z

z

presented by Mark B. Manoukian

Securing Sensitive Personal Data

z

1 Change our perspective

2 Improve our defenses

z

Data Is Valuable

z

Consequences of Data Breach+ Money+ Identity Theft+ Ransom+ Useful Secrets+ Punishment+ Damage to Reputation \ Loss of Business+ Civil Liability+ Criminal Liability

z

Major Data Breaches of 2015From http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/

+ Kapersky Labs+ LastPass+ CVS, Walgreen’s, Costco+ Carhone Warehouse (UK)+ UCLA Health

+ Hacking Team+ Ashley Madison+ Anthem+ IRS+ Office of Personnel

Management

z

How Did We Get Here?

z

Protecting Our Data in the Old Days

1. Communications were secure in that virtually all communications were internal.

2. Data was secure in that it was stored on our servers in our offices.

3. Access is restricted access by usernames and passwords?4. You had full control over your PC, but it was

inconsequential.5. Points of entry – desktop PCs in our office – were secure.6. The only real threat was known viruses attached to e-mail.7. Our firewall kept uninvited guests out.8. We were low-value targets.

z

What Has Changed?

z

Communications+ Employees are able to access our network remotely

across the public Internet.+ We routinely use 3rd party services, typically web

sites, wherein we are communicating across the public Internet.

z

Data+ We store sensitive data of our clients.+ Third parties store our sensitive data.

z

Points of Entry+ Home PCs+ Mobile Devices, Lots of Them+ Public PCs \ Devices

z

Viruses Have Evolved Into Malware+ Malware > Viruses.+ Some malware is indefensible…

+ …in that it attacks flaws in the software that are unknown to all, including the makers of the software.

+ …sometimes bespoke, just for you.+ …it piggybacks on other, legit apps or web sites– e.g. Java,

Adobe Flash.

z

Usernames and Passwords+ Public.+ Broken.+ Stolen.+ Shared.+ Reused.

z

Net Effect

1. Communications were secure in that virtually all communications were internal.

2. Data was secure in that it was stored on our servers in our offices.

3. Access is restricted access by usernames and passwords, which may be easily broken.

4. You had full control over your PC, but it was inconsequential.

5. Points of entry – desktop PCs in our office – were secure.6. The only real threat was known viruses attached to e-mail.7. Our firewall kept uninvited guests out.8. We are a high-value low-value target.

z

Order of Events in Hack of RSA, Inc.

Recon• Research public info about RSA employees

E-Mail• Create e-mail accounts purporting to be a close friend or employee

Payload• Payload is an indefensible piece of malware

Malware • Malware leverages privileges to gain access

Damage• Data is stolen

z

Recourse?+ Yes, it’s illegal.+ Remediation is difficult-to-impossible.+ Prevention is the best strategy.

z

Action Items For…+End Users – That’s You+I.T. Staff+Firm Management+Technology Vendors+Non-Technology Vendors

z

Action Item #1 for Employees:Don’t let them in by e-mail.+ Who is the e-mail actually from?+ If you have to ask me if it is legit then you’ve already

told me that you don’t know this person.+ Verify by an alternate method.

z

Spear Phishing

z

E-mail may appear very

genuine

z

Address the recipient by name

Use lingo/jargon of company

Referenceactual

procedures,SOPs/TTPs

z

z

Action Item #2: Look for “HTTPS”Example of a Success

z

Action Item #2: Look for “HTTPS”Example of a Failure

z

z

Test Yourself on #1 and #2E-Mail Phishing Quiz: http://www.sonicwall.com/phishing/

Web Site Phishing Quiz: https://www.opendns.com/phishing-quiz/

z

Action Item #3: Maintain Your Software+ If you didn’t go looking for it then don’t install it.+ If you installed it, then update it. The vast majority of

patches go to security.+ If you don’t use it then uninstall it.

z

Action Item #4: Protect Your Passwords+ Don’t reuse\share passwords across high-value

accounts.+ Keep them secure, in a password vault or paper in a

locked drawer in your desk.+ Not in a Word or Excel document.

z

Action Item #5: Secure Your Mobile Devices + Laptops+ Smartphones+ Tablets+ Fitness gadgets

z

Action Item #6: This is a mindset.+ This is a marathon not a sprint.+ There will be more action items.+ For the rest of your life.+ This is a perpetually, quickly moving target.

z

Recurring THEMES

Your PC + data are more valuable than you realize

Person using PC is the weakest link

Phishing is the most common attack vector

Test yourself!

