Cybersecurity: Managing Risk Around New Data Threats

GOOD. SMART. BUSINESS. PROFIT.™

Upload: ethisphere

Post on 17-Aug-2015



Cybersecurity: Managing Risk Around New Data Threats

January 8, 2014

www.paulhastings.com ©2013 Paul Hastings LLP

HOST: Chelsie Chmela, Events Manager, [email protected], 703.960.2360

QUESTIONS: We encourage you to engage during the Q&A portion of today's webcast by using the "Submit Question" button located within your viewing experience.

MATERIALS: Included in your registration: • Event recording and deck: West LegalEdcenter provides on-demand event access for 180 days or until the end of your subscription, if sooner.

The opinions expressed in this presentation are those of the panelist and do not reflect the opinions, practices or policies of the panelists' respective employers, nor do they constitute legal advice.


Edward R. McNicholas, Co-Chair, Privacy, Data Security, and Information Law practice, Sidley Austin LLP

Leslie Thornton, Vice President & General Counsel, WGL Holdings, Inc. & Washington Gas Light Company

Jeffrey C. Sharer, Partner, Sidley Austin LLP

SPEAKING TODAY

Speaker: Edward R. McNicholas

EDWARD R. MCNICHOLAS is a global coordinator of Sidley's Privacy, Data Security, and Information Law practice. His practice focuses on clients facing complex information technology, constitutional and privacy issues in civil and white-collar criminal matters. Ed has significant experience with a wide range of complex Internet and information law matters involving privacy and data protection, electronic surveillance, cybersecurity, cloud computing, trade secrets, online advertising, "big data" and national security. Examples of his matters include:

– a constitutional challenge to portions of the HIPAA final rules (Adheris v. Sebelius, (D.D.C. 2013)),

– a consumer class action challenging Internet advertising cookie techniques (In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (D. Del. 2012-13)),

– defense of a telecommunications carrier against alleged participation in NSA surveillance (In re National Security Agency Telecommunications Records Litigation, MDL 1791 (N.D. Cal. and 9th Cir. 2006-12)), and

– briefing in more than a dozen cases before the U.S. Supreme Court.

His practice has been recognized by numerous rankings including Chambers USA (since 2008), Chambers Global (since 2011), and the US Legal 500.

Prior to joining Sidley, Mr. McNicholas served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Mr. McNicholas received his J.D. (cum laude) from Harvard Law School, where he was an editor of the Harvard Law Review. He received his A.B. (summa cum laude) from Princeton University, and served as a clerk for the Honorable Paul Niemeyer on the U.S. Court of Appeals for the Fourth Circuit.


Speaker: Leslie Thornton

Leslie Thornton has been Vice President and General Counsel of WGL Holdings, Inc. and Washington Gas Light Company since January 1, 2012, having joined the company as Counsel to the Chairman in November 2011. Prior to joining the company, Ms. Thornton served as a partner with prominent Washington, D.C. law firms.

Ms. Thornton also served as Chief of Staff to U.S. Secretary of Education Richard W. Riley, after starting her service in 1992 as Deputy Chief of Staff and Counselor. During her nearly eight years with the Clinton Administration, Ms. Thornton advised the Secretary on all administration and agency matters, serving as the liaison between the Secretary and the White House on policy, political, ethics, personnel and other issues. Holding a top secret clearance, Ms. Thornton served as her agency's representative in the Continuity of Operations of Government program. In 1995, Ms. Thornton was selected by the White House to serve on the President's White House Budget Working Group, and in 1996 was selected to serve in a senior role on President Clinton's Presidential Debate Team.

Ms. Thornton is a member of numerous associations and boards in the Washington, D.C. community, and has been widely published in legal and other newspapers including the Legal Times, The Wall Street Journal, and the Boston Globe. She holds a Bachelor of Arts from the University of Pennsylvania and a law degree from Georgetown University.

Speaker: Jeffrey C. Sharer

JEFFREY SHARER is a partner in Sidley's (currently very cold) Chicago office. He concentrates his practice in litigation and regulatory enforcement matters as well as in matters related to electronic discovery, computer forensics, and information governance. Jeffrey frequently advises and advocates on behalf of clients in matters related to the governance, preservation, and discovery of electronically stored information. In litigation, Jeffrey has handled matters at all stages of the Electronic Discovery Reference Model, with particular emphasis on the development and implementation of best practices and on the use of artificial intelligence, statistical sampling, and related tools and techniques to reduce costs and burdens and increase the quality of results and the defensibility of process throughout the discovery lifecycle. Jeffrey also advises in the areas of records retention, data privacy, and information governance, including defensible deletion of data stores.

