As cyber security and data privacy concerns continue to evolve, security experts must keep themselves up to date to combat increasingly sophisticated threats and protect their firms and clients. In a two-hour LIVE webcast, a panel of distinguished professionals will address significant issues that will shape cyber security and data privacy in 2014, along with practical guidance. Our speakers will address the following key issues:
Article III Standing
Latest theories of liability arising out of data breaches and claims of invasion of privacy
Issues surrounding cyber security and data privacy
Best practices to counteract cyber security and data privacy threats
Latest regulatory updates
To view the webcast go to this link: http://youtu.be/Kkyieu9njdw
To learn more about the webcast please visit our website: http://theknowledgegroup.org
Cyber Security and Data Privacy: Views on Article III Standing LIVE Webcast
1. June 25, 2014
Presented By:
Partner Firms:
Speaker Firms and Organization:
Proofpoint, Inc.
Patrick Wheeler
Director of Data Privacy & Encryption
Quarles & Brady LLP
Bradley Vynalek
Partner
Perkins Coie LLP
Amelia M. Gerlicher
Counsel
6. Partner Firms:
Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider
that focuses on cloud-based solutions for threat protection, compliance,
archiving and governance, and secure communications. Organizations
around the world depend on Proofpoint’s expertise, patented technologies
and on-demand delivery system to protect against phishing, malware and
spam, safeguard privacy, encrypt sensitive information, and archive and
govern messages and critical enterprise information. More information is
available at www.proofpoint.com.
Quarles & Brady LLP exists to help our clients succeed. An area of particular
focus for the firm is data privacy and security where our multi-disciplinary
team of lawyers helps businesses understand the laws and take steps to
protect themselves by successfully developing, implementing, and
maintaining comprehensive privacy and security compliance programs. Our
clients include major national and multinational corporations, high-tech
companies, educational and research institutions, municipalities and
government agencies, charitable organizations, industry executives and
high-net-worth individuals.
Founded in 1892, Quarles & Brady is a multidisciplinary, cross-office legal
services provider with more than 450 attorneys practicing at the top of the
profession in Chicago, Illinois; Milwaukee and Madison, Wisconsin;
Indianapolis, Indiana; Naples and Tampa, Florida; Phoenix and Tucson,
Arizona; and Washington, D.C.
7. Partner Firms:
Perkins Coie has more than 950 lawyers in 19 offices across the United
States and Asia. We provide a full array of corporate, commercial litigation
and intellectual property legal services to a broad range of clients, from
FORTUNE 50 corporations to small, independent start-ups, as well as public
and not-for-profit organizations.
Perkins Coie’s Privacy & Security group represents some of the world’s
leading Internet companies, wired and wireless communications providers,
brick-and-mortar retailers and emerging online businesses on issues
including: Product and General Privacy and Security Counseling; Electronic
Surveillance and User Information Requests; Online and Mobile Advertising;
Privacy Reviews, Assessments and Data Transfers; Network Intrusions and
Data Breaches; Privacy Litigation and Regulatory Investigations; and Cyber
Enforcement.
8. Brief Speaker Bios:
Patrick Wheeler
Over almost fifteen years in information security at industry leaders, Patrick Wheeler has held roles in Product Management and
Product Marketing for a wide range of enterprise solutions, including network and endpoint security, vulnerability management, data
loss prevention and mobile.
Bradley Vynalek
Brad Vynalek is a partner in Quarles & Brady's Commercial Litigation Group. He works with financial service, banking, high tech,
internet, software, manufacturing, e-commerce, health care, start-up, and tech transfer clients. Most recently, he created and
moderated a privacy/cyber security panel presentation for the Arizona Bankers Association, was a panelist for “Cloud: Technology to
Grow Your Business” (Phoenix Bus. Journal), and presenter of "The Hidden Side of Technology" (Trans-West/CloudNet/AZ Tech
Council).
Within the firm, Brad holds national roles ranging from client service team leader to national strategy partner.
