Mitigating D&O Liability Exposure for Data Privacy and - - PowerPoint PPT Presentation



SLIDE 1

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches

Reducing D&O Risk With Internal Controls, Insurance, and Indemnification; Defending Derivative Lawsuits

TUESDAY, JUNE 23, 2015, 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

  • Sharon R. Klein, Partner, Pepper Hamilton, Irvine, Calif.
  • Larry Racioppo, Senior Vice President, USI Insurance Services, Westport, Conn.
  • Angelo A. Stio, III, Partner, Pepper Hamilton, Princeton, N.J.

SLIDE 2

Tips for Optimal Quality

Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about CLE credit processing call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

SLIDE 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
  • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

SLIDE 5

Mitigating D&O Liability Exposure For Data Privacy And Cybersecurity Breaches

Sharon R. Klein, Larry Racioppo, Angelo A. Stio III

SLIDE 6

Speakers

  • Sharon R. Klein: 949.567.3506, kleins@pepperlaw.com
  • Angelo A. Stio III: 609.951.4125, stioa@pepperlaw.com
  • Larry Racioppo: 203.291.2015, Larry.Racioppo@usi.biz

SLIDE 7

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches

TOPICS

  • Recent focus on data privacy and security issues
    − Analysis of Major Breaches
    − Consequences of Breach
  • Duties of Directors and Officers
    − Duty to Warn
    − Duty to Protect
  • Class Actions and Derivative Suits
  • Insurance
  • Practical Considerations

SLIDE 9

Recent Focus on Data Privacy and Security Issues

Chair Mary Jo White - SEC Cybersecurity Roundtable – March 2014

    − “This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”

SEC Commissioner Luis Aguilar – Cyber Risks and the Boardroom Conference – June 2014

    − 42% increase between 2011 and 2012 in the number of successful cyber-attacks per week.
    − “[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

SLIDE 11

Major Drivers to a Higher Cost of Data Breach in 2015

  • Cyber attacks have increased in frequency
  • The consequences of lost business are having a great impact on the cost of data breach
  • Data breach costs associated with detection, escalation and remediation increased

SLIDE 12

2014 / 2015 Witnessed Major Breaches

  • Target
  • Home Depot
  • Anthem
  • Premera
  • Sony
  • J P Morgan Chase & Company

SLIDE 13

Factors that Increase Cost

  • Third Parties
  • Rush to Notify
  • Lost or Stolen Devices

SLIDE 14

Factors that Decrease Cost

  • Incident Response Team
  • Encryption
  • Employee Training
  • Appointing Chief Information Security Officer
  • Board Involvement
  • Insurance

SLIDE 16

Data Breach Consequences

  • Harm to individual
  • Costs of notice and remediation
  • Regulatory action
  • Fines and penalties
  • Potential lawsuits
  • Loss of business, resources and employee time
  • Damage to brand and reputation
  • Disruption

SLIDE 19

Duties of Directors and Officers

  • Directors are liable for oversight of Company affairs due to their fiduciary duties of loyalty and due care
  • Cyber liabilities due to disclosure of personally identifiable information and trade secrets are known material risks
  • Standard of Care as to cyber liability generally can be categorized into regulations dealing with:
    − Duty to warn
    − Duty to protect

SLIDE 20

Duty to Warn

  • SEC Guidance
  • Data Breach Laws and Regulatory Requirements

SLIDE 21

Duty to Warn: SEC Guidance

SLIDE 22

Duty to Warn: SEC Guidance

SEC Guidance: Disclosure

  • Cybersecurity risks and cyber incidents are required to be disclosed when:
    − Necessary in order to make other required disclosures not misleading.
    − They are such that a reasonable investor would consider them important to an investment decision.
  • No existing specific disclosure requirement.
  • Registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

SLIDE 23

Duty to Warn: SEC Guidance

SEC Guidance: Disclosure

  • Places reporting companies may need to include disclosure:
    − Risk Factors
    − MD&A
    − Description of the Business
    − Legal Proceedings
    − Financial Statement Disclosures
    − Disclosure Controls and Procedures

