This document summarizes a webcast on cybersecurity risks and strategies for managing them. It discusses the development of the NIST cybersecurity framework to encourage voluntary adoption of best practices. It also notes incentives recommended to the President to promote framework adoption, such as cyber insurance, grants, liability limitations, and streamlined regulations. The document then provides brief biographies of the three speakers on the webcast, who are experts on cybersecurity law and policy from large law firms and companies.
4. Speaking Today
Edward R. McNicholas
Co-Chair, Privacy, Data Security, and Information Law practice, Sidley Austin LLP
Leslie Thornton
Vice President & General Counsel, WGL Holdings, Inc. & Washington Gas Light Company
Jeffrey C. Sharer
Partner, Sidley Austin LLP
5. Speaker: Edward R. McNicholas
EDWARD R. MCNICHOLAS is a global coordinator of Sidley’s Privacy, Data Security, and Information
Law practice. His practice focuses on clients facing complex information technology, constitutional and
privacy issues in civil and white-collar criminal matters. Ed has significant experience with a wide range
of complex Internet and information law matters involving privacy and data protection, electronic
surveillance, cybersecurity, cloud computing, trade secrets, online advertising, “big data” and national
security. Examples of his matters include:
– a constitutional challenge to portions of the HIPAA final rules (Adheris v. Sebelius, (D.D.C.
2013)),
– a consumer class action challenging Internet advertising cookie techniques (In re: Google Inc.
Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (D. Del. 2012-13)),
– defense of a telecommunications carrier against alleged participation in NSA surveillance (In
re National Security Agency Telecommunications Records Litigation, MDL 1791 (N.D.Cal. and
9th Cir. 2006-12)), and
– briefing in more than a dozen cases before the U.S. Supreme Court.
His practice has been recognized by numerous rankings including Chambers USA (since 2008),
Chambers Global (since 2011), and the US Legal 500.
Prior to joining Sidley, Mr. McNicholas served as an Associate Counsel to President Clinton. In that
capacity, he advised senior White House staff regarding various Independent Counsel, congressional
and grand jury investigations. Mr. McNicholas received his J.D. (cum laude) from Harvard Law School,
where he was an editor of the Harvard Law Review. He received his A.B. (summa cum laude) from
Princeton University, and served as a clerk for the Honorable Paul Niemeyer on the U.S. Court of
Appeals for the Fourth Circuit.
6. Speaker: Leslie Thornton
Leslie Thornton has been Vice President and General Counsel of WGL Holdings, Inc. and
Washington Gas Light Company since January 1, 2012, having joined the company as
Counsel to the Chairman in November 2011. Prior to joining the company, Ms. Thornton
served as a partner with prominent Washington D.C. law firms.
Ms. Thornton also served as Chief of Staff to U.S. Secretary of Education Richard W.
Riley, after starting her service in 1992 as Deputy Chief of Staff and Counselor. During
her nearly eight years with the Clinton Administration, Ms. Thornton advised the
Secretary on all administration and agency matters serving as the liaison between the
Secretary and the White House on policy, political, ethics, personnel and other issues.
Holding a top secret clearance, Ms. Thornton served as her agency's representative in the
Continuity of Operations of Government program. In 1995, Ms. Thornton was selected
by the White House to serve on the President's White House Budget Working
Group, and in 1996 was selected to serve in a senior role on President Clinton's
Presidential Debate Team.
Ms. Thornton is a member of numerous associations and boards
in the Washington, D.C. community, and has been widely published
in legal and other newspapers including the Legal Times,
The Wall Street Journal, and the Boston Globe. She holds a
Bachelor of Arts from the University of Pennsylvania and
a law degree from Georgetown University.
7. Speaker: Jeffrey C. Sharer
JEFFREY SHARER is a partner in Sidley’s currently very cold Chicago office. He
concentrates his practice in litigation and regulatory enforcement matters as
well as in matters related to electronic discovery, computer forensics, and
information governance. Jeffrey frequently advises and advocates on behalf
of clients in matters related to the governance, preservation, and discovery
of electronically stored information. In litigation, Jeffrey has handled matters
at all stages of the Electronic Discovery Reference Model, with particular
emphasis on the development and implementation of best practices and on
the use of artificial intelligence, statistical sampling, and related tools and
techniques to reduce costs and burdens and increase quality of results and
defensibility of process throughout the discovery lifecycle. Jeffrey also
advises in the areas of records retention, data privacy, and information
governance, including defensible deletion of data stores.
Jeffrey is a member of Sidley’s Electronic Discovery Task Force and a longtime
member of The Sedona Conference, the nation’s leading nonpartisan law and
policy think tank in the area of electronic discovery. He holds degrees from
the University of Chicago Law School and the University of Michigan.