9. Brief Speaker Bios:
Amelia M. Gerlicher
Amelia Gerlicher, Counsel at Perkins Coie LLP, assists clients in addressing issues arising from their possession of personal data,
from its collection and use through the aftermath of security breach incidents. A member of the firm’s Privacy & Security group, her
privacy-related litigation experience includes actions arising from a variety of online activity, brought under the federal Wiretap Act, the
Stored Communications Act, the Computer Fraud and Abuse Act, and state privacy laws. She also works with clients on consumer
protection, intellectual property and contract issues arising from a wide variety of online activities, including defending clients against
illegal malicious behavior that interferes with their websites.
► For more information about the speakers, you can visit: http://theknowledgegroup.org/event_name/cyber-security-and-data-privacy-views-on-article-iii-standing-live-webcast/
11. Featured Speakers:
SEGMENT 1:
Patrick Wheeler
Director of Data Privacy & Encryption
Proofpoint, Inc.
SEGMENT 2:
Bradley Vynalek
Partner
Quarles & Brady LLP
SEGMENT 3:
Amelia M. Gerlicher
Counsel
Perkins Coie LLP
14. Regulations Are Having Broad Impact
Regulation of Sensitive information is required in
many cases
Source: ESG Research, Ferris Research
15. Data Breaches Continue
16. Multiple Drivers for Data Privacy
• Mobility & “cloudization” of data are inevitable
• Controlling this data in transit is critical to managing risk
Data Risks are Multiplying
• 24%: Personally owned devices that can be remotely wiped in BYOD situations [2]
• 26%: Data breaches on data hosted externally (in cloud environments) in 2012 [3]
• 44%: Enterprises with users that use G-Docs & Dropbox-like services without IT blessing [1]
Sources: 1, 2. Osterman Report 2012 - Why Securing Communications and Content is a Critical Best Practice; 3. Verizon 2012 Breach Report
17. How Do Breaches Occur?
• Email Communication is crucial for conducting business
• Email Security is crucial for maintaining business
Mistakes Happen
• 35%: Enterprises impacted by improper exposure of data [2]
• 58%: Breaches from actions by insiders & insider devices [1]
• 70%: Sensitive data exposed through email; Email #1 inadvertent risk vector [3]
Sources: 1. Forrester - Understand The State Of Data Security And Privacy: 2012 To 2013; 2. Proofpoint Survey 2011 - Outbound Email and Data Loss Prevention in Today’s Enterprise; 3. ESG Research, Ferris Research
18. Evolving Regulatory Landscape
Gramm-Leach-Bliley Act: Requires financial institutions to explain their data-sharing practices to customers and to safeguard sensitive data.
FACTA: Measures to prevent identity theft and make improvements in the usage and management of consumer credit records.
FINRA: Regulates virtually every aspect of the securities business & fines where necessary.
HIPAA/HITECH: Provisions for privacy & security concerns associated with electronic transmission of health information and record management.
FERPA: Protects privacy of education records and applies to all schools receiving funding from the U.S. Dept of Ed.
Massachusetts Data Privacy Law: Prescriptive standards for the protection of resident personal information.
Nevada Senate Bill 227: Encryption mandates for Nevada state entities managing customer and non-customer personal data.
• Data proliferation and consumerization of IT grows;
• Regulation and Enforcement will continue to evolve as well
Compliance Gets Tougher
• 30%: Enterprises that are concerned that stricter regulations will drive increased litigation [1]
• 47%: HIPAA violation complaints investigated by Office of Civil Rights [2]
• 94%: Percent of US states that now have a data breach and notification law
Sources: 1. US Enterprises - Fulbright & Jaworski, 8th Annual Litigation Trends Report/Survey; 2. HHS.gov 2012
19. Data Is Everywhere, Control Is Difficult
Key Challenges
• 44x growth projected over next 10 years (Source: IDC)
• Social, IM, Mobile, Files, SharePoint
• Keep everything, search for it later
[Diagram labels: Mobile Users; Partners; The Enterprise; Customers; File Stores; Mail Servers; Internet]
20. Tool Time: Where, What and How to Enforce
Data in Motion
• Where to monitor? Network
• What to monitor? Email; Web; IM & Social; File sync & sharing; Collaboration
• Enforcement tools: Mail encryption; Network and messaging DLP; Social media DLP and archiving
Data in Use
• Where to monitor? Endpoint
• What to monitor? PC; USB drives; CD/DVD; Smartphones & tablets; External HDD; Printing
• Enforcement tools: Endpoint and removable media encryption
Data at Rest
• Where to monitor? Discovery
• What to monitor? Mail archives; Mobile; Databases; Network shares
• Enforcement tools: Content discovery (network-based, agent-based)
21. Enterprises Still Challenged
Why isn’t everyone using encryption and DLP today?