SLIDE 24

Duty to Warn: SEC Guidance

SEC Guidance: Disclosure

  • Is a Form 8-K required after a breach? No (not yet)
  • Some companies have elected to file under item 8.01 (Other Information)
  • Some companies have taken the position that they notify the public of a breach in other ways and an 8-K is unnecessary.
    − Pros: Eliminate any potential insider trading, don’t raise flags with the SEC, disclosure can be copied from breach notices
    − Cons: Imperfect information

SLIDE 25

Duty to Warn: Target Breach

SEC Disclosure

  • Filed an 8-K in late February in connection with its earnings release
    − Updated risk factors that could affect forward-looking statements in the release (including cybersecurity risks)
    − Total of 18 risk factors, 5 relating to the incident
  • Filed 10-K on March 14.
    − Disclosures re breach included in: Risk Factors, Legal Proceedings, MD&A (executive summary subpart) and Financial Statement footnotes (commitments and contingencies)
    − Target recorded $61 million in breach-related expenses, with insurance covering $44 million for net expenses of $17 million
    − Did not estimate losses resulting from litigation, enforcement and related fines

SLIDE 26

Duty to Warn: Target Breach

Target 8-K: Risk Factors

    − Our continued success is substantially dependent on positive perceptions of Target which, if eroded, could adversely affect our business and our relationships with our guests and team members.
    − The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.

SLIDE 27

Duty to Warn: Target Breach

Target 8-K: Risk Factors

    − Our failure to comply with federal, state, local and international laws, or changes in these laws could increase our costs, reduce our margins and lower our sales.
    − A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.

SLIDE 28

Duty to Warn: Target Breach

Target 8-K: Risk Factors

    − We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

SLIDE 29

SEC Cybersecurity Risk Alert

  • The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on its cybersecurity initiative on April 15, 2014.
  • The OCIE will initially examine 50+ broker-dealers and registered investment advisers re cybersecurity issues, with a focus on the following issues:
    − Cybersecurity governance
    − Identification & assessment of cybersecurity risks
    − Protection of networks & information
    − Remote customer access and funds transfers
    − Vendors & third parties
    − Detection of unauthorized activity
    − Experiences with certain cybersecurity threats

SLIDE 30

SEC Cybersecurity Risk Alert

  • OCIE included a sample questionnaire that closely tracked the NIST Framework released in February.
  • Focus on written policies:
    − Information security policy
    − Business continuity plan
    − Guidance for employees re security risks/responsibilities
    − Data destruction policy
    − Cybersecurity incident response policy
    − Vendor and business partner security policy

SLIDE 31

Duty to Warn: Data Breach Law and Regulatory Requirements

  • State Privacy Laws
    − 47 states have data breach notification legislation
    − Identity theft legislation to protect personal information including social security numbers, bank account information, credit card information
    − Federal privacy legislation generally does not control/preempt state laws.

SLIDE 32

Duty to Warn: Data Breach Law and Regulatory Requirements

  • Federal Agencies impose specific requirements on content and timeframe of Data Breach notification:
    − Office of the Comptroller of the Currency (OCC)
    − Federal Deposit Insurance Corporation (FDIC)
    − Department of Health and Human Services (HHS)
    − Federal Trade Commission (FTC)

SLIDE 34

Duty to Protect

  • Company safeguards for consumer data
  • Third party scrutiny

SLIDE 35

Duty to Protect

Federal and State Laws

    − FTC Regulations
    − SEC FINRA
    − NIST Security/Privacy Framework
    − Gramm-Leach-Bliley Act
    − HIPAA / HITECH
    − COPPA
    − FCRA
    − FACTA
    − State data security laws that impose obligations to secure and dispose of data. Laws are often broader than federal laws (see, e.g., CA, MA, NV)

SLIDE 36

FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)

  • Congress has been unable to pass a Federal Privacy Bill
  • FTC Report is a blueprint for self-regulatory best practices.
  • (1) “Privacy by Design”:
    − Promote privacy throughout the organization and at every stage of development of products and services
    − Delete consumer data no longer needed and allow consumers to do the same
    − Provide reasonable security for data
    − Limit collection of data (consistent with context of particular transaction)
    − Implement reasonable data retention and disposal policies
    − Maintain reasonable accuracy of data

