
Page 1: Mitigating D&O Liability Exposure for Data Privacy and …media.straffordpub.com/products/mitigating-d-and-o-liability-exposur… · 23-06-2015  · The audio portion of the conference

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches

Reducing D&O Risk With Internal Controls, Insurance, and Indemnification; Defending Derivative Lawsuits

TUESDAY, JUNE 23, 2015

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Sharon R. Klein, Partner, Pepper Hamilton, Irvine, Calif.

Larry Racioppo, Senior Vice President, USI Insurance Services, Westport, Conn.

Angelo A. Stio, III, Partner, Pepper Hamilton, Princeton, N.J.

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about CLE credit processing call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY


Sharon R. Klein, Larry Racioppo, Angelo A. Stio III

Mitigating D&O Liability Exposure For Data Privacy And Cybersecurity Breaches

Speakers

949.567.3506 [email protected]

609.951.4125 [email protected]

203.291.2015 [email protected]

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches

TOPICS

• Recent focus on data privacy and security issues

− Analysis of Major Breaches

− Consequences of Breach

• Duties of Directors and Officers

− Duty to Warn

− Duty to Protect

• Class Actions and Derivative Suits

• Insurance

• Practical Considerations


Recent Focus on Data Privacy and Security Issues

Chair Mary Jo White - SEC Cybersecurity Roundtable – March 2014

− “This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”

SEC Commissioner Luis Aguilar – Cyber Risks and the Boardroom Conference – June 2014

− 42% increase between 2011 and 2012 in the number of successful cyber-attacks per week.

− “[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”


Major Drivers to a Higher Cost of Data Breach in 2015

• Cyber attacks have increased in frequency

• The consequences of lost business are having a great impact on the cost of data breach

• Data breach costs associated with detection, escalation and remediation increased

2014 / 2015 Witnessed Major Breaches

• Target

• Home Depot

• Anthem

• Premera

• Sony

• J P Morgan Chase & Company

Factors that Increase Cost

• Third Parties

• Rush to Notify

• Lost or Stolen Devices

Factors that Decrease Cost

• Incident Response Team

• Encryption

• Employee Training

• Appointing Chief Information Security Officer

• Board Involvement

• Insurance


Data Breach Consequences

• Harm to individual

• Costs of notice and remediation

• Regulatory action

• Fines and penalties

• Potential lawsuits

• Loss of business, resources and employee time

• Damage to brand and reputation

• Disruption


Duties of Directors and Officers

• Directors are liable for oversight of Company affairs due to their fiduciary duties of loyalty and due care

• Cyber liability arising from disclosure of personally identifiable information and trade secrets is a known material risk

• Standard of Care as to cyber liability generally can be categorized into regulations dealing with:

− Duty to warn

− Duty to protect

Duty to Warn

• SEC Guidance

• Data Breach Laws and Regulatory Requirements

Duty to Warn: SEC Guidance

SEC Guidance: Disclosure

• Cybersecurity risks and cyber incidents are required to be disclosed when:

− Necessary in order to make other required disclosures not misleading.

− They are such that a reasonable investor would consider them important to an investment decision.

• No existing specific disclosure requirement.

• Registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

Duty to Warn: SEC Guidance

SEC Guidance: Disclosure

• Places reporting companies may need to include disclosure:

− Risk Factors

− MD&A

− Description of the Business

− Legal Proceedings

− Financial Statement Disclosures

− Disclosure Controls and Procedures

Duty to Warn: SEC Guidance

SEC Guidance: Disclosure

• Is a Form 8-K required after a breach? No (not yet)

• Some companies have elected to file under item 8.01 (Other Information)

• Some companies have taken the position that they notify the public of a breach in other ways and an 8-K is unnecessary.

− Pros: Eliminate any potential insider trading, don’t raise flags with the SEC, disclosure can be copied from breach notices

− Cons: Imperfect information

Duty to Warn: Target Breach

SEC Disclosure

− Filed an 8-K in late February in connection with its earnings release

• Updated risk factors that could affect forward-looking statements in the release (including cybersecurity risks)

• Total of 18 risk factors, 5 relating to the incident

− Filed 10-K on March 14.