z

Mark B. ManoukianDirector of Information TechnologyKegler Brown Hill + Rittermmanoukian@keglerbrown.comkeglerbrown.com/manoukian614-462-5429

Thank You!

z

Litigation THEORIES

in Data Breach Litigation

presented by Luis M. Alcalde

z

Why COMPANIESGet Sued

z

Lost or stolen computers containing

PII or SPI

z

Payment card system hacking

z

Theft of financialdata hacking

z

Unknown intrusions

z

Publication of personal information

z

Suits by banks against corporate hacking

victim to recover cost

z

LEGAL PITFALLSPOTENTIAL

Was it preventable?

z

LEGAL PITFALLSPOTENTIAL

Was it preventable?Federal + 50 state disclosure requirements

z

LEGAL PITFALLSPOTENTIAL

Federal + 50 state disclose requirementsPublic reporting to SEC + federal/state agencies

z

Applicable U.S. Law

+ No common set of laws governing civil liability

+ Claimants use patchwork of federal and state statutory claims + common law claims

z

Federal Statutes

Health Insurance Portability and Accountability

Act (HIPPA)

Health Information Technology for Economic and Clinical Health Act (HITECH)

Stored Communications

Act (SCA)

Fair Credit Reporting Act (FCRA)

Graham-Leach-Bliley Act (GLBA)

z

State Law Claims

Consumer protection statutes

Unfair trade practices statutes

Negligence

Invasion of privacy

Breach of implied or express contract

Unjust enrichment

z

Standing + Injury RequirementNeed to establish injury in-fact to support Article III standing in federal court (biggest impediment so far)

Concrete + particularized

Actual + imminent, not conjectural or hypothetical

Possible future injury not enough

Threatened injury must be impending

Plaintiffs often allege risk of future injury + expenses to mitigate that risk

z

RISK of Future Harm is Obstacle to

Consumer Cases

z

Lack of evidence of what happened to the PII

Lack of evidence of financial loss or proof of identity theft

Lack of loss because claimants were reimbursed within payment card system

Federal courts dismiss on mere possibility of future harm

Plaintiff ’s principal theory of harm is risk that loss of PII puts at higher risk of identity theftSome district courts have found standing on facts falling short of actual financial harm

z

Mitigation EXPENSES

Need to mitigate against fraud + identity theft

Purchasing credit monitoring services

Purchasing identity theft insurance

z

re Sony Gaming Networks …996 F. Supp 2d 942

(S.D. Cal. 2014)

April 2011: hackers attacked computer network used to provide Sony PlayStation Network (PSN)

and related networks

z

re Sony Gaming Networks …996 F.Supp 2d 942

(S.D. Cal. 2014)

Lawsuit claims that Sony did not adequately protect networks and hackers were able to access certain account holder information

z

re Sony Gaming Networks …996 F.Supp 2d 942

(S.D. Cal. 2014)

Claims were that hackers stole information to commit fraud and identity theft + account holders

were legally injured by the unavailability of the network while temporarily off-line for 24 days

z

California D.C. court found plaintiffs alleged sufficient facts of “impending injury”

z

Alternative Theories of Harm

Lost time +inconvenience

Emotionaldistress

Decreasedeconomic

value of PII

Denied benefitof the bargain

z

STATUTORY DAMAGES

z

STATE COURTS EASIER?

z

Class Certification

HURDLE

z

AGAINST CLASS CERTIFICATOIN

z

Suits by Banks + Financial Institutions

z

Luis M. Alcalde, Of CounselKegler Brown Hill + Ritterlalcalde@keglerbrown.comkeglerbrown.com/alcalde614-462-5480

Thank You!

z

z

presented by Larry J. McClatchey

Understanding Secured Transactions +Consignments

SECURING PAYMENT

z

Pre-pay or COD

Traditional Meansto Secure Payment

Letters of CreditGuarantee

Liens in Seller’s Favor

z

Obstacles to Securing Payment

+ Type of Goods+ Seller’s Existing Credit Terms + Conditions+ Buyer’s Existing Credit Terms + Conditions+ PO + Supply Agreements

z

UCC – Nationwide Rules for Commerce

+ Rules for Sales + Leases+ Banking, Checks + Letters of Credit+ Procedures for Warehouse Receipts + Bills of Lading+ Agreement to Grant Security to Seller

z

Not All Transactions + Collateral Covered

Secured Transactions Under Article 9

Classification of Collateral

z

Security Agreements+ Identifies Parties+ Buyer Grants Security Interest+ Describes Collateral