SLIDE 37

FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)

  • (2) Simplify Consumer Choice:
    − Provide consumer choice for any communications not related to original transaction
    − “Do Not Track” mechanisms allow consumer to control collection and use of their online data
    − Certain choices require consumer to “opt in”
  • (3) Improve Transparency to Consumers:
    − Clearer and shorter privacy notices
    − Provide access to consumer data
    − Educate consumers about company’s data privacy practices

SLIDE 38

FTC Red Flags Rule – 16 C.F.R. 681

  • Requires companies to implement Identity Theft Protection programs that identify warning signals to alert a company of the risk of identity theft, to detect and to deal with identity theft when it occurs
  • Other regulations exist:
    − OCC (12 C.F.R. 41)
    − Federal Reserve (12 C.F.R. 222)
    − FDIC (12 C.F.R. 334, 336)
    − OTS (12 C.F.R. 571)
    − NCUA (12 C.F.R. 717)

SLIDE 39

SEC/FINRA

  • Reg S-P
    − Privacy Rule - requires “financial institutions” - brokers, advisers, insurance companies, etc. to:
      • provide an annual notice of their privacy policies and practices to their customers
      • describe the institutions’ policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.
      • provide a consumer a reasonable opportunity to direct the institution not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties.

SLIDE 40

SEC/FINRA

  • Reg. S-P
    − Rule 30 – Safeguard Procedures:
      • adopt written policies and procedures for the protection of customer information and records
        − Administrative
        − Technical
        − Physical
      • protect against any anticipated threats or hazards to the security or integrity of customer records and information, and against unauthorized access to or use of customer records or information.

SLIDE 41

NIST Framework

  • Provides standards and best practices for organizations to:
    − Describe their current cybersecurity posture;
    − Describe their target state for cybersecurity;
    − Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
    − Assess progress toward the target state;
    − Communicate among internal and external stakeholders about cybersecurity risk.

SLIDE 42

NIST Framework: Core

  • Identify
    − Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
  • Protect
    − Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect
    − Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.

SLIDE 43

NIST Framework: Core

  • Respond
    − Develop and implement the appropriate activities to take action regarding a detected cybersecurity event and contain its impact.
  • Recover
    − Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

SLIDE 44

Scrutiny of Third Party Relationships

  • Liability the same as if company performed activity
  • Risk Management Process
    − Risk assessment
    − Due diligence in third party selection
    − Contract structuring
    − Oversight/audit

SLIDE 45

Target Breach

SLIDE 46

Scrutiny of Third Party Relationships

  • Contract Structuring
    − Compliance with all laws/regulations
    − Access to records by company and its regulators
    − Prohibition on subcontracting
    − Performance standards/SLAs
    − Monitoring/audits

SLIDE 47

Scrutiny of Third Party Relationships

  • Contract Structuring (con’t.)
    − Compliance with company’s privacy/security policies
    − Business continuity/disaster recovery plans
    − Indemnification
    − Exclusion of data breach from the limitation of liability
    − Insurance coverage

SLIDE 49

Class Actions and Derivative Suits

  • Courts have been skeptical about data breach claims.
    − A body of case law exists dismissing claims for lack of standing where there are no actual damages; fear of identity theft or purchasing credit monitoring is not enough. See Clapper v. Amnesty International, Inc., 133 S.Ct. 1138 (2013); In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, No. 12-347 (D.C. May 9, 2014).
    − Typical claims include: negligence, breach of fiduciary duty, UDTPA violations, invasion of privacy, unfair competition, violation of state data notification laws.

