503 privacy and cybersecurity regulatory update - final slides

Download 503   privacy and cybersecurity regulatory update - final slides

Post on 28-Nov-2014

107 views

Category:

Documents

2 download

Embed Size (px)

DESCRIPTION

 

TRANSCRIPT

  • 1. Privacy and Cybersecurity Regulatory PRIVILEGED & CONFIDENTIAL Update Women, Influence & Power in Law Annual Conference Washington DC Melissa H. Cozart, AIG Life & Retirement Leslie T. Thornton, Washington Gas Mary Jane Wilson-Bilik, Sutherland September 19, 2014 24496382.1
  • 2. 2014 Sutherland Asbill & Brennan LLP Presenters PRIVILEGED & CONFIDENTIAL 2 Melissa H. Cozart Chief Privacy Officer AIG Life & Retirement MJ Wilson-Bilik Partner Securities and Insurance Regulation Sutherland Asbill & Brennan LLP Leslie T. Thornton Vice President, General Counsel & Corporate Secretary WGL Holdings, Inc. & Washington Gas Light Company
  • 3. 2014 Sutherland Asbill & Brennan LLP Roadmap to Today Discussion Background on Data Breaches Current Regulatory Landscape What to Expect from Regulators Best Practices PRIVILEGED & CONFIDENTIAL 3
  • 4. Investigators Target eBay Over Massive Data Breach, Time, 5/23/14 100 Million user passwords stolen (failure to protect) Target Missed Signs of Data Breach, NY Times, 3/13/14 Malware in system for several years (failure to detect) Target Earnings Show Pain of Data Breach, Business Week, 5/21/14 16% plunge in earnings (threat to going concern) Target Fires Executives Over Data Breach, Business Week, 5/23/14 CIO, CEO and head of operations in Canada dismissed 2014 Sutherland Asbill & Brennan LLP Threats In the News PRIVILEGED & CONFIDENTIAL 4
  • 5. Exponential increase in use, transmission and storage of electronic data (records, laptops, ipads, iphones, social media, the cloud) Increased awareness of Privacy Growing body of law and regulation to protect personal and confidential information and systems Expanding number of regulations governing how companies collect, use and store personal information Heightened national security concerns 2014 Sutherland Asbill & Brennan LLP The Context Increasing number of breaches Growing use of malware to disrupt operations New generation of computers PRIVILEGED & CONFIDENTIAL 5
  • 6. 2014 Sutherland Asbill & Brennan LLP Root Causes of Data Breaches Root Causes of a Data Breach Per Capita Cost for Each Root Cause PRIVILEGED & CONFIDENTIAL 6 Source: 2014 Cost of Data Breach Study: Global Analysis Sponsored by IBM, Conducted by Ponemon Institute LLC
  • 7. 2014 Sutherland Asbill & Brennan LLP Costs of a Data Breach Detection or Discovery Escalation Notification Post Data Breach Opportunity Costs Turnover of Existing Customers Diminished Customer Acquisition PRIVILEGED & CONFIDENTIAL 7
  • 8. Will disrupt a companys operations by planting malware that lays dormant for years to steal secrets and create havoc -- deleting information, etc. Threats to critical infrastructure have drawn the attention of Homeland Security, CIA, FBI 2014 Sutherland Asbill & Brennan LLP Types of Threats Criminals Former employees/ Teenagers on a dare Cyber-extortion gang in Eastern Europe, etc. Hackivists Intent is to embarrass corporate leadership Espionage National Security PRIVILEGED & CONFIDENTIAL 8
  • 9. 2014 Sutherland Asbill & Brennan LLP Targets Critical infrastructure Financial information (SSNs, IDs) Trading information Health data Intellectual property Logons and Passwords PRIVILEGED & CONFIDENTIAL 9
  • 10. Employees and contractors already have access They do not need malicious intent to be a problem 2014 Sutherland Asbill & Brennan LLP The Attack Profile Many attacks now are specifically targeted Phishing (spear phishing, whaling) Water-holing Advanced Persistent Threats (APT) Hackers lying in wait Selling time on your computers We have met the enemy and he is us PRIVILEGED & CONFIDENTIAL 10
  • 11. Executive Order/ Homeland Security/ CIA/ FBI National Cyber Investigative Joint Task Force (NCIJTF) Commerce: NIST (National Institute of Standards and Technology) Federal Trade Commission (Gramm Leach Bliley) HHS (HIPAA) U.S. Securities and Exchange Commission, FINRA 2014 Sutherland Asbill & Brennan LLP Layers of Regulation International Commissions Federal State State data breach laws State GLB laws PRIVILEGED & CONFIDENTIAL 11
  • 12. Privacy Rule: must notify customers when their information is shared with others; opt-out rights; annual notice/ Reg. S-P Safeguards Rule: must develop a written information security plan describing how company will protect the security, confidentiality and integrity of customer information Privacy Rule: Protect individual health data Security Rule: Perform risk assessment, develop policies and procedures to address potential threats to data security of electronic protected health data 2014 Sutherland Asbill & Brennan LLP Federal: Gramm-Leach-Bliley and HIPAA FTC issued two rules: Tailored to companys size and complexity Nature and scope of companys activities HIPAA: PRIVILEGED & CONFIDENTIAL 12
  • 13. Broker-dealers, investment advisers and investment company must have written policies and procedures to ensure confidentiality of personal information, protect against unauthorized access, and protect against anticipated threats and hazards to security and integrity of data SEC Guidance for public companies (2011): Identified cybersecurity risks and incidents as potential material information to be disclosed to investors Encourages companies to assess their risks of cyber incidents and review impact on a companys operations, liquidity and financial condition A blueprint for assessing cyber risk exposures and determining what must be disclosed 2014 Sutherland Asbill & Brennan LLP Federal: SEC Rules and Guidance SEC Reg. S-P PRIVILEGED & CONFIDENTIAL 13
  • 14. Feb. 12, 2013: President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity Calls for development of voluntary cybersecurity framework Provide a flexible, performance-based, cost-efficient approach to manage cybersecurity risk 2014 Sutherland Asbill & Brennan LLP The 2013 Executive Order PRIVILEGED & CONFIDENTIAL 14
  • 15. National Cyber Investigative Joint Task Force Tracks, attributes and takes action against terrorists, spies and criminals who exploit our cyber systems If a significant breach occurs, a team of experts from NCIJTF will offer to help the target company with vulnerability mitigation plans FBI may request permission to monitor specific networks in the company to capture information about the intruder Critical for GC to handle her companys consent and negotiate the agreement with the FBI 2014 Sutherland Asbill & Brennan LLP NCIJTF PRIVILEGED & CONFIDENTIAL 15
  • 16. Federal: NIST at Commerce Feb. 21, 2014: National Institute of Standards and Technology (NIST) Cybersecurity Framework Year-long initiative of NIST and Homeland Security in response to Executive Order Guidance to companies on how to manage the growing cybersecurity threat Deter identify risks Detect unauthorized access and activity Protect safeguards for systems, vendors Respond response plan, communications, mitigation Recover restore capabilities Voluntary but may give rise to new standard of care for corporate management presented at NAIC 2014 Sutherland Asbill & Brennan LLP PRIVILEGED & CONFIDENTIAL 16
  • 17. Develop policies, procedures and p

Recommended

View more >