
January 29, 2014 Anaheim, California Sponsored by Crowell & Moring LLP






Presentation Transcript


  1. How To Manage A Data Breach (“Incident”) Crisis
     January 29, 2014, Anaheim, California
     Sponsored by Crowell & Moring LLP
     Panelists: Jeffrey L. Poston, Partner; Jennifer S. Romano, Partner

  2. Typical Breach Costs $Millions
     • Forensics
     • Outside Counsel
     • Credit Monitoring
     • Security and Technology Upgrades
     • Fines
     • Settlements
     • Damages
     • Opportunity Costs

  3. What Is At Risk?
     • Protected Health Information (“PHI”)
       • Health status, treatment or payment
       • Identifiers (name, SSNs) and health information
       • Does not apply to “de-identified data”
     • Personal Information (broader category under state law)
     • Personally Identifiable Information (“PII”)
       • Generally defined as a combination of first and last name PLUS any one of the following:
         • SSN
         • Driver’s License No.
         • Account No.
         • Credit Card No.
         • Medical Information
     • Trade Secrets
     • Mayhem/Tort Liability

  4. Cyber Threats

  5. Cyber Threats (diagram: Trade Secrets, PII)

  6. The Threat: What’s Out There? (cont’d)
     • Cyber Criminals
       • Ties to organized crime
       • International in nature (particularly Eastern Europe and the former Soviet Union)
       • Selling stolen data:
         • PHI/PII
         • Trade secrets

  7. How Do They Get It? Common Techniques
     • Spear Phishing
       • Targeted
       • Appear to be authentic emails, with attachments or links containing malware
     • Malware
       • Either via email or websites, can give hackers a “back door” into your network
     • Distributed Denial of Service (DDoS) Attacks
       • Often accompanied by fraud

  8. Corrupt Employees
     • Paid to steal personal information (SSNs, credit card numbers)
       • The MOB/Eastern Europeans
     • Often low-tech theft - hard copies
     • Provide PII to identity theft rings
       • Fake IDs/credit cards made
       • Lines of credit opened at stores
       • Prescriptions

  9. Corrupt Employees (cont’d)
     • In past six months
       • Employees steal PI from dental practice, insurer and rental car company
       • Nurse’s Aide indicted in Va. – stealing PI for tax fraud
       • Stolen Porsche traced to home where $2.5 million credit card operation discovered

  10. Target and Neiman Marcus Data Breaches
     • Type of Breach
       • Target: outside hacker; likely used RAM scraper (memory scraping malware), along with other tools
       • Neiman Marcus: outside hacker – details not disclosed
     • How Many Affected
       • Target: up to 70 million individuals; 40 million credit and debit card accounts
       • Neiman Marcus: numbers unknown but data reportedly includes credit and debit card numbers, customer names, contact information

  11. Target and Neiman Marcus Data Breaches (cont’d)
     • Litigation & Enforcement Actions
       • Target: 40+ class actions, punitive damages requested; State AG (MA, NY, IL, PA, others) investigations; Senate briefing requests
       • Neiman Marcus: likely same as for Target

  12. How To Manage Crisis When PII Compromised

  13. How To Manage Crisis When PII Compromised (cont’d)
     • Do Not Sweep Under the Rug
       • Will come back to haunt you
       • Public somewhat sensitized to breaches
       • Will not tolerate cover-up – cover-up worse than crime
     • If data missing, beware the “no harm, no foul” position
       • Subsequent discovery
       • Identity theft
       • Whistleblowers
       • Litigation Discovery/Audit

  14. How To Manage Crisis When PII Compromised (cont’d)
     • Be Prepared
       • Breach Response Plan
         • GC’s Office
         • Privacy Office
         • IT
         • Outside Counsel
         • Forensics Firm
         • Media Relations
       • Dry Runs
       • Training/Policies to Ensure Incident Reported Up the Chain

  15. How To Manage Crisis When PII Compromised (cont’d)
     • Involve In-House/Outside Counsel Immediately
       • Can assert privilege to maximum extent possible
       • Assert privilege over outside consultants
       • Use counsel to conduct employee interviews
       • Assess claims/positions vs. vendor
       • Assess need for law enforcement
       • Strategize for long run -- investigation through class actions
       • Don’t want an early false step to jeopardize a defense or position 2 years down the road

  16. How To Manage Crisis When PII Compromised (cont’d)
     • Investigate
       • Privilege
       • Forensics
       • What data?
         • PHI
         • PI
         • SSN
         • Credit Card Info
       • Whose data?
         • What states involved?
         • Minors involved?
       • What systems?
       • How accessible is missing data if in wrong hands?
       • Access to vendors
       • JDA (Joint Defense Agreement)

  17. How To Manage Crisis When PII Compromised (cont’d)
     • Mitigate/Remediate
       • Can you track and recover lost data?
       • Can you verify that data not accessed?
       • If technical cause, can it be fixed?
       • First 24-48 hours critical
       • Can’t presume missing data has not been improperly accessed

  18. How To Manage Crisis When PII Compromised (cont’d)
     Mitigate/Remediate (cont’d)
     • Cyber Breach
       • Can you identify type of infiltration and impact?
       • Can you show forensically that data not accessed?
       • Can you determine if data exfiltrated?
       • Typically, can at least determine what was accessible
       • In case of lost laptop, can usually determine what data it contained

  19. How To Manage Crisis When PII Compromised (cont’d)
     Mitigate/Remediate (cont’d)
     • Corrupt Employee
       • Can you track extent of employee’s access?
         • If so, is there a definable group to be notified?
         • If not, must you notify entire population?
       • How widespread is the incident?
         • Documents discovered in several states
       • Is law enforcement involved?
         • Can scope of incident be determined through criminal process?

