Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP.

Published byVeronica King Modified over 9 years ago

Similar presentations

Presentation on theme: "The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP."— Presentation transcript:

1 The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP

2 2 March 2013 Data Breaches

3 © 2013 Winston & Strawn LLP 3 Overview 1.Anatomy of a Data Breach 2.Data Breach Incident Response 3.Handling the Aftermath of a Breach 4.The Legal Landscape 5.Practical Strategies to Mitigate your Risk

4 4 © 2013 Winston & Strawn LLP Anatomy of a Data Breach

5 © 2013 Winston & Strawn LLP 5 Q: What is a Data Breach? A) Hackers B) Lost laptop C) Misdirected email containing Personal Information D) Improperly disposed of paper files E) All of the above

6 © 2013 Winston & Strawn LLP 6 How Do Data Breaches Occur? INTERNAL EXTERNAL INTENTIONAL ACCIDENTAL

7 © 2013 Winston & Strawn LLP 7 Insider Threat- Negligent Employees 1. Pathetic Passwords 2. Loss of devices 3. Improper disposal 4. Misdirected emails 5. Falling for Phishing 6. Use of Public WiFi

8 © 2013 Winston & Strawn LLP 8 Insider Threat – Employee theft  52% of insider thefts are trade secret related  65% of insiders had accepted positions with a competitor  20% were recruited by an outsider  50% steal data within a month of leaving  54% used a network-email, a remote network access channel, or network file transfer

9 9 © 2013 Winston & Strawn LLP Best Practices of a Data Breach Response

10 © 2013 Winston & Strawn LLP 10 Data Breach Response Timeline 00:00Mobilize ResourcesStabilizeInvestigateNotifyAfter Action Review

11 © 2013 Winston & Strawn LLP 11 Step 1 - Mobile Resources: Immediate Response Team Legal Department Privacy Counsel Human Resources Forensic Experts Notification Support SecurityIT Professionals Communication Support Business Group (Data Owners) C. Suite

12 © 2013 Winston & Strawn LLP 12 Step 2 - Stabilize/Secure Data  Act quickly, but cautiously  Take steps to secure data  Preserve evidence including logs, back ups  Obtain expert advice/legal counsel

13 © 2013 Winston & Strawn LLP 13 Step 3 - Investigation Goal : Determine the scope and nature of breach  Identify all affected data, machines and devices  Preserve Evidence (Chain of Custody)  Understand how the data was protected  Develop the Record  Conduct interviews with key personnel  Document evidence and findings carefully  Quantify the exposure of data compromised

14 © 2013 Winston & Strawn LLP 14 Importance of Investigatory Privilege  Treat every incident as potential litigation  Engage Legal Counsel at onset  Direct the forensic/security vendors through Legal Counsel  Label communications “Confidential and Privileged”

15 © 2013 Winston & Strawn LLP 15 Do you Involve Law Enforcement?  PROS For serious criminal activity, partner with law enforcement LE brings additional resources to investigation Shows you are taking the breach seriously  CONS May not meet law enforcement threshold Could lose control over your investigation Information of breach could become public

16 16 © 2013 Winston & Strawn LLP Handling the Aftermath of a Breach

17 © 2013 Winston & Strawn LLP 17 Texas Data Breach Statute 521.053 Texas Business and Commerce Code “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach…to any individual whose sensitive personal information…believed to have been acquired by an unauthorized person.”  Notify as quickly as possible  Extra-territorial application  Civil penalty up to $250,000 for a single breach.

18 © 2013 Winston & Strawn LLP 18 Was there a Breach? 1. What information is Involved? Names Financial Account data SSNs Government ID numbers Credit Card data Date of Birth

19 © 2013 Winston & Strawn LLP 19 Was there a Breach? 2. Was the Information Compromised? Unauthorized access or acquisition Sometimes just access/acquisition Has the “security, integrity or confidentiality” of the laptop info been compromised? Is there a “material compromise”? Has illegal use occurred or is it likely to occur? 3. Is there an Exception? Hard copy files Encrypted data Good faith exception

20 © 2013 Winston & Strawn LLP 20 Who do you have to Notify?  Impacted individuals Typically consumers or employees Applicable law is where individual resides Some states require specific information (MA, IL) Timing restrictions: typically “expediently” or 45 days (FL, WI, OH)  Federal or State authorities Depends type of information at issue/threshold numbers affected www.winston.com/privacylawresources  Credit reporting agencies Usually must meet a threshold of impacted state residents

