Presentation to the State Bar of Texas Advanced In House Counsel Course on August 15, 2014

1. A Brave New World
of Cyber Security
and Data Breach
Jim Brashear
General Counsel
Zix Corporation
Dallas
Chad Pinson
Managing Director & Head of Office
Stroz Friedberg
Dallas

2. Cyber Risks Top Business Concerns
2 8/20/2014
EisnerAmper, Concerns About Risks Confronting Boards 2014
“Reputation,
cybersecurity
and social
media are
largely
intertwined
and the
associated
risk has
captured the
attention of
most boards”

3. Cyber Risk
Slide 3
Threat
Risk
Vulnerability Consequence

4. Threat Landscape
4

5. KKeeyy DDaattaa SSeeccuurriittyy RRiisskkss
•Loss or theft of device
•Social engineering
•Insiders
•Malware
•Hacking
•Data Interception

6. Lost and Stolen Portable Devices

7. Phishing and
Social Engineering

8. Insiders

9. Rogue Cloud
Data
Data
Data
Data
Data
Data
Even if you don’t authorize cloud data storage
It’s happening

10. Types
of
Attacks

11. Zero Day Exploits

12. SQL Injections

13. Data in Transmission

14. Data Intercepts Happen
Even if you don’t see them

15. Reasonable Expectation of Privacy?

16. Who are Targets?
• Individuals
• Governments
• Universities
• Businesses
• Outside directors
• Services providers
– Professionals
– Outsourcers
– Board portal

17.  TWargheto In daursetri eTsargets?
Slide 17

18. Hacking Law Firms
• ALAS: Hacker threats are not hypothetical
• Law firms are soft targets
– Treasure trove of confidential client information
– Consultants, vendors, business partners and
employees may have relatively weak data
security

19. What Are Hackers After?
• Proprietary Information
Slide 19
– Cybercriminals: corporate
trade secrets
– Nation-state hackers:
military and defense
intellectual property,
designs and plans
• Personal Financial Data
• Political change
• Embarrassment
• Information Freedom

21. Cyber Attack Impacts
• Loss of IP, confidential information
• Privacy data breach
• Business disruption
• Forensics, containment, recovery,
remediation
• Regulatory investigation
• Violations, Increased compliance
costs
• Contract breaches
• Consumer lawsuits
• Adverse publicity, brand damage
• Loss of customer trust
• Revenue impact
• Share price decline
• Shareholder derivative suits
• Fines
• Impact on insurance

22. Privacy ≠ Cybersecurity
Privacy Cybersecurity

23. Twice Victimized by Databreach?
Slide 23

24. Litigation
• Consumer class action lawsuits
• Statutory personal rights
• Tort law negligence
• “Reasonable care”
• Contract breach
• Failure to use reasonable care to protect
data under NDA or confidentiality covenants
• First Circuit: Bank failed to provide
commercially reasonable data security
• Patco Contruction Co., Inc. v. People’s
United Bank
• IP Enforcement
• Trade secret law requires reasonable care
to protect confidentiality

25. D&O Liability for Cyber Incidents
“[B]oards that choose to ignore, or minimize, the
importance of cybersecurity responsibility do so
at their own peril.”
~ SEC Commissioner Luis A. Aguilar, June 10, 2014
 Shareholder derivative actions
• Breach of duty of care and duty of oversight
• Derived from good faith obligation in duty of loyalty
 Business judgment rule may not protect directors who
fail to act on cybersecurity
– “Technically speaking, it has no role where directors have
either abdicated their functions, or absent a conscious decision,
failed to act.” Aronson v. Lewis (Del. 1984)
 D&O insurance may not apply
– Exclusion for liability resulting from a privacy breach

26. Federal Enforcement
Slide 26
Case in Point
 Wyndham Worldwide Corp.
– FTC alleges privacy policy
misrepresented security
measures
 Deceptive practice
– FTC alleges failures to
maintain “reasonable and
appropriate data security”
 Unfair practice
 Increased FTC enforcement
 Overlapping jurisdiction with other agencies

27. State Data Breach Enforcement
 47 U.S. States now have databreach
notification laws
 State AGs are actively enforcing them
– State AGs also empowered to enforce HIPAA

28. Texas Privacy Laws
 Texas has some of the strictest privacy laws
in the country
– Data breach notification statute encompasses non-residents
– Texas medical privacy laws are stricter than HIPAA
 Texas privacy laws protect:
– Sensitive Personal Information (SPI)
– Protected Health Information (PHI)
 A business may be simultaneously subject to:
– Texas Identity Theft Enforcement and Protection Act
– Texas Medical Records Privacy Act
– HIPAA and HITECH
– Other privacy laws