SLIDE 50

Class Actions and Derivative Suits

More and more class actions are being filed as the Plaintiffs’ bar gets more creative:

  • alleging violations of statutes that provide statutory damages
  • asserting unjust enrichment claims alleging customers paid monies with the understanding their data would be protected, and therefore defendant was unjustly enriched by the acceptance of payment without providing adequate data protection
  • alleging an implied contract arising from a company’s privacy policy that contains language that the company complies with state and federal laws
  • alleging product liability claims related to defective security (CAN-Bus system litigation)

SLIDE 51

Class Actions and Derivative Suits

In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. 2014)

  • Putative class action based on a data breach.
  • Plaintiffs’ allegations that their personal information was collected by defendant and then wrongfully disclosed as a result of the intrusion were sufficient to establish Article III standing at the motion to dismiss stage.
  • Plaintiffs claim economic injury in the form of (1) loss of the unencumbered use of their passwords; (2) their passwords were obtained by a third party without their consent; (3) they were unable to access Sony Online Services during the time the PlayStation network was temporarily disabled; (4) certain applications and products that can only be accessed via the network were rendered worthless during the brief interruption in PlayStation service; and (5) their Consoles diminished in value as a result of Sony's failure to secure the network and/or the extended time during which the network was disabled.
  • Consumer protection law statutes allowed to survive motion to dismiss.
  • Case settled for $17.75 million, including $2.75 million in attorneys’ fees.

SLIDE 52

Class Actions and Derivative Suits

Target Class Actions

  • Consumers asserting claims for negligence, breach of fiduciary duty, and violations of consumer protection laws
  • Banks and Credit Unions seeking damages for, among other things, cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards
  • April 2, 2014, transfer order by Judicial Panel on Multi-District Litigation entered transferring all class actions to District of Minnesota and assigned to District Judge Paul A. Magnuson.
  • The U.S. Department of Justice and State Attorneys General, led by Illinois and Connecticut, are investigating the matter.
  • Consumer case settles - $10 million
  • Banks and Credit Unions’ case survives motion to dismiss

SLIDE 53

Class Actions and Derivative Suits

STOCK DROP CLASS ACTIONS

  • In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
    − December 2007, cyber attack on Heartland computer system that infects the entire payment processing system.
    − Loss of personal information on 130 million credit and debit card owners.
    − Heartland did not discover this breach until early 2009.
    − Heartland's stock falls by a total of 80%, resulting in a suit by shareholders who purchased stock in 2008.

SLIDE 54

Class Actions and Derivative Suits

  • In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
    − Investors allege fraud on the basis that Heartland misrepresented the state of its computer network security.
    − The claims are based on Heartland publicly stating it was committed to maintaining high levels of data security, after Heartland discovered the breach but before the breach was disclosed to the public.

SLIDE 55

Class Actions and Derivative Suits

  • In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
    − On motion to dismiss, Court finds that the security breach alone did not demonstrate that the company failed to “place significant emphasis on maintaining a high level of security.”
    − Plaintiffs could not allege Heartland knew or had reason to suspect that its security systems were so deficient that it was false to say that Heartland “place[s] significant emphasis on maintaining a high level of security.”
    − “[A]fter-the-fact speculation by a handful of lower-level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.”

SLIDE 56

Class Actions and Derivative Suits

SHAREHOLDER DERIVATIVE SUITS

  • Palkon v. Wyndham Worldwide, et al., 2:14-cv-01234 (D.N.J. May 2, 2014)
    − Derivative suit against officers and directors of Wyndham related to three data breaches between April 2008 and January 2010.
    − 619,000 consumer payment card account numbers are compromised.
    − Suit alleges that officers and directors failed to ensure that Wyndham and its subsidiaries implemented adequate information security policies and procedures, used an out-of-date network and then failed to timely disclose breaches in Company filings.
    − Asserts claims for breach of fiduciary duty (loyalty and care), corporate waste and unjust enrichment and seeks to recover damages suffered by company, remedial action with respect to corporate governance and internal procedures and disgorgement of profits and compensation.
    − Motion to dismiss is granted.
  • Board adequately addressed demand and refusal to pursue claims protected by business judgment rule

SLIDE 57

Class Actions and Derivative Suits

SHAREHOLDER DERIVATIVE SUITS

  • Palkon v. Wyndham Worldwide, et al., 2:14-cv-01234 (D.N.J. May 2, 2014) cont’d
    − Board considerations:
      • hold meetings to discuss data security, resources and plan
      • engage technology consultants to assess data security
      • have board committee tasked with data security
      • discussion at board level about breaches or attacks and remediation
      • expertise on board
      • engagement of outside counsel to advise on legal consequences

