Cybersecurity Stuff Happens: A Corporate Counsel's Primer for Security

1
Cybersecurity Stuff Happens: A Corporate Counsel's Primer for Security
  • Albert Gidari
  • Jill Chasson
  • February 19, 2008

2
INTRODUCTION
  • Security: a corporate counsel's full-time job
  • It should keep you up at night: a security breach is your worst nightmare
  • Total number of records lost in security breaches in the U.S. since 2005: 218,202,156
      • http://www.privacyrights.org/ar/ChronDataBreaches.htm (2008)
  • Total cost per record: $197
      • 2007 Ponemon Institute Study, www.ponemon.org

3
INCIDENT RESPONSE PLANNING
  • Cradle-to-Grave Security Plan
  • Combine SOX, PCI, and other regulatory drivers for a holistic plan
  • Organize IRP team with key stakeholders and conduct periodic meetings
  • Training
  • Audit/Assessment/Corrective Action Plan

4
ANATOMY OF INCIDENT RESPONSE
  • Fix the Breach
  • Preserve Evidence
  • Document Response Costs
  • Law Enforcement Referral
  • Initiate Customer/Employee/State Notice
      • Call center
      • Credit monitoring
      • Notice letter
  • Defensive/Remedial Action Plan

5
LITIGATION
  • Most common claim in a security breach class action is for negligence
  • Classic negligence formula applies: duty, breach, causation and damages
  • Almost universally, companies have won (but agency enforcement actions are another story)

6
Stollenwerk v. Tri-West Health Care
  • Beneficiaries of a government health insurance program brought action against the local manager of the program for negligently failing to secure their personal information following a burglary of computer servers containing hard drives with beneficiaries' personal information.
  • District Court granted summary judgment (SJ), finding the cost of a credit monitoring service not cognizable damage under AZ law. (2005 WL 2465906, Sept. 6, 2005)
  • Ninth Circuit affirms and adds that the cost of premium monitoring was not a necessary cost, but reverses and remands on causation grounds as to one party who experienced post-burglary incidents of identity theft. (2007 WL 4116068, 9th Cir. Nov. 20, 2007)

7
Guin v. Brazos Higher Ed. Svc. Corp.
  • Claim: Employer negligently allowed an employee to keep unencrypted nonpublic customer data on a laptop that was stolen from the employee's home during a burglary; plaintiffs argued that GLBA applied to the financial information.
  • GLBA does not prohibit someone from working with sensitive data on a laptop computer in a home office.
  • GLBA does not require PII to be encrypted on a laptop.
  • Reasonable care standard met: employee had permission to work at home and lived in a safe neighborhood.
  • No evidence that plaintiffs' identity was transferred, possessed, or used by a third party with the intent to commit, aid, or abet any unlawful activity.
  • No other evidence of damages.
  • Intervening criminal act of another negates causation.
  • 2006 WL 288483 (D. Minn. Feb. 7, 2006)

8
Pisciotta v. Old National Bancorp
  • Putative class asserted negligence and breach of implied contract claims against a bank and its website hosting facility for allowing PII collected through the bank's marketing web site to be accessed via a database security breach; sought recovery of costs associated with credit monitoring services.
  • No claim for credit monitoring available under Indiana common law because damages were speculative (no existing injury): "compensable damage requires more than an exposure to a future potential harm."
  • Indiana Code provision defined the database owner's disclosure duties narrowly and provided state-enforced penalties as the exclusive remedy for violations of such duties.
  • 499 F.3d 629 (7th Cir. 2007)

9
FTC ACTIONS
  • Section 5 of the FTC Act provides that "unfair or deceptive acts or practices in or affecting commerce are declared unlawful."
  • FTC actions based on the deception prong: a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances

10
FTC CONSENT DECREE ELEMENTS
  • Establish, implement, and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of PII collected from or about consumers
  • Security Policy in writing
  • Designate Responsible Employee for Security Program
  • Third Party Audit every 2 years
  • Make all audits available to FTC for 5 years
  • 20 years of FTC oversight
  • See, e.g., CardSystems Solutions Settlement (2006) at http://www.ftc.gov/os/caselist/0523148/0523148consent.pdf

11
EMPLOYEE ISSUES
  • Leading cause of security breaches is employee
    negligence or dishonesty
  • Confidentiality Agreement/Policy
  • Network Access and Use Policy
  • Disciplinary process for failure to follow policy
    (e.g., leaving laptop unsecured in hotel room)

12
PCI DATA SECURITY STANDARDS
  • Consists of 12 basic requirements (the "Digital Dozen") in 6 key areas:
      • Build and Maintain a Secure Network
      • Protect Cardholder Data
      • Maintain a Vulnerability Management Program
      • Implement Strong Access Control Measures
      • Regularly Monitor and Test Networks
      • Maintain an Information Security Policy
  • Compliance may include third party audit or self-assessment, submission of ROC to Visa, quarterly scans
  • Merchants liable for failures of their service providers

13
FINANCIAL PRIVACY: PCI DATA SECURITY STANDARDS
  • Compliance Penalties: If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
      • Fine the acquiring member
      • Impose restrictions on the merchant or its agent, or
      • Permanently prohibit the merchant or its agent from participating in Visa programs
  • Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach
  • Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident
  • Horror Stories: BJ's, CardServices, and more

14
CONTRACTING FOR SECURITY
  • Contracting
  • Vendors
      • Require vendors who hold data to represent adequate security, indemnify for breaches, and be obligated to give immediate notice of breach and cooperate in investigation
      • Reserve your rights to audit and to control any litigation
      • Lessons from HIPAA Business Associate Agreements and the GLB Security Safeguards Rule: flowing down security
  • Customer Terms of Use
      • Include limits on liability and an arbitration clause with waiver of class action right; specify that the service is provided "as is"; disclaim warranty of security
  • Privacy Policy
      • Be certain not to over-promise and under-deliver
      • Be certain to keep current on security and known security risks

15
LAWS AND REGULATIONS
  • Section 501(b) of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801(b)
      • Implementing regulations: FTC Safeguards Rule, 16 C.F.R. Part 314
  • HIPAA
      • Implementing regulations: HHS Security Rule, 45 C.F.R. Parts 160, 162, and 164
  • Section 404 of the Sarbanes-Oxley Act of 2002, 15 U.S.C. 7262
  • FTC Data Destruction Rule, 16 C.F.R. 682
  • State security breach laws
      • http://www.perkinscoie.com/files/upload/securitybreach.pdf