• Disclosures re breach included in: Risk Factors, Legal Proceedings, MD&A (executive summary subpart) and Financial Statement footnotes (commitments and contingencies)

• Target recorded $61 million in breach-related expenses, with insurance covering $44 million for net expenses of $17 million

• Did not estimate losses resulting from litigation, enforcement and related fines

Duty to Warn: Target Breach

Target 8-K: Risk Factors

− Our continued success is substantially dependent on positive perceptions of Target which, if eroded, could adversely affect our business and our relationships with our guests and team members.

− The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.

Duty to Warn: Target Breach

Target 8-K: Risk Factors

− Our failure to comply with federal, state, local and international laws, or changes in these laws could increase our costs, reduce our margins and lower our sales.

− A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.

Duty to Warn: Target Breach

Target 8-K: Risk Factors

− We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

SEC Cybersecurity Risk Alert

• The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on its cybersecurity initiative on April 15, 2014.

• The OCIE will initially examine 50+ broker-dealers and registered investment advisers re cybersecurity issues, with a focus on the following issues:

− Cybersecurity governance; identification & assessment of cybersecurity risks; protection of networks & information; remote customer access and funds transfers; vendors & third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.

SEC Cybersecurity Risk Alert

• OCIE included a sample questionnaire that closely tracked the NIST Framework released in February.

• Focus on written policies:

− Information security policy

− Business continuity plan

− Guidance for employees re security risks/responsibilities

− Data destruction policy

− Cybersecurity incident response policy

− Vendor and business partner security policy.


Duty to Warn: Data Breach Law and Regulatory Requirements

• State Privacy Laws

− 47 states have data breach notification legislation

• Identity theft legislation to protect personal information including social security numbers, bank account information, credit card information

− Federal privacy legislation generally does not control/preempt state laws.

Duty to Warn: Data Breach Law and Regulatory Requirements

− Federal Agencies impose specific requirements on content and timeframe of Data Breach notification:

• Office of the Comptroller of the Currency (OCC)

• Federal Deposit Insurance Corporation (FDIC)

• Department of Health and Human Services (HHS)

• Federal Trade Commission (FTC)


Duty to Protect

• Company safeguards for consumer data

• Third party scrutiny

Duty to Protect

Federal and State Laws

− FTC Regulations

− SEC FINRA

− NIST Security/Privacy Framework

− Gramm-Leach-Bliley Act

− HIPAA / HITECH

− COPPA

− FCRA

− FACTA

− State data security laws that impose obligations to secure and dispose of data. Laws are often broader than federal laws (see, e.g., CA, MA, NV)


FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)

• Congress has been unable to pass a Federal Privacy Bill

• FTC Report is a blueprint for self-regulatory best practices.

• (1) “Privacy by Design”:

− Promote privacy throughout the organization and at every stage of development of products and services

− Delete consumer data no longer needed and allow consumers to do the same

− Provide reasonable security for data

− Limit collection of data (consistent with context of particular transaction)

− Implement reasonable data retention and disposal policies

− Maintain reasonable accuracy of data

FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)

• (2) Simplify Consumer Choice:

− Provide consumer choice for any communications not related to original transaction

− “Do Not Track” mechanisms allow consumer to control collection and use of their online data

− Certain choices require consumer to “opt in”

• (3) Improve Transparency to Consumers:

− Clearer and shorter privacy notices

− Provide access to consumer data

− Educate consumers about company’s data privacy practices

FTC Red Flags Rule – 16 C.F.R. 681

• Requires companies to implement Identity Theft Protection programs that identify warning signals to alert a company of the risk of identity theft, to detect and to deal with identity theft when it occurs

• Other regulations exist:

− OCC (12 C.F.R. 41)

− Federal Reserve (12 C.F.R. 222)

− FDIC (12 C.F.R. 334, 336)

− OTS (12 C.F.R. 571)

− NCUA (12 C.F.R. 717)

SEC/FINRA

• Reg S-P

− Privacy Rule - requires “financial institutions” - brokers, advisers, insurance companies, etc. to:

• provide an annual notice of their privacy policies and practices to their customers

• describe the institutions’ policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.

• provide a consumer a reasonable opportunity to direct the institution not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties.


SEC/FINRA

• Reg S-P

− Rule 30 – Safeguard Procedures:

• adopt written policies and procedures for the protection of customer information and records

− Administrative

− Technical

− Physical

• protect against any anticipated threats or hazards to the security or integrity of customer records and information, and against unauthorized access to or use of customer records or information.

