Presenting a live 90-minute webinar with interactive Q&A Data Breaches and Cyber Liability: What Commercial Litigators Need to Know Protecting and Defending Against New and Emerging Cyber Risks WEDNESDAY, JUNE 3, 2015 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific Today’s faculty features: Antony P . Kim, Partner, Orrick Herrington & Sutcliffe , Washington, D.C. Christina Guerola Sarchio, Partner, Orrick Herrington & Sutcliffe , Washington, D.C. Joseph J. Siprut, Founder and Managing Partner, Siprut , Chicago The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10 .
Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-871-8924 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about CLE credit processing call us at 1-800-926-7926 ext. 35.
Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to “Conference Materials” in the middle of the left - • hand column on your screen. • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program. • Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon. •
Data Breaches and Cyber Liability What Commercial Litigators Need to Know Christina Guerola Sarchio, Orrick Antony P. Kim, Orrick Joseph J. Siprut, Siprut PC
Data Breach Occurrences Over 500 million personal information records stolen - IBM security services Companies reporting financial loss of $20 million or more from cyber attacks increased by 92% -Study Sample by PwC In 2014, over 25 billion attacks on Japanese Govt. 6
Costs Incurred from Data Breach Average Loss to Organization In 2012 In 2014 Average Total Cost $5.5 million $6.5 million (direct and indirect expenses, e.g., forensic experts, outsourcing hotline support, free credit monitoring, discounts, customer loss, diminished customer acquisition) Cost per compromised record $188/record $217/record Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States Averages based on study of smaller breaches of 5,000 to 99,000 records Breaches >100,000 records excluded because they would “skew” the results 7
Common Components of Costs 8
LEGAL LANDSCAPE
U.S. “Cyber Law” Framework • In U.S., no comprehensive privacy and security legislation • Laws that impose civil or criminal liability for hacking – Computer Fraud and Abuse Act, ECPA, Wiretap Act; state laws • Laws that require implementation of security measures – Gramm Leach Bliley Act; Health Insurance Portability Accountability Act – State law requirements (CA, MA, NV and progeny) • Laws that require notification of breaches – 47 state laws, plus D.C., Guam, P.R., V.I.; HIPAA / Hi-Tech Act – Dozens of federal notification law proposals • Contractual legal obligations – Privacy policies, Terms of Use, Marketing materials – Payment Card Industry Data Security Standard (PCI-DSS) • Regulatory Enforcement Actions/Resolutions (Consent Decrees) – FTC, FCC, FINRA, SEC, State AGs, Office of Insurance Commissioner, etc. etc. 10
Regulator Investigations • What are regulators checking? – Deceptive statements and “unfair” practices (see FTC and “baby FTC acts”) – Have you implemented “readily available” technology (e.g., basics: patch management, encryption, 2FA) and “reasonable” practices, including requirements in any specific security statutes? – Have you used any government or industry guidelines (e.g. NIST, ISO)? • What information do regulators review in the wake of a breach? – Breach notifications; timing; remedies offered; law enforcement cooperation – Breach forensics, reports/findings re: attack vector, data accessed, numbers – Pre-breach security audits and risk assessments, by company or third-party – Information security plan (e.g., “WISP”); Incident response plan (IRP) – Employee handbooks and training materials – Vendor and service-provider management – Privacy policies and other promises made to consumers about security – Interviews with company personnel knowledgeable about security practices – Other documents and information (usually via CID) 11
DATA-RELATED LAWSUITS
Business Practices Subject to Litigation • Telemarketing • E-mail scanning for targeted advertising • Point of Service Data Collection • Data security 13
Industries Subject to Data-Related Lawsuits • Retailers • Health • Financial Services • Debt Collectors • Hospitality/Restaurants • Internet-based Companies • Social Media • Insurance 14
Data-Related Lawsuits: CONSUMERS Individuals, on behalf of a class of consumers, may bring suits under the following statutes or legal theories: – Telephone Consumer Protection Act – Fair Credit Reporting Act – POS Collection Statute – Breach of Contract – Electronic Communications Privacy Act – Wiretap Act – Video Privacy Protection Act – Stored Communications Act – Unjust Enrichment – Unfair Competition Law – Negligence – Common Law Fraud – Computer Fraud and Abuse Act 15
Defenses in Data Breach Litigation: STANDING • Clapper v. Amnesty International USA , 133 S. Ct. 1138 (2013) – To bring suit in federal court, must establish Article III standing, that plaintiff suffered an “injury in fact” that is “actual” or “imminent” – While personal information may have been lost or compromised, if not yet misused, claims are indefinite and speculative – In Clapper , the US Supreme Court rejected a challenge to the constitutionality of a federal electronic surveillance statute, holding that mere fear of government interception of electronic communications is too speculative to confer legal standing – Clapper stressed that standing requires a “substantial risk” of actual harm — not simply a generalized fear of future consequences 16
Dismissals of Data-Breach Litigation: STANDING • In re Barnes & Noble PIN Pad Litig. (N.D. Ill. 2013): an alleged “risk to Plaintiffs of suffering some actual injury due to the security breach,” such as identity theft, is insufficient to convey standing • Galaria v. Nationwide Mutual Insurance (S.D. Ohio 2014): “an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in- fact” without allegations or facts suggesting that this harm is “certainly impending” • P.F. Chang (N.D. Ill. 2014): plaintiffs failed to show “an unreimbursed charge” on their payment cards such that plaintiffs could demonstrate an actual injury, and that the opportunity cost of not having a credit or debit card for the days between learning about a fraudulent charge and receiving a new card “is not a cognizable injury” • eBay (E.D. La. 2015): “mitigation expenses do not qualify as injury-in-fact when the alleged harm is not imminent. Therefore, Plaintiff’s allegations relating to costs already incurred or that may be incurred to monitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes. ” 17
Creative Plaintiff Arguments: STANDING • Moyer v. Michaels Stores, Inc. (N.D. Ill. 2014): Clapper should be limited to cases involving national security Alleging a “ credible threat of impending harm ,” that is “both real and immediate, not conjectural or hypothetical” ( In re: Sony Gaming Networks and Customer Data Security Breach Litig. , S.D. Cal. 2014) • In re Adobe Sys. Privacy Litig. (N.D. Cal. 2014): Deliberative nature of a breach suggests a greater danger of improper use • In re: Target Corporation Customer Data Security Breach Litig. (D. Minn. 2014): Charges and financial damages “fairly traceable” to breach, including unlawful charges that went unreimbursed for long periods of time and restricted or blocked bank accounts, resulting in late payment charges, an inability for the plaintiffs to pay other bills, and additional fees 18
Recommend
More recommend
