Handling Data Breaches When – Not If – They Happen
Panelists:
• Jason Anderman, VP and Sr. Counsel, American Express
• Thomas Rohback, Partner, Axinn, Veltrop & Harkrider, LLP
• Sarah Statz, Info. Sec. Counsel, American Express
• Isvara Wilson, SVP & Gen. Counsel, AgFirst Farm Credit Bank
The Threat: 2015 Data
The number of cyber criminal attacks against businesses doubled in 2015.
• 58% of corporate PCs faced an attempted malware infection.
• 41% of corporate PCs faced at least one local threat.
• 29% of corporate PCs faced an internet-based attack.
Causes of a Breach: (chart not reproduced in the extracted text)
Jason Mark Anderman April 11, 2006 Bank Regulatory Third Party Management in the Information Security Arena
The Legal Driver Assessing 3rd party risk is vital for financial institutions to meet guidance issued by the OCC (Bulletin 2013-29), FRB (SR 13-19), FDIC (FIL-44-2008) and CFPB (Bulletin 2012-03), comply with the GLBA Safeguards Rule, follow FFIEC InfoBase and the NIST Cybersecurity Framework, and meet other requirements in enhancing safety and soundness.
FFIEC
• The FFIEC promotes uniformity in financial institution supervision.
• The Federal Financial Institutions Examination Council includes five banking regulators: the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The State Liaison Committee (SLC), which joined in 2006, includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).
• Established March 10, 1979, under Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA). Regulations are in Title 12 of the Code of Federal Regulations.
FFIEC InfoBase
• FFIEC IT Examination Handbook InfoBase (http://ithandbook.ffiec.gov)
• Covers key issues, many of them relevant to 3rd party management:
  • Audit
  • Business Continuity Planning
  • Development and Acquisition
  • E-Banking
  • Information Security
  • Management
  • Operations
  • Outsourcing Technology Services
  • Retail Payment Systems
  • Supervision of Technology Service Providers (TSP)
  • Wholesale Payment Systems
GLBA Interagency Guidance (GLBA IAG)
• Overall Security Guidelines + 3rd Party Data Security Contract Clauses: Interagency Guidelines Establishing Information Security Standards. Covers administrative, physical and technical safeguards, as elaborated in the FFIEC InfoBase.
• Breach Notice Standard – GLBA IAG: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Issued under GLBA 501(b) and the Security Guidelines. Requires a response program to:
  (1) Assess the nature and scope of an incident, and identify the customer information systems and the types of information accessed or misused.
  (2) Notify the primary Federal regulator when aware of unauthorized access to or use of sensitive customer information.
  (3) Notify law enforcement in situations involving Federal criminal violations requiring immediate attention.
  (4) Take appropriate steps to contain and control the incident to prevent further unauthorized access or misuse, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
  (5) Notify customers when warranted.
• Standard for Providing Notice: When aware of an incident of unauthorized access to sensitive customer information, conduct a reasonable investigation to promptly determine the likelihood of misuse. If misuse has occurred or is reasonably possible, notify the affected customer as soon as possible.
• GLBA IAG is focused on consumers. It does not apply to business accounts. It applies to nonpublic personal information about a consumer who obtains a financial product or service from a financial institution primarily for personal, family or household purposes and who has a continuing relationship with the institution.
• Sensitive Customer Information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number. (pages 61-63)
4 Key Guidance Documents
• FRB SR 13-19 Guidance on Managing Outsourcing Risk (Federal Reserve Bank (FRB))
• OCC Bulletin 2013-29 Risk Management Guidance (Office of the Comptroller of Currency (OCC))
• FDIC FIL-44-2008 Guidance for Managing Third-Party Risk (Federal Deposit Insurance Corporation (FDIC))
• CFPB Bulletin 2012-03 Service Providers
FRB SR 13-19 Guidance on Managing Outsourcing Risk • Applies to Service Providers/Suppliers
FRB SR 13-19 Guidance on Managing Outsourcing Risk (See Section III – Board of Directors Approval of Policy)
FRB SR 13-19 Guidance on Managing Outsourcing Risk
• Tune to Risk. A 3rd party risk management program should provide oversight and controls commensurate with the level of risk; higher-risk relationships are those that:
  • Have a substantial impact on the financial institution’s financial condition
  • Are critical to the institution’s ongoing operations
  • Involve sensitive customer information or new bank products or services
  • Pose material compliance risk
• Info. Security Example: Your main network provider usually poses critical information security risk by holding or transmitting essential customer, employee, account, clearance and/or settlement data.