Jeffrey is a member of Sidley's Electronic Discovery Task Force and a longtime member of The Sedona Conference, the nation's leading nonpartisan law and policy think tank in the area of electronic discovery. He holds degrees from the University of Chicago Law School and the University of Michigan.

Opening Comments of Edward McNicholas


Where are we on cybersecurity?

• Congressional action remains pending

• Focus on implementation of President Obama's Executive Order 13636 (February 2013)

– Development of the NIST "Cybersecurity Framework" and programs to encourage voluntary adoption of the framework

– DHS designation of CI (critical infrastructure) companies (with right of reconsideration)

– Establishment of regulatory standards by agencies with statutory authority

– Increased threat information sharing to CI operators

NIST Framework

• Implements the Feb. 12, 2013 Executive Order

• Final framework due in February 2014

• Discussion Framework:

– Provide a common language for expressing, understanding, and managing cybersecurity risk internally and externally

– Develop a consistent approach: Identify, Protect, Detect, Respond, Recover

– Prioritize actions for reducing cybersecurity risk

– Create tools to align policy, business, and technological approaches to managing risk

Incentives Recommended to President

• Cybersecurity Insurance — build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.

• Grants — leverage federal grant programs.

• Process Preference — consider expediting and prioritizing existing government service delivery; technical assistance to critical infrastructure; incident response situations.

• Liability Limitation — reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a federal legal privilege that preempts State disclosure requirements.

Incentives – cont'd

• Streamline Regulations — make compliance easier; eliminate overlaps among existing laws and regulation; enable equivalent adoption across regulatory structures; reduce audit burdens.

• Public Recognition — optional public recognition.

• Rate Recovery for Price Regulated Industries — dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments.

• Cybersecurity Research — emphasize research and development to meet the most pressing cybersecurity challenges where commercial solutions are not currently available.

Opening Comments of Leslie Thornton, General Counsel of Washington Gas

Opening Comments of Jeffrey Sharer

Cybersecurity and Information Governance

• Increasing threats of data breach and other cyberincidents, along with other risks and costs associated with electronic information systems (such as electronic discovery in legal and regulatory proceedings), are driving greater focus on governance of data across the organization

• Cyberthreats, in particular, increase both the risk and the severity of potential loss associated with over-retention of customer PII and other sensitive information

• Loss of protected or sensitive information in a data breach can result in notification obligations, regulatory or civil exposure, damage to reputation, and other harm to the company

• Risks are only growing with the passage of time, especially as concepts such as purpose limitations and the so-called "right to be forgotten" gain legislative traction

Information Governance At 30,000 Feet

• For most organizations, mitigation of cyberrisk through effective information governance requires a cross-functional approach

• Stakeholders at most organizations include (at least) legal and compliance; IT; RIM (records and information management); privacy; security; and business

• People, process, and technology

• Surging emphasis on remediation – often referred to as "defensible disposition" – of data that does not have ongoing business value and is not subject to legal or regulatory retention requirements (including litigation holds)

Mitigating Risk Through Defensible Disposition

• As a general rule, if data has no business value and is not subject to legal or regulatory retention requirements, it can (and usually should) be deleted in the normal course of business

• Organizations have wide latitude: Legal standards are reasonableness, proportionality, and good faith

• Recent benchmarking of Global 1000 companies estimated that for corporate information at any given time, 1% is on legal hold, 5% is subject to regulatory retention requirements, and 25% has current business value—this means that approximately 70% of data that organizations are managing and storing, and that is at risk of loss through data breach or other security incident, is unnecessary


Discussion


Questions about Simulation Lessons

• On November 13-14, 2013, the so-called GridEx II exercise tested governmental and industry crisis response plans, and included both cybersecurity and physical security components.

– Are these sorts of exercises helpful? If so, what did you take away from it?

– How do you manage both the low-probability / enormous risks of cybersecurity issues, and the more mundane but significant risks of activist or less-sophisticated hackers?

• The report on the first GridEx exercise noted that "Significant horizontal communication occurs across industry, but vertical information sharing to NERC and government agencies is limited due to concerns about compliance implications." That nicely sums up one of the key information sharing issues that inhibit cybersecurity preparation.

– Has information sharing gotten more or less risky for companies?

– Have the Snowden revelations altered the wisdom of sharing cybersecurity information with the government?

Managing Risk Questions

• Does cybersecurity governance need to fit into an overall information governance strategy?  How are they integrated?

