
Page 1: Data Security Compliance and Responding To a Data Breach: Lessons for Corporate Counsel After Equifax

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, JANUARY 23, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
• Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
• Brent E. Kidwell, Partner, Jenner & Block, Chicago

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

Page 2: Tips for Optimal Quality (FOR LIVE EVENT ONLY)

Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.
If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Page 3: Continuing Education Credits (FOR LIVE EVENT ONLY)

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

Page 4: Program Materials (FOR LIVE EVENT ONLY)

If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

Page 5: Agenda

I. The Big Picture
  A. Breaches’ Prevalence
  B. Liability Risks & Data Leakage – Big 3
  C. Modern Threats
II. U.S. & International Law – Overview
  A. Different Premises in U.S. & EU
  B. Scattershot U.S. Privacy Protections
  C. Potential Liability for Data Breaches
  D. International Law – Summary
  E. Contracts’ Ability to Reallocate Risks

Page 6: Agenda (cont’d)

III. Proactive Prevention
  Introduction
  A. Data Protection Overview
  B. Protecting Data at Rest & in Transit
  C. 10 Specific Steps
IV. Reactive Remedies / Incident Response
  • TOP Ten
Q&A / Conclusion

Page 7: I. The Big Picture – A. Breaches’ Prevalence

• Should only retailers be worried? NO
• 1/1/05 to 12/28/17:
  • > 7,800 breaches; > 10 Billion records
  • E.g. Yahoo!, Anthem, Target, Verizon & Neiman
• 2017 alone:
  • 550 breaches; ≈ 2 Billion records
  • E.g. Equifax, T-Mobile, Dun & Bradstreet, Arby’s, Boeing, Stanford U., Oklahoma HHS & UNC Health Care Systems
• . . . per Privacy Rights Clearinghouse, DATA BREACHES (last visited 1/18/18) (searchable/filterable)

Page 8: I. The Big Picture – A. Breaches’ Prevalence

• Cyber Crime Costs in FY ’16 (237 cos. surveyed across 8 countries):
  • $17.36M average in US alone
  • 2 largest costs (on average):
    • information loss: 39 percent
    • business disruption: 36 percent
• . . . per Ponemon Inst. o/b/o HP Enterprise Security, 2016 Cost of Cyber Crime Study (2016)

Page 9: I. The Big Picture – B. Leakage Risks – Big 3

1. Intentionally Harmful Intentional Disclosures
2. Inadvertently Harmful Intentional Disclosures (“Netiquette”; Loose Lips; Social-Media; Sock-Puppeting; P2P)
3. Unintentional Losses of Sensitive Info. = primary focus here

Page 11: I. The Big Picture – C. Modern Threats

• Phishing:
  • W-2 Scam
    Adapted from screenshot at <http://www.linkstechnology.com/blog/its-baaack-the-form-w-2-email-scam>
  • IRS warning (1/25/17)
  • Cinthia Motley, 10 Ways to Avoid W-2 Phishing Schemes (LTN 3/20/17) (including “Pick up the phone”)

Page 12: I. The Big Picture – C. Modern Threats

• Phishing – Training:
  • When in doubt:
    • do not click on a link or open an attachment; and
    • forward the message as an attachment to InfoSec or IT department
  • If you are suspicious about the purported sender:
    • place a call to (or meet with) purported sender to confirm message is legit

Page 13: I. The Big Picture – A. Default in U.S. & EU

• U.S. Perspective
  • Data presumptively not protected unless rendered otherwise by specific rule of law
  • Many rules are sector-based
• EU Perspective
  • Data presumptively “personal” and thus private, even in employer/employee setting . . .

Page 14: II. U.S. & International Law – B. Scattershot U.S. Laws

• Federal law sector examples:
  • Health/medical = HIPAA (60 days notice)
    • covered entities and business associates
    • HITECH Act expansion Jan. ’09
    • HHS Final Regs. Sep. ’13
  • Financial services = Gramm-Leach-Bliley
  • Consumer credit reports, etc. = FCRA/FACTA

Page 15: II. U.S. & International Law – B. U.S. Rules

• Potential Liability
  • consumer and/or employee class actions re: PII (PHI)
  • corporate customer suits
  • shareholder derivative suits
  • bad press and/or blog buzz
  • reputational hit

Page 16: II. U.S. & International Law – B. Notice-of-Breach Laws

• Specific combo of elements – expanded in, e.g., California multiple times in Civ. Code § 1798.82 et al. . . .
• Trigger usually automatic (as in Cal.) rather than risk-based
• Notice requirements
  • If > X no. of people affected, tell AG
  • Might have to describe circumstances

Page 17: II. U.S. & International Law – B. Health Info (PHI)

• Protecting Individuals’ PHI
  • HIPAA Final HHS Regs (9/23/13)
  • HHS active under HIPAA
  • > 10 states:
    • AR, CA, FL, MO, ND, NV, TX, VA
    • WY (state agencies only)
    • CT (regs.) & NJ re: insurers

Page 18: II. U.S. & International Law – B. U.S. Rules

• Potential Liability
  • Difficulty in proving “injury” (damages):
    • Even CFAA claim in suit against hacker
      • “loss” hard to show
      • remediation and down-time?
  • “Standing” (“Injury”) difficult to show based on mere concern data will be used:
    • trade secrets damages theory
    • identity-theft theory, including theft decisions re: Cal. Medical Info. Act (CMIA) – Cal. Civ. Code 56.36 . . .

Page 19: II. U.S. & International Law – B. U.S. Rules

• Newer Case Law:
  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury must be concrete and not “abstract” to satisfy U.S. Const. Article III, but intangible injuries can be concrete)
  • Post-Spokeo (examples) . . .
    • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2/6/17) (allegations of increased risk of identity theft: NOT substantial risk of harm)

Page 20: II. U.S. & International Law – C. Typical Breach Exposure Items

• Aside from viability of legal theories, custom and usage has been . . .
  • Potential monetary liability for breach of unsecured personally identifiable information (PII) estimated at $221 per affected person
    • Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC (June 2016)
• Data breach cost calculators:
  • <http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/>
  • <http://cyberscout.com/expensecalc/start.aspx>
  • <https://eriskhub.com/mini-dbcc>

Page 21: II. U.S. & International Law – C. Typical Breach Exposure

• Custom/usage
• Sample set of expense items (from here)
  • Internal Investigation
    • Cybercrime consulting
    • Attorney Fees
  • Notification/Crisis Management
    • Customer notification
    • Call center support
    • Crisis management consulting
  • Regulatory/Compliance
    • Credit monitoring for affected customers
    • Regulatory investigation defense
    • State/Federal fines or fees

Page 22: II. U.S. & International Law – D. International Summary

• Privacy protected more, e.g.:
  • Europe:
    • EU: France/Germany/Italy
    • UK (post-Brexit)
  • Elsewhere:
    • Brazil
      • Constitution
      • “Marco Civil”
    • Israel

Page 23: II. U.S. & International Law – D. Laws Overseas

• DATA-BREACH NOTIFICATION LAWS
  • less diffused, broader in scope & often shorter/clearer deadlines than U.S. . . . e.g.
    • Australia (Feb. ’18)
    • Canada
    • India
    • Israel (Mar. ’18)
    • Mexico
    • South Korea

Page 24: II. U.S. & International Law – D. EU Data Directive Compliance

• EU, Directive 95/46/EC (1995)
  • PLUS laws of individual EU countries
  • BROAD definitions of “personal data,” “processing” and “transfer”
• Being replaced 5/25/18 by General Data Protection Regulation (GDPR)
  • Stricter
  • Penalties tied to worldwide revenue
  • Notice of breach – timing, etc.
  • Consent rules

Page 25: II. U.S. & International Law – D. EU Data Transfers

• EU-U.S. Safe Harbor now replaced by the EU-U.S. Privacy Shield Framework (same re: Swiss-U.S. . . . )
• Must:
  • Provide free & accessible dispute resolution
  • Cooperate with Department of Commerce
  • Ensure accountability for data transferred to third parties (whether controllers or agents)

Page 26: II. U.S. & International Law – E. Contracts’ Ability to Reallocate Risk

• Defaults may be changeable based on:
  • Relative sizes and bargaining power
  • Industry of prospective customer
  • Location of data (who stores/hosts it)

Page 27: III. Proactive Prevention – Introduction

Divide the Universe, e.g., into:
1. Policies/practices applicable to all information, including PII
2. Policies/practices applicable to personal information as to non-employee individuals
3. Policies/practices applicable to PII collected from employees
4. Data storage contracts with third-party hosts (Cloud, etc.)

Page 29: III. Proactive Prevention – A. Data Protection Overview – Strategy

Four pillars (laid out as a grid on the slide): People | Process | Policy | Technology

Page 30: III. Proactive Prevention – A. Data Protection – People

• Executive leadership – security as an organizational priority
• Identified personnel with specific roles, accountability and responsibility
• Cross-disciplinary security or “information governance” teams provide better vision into data/security protection (and instill organizational ownership of security)
• Improve communication and training about security with all personnel
  • Human vectors continue to be key security exploit route
  • See, e.g., RSA breach resulting from phishing

Page 31: III. Proactive Prevention – A. Data Protection – Process

• Plan and document security procedures; for example:
  • Identify the location and content of your data assets, specifically PII or other “sensitive” collections
  • Routinize security assessments conducted by internal and external experts
  • Employ incident response drills and training
  • Develop procedures for the ingestion, storage, security and destruction of data

Page 32: III. Proactive Prevention – A. Data Protection – Policies

• Organizational security/data protection policies:
  • General security, confidentiality, acceptable use and information governance policies
  • Special policies may be required for special data (e.g., HIPAA/PHI)
  • Incident response and breach notification policies
  • Records and information retention policies should be evaluated to minimize retention of risky data
• Establish a regular policy review cycle
• Enforcement and consistent application of policies
• Consider certifications, such as ISO 27001

Page 33: III. Proactive Prevention – A. Data Protection – Technology

• Security of Existing Technology Base
  • Periodic re-examination of security posture of existing systems recommended
  • Cloud-based systems require contractual protections and due diligence
• Specialized Security/Data Protection Tools
  • Technology is not a security “silver bullet”
  • Even the best technology requires trained personnel to monitor, analyze and address identified anomalies
  • More on this later . . . .

Page 34: III. Proactive Prevention – B. Protecting Data at Rest & in Transit – at Rest I

• Perimeter Defenses (Incoming & Outgoing)
  • Firewall
  • IDS/IPS
  • Multi-Factor Authentication
  • Malware Filtering
  • Data Loss Prevention (DLP)
  • Advanced endpoint protection
• Access Rights – “Need to Know” – See below
• Electronic data destruction (anything with storage)

Page 35: III. Proactive Prevention – B. Protecting Data at Rest II

• Logging and Analysis of Security Events
  • Security Information and Event Management (SIEM)
  • Provides analytical view into organizational security using a longer-term baseline for anomaly identification
• Don’t Forget Paper Documents
  • Appropriate destruction – shredding, PII bins, etc.
  • Clean desk policies
  • Locked offices, drawers and cabinets
• Physical Security
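The SIEM bullet above describes a longer-term baseline used to spot anomalies. The following Python is an added example written for this page, not code from the webinar or from any SIEM product: it parses a constructed syslog-style authentication log, builds a 14-day per-user baseline of failed logins, and flags any user whose count today exceeds max(floor, mean + 3·stdev) of their own history. The log format, user names, daily counts and the 3-sigma/floor rule are all the example's own choices.

```python
"""Baseline-driven anomaly detection over authentication logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Constructed syslog-style line format, e.g.:
#   2018-01-22T08:15:00Z auth: FAILED login user=alice src=10.0.0.7
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth: (?P<result>FAILED|OK) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed daily failed-login counts per user: 14 baseline days, then "today".
BASELINE_DAYS = 14
TODAY = date(2018, 1, 23)
DAILY_FAILURES = {
    "alice": [1, 2, 1, 3, 2, 1, 2, 1, 2, 3, 1, 2, 2, 1] + [40],  # spike on the last day
    "bob":   [1, 2, 1, 3, 2, 1, 2, 1, 2, 3, 1, 2, 2, 1] + [3],   # normal day
    "carol": [0] * BASELINE_DAYS + [2],                          # new account, quiet history
}


def build_sample_log():
    """Render the constructed counts as log lines (oldest day first)."""
    lines = []
    start = TODAY - timedelta(days=BASELINE_DAYS)
    for user, counts in DAILY_FAILURES.items():
        for offset, n in enumerate(counts):
            day = start + timedelta(days=offset)
            for i in range(n):
                lines.append(f"{day.isoformat()}T08:{i % 60:02d}:00Z auth: FAILED login "
                             f"user={user} src=10.0.0.{(i % 250) + 1}")
    return lines


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "day": date.fromisoformat(m.group("day"))}


def failed_logins_per_user_day(events):
    """Aggregate FAILED events into {user: {day: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["result"] == "FAILED":
            counts[ev["user"]][ev["day"]] += 1
    return counts


def anomalies(counts, today=TODAY, baseline_days=BASELINE_DAYS, z=3.0, floor=5):
    """Flag users whose failed logins today exceed max(floor, mean + z*stdev)
    of their own prior baseline_days. The floor keeps a user with a quiet
    baseline (or no history at all) from being flagged by a couple of typos."""
    flagged = {}
    window = [today - timedelta(days=d) for d in range(1, baseline_days + 1)]
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in window]
        threshold = max(floor, statistics.fmean(history) + z * statistics.pstdev(history))
        today_count = per_day.get(today, 0)
        if today_count > threshold:
            flagged[user] = {"today": today_count, "threshold": round(threshold, 2)}
    return flagged


def run_detection(lines=None):
    """Parse, aggregate and evaluate; returns {user: {today, threshold}} for alerts."""
    lines = build_sample_log() if lines is None else lines
    return anomalies(failed_logins_per_user_day(parse(lines)))


if __name__ == "__main__":
    for user, info in run_detection().items():
        print(f"ALERT {user}: {info['today']} failed logins today "
              f"(baseline threshold {info['threshold']})")
```

Only alice is flagged: her 14-day history averages under two failures a day, so 40 is far outside it, while bob's 3 sits inside his baseline and carol's 2 stays under the floor. A production rule would add a per-source-IP view and tune z and floor per environment.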

Page 36: III. Proactive Prevention – B. Protecting Data in Motion I

• Laptops (endpoints)
  • AV/Malware Detection
  • Firewall
  • Data Encryption (FDE)
  • Passwords, screensavers, etc.
  • BYOD Issues
  • Endpoint protection
• Storage Devices/Tools
  • Encryption – flash drives, DVDs, etc.
  • Restrictions on use of cloud storage services (Dropbox, etc.)

Page 37: III. Proactive Prevention – B. Protecting Data in Motion II

• Handheld Devices
  • Encryption
  • Remote Wiping
  • Mobile Device Management (e.g., MobileIron, AirWatch)
  • BYOD Issues
• Backup Tapes
• Email encryption
• Metadata Scrubbing Tools
• Proper Redaction Tools/Methods

Page 38: III. Proactive Prevention – C. 10 Specific Steps – 1. Policies

• Train managers and staff about access, nondisclosure and safeguarding
• Review pertinent segments of employee policies, e.g.:
  • Code of Conduct
  • Confidentiality Policy
  • Technology Acceptable Use
  • Privacy (No Expectation of Privacy?)
  • Social media policies
  • BYOD (Mobile Devices)
  • Separating / off-boarding employee procedures (related checklist(s) from IT, HR, etc.)

Page 39: III. Proactive Prevention – C. Steps – 2. Training

• [Spear-]Phishing & Ransomware
  • Use tests (Wombat, etc.)
  • Capture metrics
  • Encourage vigilance

Page 40: III. Proactive Prevention – C. Steps – 3. Passwords

• Passwords
  • Lockout . . . No sharing . . .
  • Two-factor authentication
• Common password practices:
  • Minimum 8 (or 12) characters, complex
  • Reuse restriction
  • 90-day expiration
• But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin
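The slide lists the legacy "complexity plus 90-day expiry" practice and points to NIST SP 800-63 as the newer view. The Python below is an added example, not code from the webinar: it implements both policies side by side so the difference is visible on concrete inputs. The blocklist is a constructed stand-in for a real breached-password corpus; the 8-character minimum, blocklist and context checks, absence of composition rules, and rotate-only-on-compromise rule follow NIST SP 800-63B section 5.1.1.2.

```python
"""Legacy password rules vs. NIST SP 800-63B rules (added example)."""
import string

# Constructed sample; production checks use a breach-derived corpus with
# millions of entries (for example via the HIBP k-anonymity range API).
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd!", "welcome1!", "winter2018!", "letmein",
}


def legacy_policy_ok(pw):
    """The 'common practice' on the slide: 8+ characters drawn from three of
    four character classes. No blocklist, so a well-known 'P@ssw0rd!' passes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


def _is_sequential(pw):
    """True for runs like 'abcdefgh' or '12345678' (each char is +1 or -1 of the last)."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def nist_policy_problems(pw, username="", service="", blocklist=COMMON_PASSWORDS):
    """Return the reasons a memorized secret is unacceptable under SP 800-63B;
    an empty list means acceptable. Length and blocklist matter, composition
    rules do not, so a long all-lowercase passphrase is fine."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    low = pw.lower()
    if low in blocklist:
        problems.append("appears in breached/common-password list")
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and ctx.lower() in low:
            problems.append(f"contains the {label}")
    if len(pw) > 1 and len(set(pw)) == 1:
        problems.append("single repeated character")
    if _is_sequential(pw):
        problems.append("sequential characters")
    return problems


def rotation_required(age_days, compromise_suspected, legacy=False, max_age_days=90):
    """Legacy rule: rotate every 90 days regardless. NIST rule: rotate only
    when there is evidence or suspicion of compromise."""
    if legacy:
        return age_days >= max_age_days or compromise_suspected
    return compromise_suspected


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "correct horse battery staple", "12345678"):
        print(f"{candidate!r}: legacy_ok={legacy_policy_ok(candidate)} "
              f"nist_problems={nist_policy_problems(candidate, username='jdoe')}")
```

Run it and the contrast is the point: "P@ssw0rd!" satisfies every legacy class rule yet is rejected by the blocklist, while "correct horse battery staple" fails legacy complexity but is acceptable under the NIST rules.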

Page 41: III. Proactive Prevention – C. Steps – 4. Access – RBAC

• “Least Privileged Access” approach [“role-based access control (RBAC)”]
  • Data and physical
  • Ideal default is “deny all” – i.e., cannot gain access unless affirmative need shown; and specifically authorized
  • For lawyers: “‘Need to Know’ Security” (LTN 4/24/17) (LEXIS login/password needed)
• Central vs. Local Storage
• Digital Rights Management (DRM)?
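To show what the "deny all" default on this slide means in code, here is an added Python example (not code from the webinar): an authorizer that permits an action only when some role held by the principal explicitly grants that (resource, action) pair, and that records every decision so denials can be fed to the SIEM. The roles, resources, actions and user names are constructed for the example.

```python
"""Deny-by-default, role-based authorization with an audit trail (added example)."""
from dataclasses import dataclass, field

# Explicit grants only: (resource, action) pairs per role. A role that is not
# listed, or a pair that is not listed, yields no access.
ROLE_GRANTS = {
    "hr_analyst": {("employee_pii", "read")},
    "hr_manager": {("employee_pii", "read"), ("employee_pii", "update")},
    "helpdesk": {("ticket", "read"), ("ticket", "update")},
    "dlp_reviewer": {("audit_log", "read")},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Authorizer:
    grants: dict
    audit_log: list = field(default_factory=list)

    def is_authorized(self, who, resource, action):
        """True only if some role held by `who` explicitly grants (resource, action)."""
        return any(
            (resource, action) in self.grants.get(role, frozenset())
            for role in who.roles
        )

    def check(self, who, resource, action):
        """Enforce the decision and record it; denials are the events worth alerting on."""
        allowed = self.is_authorized(who, resource, action)
        self.audit_log.append(
            {"who": who.name, "resource": resource, "action": action,
             "decision": "ALLOW" if allowed else "DENY"}
        )
        if not allowed:
            raise PermissionError(f"{who.name} may not {action} {resource}")
        return True

    def denials(self):
        return [e for e in self.audit_log if e["decision"] == "DENY"]


def demo():
    """Run a few constructed requests; returns (decisions, number of denials)."""
    authz = Authorizer(ROLE_GRANTS)
    analyst = Principal("alice", frozenset({"hr_analyst"}))
    contractor = Principal("carol", frozenset({"contractor"}))  # role with no grants
    requests = [
        (analyst, "employee_pii", "read"),      # within her role: allowed
        (analyst, "employee_pii", "update"),    # beyond her role: denied
        (contractor, "employee_pii", "read"),   # unknown role: denied by default
    ]
    decisions = []
    for who, res, act in requests:
        try:
            authz.check(who, res, act)
            decisions.append("ALLOW")
        except PermissionError:
            decisions.append("DENY")
    return decisions, len(authz.denials())


if __name__ == "__main__":
    print(demo())
```

Note that the unknown role "contractor" needs no special handling: because nothing grants it anything, the lookup simply finds no match and the request falls through to deny.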

Page 42: III. Proactive Prevention – C. Steps – 5. Encryption of ESI

• Especially PII & Mobile Data
• At rest and in transit . . .
  • Email – TLS
    • Forced
    • Opportunistic
  • Laptops
    • BitLocker
    • FileVault

Page 43: III. Proactive Prevention – C(5). Encryption of ESI

1. Website & Extranet Servers (> SSL)
2. Virtual Private Network (VPN) Software
3. Cloud: Secure file transfer protocol (.ftp) sites (Citrix ShareFile; and OneHub, e.g.)
4. Email Messages and Attachments [Transport Layer Security (TLS)]
5. End-user devices
  • Desktop PCs and Laptops
  • Tablets and Smartphones
  • Mobile Devices and Portable Media

Page 44: III. Proactive Prevention – C. Steps – 6. Commuting / Travel

• Use privacy screen/filter
• Security When Traveling
  • Avoid using shared computers in cyber cafes, public areas or hotel business centers
  • If must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)
  • Avoid public hotspots unless use, e.g., iPass
  • Borrow/buy MiFi device?
  • Do not use devices belonging to other travelers, colleagues or friends

Page 45: III. Proactive Prevention – C(6). Commuting / Travel

• International Travel Tips:
  • Recommended: change passwords before going abroad and again upon return
  • Do not take regular laptop, tablet or phone to China
    • Potentially same re: EU travels
  • Avoid sending sensitive email messages
  • Beware: U.S. Customs & Border Protection has increased scrutiny of laptops, devices, etc.

Page 46: III. Proactive Prevention – C(6). Commuting / Travel

• Upon returning to the States, CBP asking for passwords, including to social-media
  • Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)
  • Sen. Ron Wyden (OR), letter to then HHS Secretary Kelly (2/20/17)
• Assert attorney-client privilege (or another basis for confidentiality such as privacy?)
  • But don’t go so far as to get detained?
• Recent guidance from CBP: www.cbp.gov/sites/default/files/assets/documents/...

Page 47: III. Proactive Prevention – C. Steps – 7. Metadata

• Metadata and Redactions
  • Metadata – Goalkeeper Prompts in Workshare Protect – Example . . .

Page 48: III. Proactive Prevention – C(7). Metadata

• Metadata and Redactions
  • Workshare settings (incl. re: .pdf’s)
• Redactions
  • Do use Adobe Acrobat Pro
  • Don’ts:
    • Word: borders/shading or highlighter
    • Acrobat: text box or shapes-drawing tool
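Slides 47 and 48 treat document metadata as a leakage channel handled by a scrubbing tool. The Python below is an added example written for this page; it is not code from the webinar and does not reproduce Workshare's behaviour. It assembles a minimal .docx-shaped zip in memory (constructed core properties plus stub body and comments parts) so it runs offline, reports the identifying properties and whether a comments part is present, and writes a scrubbed copy. The same two functions work on the bytes of a real file.

```python
"""Inspect and scrub Office Open XML (.docx) document properties (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the usual prefixes on re-serialization

# Properties that identify people or reveal editing history.
SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "cp:revision", "dc:description"]
CORE_PATH = "docProps/core.xml"
COMMENTS_PATH = "word/comments.xml"

# Constructed core-properties part (the values are invented for the example).
CONSTRUCTED_CORE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
<dc:title>Draft settlement terms</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>Partner Name</cp:lastModifiedBy>
<cp:revision>17</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2018-01-10T09:00:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)


def build_sample_docx():
    """Assemble a minimal .docx-shaped zip (constructed stub, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE_PATH, CONSTRUCTED_CORE)
        z.writestr("word/document.xml", "<document/>")
        z.writestr(COMMENTS_PATH, "<comments/>")  # reviewer comments travel with the file
    return buf.getvalue()


def _qname(tag):
    prefix, local = tag.split(":")
    return f"{{{NS[prefix]}}}{local}"


def inspect_metadata(docx_bytes):
    """Return the title, the sensitive core properties, and whether comments exist."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(CORE_PATH))
        report = {tag: (root.findtext(_qname(tag)) or "") for tag in SENSITIVE}
        report["dc:title"] = root.findtext(_qname("dc:title")) or ""
        report["has_comments"] = COMMENTS_PATH in z.namelist()
    return report


def scrub(docx_bytes, drop_comments=True):
    """Blank the sensitive properties and optionally drop the comments part,
    copying every other zip entry through unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == CORE_PATH:
                root = ET.fromstring(data)
                for tag in SENSITIVE:
                    el = root.find(_qname(tag))
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            elif name == COMMENTS_PATH and drop_comments:
                continue
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", inspect_metadata(original))
    print("after: ", inspect_metadata(scrub(original)))
```

The title is deliberately kept while author, last editor, revision count and description are blanked; a real deployment would extend SENSITIVE to docProps/app.xml fields (company, total editing time) and to tracked changes in the body.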

Page 49: III. Proactive Prevention – C. Steps – 8. Netiquette

• Social Media
• Bcc’s
• Emails to “All” (companywide)
• Auto-complete
• Reply All

Page 50: III. Proactive Prevention – C. Steps – 9. Network Monitoring & Pen Tests

• Firewall
• Anti-Virus/Malware (incl. macros)/Spyware
• Vulnerability Assessment / remediation
• Spam filtering plus phishing protection (e.g., Proofpoint / Mimecast, including URL defense)
• Periodic vulnerability assessments and PENetration tests by independent consultant

Page 51: III. Proactive Prevention – C. Steps – 10. Cyber-Insurance

• First Party Coverage?
• Third Party Coverage (clients, vendors, employees, etc.)?
• Covered by Prop. Ins. Policy? CGL Policy?
• Covered by D&O and/or E&O? Crimes?
• If not, get separate/special coverage?
• Get phishing endorsement?
• Depends at least in part on:
  • Industry
  • Data types and volumes

Page 52: IV. Reactive Remediation – Incident Response

FOLLOW PROCESS . . .
• Documented response plan / procedures
• Document protocols / checklists
• Internal team leaders/members identified and trained (e.g. InfoSec, Legal & Public Relations)
• Outside contacts listed, e.g., Information-Security consulting firm, Counsel, law enforcement & Insurance carrier
• Training – tabletop exercises, etc.

Page 53: IV. Incident Response – 10. Big-Picture Process

• Categories defined?
• Data- and machine-handling protocol
• Workflow/Communication chart re:
  • Discover / Assess / Contain
  • Remediate / Close / Mitigate

Page 54: IV. TOP TEN TIPS

FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: info.?
8. Encrypted?
7. If encrypted, key compromised?

Page 55: IV. TOP TEN TIPS

GET YOUR BEARINGS . . .
6. If a contractual relationship:
  • Look at the contract
  • Decide if will try to negotiate re: notice
5. If law enforcement is involved, open a dialogue
4. See if, under strictest statute, notice trigger(s) have kicked in

Page 56: IV. TOP TEN TIPS

TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If MUST give notice, address required:
  • Method and Contents
    • E.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
  • Recipients (might include an AG, e.g.)
  • Timing (might be OK, under law, to delay)
2. If COULD give notice, discuss customer relations with C level
1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)
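Tips 9 through 1 on the three slides above form one intake-and-decision procedure. The Python below is an added example (not code from the webinar, and not any firm's legal logic) that encodes that procedure as a triage helper for counsel: it takes the fact-intake answers (tips 9, 8, 7), the contractual and law-enforcement facts (tips 6, 5), checks the triggers under a statute table and picks the strictest deadline (tip 4), and lists the notice items to address (tip 3). The statute table is constructed: HIPAA's 60-day period comes from slide 14, while the attorney-general threshold X and the "none" state deadline are placeholders to be replaced with the statute text actually being applied.

```python
"""Breach-notice triage following the deck's 'top ten tips' (added example)."""
from dataclasses import dataclass
from typing import Optional

# PLACEHOLDER: slide 16 says "if > X people affected, tell AG"; substitute the
# real statutory figure for each jurisdiction.
X_AG_THRESHOLD = 500

# Constructed statute table. deadline_days=None means "without unreasonable
# delay" (look up the statute); the regulator names are example assumptions.
STATUTES = {
    "HIPAA": {"covers": {"PHI"}, "deadline_days": 60,   # 60 days, per slide 14
              "regulator": "HHS", "regulator_threshold": 0},
    "CA":    {"covers": {"PII", "PHI"}, "deadline_days": None,
              "regulator": "CA AG", "regulator_threshold": X_AG_THRESHOLD},
}


@dataclass
class Incident:
    data_types: set                         # tip 9: what, e.g. {"PII"} or {"PHI"}
    encrypted: bool                         # tip 8
    key_compromised: bool                   # tip 7
    affected_by_jurisdiction: dict          # tip 9: where/who, e.g. {"CA": 1200}
    contract_notice_days: Optional[int] = None   # tip 6: contractual notice clause
    law_enforcement_involved: bool = False       # tip 5


def data_is_unsecured(inc):
    """Tips 8 and 7: encrypted data whose key is intact is not 'unsecured'."""
    return not inc.encrypted or inc.key_compromised


def assess_notice(inc, statutes=STATUTES):
    """Return triggers, regulators, strictest deadline and the next actions."""
    result = {"must_notify": False, "triggers": [], "regulators": [],
              "strictest_deadline_days": None, "actions": []}
    if inc.law_enforcement_involved:
        result["actions"].append("open a dialogue with law enforcement before notifying (tip 5)")
    if inc.contract_notice_days is not None:
        result["actions"].append(
            f"contract requires notice within {inc.contract_notice_days} days; "
            "decide whether to negotiate (tip 6)")
    if not data_is_unsecured(inc):
        result["actions"].append(
            "data encrypted and key intact: statutory triggers not met; document the analysis")
        return result
    deadlines = []
    for name, s in statutes.items():                 # tip 4: every applicable statute
        affected = inc.affected_by_jurisdiction.get(name, 0)
        if affected and inc.data_types & s["covers"]:
            result["triggers"].append(name)
            if s["deadline_days"] is not None:
                deadlines.append(s["deadline_days"])
            if affected > s["regulator_threshold"]:
                result["regulators"].append(s["regulator"])
    if inc.contract_notice_days is not None:
        deadlines.append(inc.contract_notice_days)
    result["must_notify"] = bool(result["triggers"])
    result["strictest_deadline_days"] = min(deadlines) if deadlines else None
    if result["must_notify"]:
        result["actions"].append(
            "address method, contents, recipients and timing of notice (tip 3)")
    return result


if __name__ == "__main__":
    phi_breach = Incident({"PHI"}, encrypted=False, key_compromised=False,
                          affected_by_jurisdiction={"CA": 1200, "HIPAA": 1200},
                          contract_notice_days=30, law_enforcement_involved=True)
    for k, v in assess_notice(phi_breach).items():
        print(f"{k}: {v}")
```

The helper is a checklist, not a legal conclusion: its output tells counsel which statutes and contracts to read and which deadline binds first, and the encrypted-with-intact-key branch records why no trigger was met rather than silently returning nothing.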

Page 57: Q&A / Conclusion / Resources . . .

Robert D. Brownstone, Esq.
Fenwick & West LLP
<[email protected]>
<tinyurl.com/Bob-Brownstone-Bio>
<www.ITLawToday.com>

Brent E. Kidwell, Esq.
Jenner & Block
<[email protected]>
<www.jenner.com/people/BrentKidwell>