Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches
Reducing D&O Risk With Internal Controls, Insurance, and Indemnification; Defending Derivative Lawsuits
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, JULY 8, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Sharon R. Klein, Partner, Pepper Hamilton, Irvine, Calif.
Christopher Rittinger, Complex Claims Director, AIG Insurance, New York
Angelo A. Stio, III, Partner, Pepper Hamilton, Princeton, N.J.
J. Bradley Vatrt, Senior Complex Claims Director, AIG Insurance, New York
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-961-8499 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can
address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
For CLE purposes, please let us know how many people are listening at your
location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of
attendees at your location
• Click the SEND button beside the box
If you have purchased Strafford CLE processing services, you must confirm your
participation by completing and submitting an Official Record of Attendance (CLE
Form).
You may obtain your CLE form by going to the program page and selecting the
appropriate form in the PROGRAM MATERIALS box at the top right corner.
If you'd like to purchase CLE credit processing, it is available for a fee. For
additional information about CLE credit processing, go to our website or call us at
1-800-926-7926 ext. 35.
FOR LIVE EVENT ONLY
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY
Sharon R. Klein, Angelo A. Stio III, Christopher Rittinger, J. Bradley Vatrt
Mitigating D&O Liability Exposure For Data Privacy And Cybersecurity Breaches
TOPICS
• Recent focus on data privacy and security issues
− The Target Breach
− Consequences of Breach
• Duties of Directors and Officers
− Duty to Warn
− Duty to Protect
• Class Actions and Derivative Suits
• Insurance
• Practical Considerations
Recent Focus on Data Privacy and Security Issues
Chair Mary Jo White - SEC Cybersecurity Roundtable – March 26, 2014
− “This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”
SEC Commissioner Luis Aguilar – Cyber Risks and the Boardroom Conference – June 14, 2014
− 42% increase between 2011 and 2012 in the number of successful cyber-attacks per week.
− “[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Target Breach
• Target system compromised for 19 consecutive days.
• Information of 110 Million people compromised.
• 11 GB of data stolen.
Target Breach: Consequences
− $100M effort to move to chip-based payment cards
− $5M to a campaign to raise awareness on cybersecurity issues
− Overhaul of information security and compliance structure.
− Company has acknowledged failure to adequately handle call volume regarding this incident; increased hiring for phone centers
− Fourth-quarter profit slumped 46% while revenue slid 5.3%
− Reputational Damage
− $61 million in hacking-related expenses
− VP Technology / CIO resigns
Target Breach: Tip of the Iceberg
Data Breach Consequences
• Direct financial impact
• Diversion of resources
• Derivative lawsuits
• Class action lawsuits
• Reputational damage
• Regulatory exposure
Duties of Directors and Officers
• Directors are liable for oversight of Company affairs due to their fiduciary duties of loyalty and due care
• Cyber liability arising from disclosure of personally identifiable information and trade secrets is a known material risk
• Standard of Care as to cyber liability generally can be categorized into regulations dealing with:
− Duty to warn
− Duty to protect
Duty to Warn
• SEC Guidance
• Data Breach Laws and Regulatory Requirements
Duty to Warn: SEC Guidance
SEC Guidance: Disclosure
• Cybersecurity risks and cyber incidents are required to be disclosed when:
− Necessary in order to make other required disclosures not misleading.
− They are such that a reasonable investor would consider important to an investment decision.
• There is no existing specific disclosure requirement.
• Registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
Duty to Warn: SEC Guidance
SEC Guidance: Disclosure
• Places reporting companies may need to include disclosure:
− Risk Factors
− MD&A
− Description of the Business
− Legal Proceedings
− Financial Statement Disclosures
− Disclosure Controls and Procedures
Duty to Warn: SEC Guidance
SEC Guidance: Disclosure
• Is a Form 8-K required after a breach? No (not yet)
• Some companies have elected to file under item 8.01 (Other Information)
• Some companies have taken the position that they notify the public of a breach in other ways and an 8-K is unnecessary.
