Avoiding Legal Landmines Forging a Partnership Between IT and Legal
Agenda Legal Landscape Incident Response and Recovery Leaning on Legal Communicating Risk to Executives Best Practice Recommendations
Legal Landscape
Snapshot of the Average Breach U.S. Average Cost Per Record: $145 U.S. Average Per Organization: $3.8M DOESN’T INCLUDE: Costs associated with reputational damage, business distractions, law suits and fines GLOBAL ROOT CAUSE STATS
Indirect Costs Add Up New Precedent: Banks Suing To Recoup Admin Costs Target card replacement = $400 million Secret Service estimates 1,000 merchants have had similar breaches. -- New York Times Source: 2014 Cost of a Data Breach Study, Ponemon Institute Average Notifications Cost Average Lost Business Cost
Economic Impact of IP Theft Annual Losses Exceeding $300 BILLION “The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope.” “the greatest transfer of wealth in history.” – General Keith Alexander, Commander of the U.S. Cyber Command and Director of the National Security Agency Costing millions of U.S. Jobs “If IP were to receive the same protection overseas that it does here, the American economy would add millions of jobs.” Inhibits U.S. GDP growth. “Better protection of IP would encourage significantly more R&D investment and economic growth.” Discourages Innovation “The incentive to innovate drives productivity growth and the advancements that improve the quality of life. The threat of IP theft diminishes that incentive.” Source: IP Commission Report
US Regulators SEC OCC FRB CFPB FTC DOJ HHS/OCR State AGs PCI Council US Regulations/Standards HIPAA GLBA FTC ACT (Section 5) COPPA/CAN-SPAM CISA PCI DSS Alphabet Soup
Common causes of action Negligence Breach of contract Breach of fiduciary duty Invasion of privacy Consumer fraud and deceptive business practices Violation of numerous state and federal statutes Common theories of damages Fraudulent charges Credit monitoring fees Identity theft Lost wages Damaged credit scores Anxiety over financial well-being Losses by financial institutions (replacing debit/credit cards, closing accounts, reversing fraudulent charges, lost interest/transaction fees) Legal Liability Theories
IR and Managing Risk at Point of Impact
The Point of Impact RISK = THREAT X VULNERABILITY X IMPACT Most companies are disproportionately invested in managing vulnerabilities – A FAILED MODEL Shifting focus to impact management is most cost effective way to reduce risk BUT, it isn’t easy
IT Speed of detection Effectiveness of IR Network segmentation Strict access controls Data minimization DLP program Anomaly detection and user behavior analytics Logging and event correlation Threat hunting Legal Well defined roll for legal in IR Identify relevant regulators Understand contractual obligations Established Internal and external crisis communications strategies Legal hold program – preserve relevant evidence immediately Tight policies and procedures Tight vendor management program Insurance Impact Control
What Every Regulator Wants to Know (and is NOT afraid to ask) How did it happen? When did you know? How did you respond? What was exposed (and how do you know)? Were you on notice of the risk and what measures were in place to prevent breach? How will you mitigate damage to affected parties?
Leaning on Legal
Lean on Legal Apply privilege protection to IR/RA activities Advise on legal risks of investigative steps Anticipate legal and business impact of incidents Engage external resources to assist in IR/RA Help articulate risk and impact 14
Law-Talking DEFENSIBLE DISCOVERABLE ATTORNEY-CLIENT PRIVILEGE/ATTORNEY WORK PRODUCT
DEFENSIBLE Wyndham’s Alleged Failures (abridged version): – Allowing vulnerability to SQL injection and XSS attacks – Lack of encryption of data at rest – Failure to test security of processes – Failure to remedy known vulnerabilities – Failure to implement detection of unauthorized access – Lack of data minimization and access controls – Failure to train employees on security – Failure to manage third-party access – Failure to securely dispose of data – Failure to set up system of public feedback for vulnerabilities – Poor username/password protocol
FTC v. Wyndham Settlement No fine No admission of wrongdoing Must establish “comprehensive information security program” and conduct annual audits for 20 years Annual independent PCI DSS audits with “additional components” focused on franchise risks
DISCOVERABLE FRCP Rule 26(b)(1) “Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case...”
DISCOVERABLE
Attorney Client Privilege protects communications between a lawyer and the lawyer’s client regarding a need for legal advice – Does not apply if lawyer is acting in business capacity – Easy to inadvertently waive Attorney Work Product protects reports, summaries, findings prepared at direction of counsel – Better protection when outside counsel is engaged – Cannot be used to withhold facts ATTORNEY-CLIENT PRIVILEGE/WORK PRODUCT
Communicating Risk
The Nerd Alliance Work with Legal to combine legal and IT risk concepts and language to form a comprehensive presentation of risk Collaborate to create a definition of DEFENSIBLE for your organization Talk about insurance coverage Cite legal penalties and costs as justification for investments in security and incident readiness
Recommendations Take your GC to lunch and talk about the “defensibility” of your company’s cyber risk posture. Talk about how you can collaborate to identify and address security at the point of IMPACT Review your company’s incident response plan and make sure legal is comfortable with counsel’s formal role in the process. Make sure you have ready-access to outside counsel and/or other experts who can help in the event of a cyber incident Involve legal in looking at your security investment plan Go together to your executives and board if they are comfortable with the degree of visibility they have into cyber risk issues 23
THANK YOU! R Jason Straight SVP, Cyber Risk Solutions/CPO UnitedLex Corp.