Complex
• Two words: “key management”
• Solutions often part of larger, complicated and
mostly unused encryption suite
Inaccurate
• User-driven client-based email encryption
circumvented network DLP controls
• Error-prone and inconsistent
Avoided!
• Required change in user behavior for email
• Poor experience for sender and recipient, and
source of constant frustration
22. Email Encryption: Low-Hanging Fruit?
Email is a Business Enabler
• Ubiquitous and mission-critical to
communication
Over 70% of intellectual property can be found
in the email system
Greatest risk, usually from unintentional
sending of sensitive information
Memos
File systems DBs
Other email
23. The Ideal Solution
Easy to set up and administer
Accurate for sensitive content
identification
Transparent with no reason to
avoid using
Easy. Accurate.
Transparent.
Enable Communication,
Maintain Security & Compliance
24. Best Practice #1 Automated Policy Enforcement
End users should not be trusted with policy enforcement nor
bothered by key management
Automated action is critical and depends upon data
identification technology capable of minimizing false
positives
Auditing and disposition for violations caught must be
efficient to save administration time
25. Best Practice #2 Ongoing Message Control
Messages that are sensitive may
benefit from auto-expiration of
access
• Reduces risk exposure and
unknowns
Encrypted messages must be
revocable On-Demand if required
• Protects against changing
scenarios and roles
• Should be revocable at user and
message level to offer options on
granularity
26. Best Practice #3 Must Support Mobile Experience
One-Click Access to Encrypted
Messages on Mobile
• Should not require forwarding an
email
• Should not cause loss of security
Must be cross-platform
• Frustration in user experience will
cause lack of adoption
27. Information Governance: Where Do You Begin?
Defensibly Dispose the ROT
Control High Value Content
Enterprise Archive
• Retention according to policy
• Securely manage legal holds
Enterprise Governance
• Preserve documents for
eDiscovery or records mgmt
• Enterprise Governance
– Classify, track, monitor content
via DigitalThread™
– Enable document disposition
– Impact storage volume/cost
[Diagram labels: On Legal Hold; Has Business Value; Legally Obligated to Keep; Outdated; Transitory; Redundant]
28. Enterprise Governance Use Case: Regulated Industries
[Workflow diagram, labels as extracted: File Created (.xyz); Classification Applied (Private, M&A, General); Files Tracked; Report & Analyze; Govern information in place; Governance Applied; Move records to RM system]
Retention schedule:
Billings: 10 years
General: 2 years
29. Proofpoint Portfolio of Services
30. Introduction
Brad Vynalek is a partner in Quarles & Brady's Commercial Litigation Group. He works with financial service, banking, high
tech, internet, software, manufacturing, e-commerce, health care, start-up, and tech transfer clients. Most recently, he
created and moderated a privacy/cyber security panel presentation for the Arizona Bankers Association, was a panelist for
“Cloud: Technology to Grow Your Business” (Phoenix Bus. Journal), and presenter of "The Hidden Side of Technology"
(Trans-West/CloudNet/AZ Tech Council).
Within the firm, Brad holds national roles ranging from client service team leader to national strategy partner.
Outside the firm, Brad has served in the following leadership roles: Chair of Make-A-Wish Arizona, President of University of
Arizona's Law College Association, and Co-Chair of the ABA 2014 Sec. of Litigation Annual Conference.