− Pros: Eliminate any potential insider trading, don’t raise flags with the SEC, disclosure can be copied from breach notices
− Cons: Imperfect information
Duty to Warn: Target Breach
SEC Disclosure
• Filed an 8-K in late February in connection with its earnings release
− Updated risk factors that could affect forward-looking statements in the release (including cybersecurity risks)
− Total of 18 risk factors, 5 relating to the incident
• Filed 10-K on March 14.
− Disclosures re breach included in: Risk Factors, Legal Proceedings, MD&A (executive summary subpart) and Financial Statement footnotes (commitments and contingencies)
− Target recorded $61 million in breach-related expenses, with insurance covering $44 million for net expenses of $17 million
− Did not estimate losses resulting from litigation, enforcement and related fines
Duty to Warn: Target Breach
Target 8-K: Risk Factors
− Our continued success is substantially dependent on positive perceptions of Target which, if eroded, could adversely affect our business and our relationships with our guests and team members.
− The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
Duty to Warn: Target Breach
Target 8-K: Risk Factors
− Our failure to comply with federal, state, local and international laws, or changes in these laws could increase our costs, reduce our margins and lower our sales.
− A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
Duty to Warn: Target Breach
Target 8-K: Risk Factors
− We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.
SEC Cybersecurity Risk Alert
• The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on its cybersecurity initiative on April 15, 2014.
• The OCIE will initially examine 50+ broker-dealers and registered investment advisers re cybersecurity issues, with a focus on the following issues:
− Cybersecurity governance; identification & assessment of cybersecurity risks; protection of networks & information; remote customer access and funds transfers; vendors & third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.
SEC Cybersecurity Risk Alert
• OCIE included a sample questionnaire that closely tracked the NIST Framework released in February.
• Focus on written policies:
− Information security policy
− Business continuity plan
− Guidance for employees re security risks/responsibilities
− Data destruction policy
− Cybersecurity incident response policy
− Vendor and business partner security policy.
Duty to Warn: Data Breach Law and Regulatory Requirements
• State Privacy Laws
− 47 States have data breach notification legislation
− Identity theft legislation including protection of Social Security Numbers
− State legislation on protection of personal information broader than federal (CA, MA, NV)
− Federal privacy legislation generally does not control/preempt state laws.
Duty to Warn: Data Breach Law and Regulatory Requirements
• Federal Agencies impose specific requirements on content and timeframe of Data Breach notification:
− Office of the Comptroller of the Currency (OCC)
− Federal Deposit Insurance Corporation (FDIC)
− Department of Health and Human Services (HHS)
− Federal Trade Commission (FTC)
Duty to Protect
• Company safeguards for consumer data
• Third party scrutiny
Duty to Protect
U.S. Federal Laws
− FTC Regulations (all)
− NIST Security/Privacy Framework (all)
− Gramm-Leach-Bliley Act (financial)
− HIPAA / HITECH (healthcare)
− COPPA (children)
FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)
• Congress has been unable to pass a Federal Privacy Bill
• FTC Report is a blueprint for self-regulatory best practices.
• (1) “Privacy by Design”:
− Promote privacy throughout the organization and at every stage of development of products and services
− Delete consumer data no longer needed and allow consumers to do the same
− Provide reasonable security for data
− Limit collection of data (consistent with context of particular transaction)
− Implement reasonable data retention and disposal policies
− Maintain reasonable accuracy of data
FTC Report - Protecting Consumer Privacy in an Era of Rapid Change (March ‘12)
• (2) Simplify Consumer Choice:
− Provide consumer choice for any communications not related to original transaction
− “Do Not Track” mechanisms allow consumer to control collection and use of their online data
− Certain choices require consumer to “opt in”
• (3) Improve Transparency to Consumers:
− Clearer and shorter privacy notices
− Provide access to consumer data
− Educate consumers about company’s data privacy practices
NIST Framework
• Provides standards and best practices for organizations to:
− Describe their current cybersecurity posture;
− Describe their target state for cybersecurity;
− Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
− Assess progress toward the target state;
− Communicate among internal and external stakeholders about cybersecurity risk.
NIST Framework: Core
• Identify
− Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
• Protect
− Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect
− Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.
NIST Framework: Core
• Respond
− Develop and implement the appropriate activities to take action regarding a detected cybersecurity event and contain its impact.
