www.solidcounsel.com

Cybersecurity: What the GC and CEO Need to Know


Page 1: Cybersecurity: What the GC and CEO Need to Know


Page 2

“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller

Page 3

“It’s not a matter of if, but a matter of when”

Page 4

62% of cyber attacks are aimed at SMBs

Page 5

Odds: Security has to be right 100% of the time / a hacker has to be right only once

Page 6

Target, Home Depot, Neiman Marcus, Michael’s, Specs, TJ Maxx, eBay, Sally Beauty, PF Chang’s, UPS, Dairy Queen, Jimmy John’s, JP Morgan Chase, Kmart, Staples, Sony, Ashley Madison

Page 7

Page 8

Yes, Legal

Page 9

“Security and IT protect companies’ data; Legal protects companies from their data.” –Shawn E. Tuma

Page 10

Privilege / Work Product

“Target has demonstrated . . . that the work of the Data Breach Task Force was focused not on remediation of the breach . . . but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”

In re Target Corp. Customer Data Breach Litigation

Page 11

ACC Study (Sept ’15)

What concerns keep Chief Legal Officers awake at night?

#2 = Data Breaches: 82% consider them somewhat, very, or extremely important

Page 12

Cost of a Data Breach – US

2013 Cost
• $188.00 per record
• $5.4 million = total average cost paid by organizations

2014 Cost
• $201 per record
• $5.9 million = total average cost paid by organizations

2015 Cost
• $217 per record
• $6.5 million = total average cost paid by organizations

(Ponemon Institute Cost of Data Breach Studies)

Page 13

Legal Obligations

International Laws: Safe Harbor; Privacy Shield

Federal Laws & Regs: HIPAA, GLBA, FERPA; FTC, FCC, SEC

State Laws: 47 states have breach notification laws (all but Ala., NM, SD); Fla. (notice within 30 days); OH & VT (45 days)

Industry Groups: PCI, FINRA, etc.

Contracts: Vendors & Suppliers; Business Partners; Data Security Addendum

Page 14

Ancient Cybersecurity Wisdom

“Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.”

“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”

–Sun Tzu, The Art of War

Page 15

“An ounce of prevention is cheaper than the first day of litigation.”

Page 16

Litigation

Page 17

Consumer Litigation

Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015)

Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015)

Whalen v. Michael Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)

In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016)

In re Anthem Data Breach Litigation, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)

Page 18

Regulatory & Administrative

Page 19

Regulatory & Administrative – FTC

F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

• The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act.
• Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
• 3 breaches / 619,000 records / $10.6 million in fraud
• Rudimentary practices v. 2007 guidebook
• Website Privacy Policy misrepresentations
• Jurisdiction v. set standard?

Page 20

The Basics

“Some people try to find things in this game that don’t exist but football is only two things – blocking and tackling.” –Lombardi

Page 21

The Basics: Best Practices Documented

• Basic IT Security
• Basic Physical Security
• Security Focused P&P: Company; Workforce; Network; Website / Privacy / TOS; Business Associates; Social Engineering
• Implementation
• Training

Page 22

Regulatory & Administrative – FTC

In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). FTC’s Order requires business to follow 3 steps when contracting with third party service providers:

1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections.
3. Verify that the data service providers are complying with obligations (contracts).

Page 23

Addendum to Business Contracts

Common names for the Addendum: Data Security & Privacy; Data Privacy; Cybersecurity; Privacy; Information Security.

Common features:
• Defines the subject “Data” being protected, in categories.
• Describes acceptable and prohibited uses for Data.
• Describes standards for protecting Data.
• Describes requirements for deleting Data.
• Describes obligations if there is a breach of Data.
• Allocates responsibility if there is a breach of Data.
• Requires binding third parties to similar provisions.

Pages 24-28

Addendum to Business Contracts

Page 29

Regulatory & Administrative – SEC

S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

• “Firms must adopt written policies to protect their clients’ private information”
• “they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
• R.T. Jones violated this “safeguards rule”
• 100,000 records (no reports of harm)
• $75,000 penalty

Page 30

Written Policies

Page 31

Responding: Execute Response Plan

This is only a checklist – not a Response Plan

Page 32

How Fast?
• 45 days (most states)
• 30 days (some states)
• 3 days (federal contracts)
• 2 days (business expectation)
• Immediately (contracts)

Page 33

Officer & Director Liability

Page 34

Officer & Director Liability

“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham: derivative claims premised on the harm to the company from data breach.

Caremark Claims:
• Premised on lack of oversight = breach of the duty of loyalty and good faith
• Cannot insulate the officers and directors = PERSONAL LIABILITY!

Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.

Page 35

Officer & Director Liability

Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).

Derivative action for failing to ensure Wyndham implemented adequate security policies and procedures.

Order Dismissing: The board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.

Well-documented history of diligence showed the Board:
• Discussed cybersecurity risks, company security policies and proposed enhancements in 14 quarterly meetings; and
• Implemented some of those cybersecurity measures.

Page 36

Cyber Insurance

Page 37

Cyber Insurance – Key Questions

• Do you even know if you have it?
• What period does the policy cover?
• Are Officers & Directors covered?
• Does it cover 3rd-party-caused events?
• Social engineering coverage?
• Does it cover insiders’ intentional acts (vs. negligent)?
• What is the triggering event?
• What types of data are covered?
• What kinds of incidents are covered?
• Acts of war?
• Required carrier list for attorneys & experts?
• Other similar risks?

Page 38

Virtually all companies will be breached. Will they be liable?

It’s not the breach; it’s their diligence and response that matter most.

Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.

Page 39

Cybersecurity Risk Management Program

• Cyber Risk Assessment
• Strategic Planning
• Deploy Defense Assets
• Develop, Implement & Train on P&P
• Tabletop Testing
• Reassess & Refine

Page 40

“You don’t drown by falling in the water; You drown by staying there.”

Page 41

Shawn Tuma

Cybersecurity Partner

Scheef & Stone, L.L.P.

214.472.2135

[email protected]

@shawnetuma

blog: www.shawnetuma.com

web: www.solidcounsel.com

This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Shawn Tuma is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and around the world.

Board of Directors, North Texas Cyber Forensics Lab

Board of Directors & General Counsel, Cyber Future Foundation

Texas SuperLawyers 2015-16 (IP Litigation)

Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)

Council, Computer & Technology Section, State Bar of Texas

Chair, Civil Litigation & Appellate Section, Collin County Bar Association

College of the State Bar of Texas

Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas

Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

North Texas Crime Commission, Cybercrime Committee

Infragard (FBI)

International Association of Privacy Professionals (IAPP)

Information Systems Security Association (ISSA)

Board of Advisors, Optiv Security

Editor, Business Cybersecurity Business Law Blog