Presenting a live 90-minute webinar with interactive Q&A
Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches
Reducing D&O Risk With Internal Controls, Insurance, and Indemnification; Defending Derivative Lawsuits
TUESDAY, JUNE 23, 2015
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Sharon R. Klein, Partner, Pepper Hamilton, Irvine, Calif.
Larry Racioppo, Senior Vice President, USI Insurance Services, Westport, Conn.
Angelo A. Stio, III, Partner, Pepper Hamilton, Princeton, N.J.
Mitigating D&O Liability Exposure For Data Privacy And Cybersecurity Breaches
Speakers
Sharon R. Klein (Pepper Hamilton, Irvine) – 949.567.3506
Angelo A. Stio III (Pepper Hamilton, Princeton) – 609.951.4125
Larry Racioppo (USI Insurance Services, Westport) – 203.291.2015
Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches
TOPICS
• Recent focus on data privacy and security issues
− Analysis of Major Breaches
− Consequences of Breach
• Duties of Directors and Officers
− Duty to Warn
− Duty to Protect
• Class Actions and Derivative Suits
• Insurance
• Practical Considerations
Recent Focus on Data Privacy and Security Issues
Chair Mary Jo White - SEC Cybersecurity Roundtable – March 2014
− “This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”
SEC Commissioner Luis Aguilar – Cyber Risks and the Boardroom Conference – June 2014
− 42% increase between 2011 and 2012 in the number of successful cyber-attacks per week.
− “[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Major Drivers to a Higher Cost of Data Breach in 2015
• Cyber attacks have increased in frequency
• The consequences of lost business are having a greater impact on the cost of a data breach
• Data breach costs associated with detection, escalation and remediation have increased
2014 / 2015 Witnessed Major Breaches
• Target
• Home Depot
• Anthem
• Premera
• Sony
• J P Morgan Chase & Company
Factors that Increase Cost
• Third Parties
• Rush to Notify
• Lost or Stolen Devices
Factors that Decrease Cost
• Incident Response Team
• Encryption
• Employee Training
• Appointing Chief Information Security Officer
• Board Involvement
• Insurance
Data Breach Consequences
• Harm to individual
• Costs of notice and remediation
• Regulatory action
• Fines and penalties
• Potential lawsuits
• Loss of business, resources and employee time
• Damage to brand and reputation
• Disruption
Duties of Directors and Officers
• Directors are responsible for oversight of Company affairs under their fiduciary duties of loyalty and due care
• Cyber liability arising from disclosure of personally identifiable information and trade secrets is a known material risk
• The standard of care as to cyber liability generally can be categorized into regulations dealing with:
− Duty to warn
− Duty to protect
Duty to Warn
• SEC Guidance
• Data Breach Laws and Regulatory Requirements
Duty to Warn: SEC Guidance
SEC Guidance: Disclosure (Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, October 2011)
• Cybersecurity risks and cyber incidents must be disclosed when:
− necessary in order to make other required disclosures not misleading; or
− a reasonable investor would consider them important to an investment decision.
• There is no existing disclosure requirement that specifically addresses cybersecurity; the obligation flows from the existing disclosure rules.
• Registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
• Places reporting companies may need to include disclosure:
− Risk Factors
− MD&A
− Description of the Business
− Legal Proceedings
− Financial Statement Disclosures
− Disclosure Controls and Procedures
• Is a Form 8-K required after a breach? No (not yet)
• Some companies have elected to file under item 8.01 (Other Information)
• Some companies have taken the position that they notify the public of a breach in other ways and an 8-K is unnecessary.
− Pros: Eliminate any potential insider trading, don’t raise flags with the SEC, disclosure can be copied from breach notices
− Cons: Imperfect information
Duty to Warn: Target Breach
SEC Disclosure
− Filed an 8-K in late February 2014 in connection with its earnings release
• Updated risk factors that could affect forward-looking statements in the release (including cybersecurity risks)
• Total of 18 risk factors, 5 relating to the incident
− Filed its 10-K on March 14, 2014
• Disclosures re the breach included in: Risk Factors, Legal Proceedings, MD&A (executive summary subpart) and Financial Statement footnotes (commitments and contingencies)
• Target recorded $61 million in breach-related expenses, with insurance covering $44 million, for net expenses of $17 million
• Did not estimate losses resulting from litigation, enforcement and related fines
Duty to Warn: Target Breach
Target 8-K: Risk Factors
− Our continued success is substantially dependent on positive perceptions of Target which, if eroded, could adversely affect our business and our relationships with our guests and team members.