NIST Framework

• Provides standards and best practices for organizations to:

− Describe their current cybersecurity posture;

− Describe their target state for cybersecurity;

− Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;

− Assess progress toward the target state;

− Communicate among internal and external stakeholders about cybersecurity risk.


NIST Framework: Core

• Identify

− Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities

• Protect

− Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

• Detect

− Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.


NIST Framework: Core

• Respond

− Develop and implement the appropriate activities to take action regarding a detected cybersecurity event and contain its impact.

• Recover

− Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event


Scrutiny of Third Party Relationships

• Liability the same as if company performed activity

• Risk Management Process

− Risk assessment

− Due diligence in third party selection

− Contract structuring

− Oversight/audit


Target Breach

Scrutiny of Third Party Relationships

• Contract Structuring

− Compliance with all laws/regulations

− Access to records by company and its regulators

− Prohibition on subcontracting

− Performance standards/SLAs

− Monitoring/audits


Scrutiny of Third Party Relationships

• Contract Structuring (cont.)

− Compliance with company’s privacy/security policies

− Business continuity/disaster recovery plans

− Indemnification

− Exclusion of data breach from the limitation of liability

− Insurance coverage



Class Actions and Derivative Suits

• Courts have been skeptical about data breach claims.

− A body of case law exists dismissing claims for lack of standing where there are no actual damages – fear of identity theft or purchasing credit monitoring is not enough. See Clapper v. Amnesty International, Inc., 133 S.Ct. 1138 (2013); In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, No. 12-347 (D.C. May 9, 2014).

− Typical claims include: negligence, breach of fiduciary duty, UDTPA violations, invasion of privacy, unfair competition, violation of state data notification laws.

Class Actions and Derivative Suits

More and more class actions are being filed as the Plaintiffs’ bar gets more creative:

• alleging violations of statutes that provide statutory damages

• asserting unjust enrichment claims alleging customers paid monies with the understanding their data would be protected, and therefore defendant was unjustly enriched by the acceptance of payment without providing adequate data protection

• alleging an implied contract arising from a company’s privacy policy that contains language that the company complies with state and federal laws

• alleging product liability claims related to defective security (CAN-Bus system litigation)

Class Actions and Derivative Suits

In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. 2014)

• Putative class action based on a data breach.

• Plaintiffs’ allegations that their personal information was collected by defendant and then wrongfully disclosed as a result of the intrusion was sufficient to establish Article III standing at the motion to dismiss stage.

• Plaintiffs claim economic injury in form of (1) loss of the unencumbered use of their passwords; (2) their passwords were obtained by a third party without their consent; (3) they were unable to access Sony Online Services during the time the play station was temporarily disabled; (4) certain applications and products that can only be accessed via the network were rendered worthless during the brief interruption in play station service; and (5) their Consoles diminished in value as a result of Sony's failure to secure the network and/or the extended time during which the network was disabled.

• Consumer protection law statutes allowed to survive motion to dismiss.

• Case settled for $17.75 million, including $2.75 million in attorneys’ fees.

Class Actions and Derivative Suits

Target Class Actions

• Consumers asserting claims for negligence, breach of fiduciary duty, and violations of consumer protection laws

• Banks and Credit Unions seeking damages for, among other things, cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards

• April 2, 2014, transfer order by Judicial Panel on Multi-District Litigation entered transferring all class actions to District of Minnesota and assigned to District Judge Paul A. Magnuson.

• The U.S. Department of Justice and State Attorneys General, led by Illinois and Connecticut, are investigating the matter.

• Consumer case settled for $10 million

• Banks and Credit Unions’ case survives motion to dismiss

Class Actions and Derivative Suits

STOCK DROP CLASS ACTIONS

• In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)

− December 2007: a cyber attack on Heartland's computer system infects the entire payment processing system.

− Loss of personal information on 130 million credit and debit card owners.

− Heartland did not discover this breach until early 2009.

− Heartland's stock falls by a total of 80%, resulting in a suit by shareholders who purchased stock in 2008.


− Investors allege fraud on the basis that Heartland misrepresented the state of its computer network security.

