503 privacy and cybersecurity regulatory update - slides


Post on 21-Jun-2015






1. Privacy and Cybersecurity Regulatory Update
  Women, Influence & Power in Law Annual Conference
  Washington DC
  Melissa Cozart, AIG L&R
  Leslie Thornton, Washington Gas
  Mary Jane Wilson-Bilik
  September 19, 2014
  PRIVILEGED & CONFIDENTIAL
  24496382.1

2. Presenters
  • Melissa Cozart, Chief Privacy Officer, AIG Life & Retirement
  • MJ Wilson-Bilik, Partner, Securities and Insurance Regulation, Sutherland Asbill & Brennan LLP
  • Leslie T. Thornton, Vice President, General Counsel & Corporate Secretary, WGL Holdings, Inc. & Washington Gas Light Company
  2014 Sutherland Asbill & Brennan LLP

3. Roadmap to Today's Discussion
  • Background on Data Breaches
  • Current Regulatory Landscape
  • What to Expect from Regulators
  • Best Practices

4. Threats In the News
  • Investigators Target eBay Over Massive Data Breach, Time, 5/23/14
      - 100 Million user passwords stolen (failure to protect)
  • Target Missed Signs of Data Breach, NY Times, 3/13/14
      - Malware in system for several years (failure to detect)
  • Target Earnings Show Pain of Data Breach, Business Week, 5/21/14
      - 16% plunge in earnings (threat to going concern)
  • Target Fires Executives Over Data Breach, Business Week, 5/23/14
      - CIO, CEO and head of operations in Canada dismissed

5. The Context
  • Increasing number of breaches
  • Growing use of malware to disrupt operations
  • New generation of computers
  • Exponential increase in use, transmission and storage of electronic data (records, laptops, iPads, iPhones, social media, the cloud)
  • Increased awareness of Privacy
  • Growing body of law and regulation to protect personal and confidential information and systems
  • Expanding number of regulations governing how companies collect, use and store personal information
  • Heightened national security concerns

6. Root Causes of Data Breaches
  [Charts: Root Causes of a Data Breach; Per Capita Cost for Each Root Cause]
  Source: 2014 Cost of Data Breach Study: Global Analysis. Sponsored by IBM, Conducted by Ponemon Institute LLC

7. Costs of a Data Breach
  • Detection or Discovery
  • Escalation
  • Notification
  • Post Data Breach
  • Opportunity Costs
  • Turnover of Existing Customers
  • Diminished Customer Acquisition

8. Types of Threats
  • Criminals
      - Former employees / Teenagers on a dare
      - Cyber-extortion gang in Eastern Europe, etc.
  • Hacktivists
      - Intent is to embarrass corporate leadership
  • Espionage
  • War
  • Will disrupt a company's operations by planting malware that lies dormant for years and then creates havoc, deleting information, etc.
  • Threats to critical infrastructure have drawn the attention of Homeland Security, CIA, FBI

9. Targets
  • Critical infrastructure
  • Financial information (SSNs, IDs)
  • Trading information
  • Health data
  • Intellectual property
  • Logons and Passwords

10. The Attack Profile
  • Many attacks now are specifically targeted
  • Phishing (spear phishing, whaling)
  • Water-holing
  • Advanced Persistent Threats (APT)
  • Hackers lying in wait
  • Selling time on your computers
  • We have met the enemy and he is us
  • Employees and contractors already have access
  • They do not need malicious intent to be a problem

11. Layers of Regulation
  • International Commissions
  • Federal
      - Executive Order / Homeland Security / CIA / FBI
      - National Cyber Investigative Joint Task Force (NCIJTF)
      - Commerce: NIST (National Institute of Standards and Technology)
      - Federal Trade Commission (Gramm Leach Bliley)
      - HHS (HIPAA)
      - U.S. Securities and Exchange Commission, FINRA
  • State
      - State data breach laws
      - State GLB laws

12. Federal: Gramm-Leach-Bliley and HIPAA
  • FTC issued two rules:
      - Privacy Rule: must notify customers when their information is shared with others; opt-out rights; annual notice / Reg. S-P
      - Safeguards Rule: must develop a written information security plan describing how company will protect the security, confidentiality and integrity of customer information
      - Tailored to company's size and complexity
      - Nature and scope of company's activities
  • HIPAA:
      - Privacy Rule: Protect individual health data
      - Security Rule: Perform risk assessment, develop policies and procedures to address potential threats to data security of electronic protected health data