+ Specific listing+ Category of Goods+ Type of Goods

+ Include Proceeds and Products of Collateral+ Specifies Indebtedness to be Secured

z

Attachment of Security Interests

+ Value given by creditor+ Debtor has rights in collateral+ Authenticated Security Agreement

1

Formal Requirements

z

Perfection of Security Interest

+ Possession+ Control+ Perfection by Filing

2

z

Filing Rules

+ Name of Individual Debtor+ Name of Registered Organization+ Place of Filing+ Changes in Name or Location+ Sufficient description of Collateral

3

z

Basic Rules of Priority

+ First to File or Perfect+ Filing Before Loan Closing+ Lapse in Filing

4

z

The Purchase Money Security Interest

A PMSI is distinguished from a standard security interest in two main ways: its manner of creation

and the priority it receives relative to other security interests in the same collateral.

z

Collateral Subject to PMSI: + Goods+ Software+ Consignor’s Inventory

The Purchase Money Security Interest

z

The Purchase Money Security Interest

Priority of PMSI: + Goods other than inventory+ Inventory

z

The Purchase Money Security Interest

“Superior Priority Status”: + Security Interest in Favor of Seller+ Cost of Purchase of Collateral

z

The Purchase Money Security Interest

Limitations on PMSI:+ Notice of Conflicting Inventory+ Prior Secured Party

z

Consignments

z

True Consignment Characteristics

+ Generally consumer goods+ Value of goods less than $1000.+ Delivered to merchant for sale+ Merchant/auctioneer known to sell on consignment+ Usually subject to state bailment law

z

UCC “Consignment” Characteristics+ Merchant deals with goods other than under

consignor’s name+ Merchant is not an auctioneer+ Not generally known as reseller+ Aggregate value of goods over $1000+ Inapplicable to consumer goods+ Transaction does not create a security

interest to secure an obligation.

z

Common Commercial “Consignment”+ Security for payment of an obligation+ Consignment of goods treated as PMSI in inventory+ Rights between consignor and consignee unimpaired+ Several practical problems with consignments

z

Priority of Consignor’s Claim Dependent on Perfection+ Priority over floating inventory lien+ Must create and perfect as PMSI+ Financing statement and notice

z

Practical Problems in Securing Payment Under UCC+ Transactional Costs+ Change of Name of Debtor+ Mergers/Successor Debtor+ Remedies Upon Default+ Disposition of Recovered Collateral

z

Issues to Consider+ What Agreements in Effect Already?+ Eligible for Statutory Lien?+ Would PMSI Be Effective?+ Do We Sell Type of Goods Suitable for Security

Agreement?+ Practical Problems with Collateral?

z

Thank You!Larry J. McClatchey, DirectorKegler Brown Hill + Ritterlmcclatchey@keglerbrown.comkeglerbrown.com/mcclatchey614-462-5463

z

Understanding +DEFENDINGPreference Claims

presented by Christy A. Prince

z

What is a Preference?Payment or transfer made during the

ninety days prior to bankruptcy

Debtor makes a payment or payments to some creditors and not to others

90

z

Purpose of Preference Law?Prevent “piecemeal” dismemberment of a debtor

Avoid the “race to the court house” among creditors

To promote equal distribution among creditors similarly situated

z

Who Can Avoid a Preferential Transfer?

1 Bankruptcy trustee or “debtor in possession”

2 Representative of Liquidating Trust in chapter 11 case

z

Elements of a Preference Claim

Transfer of property of

a debtor

To or for benefit of creditor

On account of an

antecedent debt

Made while debtor was insolvent

Enables creditor to receive more than if transfer had not been

made

Within 90 days prior to bankruptcy

z

Element: A Transfer

Must be of the debtor’s

property

z

Element: A Transfer

Typically from debtor to creditor

z

Element: A Transfer

Could be payment

from debtor to third-

party

z

+ Debtor owes Creditor, and Creditor owes ABC Company

+ Debtor pays ABC Company for Creditor’s debt in consideration of Debtor’s debt to Creditor

+ Debtor can recover the transfer from Creditor

z

+ Creditor applies credit for damaged goods to Debtor’s account, reducing amount due from Debtor to Creditor

+ Application of credit to Debtor’s account is not a transfer for the benefit of Creditor

