Cyber Incidents: Protecting Your Future in an Ever-Changing Landscape Presented by: Chris Ralston, Partner, New Orleans Office
Cybersecurity refers to the technologies and processes designed to protect computers and networks from the unauthorized access, theft, and corruption of data by cyber criminals.
A data breach is an occurrence in which sensitive, protected, or confidential information has potentially been viewed, stolen, or used by unauthorized individuals.
Types of Information Affected • Personal Identifiable Information (PII) – 57.2% • Personal Health Information (PHI) – 27.2% • Trade Secrets – 1.4% • Other Information – 14.2%
The People Problem
The People Problem Top Causes of Data Breaches • Cyber Criminals – 43% • Employee Action – 32% • Lost/Stolen Electronic Devices – 18% • Other Criminal Acts – 7%
Cyber Crimes Phishing Ransomware • Emails/Instant Messages • Type of malware • Spear-phishing • Gains complete control • Social Media • Seeks ransom Hacking • Trojan Horse • The Onion Router • Malware • Embedded link that tricks users into installing mal icious soft ware.
Could You Be the Next TARGET?
Could You Be the Next TARGET?
Could You Be the Next TARGET?
Industries Affected – By the Numbers • 35% Healthcare Healthcare is • 16% Finance and the top industry affected at 35%. Insurance • 14% Education • 13% Restaurant/Retail/Hospitality • 9% Other • 8% Business and Professional Services • 5% Government
The Facts • 22% of all incidents attributed to network intrusions and malware • 38% of hackers target credit payment information • 20% of hackers target health information
The Facts • 55% of data breaches involved: • Social Security Numbers • Driver’s License Information • Credit Card Numbers • Bank Account Information • Usernames/Passwords • Healthcare Records
The Reality • No one is immune • Form a Response Protocol • Operational resiliency • Choose wisely • People are the problem • Trust the facts • Practice makes perfect • Communication is key
How To Be Prepared • Be vigilant • Be pro-active • Simulation • Forensic firm engagement • Be calm • Be knowledgeable
Minimize Your Risk 1. Stay aware of current cybersecurity issues 2. Require employees to use complex passwords • Change every 90 days 3. Maintain a relationship with your forensic firm 4. Create a Crisis Management plan • Where are your backups held? • What procedures are necessary to resort the system? 5. Purchase cyber security insurance
Hotel Monteleone Case An example of why it is important to have cyber coverage and to understand the extent of coverage • In 2013, the hotel suffered a cyberattack which resulted in the theft of credit card numbers • The credit card companies fined the hotel “in excess of $200,000” • The hotel had no cyber policy for the 2013 cyberattack • After the 2013 cyberattack, the hotel purchased a cyber policy with a $3 million limit for various coverages and a $200,000 sublimit for PCI fines and penalties • In 2014, the hotel suffered another cyberattack which again resulted in the theft of credit card numbers • The hotel tendered its claim to its cyber insurer which took the position that coverage was limited to the $200,000 PCI fines and penalties sublimit; the hotel argued that it was entitled to the full $3 million policy limit for privacy and security liability
Forensic Data • Invaluable Information • Forensic Firms • Average: 44 days after Discovery • Investigatory Research • Average: $93,322
The Numbers Average Detection Time: • 61 days after Occurrence Average Containment Time: • 8 days after Discovery Average Forensic Analysis: • 40 days after Discovery Average Notification Disbursement: • 41 days after Discovery
Notification • Average number of individuals notified in 2016: 77,230 • Number of 2016 incidents that required notification: 257 • 56% of total incidents • Less than 5% of notified individuals filed lawsuits. • Healthcare: • 163 incidents • 91 led to notifications (56%) • 3 lawsuits filed
Notification: Information Seeking • Detailed outline of incident • Description of incident • Details on discovery process • Copies of corporate data security policiesprocedures. • Details on remedial measures • Details of mitigation efforts • Example: Credit Monitoring System
Louisiana’s Security Breach Law Louisiana Database Security Breach Notification Law • La. R.S. 51: 3071 et. seq. • Requires risk of harm analysis to determine notification necessity. • “ Notification is not required if, after reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers .” Louisiana does not require entities to offer one year of credit monitoring.