  20. How To Manage Crisis When PII Compromised (cont’d)
     • Notification Issues
       • OCR/HIPAA – HITECH
       • FTC
       • State Breach Notification Laws
         • States plus D.C., Puerto Rico and Virgin Islands
         • 46 different standards, some involving “risk of harm”
         • AGs have enforcement authority
         • Timing: “in the most expedient time possible,” “without unreasonable delay”
         • If required to notify in some states, notify in all states

  21. How To Manage Crisis When PII Compromised (cont’d)
     Notification Issues (cont’d)
     • Who notifies – company or vendor?
     • Don’t sugarcoat notification letter
     • What do you do if you cannot determine extent of incident?
       • Notify everyone?
       • Notify no one?

  22. How To Manage Crisis When PII Compromised (cont’d)
     • Here Come the Regulators
       • AGs and FTC
       • Be proactive with regulators
       • Establish relationship/bring them in the loop
       • You don’t want them to find out about this second hand
       • Beware of turf wars within a state
       • Make sure they know that situation is fluid and you will update them

  23. How To Manage Crisis When PII Compromised (cont’d)
     • Involve Corporate Communications
       • States require certain content in notification letters
       • Media statement should be consistent with notification letters and call center talking points
       • Inconsistent message will confuse members and embolden Plaintiffs’ attorneys
       • AGs may use loose language against you
       • Have talking points ready to go prior to notification

  24. Third Party Vendor
     • Joint Defense Agreement
     • Who is notifying members?
     • Liability for Vendor Conduct
       • Need to think ahead to class litigation
       • Need to understand scope of indemnity
       • Timing of claim
       • Tolling Agreement
     • If ultimate position is common - e.g. class suffered no injury, then need united front in public while deferring any fight with Vendor

  25. Insurance Issues
     • Report incident to commence/preserve claim
     • What kind of policy?
       • All Risk
       • CGL
       • Standalone Cyber Policy

  26. CGL Policies
     • Traditional CGL?
       • Physical loss
       • Tangible property
       • Personal and advertising injury
     • Hacking and data breaches not contemplated when standard CGL policies first written
     • Exclusions for privacy-related actions, e.g., TCPA claims, are getting tighter and more explicit
     • ISO filed endorsements, to become effective 5/14, that exclude claims regarding access/disclosure of confidential PI or data-related liability

  27. Insurers Contesting Data Breach Coverage Under CGL
     • Liberty Mutual v. Schnuck Markets, Inc. (E.D. Mo., August 14, 2013): Liberty Mutual contested coverage under a general liability policy for losses due to a data breach, claiming that suits resulting from the breach do not allege bodily injury or property damage. Liberty also contends that the “expected or intended” exclusion precludes coverage (based on Schnuck’s delay in reporting the breach).

  28. Insurers Contesting Data Breach Coverage Under CGL
     • OneBeacon America Ins. Co. v. Urban Outfitters, Inc. & Anthropologie (E.D. Pa., September 10, 2013):
       • Class actions have been filed against Urban Outfitters & Anthropologie, alleging that the stores violated the Credit Card Act by asking customers for their zip codes during credit card transactions as a marketing ploy;
       • OneBeacon alleges that the underlying complaints do not amount to an advertising injury under the comprehensive general liability policy at issue.

  29. Insurers Contesting Data Breach Coverage Under CGL
     • Zurich American Ins. Co. v. Sony Corp. of America, et al. (N.Y. Sup. Ct., 7/20/11): Zurich refuses to pay for costs associated with the PlayStation breach and 55 class actions under CGL because there is no bodily injury, property damage, or personal and advertising injury.

  30. Insurers Contesting Data Breach Coverage Under CGL
     • Hartford Casualty Insurance Company v. Corcino & Associates et al. (C.D. Cal., 10/7/13): court grants MTD (motion to dismiss), ruling that CGL policy covers indemnity of claims under the California Confidentiality of Medical Information Act (“CCMIA”) in spite of an exclusion disclaiming coverage arising from a right of privacy “created by state or federal act”

  31. Cyber Risk Policies: Common Exclusions
     • Coverage from territory restrictions
     • Losses from “named viruses”
     • Failure to take reasonable security measures
     • Blogs
     • Hostilities and warlike operations

  32. Emerging Litigation Issues
     • Typical Claims
       • Negligence
       • Breach of Contract
       • Unfair Trade Practices
       • Breach of Privacy
       • State Statutes, e.g. CMIA
     • Threshold Issues
       • Standing to sue (Federal Court)
       • Actual injury or harm (common law claims)

  33. Emerging Litigation Issues (cont’d)
     • Class Certification Issues
       • Rare (dismissal or settlement)
       • Claims often turn on individualized issues of causation and damages
       • Thus common questions of law and fact do not predominate over questions affecting individual members
     • Damages
       • Aggregate exposure to nominal damages
       • Due process violation?

  34. Typical Settlements
     • Non-monetary relief (e.g., credit monitoring)
     • Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)
     • Consent decree requiring security improvements
     • Attorneys’ fees to Plaintiffs’ counsel
     • Capped individual payments to Plaintiffs who can prove causation

  35. Significant Take-Away Points
     • The threat is real - be prepared with a breach response plan
     • Take action -- don't sweep it under the rug
     • Involve counsel at the outset
     • Investigate thoroughly
     • Coordinate with all internal stakeholders