• (See Section IV – Service Provider Risk Management Program)
FRB SR 13-19 Guidance on Managing Outsourcing Risk
• Core elements of a supplier risk management program:
  • Risk Assessments: availability of experienced suppliers; ability to provide oversight
  • Due Diligence: business background, reputation and strategy; financial performance and condition; operations and internal controls
  • Contract Considerations: the characteristics of the activity determine the terms
  • Incentive Compensation Review
  • Oversight (less monitoring for lower-risk 3rd parties): escalation triggers for more stringent or frequent monitoring; on-site control reviews; audits; termination planning
  • Service Continuity: focus on critical suppliers
• (See Section IV – Service Provider Risk Management Program)
OCC Bulletin 2013-29 Risk Management Guidance
Applies to All 3rd Parties (Not Just Suppliers) (See p. 18)
OCC Bulletin 2013-29 Risk Management Guidance
Independent Reviews Emphasized: Often, financial institutions adopt a “3 Lines of Defense” approach:
OCC Bulletin 2013-29 Risk Management Guidance
• Due Diligence – calls out certain issues:
  • Information Security, Management of Info. Systems, Resilience, Incident Reporting and Physical Security (compatibility, interoperability, technology, inventories, metrics, segregation of duties, cyber attacks, disaster recovery)
  • Insurance
  • Strategies and Goals (quality, service, efficiency)
  • Legal/Regulatory Compliance
  • HR Management and Subcontractors
  • Fee Structure and Incentives
  • Company Principals
  • Conflicting Contractual Arrangements
OCC Bulletin 2013-29 Risk Management Guidance
• Ongoing Oversight – calls out certain issues:
  • Key Personnel (ability to retain essential knowledge)
  • Adjusting Procedures (in light of new threats)
  • Customer Complaints (volume, nature, and trends, especially compliance or risk management problems, and ability to remediate)
• (See p. 12)
OCC Bulletin 2013-29 Risk Management Guidance
• Bank Name + 3rd Party Products – calls out certain issues:
  • Offering 3rd Party Products As Your Own (reputation risk; quality control and oversight essential)
  • 3rd Party Unregulated (risk increased if the 3rd party relies on the bank’s regulated status to offer services with terms that cannot be offered by the 3rd party directly)
  • Presents Breach Notification Challenges
  • Who Is Responsible? For notifying customers, partners and regulators.
• (See p. 2)
Controversy: Risk Tuning Via NIST Framework vs. FFIEC Tool “Check the Box” Approach
The States (U.S.) 50 State Analysis of Breach Notification Laws
Multi-Factor Authentication
• Guidance: Authentication in an Internet Banking Environment, issued Oct. 12, 2005; FAQ (Aug. 15, 2006; not for credit/debit card retail use, Q.7); Supplement (June 22, 2011)
• Factors:
  • Know: password, PIN, security questions
  • Have: hard token, chip card
  • Are: retina, fingerprint
• Key Concepts:
  • Perform periodic risk assessments
  • Starting points based on assessment output:
    ■ High Risk (Commercial): Multifactor
    ■ High Risk (Consumer): Single Factor + Layered (or Multifactor)
    ■ Non-High Risk: “appropriate and reasonable”
  • Customer awareness & education
• Sources: FFIEC e-Banking Handbook (2003), FFIEC Retail Payment Systems Booklet (2010), CA AG & NY DFS
European Union – Obligations Rising
• Regulators: Data Protection Authorities; Financial Regulators; Data Security Regulators (possibly 85, or possibly 57*)
• New Laws: General Data Protection Regulation + Network & Info. Security (NIS) Directive* + Payment Service Directive 2
• *Brussels is discussing whether the NIS Directive applies to financial firms. If not, then 29 laws (PSD2 as implemented + GDPR) and 57 regulators (Financial + DPAs + GDPR European Data Protection Board)
Many Regulatory Guidelines and Frameworks
• More than 150 different cybersecurity guidances are applicable to the banking and finance sector.