• Recover
− Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Scrutiny of Third Party Relationships
• Liability the same as if company performed activity
• Risk Management Process
− Risk assessment
− Due diligence in third party selection
− Contract structuring
− Oversight/audit
Target Breach
Scrutiny of Third Party Relationships
• Contract Structuring
− Compliance with all laws/regulations
− Access to records by company and its regulators
− Prohibition on subcontracting
− Performance standards/SLAs
− Monitoring/audits
Scrutiny of Third Party Relationships
• Contract Structuring (con’t.)
− Compliance with company’s privacy/security policies
− Business continuity/disaster recovery plans
− Indemnification
− Exclusion of data breach from the limitation of liability
− Insurance coverage
Class Actions and Derivative Suits
• Historically, courts have been skeptical about data breach claims.
− A body of case law exists dismissing claims for lack of standing where there are no actual damages; fear of identity theft or purchasing credit monitoring is not enough. See Clapper v. Amnesty International, Inc., 133 S.Ct. 1138 (2013); In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, No. 12-347 (D.C. May 9, 2014).
− Typical claims include: negligence, UDTPA violations, invasion of privacy, unfair competition, violation of state data notification laws.
Class Actions and Derivative Suits
More and more class actions are being filed as the plaintiffs’ bar gets more creative
• Valdez v. Quantcast, MTV, NBC Universal et al. (C.D. Cal. 2010)
− Violation of Computer Fraud and Abuse Act, 16 U.S.C. § 1030
− Violation of Electronic Communications Privacy Act, 18 U.S.C. § 2510
− Violation of Video Privacy Protection Act, 18 U.S.C. § 2710
− Violation of California’s Computer Crime Law, Penal Code § 502
− Violation of California’s Invasion Of Privacy Act, California Penal Code § 630
− Violation of UCL, Bus & Prof. Code § 17200
− Violation of CLRA
− Unjust Enrichment
Class Actions and Derivative Suits
In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. 2014)
• Putative class action based on a data breach.
• Plaintiffs’ allegations that their personal information was collected by defendant and then wrongfully disclosed as a result of the intrusion were sufficient to establish Article III standing at the motion to dismiss stage.
• Plaintiffs claim economic injury in the form of (1) loss of the unencumbered use of their passwords; (2) their passwords were obtained by a third party without their consent; (3) they were unable to access Sony Online Services during the time the PlayStation service was temporarily disabled; (4) certain applications and products that can only be accessed via the network were rendered worthless during the brief interruption in PlayStation service; and (5) their consoles diminished in value as a result of Sony's failure to secure the network and/or the extended time during which the network was disabled.
• Consumer protection law statutes allowed to survive motion to dismiss.
Class Actions and Derivative Suits
Target Class Actions
• Approximately 70 pending in 21 states
• Consumers asserting claims for negligence, breach of fiduciary duty, and violations of consumer protection laws
• Banks and Credit Unions seeking damages for, among other things, cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards
• April 2, 2014, transfer order by Judicial Panel on Multi-District Litigation entered transferring all class actions to District of Minnesota and assigned to District Judge Paul A. Magnuson.
• The U.S. Department of Justice and State Attorneys General, led by Illinois and Connecticut, are investigating the matter.
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
• In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
− December 2007: a cyber attack on Heartland's computer system infects the entire payment processing system.
− Loss of personal information on 130 million credit and debit card owners.
− Heartland did not discover this breach until early 2009.
− Heartland's stock falls by a total of 80%, resulting in a suit by shareholders who purchased stock in 2008.
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
• In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
− Investors allege fraud on the basis that Heartland misrepresented the state of its computer network security.
− The claims are based on Heartland publicly stating it was committed to maintaining high levels of data security after Heartland discovered the breach but before the breach was disclosed to the public.
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
• In re Heartland Payment Sys., Inc. Sec. Litig., 2009 U.S. Dist. LEXIS 114866 (D.N.J. Dec. 7, 2009)
− On motion to dismiss Court finds that the security breach alone did not demonstrate that the company failed to “place significant emphasis on maintaining a high level of security.”
− Plaintiffs could not allege Heartland knew or had reason to suspect that its security systems were so deficient that it was false to say that Heartland “place[s] significant emphasis on maintaining a high level of security.”
− “[A]fter-the-fact speculation by a handful of lower-level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.”