SLIDE 58

Class Actions and Derivative Suits

SHAREHOLDER DERIVATIVE SUITS

  • Kulla v. Target Corp., et al., 0:14-cv-00203 (D.Minn. Jan. 21, 2014)
  • Collier v. Target Corp. et al., 0:14-cv-00266 (D.Minn. Jan. 29, 2014)
    − Derivative suits against officers and directors of Target arising from largest data breach in history.
    − Millions of consumer payment card account numbers are compromised.
    − Suit alleges that officers and directors were aware of importance of security of customer information and risks a data breach could present, yet failed to take reasonable steps to maintain its customers’ personal financial information and failed to implement internal controls to detect and prevent a breach. Complaint also contends defendants failed to take proper steps to respond.
    − Claims for breach of fiduciary duty (loyalty and care), aiding and abetting, corporate waste and unjust enrichment and seeks to recover damages suffered by company, remedial action with respect to corporate governance and internal procedures and disgorgement of profits and compensation.

SLIDE 59

Class Actions and Derivative Suits

SHAREHOLDER DERIVATIVE SUITS

Common Themes:

  • Duty to warn
  • Duty to protect
    − A sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists — will establish the lack of good faith. In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).

SLIDE 60

Class Actions and Derivative Suits

SHAREHOLDER DERIVATIVE SUITS

Potential Defenses:

  • Lack of standing – no damage
  • Failure to plead requirements of derivative suit
  • Business judgment rule
  • Director exculpation clause
  • No misrepresentations/No Concealment
  • Company has internal controls which Board oversees and monitors

SLIDE 62

Insurance

Potential Insurance Solutions

  • Directors & Officers (D&O) Insurance
  • Errors & Omissions (E&O) Insurance
  • Network Security/Privacy (“Cyber”) Insurance

SLIDE 63

Insurance

What Does a D & O Policy Cover?

  • Loss arising from third party “Claims” made (during the policy period) alleging a Wrongful Act in one’s capacity as a Director or Officer of the Organization
  • Lack of oversight
  • Failure to take action
  • “Liability” cover, so policy is not triggered until Claim is made
  • No front-end “Breach Response Coverage”
  • Generally intended to respond to Claims brought by shareholders/investors
  • Derivative Actions (including sub-limit for Derivative Demand Investigations)
  • Direct Claims
  • Definition of Claim typically includes Formal Regulatory Proceedings and Formal Investigations (for Insured Persons)
  • Entity coverage for public companies limited to Securities Claims
  • Informal Investigations of Insured persons may be available for certain risks
  • Potential Exclusions to consider

SLIDE 64

Insurance

What Does an E & O Policy Cover?

  • Claims brought by 3rd parties (customers) for Wrongful Acts in the rendering or failing to render “Professional Services”
  • “Liability” cover, so policy is not triggered until Claim is made
  • No front-end “Breach Response Coverage”
  • No coverage for Regulatory Claims (unless Regulatory Agency is bringing Claim as a customer)

SLIDE 65

Insurance

What Does a Cyber Policy Cover?

Security/Privacy Liability

First Party: Other Business Costs

  • Business interruption
  • Data repair/replacement
  • Cyber-extortion
  • Cyber-terrorism

First Party: Breach Notice Costs

  • Forensic Investigation
  • Crisis management/PR
  • Notification costs
  • Credit monitoring/I.D. Recovery

Third Party: Civil Lawsuits

  • Consumer class action
  • Corporate or financial institution suits
  • Credit card brands
  • PCI fines, penalties, and assessments

Third Party: Regulatory Actions

  • State AG investigations
  • FTC investigations
  • Health & Human Services
  • Foreign Privacy Entities

SLIDE 66

Insurance

Recent Trends/State of the Market

  • Breaches getting more publicized
  • Breaches getting larger in scale
  • Companies are being held accountable
  • Insurance market remains competitive
  • Tougher classes (Healthcare, Retail) underwritten more closely