13. Federal: SEC Rules and Guidance
  • SEC Reg. S-P
      - Broker-dealers, investment advisers and investment companies must have written policies and procedures to ensure confidentiality of personal information, protect against unauthorized access, and protect against anticipated threats and hazards to security and integrity of data
  • SEC Guidance for public companies (2011):
      - Identified cybersecurity risks and incidents as potential material information to be disclosed to investors
      - Encourages companies to assess their risks of cyber incidents and review impact on a company's operations, liquidity and financial condition
      - A blueprint for assessing cyber risk exposures and determining what must be disclosed

14. The 2013 Executive Order
  • Feb. 12, 2013: President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity
      - Calls for development of voluntary cybersecurity framework
      - Provide a flexible, performance-based, cost-efficient approach to manage cybersecurity risk

15. NCIJTF
  • National Cyber Investigative Joint Task Force
      - Tracks, attributes and takes action against terrorists, spies and criminals who exploit our cyber systems
      - If a significant breach occurs, a team of experts from NCIJTF will offer to help the target company with vulnerability mitigation plans
      - FBI may request permission to monitor specific networks in the company to capture information about the intruder
      - Critical for GC to handle her company's consent and negotiate the agreement with the FBI

16. Federal: NIST at Commerce
  • Feb. 21, 2014: National Institute of Standards and Technology (NIST) Cybersecurity Framework
      - Year-long initiative of NIST and Homeland Security in response to Executive Order
      - Guidance to companies on how to manage the growing cybersecurity threat
          Deter: identify risks
          Detect: unauthorized access and activity
          Protect: safeguards for systems, vendors
          Respond: response plan, communications, mitigation
          Recover: restore capabilities
      - Voluntary but may give rise to new standard of care for corporate management; presented at NAIC

17. NIST Framework: Corporate Governance
  • Develop policies, procedures and processes to manage and monitor the organization's legal risk environment and operational requirements
  • Establish information security policy
  • Identify security roles and responsibility and align internal roles and external partners
  • Understand legal and regulatory requirements regarding cybersecurity
      - Including privacy and civil liberty obligations
  • Ensure governance and risk management processes address cybersecurity risks

18. SEC Begins Cybersecurity Exams
  • March 26, 2014: SEC Cybersecurity Roundtable
      - Chair Mary Jo White: compelling need for stronger partnership between government and private sector to address cyber threats
      - Announced cybersecurity initiatives designed to assess cybersecurity preparedness in securities industry
  • April 15, 2014: SEC Cybersecurity Initiatives
      - OCIE conducting exams of 50+ broker-dealers and investment advisers.
      - Published list of 26 questions on:
          Cybersecurity governance
          Protection of networks and information
          Risks associated with remote customer access, vendors
          Detecting unauthorized activity

19. Red Flags for SEC
  • Poorly Documented Controls
  • Weak Access Controls
  • Weak Remote Access Security
  • Excessive IT Cost Cutting
  • Poor Integration and Communications
  • Weak IT Security Policy
  • Weak Incident Response Plan
  • Weak Training Programs
  • Weak Third Party Due Diligence
  • Weak Internal Controls and Protocols for Identity Theft

20. State Data Breach Laws

21. State Data Breach Notification Laws
  • 51 U.S. jurisdictions (47 states, DC, Guam, PR and VI) have data breach notification laws (AL, NM and SD do not yet)
  • Laws apply based on residence of individual whose data was compromised
  • Laws have different triggers and specified content
      - Varying definitions of PI
      - Paper v. computerized
      - Risk of harm exception
      - Some states require notification within 5 days of breach
      - Some require state attorneys general and state insurance commissioner to be notified

22. State Data Security Requirements
  • 7 States have data protection laws. Most comprehensive is Massachusetts Regulation.
      - Applies to any company that uses or stores personal information of Massachusetts residents
      - Must adopt a comprehensive written information security program that:
          Identifies and evaluates internal and external risks
          Monitors employee access to PI
      - Service providers must comply
      - Must review security measures annually and upgrade safeguards
      - Establish continuing education program and training
      - Develop procedures to take in response to breach.