29. Two Principal Texas Privacy Statutes
Identity Theft Enforcement and Protection Act
Applies to virtually all businesses operating in Texas
Business and Commerce Code Chapter 521
http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
Medical Records Privacy Act
Broader than HIPAA
Health & Safety Code Chapter 181
http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm

30. Duty to Protect Personal Information
Business and Commerce Code §521.052
Business must use reasonable procedures to protect
from unlawful use or disclosure any sensitive personal
information collected or maintained in its regular course
of business

31. AT THE SEC: A QUIET EVOLUTION
July 1998: OIE Formed
January 2010: Renewed Focus on IT
Infrastructure
October 2011: SEC Cybersecurity
Guidance
January 2014: Jarcho Speech/FINRA
Sweep Announcement
March 2014: SEC Cybersecurity
Roundtable
April 15: OCIE Risk Alert

32. SEC Focus on Cyber Risk
Slide 32 32

33. Cyber Risk Disclosure
 SEC Disclosure Guidance
– 2011 CF Disclosure Guidance: Topic No. 2 Cybersecurity
– Directs public companies to review, on an ongoing basis,
the adequacy of their disclosure relating to cyber security
risks and cyber incidents
 6 disclosure areas
– Risk Factors
– Management's Discussion and Analysis (MD&A)
– Business Description
– Legal Proceedings
– Financial Statement Disclosure
– Disclosure Controls and Procedures

34. Board Oversight of Cyber Risk
• Where does the board and management responsibility reside?
• Adequate board expertise?
• Who reports on cybersecurity and privacy to the board?

35. Cyber Risk Assessment Quandry
Too Little Information
Too Much Information

36. Proactive Risk Assessments
Slide 36
NOT CHECK-THE-BOX

37. New ABA Resolution
“The American Bar Association encourages
all private and public sector organizations
to develop, implement, and maintain
an appropriate cybersecurity program that
complies with applicable ethical and legal
obligations and is tailored to the nature and
scope of the organization and the data and
systems to be protected.”

38. Have a Data Breach Response Plan
Slide 38

39. Multi-disciplinary Approach to Incident Response
In-House
Counsel
Incident
Response
In-House
IT
CPO, CSO
Compliance
Business
Unit
Client and
Media
Relations
Human
Resources
OUTSIDE
INCIDENT
RESPONSE
EXPERTS
OUTSIDE
COUNSEL

40. Slide 40
Technical Incident
Response Team
Employees
From relevant c-levels
of a
company’s org
chart
Information
technology,
investor relations,
public relations,
legal etc.
Independent
Outside Experts
Engage experts to
conduct
independent
investigation of
the attack
Tasks include data
preservation,
malware analysis,
digital forensic
analysis, reversed
engineering
Invest in Resources

41. Test the Plan
 Educate
 Awareness
 Test

42. NIST Cyber Risk Framework

43. NIST Framework
• Initiated by Executive Order 13636
• Voluntary
• Designed primarily for US critical infrastructure
owners and operators
• Applicability to companies of all sizes
• Does not create new standards
• Leverages existing cybersecurity practices
• Recommends a proactive cyber risk
management process to assess risks and
capabilities, and establish goals and a plan

44. NIST Framework

45. NIST Framework
Slide 45

46. New COSO Integrated Framework
Expands
emphasis
on risk
assessment

47. Key Recommendations
 Make cyber risk awareness part of company culture
 Recurring cyber security and privacy law training for
employees and contractors
 Adopt enterprise-wide cyber risk oversight framework
 Identify and retain outside consultants before crisis need
arises
 Assess regulatory and contractual requirements
 Written policies and procedures to protect Sensitive
Personal Information and Protected Health Information
 Written data breach response procedures
 Monitor and audit privacy and data security procedures
 Revise privacy notices to reflect amended state laws and
changes in company technology and practices
 Annual cyber risk insurance coverage analysis

48. Cyber Security Ethics
Slide 48

49. Ethics: Competence
Rule 1.1
A lawyer shall provide competent
representation to a client
A lawyer should keep abreast of
the risks associated with
technology

50. Ethics: Client Property
Rule 1.15
Client property should be
appropriately safeguarded
 A lawyer should hold property of
others with the care required of
a professional fiduciary
Information
is property

51. Ethics: Client Confidences
Texas Rule 1.05
Lawyer shall not knowingly reveal
confidential information of a client or
former client
 Unless the client
“consents after consultation”

52. Ethics: Client Confidences
New Model Rule 1.6
A lawyer shall make reasonable
efforts to prevent the inadvertent
disclosure of, or unauthorized access
to, information relating to the
representation of a client

53. Ethics: Proactive Confidentiality
Comments to Model Rule 1.6
17. When transmitting a communication,
lawyer must take reasonable
precautions to prevent the
information from coming into the
hands of unintended recipients

54. Securing cyberspace
starts with YOU
National Cybersecurity Awareness Campaign