presented by Mark B. Manoukian
Securing Sensitive Personal Data

1 Change our perspective
2 Improve our defenses

Data Is Valuable

Consequences of Data Breach
+ Money
+ Identity Theft
+ Ransom
+ Useful Secrets
+ Punishment
+ Damage to Reputation / Loss of Business
+ Civil Liability
+ Criminal Liability

Major Data Breaches of 2015
From http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/
+ Kaspersky Labs
+ LastPass
+ CVS, Walgreen’s, Costco
+ Carphone Warehouse (UK)
+ UCLA Health
+ Hacking Team
+ Ashley Madison
+ Anthem
+ IRS
+ Office of Personnel Management

How Did We Get Here?

Protecting Our Data in the Old Days
1. Communications were secure in that virtually all communications were internal.
2. Data was secure in that it was stored on our servers in our offices.
3. Access was restricted by usernames and passwords.
4. You had full control over your PC, but it was inconsequential.
5. Points of entry – desktop PCs in our office – were secure.
6. The only real threat was known viruses attached to e-mail.
7. Our firewall kept uninvited guests out.
8. We were low-value targets.

What Has Changed?

Communications
+ Employees are able to access our network remotely across the public Internet.
+ We routinely use 3rd party services, typically web sites, wherein we are communicating across the public Internet.

Data
+ We store sensitive data of our clients.
+ Third parties store our sensitive data.

Points of Entry
+ Home PCs
+ Mobile Devices, Lots of Them
+ Public PCs / Devices

Viruses Have Evolved Into Malware
+ Malware > Viruses.
+ Some malware is indefensible…
  + …in that it attacks flaws in the software that are unknown to all, including the makers of the software.
  + …sometimes bespoke, just for you.
  + …it piggybacks on other, legit apps or web sites – e.g. Java, Adobe Flash.

Usernames and Passwords
+ Public.
+ Broken.
+ Stolen.
+ Shared.
+ Reused.

Net Effect
1. Communications were secure in that virtually all communications were internal.
2. Data was secure in that it was stored on our servers in our offices.
3. Access is restricted by usernames and passwords, which may be easily broken.
4. You had full control over your PC, but it was inconsequential.
5. Points of entry – desktop PCs in our office – were secure.
6. The only real threat was known viruses attached to e-mail.
7. Our firewall kept uninvited guests out.
8. We are a high-value target, no longer a low-value one.

Order of Events in Hack of RSA, Inc.
1. Recon: Research public info about RSA employees
2. E-Mail: Create e-mail accounts purporting to be a close friend or employee
3. Payload: Payload is an indefensible piece of malware
4. Malware: Malware leverages privileges to gain access
5. Damage: Data is stolen

Recourse?
+ Yes, it’s illegal.
+ Remediation is difficult-to-impossible.
+ Prevention is the best strategy.

Action Items For…
+ End Users – That’s You
+ I.T. Staff
+ Firm Management
+ Technology Vendors
+ Non-Technology Vendors

Action Item #1 for Employees: Don’t let them in by e-mail.
+ Who is the e-mail actually from?
+ If you have to ask me if it is legit then you’ve already told me that you don’t know this person.
+ Verify by an alternate method.

Spear Phishing
E-mail may appear very genuine
+ Address the recipient by name
+ Use lingo/jargon of company
+ Reference actual procedures, SOPs/TTPs

Action Item #2: Look for “HTTPS”
Example of a Success

Action Item #2: Look for “HTTPS”
Example of a Failure

Test Yourself on #1 and #2
E-Mail Phishing Quiz: http://www.sonicwall.com/phishing/
Web Site Phishing Quiz: https://www.opendns.com/phishing-quiz/

Action Item #3: Maintain Your Software
+ If you didn’t go looking for it then don’t install it.
+ If you installed it, then update it. The vast majority of patches go to security.
+ If you don’t use it then uninstall it.

Action Item #4: Protect Your Passwords
+ Don’t reuse/share passwords across high-value accounts.
+ Keep them secure, in a password vault or paper in a locked drawer in your desk.
+ Not in a Word or Excel document.

Action Item #5: Secure Your Mobile Devices
+ Laptops
+ Smartphones
+ Tablets
+ Fitness gadgets

Action Item #6: This is a mindset.
+ This is a marathon not a sprint.
+ There will be more action items.
+ For the rest of your life.
+ This is a perpetually, quickly moving target.

Recurring THEMES
Your PC + data are more valuable than you realize
Person using PC is the weakest link
Phishing is the most common attack vector
Test yourself!

Thank You!
Mark B. Manoukian
Director of Information Technology
Kegler Brown Hill + [email protected]/manoukian
614-462-5429

Litigation THEORIES in Data Breach Litigation
presented by Luis M. Alcalde

Why COMPANIES Get Sued
+ Lost or stolen computers containing PII or SPI
+ Payment card system hacking
+ Theft of financial data hacking
+ Unknown intrusions
+ Publication of personal information
+ Suits by banks against corporate hacking victim to recover cost

POTENTIAL LEGAL PITFALLS
+ Was it preventable?
+ Federal + 50 state disclosure requirements
+ Public reporting to SEC + federal/state agencies

Applicable U.S. Law
+ No common set of laws governing civil liability
+ Claimants use patchwork of federal and state statutory claims + common law claims

Federal Statutes
+ Health Insurance Portability and Accountability Act (HIPAA)
+ Health Information Technology for Economic and Clinical Health Act (HITECH)
+ Stored Communications Act (SCA)
+ Fair Credit Reporting Act (FCRA)
+ Gramm-Leach-Bliley Act (GLBA)

State Law Claims
+ Consumer protection statutes
+ Unfair trade practices statutes
+ Negligence
+ Invasion of privacy
+ Breach of implied or express contract
+ Unjust enrichment

Standing + Injury Requirement
Need to establish injury in-fact to support Article III standing in federal court (biggest impediment so far)
+ Concrete + particularized
+ Actual + imminent, not conjectural or hypothetical
+ Possible future injury not enough
+ Threatened injury must be impending
+ Plaintiffs often allege risk of future injury + expenses to mitigate that risk

RISK of Future Harm is Obstacle to Consumer Cases
+ Lack of evidence of what happened to the PII
+ Lack of evidence of financial loss or proof of identity theft
+ Lack of loss because claimants were reimbursed within payment card system
+ Federal courts dismiss on mere possibility of future harm
+ Plaintiff’s principal theory of harm is risk that loss of PII puts them at higher risk of identity theft
+ Some district courts have found standing on facts falling short of actual financial harm

Mitigation EXPENSES
+ Need to mitigate against fraud + identity theft
+ Purchasing credit monitoring services
+ Purchasing identity theft insurance

In re Sony Gaming Networks … 996 F. Supp. 2d 942 (S.D. Cal. 2014)
+ April 2011: hackers attacked computer network used to provide Sony PlayStation Network (PSN) and related networks
+ Lawsuit claims that Sony did not adequately protect networks and hackers were able to access certain account holder information
+ Claims were that hackers stole information to commit fraud and identity theft + account holders were legally injured by the unavailability of the network while temporarily off-line for 24 days
+ California D.C. court found plaintiffs alleged sufficient facts of “impending injury”

Alternative Theories of Harm
+ Lost time + inconvenience
+ Emotional distress
+ Decreased economic value of PII
+ Denied benefit of the bargain

STATUTORY DAMAGES

STATE COURTS EASIER?

Class Certification HURDLE

AGAINST CLASS CERTIFICATION

Suits by Banks + Financial Institutions

presented by Larry J. McClatchey
Understanding Secured Transactions + Consignments
SECURING PAYMENT

Traditional Means to Secure Payment
+ Pre-pay or COD
+ Letters of Credit
+ Guarantee
+ Liens in Seller’s Favor

Obstacles to Securing Payment
+ Type of Goods
+ Seller’s Existing Credit Terms + Conditions
+ Buyer’s Existing Credit Terms + Conditions
+ PO + Supply Agreements

UCC – Nationwide Rules for Commerce
+ Rules for Sales + Leases
+ Banking, Checks + Letters of Credit
+ Procedures for Warehouse Receipts + Bills of Lading
+ Agreement to Grant Security to Seller

Not All Transactions + Collateral Covered
Secured Transactions Under Article 9
Classification of Collateral