− The claims are based on Heartland's public statements that it was committed to maintaining high levels of data security, made after Heartland discovered the breach but before the breach was disclosed to the public.


− On the motion to dismiss, the Court finds that the security breach alone did not demonstrate that the company failed to “place significant emphasis on maintaining a high level of security.”

− Plaintiffs could not allege Heartland knew or had reason to suspect that its security systems were so deficient that it was false to say that Heartland “place[s] significant emphasis on maintaining a high level of security.”

− “[A]fter-the-fact speculation by a handful of lower-level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.”


SHAREHOLDER DERIVATIVE SUITS

• Palkon v. Wyndham Worldwide, et al., 2:14-cv-01234 (D.N.J. May 2, 2014)

− Derivative suit against officers and directors of Wyndham related to three data breaches between April 2008 and January 2010.

− 619,000 consumer payment card account numbers are compromised.

− Suit alleges that officers and directors failed to ensure that Wyndham and its subsidiaries implemented adequate information security policies and procedures, used an out-of-date network and then failed to timely disclose breaches in Company filings.

− Asserts claims for breach of fiduciary duty (loyalty and care), corporate waste and unjust enrichment and seeks to recover damages suffered by company, remedial action with respect to corporate governance and internal procedures and disgorgement of profits and compensation.

− Motion to dismiss is granted: the Board adequately addressed the shareholder demand, and its refusal to pursue the claims was protected by the business judgment rule.


− Board considerations:

• hold meetings to discuss data security, resources and plan

• engage technology consultants to assess data security

• have board committee tasked with data security

• discussion at board level about breaches or attacks and remediation

• expertise on board

• engagement of outside counsel to advise on legal consequences


• Kulla v. Target Corp., et al., 0:14-cv-00203 (D.Minn. Jan. 21, 2014)

• Collier v. Target Corp. et al., 0:14-cv-00266 (D.Minn. Jan. 29, 2014)

− Derivative suits against the officers and directors of Target arising from the largest data breach in history.

− Millions of consumer payment card account numbers are compromised.

− Suit alleges that the officers and directors were aware of the importance of securing customer information and of the risks a data breach could present, yet failed to take reasonable steps to safeguard its customers’ personal financial information and failed to implement internal controls to detect and prevent a breach. The complaint also contends that the defendants failed to take proper steps to respond.

− Asserts claims for breach of fiduciary duty (loyalty and care), aiding and abetting, corporate waste and unjust enrichment, and seeks to recover damages suffered by the company, remedial action with respect to corporate governance and internal procedures, and disgorgement of profits and compensation.


Common Themes:

• Duty to warn

• Duty to protect

− A sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists — will establish the lack of good faith. In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).


Potential Defenses:

• Lack of standing – no damage

• Failure to plead requirements of derivative suit

• Business judgment rule

• Director exculpation clause

• No misrepresentations/no concealment

• Company has internal controls which Board oversees and monitors


Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches


TOPICS

• Recent focus on data privacy and security issues

− Analysis of Major Breaches

− Consequences of Breach

• Duties of Directors and Officers

− Duty to Warn

− Duty to Protect

• Class Actions and Derivative Suits

• Insurance

• Practical Considerations

Insurance

Potential Insurance Solutions

• Directors & Officers (D&O) Insurance

• Errors & Omissions (E&O) Insurance

• Network Security/Privacy (“Cyber”) Insurance

What Does a D & O Policy Cover?

• Loss arising from third party “Claims” made (during the policy period) alleging a Wrongful Act in one’s capacity as a Director or Officer of the Organization

− Lack of oversight

− Failure to take action

• “Liability” cover, so policy is not triggered until Claim is made

− No front-end “Breach Response Coverage”

• Generally intended to respond to Claims brought by shareholders/investors

− Derivative Actions (including sub-limit for Derivative Demand Investigations)

− Direct Claims

• Definition of Claim typically includes Formal Regulatory Proceedings and Formal Investigations (for Insured Persons)

− Entity coverage for public companies limited to Securities Claims

− Informal Investigations of Insured Persons may be available for certain risks

• Potential Exclusions to consider

What Does an E & O Policy Cover?

• Claims brought by 3rd parties (customers) for Wrongful Acts in the rendering or failing to render “Professional Services”

• “Liability” cover, so policy is not triggered until Claim is made

− No front-end “Breach Response Coverage”

• No coverage for Regulatory Claims (unless Regulatory Agency is bringing Claim as a customer)

What Does a Cyber Policy Cover?