− The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
− Our failure to comply with federal, state, local and international laws, or changes in these laws could increase our costs, reduce our margins and lower our sales.
− A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
− We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.
SEC Cybersecurity Risk Alert
• The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on its cybersecurity initiative on April 15, 2014.
• OCIE will initially examine 50+ broker-dealers and registered investment advisers re cybersecurity issues, with a focus on the following:
− Cybersecurity governance; identification & assessment of cybersecurity risks; protection of networks & information; remote customer access and funds transfers; vendors & third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.
• OCIE included a sample questionnaire that closely tracked the NIST Cybersecurity Framework released in February 2014.
• Focus on written policies:
− Information security policy
− Business continuity plan
− Guidance for employees re security risks/responsibilities
− Data destruction policy
− Cybersecurity incident response policy
− Vendor and business partner security policy
Duty to Warn: Data Breach Law and Regulatory Requirements
• State Privacy Laws
− 47 states have data breach notification legislation
− Identity theft legislation protects personal information including Social Security numbers, bank account information and credit card information
− Federal privacy legislation generally does not control/preempt state laws
• Federal agencies impose specific requirements on the content and timeframe of data breach notification:
− Office of the Comptroller of the Currency (OCC)
− Federal Deposit Insurance Corporation (FDIC)
− Department of Health and Human Services (HHS)
− Federal Trade Commission (FTC)
Duty to Protect
• Company safeguards for consumer data
• Third party scrutiny
Duty to Protect: Federal and State Laws
− FTC regulations
− SEC / FINRA
− NIST Cybersecurity Framework (a voluntary framework rather than a law, but used by regulators such as OCIE as the benchmark for reasonable security)
− Gramm-Leach-Bliley Act
− HIPAA / HITECH
− COPPA
− FCRA
− FACTA
− State data security laws that impose obligations to secure and dispose of data. These laws are often broader than federal laws (see, e.g., CA, MA, NV)
FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March 2012)
• Congress has been unable to pass a federal privacy bill
• The FTC Report is a blueprint for self-regulatory best practices.
• (1) “Privacy by Design”:
− Promote privacy throughout the organization and at every stage of development of products and services
− Delete consumer data no longer needed and allow consumers to do the same
− Provide reasonable security for data
− Limit collection of data (consistent with the context of the particular transaction)
− Implement reasonable data retention and disposal policies
− Maintain reasonable accuracy of data
• (2) Simplify Consumer Choice:
− Provide consumer choice for any communications not related to the original transaction
− “Do Not Track” mechanisms allow consumers to control collection and use of their online data
− Certain choices require the consumer to “opt in”
• (3) Improve Transparency to Consumers:
− Clearer and shorter privacy notices
− Provide access to consumer data
− Educate consumers about the company’s data privacy practices
FTC Red Flags Rule – 16 C.F.R. Part 681
• Requires covered companies to implement Identity Theft Prevention Programs that identify warning signs (“red flags”) alerting the company to the risk of identity theft, and to detect and respond to identity theft when it occurs
• Parallel regulations exist for institutions supervised by other regulators:
− OCC (12 C.F.R. Part 41)
− Federal Reserve (12 C.F.R. Part 222)
− FDIC (12 C.F.R. Parts 334, 336)
− OTS (12 C.F.R. Part 571; the OTS’s functions were transferred to the OCC in 2011)
− NCUA (12 C.F.R. Part 717)
SEC/FINRA
• Reg S-P
− Privacy Rule - requires “financial institutions” (brokers, advisers, insurance companies, etc.) to:
• provide an annual notice of their privacy policies and practices to their customers
• describe the institution’s policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties
• provide a consumer a reasonable opportunity to direct the institution not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties
− Rule 30 (17 C.F.R. 248.30) – Safeguards Rule:
• adopt written policies and procedures for the protection of customer information and records that address administrative, technical and physical safeguards
• protect against any anticipated threats or hazards to the security or integrity of customer records and information, and against unauthorized access to or use of customer records or information
NIST Framework
• Provides standards and best practices for organizations to:
− Describe their current cybersecurity posture;
− Describe their target state for cybersecurity;
− Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
− Assess progress toward the target state;
− Communicate among internal and external stakeholders about cybersecurity risk.