+ Review records of alleged preferential transfers to weed out credits

z

Element: Antecedent Debt

Transfer must be on account of preexisting

debt

z

Element: Antecedent Debt

If payment terms are Cash on

Delivery, no antecedent

debt

z

Element: Antecedent Debt

If payment terms are

paying old invoices, there is antecedent

debt

z

Element: Time Span

If creditor is an insider, preference period is one year

prior to bankruptcy petition date

z

Element: Time Span

If creditor is not an insider, preference period is 90 days

prior to bankruptcy petition date

z

Element: Debtor’s Insolvency

Transfer must have been

made while debtor was insolvent

z

Element: Debtor’s Insolvency

Insolvency is presumed for the 90 days

prior to bankruptcy

z

Element: Debtor’s Insolvency

Creditor can introduce

evidence that debtor was

solvent at time of transfer

z

Element: Debtor’s Insolvency

If bankruptcy filed suddenly

after meaningful

event, explore this element

z

Element: Creditor Receives More

Disputes over this element are rare

z

Element: Creditor Receives More

If debt fully secured by collateral,

transfer didn’t allow creditor to obtain

more than it would have in bankruptcy

z

Element: Creditor Receives More

If creditors will be paid in full through

bankruptcy, this element would not

be met

z

Debtor/trustee must prove each element of preference

Burden of proof for elements is on debtor/trustee

Creditor can establish an “affirmative defense”

Creditor has burden of proof on any affirmative defense

Defense Considerations

z

Ordinary Course of Business Defense

Encourages creditors to deal with companies on “normal” credit terms

z

Ordinary Course of Business Defense

The debt was incurred in the ordinary course of the business between debtor and creditor, AND:

EITHERPayment is made in the ordinary course of business

of the debtor and the transferee

ORPayment is made according to

ordinary business terms in the industry

z

Ordinary Course of Business Between the Parties

Payment that is “normal” in parties’ course of dealingConsistency with other business transactions between partiesExamines course of conduct + payment history prior to filing

Historical period v. preference period

Consistency late payments may qualify as ordinary payments

z

Payment NOT in Subjective Ordinary Course of Business

Creditor requires a cashier’s check for the first time

Creditor imposes new terms during the preference period

Payment results from coercive collection practices

Creditor imposes or threatens credit hold

z

Ordinary Business Terms: Objective Ordinary Course

Payment is “ordinary” in relation to the relevant industry standard

Examine industry as a whole

Explore practices common to similarly situated businesses Usually requires expert testimony

z

PotentialPROBLEMS

with OCB

z

Subsequent New Value Defense

Creditor may have replenished the value of Debtor by continuing to supply goods/services

z

Subsequent New Value

Transfer by creditor after payment received

Not secured by “otherwise unavoidable” security interest

On account of which new value debtor did not make an otherwise unavoidable transfer to or benefit of creditor

New value determined as of petition date, so post-petition payments are not relevant

z

May not be available if Creditor retains a security interest

May not be available if Debtor later paid for the new goods prior to the petition date

Subsequent New Value

z

+ June 1: Debtor pays Creditor $200,000 + June 15: Creditor ships new goods on credit+ August 1: Debtor files bankruptcy

+ Zero preference exposure because of SNV+ Creditor has a proof of claim for $200,000

z

+ June 1: Debtor owes creditor $500,000+ June 15: Debtor pays creditor $200,000+ June 30: Creditor ships new goods ($100,000) on credit+ August 1: Debtor files bankruptcy

+ $100,000 preference exposure because of SNV+ Creditor has a proof of claim for $400,000

z

+ June 1: Creditor ships new goods ($200,000) on credit+ June 15: Debtor pays creditor $200,000+ August 1: Debtor files bankruptcy

+ $200,000 preference exposure

z

TIMINGof the Claim

z

Preparing for the

DEFENSE

z

Transfer <$5,000 in business cases<$5000

Amount in controversy

Case filed too late (statute of limitations)

Transfer to holder of unperfected lien rights

Other Potential Defenses+

Transfer <$600 in consumer cases <$600

z

Where is the lawsuit filed?

When was the lawsuit filed?

How much is the claim?

Did the debtor make the transfer?

Checklist of Defenses Against Preference Claims

z

Checklist of Defenses Against Preference Claims

Do lien rights exist? PMSI?

Did debtor receive “20 day goods”?

Has debtor made “critical vendor” offer?

Section 503(b)(9) bargaining chip?

z

TIPSPractical

z

Review your invoices to compare to

industry standards

z

Stay consistent in your collection

practices

z

If a problem customer files bankruptcy, work up defenses

while fresh

z

Preserve all records of collection

communications

z

Don’t ignore a demand letter

z

Christy A. Prince, DirectorKegler Brown Hill + Rittercprince@keglerbrown.comkeglerbrown.com/prince614-462-5444

Thank You!

z