Brad earned his B.A. from Stanford ('95) and J.D. from the Univ. of Arizona James E. Rogers College of Law ('99).
Cyber Security and Data Privacy:
Views on Article III
From the Business-to-Business Perspective
C. Bradley Vynalek,
Partner
32. Overall Context of our Cool New World
33. The Basics
Constitutional Standards
Interaction with statutory standing
Claim Requirements for damages/injury
34. Article III of the Constitution
Provides federal courts power to adjudicate certain cases/controversies
This is the key to standing and subject matter jurisdiction
“Injury in fact” (typical privacy scenario is misappropriation of personal information)
Standing versus Success on the Merits
35. Probable Types of Claims in B2B Privacy Cases
Possible Theories
Generalized theory of negligence in construction of IT system & maintenance of data.
A few states have statute-based liability (e.g., Minnesota, where retailers must comply with credit and
security standards, such as prohibitions on retaining sensitive account data).
Improper storage of sensitive financial and credit data of customers may violate federal law as well.
36. Liability Theories (cont.)
Violation of standards to protect confidential data imposed by the credit or debit card agreements with
the retailer.
Negligence on the specific facts of the data breach (e.g., in Target, an allegation that Target
negligently permitted outside vendor access to its computer network, which was allegedly connected
to the hackers’ break-in).
37. Liability Theories (cont.)
Claims against vendors who allegedly wrongly certified compliance of the compromised system, or
who failed to detect the breach even with 24/7 monitoring services, which are employed by many
major retailers.
38. Who Can Sue?
Customers and Commercial Parties (CP) damaged by the alleged negligence or other breach of
obligation by the retailer. The CP often has contractual claims based on, e.g., the VISA,
MASTERCARD or other Network agreements with the other CP. And the duty of care by one CP may
well be held to run to the other CP, based on foreseeability of harm.
39. Who Can Sue? (cont.)
Actions against third-party vendors, as in the Target case, may be more difficult for CP’s, since they
have no contractual relationship nor is the duty of care as clearly directed toward CP’s in these cases.
May still be able to maintain suits based on “reasonable and foreseeable reliance” theory, however.
All of this currently being litigated in the many Target cases now occurring.
40. For What Harm Can CP’s Recover?
For costs of re-issuance of cards.
For amounts paid to reimburse CP’s customers for fraudulent charges.
Possibly for amounts lost owing to customers being afraid to use their cards (consequential, and
much more speculative - would not think courts will go for this very often, but perhaps in egregious
cases).
41. For What Harm Can CP’s Recover? (cont.)
In big breaches, the vast majority of damages will be in fraudulent charges, rather than costs of
reissuance. E.g., in a recently filed purported class action in Chicago federal court on behalf of bank
plaintiffs, the estimate of bank costs of reissuance is $172MM, while total losses are estimated at
potentially $18BB, about 100 times the cost of reissuance.
42. History of Settlements and Payments by CP’s
TJX (parent of TJ Maxx) spent a reported $256MM in settlements with banks and others in 2007.
Heartland Payment Systems paid $140MM in 2009, and litigation over the breach continues.
43. The Unbelievably Well-Timed June 16, 2014 Order Out of Pennsylvania
Citizens Bank of Pennsylvania v. Reimbursement Technologies, Inc., et al, US District Court for the
Eastern District of Pennsylvania
2014 WL 2738220 (E.D.Pa.)
Background (Bank, physician billing/management company, former employee, and a third party fraud
ring)
Procedural History
Decision (dismissal of common law and statutory negligence, equitable subrogation, fraud, unjust
enrichment, and SCA claims with no leave to amend for a third time)
44. Key Language in Decision
"third party fraud ring"
"fraudulent withdrawals"
"former employee"
"coincidence"
"wrongful acts by intervening third parties"
"The Court cannot hold defendant responsible for the acts of the fraud ring or the tellers at plaintiff's
bank branches."
