cybersecurity legal trends: the evolving standard of care for companies and management, secureworld...

Shawn E. Tuma Cybersecurity Legal Trends Partner, Scheef & Stone, L.L.P.

Post on 11-Feb-2017


TRANSCRIPT

Shawn E. Tuma

Cybersecurity Legal Trends

Partner, Scheef & Stone, L.L.P.

@shawnetuma #SWDAL15

“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller

Odds: Security @ 100% / Hacker @ 1

Target, Home Depot, Neiman Marcus, Michaels, Specs, TJ Max, eBay, Sally Beauty, PF Chang’s, UPS, Dairy Queen, Jimmy John’s, JP Morgan Chase, Kmart, Staples, Sony, Ashley Madison

www.solidcounsel.com

Cost of a Data Breach – US

2013 Cost $188.00 per record $5.4 million = total average cost paid by organizations

2014 Cost $201 per record $5.9 million = total average cost paid by organizations

2015 Cost $217 per record $6.5 million = total average cost paid by organizations

(Ponemon Institute Cost of Data Breach Studies)

Legal Issues

Responding

Litigation

Regulatory & Administrative

Officer & Director Liability


Responding: Execute Response Plan

Contact attorney (privilege)

Assemble your Response Team

Review insurance & notify carrier

Notify Card Processor

Contact forensics

Contact notification vendor

Investigate breach

Remediate responsible vulnerabilities

Reporting & notification


Responding: Reporting & Notification

Law Enforcement

State Laws: 47 states (all except Ala, NM, SD)

State Attorneys General

VT (pre-notice w/in 14 days)

MD (pre-notice)

NJ (pre-notice to state police)

Consumers

Fla (w/in 30 days)

OH & VT (45 days)

Federal Agencies FTC, SEC, HHS, etc.

Industry Groups PCI, FINRA, etc.

Credit Bureaus

Business Associates Vendors & Suppliers

Litigation


Litigation: Business / Real Harm

Standing has not been an issue in cases where the harm is readily ascertainable: “Target does not challenge Plaintiffs’ allegations with respect to the elements of causation and damages.” In re Target Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D. Minn. 2014) (Financial Institutions Litigation).


Litigation: The Good Old Days

Fear from the heightened risk of future identity theft or fraud from a data breach does not give legal standing to sue by a party whose data may have been compromised.

“Allegations of future harm can establish Article III standing if that harm is “certainly impending,” but “allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013).

“[A]llegation of future injury may suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014).

“Peters has not made the requisite demonstration of injury, traceability and redressability for her alleged injuries.” Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015).


Litigation: Sensing Change?

Target’s Proposed Consumer Litigation Settlement (March 19, 2015)

Target pays $10 million into an interest-bearing escrow account.

Consumers eligible for up to $10,000, if they

Show proof of losses from the data breach (prioritized).

Remaining funds will be disbursed later.


Litigation: The Tectonic Shift

Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).

“The plaintiffs allege that the hackers deliberately targeted Neiman Marcus in order to obtain their credit-card information. . . . [t]here is ‘no need to speculate as to whether [the Neiman Marcus customers’] information has been stolen and what information was taken. . . . there is an ‘objectively reasonable likelihood’ that such an injury will occur.”

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”


Litigation: The Trends?

Standing

Theft of data v. negligent loss of data?

Target Fin. / Sony / Ashley Madison – the harm?

Overall Litigation Trend

Incrementalism

Who’s gonna get it?

Who has best opportunity to control?

Regulatory & Administrative


Regulatory Response – SEC

January 2014: SEC indicates companies need Policies & Procedures for:

1. Prevention, detection, and response to cyber attacks and data breaches,

2. IT training focused on security, and

3. Third party access to company systems and vendor third party due diligence.


Regulatory Response – SEC

April 2014: Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative

Examine 50 registered broker-dealers and registered investment advisors.

7 page sample cybersecurity doc request.

Detailed cybersecurity questions.

Extensive 3rd party provider questions.


Regulatory Response – SEC

S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

“Firms must adopt written policies to protect their clients’ private information”

“they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

violated this “safeguards rule”

100,000 records (no reports of harm)

$75,000 penalty


Regulatory Response – FTC

In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). FTC’s Order requires business to follow 3 steps when contracting with third party service providers:

1. Investigate before hiring data service providers.

2. Obligate their data service providers to adhere to the appropriate level of data security protections.

3. Verify that the data service providers are complying with obligations (contracts).


Regulatory & Administrative

F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act.

Companies have fair notice that their specific cybersecurity practices could fall short of that provision.

3 breaches / 619,000 records / $10.6 million in fraud

Rudimentary practices v. 2007 guidebook

Website Privacy Policy misrepresentations

Officer & Director Liability


Officer & Director Liability

“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

Derivative Litigation: the wave of the future.

Trend of holding responsible those perceived to be in position of control vis-à-vis those perceived as being the victim.

Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham

Derivative claims are premised on the harm to the company that stems from the data breach, a much different standard than the harm / standing issues that plaintiffs face in consumer data breach litigation.

Derivative plaintiffs rely on Caremark claims that are premised on the officers and directors’ lack of oversight, which is a breach of the duty of loyalty and good faith. Companies cannot insulate the officers and directors for a breach of this duty.

Caremark standard: (1) “utterly failed” to implement reporting system or controls; or (2) consciously failed to monitor or oversee system.


Officer & Director Liability

Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).

Palkon, a Wyndham shareholder, brought a derivative action against its officers and directors for failing to ensure that Wyndham implemented adequate security policies and procedures.

Included Caremark Claim: “Defendants failed to ensure that the Company and its subsidiaries implemented adequate information security policies and procedures . . . .” (Pl’s Complaint ¶ 4)

Court granted Motion to Dismiss, finding the board satisfied the business judgement rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.

The well-documented history of diligence and compliance showed the board had discussed cybersecurity risks, company security policies and proposed security enhancements in 14 quarterly meetings and had implemented some of those cybersecurity measures.

Standard of Care

You will be breached. Will you be liable?

It’s not the breach; it’s your diligence that matters most.

Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.

Cyber Risk Assessment

Strategic Planning

Deploy Defense Assets

Develop, Implement & Train on P&P

Tabletop Testing

Reassess & Refine

Parting Thought

Shawn Tuma

Partner, Scheef & Stone, L.L.P.

214.472.2135


@shawnetuma

blog: shawnetuma.com

web: solidcounsel.com

This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Texas SuperLawyers 2015

Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)

Council, Computer & Technology Section, State Bar of Texas

Chair, Civil Litigation & Appellate Section, Collin County Bar Association

College of the State Bar of Texas

Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas

Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

North Texas Crime Commission, Cybercrime Committee

Infragard (FBI)

International Association of Privacy Professionals (IAPP)

Information Systems Security Association (ISSA)

Board of Advisors, Optiv Security

Contributor, Norse DarkMatters Security Blog

Editor, Business Cyber Risk Law Blog