Transcript
Page 1: 503   privacy and cybersecurity regulatory update - final slides

PRIVILEGED & CONFIDENTIAL

Privacy and Cybersecurity Regulatory Update

Women, Influence & Power in Law Annual Conference, Washington DC

Melissa H. Cozart, AIG Life & Retirement
Leslie T. Thornton, Washington Gas
Mary Jane Wilson-Bilik, Sutherland
September 19, 2014

©2014 Sutherland Asbill & Brennan LLP

Presenters

Melissa H. Cozart, Chief Privacy Officer, AIG Life & Retirement

MJ Wilson-Bilik, Partner, Securities and Insurance Regulation, Sutherland Asbill & Brennan LLP

Leslie T. Thornton, Vice President, General Counsel & Corporate Secretary, WGL Holdings, Inc. & Washington Gas Light Company

Roadmap to Today’s Discussion

• Background on Data Breaches

• Current Regulatory Landscape

• What to Expect from Regulators

• Best Practices

Threats In the News

• “Investigators Target eBay Over Massive Data Breach,” Time, 5/23/14
  – 100 million user passwords stolen (failure to protect)

• “Target Missed Signs of Data Breach,” NY Times, 3/13/14
  – Malware in system for several years (failure to detect)

• “Target Earnings Show Pain of Data Breach,” Business Week, 5/21/14
  – 16% plunge in earnings (threat to going concern)

• “Target Fires Executives Over Data Breach,” Business Week, 5/23/14
  – CIO, CEO and head of operations in Canada dismissed

The Context

• Exponential increase in use, transmission and storage of electronic data (records, laptops, iPads, iPhones, social media, the cloud)
  – Increasing number of breaches
  – Growing use of malware to disrupt operations
  – New generation of computers

• Increased awareness of privacy

• Growing body of law and regulation to protect personal and confidential information and systems
  – Expanding number of regulations governing how companies collect, use and store personal information
  – Heightened national security concerns

Root Causes of Data Breaches

[Chart: Root Causes of a Data Breach; Per Capita Cost for Each Root Cause]

Source: 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, conducted by Ponemon Institute LLC

Costs of a Data Breach

• Detection or Discovery
• Escalation
• Notification
• Post Data Breach
• Opportunity Costs
  – Turnover of existing customers
  – Diminished customer acquisition

Types of Threats

• Criminals
  – Former employees / teenagers on a dare
  – Cyber-extortion – gang in Eastern Europe, etc.

• Hacktivists
  – Intent is to embarrass corporate leadership

• Espionage
  – Will disrupt a company’s operations by planting malware that lies dormant for years to steal secrets and create havoc (deleting information, etc.)

• National Security
  – Threats to critical infrastructure have drawn the attention of Homeland Security, CIA, FBI

Targets

• Critical infrastructure
• Financial information (SSNs, IDs)
• Trading information
• Health data
• Intellectual property
• Logons and Passwords

The Attack Profile

• Many attacks now are specifically targeted
  – Phishing (spear phishing, whaling)
  – Water-holing (watering-hole attacks: compromising a site the targets are known to visit)

• Advanced Persistent Threats (APT)
  – Hackers lying in wait
  – Selling time on your computers

• We have met the enemy and he is us
  – Employees and contractors already have access
  – They do not need malicious intent to be a problem

Layers of Regulation

• International Commissions

• Federal
  – Executive Order / Homeland Security / CIA / FBI
  – National Cyber Investigative Joint Task Force (NCIJTF)
  – Commerce: NIST (National Institute of Standards and Technology)
  – Federal Trade Commission (Gramm-Leach-Bliley)
  – HHS (HIPAA)
  – U.S. Securities and Exchange Commission, FINRA

• State
  – State data breach laws
  – State GLB laws

Federal: Gramm-Leach-Bliley and HIPAA

• FTC issued two rules:
  – Privacy Rule: must notify customers when their information is shared with others; opt-out rights; annual notice / Reg. S-P
  – Safeguards Rule: must develop a written information security plan describing how the company will protect the security, confidentiality and integrity of customer information
    – Tailored to the company’s size and complexity
    – Nature and scope of the company’s activities

• HIPAA:
  – Privacy Rule: protect individual health data
  – Security Rule: perform a risk assessment; develop policies and procedures to address potential threats to the security of electronic protected health information

Federal: SEC Rules and Guidance

• SEC Reg. S-P
  – Broker-dealers, investment advisers and investment companies must have written policies and procedures to ensure confidentiality of personal information, protect against unauthorized access, and protect against anticipated threats and hazards to the security and integrity of data

• SEC Guidance for public companies (2011):
  – Identified cybersecurity risks and incidents as potentially material information to be disclosed to investors
  – Encourages companies to assess their risks of cyber incidents and review the impact on a company’s operations, liquidity and financial condition
  – A blueprint for assessing cyber risk exposures and determining what must be disclosed

The 2013 Executive Order

• Feb. 12, 2013: President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
  – Calls for development of a voluntary cybersecurity framework
  – Provide a flexible, performance-based, cost-efficient approach to manage cybersecurity risk

NCIJTF

• National Cyber Investigative Joint Task Force
  – Tracks, attributes and takes action against terrorists, spies and criminals who exploit our cyber systems
  – If a significant breach occurs, a team of experts from NCIJTF will offer to help the target company with vulnerability mitigation plans
  – FBI may request permission to monitor specific networks in the company to capture information about the intruder
  – Critical for the GC to handle her company’s “consent” and negotiate the agreement with the FBI

Federal: NIST at Commerce

• Feb. 12, 2014: National Institute of Standards and Technology (NIST) Cybersecurity Framework
  – Year-long initiative of NIST and Homeland Security in response to the Executive Order
  – Guidance to companies on how to manage the growing cybersecurity threat, organized around five core functions:
    – Identify – identify risks, assets and governance gaps
    – Protect – safeguards for systems, vendors
    – Detect – unauthorized access and activity
    – Respond – response plan, communications, mitigation
    – Recover – restore capabilities
  – Voluntary – but may give rise to a new standard of care for corporate management – presented at NAIC

NIST Framework

• Corporate Governance
  – Develop policies, procedures and processes to manage and monitor the organization’s legal risk environment and operational requirements
  – Establish information security policy
  – Identify security roles and responsibilities and align internal roles and external partners
  – Understand legal and regulatory requirements regarding cybersecurity, including privacy and civil liberty obligations
  – Ensure governance and risk management processes address cybersecurity risks

SEC Begins Cybersecurity Exams

• March 26, 2014: SEC Cybersecurity Roundtable
  – Chair Mary Jo White: compelling need for stronger partnership between government and private sector to address cyber threats
  – Announced cybersecurity initiatives designed to assess cybersecurity preparedness in the securities industry

• April 15, 2014: SEC Cybersecurity Initiatives
  – OCIE conducting exams of 50+ broker-dealers and investment advisers
  – Published list of 26 questions on:
    – Cybersecurity governance
    – Protection of networks and information
    – Risks associated with remote customer access, vendors
    – Detecting unauthorized activity

Red Flags for SEC

• Weak IT Security Policy
• Weak Incident Response Plan
• Weak Training Programs
• Weak Third Party Due Diligence
• Weak Internal Controls and Protocols for Identity Theft
• Poorly Documented Controls
• Weak Access Controls
• Weak Remote Access Security
• Excessive IT Cost Cutting
• Poor Integration and Communications

State Data Breach Laws

State Data Breach Notification Laws

• 51 U.S. jurisdictions (47 states, DC, Guam, PR and VI) have data breach notification laws (AL, NM and SD do not yet)

• Laws apply based on the residence of the individual whose data was compromised

• Laws have different triggers and specified content
  – Varying definitions of PI
  – Paper v. computerized
  – Risk of harm exception
  – Some states require notification within 5 days of breach
  – Some require state attorneys general and the state insurance commissioner to be notified

State Data Security Requirements

• 7 states have data protection laws. Most comprehensive is Massachusetts’ regulation.
  – Applies to any company that uses or stores personal information of Massachusetts residents
  – Must adopt a comprehensive written information security program that:
    – Identifies and evaluates internal and external risks
    – Monitors employee access to PI
    – Requires service providers to comply
  – Must review security measures annually and upgrade safeguards
  – Establish continuing education program and training
  – Develop procedures to take in response to a breach

State Data Security Requirements

Massachusetts Data Protection Regulation (cont’d)

• Must establish and maintain a computer security program, to the extent technically feasible, that requires:
  – Encryption of transmitted records and of records on laptops and mobile devices
  – User-authentication protocols and access-control measures
  – Up-to-date firewalls, anti-virus and anti-malware programs

• No one-size-fits-all
  – Reasonableness standard given current technology and sophistication of the organization

• MA Attorney General: will scrutinize any breach

Best Practices

• Prepare comprehensive enterprise-wide privacy and data safeguard policies and procedures
  – Identify your IT assets and stakeholders
  – Identify your risks and risk management strategy

• Institute reasonable security procedures
  – Identify who has access to what and why
  – Limit access (physical and remote) to personal information
  – Recertify access periodically
  – Training and awareness
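The access bullets above (identify who has access to what and why, limit access, recertify periodically) describe a procedure that can be mechanized. The Python below is an added example and is not part of the original slides: it takes a constructed snapshot of current access grants to personal information, joins it to the approval records that say why each grant exists, and produces the revoke / recertify / review actions a periodic recertification would require. Every user, system and date is hypothetical, and the 90-day recertification and 60-day idle limits are assumed policy values.

```python
"""Periodic access recertification for systems holding personal information (PI).

Added example; the grants, approvals, systems and dates below are constructed
and hypothetical, and the thresholds are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """What an account currently holds, as exported from the target system."""
    user: str
    system: str
    role: str
    last_used: Optional[date]   # None = access never exercised
    active_employee: bool       # from the HR feed


@dataclass(frozen=True)
class Approval:
    """Why the access was granted, as recorded by the owner who approved it."""
    user: str
    system: str
    role: str
    justification: str
    approved_on: date


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    role: str
    action: str     # REVOKE, RECERTIFY or REVIEW
    reason: str


# Constructed snapshot (hypothetical users and systems).
AS_OF = date(2014, 9, 19)
GRANTS = [
    Grant("alice", "policy-admin", "pi-read", date(2014, 9, 15), True),
    Grant("bob", "policy-admin", "pi-export", date(2014, 3, 2), True),
    Grant("carol", "claims-db", "dba", date(2014, 9, 18), True),
    Grant("dave", "claims-db", "pi-read", date(2014, 6, 30), False),
    Grant("erin", "hr-portal", "pi-read", None, True),
    Grant("frank", "hr-portal", "pi-read", date(2014, 9, 10), True),
]
APPROVALS = [
    Approval("alice", "policy-admin", "pi-read", "policy servicing", date(2014, 8, 1)),
    Approval("bob", "policy-admin", "pi-export", "quarterly actuarial extract", date(2014, 1, 10)),
    Approval("dave", "claims-db", "pi-read", "claims handling", date(2014, 5, 1)),
    Approval("erin", "hr-portal", "pi-read", "benefits administration", date(2014, 8, 20)),
    Approval("frank", "hr-portal", "pi-read", "payroll", date(2014, 9, 1)),
]


def inventory(grants, approvals) -> Dict[str, List[Tuple[str, str, str]]]:
    """'Who has access to what and why': system -> [(user, role, justification)]."""
    why = {(a.user, a.system, a.role): a.justification for a in approvals}
    out: Dict[str, List[Tuple[str, str, str]]] = {}
    for g in grants:
        out.setdefault(g.system, []).append(
            (g.user, g.role, why.get((g.user, g.system, g.role), "no approval on record")))
    return {s: sorted(v) for s, v in out.items()}


def review(grants, approvals, as_of, recert_days=90, idle_days=60) -> List[Finding]:
    """Flag grants that fail the recertification checks; most severe check wins."""
    approved = {(a.user, a.system, a.role): a for a in approvals}
    findings = []
    for g in grants:
        a = approved.get((g.user, g.system, g.role))
        if not g.active_employee:
            f = Finding(g.user, g.system, g.role, "REVOKE", "account belongs to a departed employee")
        elif a is None:
            f = Finding(g.user, g.system, g.role, "REVOKE", "no approval on record")
        elif (as_of - a.approved_on).days > recert_days:
            f = Finding(g.user, g.system, g.role, "RECERTIFY",
                        f"approval is {(as_of - a.approved_on).days} days old (limit {recert_days})")
        elif g.last_used is None or (as_of - g.last_used).days > idle_days:
            f = Finding(g.user, g.system, g.role, "REVIEW",
                        "access never used" if g.last_used is None
                        else f"unused for {(as_of - g.last_used).days} days (limit {idle_days})")
        else:
            continue
        findings.append(f)
    return findings


if __name__ == "__main__":
    for system, rows in inventory(GRANTS, APPROVALS).items():
        print(system)
        for user, role, why in rows:
            print(f"  {user:<6} {role:<10} {why}")
    for f in review(GRANTS, APPROVALS, AS_OF):
        print(f"{f.action:<9} {f.user}@{f.system} ({f.role}): {f.reason}")
```

The ordering of the checks is deliberate: a departed employee or an unapproved grant is revoked regardless of how recently the access was used, because recent use of access that should not exist is the insider case the “we have met the enemy and he is us” slide warns about, not a reason to keep it.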

Best Practices

• Ensure data security
  – Data in transit, data at rest, data disposition
  – Protection against data leaks (DLP and email monitoring) and unauthorized access
  – Testing and continuous improvement

• Detect anomalies and events
  – Establish incident alert thresholds

• Educate company executives on applicable legal requirements regarding cyber risks and safeguards
  – Importance of establishing a team of stakeholders to assess risks and implement appropriate compliance procedures
  – Chief Information Security Officer
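The “Detect anomalies and events / Establish incident alert thresholds” bullet is where a practitioner wants to see a threshold actually applied to events. The Python below is an added example, not material from the original slides. It parses constructed authentication log lines in a format assumed for the example and raises alerts on three thresholded conditions: repeated failures from one source address inside a sliding window, one source failing against several distinct accounts (password spraying), and a successful login from a source that has just produced a burst of failures, which is the condition worth escalating to incident response. The threshold values and window are assumptions; in practice they are tuned against the organization’s own baseline so that alerts stay rare enough to be acted on.

```python
"""Threshold-based alerting over authentication events.

Added example. The log format, the sample lines and the thresholds are all
constructed for illustration; tune the thresholds to your own baseline.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log format: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: a typo by alice, a brute-force burst against bob that
# ends in a successful login, a spray from one source across three accounts,
# and two isolated failures by frank that are too far apart to matter.
SAMPLE_LOG = """\
2014-09-19T08:00:01 auth FAIL user=alice src=10.1.1.5
2014-09-19T08:00:09 auth OK user=alice src=10.1.1.5
2014-09-19T08:02:00 auth FAIL user=bob src=203.0.113.7
2014-09-19T08:02:05 auth FAIL user=bob src=203.0.113.7
2014-09-19T08:02:11 auth FAIL user=bob src=203.0.113.7
2014-09-19T08:02:18 auth FAIL user=bob src=203.0.113.7
2014-09-19T08:02:25 auth FAIL user=bob src=203.0.113.7
2014-09-19T08:02:31 auth OK user=bob src=203.0.113.7
2014-09-19T08:10:00 auth FAIL user=carol src=198.51.100.9
2014-09-19T08:10:03 auth FAIL user=dave src=198.51.100.9
2014-09-19T08:10:07 auth FAIL user=erin src=198.51.100.9
2014-09-19T08:30:00 auth FAIL user=frank src=10.1.1.8
2014-09-19T08:45:00 auth FAIL user=frank src=10.1.1.8
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    ts: datetime
    user: Optional[str]
    detail: str


def parse(lines) -> List[Event]:
    """Parse lines that match the assumed format; anything else is skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(events, fail_threshold=5, spray_threshold=3,
           window=timedelta(minutes=2), post_burst_min=3) -> List[Alert]:
    """Sliding-window thresholds per source address; one alert per burst per rule."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # failures in window
    fired = set()   # (rule, src) already raised for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src]
        while q and ev.ts - q[0][0] > window:     # drop failures that fell out of the window
            q.popleft()
        if not q:                                 # burst is over: allow a fresh alert later
            fired.discard(("brute_force", ev.src))
            fired.discard(("password_spray", ev.src))
        if ev.result == "FAIL":
            q.append((ev.ts, ev.user))
            if len(q) >= fail_threshold and ("brute_force", ev.src) not in fired:
                fired.add(("brute_force", ev.src))
                alerts.append(Alert("brute_force", ev.src, ev.ts, None,
                                    f"{len(q)} failures within {window}"))
            users = {u for _, u in q}
            if len(users) >= spray_threshold and ("password_spray", ev.src) not in fired:
                fired.add(("password_spray", ev.src))
                alerts.append(Alert("password_spray", ev.src, ev.ts, None,
                                    f"failures against {len(users)} accounts within {window}"))
        else:
            # A success right after a run of failures is the case to escalate:
            # the account may now be in the attacker's hands.
            if len(q) >= post_burst_min:
                alerts.append(Alert("success_after_failures", ev.src, ev.ts, ev.user,
                                    f"login succeeded after {len(q)} failures"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG.splitlines())):
        print(f"{a.ts:%H:%M:%S} {a.rule:<23} src={a.src} user={a.user or '-'}: {a.detail}")
```

The `fired` set is what keeps a single burst from producing a page of identical alerts, and the `window` is what keeps isolated failures spread over a morning from ever crossing the threshold; lowering `fail_threshold` without shortening the window is the usual way such rules drift into noise that nobody reads, which is the “failure to detect” pattern the Target headlines on the earlier slide describe.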

Best Practices

• Consider data security in vendor/business partner selection and management and add to agreements
  – Failure to conduct due diligence on service providers can create unexpected risks

• Prepare a robust incident response plan
  – Test your plan

• Mitigate damages and improve recovery/restoration/resilience

• Cyber insurance

Conclusion

• Data breaches will continue to extract costs throughout society
  – Garnered the attention of top levels in government and industry
  – Increasingly rigorous regulatory requirements
  – Significant risk exposures for companies to identify, mitigate and manage

Contact Information

• Melissa H. Cozart, Chief Privacy Officer, AIG Life & Retirement, [email protected], (713) 831-6371

• Leslie T. Thornton, Vice President & General Counsel, WGL Holdings, Inc. and Washington Gas Light Company, [email protected], (202) 624-6720

• Mary Jane Wilson-Bilik, Partner, Sutherland Asbill & Brennan LLP, [email protected], (202) 383-0660

Thank You

• Questions?