"unclean hands"
45. The Real Go Forward Action and the What ifs in the B2B World
Industry Groups
Contracts/Negotiation
Indemnity
Insurance Contracts
Risk Avoiding and Shifting (Review and Exclusion fights)
In-House Law and Compliance Departments
Press
Reputational Realities
Executive Suites
Directors and Concerns
Notification rules
46. The Real Go Forward Action and the What ifs in the B2B World (cont’d)
Breach Costs and Play Into Negotiations
Guidelines vs. Law
SEC Guidelines
HIPAA
M&A – diligence/disclosure
Vendor Review
41% of breaches attributed to 3rd parties
Data breaches in cloud 3X more costly (amount of stuff)
Data Center – leases/defaults/who owns/etc.
Privacy and Security Audits
FTC
Opt In and Opt Out
47. Ultimately, it’s all about friction and joint oil
“Everything is new, but nothing changes.”
-Dr. Kotofski
48. Introduction
Amelia Gerlicher, Counsel at Perkins Coie LLP, assists clients in addressing issues arising from their possession of personal
data, from its collection and use through the aftermath of security breach incidents. A member of the firm’s Privacy &
Security group, her privacy-related litigation experience includes actions arising from a variety of online activity, brought
under the federal Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and state privacy laws.
She also works with clients on consumer protection, intellectual property and contract issues arising from a wide variety of
online activities, including defending clients against illegal malicious behavior that interferes with their websites.
Amelia also counsels clients in issues related to the collection and use of personal information that implicate a number of
federal and state privacy laws, including disclosure obligations, security requirements, and data breach notification and
response.
50. What do consumer privacy cases
look like?
51. Types of cases
Traditional data breaches
Hacks, theft, accidents
Sensitive or not-so-sensitive data
Product design complaints
Data is being disclosed or used contrary to policy or consumer expectations
More or different data is being collected than consumer expected
52. Types of Claims
Common law torts
Negligence, fraud/misrepresentation, trespass to chattels, breach of warranty, unjust enrichment
Usually not traditional “right to privacy” torts
Statutory claims
State unfair competition claims
State data breach/data security statutes
Federal statutes often don’t fit, but might include FCRA, Wiretap Act
53. Claimed Injuries
Identity theft (fraudulent charges, new loans, medical fraud)
Increased risk of identity theft
Time and money spent preventing identity theft
Increased price paid for security in product
Unwanted telemarketing/spam
Loss of services
Loss of value of personal information
54. Trends
Plaintiffs either have difficulty tying incident to ID theft or must rely on risk of future harm
Courts have been pretty skeptical on both fronts
But some courts have found that wrongful disclosure, especially combined with facts suggesting
identity theft was the goal, is sufficient for standing.
But then they go on to find that the pled injuries are insufficient.
Outcome is the same in the individual case, but gives plaintiffs openings for the future
55. U.S. Supreme Court Weighs In
56. Clapper v. Amnesty Int’l (2013)
Lawyers, journalists, and others with overseas contacts challenged 2008 FISA amendments that permitted
surveillance of foreign nationals.
Asserted compromised communications, lost sources, costly measures to maintain confidentiality
Held: Petitioners have no standing (Alito, J.)
Theory of future standing is too speculative
Asserted injury is not fairly traceable to the challenged law
Plaintiffs cannot manufacture standing by spending money to avoid speculative harms
57. “Certainly Impending”
“[W]e have repeatedly reiterated that ‘threatened injury must be certainly impending to constitute injury in
fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.”
“The Second Circuit's ‘objectively reasonable likelihood’ standard is inconsistent with our requirement that
‘threatened injury must be certainly impending to constitute injury in fact.’”
58. “Chain of Possibilities”
“Respondents' theory of standing, which relies on a highly attenuated chain of possibilities, does not
satisfy the requirement that threatened injury must be certainly impending.”
Court saw theory as requiring numerous decisions on the government’s part to target Respondents’
contacts—none of which Respondents could know or control.
“We decline to abandon our usual reluctance to endorse standing theories that rest on speculation
about the decisions of independent actors.”