SLIDE 67

Insurance

Key Coverage Considerations

Current “Hot Button” Issues for Insurers

  • Data/Confidential Info – Types/How much?/location
  • Encryption (Safe harbor) – At rest, in motion, backup, mobile devices
  • POS Systems & Software – Patches/updates/controls
  • Use of cloud vendors – who and what services (payroll, payments, services, etc.)
  • Vendor Controls – Due Diligence/Contracts/Data shared/Access control
  • Network Access – How and who accesses your network remotely?
  • Subsidiary acquisitions – Due diligence, conversion process
  • Additional risk mitigation controls – What else are you doing?

SLIDE 69

Practical Steps Companies Must Take

Preparation → Detection → Analysis and Prioritization → Investigation and Mitigation → Notification → Post-incident Activity

SLIDE 70

Practical Steps Companies Must Take

1. Preparation
    − self-assessment
    − know legal requirements
2. Detection
    − monitor compliance
3. Analysis and Prioritization
    − which states/countries
    − which law enforcement/regulators
4. Investigation and Mitigation
    − analyze root cause
    − mitigate/remediate loss
5. Notification
    − send individual, substitute notice
    − engage public relations
    − notify insurance carrier(s)
6. Post-incident activity
    − incorporates lessons learned

SLIDE 71

Practical Steps: Preparation

  • Set up an inter-disciplinary team
    − IT
    − Physical security
    − Human resources
    − Enterprise Risk
    − Compliance
    − Communications
    − Legal

SLIDE 72

Practical Steps: Preparation

  • Self Assessment:
    − Analyze cyber risks throughout collection, transmission, use, storage, destruction
    − Assess security infrastructure, connectivity, cloud for malware/misuse
    − Audit third parties and applications
    − Develop incident response programs
    − Obtain consent for collection of personally identifiable information

SLIDE 73

Practical Steps: Preparation

  • Establish written policies and procedures to regulate compliance
    − Institute a privacy policy (data collection, sharing and retention/destruction)
    − Adopt a BYOD policy and appropriate safeguards
    − Institute a business continuity plan
  • Put a cybersecurity insurance policy in place or review/upgrade current policy

SLIDE 74

Practical Steps: Detection

  • Set up intrusion detection/firewalls and contract for technology to assist with detecting and managing risk
  • Establish a process for reporting suspicious activity
  • Assess and mitigate transactional risk
    − Inheriting risks from a target in an acquisition; include appropriate counsel in diligence review
    − Agreements with vendors/suppliers should include provisions safeguarding systems and data and appropriate SLAs
    − Agreements with customers/clients should address risks, allocate responsibility (for agreements with other businesses) and establish a venue for claims

SLIDE 75

Practical Steps: Analysis and Prioritization

  • Identify all applicable laws and regulatory requirements
  • Establish appropriate law enforcement contacts and relationships with the regulators
  • Evaluate the current compliance structure
    − Attorney-Client privilege protection for gap analysis
    − Set up a system regulating the access to data, OR
    − Amend, expand or streamline existing system as needed.

SLIDE 76

Practical Steps: Investigation and Mitigation

  • Undertake Fact-Finding Protected by Attorney-Client Privilege
  • Work with Forensics Consultants/FGIS to Contain Breach
  • Document Each Step of the Investigation Findings
  • Technical Mitigation to Correct Cause of Breach
  • Legal Mitigation to Update Policies/Procedures
  • Address Personnel Issues: Educate Employees

SLIDE 77

Practical Steps: Notification

  • Internal Notification
    − Notify the Breach Incident Response Team
    − Provide Employee Awareness
  • External Notification
    − Consumers whose data has been breached
    − Law enforcement
    − Attorneys general
    − Consumer agencies
    − Regulators
    − Investors
    − Data protection authorities
    − Insurance

SLIDE 78

Practical Steps: Post Incident Activity

  • Review and determine the adequacy of:
    − Incident response team model
    − Policies/procedures
    − Response tools and resources
    − Training of employees
    − Integrity of third parties
    − Documentation and reports

SLIDE 79

Questions & Answers