21 © 2013 Winston & Strawn LLP 21 Effectively Communicate about Breach  Communicate breach facts accurately and quickly Understand and follow breach notification timetables Stay focused and concise Be prepared to update with new information  What you might offer: Information about security freezes and credit monitoring Giving contact information for credit reporting agencies, FTC or state authorities Having a central “ombudsman” for all questions Credit monitoring or identity restoration services Coupons or gift certificates

22 © 2013 Winston & Strawn LLP 22 After Action Review  How did the team respond?  What can be improved in response/investigation?  What security issues can be tightened up?  Modify your plan/procedures if necessary

23 23 © 2013 Winston & Strawn LLP The Legal Landscape

24 © 2013 Winston & Strawn LLP 24 Federal & State Regulatory Agencies  Federal Agencies with Privacy Jurisdiction  Federal Trade Commission  Department of Justice  Office for Civil Rights (HHS)  Consumer Financial Protection Bureau  Office of the Comptroller of the Currency  Federal Communications Commission  And others  Practice Tip – If you regularly have data breaches, get to know your regulators and their notification preferences.  State Agencies Likewise have Privacy Enforcement

25 © 2013 Winston & Strawn LLP 25 Data Breach Civil Litigation  Theories of Liability  Negligence  Gross Negligence  Deceptive Trade Practices  Breach of Contract  Fraud  Significant Risk to Companies  TJX Litigation Settled for over 40 Million dollars  Heartland Payment Systems pending litigation – 12 Million spent in attorney fees

26 © 2013 Winston & Strawn LLP 26 Legal Trends  Data Breach cases are on the Rise  Most Courts require Actual Harm  Reilly v. Ceridian (3rd Cir.) – Hacker stole 250,00 records  But Court dismissed finding potential future injury is not enough  Recent case: No Harm required  Resnick v. AvMed, Inc.(11th Cir.) – Health plan provider failed to protect PII information. No facts tying data breach to subsequent data. Court allowed Unjust enrichment theory

27 © 2013 Winston & Strawn LLP 27 Trade Secret Litigation  Increase in Trade Secret Litigation  To be Successful you must:  Establish a Trade Secret (1)Secrecy (2)Independent Economic Value (3)Reasonable Efforts to Maintain Secrecy  Prove Misappropriation  Allege Damages and/or right to Injunctive Relief

28 28 © 2013 Winston & Strawn LLP Practical Strategies

29 © 2013 Winston & Strawn LLP 29 The Best Defense is an ongoing Data Security Program  Eliminate unnecessary data  Ensure essential controls are met  Monitor/mine event logs  Implement a firewall on remote access services  Change default credentials of POS systems and other internet facing devices  Ensure third party vendors are complying with data protection strategies Recommendations from 2012 Verizon Report

30 © 2013 Winston & Strawn LLP 30 Fully Plan your Breach Response  Understand where your data is and how it is protected  Develop good privacy and security policies  Train employees and monitor enforcement  Develop a Data Breach Incident Response Plan  Understand what laws/regulations apply  Explore Cyber-insurance

31 © 2013 Winston & Strawn LLP 31 Security Policies: Evaluating what documents you need  Remote access policy  Internet and electronic communications policy  Social media policy  Password policy  Mobile device policy  Guest access policy  Vendor access policy  Network device attachment policy

32 © 2013 Winston & Strawn LLP 32 To Learn more… sfalk@winston.com twitter: @winstonprivacy www.winston.com/privacylawresources

Download ppt "The Zero Hour Phone Call How to Respond to a Data Breach to Minimize your Legal Risk Sheryl Falk April 4, 2013 © 2013 Winston & Strawn LLP."

Similar presentations

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
Eight Strategies to Reduce Your Risk in the Event of A Data Breach Sheryl Falk December 10, 2013.

Eight Strategies to Reduce Your Risk in the Event of A Data Breach Sheryl Falk December 10, 2013.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
06B – DATA INCIDENTS AND LITIGATION Jeffrey L. Poston Partner Crowell & Moring, LLP.

06B – DATA INCIDENTS AND LITIGATION Jeffrey L. Poston Partner Crowell & Moring, LLP.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
Confidentiality and HIPAA

Confidentiality and HIPAA
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.

Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.
Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.
Ethical Issues in Data Security Breach Cases www.ScottandScottllp.com Presented by Robert J. Scott Scott & Scott, LLP 800-596-6176.

Ethical Issues in Data Security Breach Cases Presented by Robert J. Scott Scott & Scott, LLP
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding.

The Privacy Office U.S. Department of Homeland Security Washington, DC t: ; f: Safeguarding.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Similar presentations

Ads by Google