NIST Framework: Core
• Identify
− Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect
− Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect
− Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.
• Respond
− Develop and implement the appropriate activities to take action regarding a detected cybersecurity event and contain its impact.
• Recover
− Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Scrutiny of Third Party Relationships
• Liability is the same as if the company had performed the activity itself
• Risk Management Process
− Risk assessment
− Due diligence in third party selection
− Contract structuring
− Oversight/audit
Target Breach [slide graphic not reproduced]
• Contract Structuring
− Compliance with all laws/regulations
− Access to records by the company and its regulators
− Prohibition on subcontracting
− Performance standards/SLAs
− Monitoring/audits
− Compliance with the company’s privacy/security policies
− Business continuity/disaster recovery plans
− Indemnification
− Exclusion of data breach from the limitation of liability
− Insurance coverage
Class Actions and Derivative Suits
• Courts have been skeptical about data breach claims.
− A body of case law exists dismissing claims for lack of standing where there are no actual damages; fear of identity theft or the purchase of credit monitoring is not enough. See Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013); In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, No. 12-347 (D.D.C. May 9, 2014).
− Typical claims include: negligence, breach of fiduciary duty, unfair and deceptive trade practices act (UDTPA) violations, invasion of privacy, unfair competition, violation of state data breach notification laws.
• More and more class actions are being filed as the Plaintiffs’ bar gets more creative:
− alleging violations of statutes that provide statutory damages
− asserting unjust enrichment claims alleging customers paid monies with the understanding their data would be protected, and therefore the defendant was unjustly enriched by accepting payment without providing adequate data protection
− alleging an implied contract arising from a company’s privacy policy that contains language that the company complies with state and federal laws
− alleging product liability claims related to defective security (vehicle CAN bus litigation)
• In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. 2014)
− Putative class action based on a data breach.
− Plaintiffs’ allegations that their personal information was collected by the defendant and then wrongfully disclosed as a result of the intrusion were sufficient to establish Article III standing at the motion to dismiss stage.
− Plaintiffs claimed economic injury in the form of (1) loss of the unencumbered use of their passwords; (2) their passwords were obtained by a third party without their consent; (3) they were unable to access Sony Online Services during the time the PlayStation Network was temporarily disabled; (4) certain applications and products that can only be accessed via the network were rendered worthless during the brief interruption in PlayStation Network service; and (5) their consoles diminished in value as a result of Sony’s failure to secure the network and/or the extended time during which the network was disabled.
− Consumer protection statute claims survived the motion to dismiss.
− Case settled for $17.75 million, including $2.75 million in attorneys’ fees.
Target Class Actions
• Consumers asserted claims for negligence, breach of fiduciary duty, and violations of consumer protection laws
• Banks and credit unions sought damages for, among other things, the cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards
• On April 2, 2014, the Judicial Panel on Multidistrict Litigation entered a transfer order transferring all class actions to the District of Minnesota, assigned to District Judge Paul A. Magnuson.
• The U.S. Department of Justice and State Attorneys General, led by Illinois and Connecticut, are investigating the matter.
• Consumer case settled for $10 million
• Banks’ and credit unions’ case survived the motion to dismiss
STOCK DROP CLASS ACTIONS
• In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
− In December 2007 a cyber attack on Heartland’s computer system infected the entire payment processing system.
− Personal information on 130 million credit and debit card holders was lost.
− Heartland did not discover the breach until early 2009.
− Heartland’s stock fell by a total of 80%, resulting in a suit by shareholders who purchased stock in 2008.
− Investors alleged fraud on the basis that Heartland misrepresented the state of its computer network security.
− The claims were based on Heartland publicly stating that it was committed to maintaining high levels of data security after Heartland discovered the breach but before the breach was disclosed to the public.
− On the motion to dismiss, the Court found that the security breach alone did not demonstrate that the company failed to “place significant emphasis on maintaining a high level of security.”