59. “Manufactured standing”
“Respondents' contention that they have standing because they incurred certain costs as a reasonable
reaction to a risk of harm is unavailing — because the harm respondents seek to avoid is not certainly
impending. In other words, respondents cannot manufacture standing merely by inflicting harm on
themselves based on their fears of hypothetical future harm that is not certainly impending.”
60. District Courts React
Barnes & Noble: Cites Clapper to deny standing on a dozen claims, but plaintiffs could not plead any disclosure. (N.D. Ill. 2013)
Galaria v. Nationwide: Plaintiffs alleged disclosure, but not identity theft. Standing rejected because injury was too uncertain. (S.D. Ohio 2014)
In re SAIC Backup Tape Theft: Risk of harm was too attenuated when the underlying theft was for goods, not data, but plaintiffs who alleged actual ID theft did have standing. (D.D.C. 2014)
Stautins v. Trustwave: Standing rejected for a criminal hack where plaintiffs could not demonstrate information was taken. (N.D. Ill. 2014)
61. But then there’s Sony
Widely reported credit card breach that disrupted access to PlayStation Network and related services
Original MTD granted, but court found standing based on allegations that information was
disseminated, increasing the risk of future harm.
Consistent with previous 9th Circuit precedent.
New complaint, new MTD, Sony urged reconsideration in light of Clapper.
62. Sony Claims Survive
9th Circuit, pre-Clapper: standing must be based on a “real and immediate” threat of harm.
Clapper: Harm must be certainly impending.
Sony: “real and immediate threat” = “certainly impending”
Accordingly, allegations that information was wrongfully disclosed, causing a threat of harm, remain
sufficient in the 9th Circuit to show standing.
63. And they showed injury too
Sony succeeded in getting 43 of 51 claims thrown out
Most torts claimed insufficient injury, or injury that could not be supported by the facts
Remaining claims:
State Unfair Competition claims seeking injunctive relief
Unfair Competition claims for damages based on omissions
California data breach notice claim for injunctive relief
Some of the remaining claims have attorney fees provisions
Last week: Settlement filed for $15 million.
64. Where are we?
65. Injuries other than risk of harm
Actual identity theft doesn’t always work
Banks/cards cover most out-of-pocket losses from card theft
Causation is a problem
Time/aggravation not compensable
Most other theories of injury work less well
Loss of value of PII: Courts are skeptical individuals trade on their own information
Loss of free services: No monetary damages
Loss of privacy: Information is generally not truly private
Preventative measures: Cut off in Clapper
66. Top Risks for Breached Companies
Breaches most likely to attract a lawsuit:
Financial information
Intentional theft by bad actors
Known misuse of information
Large breach with media attention
67. Top Risks for Breached Companies
Breaches most likely to survive a lawsuit (at least for a while):
Known misuse of information
Affected individuals with out-of-pocket costs
Breach exploited security practices inconsistent with expectations
Well-pled injunctive relief
68. What to do?
Before the breach:
Know what you have
Data
Systems
What are you saying about your security practices?
You can’t lose information you don’t have
69. What to do?
During and after:
Don’t say more than you know
Understand as much as possible about who is affected
Take advantage of the card companies’ protections
Tailor your strategy to your customers and how they communicate
Avoid out-of-pocket losses for those affected
ABOUT THE KNOWLEDGE GROUP, LLC.
The Knowledge Group, LLC is an organization that produces live webcasts which examine regulatory
changes and their impacts across a variety of industries. “We bring together the world's leading
authorities and industry participants through informative two-hour webcasts to study the impact of
changing regulations.”
Disclaimer:
The Knowledge Group, LLC is producing this event for information purposes only. We do not intend to
provide or offer business advice.
The contents of this event are based upon the opinions of our speakers. The Knowledge Congress
does not warrant their accuracy and completeness. The statements made by them are based on their
independent opinions and do not necessarily reflect the views of The Knowledge Congress.
In no event shall The Knowledge Congress be liable to any person or business entity for any special,
direct, indirect, punitive, incidental or consequential damages as a result of any information gathered
from this webcast.