Responding to a Data Breach: Issues of Civil and Criminal Liability
Michael R. Sklaire, Greenberg Traurig
April 24, 2010
Hotel Data Breaches
• “Cybercriminals Consider Hotels Easy Target,” USA Today, March 2, 2010
• “Hotel Hackers Attack Westin Bonaventure,” LA Times, March 7, 2010
• “Wyndham Suffers Another Data Breach,” SC Magazine, March 9, 2010
• “Data Breaches Are Heaviest At Hotels,” Wall Street Journal, March 18, 2010
Recent Incidents
• Radisson Hotel & Resorts
  • Disclosed August 2009
  • Breached from November 2008 – May 2009
• Wyndham Hotel and Resorts
  • Disclosed August 2009 (again in March 2010)
  • Breached from March 29 through May 10, 2009
• Westin Bonaventure
  • Disclosed March 2010
  • Breached April 2009 through December 2009
Why Hotels?
• 38% of All Data Breaches Suffered At Hotels
• Twice as Many as in Financial Services Industry
• Average 156 days to discover breach
• Why?
  • That’s where the credit cards are
  • POS system easier to access
  • Employee Internet access
Potential Liability
• Credit Card Companies
  • Merchant Agreement
• Civil Liability
  • Customer Privacy
  • Issuer lawsuit
• State Attorney General Actions
• FTC
• Criminal Liability
Credit Card Companies
• Issue Fines to Merchants for Failure to Follow PCI Protocol
• Contractual Relationship
• Require Forensic Investigation
• Fines start at $50,000
• Visa Guidelines
Civil Liability
• Customer Privacy Issues
• Class Action Lawsuit
  • TJ Maxx
• Breach of Contract
• Gross Negligence
State Attorneys General
• State Privacy Requirements
• California Recommended Practices
  • http://www.privacy.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf
• Massachusetts Minimum Data Protection and Safeguard Standards
  • Effective March 1, 2010
  • All businesses possessing non-public personal information
• Fines and Litigation
Criminal Liability
• Inside Job
  • Company may be held liable for acts of employees
    • Scope of Employment
    • Intent to benefit company
• Conduct Thorough Investigation
• Get Secret Service/FBI on board early
How to Respond to a Data Breach
• Designate coordinator - main contact with HR, legal, IT, communications
• Contain and limit exposure - stop intrusion
• Preserve data
• Forensic investigation
  • Preliminary findings
  • Final report
Responding to Data Breach
• Notify management
• Interviews and email review
  • Privilege issues - encourage counsel involvement
  • Current employees
  • Former employees
  • Any third party/contract employees with access?
• Prepare written report
• Inventory System
  • Compliance holes?
  • Encryption issues?
Responding to Data Breach
• Contact law enforcement
  • FBI/Secret Service
  • Victim
• Contact all credit card companies
  • Visa requires full report within two weeks
  • Call fraud coordinators at Visa, MC, Discover, AMEX
  • Provide list of all credit cards used during time period
• Insurance coverage?
• Contracts with Third Parties affected
Responding to Data Breach
• Review State notification laws re what type of notice needed
  • Reasonable Time Period = 10 business days
  • 45 days for Ohio and Florida
  • Delay for Law Enforcement
• Prepare Notice to customers
  • Offer to pay for free credit report?
  • Website or toll free number?
  • Discuss steps taken to ensure future privacy
Responding to Data Breach
• Public Relations plan
  • Press Release if necessary
  • Who speaks for company
  • 800 number for inquiries
  • Prepare for leaks prior to actual notice
Responding to Data Breach
• Prepare Notice to employees
• Update/Revise privacy and compliance program if necessary
• Train employees
Steps to Prevent Breach
• Passwords
• Dedicated System
• PCI Compliance Program
• Rapid Response Team
• Training
• Review Contracts with Computer Vendors
  • Who is going to be liable
  • Indemnification
Michael R. Sklaire
Greenberg Traurig LLP
1750 Tysons Boulevard, Suite 1200
McLean, VA 22102
Tel 703.749.1308
Fax 703.714.8308
sklairem@gtlaw.com