Security Agreements
+ Identifies Parties
+ Buyer Grants Security Interest
+ Describes Collateral
  + Specific listing
  + Category of Goods
  + Type of Goods
+ Include Proceeds and Products of Collateral
+ Specifies Indebtedness to be Secured

Attachment of Security Interests
+ Value given by creditor
+ Debtor has rights in collateral
+ Authenticated Security Agreement
1
Formal Requirements

Perfection of Security Interest
+ Possession
+ Control
+ Perfection by Filing
2

Filing Rules
+ Name of Individual Debtor
+ Name of Registered Organization
+ Place of Filing
+ Changes in Name or Location
+ Sufficient description of Collateral
3

Basic Rules of Priority
+ First to File or Perfect
+ Filing Before Loan Closing
+ Lapse in Filing
4

The Purchase Money Security Interest
A PMSI is distinguished from a standard security interest in two main ways: its manner of creation and the priority it receives relative to other security interests in the same collateral.

Collateral Subject to PMSI:
+ Goods
+ Software
+ Consignor’s Inventory

Priority of PMSI:
+ Goods other than inventory
+ Inventory

“Superior Priority Status”:
+ Security Interest in Favor of Seller
+ Cost of Purchase of Collateral

Limitations on PMSI:
+ Notice of Conflicting Inventory
+ Prior Secured Party

Consignments

True Consignment Characteristics
+ Generally consumer goods
+ Value of goods less than $1000.
+ Delivered to merchant for sale
+ Merchant/auctioneer known to sell on consignment
+ Usually subject to state bailment law

UCC “Consignment” Characteristics
+ Merchant deals with goods other than under consignor’s name
+ Merchant is not an auctioneer
+ Not generally known as reseller
+ Aggregate value of goods over $1000
+ Inapplicable to consumer goods
+ Transaction does not create a security interest to secure an obligation.

Common Commercial “Consignment”
+ Security for payment of an obligation
+ Consignment of goods treated as PMSI in inventory
+ Rights between consignor and consignee unimpaired
+ Several practical problems with consignments

Priority of Consignor’s Claim Dependent on Perfection
+ Priority over floating inventory lien
+ Must create and perfect as PMSI
+ Financing statement and notice

Practical Problems in Securing Payment Under UCC
+ Transactional Costs
+ Change of Name of Debtor
+ Mergers/Successor Debtor
+ Remedies Upon Default
+ Disposition of Recovered Collateral

Issues to Consider
+ What Agreements in Effect Already?
+ Eligible for Statutory Lien?
+ Would PMSI Be Effective?
+ Do We Sell Type of Goods Suitable for Security Agreement?
+ Practical Problems with Collateral?

Thank You!
Larry J. McClatchey, Director
Kegler Brown Hill + [email protected]/mcclatchey
614-462-5463

Understanding + DEFENDING Preference Claims
presented by Christy A. Prince

What is a Preference?
+ Payment or transfer made during the ninety days prior to bankruptcy
+ Debtor makes a payment or payments to some creditors and not to others

Purpose of Preference Law?
+ Prevent “piecemeal” dismemberment of a debtor
+ Avoid the “race to the court house” among creditors
+ To promote equal distribution among creditors similarly situated

Who Can Avoid a Preferential Transfer?
1 Bankruptcy trustee or “debtor in possession”
2 Representative of Liquidating Trust in chapter 11 case

Elements of a Preference Claim
+ Transfer of property of a debtor
+ To or for benefit of creditor
+ On account of an antecedent debt
+ Made while debtor was insolvent
+ Enables creditor to receive more than if transfer had not been made
+ Within 90 days prior to bankruptcy

Element: A Transfer
+ Must be of the debtor’s property
+ Typically from debtor to creditor
+ Could be payment from debtor to third-party

+ Debtor owes Creditor, and Creditor owes ABC Company
+ Debtor pays ABC Company for Creditor’s debt in consideration of Debtor’s debt to Creditor
+ Debtor can recover the transfer from Creditor

+ Creditor applies credit for damaged goods to Debtor’s account, reducing amount due from Debtor to Creditor
+ Application of credit to Debtor’s account is not a transfer for the benefit of Creditor
+ Review records of alleged preferential transfers to weed out credits

Element: Antecedent Debt
+ Transfer must be on account of preexisting debt
+ If payment terms are Cash on Delivery, no antecedent debt
+ If payment terms are paying old invoices, there is antecedent debt

Element: Time Span
+ If creditor is an insider, preference period is one year prior to bankruptcy petition date
+ If creditor is not an insider, preference period is 90 days prior to bankruptcy petition date

Element: Debtor’s Insolvency
+ Transfer must have been made while debtor was insolvent
+ Insolvency is presumed for the 90 days prior to bankruptcy
+ Creditor can introduce evidence that debtor was solvent at time of transfer
+ If bankruptcy filed suddenly after meaningful event, explore this element

Element: Creditor Receives More
+ Disputes over this element are rare
+ If debt fully secured by collateral, transfer didn’t allow creditor to obtain more than it would have in bankruptcy
+ If creditors will be paid in full through bankruptcy, this element would not be met

Defense Considerations
+ Debtor/trustee must prove each element of preference
+ Burden of proof for elements is on debtor/trustee
+ Creditor can establish an “affirmative defense”
+ Creditor has burden of proof on any affirmative defense

Ordinary Course of Business Defense
Encourages creditors to deal with companies on “normal” credit terms
The debt was incurred in the ordinary course of the business between debtor and creditor, AND:
EITHER: Payment is made in the ordinary course of business of the debtor and the transferee
OR: Payment is made according to ordinary business terms in the industry

Ordinary Course of Business Between the Parties
+ Payment that is “normal” in parties’ course of dealing
+ Consistency with other business transactions between parties
+ Examines course of conduct + payment history prior to filing
+ Historical period v. preference period
+ Consistently late payments may qualify as ordinary payments

Payment NOT in Subjective Ordinary Course of Business
+ Creditor requires a cashier’s check for the first time
+ Creditor imposes new terms during the preference period
+ Payment results from coercive collection practices
+ Creditor imposes or threatens credit hold

Ordinary Business Terms: Objective Ordinary Course
+ Payment is “ordinary” in relation to the relevant industry standard
+ Examine industry as a whole
+ Explore practices common to similarly situated businesses
+ Usually requires expert testimony

Potential PROBLEMS with OCB

Subsequent New Value Defense
Creditor may have replenished the value of Debtor by continuing to supply goods/services

Subsequent New Value
+ Transfer by creditor after payment received
+ Not secured by “otherwise unavoidable” security interest
+ On account of which new value debtor did not make an otherwise unavoidable transfer to or benefit of creditor
+ New value determined as of petition date, so post-petition payments are not relevant
+ May not be available if Creditor retains a security interest
+ May not be available if Debtor later paid for the new goods prior to the petition date

+ June 1: Debtor pays Creditor $200,000
+ June 15: Creditor ships new goods on credit
+ August 1: Debtor files bankruptcy
+ Zero preference exposure because of SNV
+ Creditor has a proof of claim for $200,000

+ June 1: Debtor owes creditor $500,000
+ June 15: Debtor pays creditor $200,000
+ June 30: Creditor ships new goods ($100,000) on credit
+ August 1: Debtor files bankruptcy
+ $100,000 preference exposure because of SNV
+ Creditor has a proof of claim for $400,000

+ June 1: Creditor ships new goods ($200,000) on credit
+ June 15: Debtor pays creditor $200,000
+ August 1: Debtor files bankruptcy
+ $200,000 preference exposure

TIMING of the Claim

Preparing for the DEFENSE

Other Potential Defenses
+ Transfer <$5,000 in business cases
+ Transfer <$600 in consumer cases
+ Amount in controversy
+ Case filed too late (statute of limitations)
+ Transfer to holder of unperfected lien rights

Checklist of Defenses Against Preference Claims
+ Where is the lawsuit filed?
+ When was the lawsuit filed?
+ How much is the claim?
+ Did the debtor make the transfer?
+ Do lien rights exist? PMSI?
+ Did debtor receive “20 day goods”?
+ Has debtor made “critical vendor” offer?
+ Section 503(b)(9) bargaining chip?

Practical TIPS
+ Review your invoices to compare to industry standards
+ Stay consistent in your collection practices
+ If a problem customer files bankruptcy, work up defenses while fresh
+ Preserve all records of collection communications
+ Don’t ignore a demand letter