• Businesses must adapt to a rapidly evolving technology environment, but the legal restrictions are developing slowly.  How do you manage this tension?

• How significant a role does insurance play in your management of the cybersecurity threat?

• The SAFETY Act (www.SafetyAct.Gov) was designed to support development and deployment of effective anti-terrorism technologies by designating and certifying Qualified Anti-Terrorism Technologies ("QATTs") that receive important legal liability protections against claims arising out of an act of terrorism. Is that an effective piece of a cybersecurity risk management strategy?

Legal Standards Questions

• We continue to have a regime of multiple state data breach laws with slightly different tests. Are these statutes helpful? Would a preemptive federal test be better?

• Is it better to have multiple, voluntary cybersecurity standards and widespread variation, or would standardization be better?

• The Massachusetts information security regulations take the unique tack of specifying ISO-based minimum measures. Is this helpful because it is definite, or an overly simplistic check-box approach? Which should companies follow?

• Payment card security is almost entirely self-regulatory via the PCI-DSS. Would this approach work for cybersecurity?

• Has the SEC guidance requiring disclosure of material incidents helped to increase the level of cybersecurity?

Future Developments Questions

• Have you altered your approach to privacy / security in light of the coming Internet of Things, such as smart electrical meters? How?

• How should companies factor in these complex cybersecurity issues in moving to the cloud? What do you think are the biggest concerns with cloud computing? Has it made you less likely to move to the cloud?

• What is the top item on your cybersecurity agenda for 2014?

Questions for General Counsels to Ask and a Cybersecurity To-Do List

Cybersecurity Questions GCs Should Ask

• Are we "critical infrastructure" operators?

• Do we have IP assets, trade secrets, account records, consumer data that could be subject to cyber-attack? Could our facilities be misused as part of an attack?

• What past incidents have we experienced? Are our incident response procedures effective and well understood throughout the organization?

• Do we have an up-to-date cybersecurity risk assessment in hand?

• Who is responsible and accountable for cybersecurity, and does he/she have sufficient resources?

• Is the Board of Directors adequately focused on cybersecurity; has it established satisfactory internal controls and governance structures?

More Cybersecurity Questions

• Do we know what existing and prospective laws apply to cybersecurity?

• Are we subject to specific cybersecurity regulation?

• Do we know what our contracts say about cybersecurity; do our existing customer / vendor contracts protect us on cybersecurity? Obligate us?

• Do we have relevant government contracts?

• Do we know the necessary government points of contact? Do we have appropriately cleared persons?

• Who is monitoring NIST developments and best industry practices?

• What do we need to include in our SEC filings on cybersecurity?

More Cybersecurity Questions

• Do we have special international exposure and/or obligations?

• Are we going to participate in the voluntary White House and NIST cybersecurity framework?

• Could the White House cybersecurity "incentives" benefit us? Hurt us?

• Do we have good cybersecurity awareness and personal responsibility throughout our company?

• Do we understand what our legal exposure and potential liability is?

• Have we considered cyber-insurance?

• Are we at risk for FTC "failure to secure" enforcement?

More Cybersecurity Questions

• Do we have an effective information governance function, and are the right stakeholders involved?

• Do our information governance systems effectively mitigate the risk of loss from data breach or other incident?

• Have we considered and addressed defensible disposition of legacy data stores and other sources that have outlived business value and legal and regulatory requirements?

Lawyer To-Do List For Cybersecurity

• Ensuring legal risks are considered in cybersecurity risk assessments

• Oversight and readiness for incident response

– Have you vetted and tested your response ability?

– Are you mitigating risk in the ordinary course through effective information governance?

• Analyzing and explaining the complex legal environment

• Coordination of relationships with government

• Development of standards and internal policies

• Managing protections and obligations in contracts, customer and vendor relationships

• Addressing "Hack Back" options

• Managing legal/reputational issues

– Required disclosures and reporting

– Risks and rewards of cooperation with government

– Privilege and selective waivers

– Securities issues

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.

For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Questions?

Edward McNicholas: 202.736.8010 [email protected]

Jeffrey C. Sharer: 312.853.7028 [email protected]

www.Sidley.com/InfoLaw

This presentation has been prepared by Sidley Austin LLP as of January 2014 for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

BEIJING BOSTON BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

PLEASE JOIN US FOR

January 17, 2014: Information Lifecycle Governance – Minimize Risks & Improve Readiness

All upcoming Ethisphere events can be found at: http://ethisphere.com/events/

THANK YOU