• Deviations can be used to argue that procedures were not “commercially reasonable,” as required by UCC Art. 4A. Patco Const. Co. v. People’s United Bank (1st Cir. 2012)
Some Government Actors Who Might Sue You
• FTC
  • Prosecutes lax cybersecurity as an unfair practice and misrepresentations of cybersecurity as a deceptive practice.
  • Required to show actual or likely harm.
• SEC
  • Prosecutes failures to adopt written policies and procedures reasonably designed to protect customer information, even if no harm occurred and appropriate steps were taken post-breach.
• State Regulators and Attorneys General
  • Most states have their own privacy and data breach notification laws, which vary widely.
  • Willing to prosecute, even when federal regulators do not.
Private Litigation: Common Causes of Action
• Negligence Per Se
• Unjust Enrichment
• Statutory
• Shareholder Actions
• Breach of Contract
• Breach of Implied Contract
• Breach of Implied Covenant of Good Faith and Fair Dealing
• Breach of Warranty
• Breach of Fiduciary Duty
• Invasion of Privacy
• Negligence
Lessons: “Injury in Fact” Disagreements Continue
• Elements of Article III standing: (1) Injury in Fact; (2) Causation; (3) Redressability
• Krottner v. Starbucks Corp. (9th Cir. 2010): “[A]n increased risk of identity theft is a constitutionally sufficient injury . . . [akin to] seeking medical monitoring as a remedy for an increased risk of disease or injury.”
• Reilly v. Ceridian Corp. (3d Cir. 2011): “Allegations of possible future injury are not sufficient.” The increased risk of identity theft is “entirely speculative” and dependent on the “future actions of an unknown third-party.”
• Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015): Allegations that hackers targeted PII are sufficient: “Why else would hackers break into a store’s database and steal consumers’ private information?” “[T]he purpose of the hack is, sooner or later, to make fraudulent charges.”
Lessons: Common Law Defenses
• Increased risk of identity theft may be sufficient for standing, but it is not a compensable injury under state law.
• Loss of privacy claims: the hacker, not the company, reveals the PII.
• No fiduciary relationship. Examples:
  • Ambulance patient and the ambulance’s medical billing company
  • Merchant and customer
• Consumers are not intended beneficiaries of the contract between merchant and payment contractor.
• Contractual terms can limit damages and define the standard of care.
• Economic Loss Doctrine. Exceptions vary. Courts are split on whether employers and employees fall within the “special relationship” exception.
Lessons: Statutory Claim Defenses
• Not within the scope of the statute. Example: Fair Credit Reporting Act (“FCRA”).
  • Only applies to credit reporting agencies.
  • Being hacked does not qualify as furnishing or transmitting PII.
• Are statutory damages sufficient for standing? Robins v. Spokeo, Inc.
• No private right of action.
  • Not all state privacy and data breach notification laws create private rights of action. Examples: Delaware, Oklahoma, and Wisconsin.
  • No private right of action under HIPAA, but some state courts allow HIPAA violations to establish the standard of care for negligence claims. Examples: Connecticut, North Carolina, Missouri, and Tennessee.
Not All Coverage Issues Are Sophisticated
• Recall Total Info. Mgmt. v. Fed. Ins. Co. (Conn. 2015)
• Background Facts: Tapes containing PII fall out of a truck during transport and are picked up by an unknown person. Company settles.
• Policy: Covers losses “caused by . . . publication of material that . . . violates a person’s right to privacy.”
• Result: No coverage because there was no proof that the PII was accessed, much less published. Losing the tapes was not publication.
Basic Insurance Issues
• Travelers v. Fed. Recovery Serv. (D. Utah 2015)
• Background Facts: Fed. Recovery provides data processing and storage. When a customer fails to make certain payments, Fed. Recovery refuses to return its client data.
• Policy: Cyber policy.
• Result: No coverage because the loss resulted from Fed. Recovery’s intentional acts.
Publicly Posting Health Records Online
• Columbia Casualty v. Cottage Health Sys. (C.D. Cal. 2015)
  • Background Facts: Company that safeguards patient PHI makes records available online via a simple internet search.
  • Policy: Cyber policy with an exclusion for “failure to follow minimum required practices.”
  • Result: No coverage because the incident fell within the exclusion for failure to follow minimum required practices.
• Travelers v. Portal Health Care Sol. (E.D. Va. 2014)
  • Background Facts: Company that safeguards patient PHI makes records available online via a simple internet search.
