A Brave New World of Cyber Security and Data Breach
1. A Brave New World of Cyber Security and Data Breach
Jim Brashear, General Counsel, Zix Corporation, Dallas
Chad Pinson, Managing Director & Head of Office, Stroz Friedberg, Dallas
2. Cyber Risks Top Business Concerns
8/20/2014
EisnerAmper, Concerns About Risks Confronting Boards 2014:
“Reputation, cybersecurity and social media are largely intertwined and the associated risk has captured the attention of most boards”
18. Hacking Law Firms
• ALAS: Hacker threats are not hypothetical
• Law firms are soft targets
– Treasure trove of confidential client information
– Consultants, vendors, business partners and employees may have relatively weak data security
19. What Are Hackers After?
• Proprietary Information
– Cybercriminals: corporate trade secrets
– Nation-state hackers: military and defense intellectual property, designs and plans
• Personal Financial Data
• Political change
• Embarrassment
• Information Freedom
21. Cyber Attack Impacts
• Loss of IP, confidential information
• Privacy data breach
• Business disruption
• Forensics, containment, recovery, remediation
• Regulatory investigation
• Violations, increased compliance costs
• Contract breaches
• Consumer lawsuits
• Adverse publicity, brand damage
• Loss of customer trust
• Revenue impact
• Share price decline
• Shareholder derivative suits
• Fines
• Impact on insurance
24. Litigation
• Consumer class action lawsuits
– Statutory personal rights
– Tort law negligence: “reasonable care”
• Contract breach
– Failure to use reasonable care to protect data under NDA or confidentiality covenants
– First Circuit: bank failed to provide commercially reasonable data security (Patco Construction Co., Inc. v. People’s United Bank)
• IP Enforcement
– Trade secret law requires reasonable care to protect confidentiality
25. D&O Liability for Cyber Incidents
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”
~ SEC Commissioner Luis A. Aguilar, June 10, 2014
Shareholder derivative actions
• Breach of duty of care and duty of oversight
• Derived from good faith obligation in duty of loyalty
Business judgment rule may not protect directors who fail to act on cybersecurity
– “Technically speaking, it has no role where directors have either abdicated their functions, or absent a conscious decision, failed to act.” Aronson v. Lewis (Del. 1984)
D&O insurance may not apply
– Exclusion for liability resulting from a privacy breach
26. Federal Enforcement
Case in Point: Wyndham Worldwide Corp.
– FTC alleges privacy policy misrepresented security measures (deceptive practice)
– FTC alleges failures to maintain “reasonable and appropriate data security” (unfair practice)
Increased FTC enforcement
Overlapping jurisdiction with other agencies
27. State Data Breach Enforcement
47 U.S. states now have data breach notification laws
State AGs are actively enforcing them
– State AGs are also empowered to enforce HIPAA
28. Texas Privacy Laws
Texas has some of the strictest privacy laws in the country
– Data breach notification statute encompasses non-residents
– Texas medical privacy laws are stricter than HIPAA
Texas privacy laws protect:
– Sensitive Personal Information (SPI)
– Protected Health Information (PHI)
A business may be simultaneously subject to:
– Texas Identity Theft Enforcement and Protection Act
– Texas Medical Records Privacy Act
– HIPAA and HITECH
– Other privacy laws
29. Two Principal Texas Privacy Statutes
Identity Theft Enforcement and Protection Act
Applies to virtually all businesses operating in Texas
Business and Commerce Code Chapter 521
http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
Medical Records Privacy Act
Broader than HIPAA
Health & Safety Code Chapter 181
http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm
30. Duty to Protect Personal Information
Business and Commerce Code §521.052
A business must use reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained in its regular course of business
31. At the SEC: A Quiet Evolution
July 1998: OIE Formed
January 2010: Renewed Focus on IT Infrastructure
October 2011: SEC Cybersecurity Guidance
January 2014: Jarcho Speech / FINRA Sweep Announcement
March 2014: SEC Cybersecurity Roundtable
April 15, 2014: OCIE Risk Alert
33. Cyber Risk Disclosure
SEC Disclosure Guidance
– 2011 CF Disclosure Guidance: Topic No. 2 Cybersecurity
– Directs public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents
6 disclosure areas
– Risk Factors
– Management's Discussion and Analysis (MD&A)
– Business Description
– Legal Proceedings
– Financial Statement Disclosure
– Disclosure Controls and Procedures
34. Board Oversight of Cyber Risk
• Where does the board and management responsibility reside?
• Adequate board expertise?
• Who reports on cybersecurity and privacy to the board?
37. New ABA Resolution
“The American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”
39. Multi-disciplinary Approach to Incident Response
Incident response brings together:
– In-house counsel
– In-house IT
– CPO, CSO
– Compliance
– Business unit
– Client and media relations
– Human resources
Supported from outside by:
– Outside incident response experts
– Outside counsel
40. Technical Incident Response Team
Employees
– From relevant C-levels of a company’s org chart: information technology, investor relations, public relations, legal, etc.
Independent Outside Experts
– Engage experts to conduct an independent investigation of the attack
– Tasks include data preservation, malware analysis, digital forensic analysis, reverse engineering
Invest in Resources
43. NIST Framework
• Initiated by Executive Order 13636
• Voluntary
• Designed primarily for US critical infrastructure owners and operators
• Applicability to companies of all sizes
• Does not create new standards
• Leverages existing cybersecurity practices
• Recommends a proactive cyber risk management process to assess risks and capabilities, and establish goals and a plan
47. Key Recommendations
Make cyber risk awareness part of company culture
Recurring cyber security and privacy law training for employees and contractors
Adopt an enterprise-wide cyber risk oversight framework
Identify and retain outside consultants before the crisis need arises
Assess regulatory and contractual requirements
Written policies and procedures to protect Sensitive Personal Information and Protected Health Information
Written data breach response procedures
Monitor and audit privacy and data security procedures
Revise privacy notices to reflect amended state laws and changes in company technology and practices
Annual cyber risk insurance coverage analysis
49. Ethics: Competence
Rule 1.1
A lawyer shall provide competent representation to a client
A lawyer should keep abreast of the risks associated with technology
50. Ethics: Client Property
Rule 1.15
Client property should be appropriately safeguarded
A lawyer should hold property of others with the care required of a professional fiduciary
Information is property
51. Ethics: Client Confidences
Texas Rule 1.05
A lawyer shall not knowingly reveal confidential information of a client or former client unless the client “consents after consultation”
52. Ethics: Client Confidences
New Model Rule 1.6
A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client
53. Ethics: Proactive Confidentiality
Comments to Model Rule 1.6
17. When transmitting a communication, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients