cybersecurity legal trends: the evolving standard of care for companies and management, secureworld...
TRANSCRIPT
“There are only two types of companies: those that have been hacked, and those that will be.” – Robert Mueller
Odds: Security @ 100% / Hacker @ 1
Target, Home Depot, Neiman Marcus, Michaels, Specs, TJ Maxx, eBay, Sally Beauty, PF Chang’s, UPS, Dairy Queen, Jimmy John’s, JP Morgan Chase, Kmart, Staples, Sony, Ashley Madison
www.solidcounsel.com
Cost of a Data Breach – US
2013 Cost $188.00 per record $5.4 million = total average cost paid by organizations
2014 Cost $201 per record $5.9 million = total average cost paid by organizations
2015 Cost $217 per record $6.5 million = total average cost paid by organizations
(Ponemon Institute Cost of Data Breach Studies)
Responding: Execute Response Plan
Contact attorney (privilege)
Assemble your Response Team
Review insurance & notify carrier
Notify Card Processor
Contact forensics
Contact notification vendor
Investigate breach
Remediate responsible vulnerabilities
Reporting & notification
Responding: Reporting & Notification
Law Enforcement
State Laws: 47 states (all except Ala, NM, SD)
State Attorneys General
VT (pre-notice w/in 14 days)
MD (pre-notice)
NJ (pre-notice to state police)
Consumers
Fla (w/in 30 days)
OH & VT (45 days)
Federal Agencies: FTC, SEC, HHS, etc.
Industry Groups: PCI, FINRA, etc.
Credit Bureaus
Business Associates: Vendors & Suppliers
Litigation: Business / Real Harm
Standing has not been an issue in cases where the harm is readily ascertainable: “Target does not challenge Plaintiffs’ allegations with respect to the elements of causation and damages.” In re Target Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d 1304, 1310 (D. Minn. 2014) (Financial Institutions Litigation).
Litigation: The Good Old Days
Fear from the heightened risk of future identity theft or fraud from a data breach does not give legal standing to sue by a party whose data may have been compromised.
“Allegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013).
“[A]llegation of future injury may suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014).
“Peters has not made the requisite demonstration of injury, traceability and redressability for her alleged injuries.” Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015).
Litigation: Sensing Change?
Target’s Proposed Consumer Litigation Settlement (March 19, 2015)
Target to pay $10 million into an interest-bearing escrow account.
Consumers eligible for up to $10,000 if they show proof of losses from the data breach (prioritized).
Remaining funds will be disbursed later.
Litigation: The Tectonic Shift
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015).
“The plaintiffs allege that the hackers deliberately targeted Neiman Marcus in order to obtain their credit-card information. . . . [t]here is ‘no need to speculate as to whether [the Neiman Marcus customers’] information has been stolen and what information was taken. . . . there is an ‘objectively reasonable likelihood’ that such an injury will occur.”
“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
Litigation: The Trends?
Standing
Theft of data v. negligent loss of data?
Target Fin. / Sony / Ashley Madison – the harm?
Overall Litigation Trend
Incrementalism
Who’s gonna get it?
Who has best opportunity to control?
Regulatory Response – SEC
January 2014: SEC indicates companies need Policies & Procedures for:
1. Prevention, detection, and response to cyber attacks and data breaches,
2. IT training focused on security, and
3. Third party access to company systems and vendor third party due diligence.
Regulatory Response – SEC
April 2014: Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative
Examine 50 registered broker-dealers and registered investment advisors.
7 page sample cybersecurity document request.
Detailed cybersecurity questions.
Extensive 3rd party provider questions.
Regulatory Response – SEC
S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
“Firms must adopt written policies to protect their clients’ private information”
“they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Violated the “safeguards rule”
100,000 records (no reports of harm)
$75,000 penalty
Regulatory Response – FTC
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). FTC’s Order requires business to follow 3 steps when contracting with third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections.
3. Verify that the data service providers are complying with obligations (contracts).
Regulatory & Administrative
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act.
Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
3 breaches / 619,000 records / $10.6 million in fraud
Rudimentary practices v. 2007 guidebook
Website Privacy Policy misrepresentations
Officer & Director Liability
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.
Derivative Litigation: the wave of the future.
Trend of holding responsible those perceived to be in position of control vis-à-vis those perceived as being the victim.
Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
Derivative claims are premised on the harm to the company that stems from the data breach, a much different standard than the harm / standing issues that plaintiffs face in consumer data breach litigation.
Derivative plaintiffs rely on Caremark claims that are premised on the officers and directors’ lack of oversight, which is a breach of the duty of loyalty and good faith. Companies cannot insulate the officers and directors for a breach of this duty.
Caremark standard: (1) “utterly failed” to implement reporting system or controls; or (2) consciously failed to monitor or oversee system.
Officer & Director Liability
Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014).
Palkon, a Wyndham shareholder, brought a derivative action against its officers and directors for failing to ensure that Wyndham implemented adequate security policies and procedures.
Included Caremark Claim: “Defendants failed to ensure that the Company and its subsidiaries implemented adequate information security policies and procedures . . . .” (Pl’s Complaint ¶ 4)
Court granted Motion to Dismiss, finding the board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.
The well-documented history of diligence and compliance showed the board had discussed cybersecurity risks, company security policies and proposed security enhancements in 14 quarterly meetings and had implemented some of those cybersecurity measures.
You will be breached. Will you be liable?
It’s not the breach; it’s your diligence that matters most.
Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.
The diligence cycle:
Cyber Risk Assessment
Strategic Planning
Deploy Defense Assets
Develop, Implement & Train on P&P
Tabletop Testing
Reassess & Refine
Shawn Tuma
Partner, Scheef & Stone, L.L.P.
214.472.2135
@shawnetuma
blog: shawnetuma.com
web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Texas SuperLawyers 2015
Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
Council, Computer & Technology Section, State Bar of Texas
Chair, Civil Litigation & Appellate Section, Collin County Bar Association
College of the State Bar of Texas
Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Information Systems Security Association (ISSA)
Board of Advisors, Optiv Security
Contributor, Norse DarkMatters Security Blog
Editor, Business Cyber Risk Law Blog