Cybersecurity: Legal Perspectives
Mackenzie S. Wallace, Thompson & Knight LLP
Craig C. Carpenter, Thompson & Knight LLP
Thompson & Knight Data Privacy and Cybersecurity Practice
Texas Society of Certified Public Accountants, Fort Worth Chapter - Sept. 23, 2015
Personally
Professionally
Why is this important?
● The average cost of a data breach in the study was $6.5 Million.
● The average cost per stolen record has increased from $201 last year, to $217 per record.
● Heavily regulated industries (such as healthcare, financial, energy and transportation) tend to have higher costs.
● Malicious attacks were the primary cause of the attacks studied, followed by attacks due to negligent employees.
● Effective preparation can reduce the cost of a data breach.
Why is this important?
(Source: Ponemon 2015 Cost of Data Breach Study: United States (sponsored by IBM))
THREATS
Insider Breaches
E-mail or Spear Phishing
Accidental Breaches
Corporate Espionage
What is the threat?
● Bad actors look for weaknesses
  ● Credentials
  ● Vulnerable software versions
  ● Misconfigured settings
● Intrusion
● Malware insertion
● Extraction of valuable information
● Covering tracks
Anatomy of a Breach
Step 1 • Become aware of threats
Step 2 • Analyze vulnerabilities
Step 3 • Inventory data
Step 4 • Understand the standard of care
Step 5 • Meet the standard of care
Step 6 • Develop and implement a security program
What should you do about it?
“Reasonable” Cybersecurity Practices
Common Law
Statutory Law
Industry/NIST
Global Framework
What is the standard of care?
● Statutory law
● Common law
● Industry Standards
● Global framework
Current State of the Law
Know your data
Safeguards
Secure Vendors
Data Security Policies
How to meet the standard of care
● What types of data:
  ● Employee PII
  ● Client PII
  ● Financial Data, Trade Secrets
● Data flow
  ● Collection, storage, transmission
● Data retention
● Destruction
Know Your Data
● Physical
  ● Locks and safes, fencing, walls, surveillance systems, intrusion detectors, alarms and cameras, key cards
● Technical
  ● Passwords, firewalls, unique user identifications, automatic logoffs, and encryption and decryption of information
● Administrative
  ● Training, background checks, exit interviews, need-to-know
Data Security Safeguards
Data Breach
“There are two types of companies, those that have been hacked and those that will be.” Robert Mueller, Director, FBI
“Any company that is patting itself on the back and saying that they are not a target or not susceptible to attack is in complete and utter denial.” Roger Cressey, Sr. VP Booz Allen Hamilton
What is a breach?
• Hacking
• Phishing
• Malware
• Theft
• Misuse
How does a breach occur?
• Motive
• Opportunity
• Weak security
• Weak policies
Now what?
• Respond quickly
• Respond appropriately
• Preserve evidence
Breach & Breach Reporting
Steps in a Breach Response
Discovery & Reporting
• Identify the incident or potential incident.
• Immediately report the incident or threat to the proper party.
Initial Response
• Secure and isolate affected systems to limit further data loss.
• Preserve evidence. Convene the Incident Response Team in accordance with this Plan.
• Know your role. Coordinate investigation and remediation.
Investigation
• Gather information on the incident.
• Consider involving forensics team and outside counsel.
• Analyze the cause of the incident and the affected systems.
• Analyze legal requirements and liabilities going forward.
Remediation
• Comply with legal requirements including breach notification.
• Remove known vulnerabilities; repair systems.
• Respond to third party inquiries. Consider contacting law enforcement.
Post-Incident Review
• Review analysis and notes regarding the incident.
• Improve practices as necessary.
• Improve policies as necessary.
Data Breach Damages
Reputational
Hardware/Software
Compliance
Claims
Financial Information
• FTC Safeguard Rule
• Gramm-Leach-Bliley
• SEC
Health Information
• HIPAA
Additional Responsibilities
Additional Responsibilities
SEC Guidance
Disclosure Guidance No. 2 (Oct. 13, 2011)
Roundtable (Mar. 26, 2014)
Risk Alert and Cybersecurity Initiative (Apr. 15, 2014)
Legal and Regulatory Obligations
● Risk Factors
● Management’s Discussion and Analysis
● Description of Business and Legal Proceedings
● Financial Statement Disclosures
● External Auditors
  ● Center for Audit Quality Alert #2014-3 (Mar. 21, 2014)
● Internal Auditors
  ● Protiviti 2015 Internal Audit Capabilities and Needs Survey
Additional Responsibilities
● State Law Developments
  ● Texas HB 896 – Signed into law May 28, 2015
    ● Effective September 1, 2015
    ● Amends the breach of computer security law provisions relating to the prosecution of the offense of breach of computer security—expands provisions related to unauthorized access of computer systems
    ● Texas Penal Code § 33.02 – Breach of Computer Security
Recent Developments
● Wyndham – FTC jurisdiction
  ● FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).
Recent Developments
Recent Developments—Litigation Landscape
Settlement
Damages
Standing
Questions?
http://www.tkcybersecurityblog.com/
Craig C. Carpenter (214) 969-1154 [email protected]
Mackenzie S. Wallace (214) 969-1404 [email protected]
http://www.tklaw.com/data-privacy-and-cybersecurity/