Security/Privacy Liability

• First Party – Other Business Costs

− Business interruption

− Data repair/replacement

− Cyber-extortion

− Cyber-terrorism

• First Party – Breach Notice Costs

− Forensic Investigation

− Crisis management/PR

− Notification costs

− Credit monitoring/I.D. Recovery

• Third Party – Civil Lawsuits

− Consumer class action

− Corporate or financial institution suits

− Credit card brands: PCI fines, penalties, and assessments

• Third Party – Regulatory Actions

− State AG investigations

− FTC investigations

− Health & Human Services

− Foreign Privacy Entities

Recent Trends/State of the Market

• Breaches getting more publicized

• Breaches getting larger in scale

• Companies are being held accountable

• Insurance market remains competitive

• Tougher classes (Healthcare, Retail) underwritten more closely

Current “Hot Button” Issues for Insurers

Key Coverage Considerations:

• Data/Confidential Info – Types/How much?/Location

• Encryption (Safe harbor) – At rest, in motion, backup, mobile devices

• POS Systems & Software – Patches/updates/controls

• Use of cloud vendors – Who and what services (payroll, payments, services, etc.)

• Vendor Controls – Due diligence/Contracts/Data shared/Access control

• Network Access – How and who accesses your network remotely?

• Subsidiary acquisitions – Due diligence, conversion process

• Additional risk mitigation controls – What else are you doing?



Practical Steps Companies Must Take

1. Preparation

− self-assessment

− know legal requirements

2. Detection

− monitor compliance

3. Analysis and Prioritization

− which states/countries

− which law enforcement/regulators

4. Investigation and Mitigation

− analyze root cause

− mitigate/remediate loss

5. Notification

− send individual or substitute notice

− engage public relations

− notify insurance carrier(s)

6. Post-incident activity

− incorporate lessons learned



Practical Steps: Preparation

• Self-Assessment:

− Analyze cyber risks throughout collection, transmission, use, storage, destruction

− Assess security infrastructure, connectivity, cloud for malware/misuse

− Audit third parties and applications

− Develop incident response programs

− Obtain consent for collection of personally identifiable information



Practical Steps: Preparation

• Establish written policies and procedures to regulate compliance

− Institute a privacy policy (data collection, sharing and retention/destruction)

− Adopt a BYOD policy and appropriate safeguards

− Institute a business continuity plan

• Put a cybersecurity insurance policy in place or review/upgrade current policy



Practical Steps: Detection

• Set up intrusion detection/firewalls and contract for technology to assist with detecting and managing risk

• Establish a process for reporting suspicious activity

• Assess and mitigate transactional risk

− Inheriting risks from a target in an acquisition; include appropriate counsel in diligence review

− Agreements with vendors/suppliers should include provisions safeguarding systems and data and appropriate SLAs

− Agreements with customers/clients should address risks, allocate responsibility (for agreements with other businesses) and establish a venue for claims



Practical Steps: Analysis and Prioritization

• Identify all applicable laws and regulatory requirements

• Establish appropriate law enforcement contacts and relationships with the regulators

• Evaluate the current compliance structure

− Attorney-Client privilege protection for gap analysis

− Set up a system regulating access to data, or amend, expand or streamline the existing system as needed.



Practical Steps: Investigation and Mitigation

• Undertake Fact-Finding Protected by Attorney-Client Privilege

• Work with Forensics Consultants/FGIS to Contain Breach

• Document Each Step of the Investigation and Its Findings

• Technical Mitigation to Correct Cause of Breach

• Legal Mitigation to Update Policies/Procedures

• Address Personnel Issues—Educate Employees



Practical Steps: Notification

• Internal Notification

− Notify the Breach Incident Response Team

− Provide Employee Awareness

• External Notification

− Consumers whose data has been breached

− Law enforcement

− Attorneys general

− Consumer agencies

− Regulators

− Investors

− Data protection authorities

− Insurance



Practical Steps: Post Incident Activity

• Review and determine the adequacy of:

− Incident response team model

− Policies/procedures

− Response tools and resources

− Training of employees

− Integrity of third parties

− Documentation and reports



Questions & Answers
