Counsel After Equifax – PowerPoint presentation (slides of a live 90-minute webinar, Tuesday, January 23, 2018, 1pm Eastern)

SLIDE 1

Presenting a live 90-minute webinar with interactive Q&A

Data Security Compliance and Responding To a Data Breach: Lessons for Corporate Counsel After Equifax

TUESDAY, JANUARY 23, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

  • Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
  • Brent E. Kidwell, Partner, Jenner & Block, Chicago

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.


SLIDE 5

Agenda

  • I. The Big Picture
    • A. Breaches’ Prevalence
    • B. Liability Risks & Data Leakage – Big 3
    • C. Modern Threats
  • II. U.S. & International Law – Overview
    • A. Different Premises in U.S. & EU
    • B. Scattershot U.S. Privacy Protections
    • C. Potential Liability for Data Breaches
    • D. International Law – Summary
    • E. Contracts’ Ability to Reallocate Risks

SLIDE 6

Agenda

  • III. Proactive Prevention
    • Introduction
    • A. Data Protection Overview
    • B. Protecting Data at Rest & in Transit
    • C. 10 Specific Steps
  • IV. Reactive Remedies / Incident Response
    • Top Ten
  • Q&A / Conclusion

SLIDE 7

I. The Big Picture – A. Breaches’ Prevalence

  • Should only retailers be worried? NO
  • 1/1/05 to 12/28/17:
    • > 7,800 breaches; > 10 billion records
    • E.g., Yahoo!, Anthem, Target, Verizon & Neiman
  • 2017 alone:
    • 550 breaches; ≈ 2 billion records
    • E.g., Equifax, T-Mobile, Dun & Bradstreet, Arby’s, Boeing, Stanford U., Oklahoma HHS & UNC Health Care Systems
  • . . . per Privacy Rights Clearinghouse, DATA BREACHES (last visited 1/18/18) (searchable/filterable)

SLIDE 8

I. The Big Picture – A. Breaches’ Prevalence

  • Cyber crime costs in FY ’16 (237 cos. surveyed across 8 countries):
    • $17.36M average in US alone
    • 2 largest costs (on average):
      • information loss: 39 percent
      • business disruption: 36 percent
  • . . . per Ponemon Inst. o/b/o HP Enterprise Security, 2016 Cost of Cyber Crime Study (2016)
SLIDE 9

I. The Big Picture – B. Leakage Risks – Big 3

  • 1. Intentionally Harmful Intentional Disclosures
  • 2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social Media; Sock-Puppeting; P2P)
  • 3. Unintentional Losses of Sensitive Info. = primary focus here
SLIDE 10

I. The Big Picture – C. Modern Threats

  • Biggest ones?
  • Social Engineering [including (spear-)phishing and ransomware]
SLIDE 11

I. The Big Picture – C. Modern Threats

  • Phishing: W-2 Scam
    • Adapted from screenshot at <http://www.linkstechnology.com/blog/its-baaack-the-form-w-2-email-scam>
    • IRS warning (1/25/17)
    • Cinthia Motley, 10 Ways to Avoid W-2 Phishing Schemes (LTN 3/20/17) (including “Pick up the phone”)
SLIDE 12

I. The Big Picture – C. Modern Threats

  • Phishing – Training:
    • When in doubt:
      • do not click on a link or open an attachment; and
      • forward the message as an attachment to the InfoSec or IT department
    • If you are suspicious about the purported sender, place a call to (or meet with) the purported sender to confirm the message is legit
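The triage the InfoSec team would run on a message a user has forwarded per the two slides above (the W-2 lure on slide 11, the "forward as an attachment" step on slide 12), as an added Python example that is not part of the webinar materials. The internal domain `example.com`, the executive-name list, the keyword lists and both sample messages are constructed for the example; the `Authentication-Results` header is assumed to have been stamped by the organization's own mail gateway.

```python
"""Added example (not from the webinar): first-pass triage of a reported
phishing message, the kind of check InfoSec runs on a message a user has
forwarded as an attachment. Domain names, executive names and the sample
messages below are all constructed."""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Set

INTERNAL_DOMAIN = "example.com"          # assumption: the organization's mail domain
EXECUTIVE_NAMES = {"jane doe"}           # constructed list of impersonation targets
W2_TERMS = ("w-2", "w2", "wage and tax", "payroll")
URGENCY_TERMS = ("urgent", "asap", "today", "immediately")


def _domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].lower()


def triage(raw_message: str,
           internal_domain: str = INTERNAL_DOMAIN,
           executive_names: Set[str] = EXECUTIVE_NAMES) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name impersonation: an executive's name on a non-corporate address.
    if display_name.strip().lower() in executive_names and from_domain != internal_domain:
        findings.append(f"display name '{display_name}' but sender domain is '{from_domain}'")

    # 2. Reply-To pointing somewhere other than the From domain (classic W-2 scam).
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain")

    # 3. Authentication-Results as stamped by our own gateway (assumed trustworthy).
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed at the receiving gateway")

    # 4. Lure content: a W-2/payroll request paired with an urgency cue.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(t in text for t in W2_TERMS) and any(t in text for t in URGENCY_TERMS):
        findings.append("W-2/payroll data request with urgency cue")

    return findings


# Constructed sample: a W-2 lure spoofing the CEO's display name.
SUSPECT_MESSAGE = "\n".join([
    'From: "Jane Doe" <jane.doe@example-payroll.co>',
    "Reply-To: <ceo.office@mail.invalid>",
    "To: hr@example.com",
    "Subject: W-2s needed today",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-payroll.co; dmarc=fail",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Hi, I need the 2017 W-2 forms for all employees as PDF today. Urgent. Thanks, Jane",
])

# Constructed sample: a routine internal message from the same executive.
BENIGN_MESSAGE = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: hr@example.com",
    "Subject: Agenda for Thursday",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Please see the attached agenda for Thursday's meeting.",
])

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage(raw) or ["no findings"])
```

The findings are hints for a human, not a verdict: a legitimate executive mailing from a personal account trips check 1, which is exactly the case the slide's "pick up the phone" advice is for.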
SLIDE 13

II. U.S. & International Law – A. Default in U.S. & EU

  • U.S. Perspective
    • Data presumptively not protected unless rendered otherwise by a specific rule of law
    • Many rules are sector-based
  • EU Perspective
    • Data presumptively “personal” and thus private, even in the employer/employee setting . . .
SLIDE 14

II. U.S. & International Law – B. Scattershot U.S. Laws

  • Federal law sector examples:
    • Health/medical = HIPAA (breach notice within 60 days)
      • covered entities and business associates
      • HITECH Act expansion Jan. ’09
      • HHS Final Regs. Sep. ’13
    • Financial services = Gramm-Leach-Bliley
    • Consumer credit reports, etc. = FCRA/FACTA

SLIDE 15

II. U.S. & International Law – B. U.S. Rules

  • Potential Liability
    • consumer and/or employee class actions re: PII (PHI)
    • corporate customer suits
    • shareholder derivative suits
    • bad press and/or blog buzz
    • reputational hit
SLIDE 16

II. U.S. & International Law – B. Notice-of-Breach Laws

  • Specific combo of elements – expanded multiple times in, e.g., California, Civ. Code § 1798.82 et al. . . .
  • Trigger usually automatic (as in Cal.) rather than risk-based
  • Notice requirements
    • If > X no. of people affected, tell AG
    • Might have to describe circumstances
SLIDE 17

II. U.S. & International Law – B. Health Info (PHI)

  • Protecting Individuals’ PHI
    • HIPAA Final HHS Regs (9/23/13)
    • HHS active under HIPAA
  • > 10 states:
    • AR, CA, FL, MO, ND, NV, TX, VA
    • WY (state agencies only)
    • CT (regs.) & NJ re: insurers
SLIDE 18

II. U.S. & International Law – B. U.S. Rules

  • Potential Liability
  • Difficulty in proving “injury” (damages):
    • Even CFAA claim in suit against hacker: “loss” hard to show (remediation and down-time?)
    • “Standing” (“injury”) difficult to show based on mere concern data will be used:
      • trade secrets damages theory
      • identity-theft theory, including theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code § 56.36 . . .
SLIDE 19

II. U.S. & International Law – B. U.S. Rules

  • Newer Case Law:
    • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury must be concrete and not “abstract” to satisfy U.S. Const. Article III, but intangible injuries can be concrete)
  • Post-Spokeo (examples) . . .
    • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2/6/17) (allegations of increased risk of identity theft: NOT substantial risk of harm)
SLIDE 20

II. U.S. & International Law – C. Typical Breach Exposure Items

  • Aside from viability of legal theories, custom and usage has been . . .
  • Potential monetary liability for breach of unsecured personally identifiable information (PII) estimated at $221 per affected person
    • Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC (June 2016)
  • Data breach cost calculators
    • <http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>
    • <http://cyberscout.com/expensecalc/start.aspx>
    • <https://eriskhub.com/mini-dbcc>
SLIDE 21

II. U.S. & International Law – C. Typical Breach Exposure

  • Custom/usage
  • Sample set of expense items (from here)
    • Internal Investigation
      • Cybercrime consulting
      • Attorney fees
    • Notification/Crisis Management
      • Customer notification
      • Call center support
      • Crisis management consulting
    • Regulatory/Compliance
      • Credit monitoring for affected customers
      • Regulatory investigation defense
      • State/federal fines or fees
SLIDE 22

II. U.S. & International Law – D. International Summary

  • Privacy protected more, e.g.
    • Europe:
      • EU: France/Germany/Italy
      • UK (post-Brexit)
    • Elsewhere:
      • Brazil
        • Constitution
        • “Marco Civil”
      • Israel
SLIDE 23

II. U.S. & International Law – D. Laws Overseas

  • DATA-BREACH NOTIFICATION LAWS
    • less diffused, broader in scope & often shorter/clearer deadlines than U.S. . . . e.g.
    • Australia (Feb. ’18)
    • Canada
    • India
    • Israel (Mar. ’18)
    • Mexico
    • South Korea
SLIDE 24

II. U.S. & International Law – D. EU Data Directive Compliance

  • EU Directive 95/46/EC (1995)
    • PLUS laws of individual EU countries
    • BROAD definitions of “personal data,” “processing” and “transfer”
  • Being replaced 5/25/18 by the General Data Protection Regulation (GDPR)
    • Stricter
    • Penalties tied to worldwide revenue
    • Notice of breach – timing, etc. (Art. 33: to the supervisory authority within 72 hours of becoming aware, where feasible)
    • Consent rules
SLIDE 25

II. U.S. & International Law – D. EU Data Transfers

  • EU-U.S. Safe Harbor now replaced by the EU-U.S. Privacy Shield Framework (same re: Swiss-U.S. . . . ). Must:
    • Provide free & accessible dispute resolution
    • Cooperate with Department of Commerce
    • Ensure accountability for data transferred to third parties (whether controllers or agents)
SLIDE 26

II. U.S. & International Law – E. Contracts’ Ability to Reallocate Risk

  • Defaults may be changeable based on:
    • Relative sizes and bargaining power
    • Industry of prospective customer
    • Location of data (who stores/hosts it)
SLIDE 27

III. Proactive Prevention – Introduction

Divide the universe, e.g., into:

  • 1. Policies/practices applicable to all information, including PII
  • 2. Policies/practices applicable to personal information as to non-employee individuals
  • 3. Policies/practices applicable to PII collected from employees
  • 4. Data storage contracts with third-party hosts (Cloud, etc.)

SLIDE 28

III. Proactive Prevention – Introduction – Example of Intrusion

[Figure: APT intrusion chart, http://blogs.rsa.com/wp-content/uploads/APT-chart1.jpg]

SLIDE 29

III. Proactive Prevention – A. Data Protection Overview – Strategy

  • People
  • Process
  • Policy
  • Technology

SLIDE 30

III. Proactive Prevention – A. Data Protection – People

  • Executive leadership – security as an organizational priority
  • Identified personnel with specific roles, accountability and responsibility
  • Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)
  • Improve communication and training about security with all personnel
  • Human vectors continue to be a key security exploit route
    • See, e.g., the RSA breach resulting from phishing

SLIDE 31

III. Proactive Prevention – A. Data Protection – Process

  • Plan and document security procedures; for example:
    • Identify the location and content of your data assets, specifically PII or other “sensitive” collections
    • Routinize security assessments conducted by internal and external experts
    • Employ incident response drills and training
    • Develop procedures for the ingestion, storage, security and destruction of data

SLIDE 32

III. Proactive Prevention – A. Data Protection – Policies

  • Organizational security/data protection policies:
    • General security, confidentiality, acceptable use and information governance policies
    • Special policies may be required for special data (e.g., HIPAA/PHI)
    • Incident response and breach notification policies
    • Records and information retention policies should be evaluated to minimize retention of risky data
  • Establish a regular policy review cycle
  • Enforcement and consistent application of policies
  • Consider certifications, such as ISO 27001

SLIDE 33

III. Proactive Prevention – A. Data Protection – Technology

  • Security of Existing Technology Base
    • Periodic re-examination of security posture of existing systems recommended
    • Cloud-based systems require contractual protections and due diligence
  • Specialized Security/Data Protection Tools
    • Technology is not a security “silver bullet”
    • Even the best technology requires trained personnel to monitor, analyze and address identified anomalies
    • More on this later . . . .

SLIDE 34

III. Proactive Prevention – B. Protecting Data at Rest & in Transit – at Rest I

  • Perimeter Defenses (Incoming & Outgoing)
    • Firewall
    • IDS/IPS
    • Multi-Factor Authentication
    • Malware Filtering
    • Data Loss Prevention (DLP)
    • Advanced endpoint protection
  • Access Rights – “Need to Know” – See below
  • Electronic data destruction (anything with storage)

SLIDE 35

III. Proactive Prevention – B. Protecting Data at Rest II

  • Logging and Analysis of Security Events
    • Security Information and Event Management (SIEM)
    • Provides analytical view into organizational security using a longer-term baseline for anomaly identification
  • Don’t Forget Paper Documents
    • Appropriate destruction – shredding, PII bins, etc.
    • Clean desk policies
    • Locked offices, drawers and cabinets
  • Physical Security

SLIDE 36

III. Proactive Prevention – B. Protecting Data in Motion I

  • Laptops (endpoints)
    • AV/Malware Detection
    • Firewall
    • Data Encryption (full-disk encryption, FDE)
    • Passwords, screensavers, etc.
    • BYOD Issues
    • Endpoint protection
  • Storage Devices/Tools
    • Encryption – flash drives, DVDs, etc.
    • Restrictions on use of cloud storage services (Dropbox, etc.)

SLIDE 37

III. Proactive Prevention – B. Protecting Data in Motion II

  • Handheld Devices
    • Encryption
    • Remote Wiping
    • Mobile Device Management (e.g., MobileIron, AirWatch)
    • BYOD Issues
  • Backup Tapes
  • Email encryption
  • Metadata Scrubbing Tools
  • Proper Redaction Tools/Methods

SLIDE 38

III. Proactive Prevention – C. 10 Specific Steps – 1. Policies

  • Train managers and staff about access, nondisclosure and safeguarding
  • Review pertinent segments of employee policies, e.g.:
    • Code of Conduct
    • Confidentiality Policy
    • Technology Acceptable Use
    • Privacy (No Expectation of Privacy?)
    • Social media policies
    • BYOD (Mobile Devices)
  • Separating / off-boarding employee procedures (related checklist(s) from IT, HR, etc.)

SLIDE 39

III. Proactive Prevention – C. Steps – 2. Training

  • [Spear-]Phishing & Ransomware
    • Use tests (Wombat, etc.)
    • Capture metrics
    • Encourage vigilance
SLIDE 40

III. Proactive Prevention – C. Steps – 3. Passwords

  • Passwords
    • Lockout . . . No sharing . . .
    • Two-factor authentication
  • Common password practices:
    • Minimum 8 (or 12) characters, complex
    • Reuse restriction
    • 90-day expiration
  • But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin. SP 800-63B drops mandatory composition rules and periodic expiration (change a password when there is evidence of compromise, not on a calendar); instead it requires a minimum of 8 characters, allows at least 64, and screens new passwords against lists of known-compromised or commonly used values.
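The two rule sets on this slide side by side, as an added Python example that is neither from the webinar nor from NIST: `check_legacy` encodes the complexity-plus-90-day rule, `check_nist` a rule in the spirit of SP 800-63B section 5.1.1.2. The password blocklist, the user name and the audit dates are constructed for the example; a real deployment screens against a large leaked-password corpus rather than seven entries.

```python
"""Added example (not from the webinar): the legacy 'complexity + 90-day
expiry' password rule next to a NIST SP 800-63B-style rule. The blocklist and
dates are constructed stand-ins."""
import re
import unicodedata
from datetime import date, timedelta
from typing import Iterable, List

# Constructed stand-in; a real deployment screens against millions of leaked
# passwords (e.g. a have-i-been-pwned style list), compared case-insensitively.
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "123456",
                    "qwerty", "letmein", "welcome1"}

# Constructed dates for the worked comparison below.
AUDIT_DATE = date(2018, 1, 23)
CHANGED_RECENTLY = date(2018, 1, 13)    # 10 days before the audit
CHANGED_LONG_AGO = date(2017, 10, 1)    # 114 days before the audit


def check_legacy(password: str, last_changed: date, today: date,
                 min_len: int = 8, max_age_days: int = 90) -> List[str]:
    """Typical pre-2017 corporate rule: minimum length, three of four character
    classes, forced rotation every 90 days. Returns the rules that fail."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if today - last_changed > timedelta(days=max_age_days):
        problems.append(f"older than {max_age_days} days")
    return problems


def _is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'abcdefgh' (each char one code point after the last)."""
    return len(s) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_nist(password: str, username: str = "",
               blocklist: Iterable[str] = COMMON_PASSWORDS,
               min_len: int = 8, max_len: int = 64) -> List[str]:
    """SP 800-63B sec. 5.1.1.2-style memorized-secret check: at least 8 characters,
    at least 64 accepted, any printable character including spaces, no composition
    rules and no calendar expiry; reject values that are blocklisted, repetitive or
    sequential, or derived from context such as the username."""
    pw = unicodedata.normalize("NFKC", password)   # 800-63B: normalize before comparing
    lowered = pw.lower()
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if lowered in {b.lower() for b in blocklist}:
        problems.append("appears on the compromised/common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1+", pw):
        problems.append("single repeated character")
    if _is_sequential(lowered):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    for pw, changed in (("P@ssw0rd", CHANGED_RECENTLY),
                        ("correct horse battery staple", CHANGED_LONG_AGO)):
        print(repr(pw))
        print("  legacy:", check_legacy(pw, changed, AUDIT_DATE) or "ok")
        print("  nist:  ", check_nist(pw, "alice") or "ok")
```

The comparison shows the point of the NIST change: `P@ssw0rd` satisfies every legacy rule and is on every attacker's list, while a long passphrase fails the legacy class count and is the stronger secret.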

SLIDE 41

III. Proactive Prevention – C. Steps – 4. Access – RBAC

  • “Least Privileged Access” approach [“role-based access control (RBAC)”]
    • Data and physical
    • Ideal default is “deny all” – i.e., cannot gain access unless affirmative need shown; and specifically authorized
    • For lawyers: “ 'Need to Know' Security” (LTN 4/24/17) (LEXIS login/password needed)
  • Central vs. Local Storage
  • Digital Rights Management (DRM)?
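A deny-by-default RBAC check plus a least-privilege review over an access log, as an added Python example that is not part of the webinar. Role names, users, resources (including a physical one, `server_room`, modelled the same way as data) and the log lines are constructed for the example.

```python
"""Added example (not from the webinar): deny-by-default role-based access
control and a least-privilege review that flags grants a user never uses.
Roles, users, resources and the access log are all constructed."""
from typing import Dict, Iterable, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Constructed role catalogue. Anything not listed here is, by construction, denied.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "hr-analyst": {("employee_pii", "read")},
    "hr-manager": {("employee_pii", "read"), ("employee_pii", "write")},
    "it-admin":   {("server_logs", "read"), ("server_logs", "write"),
                   ("server_room", "enter")},      # physical access, same model
}

# Constructed user-to-role assignments; 'carol' has not been given any role yet.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr-analyst"},
    "bob":   {"it-admin"},
    "carol": set(),
}


def is_authorized(user: str, resource: str, action: str,
                  user_roles: Dict[str, Set[str]] = USER_ROLES,
                  role_perms: Dict[str, Set[Permission]] = ROLE_PERMISSIONS) -> bool:
    """Default deny: an unknown user, an unassigned role or an unlisted
    (resource, action) pair all fall through to False. Access exists only
    where a role was specifically granted it."""
    for role in user_roles.get(user, ()):
        if (resource, action) in role_perms.get(role, ()):
            return True
    return False


def effective_permissions(user: str,
                          user_roles: Dict[str, Set[str]] = USER_ROLES,
                          role_perms: Dict[str, Set[Permission]] = ROLE_PERMISSIONS) -> Set[Permission]:
    """Union of the permissions of every role the user holds."""
    perms: Set[Permission] = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def unused_grants(user: str, access_log: Iterable[str],
                  user_roles: Dict[str, Set[str]] = USER_ROLES,
                  role_perms: Dict[str, Set[Permission]] = ROLE_PERMISSIONS) -> Set[Permission]:
    """Least-privilege review: grants the user holds but did not exercise in the
    log. Log lines are constructed 'user resource action' records; candidates
    for removal at the next access review."""
    used: Set[Permission] = set()
    for line in access_log:
        who, resource, action = line.split()
        if who == user:
            used.add((resource, action))
    return effective_permissions(user, user_roles, role_perms) - used


# Constructed access log for the review period.
ACCESS_LOG = [
    "alice employee_pii read",
    "bob server_logs read",
    "bob server_logs read",
    "bob server_room enter",
]

if __name__ == "__main__":
    print("alice write PII?", is_authorized("alice", "employee_pii", "write"))
    print("mallory read logs?", is_authorized("mallory", "server_logs", "read"))
    print("bob's unused grants:", unused_grants("bob", ACCESS_LOG))
```

The review function is the "affirmative need shown" half of the slide in code: a grant that the log shows was never needed is the first thing to take away.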
SLIDE 42

III. Proactive Prevention – C. Steps – 5. Encryption of ESI

  • Especially PII & Mobile Data
  • At rest and in transit . . .
    • Email – TLS
      • Forced (mandatory: delivery fails if the peer cannot negotiate TLS)
      • Opportunistic (TLS if the peer offers it, otherwise cleartext fallback)
    • Laptops
      • BitLocker
      • FileVault
SLIDE 43

III. Proactive Prevention – C(5). Encryption of ESI

  • 1. Website & Extranet Servers (HTTPS via TLS, not legacy SSL)
  • 2. Virtual Private Network (VPN) Software
  • 3. Cloud: secure file-transfer sites (SFTP, or HTTPS-based services such as Citrix ShareFile and OneHub)
  • 4. Email Messages and Attachments [Transport Layer Security (TLS)]
  • 5. End-user devices
    • Desktop PCs and Laptops
    • Tablets and Smartphones
    • Mobile Devices and Portable Media
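How the forced and opportunistic email-TLS choices on slides 42 and 43 behave when an on-path attacker strips the server's STARTTLS advertisement, as an added Python example that is not part of the webinar. `FakeSMTP` is a constructed stand-in for `smtplib.SMTP` with no network I/O; `secure_session` calls only methods the real class also has (`ehlo`, `has_extn`, `starttls`), so a real connection can be passed in its place.

```python
"""Added example (not from the webinar): an outbound mail client applying an
opportunistic versus a forced (mandatory) TLS policy, and why only the forced
policy survives STARTTLS stripping. FakeSMTP is a constructed stand-in for
smtplib.SMTP."""
import ssl
from typing import Tuple

OPPORTUNISTIC = "opportunistic"   # use TLS if offered, else fall back to cleartext
FORCED = "forced"                 # require TLS; fail closed if it cannot be negotiated


class TlsRequiredError(Exception):
    """Raised under the forced policy when the peer does not offer STARTTLS."""


def secure_session(smtp, policy: str) -> str:
    """Send EHLO, then apply `policy`. Returns 'tls' or 'plaintext'.

    `smtp` is an smtplib.SMTP-like object: ehlo() -> (code, message),
    has_extn(name) -> bool, starttls(context=...) -> (code, message)."""
    code, _ = smtp.ehlo()
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    if smtp.has_extn("starttls"):
        # create_default_context() verifies the certificate chain and hostname;
        # without that an on-path attacker could present its own certificate.
        context = ssl.create_default_context()
        smtp.starttls(context=context)
        smtp.ehlo()          # capabilities must be re-read after the TLS upgrade
        return "tls"
    if policy == FORCED:
        raise TlsRequiredError("peer did not offer STARTTLS; refusing to send in cleartext")
    return "plaintext"       # the opportunistic policy silently downgrades here


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP with no network I/O.

    strip_starttls=True models an on-path attacker deleting the '250-STARTTLS'
    line from the server's EHLO reply so the client never attempts TLS."""

    def __init__(self, strip_starttls: bool = False):
        self.strip_starttls = strip_starttls
        self.tls_active = False
        self.esmtp_features = {}

    def ehlo(self) -> Tuple[int, bytes]:
        features = ["SIZE 35882577", "8BITMIME"]
        if not (self.tls_active or self.strip_starttls):
            features.append("STARTTLS")   # real servers stop advertising it once TLS is up
        self.esmtp_features = {f.split()[0].lower(): "" for f in features}
        reply = "\r\n".join(["mail.example.test"] + features)
        return 250, reply.encode()

    def has_extn(self, name: str) -> bool:
        return name.lower() in self.esmtp_features

    def starttls(self, context=None) -> Tuple[int, bytes]:
        self.tls_active = True
        return 220, b"2.0.0 Ready to start TLS"


if __name__ == "__main__":
    print("honest server, opportunistic:", secure_session(FakeSMTP(), OPPORTUNISTIC))
    print("stripped, opportunistic:     ", secure_session(FakeSMTP(strip_starttls=True), OPPORTUNISTIC))
    try:
        secure_session(FakeSMTP(strip_starttls=True), FORCED)
    except TlsRequiredError as exc:
        print("stripped, forced:            ", exc)
```

The opportunistic client never notices the downgrade, which is why "we use TLS for email" needs the follow-up question "forced or opportunistic, and for which destinations?". In Postfix terms, `smtp_tls_security_level = may` is the opportunistic setting and `encrypt` the forced one; `smtp_tls_policy_maps` lets you force it only for specific peers such as outside counsel or a payroll provider.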

SLIDE 44

III. Proactive Prevention – C. Steps – 6. Commuting / Travel

  • Use privacy screen/filter
  • Security When Traveling
    • Avoid using shared computers in cyber cafes, public areas or hotel business centers
    • If you must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)
    • Avoid public hotspots unless using, e.g., iPass
    • Borrow/buy MiFi device?
    • Do not use devices belonging to other travelers, colleagues or friends

SLIDE 45

III. Proactive Prevention – C(6). Commuting / Travel

  • International Travel Tips:
    • Recommended: change passwords before leaving and again upon return
    • Do not take regular laptop, tablet or phone to China
    • Potentially same re: EU travels
    • Avoid sending sensitive email messages
    • Beware: U.S. Customs & Border Protection has increased scrutiny of laptops, devices, etc.

SLIDE 46

III. Proactive Prevention – C(6). Commuting / Travel

  • Upon returning to the States, CBP asking for passwords, including to social media
    • Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)
    • Sen. Ron Wyden (OR), letter to then-DHS Secretary Kelly (2/20/17)
  • Assert attorney-client privilege (or another basis for confidentiality such as privacy?)
    • But don’t go so far as to get detained?
  • Recent guidance from CBP: www.cbp.gov/sites/default/files/assets/documents/...

SLIDE 47

III. Proactive Prevention – C. Steps – 7. Metadata

  • Metadata and Redactions
  • Metadata – Goalkeeper prompts in Workshare Protect – Example . . .

SLIDE 48

III. Proactive Prevention – C(7). Metadata

  • Metadata and Redactions
    • Workshare settings (incl. re: .pdf’s)
  • Redactions
    • Do use Adobe Acrobat Pro (its redaction tool removes the underlying text and image data)
    • Don’ts (these only hide the text visually; it stays in the file and can be copied or extracted):
      • Word: borders/shading or highlighter
      • Acrobat: text box or shapes-drawing tool
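What a metadata scrubber does to a Word file, as an added Python example that is neither Workshare's code nor part of the webinar: a .docx is a zip package, and the author, last-modified-by and revision fields the slide is worried about live in its `docProps/core.xml` member. The package built by `build_sample_docx` is a constructed minimal stand-in for a real .docx; the property names are the standard OOXML core-property names.

```python
"""Added example (not from the webinar, not Workshare's code): reading and
scrubbing the document properties (author, last-modified-by, revision, ...)
that a .docx carries in docProps/core.xml. The package built below is a
constructed minimal stand-in; a real .docx has more members (styles,
settings, comments.xml, ...) that a scrubber must handle too."""
import io
import zipfile
from typing import Dict, List
from xml.etree import ElementTree as ET

CORE_PATH = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():        # keep the usual prefixes when re-serializing
    ET.register_namespace(_prefix, _uri)

# Properties that identify people, the firm, or the drafting history.
CLEAR_FIELDS = {"creator", "lastModifiedBy", "title", "subject",
                "description", "keywords", "category"}
RESET_FIELDS = {"revision": "1"}


def _local(tag: str) -> str:
    """'{namespace}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def members(docx: bytes) -> List[str]:
    """Sorted member names of the package."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zin:
        return sorted(zin.namelist())


def core_properties(docx: bytes) -> Dict[str, str]:
    """Return {property-name: text} from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zin:
        root = ET.fromstring(zin.read(CORE_PATH))
    return {_local(el.tag): (el.text or "") for el in root}


def scrub_core_properties(docx: bytes) -> bytes:
    """Rewrite the package with identifying core properties blanked and the
    revision counter reset. Every other member is copied through unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == CORE_PATH:
                root = ET.fromstring(data)
                for el in root:
                    name = _local(el.tag)
                    if name in CLEAR_FIELDS:
                        el.text = ""
                    elif name in RESET_FIELDS:
                        el.text = RESET_FIELDS[name]
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            zout.writestr(info, data)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed minimal package standing in for a real Word file."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:dcmitype="{dcmitype}" xmlns:xsi="{xsi}">'
        '<dc:title>Settlement terms v3</dc:title>'
        '<dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>Partner, Example LLP</cp:lastModifiedBy>'
        '<cp:revision>14</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2018-01-02T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-01-20T17:45:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(**NS)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Confidential draft.</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE_PATH, core_xml)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", core_properties(sample))
    print("after: ", core_properties(scrub_core_properties(sample)))
```

Tracked changes and comments live in other members (`word/document.xml`, `word/comments.xml`) and need their own handling with the same zip-and-XML approach. The same structure is why a "redaction" done with a Word highlight or an Acrobat shape is not one: the text is still in the underlying XML or PDF content stream and comes out with any extractor, whereas Acrobat Pro's redaction tool rewrites the content.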
SLIDE 49

III. Proactive Prevention – C. Steps – 8. Netiquette

  • Social Media
  • Bcc’s
  • Emails to “All” (companywide)
  • Auto-complete
  • Reply All
SLIDE 50

III. Proactive Prevention – C. Steps – 9. Network Monitoring & Pen Tests

  • Firewall
  • Anti-Virus/Malware (incl. macros)/Spyware
  • Vulnerability Assessment / remediation
  • Spam filtering plus phishing protection (e.g., Proofpoint / Mimecast, including URL defense)
  • Periodic vulnerability assessments and penetration tests by independent consultant

SLIDE 51

III. Proactive Prevention – C. Steps – 10. Cyber-Insurance

  • First-party coverage? Third-party coverage (clients, vendors, employees, etc.)?
  • Covered by property insurance policy? CGL policy?
  • Covered by D&O and/or E&O? Crime policy?
  • If not, get separate/special coverage?
  • Get phishing endorsement?
  • Depends at least in part on:
    • Industry
    • Data types and volumes
SLIDE 52

IV. Reactive Remediation – Incident Response

FOLLOW PROCESS . . .

  • Documented response plan / procedures
  • Documented protocols / checklists
  • Internal team leaders and members identified and trained (e.g., InfoSec, Legal & Public Relations)
  • Outside contacts listed, e.g., information-security consulting firm, counsel, law enforcement & insurance carrier
  • Training – tabletop exercises, etc.
SLIDE 53

IV. Incident Response – 10. Big-Picture Process

  • Categories defined?
  • Data- and machine-handling protocol
  • Workflow/communication chart re:
    • Discover / Assess / Contain
    • Remediate / Close / Mitigate
SLIDE 54

IV. TOP TEN TIPS

FACT INTAKE . . . 4 W’s-plus

  • 9. Who, what, where, when re: info.?
  • 8. Encrypted?
  • 7. If encrypted, key compromised?

SLIDE 55

IV. TOP TEN TIPS

GET YOUR BEARINGS . . .

  • 6. If a contractual relationship:
    • Look at the contract
    • Decide if will try to negotiate re: notice
  • 5. If law enforcement is involved, open a dialogue
  • 4. See if, under strictest statute, notice trigger(s) have kicked in

SLIDE 56

IV. TOP TEN TIPS

TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .

  • 3. If MUST give notice, address required:
    • Method and Contents
      • E.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
    • Recipients (might include an AG, e.g.)
    • Timing (might be OK, under law, to delay)
  • 2. If COULD give notice, discuss customer relations with C level
  • 1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)

SLIDE 57

Q&A / Conclusion / Resources . . .

Robert D. Brownstone, Esq.
Fenwick & West LLP
<rbrownstone@fenwick.com> <tinyurl.com/Bob-Brownstone-Bio> <www.ITLawToday.com>

Brent E. Kidwell, Esq.
Jenner & Block
<bkidwell@jenner.com> <www.jenner.com/people/BrentKidwell>