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
• Palkon v. Wyndham Worldwide, et al., 2:14-cv-01234 (D.N.J. May 2, 2014)
− Derivative suit against officers and directors of Wyndham related to three data breaches between April 2008 and January 2010.
− 619,000 consumer payment card account numbers are compromised.
− Suit alleges that officers and directors failed to ensure that Wyndham and its subsidiaries implemented adequate information security policies and procedures, used an out-of-date network and then failed to timely disclose breaches in Company filings.
− Asserts claims for breach of fiduciary duty (loyalty and care), corporate waste and unjust enrichment and seeks to recover damages suffered by company, remedial action with respect to corporate governance and internal procedures and disgorgement of profits and compensation.
− Motion to dismiss has been filed.
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
• Kulla v. Target Corp., et al., 0:14-cv-00203 (D.Minn. Jan. 21, 2014)
• Collier v. Target Corp. et al., 0:14-cv-00266 (D.Minn. Jan. 29, 2014)
− Derivative suits against officers and directors of Target arising from largest data breach in history.
− 619,000 consumer payment card account numbers are compromised.
− Suit alleges that officers and directors were aware of importance of security of customer information and risks a data breach could present, yet failed to take reasonable steps to maintain its customers’ personal financial information and failed to implement internal controls to detect and prevent a breach. Complaint also contends defendants failed to take proper steps to respond.
− Claims for breach of fiduciary duty (loyalty and care), aiding and abetting, corporate waste and unjust enrichment and seeks to recover damages suffered by company, remedial action with respect to corporate governance and internal procedures and disgorgement of profits and compensation.
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
Common Themes:
• Duty to warn
• Duty to protect
− A sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists — will establish the lack of good faith. In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
Class Actions and Derivative Suits
SHAREHOLDER DERIVATIVE SUITS
Potential Defenses:
• Lack of standing – no damage
• Failure to plead requirements of derivative suit
• Business judgment rule
• Director exculpation clause
• No misrepresentations/No Concealment
• Company has internal controls which Board oversees and monitors
Insurance
D & O Insurance
− Would a D & O Policy cover breach of fiduciary duty claims related to a data breach?
− Do any exclusions apply?
− What triggers coverage?
− What coverage is typically available?
• Derivative Actions
• Enforcement Actions
• Investigations
Insurance
Cyber-Insurance: Coverage
• Crisis Management Expenses
− Notification costs
− Credit monitoring costs
− PR costs
− Forensic examination costs
− Legal analysis costs
• Claim Expenses
− Costs of defending lawsuits
− Judgments and settlements
− Regulatory response/settlement costs
− Regulatory compliance costs
− PCI-DSS fines and penalties
Insurance
Cyber-Insurance: Other Coverage
• Network interruption
− Costs for insured’s loss of income and operating expenses due to a cyber event
− Loss includes: Lost income and normal operation expenses
− Public relations/legal assistance expense coverage
• Costs of restoring or recollecting
− Lost data
− Stolen data
− Damaged data
• Cyber-Extortion
− Network security demands related to extortion demands
• Legal, forensic costs of investigations to determine cause of breach and settlement of extortion demands
Practical Steps Companies Must Take
Incident response lifecycle: preparation, detection, analysis and prioritization, investigation and mitigation, notification, post-incident activity.
1. Preparation: self-assessment; know legal requirements
2. Detection: monitor compliance
3. Analysis and Prioritization: which states/countries; which law enforcement/regulators
4. Investigation and Mitigation: analyze root cause; mitigate/remediate loss
5. Notification: send individual or substitute notice; engage public relations; notify insurance carrier(s)
6. Post-incident activity: incorporate lessons learned
Practical Steps: Preparation
• Set up an inter-disciplinary team
− IT
− Physical security
− Human resources
− Enterprise Risk
− Compliance
− Communications
− Legal
Practical Steps: Preparation
• Self Assessment:
− Analyze cyber risks throughout collection, transmission, use, storage, destruction
− Assess security infrastructure, connectivity, cloud for malware/misuse
− Audit third parties and applications
− Develop incident response programs
− Obtain consent for collection of personally identifiable information
Practical Steps: Preparation
• Establish written policies and procedures to regulate compliance
− Institute a privacy policy (data collection, sharing and retention/destruction)
− Adopt a BYOD policy and appropriate safeguards
− Institute a business continuity plan
• Put a cybersecurity insurance policy in place or review/upgrade current policy
Practical Steps: Detection
• Set up intrusion detection/firewalls and contract for technology to assist with detecting and managing risk
• Establish a process for reporting suspicious activity
• Assess and mitigate transactional risk
− Inheriting risks from a target in an acquisition; include appropriate counsel in diligence review
− Agreements with vendors/suppliers should include provisions safeguarding systems and data and appropriate SLAs
− Agreements with customers/clients should address risks, allocate responsibility (for agreements with other businesses) and establish a venue for claims
Practical Steps: Analysis and Prioritization
• Identify all applicable laws and regulatory requirements
• Establish appropriate law enforcement contacts and relationships with the regulators
• Evaluate the current compliance structure
− Attorney-Client privilege protection for gap analysis
− Set up a system regulating the access to data OR
− Amend, expand or streamline existing system as needed.
Practical Steps: Investigation and Mitigation
• Undertake Fact-Finding Protected by Attorney-Client Privilege
• Work with Forensics Consultants/FGIS to Contain Breach
• Document Each Step of the Investigation Findings
• Technical Mitigation to Correct Cause of Breach
• Legal Mitigation to Update Policies/Procedures
• Address Personnel Issues—Educate Employees
Practical Steps: Notification
• Internal Notification
− Notify the Breach Incident Response Team
− Provide Employee Awareness
• External Notification
− Consumers whose data has been breached
− Law enforcement
− Attorneys general
− Consumer agencies
− Regulators
− Investors
− Data protection authorities
− Insurance
Practical Steps: Post Incident Activity
• Review and determine the adequacy of:
− Incident response team model
− Policies/procedures
− Response tools and resources
− Training of employees
− Integrity of third parties
− Documentation and reports
Speaker: Sharon R. Klein
949.567.3506 [email protected]
• Partner in the Corporate and Securities Practice Group
• Partner in charge of the firm’s Orange County office and chair of the Privacy, Security and Data Protection practice
• Handles a variety of corporate and intellectual property matters, in particular, helping information technology and telemedicine clients grow and succeed
• Commissioner of the Electronic Healthcare Network Accreditation Commission (EHNAC), a voluntary, self-governing standards development organization established to develop standard criteria and accredit organizations that electronically exchange health care data.
Speaker: Angelo A. Stio III
609.951.4125 [email protected]
• Partner in the Litigation and Dispute Resolution Department of Pepper Hamilton LLP and a resident in the firm’s Princeton, New Jersey office.
• Member of the firm’s Privacy, Security and Data Protection group, and has counseled health care, financial services and educational institution clients on data privacy issues
• Practice focuses on complex commercial disputes, defending class actions and derivative suits, corporate governance issues, and the representation of colleges and universities.
Speaker: Christopher Rittinger
212.458.3264
• AIG Complex Claims Director in the Directors & Officers, National Accounts Group
• Mr. Rittinger has worked at AIG for the past 5 years and handles high-exposure claims from inception through conclusion.
• Mr. Rittinger is responsible for coverage analysis, litigation management, and litigation resolution strategy for matters submitted with a specific focus on derivative shareholder suits, securities class action suits, and regulatory investigations and enforcement actions.
• Before joining AIG, Chris was an assistant district attorney at the Brooklyn DA’s office for three years and worked as a litigator in private practice for 6 years.
Speaker: J. Bradley Vatrt
212.458.3986 [email protected]
• Senior Complex Claims Director, Network Security/Media/Technology for AIG
• Mr. Vatrt evaluates coverage and drafts detailed analyses pursuant to security and privacy, crisis management, technology, media, internet, and miscellaneous professional liability policies.
• Mr. Vatrt advises senior management, underwriters, brokers and insureds regarding coverage, litigation / dispute resolution strategies, and the business impact of lawsuits.
• Mr. Vatrt serves as the Senior Complex Claim Director for AIG’s Kidnap and Ransom claims group.
• Mr. Vatrt joined AIG in 2008, after working as a litigator in New York for over six years.