outsourcing needs. If you have a project not specifically listed above please contact us to see if we can help.

Page 54: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast

► You may ask a question at any time throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your question in the box that appears and click send.

► Questions will be answered in the order they are received.

Q&A:


Paul Henninger, Global Product Director, BAE Systems Applied Intelligence, [email protected]

Kenneth Johnston, Shareholder, Kane Russell Coleman & Logan PC, [email protected]

Maria Z. Vathis, Of Counsel, Bryan Cave LLP, [email protected]

Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience, United States Department of Homeland Security, [email protected]

Page 55: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


Welcome to the Knowledge Group Unlimited Subscription Programs. We have two options available for you:

FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:

• Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts. Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.

• 50% discount for purchase of all Live webcasts and downloaded recordings.

PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:

• Access to all LIVE Webcasts (Normally $199 to $349 for each event without a subscription). Including: Bring-a-Friend – Invite a client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.

• Access to all Recorded/Archived Events & Course Material, including 1,500+ hours of audio material (Normally $299 for each event without a subscription).

• Free CLE/CPE/CE Processing (Normally $49 Per Course without a subscription).

• Access to over 15,000 pages of course material from Knowledge Group Webcasts.

• Ability to invite a guest of your choice to attend any live webcast free of charge. (Exclusive benefit only available for PAID UNLIMITED subscribers.)

6 Month Subscription is $299 with No Additional Fees. Other options are available. Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up sheet contained in the link below.

https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Page 56: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


Knowledge Group UNLIMITED PAID Subscription Programs Pricing:

Individual Subscription Fees (2 Options):

• Semi-Annual: $299 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.

• Annual: $499 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.

Group plans are available. See the registration form for details.

Best ways to sign up:

1. Fill out the sign up form attached to the post conference survey email.

2. Sign up online by clicking the link contained in the post conference survey email.

3. Click the link below or the one we just posted in the chat window to the right. https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Discounts:  Enroll today and you will be eligible for the “Triple Play” program and 3% off if you pay by credit card. Also we will waive the $49 CLE/CPE processing fee for today’s conference. See the form attached to the post conference survey email for details.

Questions: Send an email to: [email protected] with “Unlimited” in the subject.

Page 57: Hot Topics in Dealing with Banking Cyber Security LIVE Webcast


ABOUT THE KNOWLEDGE GROUP, LLC.

The Knowledge Group, LLC is an organization that produces live webcasts which examine regulatory changes and their impacts across a variety of industries. “We bring together the world's leading authorities and industry participants through informative two-hour webcasts to study the impact of changing regulations.”

If you would like to be informed of other upcoming events, please click here.

Disclaimer:

The Knowledge Group, LLC is producing this event for information purposes only. We do not intend to provide or offer business advice. The contents of this event are based upon the opinions of our speakers. The Knowledge Congress does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect The Knowledge Congress' views. In no event shall The Knowledge Congress be liable to any person or business entity for any special, direct, indirect, punitive, incidental or consequential damages as a result of any information gathered from this webcast.

Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited.