International Association of Defense Counsel
IADC Southwest Regional Meeting
Dallas, Texas
Cybersecurity: What Defense Lawyers Need to Know about Cyberliability, Cybercrime, and Coverage
Moderator: John G. Browning, Passman & Jones, A Professional Corporation
Panelists: Richard Roper, Thompson & Knight, LLP
Mariah Quiroz, Thompson, Coe, Cousins & Irons, L.L.P.
Shawn Tuma, Scheef & Stone, L.L.P.
“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller
Odds: Security @100% / Hacker @ 1
How Serious?
2013 Cost • $188.00 per record • $5.4 million = total average cost paid by organizations
2014 Cost • $201 per record • $5.9 million = total average cost paid by organizations
2015 Cost • $217 per record • $6.5 million = total average cost paid by organizations
(for US Companies; Ponemon Institute Cost of Data Breach Studies)
Principal Areas of Risk
What is a cybersecurity incident?
2014 OTA Report
The basics
Theft of Devices
Lost Devices
Lost Passwords
Phishing
Infected Websites
Basic IT
Assess Cyber Risk
Strategic Planning
Deploy Defense Assets
Develop, Implement & Train on P&P
Tabletop Testing
Reassess & Refine
Minimizing Cybersecurity Risks
Consumer Litigation
Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015)
Whalen v. Michaels Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016)
In re Anthem Data Breach Litigation, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)
Regulatory Enforcement
The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
Firms must (1) adopt written policies to protect their clients' private information, (2) anticipate potential cybersecurity events, and (3) have clear procedures in place to respond. S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
FCC - fined AT&T $25,000,000
CFPB - fined Dwolla, Inc. $100,000
DOJ - Yates Memo
Officer & Director / Derivative Claims
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.
Derivative claims premised on the harm to the company from data breach.
Caremark Claims - breach of the duty of loyalty and good faith if (1) utterly failed to implement reporting system or controls, or (2) consciously failed to monitor or oversee.
The board satisfied the business judgement rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks. Palkon v. Holmes, 2014 WL 5341880, *5-6 (D.N.J. Oct. 20, 2014).
Helping Clients Minimize Risk
Ask Questions
Awareness
Educate
Understand Legal Obligations
Cybersecurity Risk Management Program
Understand Standard of Care