− Plaintiffs could not allege that Heartland knew or had reason to suspect that its security systems were so deficient that it was false to say that Heartland “place[s] significant emphasis on maintaining a high level of security.”
− “[A]fter-the-fact speculation by a handful of lower-level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.”
SHAREHOLDER DERIVATIVE SUITS
• Palkon v. Wyndham Worldwide, et al., No. 2:14-cv-01234 (D.N.J., filed May 2, 2014; dismissed Oct. 20, 2014)
− Derivative suit against officers and directors of Wyndham related to three data breaches between April 2008 and January 2010.
− 619,000 consumer payment card account numbers were compromised.
− The suit alleges that officers and directors failed to ensure that Wyndham and its subsidiaries implemented adequate information security policies and procedures, used an out-of-date network, and then failed to timely disclose the breaches in Company filings.
− Asserts claims for breach of fiduciary duty (loyalty and care), corporate waste and unjust enrichment, and seeks to recover damages suffered by the company, remedial action with respect to corporate governance and internal procedures, and disgorgement of profits and compensation.
− Motion to dismiss granted: the Board adequately addressed the shareholder demand, and its refusal to pursue the claims was protected by the business judgment rule.
− Board conduct the court considered:
• held meetings to discuss data security, resources and plan
• engaged technology consultants to assess data security
• had a board committee tasked with data security
• discussed the breaches or attacks and remediation at board level
• expertise on the board
• engaged outside counsel to advise on legal consequences
SHAREHOLDER DERIVATIVE SUITS (cont’d)
• Kulla v. Target Corp., et al., No. 0:14-cv-00203 (D. Minn. Jan. 21, 2014)
• Collier v. Target Corp., et al., No. 0:14-cv-00266 (D. Minn. Jan. 29, 2014)
− Derivative suits against officers and directors of Target arising from one of the largest retail data breaches to date.
− Millions of consumer payment card account numbers were compromised.
− The suits allege that officers and directors were aware of the importance of the security of customer information and the risks a data breach could present, yet failed to take reasonable steps to protect customers’ personal financial information and failed to implement internal controls to detect and prevent a breach. The complaints also contend that defendants failed to take proper steps to respond.
− Claims for breach of fiduciary duty (loyalty and care), aiding and abetting, corporate waste and unjust enrichment; seek to recover damages suffered by the company, remedial action with respect to corporate governance and internal procedures, and disgorgement of profits and compensation.
SHAREHOLDER DERIVATIVE SUITS: Common Themes
• Duty to warn
• Duty to protect
− A sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists — will establish the lack of good faith. In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
SHAREHOLDER DERIVATIVE SUITS: Potential Defenses
• Lack of standing – no damage
• Failure to plead the requirements of a derivative suit
• Business judgment rule
• Director exculpation clause
• No misrepresentations / no concealment
• Company has internal controls which the Board oversees and monitors
Potential Insurance Solutions
• Directors & Officers (D&O) Insurance
• Errors & Omissions (E&O) Insurance
• Network Security/Privacy (“Cyber”) Insurance
What Does a D&O Policy Cover?
• Loss arising from third party “Claims” made (during the policy period) alleging a Wrongful Act in one’s capacity as a Director or Officer of the Organization
− Lack of oversight
− Failure to take action
• “Liability” cover, so the policy is not triggered until a Claim is made
• No front-end “Breach Response Coverage”
• Generally intended to respond to Claims brought by shareholders/investors
− Derivative Actions (including a sub-limit for Derivative Demand Investigations)
− Direct Claims
• Definition of Claim typically includes Formal Regulatory Proceedings and Formal Investigations (for Insured Persons)
• Entity coverage for public companies is limited to Securities Claims
• Informal Investigations of Insured Persons may be available for certain risks
• Potential Exclusions to consider
What Does an E&O Policy Cover?
• Claims brought by 3rd parties (customers) for Wrongful Acts in the rendering or failing to render “Professional Services”
• “Liability” cover, so the policy is not triggered until a Claim is made
• No front-end “Breach Response Coverage”
• No coverage for Regulatory Claims (unless the Regulatory Agency is bringing the Claim as a customer)
What Does a Cyber Policy Cover?
