Published by Conrad Cox. Modified over 8 years ago.
Slide 1: Avoiding Legal Landmines: Forging a Partnership Between IT and Legal
Slide 2: Agenda
- Legal Landscape
- Incident Response and Recovery
- Leaning on Legal
- Communicating Risk to Executives
- Best Practice Recommendations
Slide 3: Legal Landscape
Slide 4: Snapshot of the Average Breach
- U.S. average cost per record: $145
- U.S. average cost per organization: $3.8M
This does not include costs associated with reputational damage, business distractions, lawsuits and fines.
Chart: global root cause stats.
Slide 5: Indirect Costs Add Up
New precedent: banks suing to recoup administrative costs. Target card replacement = $400 million. The Secret Service estimates 1,000 merchants have had similar breaches. -- New York Times
Source: 2014 Cost of a Data Breach Study, Ponemon Institute
Chart: average notification cost; average lost business cost.
Slide 6: Economic Impact of IP Theft
- Annual losses exceeding $300 billion. "The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope."
- "The greatest transfer of wealth in history." – General Keith Alexander, Commander of the U.S. Cyber Command and Director of the National Security Agency
- Costing millions of U.S. jobs. "If IP were to receive the same protection overseas that it does here, the American economy would add millions of jobs."
- Inhibits U.S. GDP growth. "Better protection of IP would encourage significantly more R&D investment and economic growth."
- Discourages innovation. "The incentive to innovate drives productivity growth and the advancements that improve the quality of life. The threat of IP theft diminishes that incentive."
Source: IP Commission Report
Slide 7: Alphabet Soup
US regulators: SEC, OCC, FRB, CFPB, FTC, DOJ, HHS/OCR, State AGs, PCI Council
US regulations/standards: HIPAA, GLBA, FTC Act (Section 5), COPPA/CAN-SPAM, CISA, PCI DSS
Slide 8: Legal Liability Theories
Common causes of action:
- Negligence
- Breach of contract
- Breach of fiduciary duty
- Invasion of privacy
- Consumer fraud and deceptive business practices
- Violation of numerous state and federal statutes
Common theories of damages:
- Fraudulent charges
- Credit monitoring fees
- Identity theft
- Lost wages
- Damaged credit scores
- Anxiety over financial well-being
- Losses by financial institutions (replacing debit/credit cards, closing accounts, reversing fraudulent charges, lost interest/transaction fees)
Slide 9: IR and Managing Risk at Point of Impact
Slide 10: The Point of Impact
RISK = THREAT x VULNERABILITY x IMPACT
Most companies are disproportionately invested in managing vulnerabilities: a failed model. Shifting focus to impact management is the most cost-effective way to reduce risk, but it isn't easy.
Slide 11: Impact Control
IT:
- Speed of detection
- Effectiveness of IR
- Network segmentation
- Strict access controls
- Data minimization
- DLP program
- Anomaly detection and user behavior analytics
- Logging and event correlation
- Threat hunting
Legal:
- Well-defined role for legal in IR
- Identify relevant regulators
- Understand contractual obligations
- Established internal and external crisis communications strategies
- Legal hold program: preserve relevant evidence immediately
- Tight policies and procedures
- Tight vendor management program
- Insurance
Slide 12: What Every Regulator Wants to Know (and is NOT afraid to ask)
- How did it happen?
- When did you know?
- How did you respond?
- What was exposed (and how do you know)?
- Were you on notice of the risk, and what measures were in place to prevent the breach?
- How will you mitigate damage to affected parties?
Slide 13: Leaning on Legal
Slide 14: Lean on Legal
- Apply privilege protection to IR/RA activities
- Advise on legal risks of investigative steps
- Anticipate legal and business impact of incidents
- Engage external resources to assist in IR/RA
- Help articulate risk and impact
Slide 15: Law-Talking
- DEFENSIBLE
- DISCOVERABLE
- ATTORNEY-CLIENT PRIVILEGE / ATTORNEY WORK PRODUCT
Slide 16: DEFENSIBLE
Wyndham's alleged failures (abridged version):
- Allowing vulnerability to SQL injection and XSS attacks
- Lack of encryption of data at rest
- Failure to test security of processes
- Failure to remedy known vulnerabilities
- Failure to implement detection of unauthorized access
- Lack of data minimization and access controls
- Failure to train employees on security
- Failure to manage third-party access
- Failure to securely dispose of data
- Failure to set up a system of public feedback for vulnerabilities
- Poor username/password protocol
Slide 17: FTC v. Wyndham Settlement
- No fine
- No admission of wrongdoing
- Must establish a "comprehensive information security program" and conduct annual audits for 20 years
- Annual independent PCI DSS audits with "additional components" focused on franchise risks
Slide 18: DISCOVERABLE
FRCP Rule 26(b)(1): "Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case..."
Slide 19: DISCOVERABLE
Slide 20: ATTORNEY-CLIENT PRIVILEGE / WORK PRODUCT
Attorney-client privilege protects communications between a lawyer and the lawyer's client regarding a need for legal advice.
- Does not apply if the lawyer is acting in a business capacity
- Easy to inadvertently waive
Attorney work product protects reports, summaries and findings prepared at the direction of counsel.
- Better protection when outside counsel is engaged
- Cannot be used to withhold facts
Slide 21: Communicating Risk
Slide 22: The Nerd Alliance
- Work with Legal to combine legal and IT risk concepts and language to form a comprehensive presentation of risk
- Collaborate to create a definition of DEFENSIBLE for your organization
- Talk about insurance coverage
- Cite legal penalties and costs as justification for investments in security and incident readiness
Slide 23: Recommendations
- Take your GC to lunch and talk about the "defensibility" of your company's cyber risk posture.
- Talk about how you can collaborate to identify and address security at the point of IMPACT.
- Review your company's incident response plan and make sure legal is comfortable with counsel's formal role in the process.
- Make sure you have ready access to outside counsel and/or other experts who can help in the event of a cyber incident.
- Involve legal in looking at your security investment plan.
- Go together to your executives and board to ask whether they are comfortable with the degree of visibility they have into cyber risk issues.
Slide 24: THANK YOU!
R Jason Straight, SVP, Cyber Risk Solutions/CPO, UnitedLex Corp.
jason.straight@unitedlex.com