Perkins Coie LLP

Cybersecurity and Data Protection

What you need to know and how to be prepared

December 2017

Kevin R. Feldis

Attorney Work Product


Page 2

The Current Threat Environment

A Growing Risk of Cyber Attacks and Data Breaches


Page 6

The Internet Ecosystem and The Ubiquity of Personal Information

Internet usage increasing

• 3.89 billion Internet users (50% of world)

• Reaching far corners of the earth

Device usage increasing

• 12 billion internet-connected devices worldwide (21 billion by 2020)

• Average American owns 4 internet-connected devices

More diverse & data-rich services offered

• Medical, Financial, Personal Fitness

• Children (Facebook’s Messenger Kids)

• IoT, Smart Homes, Wearables

• Artificial Intelligence (AI)

Page 8

CloudPets “Smart” Toys

Wi-Fi/Bluetooth enabled audio messages through toys

Page 9

CloudPets company was hacked, exposing data of 800,000 customers and 2 million voice messages from “smart” teddy bears (February 2017)

Page 11

Diverse Threat Actors

1. Nation-state actors

• Highly resourced & sophisticated

• Target critical infrastructure, ISPs, large corporations, gov. contractors

• Propaganda & information value

• Advanced Persistent Threats *

• Examples = Las Vegas Sands, Anthem, OPM, Sony, Equifax (?)

2. Organized Crime/Other Criminals

• Personal Identifiable Information, credit cards, data

• Black market for stolen data – Dark Web

• Examples = Target, Home Depot, Uber

3. Hacktivists

4. Lone Wolves

Page 14

The Nature of the Threat

• In Chinese intrusion cases (coming from China) handled by Mandiant, 94% of the victim companies didn't realize their networks had been breached until someone else told them.

• On average, companies' networks had been breached for 416 days before the intrusion was detected.

"Nation-states willing to spend unlimited amounts of money for technology, intelligence gathering, and bribery can overcome just about any defense."

-- Alan Paller, Director of Research, SANS Institute

Page 15

Increased Data Breaches

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 17

• Personal Information of 57 million customers and drivers

• 3 potential class action lawsuits

• Attorneys General investigations in three states

• LA City Attorney lawsuit

• Federal Trade Commission inquiry


Page 21

The Cyber Legal and Regulatory Landscape

Page 22

Increased Litigation & Regulatory Risk

Increasing risk of litigation and regulation

• Growing class of plaintiffs: Consumers, shareholders, financial institutions, third parties

• Class action lawsuits (failure to protect)

• State Attorneys General: Increasingly active (Uber)

• Federal Trade Commission: Consumer privacy protections

Trends

• Increased private litigation

• Fewer claims dismissed for standing

• More and higher settlements

• Increased enforcement

• Additional regulations

Page 23

Substantive Data Security Standards

• State Laws

• Nearly all states have data breach regulations

• Many states: commercially reasonable measures

• Federal Laws

• FTC § 5, HIPAA, FERPA, GLBA (Gramm-Leach-Bliley Act)

• SEC guidance

• Industry standards

• PCI (payment card industry), NERC (North American Electric Reliability Corporation) CIP (critical infrastructure protection)

• Common law standards: Rising standard of care

• EU and International Regulations

Page 24

Substantive Data Security Standards

• Government Contracts

• Defense contractors and subcontractors

• DFARS 252.204.7012 Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting (December 31, 2017)

• Multi-factor authentication

• Encryption

• Breach notification (within 72 hours through portal)

• FAR 52.204-21 Basic Safeguarding of Contractor Information Systems that process, store or transmit federal contract information (June 2016)

• 15 basic security controls for the systems (controls access, virus scans)

• Federal contract information = information provided or generated for the Government under a contract to develop or deliver a product or service

• Must include in solicitations and contracts, and flow through to subs

Page 25

State Data Breach Laws

Page 26

Contractual Obligations

Contractual Provisions (Where to look)

• Confidentiality clauses

• Nondisclosure clauses

• Express security requirements

• Trade secret / proprietary information clauses

Highlights the need for assessing contract risks and including cybersecurity provisions in contracts

Page 27

How to Protect Your Business

Page 28

Prevent AND Plan for Response

1. Implement a Company-wide Data Security Program

• All stakeholders – IT alone can’t secure your data

• High-level engagement across components and business lines

• Written policies and practices

• Train, test, and enforce

2. Consider What Data is Shared with Third-Parties

• Conduct due diligence and risk analysis before sharing data

• Contract terms and considerations/vendor risks

• Encryption

3. Develop and Test your Incident Response Plan

• Effective response to a data breach can reduce actual damage and legal exposure

Page 29

Avoid Common Mistakes

1. Data Security Program Mistakes

• Too narrow or out-of-date information security programs expose you to legal, contractual and regulatory risks

• Failure to stress test

• Failure to enforce

2. Contract and Third-party Mistakes

• Failure to assess the risks of sharing information

• Failure to conduct due diligence

• Failure to have continued oversight/update due diligence

• Failure to know the scope of access and data being shared

• Failure to clearly define rights and responsibilities in contracts

3. Incident Response Plan Mistakes

• Failure to include cybersecurity in your IRP

• Failure to appoint responsible senior officials, identify cybersecurity vendors, and hire legal counsel to direct the response and preserve privileges

• Failure to routinely assess, test and update the IRP


Page 32

Immediate Steps:

• Review your current Data Security Program

• Have someone with experience review & update it

• Get the buy-in and budgeting necessary from the top

• Schedule and conduct training & stress testing

• Conduct a Cyber Compliance Review

• Are you complying with industry standards, government contract requirements (FAR, DFARS), and regulations/laws?

• Develop procedures for limiting third-party risks

• Determine the level of risk that is appropriate for your business before you outsource or share any data

• Develop a third-party due diligence process and follow it

• Update your Incident Response Plan

• Dust it off, have someone with cyber experience review it, update it

• Test it – table top and simulated


Page 34

Perkins Coie LLP | PerkinsCoie.com

Kevin Feldis, Perkins Coie - Partner

907-263-6955 desk

907-529-1599

[email protected]

www.perkinscoie.com/KFeldis

Admitted in Alaska, Illinois and Washington DC