• First Party – Breach Notice Costs
− Forensic investigation
− Crisis management/PR
− Notification costs
− Credit monitoring/ID recovery
• First Party – Other Business Costs
− Business interruption
− Data repair/replacement
− Cyber-extortion
− Cyber-terrorism
• Third Party – Civil Lawsuits (Security/Privacy Liability)
− Consumer class action
− Corporate or financial institution suits
− Credit card brands: PCI fines, penalties, and assessments
• Third Party – Regulatory Actions
− State AG investigations
− FTC investigations
− Health & Human Services
− Foreign privacy entities
Recent Trends/State of the Market
• Breaches getting more publicized
• Breaches getting larger in scale
• Companies are being held accountable
• Insurance market remains competitive
• Tougher classes (Healthcare, Retail) underwritten more closely
Current “Hot Button” Issues for Insurers: Key Coverage Considerations
• Data/Confidential Info – types, how much, location
• Encryption – at rest, in motion, backup, mobile devices (encryption of the compromised data is a safe harbor from notification under most state breach laws, so underwriters ask where it is and is not applied)
• POS Systems & Software – patches/updates/controls
• Use of cloud vendors – who and what services (payroll, payments, services, etc.)
• Vendor Controls – due diligence/contracts/data shared/access control
• Network Access – how and by whom is your network accessed remotely?
• Subsidiary acquisitions – due diligence, conversion process
• Additional risk mitigation controls – what else are you doing?
Practical Steps Companies Must Take
(Incident lifecycle: preparation, detection, analysis and prioritization, investigation and mitigation, notification, post-incident activity)
1. Preparation: self-assessment; know legal requirements
2. Detection: monitor compliance
3. Analysis and Prioritization: which states/countries; which law enforcement/regulators
4. Investigation and Mitigation: analyze root cause; mitigate/remediate loss
5. Notification: send individual or substitute notice; engage public relations; notify insurance carrier(s)
6. Post-incident activity: incorporate lessons learned
Practical Steps: Preparation
• Set up an inter-disciplinary team
− IT
− Physical security
− Human resources
− Enterprise Risk
− Compliance
− Communications
− Legal
• Self Assessment:
− Analyze cyber risks throughout collection, transmission, use, storage, destruction
− Assess security infrastructure, connectivity, cloud for malware/misuse
− Audit third parties and applications
− Develop incident response programs
− Obtain consent for collection of personally identifiable information
• Establish written policies and procedures to regulate compliance
− Institute a privacy policy (data collection, sharing and retention/destruction)
− Adopt a BYOD policy and appropriate safeguards
− Institute a business continuity plan
• Put a cybersecurity insurance policy in place or review/upgrade the current policy
Practical Steps: Detection
• Set up intrusion detection/firewalls and contract for technology to assist with detecting and managing risk
• Establish a process for reporting suspicious activity
• Assess and mitigate transactional risk
− Inheriting risks from a target in an acquisition; include appropriate counsel in diligence review
− Agreements with vendors/suppliers should include provisions safeguarding systems and data and appropriate SLAs
− Agreements with customers/client should address risks, allocate responsibility (for agreements with other businesses) and establish a venue for claims
Practical Steps: Analysis and Prioritization
• Identify all applicable laws and regulatory requirements
• Establish appropriate law enforcement contacts and relationships with the regulators
• Evaluate the current compliance structure
− Attorney-Client privilege protection for gap analysis
− Set up a system regulating the access to data OR
− Amend, expand or streamline existing system as needed.
Practical Steps: Investigation and Mitigation
• Undertake Fact-Finding Protected by Attorney-Client Privilege
• Work with Forensics Consultants/FGIS to Contain Breach
• Document Each Step of the Investigation Findings
• Technical Mitigation to Correct Cause of Breach
• Legal Mitigation to Update Policies/Procedures
• Address Personnel Issues—Educate Employees
Practical Steps: Notification
• Internal Notification
− Notify the Breach Incident Response Team
− Provide employee awareness
• External Notification
− Consumers whose data has been breached
− Law enforcement
− Attorneys general
− Consumer agencies
− Regulators
− Investors
− Data protection authorities
− Insurance carrier(s)
Practical Steps: Post Incident Activity
• Review and determine the adequacy of:
− Incident response team model
− Policies/procedures
− Response tools and resources
− Training of employees
− Integrity of third parties
− Documentation and reports
Questions & Answers