  • Policy: Covers losses from “electronic publication of material” disclosing private information.
  • Result: Coverage.
First Bank of Delaware, Inc. v. Fidelity and Deposit Co. of Maryland (Del. Super. Ct. Oct. 30, 2013)
• Background Facts:
  • Bank’s credit card payment processing contractor is hacked.
  • First Bank is liable for the resulting unauthorized withdrawals and seeks insurance coverage.
• Policy:
  • Electronic Risk Liability Coverage for “any unauthorized use of, or unauthorized access to electronic data or software with a computer system.”
  • Exclusion: Losses based on fraudulent activity.
• Result: Coverage. The event was within the Electronic Risk Liability Coverage’s fraud exclusion, but the fraud exclusion made coverage illusory, so the court disregarded the exclusion.
Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh (6th Cir. Aug. 23, 2012)
• Background Facts: Seeks coverage for a settlement with its credit card processor arising from the DSW hack, including chargebacks, card reissuance, account monitoring, and fines imposed by VISA/MasterCard.
• Policy:
  • Commercial crime policy coverage for losses “resulting directly from . . . the theft of any Insured property by Computer Fraud.”
  • Exclusion: “[A]ny loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.”
• Result: Coverage. “Trade Secrets,” “Confidential Processing Methods” and “other confidential information” cover only the plaintiff’s confidential information regarding how it operates its business, not consumers’ PII.
Hartford Cas. Ins. Co. v. Corcino & Associates (C.D. Cal. Oct. 7, 2013)
• Background Facts: Hospital gave a job applicant patient data and instructed the applicant to perform certain tasks with the data as part of the application for employment. The applicant posts the data to a public online “homework help” website for help converting the data. Patients sue for violations of the constitutional right of privacy, common law privacy, and the California Confidentiality of Medical Information Act (CMIA).
• Policy: Covers losses from “electronic publication of material that violates a person’s right of privacy.”
• Exclusion: Injuries “[a]rising out of the violation of a person’s right to privacy created by any state or federal act. However, this exclusion does not apply to liability for damages that the insured would have in absence of such state or federal act.”
• Result: Coverage for all claims, including the statutory claim, because the CMIA did “not create new privacy rights, but rather codif[ied] existing rights and create[d] effective remedies.”
Litigation Expectations
• Regulators:
  • Increased enforcement actions
  • Increased fines
• Insurance Coverage Litigation:
  • Interpreting scope and exclusions
  • Illusory coverage claims
  • Large-scale interruptions
• Private Plaintiffs:
  • Whistleblower actions
  • Increased securities class actions
  • Increased derivative actions
  • Personal injury actions
Background
• This tabletop exercise consists of realistic scenarios based on historical examples of actual cyber crises.
• This type of incident has resulted in legal and regulatory action, media attention, and financial losses.
• This exercise is designed to emphasize counsel’s role in breach response.
Objectives
• Develop the legal skills to lead and manage an investigation.
• Understand all of the relevant stakeholders required to respond to a breach.
• Learn how to conduct an exercise that could be used to test your company’s breach preparedness.
• Take away ideas for how your company could improve its plan.
Just Before We Begin…
• You work in the legal department for ACME, a small regional bank.
• ACME is in the process of developing an incident response plan and has conducted some tabletop exercises, but does not yet have a formal plan.
• This exercise will take place over the next 3 days, and new facts will be provided each day as the investigation unfolds.
• Each table represents a working group to discuss the scenario and answer polling questions using the ACC mobile app.
Tuesday, April 12, 2016; 11:00 AM
• You receive a call from Special Agent Thomas Frank from the New York FBI Office. The Special Agent informs ACME that an estimated 10,000 ACME usernames and passwords and associated names, SSNs and home addresses have been discovered on the Dark Net. He states that he is unable to provide any additional information but wants ACME to begin an internal investigation.
Tuesday, April 12, 2016; 3:00 PM
• You get a call from your security officer relaying information he received from the U.S. Secret Service:
“Hi, Brian Smith here – I just got a call from a guy I used to work with at USSS. They say they are working on a bigger investigation involving ACME. The task force found some emails with some senior ACME executives about potential mergers and new product launches.”
Tuesday, April 12, 2016; 3:30 PM
• You relay this information to your information security team, and they state that they will start investigating.