9. Where are we on cybersecurity?
• Congressional action remains pending
• Focus on implementation of President Obama’s
Executive Order 13636 (February 2013)
– Development of NIST “Cybersecurity Framework” and
programs to encourage voluntary adoption of the
framework
– DHS designation of critical infrastructure (CI) companies (with right of
reconsideration)
– Establishment of regulatory standards by agencies with
statutory authority
– Increased threat information sharing to CI operators
10. NIST Framework
• Implements Executive Order 13636 of Feb. 12, 2013
• Final framework due in February 2014
• Discussion draft of the framework:
– Provide common language for expressing,
understanding, and managing cybersecurity risk
internally and externally
– Develop consistent approach: Identify, Protect, Detect,
Respond, Recover
– Prioritize actions for reducing cybersecurity risk
– Create tools to align policy, business, and technological
approaches to managing risk
11. Incentives Recommended to President
• Cybersecurity Insurance — build underwriting
practices that promote the adoption of cyber risk-
reducing measures and risk-based pricing and foster
a competitive cyber insurance market.
• Grants — leverage federal grant programs.
• Process Preference — consider expediting and
prioritizing existing government service delivery;
technical assistance to critical infrastructure; incident
response situations.
• Liability Limitation — reduced tort liability, limited
indemnity, higher burdens of proof, or the creation of
a federal legal privilege that preempts State
disclosure requirements.
12. Incentives – cont’d
• Streamline Regulations — make compliance easier;
eliminate overlaps among existing laws and
regulation; enable equivalent adoption across
regulatory structures; reduce audit burdens.
• Public Recognition — optional public recognition.
• Rate Recovery for Price Regulated Industries —
dialogue with federal, state, and local regulators and
sector specific agencies on whether the regulatory
agencies that set utility rates should consider allowing
utilities recovery for cybersecurity investments.
• Cybersecurity Research — emphasize research and
development to meet the most pressing cybersecurity
challenges where commercial solutions are not
currently available.
15. Cybersecurity and Information Governance
• Increasing threats of data breach and other cyber incidents,
along with other risks and costs associated with electronic
information systems (such as electronic discovery in legal
and regulatory proceedings), are driving greater focus on
governance of data across the organization
• Cyberthreats, in particular, increase both risk and severity
of potential loss associated with over-retention of customer
PII and other sensitive information
• Loss of protected or sensitive information in data breach
can result in notification obligations, regulatory or civil
exposure, damage to reputation, and other harm to
company
• Risks are only growing with passage of time, especially as
concepts such as purpose limitations and the so-called
“right to be forgotten” gain legislative traction
16. Information Governance At 30,000 Feet
• For most organizations, mitigation of cyberrisk
through effective information governance requires
cross-functional approach
• Stakeholders at most organizations include (at least)
legal and compliance; IT; records and information management (RIM);
privacy; security; and the business
• People, process, and technology
• Surging emphasis on remediation – often referred to
as “defensible disposition” – of data that does not
have ongoing business value and is not subject to
legal or regulatory retention requirements (including
litigation holds)
17. Mitigating Risk Through Defensible Disposition
• As a general rule, if data has no business value and is
not subject to legal or regulatory retention
requirements, it can (and usually should) be deleted
in the normal course of business
• Organizations have wide latitude: Legal standards
are reasonableness, proportionality, and good faith
• Recent benchmarking of Global 1000 companies
estimated that for corporate information at any given
time, 1% is on legal hold, 5% is subject to regulatory
retention requirements, and 25% has current
business value—this means that approximately 70%
of data that organizations are managing and storing,
and that is at risk of loss through data breach or
other security incident, is unnecessary
19. Questions about Simulation Lessons
• On November 13-14, 2013, the so-called GridEx II exercise tested
governmental and industry crisis response plans, and included both
cybersecurity and physical security components.
– Are these sorts of exercises helpful? If so, what did you take away from it?
– How do you manage both the low probability / enormous risks of
cybersecurity issues, and the more mundane but significant risks of
activist or less-sophisticated hackers?
• The report on the first GridEx exercise noted that “Significant horizontal
communication occurs across industry, but vertical information sharing to
NERC and government agencies is limited due to concerns about
compliance implications.” That nicely sums up one of the key information
sharing issues that inhibit cybersecurity preparation.
– Has the information sharing gotten more or less risky for companies?
– Have the Snowden revelations altered the wisdom of sharing cybersecurity
information with the government?
20. Managing Risk Questions
• Does cybersecurity governance need to fit into an overall
information governance strategy? How are they integrated?
