Carlsmith Ball LLP | Cyber Issues For Lawyers | Deborah Bjes | October 22nd, 2015


1 Cyber Issues For Lawyers
Carlsmith Ball LLP
Deborah Bjes
October 22nd, 2015

2 Why are lawyers targets?
Carlsmith Ball LLP | October 22, 2015 | Deborah Bjes
• Maintain valuable information
• Verizon’s 2015 Data Breach Investigations Report found that the legal department is far more likely to actually open a phishing e-mail than all other departments.

3 Phishing emails: Lawyers easy targets?
• 23% of lawyers opened the email
• 11% clicked on the attachment
WHY?

4 Are lawyers targets?
• Lawyers must work efficiently
• Lawyers look for new opportunities
• Lawyers want to assist
• Lawyers are trusting within relationship
• Technologically challenged?

5 Changes in technology - Changes in lawyer’s duty:
Lawyers must:
• Stay up-to-date with technology.
• Secure client & company data.
• Avoid mishandling electronic documents.

6 Maintaining competence
ABA Model Rule 1.1
[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

7 Confidentiality of information
ABA Model Rule 1.6
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
********
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

8 ABA Model Rule 1.6: Acting Competently to Preserve Confidentiality
Comment [18]: ….The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
Factors:
1) sensitivity of the information,
2) likelihood of disclosure,
3) the cost, and
4) the difficulty of implementing the safeguards.
Comment [19]: ....This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. …


10 Potential cyber causes of action
• Negligence
• Breach of contract
• Waste and conversion
• Invasion of privacy
• Breach of fiduciary duty

11 Direct costs
• Forensic experts to establish extent of stolen data (who/what)
• Notification costs
• Credit monitoring cost
• Business interruption cost
• Network restoration cost
• Public relations firm fees/costs – restore/mitigate reputational damage
• Fines

12 Indirect costs
• Management/executive time
• Loss of good will
• Cost of reissuing documents or credit cards
• Cost of mailings/expedited postage
• Declined credit card transactions

13
• Management must understand the importance of security.
• Avoid “it won’t happen to me” thinking.
• Allocate resources!
• Obtain upper management buy-in!

14 Expense of cyber breach
Decrease:
• Incident response team
• Extensive use of encryption
• Employee training
• Board level involvement
Increase:
• Third party involvement in breach
• Quick notification
• Lost or stolen device
• Engagement of consultants

15 Breakdown of claims costs
$62.3 million in pay-outs on 85 claims
• 48% on crisis services
  – $1.5 million in forensics
  – $6.15 million in notification costs
  – $2.5 million in legal guidance
  – $135,000 in public relations
• 15% on legal defense
• 10% on legal settlements
• 10% on regulatory defense
• 6% on regulatory fines
• 11% on other fines

16 State breach notification statutes, Know them (or know someone who does!)
• Requires prompt notification of unauthorized access to personal information
• 47 states, DC, Puerto Rico and US VI
• Common features relate to:
  – Notification trigger
  – Notification requirements
  – Timing of notice
  – Remedies
  – Enforcement/fines

17 Notification considerations
• Is it required? If not, is there a benefit or other need?
• Timing of notification
  – Avoid rush to notify v. will media beat you to it?
  – Law enforcement may delay notification
• Who must be notified?
  – Affected individuals
  – Government or regulatory agencies
  – Banks
  – Media
• Who drafts notification letter?
• Credit monitoring: To offer or not?

18
• Create an educated/proactive work force!
• Focus on the weakest link!
• Create an open door for discussion.
• Avoid finger pointing.
• Do all employees know who to call?
• Are all systems security ready before roll out?
• Are outdated systems retro-fitted?

19 Cyber security plan

20 Cyber security plan and protocols
• Well defined objectives
• Agreed upon management plan
• Nuts and bolts details
Insurance can assist

21 What do I do? I have had a breach! (Or may have had a breach!)
Create a Response Plan (75% of the work should be done before incident)
• Who is point person? Spokesperson?
• Notify law enforcement. (should be aware of identify b/c incident)
• Retain privacy counsel! (already lined up)
• Retain forensic consultant. (already lined up)
• Determine PR issues/ Retain a PR Firm. (already lined up)
• Investigate timely notice requirements!
• Public company disclosure requirements.
• Notice your carrier/broker!
• Activate “dark site”.

22 Further considerations
• Whether to employ routine cyber risk safety audits?
• Should you employ cyber incident drills?
• Should vendors employ cyber risk safety standards? (weakest link)
• Should business partners employ cyber risk safety standards?
• How to decide whether to compensate clients/customer if incident?
• In addition to notice – consider credit monitoring/gift cards?
• Should you build a “dark website”?


24 No standard cyber policy
• Compare pricing and policies
• Understand what is covered & what is not
• Understand notice requirements
• Determine what is really needed
• Negotiate your needs

25 What is cyber insurance? There is no agreed upon definition.
Generally: policy covering one or more of the following:
• Damage to digital assets (data, software) not considered tangible property.
• Business interruption triggered either by damage to digital assets or impairment of external services.
• Liabilities arising out of privacy issues, 3rd party infringement of intellectual property, virus transmission, or any other serious trouble.

26 Cyber insurance
• Crisis management expenses: privacy counsel, public relations or crisis management firm.
• Forensic expenses: services to determine cause and scope.
• Notification expenses: mandatory notification of customers whose sensitive personal information has been breached.
• Credit monitoring expenses: monitoring, credit freezing or fraud alert service expenses for breaches of true identity data.

27 Cyber insurance
• Cyber extortion insurance: Covers expenses to obtain legal, public relations or crisis management services to protect the company’s reputation.
• Digital asset loss: Will fund costs incurred to replace or recover data which has been corrupted or destroyed as a result of a network security failure.
• Regulatory action coverage: Covers loss (damages, defense costs, civil fines or penalties to the extent insurable by law) resulting from a regulator action.

28 Cyber risk insurance - examples
Risks | Coverage | Traditional Policies | Cyber and Privacy Policy
Legal liability to others for privacy breaches | Privacy liability: harm suffered by others due to the disclosure of confidential information | |
Legal liability to others for computer security breaches | Network security liability: harm suffered by others from a failure of your network security | |
Regulatory actions | Legal defense for regulatory actions | |
Identity theft | Expenses resulting from identity theft | |
Privacy notification requirements | Cost to comply with privacy breach notification statutes | |
Loss or damage to data / information | Property loss: the value of data stolen, destroyed, or corrupted by a computer attack | |
Extra expense to recover / respond to a computer attack | Cyber extortion: the cost of investigation and the extortion demand | |
Loss of revenue due to a computer attack | Loss of revenue: business income that is interrupted by a computer attack | |
Loss or damage to reputation | | |

29 Thank you!

30 Disclaimer
©2015 Swiss Re Corporate Solutions. All rights reserved. You are not permitted to create any modifications or derivatives of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re Corporate Solutions. Although all the information used was taken from reliable sources, Swiss Re Corporate Solutions does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re Corporate Solutions or its Group companies be liable for any financial and/or consequential loss relating to this presentation.

