Presentation is loading. Please wait.

Presentation is loading. Please wait.

CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215) 864-6435

Published byDuane Booth Modified over 8 years ago

Similar presentations

Presentation on theme: "CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215) 864-6435"— Presentation transcript:

1 CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215) 864-6435 mooneyj@whiteandwilliams.com

2 Types of Hackers: – Criminals, organized and loners – H’activists – State-Sponsored/Terrorism Sources of Cyber Threats

3 Sources of a Data Breach

4 klgates.com 4

5 Breach Notification Compliance – State data breach laws – HIPAA, Graham-Leach-Bliley Act Damaged Reputation/Brand – Loss of market share and revenue – Drop in stock value Loss of Assets – Trade secrets, confidential business strategies – Embarrassing internal communications Sources of Legal Liability: First-Party Damages To Your Company

6 Consumer Class Actions – Increased Risk of Identity Theft, Credit Monitoring Costs – Statutes (CCRA, CoMIA), Invasion of Privacy – Negligence, State Unfair Trade Practices Acts Financial Institutions -- Litigation -- PCI Investigations Regulatory Enforcement Sources of Legal Liability: Third-Party Damages To Your Company

7 Under HIPAA, the definition for “Protected Health Information” includes individually identifiable health information that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. Notification: HIPAA 7

8 Notice to individuals of acquisition of unencrypted data: Without reasonable delay or no more than 60 days from discovery of the breach Notice to media outlets of acquisition of unencrypted data: Greater than 500 residents of a State - without reasonable delay or no more than 60 days from discovery of the breach Notice to Secretary of Health and Humans Services of acquisition of unencrypted data: Greater than 500 residents of a State – contemporaneous with notice to individuals Less than 500 residents of a State - disclosure of breach log Notification: HIPAA 8

9 State Notification Statutes 9

10 Is “Personal Information” Involved? First initial and last name, plus one of the following: – Social Security number – Driver’s license number – Credit/debit card or account number + security or access code or PIN to access the account N.J. Stat. Ann. sec. 56:8-161 State Notifications Statutes 10

11 “Security Breach” means: Unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. -- N.J. Stat. Ann. Sec. 56:8-161 State Notification Statutes 11

12 “Security Breach” means: Unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. -- N.J. Stat. Ann. Sec. 56:8-161 State Notification Statutes 12

13 Safe harbor: “Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.” -- N.J. Stat. Ann. Sec. 56:8-163(a) State Notification Statutes 13

14 “Data security is one of our top consumer protection priorities. In our enforcement actions and policy initiatives, we focus on the harms that consumers may suffer when companies fail to keep information secure.” -- FTC Commissioner Julie Brill The Center for Strategic and International Studies, Sept. 17, 2014 Regulatory: The FTC 14

15 FTC v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015) -- FTC has authority to regulate cybersecurity -- FTC need not define “fair” or “reasonable” for assessing cybersecurity practices -- Wyndham settles -- annual security audits for 20 years -- comply with PCI Data Security Standards -- prompt notice to the FTC of another breach Regulatory: The FTC 15

16 “[E]nsuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's risk oversight responsibilities....” “Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” -- Luis Aguilar, SEC Commissioner NYSE speech, June 10, 2014 Regulatory: The SEC 16

17 Prompt notice Engagement of PCI SSC Forensics Investigator (“PFI”) – Who does the PFI work for? Final PFI Report Liability PCI Investigations 17

18 Target 2014 Earnings Report Net Expense: $145 million Gross Expense: $191 million (Insurance - $46 million) 2015 Settlements with Financial Institutions: $19 million -- MasterCard $67 Million -- Other Institutions Class Action Litigation 18

19 2014: 85% of security budgets targeted toward data breach prevention By 2020: 75% of security budgets targeted toward detection and response Building Resiliency, Not a Wall NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17- 2014/ http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17- 2014/

20 When is the last time your company reviewed its data protection protocols? – Industry standards for data security Does your company have a data breach response plan? – Notification Team – Employee Training – Mitigation of Loss – Compliance Preparing For A Network Security Incident 20

21 Preparing For A Network Security Incident 21 at_STARBUCKS_WI2 at_STARBUCKS_WI3 Double Verification

22 Preparing For A Network Security Incident 22

23 Does Tradition Insurance Respond? 23

24 Cybersecurity Insurance

25 Thank You Joshua A. Mooney Co-Chair, Cyber Law and Data Practice Group White and Williams LLP (215) 864-6345 mooneyj@whiteandwilliams.com mooneyj@whiteandwilliams.com Cybersecurity: Risk and Liability 25

Download ppt "CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215) 864-6435"

Similar presentations

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Security, Privacy, and the Protection of Personally Identifiable Information Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security.

Security, Privacy, and the Protection of Personally Identifiable Information Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security.
Security Breach Notification © 2009 Fox Rothschild A Webinar for the Medical Society of New Jersey October 28, 2009 Presented by Helen Oscislawski, Esq.

Security Breach Notification © 2009 Fox Rothschild A Webinar for the Medical Society of New Jersey October 28, 2009 Presented by Helen Oscislawski, Esq.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085.

Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL
Financial Institutions – Cyber Risk Managing Cyber Risks In An Interconnected World State Compensation Insurance Fund Audit Committee Meeting – February.

Financial Institutions – Cyber Risk Managing Cyber Risks In An Interconnected World State Compensation Insurance Fund Audit Committee Meeting – February.
Recent Trends and Insurance Considerations March 2015

Recent Trends and Insurance Considerations March 2015
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Dino Tsibouris (614) 360-1160 Information Security – What’s New In the Law?

Dino Tsibouris (614) Information Security – What’s New In the Law?
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Similar presentations

Ads by Google