• Businesses must adapt to a rapidly evolving technology
environment, but the legal restrictions are developing
slowly. How do you manage this tension?
• How significant a role does insurance play in your management of
the cybersecurity threat?
• The SAFETY Act (www.SafetyAct.Gov) was designed to support
development and deployment of effective anti-terrorism
technologies by designating and certifying Qualified Anti-
Terrorism Technologies (“QATTs”) that receive important legal
liability protections against claims arising out of an act of
terrorism. Is that an effective piece of a cybersecurity risk
management strategy?
21. Legal Standards Questions
• We continue to have a regime of multiple state data breach laws
with slightly different tests. Are these statutes helpful? Would a
preemptive federal test be better?
• Is it better to have multiple, voluntary cybersecurity standards
and widespread variation or would standardization be better?
• The Massachusetts information security regulations take the
unique tack of specifying ISO-based minimum measures. Is this
helpful because it is definite, or an overly simplistic check-box
approach? Which should companies follow?
• Payment card security is almost entirely self-regulatory via the
PCI-DSS. Would this approach work for cybersecurity?
• Has the SEC guidance requiring disclosure of material incidents
helped to increase the level of cybersecurity?
22. Future Developments Questions
• Have you altered your approach to privacy / security
in light of the coming Internet of Things, such as
smart electrical meters? How?
• How should companies factor in these complex
cybersecurity issues in moving to the cloud? What do
you think are the biggest concerns with cloud
computing? Has it made you less likely to move to
the cloud?
• What is the top item on your cybersecurity agenda for
2014?
24. Cybersecurity Questions GCs Should Ask
• Are we “critical infrastructure” operators?
• Do we have IP assets, trade secrets, account records,
consumer data that could be subject to cyber-attack?
Could our facilities be misused as part of an attack?
• What past incidents have we experienced? Are our
incident response procedures effective and well
understood throughout the organization?
• Do we have an up-to-date cybersecurity risk
assessment in hand?
• Who is responsible and accountable for cybersecurity,
and does he/she have sufficient resources?
• Is the Board of Directors adequately focused on
cybersecurity; has it established satisfactory internal
controls and governance structures?
25. More Cybersecurity Questions
• Do we know what existing and prospective laws apply
to cybersecurity?
• Are we subject to specific cybersecurity regulation?
• Do we know what our contracts say about
cybersecurity; do our existing customer / vendor
contracts protect us on cybersecurity? Obligate us?
• Do we have relevant government contracts?
• Do we know the necessary government points of
contact? Do we have appropriately cleared persons?
• Who is monitoring NIST developments and best
industry practices?
• What do we need to include in our SEC filings on
cybersecurity?
26. More Cybersecurity Questions
• Do we have special international exposure and/or
obligations?
• Are we going to participate in the voluntary White
House and NIST cybersecurity framework?
• Could the White House cybersecurity “incentives”
benefit us? Hurt us?
• Do we have good cybersecurity awareness and
personal responsibility throughout our company?
• Do we understand what our legal exposure and
potential liability is?
• Have we considered cyber-insurance?
• Are we at risk for FTC “failure to secure”
enforcement?
27. More Cybersecurity Questions
• Do we have an effective information governance
function and are the right stakeholders involved?
• Do our information governance systems effectively
mitigate risk of loss from data breach or other
incident?
• Have we considered and addressed defensible
disposition of legacy data stores and other sources
that have outlived business value and legal and
regulatory requirements?
28. Lawyer To-Do List For Cybersecurity
• Ensuring legal risks are considered in cybersecurity risk
assessments
• Oversight and readiness for incident response
– Have you vetted and tested your response ability?
– Are you mitigating risk in the ordinary course through effective
information governance?
• Analyzing and explaining the complex legal environment
• Coordination of relationships with government
• Development of standards and internal policies
• Managing protections and obligations in contracts,
customer and vendor relationships
– Addressing “Hack Back” options
• Managing legal/reputational issues
– Required disclosures and reporting
– Risks and rewards of cooperation with government
– Privilege and selective waivers
– Securities issues
29. Questions?
Edward McNicholas: 202.736.8010 eMcNicholas@sidley.com
Jeffrey C. Sharer: 312.853.7028 jcSharer@sidley.com
www.Sidley.com/InfoLaw
This presentation has been prepared by Sidley Austin LLP as of January 2014 for educational and informational
purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does
not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice
from professional advisers.
30. Please Join Us For
January 17, 2014
Information Lifecycle Governance – Minimize Risks & Improve Readiness
All upcoming Ethisphere events can be found at:
http://ethisphere.com/events/