Notice To Attorney General or Other State Agency “When notice is required, the entity must also provide written notice to the Consumer Protection Section of the Louisiana Attorney General’s office .” • Notice must include: • Details of the breach • Names of all Louisiana citizens affected • Notice to the state’s Attorney General must be timely • Received within 10 days of distribution of notice to customers • Failure to notify deemed a separate violation
Security Breach Litigation: Louisiana Law “ A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system, resulting in the disclosure of a person’s personal information.”
Louisiana Data Breach Statute Substitute Notification Available if cost of providing notification would exceed $250,000 or that the affected class of persons to be notified exceeds $500,000, or the agency or person does not have sufficient contact information. • Email notification • Conspicuous posting of the notification on the Internet site of the agency or person • Notification to major statewide media
Defense Strategy: The Standing Requirement Federal Article III § 2 requires: 1. An injury-in-fact; 2. Causal connection; and 3. Injury will be redressed by favorable decision. • Clapper v. Amnesty Int’l USA (U.S. 2013) (J. Alito) • Plaintiffs lacked Article III standing because no injury occurred. • Incurring costs to protect sensitive information, though burdensome, does not satisfy federal Case or Controversy Requirement. “… they cannot demonstrate that future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” – Justice Alito
Value of Personal Information • Plaintiffs argue data breaches cause injury. • Their confidential information has monetary value because criminals’ are willing to pay for it on the black market • Commonly Asserted Theories: • Breach of contract • Negligence • Motions to Dismiss • Average: 303 days – Time it took from date the complaint was filed to date the court ruled on the motion. • 53% granted in part • 33% granted
Louisiana Decisions Mathieu v. Imperial Toy Corp. (La. 1994) (J. Kimball) • Sets out the elements Plaintiff must prove for liability to attach • For negligence, duty/risk analysis will apply Ponder v. Pfizer, Inc. (M.D. La. 2007) (J. Brady) • Without actual damages, no ability to state a claim Melancon v. La. Office of Student Fin. Assistance (E.D. La. 2008) (J. Barbier) • Mere possibility of confidential information at risk does not constitute actual harm • Case law on standing in data breach cases is still in infancy stage Green v. eBay Inc. (E.D. La. 2015) (J. Morgan) • Increased risk of future identity theft/fraud does not constitute certainly impending injury and does not confer Article III standing • Intention to cause injury and/or to profit from stolen data will not be presumed Bradix v. Advance Stores Co., Inc. (E.D. La. 2016) (J. Morgan) • Federal courts have SMJ under the Class Action Fairness Act (“ CAFA ”) • Possible remand if no injury in fact
Ponder v. Pfizer, Inc. 522 F.Supp.2d 793 (La. 2007) “ Notification, which ‘shall be made in the most expedient time possible and without unreasonable delay,’… ” – Id. at 796. “ The Court, however, finds that the Plaintiff’s complaint does not allege that he suffered any actual damage – that someone actually used the disclosed information to his detriment.” – Id. at 798
Barnes & Noble In re Barnes and Noble Pin Pad Litigation (N.D. Ill. 2017) (J. Woods) • Class action complaint was dismissed with prejudice. • The class representatives failed to show economic damages • Judge held these are not actual economic injuries: 1. A block on your bank accounts 2. Time spent sorting out your financial affairs 3. The purchase of credit monitoring services
Role Of Attorney In Cybersecurity • Consultant/Risk Assessment Pre-incident • Incident Response Assessment • Defense Counsel – Regulatory, Litigation • Use of Outside Counsel Provides Added Layer of Confidentiality and Privilege at Each Phase of Cyber Incidents
“ It is not a question of if you’ll be hacked, but WHEN you’ll be hacked.”
Recommend
More recommend
