Data Security and Privacy by Contract: Hacking Us All Into Business Associates
Shawn E. Tuma, Scheef & Stone, LLP (@shawnetuma)
Cybersecurity Symposium, October 23, 2015

Uploaded by shawn-tuma on 16-Jan-2017.


Page 1: Data Security and Privacy by Contract: Hacking Us All Into Business Associates, SMU Science & Technology Law Review’s Cybersecurity Symposium (10/23/15)

Data Security and Privacy by Contract: Hacking Us All Into Business Associates

Shawn E. Tuma, Scheef & Stone, LLP
@shawnetuma

Cybersecurity Symposium
October 23, 2015

Page 2

Page 3

- Breach impacting 110 million customers
- $262 million in expenses for 2013 and 2014
- Offer “free” identity theft and credit monitoring to all affected customers
- Net earnings down 34.28%
- Earnings per share down 44.60%
- Non-cash losses up 487.71%
- US sales down 6.60%
- Lawsuits, possible enforcement actions, who knows?

Page 4

Have you ever heard of …

Page 5

www.solidcounsel.com

Ancient Cybersecurity Wisdom

“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”

“You can be sure of succeeding in your attacks if you attack places which are not defended.”

Page 6

Regulatory Response

Page 7

Regulatory Response – SEC

January 2014: SEC indicates companies need P&P (policies and procedures) for:

1. Prevention, detection, and response to cyber attacks and data breaches,

2. IT training focused on security, and

3. Vendor access to company systems and vendor due diligence.

Page 8

Regulatory Response – SEC

April 15, 2014 – Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative:

- Examine 50 registered broker-dealers and registered investment advisors.
- 7-page sample cybersecurity document request. Many 3rd parties.

Page 9

Regulatory Response – SEC

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

R.T. Jones violated this “safeguards rule”: 100,000 records (no reports of harm), $75,000 penalty.

Page 10

Regulatory Response – FTC

The FTC’s Order requires businesses to follow 3 steps when contracting with 3rd party service providers. In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014):

1. Investigate before hiring data service providers.

2. Obligate their data service providers to adhere to the appropriate level of data security protections.

3. Verify that the data service providers are complying with obligations (contracts).

Page 11

Regulatory & Administrative

The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act, and companies have fair notice that their specific cybersecurity practices could fall short of that provision. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

Page 12

The Contract

Page 13

Addendum to Business Contracts

Many names, similar features:

- Defines the “Data” being protected, in categories.
- Describes acceptable and prohibited uses.
- Describes standards for protecting the data.
- Describes requirements for returning/deleting the data.
- Describes obligations if a breach occurs.
- Allocates responsibility if a breach occurs.
- Requires binding third parties to similar contractual obligations.

Page 14

“Business Associates”?