1 / 32

The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk

The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk. Sheryl Falk April 4, 2013. © 2013 Winston & Strawn LLP. March 2013 Data Breaches. Overview. Anatomy of a Data Breach Data Breach Incident Response Handling the Aftermath of a Breach The Legal Landscape

dinah
Download Presentation

The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Zero Hour Phone CallHow to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 ©2013 Winston & Strawn LLP

  2. March 2013 Data Breaches

  3. Overview • Anatomy of a Data Breach • Data Breach Incident Response • Handling the Aftermath of a Breach • The Legal Landscape • Practical Strategies to Mitigate your Risk

  4. Anatomy of a Data Breach

  5. Q: What is a Data Breach? A) Hackers B) Lost laptop C) Misdirected email containing Personal Information D) Improperly disposed of paper files E) All of the above

  6. How Do Data Breaches Occur? EXTERNAL INTERNAL INTENTIONAL ACCIDENTAL

  7. Insider Threat- Negligent Employees 1. Pathetic Passwords 2. Loss of devices 3. Improper disposal 4. Misdirected emails 5. Falling for Phishing 6. Use of Public WiFi

  8. Insider Threat – Employee theft • 52% of insider thefts are trade secret related • 65% of insiders had accepted positions with a competitor • 20% were recruited by an outsider • 50% steal data within a month of leaving • 54% used a network-email, a remote network access channel, or network file transfer

  9. Best Practices of a Data Breach Response

  10. Data Breach Response Timeline

  11. Step 1 - Mobile Resources: Immediate Response Team

  12. Step 2 - Stabilize/Secure Data • Act quickly, but cautiously • Take steps to secure data • Preserve evidence including logs, back ups • Obtain expert advice/legal counsel

  13. Step 3 - Investigation Goal : Determine the scope and nature of breach • Identify all affected data, machines and devices • Preserve Evidence (Chain of Custody) • Understand how the data was protected • Develop the Record • Conduct interviews with key personnel • Document evidence and findings carefully • Quantify the exposure of data compromised

  14. Importance of Investigatory Privilege • Treat every incident as potential litigation • Engage Legal Counsel at onset • Direct the forensic/security vendors through Legal Counsel • Label communications “Confidential and Privileged”

  15. Do you Involve Law Enforcement? • PROS • For serious criminal activity, partner with law enforcement • LE brings additional resources to investigation • Shows you are taking the breach seriously • CONS • May not meet law enforcement threshold • Could lose control over your investigation • Information of breach could become public

  16. Handling the Aftermath of a Breach

  17. Texas Data Breach Statute 521.053 Texas Business and Commerce Code “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.” • Notify as quickly as possible • Extra-territorial application • Civil penalty up to $250,000 for a single breach.

  18. Was there a Breach? 1. What information is Involved? • Names • Financial Account data • SSNs • Government ID numbers • Credit Card data • Date of Birth

  19. Was there a Breach? 2. Was the Information Compromised? • Unauthorized access or acquisition • Sometimes just access/acquisition • Has the “security, integrity or confidentiality”of the laptop info been compromised? • Is there a “material compromise”? • Has illegal use occurred or is it likely to occur? 3. Is there an Exception? • Hard copy files • Encrypted data • Good faith exception

  20. Who do you have to Notify? • Impacted individuals • Typically consumers or employees • Applicable law is where individual resides • Some states require specific information (MA, IL) • Timing restrictions: typically “expediently” or 45 days (FL, WI, OH) • Federal or State authorities • Depends type of information at issue/threshold numbers affected • www.winston.com/privacylawresources • Credit reporting agencies • Usually must meet a threshold of impacted state residents

  21. Effectively Communicate about Breach • Communicate breach facts accurately and quickly • Understand and follow breach notification timetables • Stay focused and concise • Be prepared to update with new information • What you might offer: • Information about security freezes and credit monitoring • Giving contact information for credit reporting agencies, FTC or state authorities • Having a central “ombudsman” for all questions • Credit monitoring or identity restoration services • Coupons or gift certificates

  22. After Action Review • How did the team respond? • What can be improved in response/investigation? • What security issues can be tightened up? • Modify your plan/procedures if necessary

  23. The Legal Landscape

  24. Federal & State Regulatory Agencies • Federal Agencies with Privacy Jurisdiction • Federal Trade Commission • Department of Justice • Office for Civil Rights (HHS) • Consumer Financial Protection Bureau • Office of the Comptroller of the Currency • Federal Communications Commission • And others • State Agencies Likewise have Privacy Enforcement • Practice Tip – If you regularly have data breaches, get to know your regulators and their notification preferences.

  25. Data Breach Civil Litigation • Theories of Liability • Negligence • Gross Negligence • Deceptive Trade Practices • Breach of Contract • Fraud • Significant Risk to Companies • TJX Litigation Settled for over 40 Million dollars • Heartland Payment Systems pending litigation – 12 Million spent in attorney fees

  26. Legal Trends • Data Breach cases are on the Rise • Most Courts require Actual Harm • Reilly v. Ceridian (3rd Cir.) – Hacker stole 250,00 records • But Court dismissed finding potential future injury is not enough • Recent case: No Harm required • Resnick v. AvMed, Inc.(11th Cir.) – Health plan provider failed to protect PII information. No facts tying data breach to subsequent data. Court allowed Unjust enrichment theory

  27. Trade Secret Litigation • Increase in Trade Secret Litigation • To be Successful you must: • Establish a Trade Secret • Secrecy • Independent Economic Value • Reasonable Efforts to Maintain Secrecy • Prove Misappropriation • Allege Damages and/or right to Injunctive Relief

  28. Practical Strategies

  29. The Best Defense is an ongoing Data Security Program • Eliminate unnecessary data • Ensure essential controls are met • Monitor/mine event logs • Implement a firewall on remote access services • Change default credentials of POS systems and other internet facing devices • Ensure third party vendors are complying with data protection strategies Recommendations from 2012 Verizon Report

  30. Fully Plan your Breach Response • Understand where your data is and how it is protected • Develop good privacy and security policies • Train employees and monitor enforcement • Develop a Data Breach Incident Response Plan • Understand what laws/regulations apply • Explore Cyber-insurance

  31. Security Policies:Evaluating what documents you need • Remote access policy • Internet and electronic communications policy • Social media policy • Password policy • Mobile device policy • Guest access policy • Vendor access policy • Network device attachment policy

  32. To Learn more… sfalk@winston.com twitter: @winstonprivacy www.winston.com/privacylawresources

More Related