Legal Issues In Data Privacy & Security:
Anticipating, Then Responding To The Breach
Robert W. Dibert
Connie Wilkinson-Tobbe
Lindsay P. Graves
Alison P. Howard
June 14, 2018
Views expressed in these materials are those of the authors individually,
and do not constitute legal or any other formal advice.
Presentation for the Technology Assoc. of Louisville Kentucky, Cybersecurity Summit
Why Are Lawyers Here?!?!?
• “the relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” FTC v. Wyndham Worldwide Corp., No. 14-3514, Slip Op. at 39-40 (3rd Cir. 8/24/2015)
• Defendant “has made a supplemental production of the approximately 15,000 additional documents inadvertently omitted from its prior production. However, at least 500 pages have been inadvertently omitted from that production as well. No later than August 23, 2010, defendant … will produce the omitted pages. Defense counsel will personally supervise the preparation of this production and will assure the completeness of the production.” Chubb Custom Ins. Co. v. Grange Mut. Cas. Co., No. 2:07-cv-1285 (S.D. Ohio 8/19/10).
• “The defendants are to provide [one defendant]’s wife[‘s] computer image to the plaintiffs. Mr. Dibert will communicate with the defendants’ IT personnel for the information.” PPG Indus. v. Payne, No. 3:10-cv-73 (E.D. Tenn. 5/21/10).
• In re Seroquel Products Liab. Lit., No. 06-md-1769, Slip Op. at 26 (M.D. Fla. 8/21/07) (“a party is responsible for the errors of its vendors”).
Why? (2)
Defendants, must … establish and implement, and thereafter maintain, a comprehensive information security program
that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or
about U.S. consumers … Such program, the content and implementation of which must be fully documented in writing,
shall contain administrative, technical, and physical safeguards appropriate to Defendants’ size and complexity, the nature
and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers,
including:
A. the designation of an employee or employees to coordinate and be responsible for the information security
program;
B. the identification of internal and external risks to the security, confidentiality, and integrity of personal
information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other
compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks.
…
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment,
and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
D. the development and use of reasonable steps to select and retain service providers capable of appropriately
safeguarding personal information they receive from Defendants, and requiring service providers, by contract, to
implement and maintain appropriate safeguards; and
E. the evaluation and adjustment of the information security program in light of the results of the testing and
monitoring required by sub-Section C, … or any other circumstances that Defendants know or have reason to know
may have an impact on the effectiveness of the information security program.
FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1-9 at 4-5 (D.D.C. 12/14/2016) (“Ashley Madison”)
Why? (3)
And Who? …
Will Read The Fine Print ...?
<Vendor> AND <Vendor>’S LICENSORS, RESELLERS AND/OR DISTRIBUTORS MAKE
NO OTHER WARRANTY OR CONDITION, EXPRESS OR IMPLIED, STATUTORY OR
OTHERWISE, REGARDING THE SERVICES, INCLUDING WITHOUT LIMITATION THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, TITLE, NON-INFRINGEMENT ERROR FREE OPERATION OR NON-
INTRUSION DUE TO HACKING OR OTHER SIMILAR MEANS OF UNAUTHORIZED
ACCESS.
FURTHER <Vendor> DOES NOT GUARANTY THAT ... THE SERVICES WILL MEET
YOUR REQUIREMENTS, SPECIFICATIONS OR EXPECTATIONS. ...
NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING BUT NOT
LIMITED TO STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR
PERFORMANCE OF ANY SERVICES ... WHICH IS NOT CONTAINED IN THIS
AGREEMENT, WILL BE DEEMED TO BE A WARRANTY BY <Vendor> FOR ANY
PURPOSE OR GIVE RISE TO ANY LIABILITY OF <Vendor> WHATSOEVER.
YOU ACKNOWLEDGE THAT IT IS IMPOSSIBLE UNDER ANY AVAILABLE
TECHNOLOGY FOR ANY APPLICATION TO IDENTIFY AND ELIMINATE ALL
MALWARE.
Today’s Agenda
I. Three-dimensional Data (And, Therefore, Threats) …
A. What Is The Environment/What Are The Odds?
B. What Is The Environment/What Are The Costs?
II. Anticipating Threats
A. Legal Duties
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
III. Incident Response
A. Applying Laws & Frameworks
B. Time For Compliance
1. Notice requirements
2. Courts accelerate compliance
3. Examples of cyber-evidence
I. Three-D Data And, Therefore, Threats ...
“In 2015, 43 percent of all attacks were directed at small businesses. … 42 percent of small businesses surveyed by the National Small Business Association (NSBA) reported being a victim of a cyber-attack, with cyber-attacks cost an average $32,021 for companies whose business banking accounts were hacked, and $7,115 on average for small businesses overall.” R. Luft (on behalf of NSBA), “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option” at 2,3; Hearing before the House Small Business Committee (7/26/2017).
What is the Environment/What are the Odds?
Source: The Global Risks Landscape 2018, World Economic Forum, Global Risks Report 2018 (1/17/2018).
Environment/Odds (2)
Source: Ponemon Institute, 2017 Cost of Data Breach Study at 14 (6/6/2017).
Environment/Odds (3)
Source: Verizon 2018 Data Breach Investigations Report at 5 (4/2018).
What Are The Costs?
• “Almost half of organizations represented in this research (47 percent) identified the root cause of the data breach as a malicious or criminal attack and the average cost was approximately $156 [per compromised record]. In contrast system glitches and human error or negligence averaged approximately $128 and $126, respectively.” Ponemon, supra at 4 (6/6/2017).
• “Third party involvement in a breach and extensive cloud migration at the time of the breach increases the cost.” Id., at 6.
• Small to medium-sized businesses may face cyber incident losses ranging in the tens of thousands of dollars per incident. See The Hiscox Cyber Readiness Report 2017, at 5 (Forrester Research survey found an average cost per incident of $35,967 for businesses with fewer than 99 employees).
• Example cyber insurance annual premiums may range from hundreds (for $1-2 million coverage on a small business) to more than $40,000 (for $5-10 million coverage on a medium-sized business).
• The average cyber insurance claim may average $250,000.
• “Expenses/fines related to breach of customer/personal information is the primary driver for purchasing a cyber insurance policy. Conversely, just 10 percent of respondents identified business interruption as the primary reason for purchasing the cover.” Information Security And Cyber Risk Management Survey 4 (Advisen/Zurich North America Oct. 2017).
II. Anticipating Threats
A. General Legal Duties: Beyond Sectors
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
General Legal Duties: Beyond Sectors
• Common law fiduciary duties to protect non-public information: Attorney-client; employer-employee … see also, Savidge v Pharm-Save, Inc., 2017 WL 5986972 (W.D. Ky. 12/1/2017) (“the Court can draw the reasonable inference that, because [the employee] Plaintiffs' information was released to unauthorized individuals, Defendants breached their duties to safeguard that information ... Defendants' motion to dismiss will be denied with respect to Plaintiffs' negligence claim.”); id. (“these facts [of employees providing ‘personal information for tax purposes and to receive employment and benefits’] are sufficient for the Court to draw the reasonable inference that Defendants impliedly assented to protect Plaintiffs' information ... Plaintiffs have adequately pled the existence of an implied contract”).
• General statutory duty to protect confidentiality of non-public citizen data: “At least 13 states now have general information security laws that require reasonable measures to protect defined categories of personal information (including Arkansas, California, Connecticut, Illinois, Maryland, Massachusetts, Nevada, New Jersey, New York, Oregon, Rhode Island, Texas, and Utah). ... ‘personal information’ is usually defined to include general or specific facts about an identifiable individual.” I. Hemmans & D. Ries, Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World, at 25 (ABA Law Prac. Div. 4/27/2016).
• Mandatory, secure disposal of records containing “personal information” when their legal or business retention has expired. KRS 365.725.
• Duty to notify individuals of a data security breach: “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” Nat’l Conf. of State Legislatures (NCSL), Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (3/29/2018) (last visited 4/17/2018).
The NIST Framework
“This voluntary framework provides a much needed roadmap for improving the cybersecurity of our most critical infrastructure… Companies now have a common, but flexible path forward to better secure their systems, and also a meaningful way to measure their progress. We must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security.” - Senator Tom Carper (D-DE), Chairman of the Committee on Homeland Security and Governmental Affairs.
Image Credit: https://www.nist.gov/cyberframework/new-framework
“The release of the Cybersecurity Framework is a helpful step forward in providing guidance and best practices to help companies, particularly small and medium sized companies, grappling with today's cyber threats.” - Michael Chertoff, Secretary of Homeland Security under President George W. Bush and Chairman of the Chertoff Group
The NIST Framework: Implementation Tiers
Image Credits: https://www.nist.gov/cyberframework/online-learning/components-framework
The NIST Framework: Core
Image Credits: https://www.nist.gov/cyberframework/online-learning/components-framework
The NIST Framework: 5 Core Functions
Nat’l Inst. for Standards & Technology (“NIST”), Framework for Improving Critical Infrastructure Cybersecurity at 23, App. A/Table 1 (ver. 1.1; 4/16/2018).
Image Credit: https://www.nist.gov/cyberframework/online-learning/components-framework
NIST Core Functions (cont.)
Image Credits: https://www.nist.gov/cyberframework/online-learning/components-framework
The NIST Framework: Profiles
The NIST Framework: Core Implementation
Cyber Insurance
• Compliance = Policies & procedures.
• Risk = Loss, theft, or damage to irreplaceable data (ex. customer lists), sensitive customer information (ex. social security numbers, credit information), intellectual property (ex. the secret recipe….yours, or the customer’s).
• Loss = liability to others and/or business losses.
• Insurance = Part of Compliance and Mitigating Risk of Loss.
• Consider Insurance in Policies & Response Protocol.
This presentation provides a brief overview of insurance considerations based on our legal experience and observations. Please consult with a licensed agent to determine your specific coverage needs and available options.
Application: First Considerations
• Require service providers to demonstrate adequate security policies and procedures?
• Require 3rd party indemnification?
• Restrict employee access to personally identifiable information on a business-need-to-know basis?
• Implement an identity theft program (aka FTC “Red Flags”)?
• Have a written Intellectual Property clearance procedure?
• Were such policies reviewed by a qualified attorney?
• Have a designated Chief Security Officer? Chief Privacy Officer?
• Have a disaster recovery plan? Business continuity plan?
• Have an incident response plan for network intrusions and virus incidents?
• How often are such plans tested?
• Conduct training for every employee user regarding security events and procedures?
• Encrypt data stored on laptop computers, back-up tapes?
Application: Some Coverage Options
• Do existing E&O, CGL, Crime, etc. coverages … have: _____?
• Review a sample copy of any Policy you consider purchasing: The Writing controls the coverage!
• Theft and Fraud – Destruction or loss of policyholder’s data
• Forensic Investigation
• Business Continuity – Cyber events and data loss = investigation, reporting, lost income and costs
• Extortion (Ransomware) – Pay the ransom?
• Computer data loss and restoration
• 3rd party claims (privacy injury, identity theft, etc.)
• Network damage (damage due to viruses)
• Loss or theft of data, including proprietary information
• Costs to comply with “duty to notify” laws
• Crisis Management/Public Relations
• Regulatory expenses, fines and penalties
• Legal counsel – yours? Or panel counsel?
• Custom coverage – livestock, golf course, etc.
Mapping Your Cyber Insurance Needs
When – Not “If” – A Cyber Incident Occurs:
STOP … THINK ... what insurance could apply? E&O? Crime? Cyber?
• Know your Duties: (1) Policy (or Policies); and (2) Written Incident Response Plan
• Policy Duties -- Follow written procedures to preserve coverage. Triggers for incident response? Definition of “claim”? Concerned about premium effects? Any “pre-notice” or “pre-claim” provisions? Notification/reporting requirements? Term? Business changes/insurance revisions?
• Incident Response Plan Duties -- Is Insurance Addressed? There may be coverage for immediate steps following a cyber incident, i.e. forensic investigator, legal counsel, compliance with notification laws, etc.
• Seek Legal Help -- Consult counsel or a designated incident response officer BEFORE notifying anyone else.
What is the GDPR?
The GDPR – Bigger Than Beyoncé
Image Credit: Jason Karaian
GDPR Impact
Image Credit: Marcel Freinbichler
U.S./EU, Pre-GDPR Web Performance
Image Credit: Marcel Freinbichler
GDPR: EU Performance Impact
Image Credit: Marcel Freinbichler
The GDPR Requires That “Personal Data” Shall Be:
Does The GDPR Apply To My Business?
Benefits Of Complying With The GDPR
1. Reduce Reputational Risks
2. Reduce Financial Risks
3. Organize Your Data
4. Build Trust
5. Reduce Chaos
6. Peace of Mind
Steps To Compliance – IT
Anticipating Threats: Data Mapping
• “Knowing the type of data collected, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a ‘data map’ or a ‘data inventory.’” D. Zetoony, Data Privacy and Security: A Practical Guide for In-House Counsel 1 (Wash. Legal Foundation, May 2016).
• How is a data map compiled?
  • System inventories
  • Organization charts
  • Classification systems?
• How frequently is a map updated?
Mapping Systems
Mapping Types
Mapping Locations
Mapping Content
Cybersecurity: Summary Retention & Compliance Issues
• How and Where are your records for customer & employee financial & health data created, communicated & stored?
• Who are the custodians responsible for the security of that data?
• Where are the records to define the reasonable administrative, physical & technical safeguards that protect Critical Cyber Assets, as well as employee & customer financial & health data?
  • Are the records identifiable within the general categories of administrative, physical & technical safeguards?
  • Are the classifications of technical records (such as system security logs) NIST-consistent, and do they include logs of internet access & use of connected facilities?
  • Does your RIM taxonomy account for specific jurisdictional requirements (e.g., Massachusetts encryption and WISP requirements for personal data)?
• Who are the custodians responsible for maintaining and updating those records?
• How frequently are systems mapped, or otherwise tested, to validate the continuing accuracy of the records classifications?
III. Incident Response
A. Applying Laws & Frameworks
B. Time For Compliance
1. Notice Requirements
2. Courts accelerate compliance
3. Examples of cyber-evidence
(Choice of) Laws & Frameworks
• Whose Law Controls?
“Kentucky has adopted the ‘most significant relationship’ test to resolve choice of law issues relating to contract disputes. … ‘[t]he rights and duties of the parties with respect to an issue in contract are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties …’ Kentucky will override the outcome of the ‘most significant relationship’ test and apply its own laws if ‘a clear and certain statement of strong public policy in controlling laws or judicial precedent’ would be violated in applying another state's laws.” Henry v. Travelers Personal Security Insurance Co., 2016-CA-001939-MR (Ky. App. 2/2/2018) (unpublished) (citations omitted).
“Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. … extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation.” GDPR, at Recital (115).
• Is There a Race to an Agency or Courthouse?
• What are the Facts Supporting One Choice Over Another?
• Does the Framework Provide Early Answers?
Compliance: Notice Requirements
• Nature of the Incident?
  • Which sector?
  • Are specific contracts or other duties implicated?
• Time to Notify?
  • State data breach notification laws may provide for notice within anywhere from 14-90 days after discovery of the incident.
  • GDPR compresses the notice timeframe to 72 hours (Art. 33:1)
• Manner of Notice?
• Does the Framework Provide Early Answers?
Courts Accelerate Compliance
• Courts expect parties to have document & data retention practices in order: See Rules 16(b)(2); 26(f)(1) (requiring pre-discovery conference & scheduling order within 90-120 days of the beginning of an action); In re Direct Southwest, Inc. FLSA Litigation, 2009 U.S. Dist. LEXIS 69142 (E.D. La.) (requiring execution of supplemental search terms, production of documents & production of privilege log within 10 days).
• [Defendant] “was ordered to “provide a data-map of the ESI involved in this litigation for in-camera review ... If no data-map exists, then …[defendant] [was to] explain why no ESI data-map exist[ed] and how Counsel ... educated themselves about [defendant’s] information and record keeping systems.” Small v. Univ. Med. Center of Southern Nevada, 2:13-cv-00298 (D. Nev. 8/18/2014). Id., at n. 15 (Court-appointed Special Master “was forced to create his own data map ... from scratch, by synthesizing testimony from IT personnel and other employees”).
• “[T]he parties have fifteen (15) business days from the date of this order to exchange information regarding the location and existence of electronic data sources that may contain discoverable ESI (the "Data Map"), including information regarding the parties' policies and/or procedures regarding data retention; their computer servers and back-up and archival sources that store ESI; all computers, phones, tablets, and other storage devices issued to the Custodians or used by the Custodians for business purposes; all email accounts and cloud-storage/file-sharing service accounts used by the Custodians for business purposes; and any data source that the party identifies as not reasonably accessible pursuant to Fed. R. Civ. P. 26(b)(2).” Hydrochem LLC v. Duplessis, Civil No. 14-264 (M.D. La. 5/28/2015).
Examples Of Cyber Evidence
• Logs of internet URL/domain access. Microsoft Corp. v. John Does 1-5, No. 15-cv-6565 (E.D.N.Y. 11/23/2015)
• Server login records. Tyan v Garcia, No. 15-cv-05443 (C.D. Cal. 5/2/2017)
• “more than 42,000 files on appellant’s computer were intentionally overwritten on February 6, 2011, using [XXXXXX], a program designed to permanently delete and overwrite files. [Defendants’ expert] was unable to restore or retrieve the content of the overwritten files. In addition, certain files one would expect to find (such as “Recent Folder Activity, Link Files, Recycle Bin Info Files, Temp Folders, and Internet Cache Folders”) were missing and could not be restored or retrieved. [The expert] found remnants of other files …” Braun v. Toyota Motor Sales, U.S.A., Inc., No. B234212 (Cal. App. 2d Dist. 2/13/2013) (unpublished)
• “Defendants have … failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information.” FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1 at 9, ¶31 (D.D.C. 12/14/2016) (“Ashley Madison”). Cf. Board of Trustees of Ibew Local 43 Electrical Contractors Health v. D'Arcangelo & Co., LLP, 1 N.Y.S. 3d 659, 124 A.D.3d 1358 (4th Dept. 1/2/2015) (motion to dismiss denied where negligence claim was based on alleged failure to obtain an audit report)
Evidence (2)
Evidence (3)
Excerpt from https://www.minerva.kgi.edu/cookies/ (last visited 6/12/2018)
(Today’s) Conclusions
• Cyber privacy & security must balance economic, human and technology resources. Balance is essential to preserve, identify, collect & produce material information in an appropriate form, that is reasonably necessary to resolve a privacy/security incident or any other matter.
• Educated, empowered and accountable employees are a company’s ultimate defense against threats to data integrity and security.
• An integrated privacy & security program must establish reasonable standards, verify their implementation, and validate their effectiveness on a regular basis.
• Attorneys will be held responsible for assessing and defending “reasonable” privacy and security standards in particular matters.
Presenters
Lindsay Graves: Lindsay is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policies and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Lindsay represented individuals and businesses in commercial litigation, including real estate developers and brokers, title insurers and financial institutions. She helped those clients obtain successful outcomes in judicial/appellate, regulatory and mediation/arbitration proceedings throughout the Commonwealth of Kentucky.
Alison Howard: Alison is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes research, analysis and drafting for privacy policies and practices applicable to financial, insurance, land title and retail consumer businesses. Apart from her work with the Group, Alison has been an experienced litigator, a licensed insurance and real estate agent, and a licensed property and casualty adjuster. She also served as compliance counsel for a national real estate title company, and a conflicts counsel for Frost Brown Todd. Alison has authored and presented multiple official continuing education courses for real estate licensees and government regulators concerning liability insurance and claims experiences.
Presenters (too)
Connie Wilkinson-Tobbe: Connie is a senior Attorney in the Electronic Data
Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group
includes counseling clients on privacy policy and practices applicable to financial,
healthcare, and retail consumer businesses. She also has worked with clients in the
investigation of both internal and external/international data misappropriation incidents.
Before joining the EDD Group, Connie was a trial and compliance attorney for both
individual and business clients. She helped those clients obtain successful outcomes in
bench and jury trials, regulatory and grand jury proceedings, and mediation/arbitration
proceedings in Kentucky state and federal courts.
Robert Dibert: Bob is a Member of the Business Litigation and Electronic
Data Discovery (“EDD”) groups at Frost Brown Todd, LLC. He has more than 30 years’
experience litigating commercial disputes, including cases based upon alleged fraud and
racketeering violations. His data privacy/security experience began with HIPAA
compliance issues in litigation, and has expanded over the last 10 years to include both
counseling for breach preparedness and representation for incident response.
I. Identifying Threats
A. Do we maintain an annual profile of predominant threats to our business sector?
B. Do we maintain an annual profile of costs in our sector?
1. Costs/potential financial impact of predominant threats
2. Costs of safeguards to prevent or mitigate threats
3. Costs of insurance to offset impacts of threats
II. Preparing For Threats
A. Have we established a Framework to anticipate and respond to threats?
1. Does that Framework reasonably reflect the scope of our business & legal
environment?
2. Do we verify our use and maintenance of that Framework?
3. Do we validate the scope and effectiveness of that Framework?
B. Does our records retention & compliance program include categories for the
profiles, Framework, and types of information likely to be necessary for incident
response?
III. Incident Response
A. Have we identified a team for first response?
B. Do we maintain a scope and choice of law analysis for how, and how quickly,
responses must be made?
C. Do we have data maps to help identify and contain the compromised area(s)?
D. Do we have tools or providers necessary to preserve potentially relevant
information from the compromised area(s)?
frostbrowntodd.com
Indiana | Kentucky | Ohio | Pennsylvania | Tennessee | Texas | Virginia | West Virginia.
THIS IS AN ADVERTISEMENT. ©2018 Frost Brown Todd LLC All rights reserved.
Frost Brown Todd’s (FBT) experienced team serves clients ranging from the Fortune 500 to small startups, including health
care systems, financial institutions, schools and universities, emerging technology companies, and state and municipal
entities. We provide seamless legal counsel on a wide variety of legal issues triggered by data protection and security
obligations, and stand ready to assist clients when confronted with a data security incident. Our team has significant
experience guiding clients through a data breach response by retaining third-party investigative resources, working with
insurance representatives and regulators, and advising on and developing a notification plan. We also assist clients with
addressing current and emerging data privacy and security issues, including cybersecurity preparedness via information
security and privacy programs, incident response plans, disputes and litigation, regulatory investigations, and cyber insurance
evaluation and claims. We advise clients on the implications of data security compliance obligations in mergers and
acquisitions, such as corporate governance and risk management, vendor due diligence, and cross-border data transfers.
Defending Your Company from a Data Breach
The privacy and security landscape is changing more rapidly than ever before, and the threats to
businesses’ confidential information, trade secrets, and other assets are only increasing. Each year,
data breaches continue to escalate in scale and sophistication, and the methods used for infiltration of
businesses’ systems continue to evolve. Regulators have responded to the threats with an extensive array
of requirements and de facto standards. Now, more than ever, businesses must confront this risk head on
and address the need to protect and defend their data– whether it is consumer or employee data, intellectual
property, or product information. Concrete and practical steps must be taken to address not only the legal
risks, but reputational risks as well.
Case Study: Compliance Following a HIPAA Privacy Breach
This incident is a cautionary tale for HIPAA-covered entities (health care providers, insurers or group health plans sponsored by an employer) which may have access to HIPAA-protected information in their files.
Snooping is one of the most common causes of a HIPAA breach. This can occur in a HIPAA-covered entity if an employee looks at PHI beyond what is necessary to perform their responsibilities for the employer.
Incident: As part of her job responsibilities for a medical
practice, “Employee A” reviews medical records for
purposes of determining the proper charge for the services
provided by the medical practice. One day, she realizes
that the medical record she is reviewing is for a fellow
employee, “Employee B,” who has received services by
the medical practice. Instead of limiting her current review
to the specific medical record for the recent office visit of
“Employee B,” “Employee A,” apparently out of curiosity,
looked at a number of other “Employee B” medical records.
In a routine audit, the medical practice’s information
technology staff determined that “Employee A” looked at
numerous medical records on one specific date. Because
“Employee A” has no legitimate reason to review the prior
test information to perform her duties, this unauthorized use
of protected health information (PHI) was a HIPAA breach
required to be reported to the patient and to Health and
Human Services in year-end breach reporting.
Result: The medical practice had a robust HIPAA policy and
practice, which lessens the risk of governmental penalties,
but the employee involved was disciplined, as required by
HIPAA. Routine review of records accessed is a best practice
that should be used by all businesses that hold HIPAA-
protected data. If a HIPAA-covered entity believes there
has been an unauthorized use or disclosure of PHI as there
was in the example above, the covered entity is required to
investigate the matter and report a HIPAA breach.
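The routine audit described in the case study, as an added example that is not part of the original Frost Brown Todd materials: a small Python audit over a constructed PHI access log that flags a user opening an unusually large number of records on one day and any access to a co-worker's chart by someone other than that co-worker. The log lines, user and patient ids, and the threshold defaults are all constructed for illustration.

```python
"""PHI access-log audit for the snooping pattern in the case study.

Added example, not the law firm's code. All data below is constructed:
"empA" is the billing reviewer, "empB" is the co-worker whose chart was
browsed, "empC" is a control user with ordinary activity.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. Fields: timestamp user patient_id record_id action
ACCESS_LOG = """\
2018-03-05T09:02:11 empA PT1001 R-5501 VIEW
2018-03-05T09:10:40 empA PT1002 R-5502 VIEW
2018-03-05T09:20:05 empA PT1003 R-5503 VIEW
2018-03-06T09:05:00 empA PT1004 R-5510 VIEW
2018-03-06T09:30:00 empA PT1005 R-5511 VIEW
2018-03-07T08:58:12 empA PT2099 R-5520 VIEW
2018-03-07T09:01:30 empA PT2099 R-4100 VIEW
2018-03-07T09:02:02 empA PT2099 R-3877 VIEW
2018-03-07T09:02:41 empA PT2099 R-2210 VIEW
2018-03-07T09:03:15 empA PT2099 R-1999 VIEW
2018-03-07T09:04:00 empA PT2099 R-1550 VIEW
2018-03-05T10:00:00 empC PT1001 R-5501 VIEW
2018-03-05T10:15:00 empC PT1006 R-5530 VIEW
2018-03-06T10:00:00 empC PT1007 R-5531 VIEW
2018-03-07T10:00:00 empC PT1008 R-5532 VIEW
"""

# Constructed mapping of staff who are also patients of the practice.
EMPLOYEE_PATIENTS = {"empB": "PT2099"}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, patient, record, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "record": record,
            "action": action,
        })
    return events


def records_per_user_day(events):
    """Number of distinct record ids each user opened on each calendar day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date())].add(e["record"])
    return {key: len(recs) for key, recs in seen.items()}


def volume_outliers(events, multiplier=2, floor=5):
    """Flag user-days whose distinct-record count is abnormally high.

    Threshold = max(floor, multiplier * median over all user-days). The
    defaults are constructed for this sample, not a published standard;
    a real practice would tune them to its own baseline.
    """
    counts = records_per_user_day(events)
    if not counts:
        return []
    threshold = max(floor, multiplier * median(counts.values()))
    return sorted(
        (user, day.isoformat(), n)
        for (user, day), n in counts.items()
        if n > threshold
    )


def coworker_access(events, employee_patients):
    """Accesses to a co-worker's chart by anyone other than that co-worker.

    Returns (accessing user, co-worker, distinct records opened) tuples.
    """
    patient_to_employee = {pid: emp for emp, pid in employee_patients.items()}
    hits = defaultdict(set)
    for e in events:
        owner = patient_to_employee.get(e["patient"])
        if owner is not None and owner != e["user"]:
            hits[(e["user"], owner)].add(e["record"])
    return sorted((user, owner, len(recs)) for (user, owner), recs in hits.items())


def audit(text=ACCESS_LOG, employee_patients=EMPLOYEE_PATIENTS):
    """Run both checks and return the findings for review by compliance staff."""
    events = parse_log(text)
    return {
        "volume_outliers": volume_outliers(events),
        "coworker_access": coworker_access(events, employee_patients),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

Both findings point at the same user-day (empA on 2018-03-07), which is the shape of evidence the case study's audit produced; the second check only works if the practice maintains the employee-to-patient mapping as part of its data map.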
Representative Experience
»» Assisted a national restaurant chain from start to finish
with a credit card data breach in dozens of states
with over one million card exposures. Responsibilities
included emergency response coaching, breach
evaluation, breach notification, breach vendor
management, liability assessments, negotiations with
processors, acquiring banks, issuing banks and card
brands, and litigation support.
»» Assisted a large multinational corporation with its
evaluation of and response to a ransomware attack that
crippled all corporate servers including human resources
and payroll.
»» Assisted a company with response and notification
arising from infiltration of the company’s system that
altered payroll files processed by a third-party payroll
processor. Responsibilities included working with a
forensics investigation firm, coordination of notification
to employees, and negotiation with the cyber liability
insurance provider.
»» Consulted proactively with a national manufacturing
business regarding appropriate privacy and security
provisions for maintenance of employee personal
information, both internally and for purposes of data
sharing and transfer agreements.
»» Advised a national restaurant chain regarding incident
response for potential misuse of Wi-Fi services. Scope of
the matter included working with the client’s information
technology department to identify potential access and
use of facilities in question, and response to information
requests from law enforcement and private litigants.
»» Consulted with an international manufacturing business
regarding a "phishing" incident directed at employees'
personal data. Scope of the matter included identification
of the scope of attempted intrusion, analysis of
potentially applicable law of multiple jurisdictions, and
assessment of technological safeguards in place to
prevent an actual breach of the security of information
systems in question.
»» Advised a mid-sized consumer retail services
business on response to employee theft of personal
information from company systems. The scope of the
matter included working with the client’s information
technology department to identify access and attempted
misappropriation of information, and coordination
with law enforcement for potential prosecution and
assessment of any breach notification.
Frost Brown Todd | Defending Your Company from a Data Breach
Jane Hils Shea | Member | jshea@fbtlaw.com | 513.651.6961
Jane leads FBT’s privacy and information security practice. She has significant experience in the law governing
data privacy and information security, assisting clients with the development of written information security
programs, the European Union’s General Data Protection Regulation (GDPR) compliance, appropriate internal
policies and procedures, as well as incident response measures and data breach notification. Jane is a member
of the International Association of Privacy Professionals and is a Certified Information Privacy Professional for
the U.S. private-sector (CIPP/US).
frostbrowntodd.com
Michael T. Bindner | Member | mbindner@fbtlaw.com | 317.237.3863
Michael assists clients with various HIPAA privacy matters, including privacy training, investigating and reporting
HIPAA privacy breaches, and with breaches of personal information. He speaks frequently on topics related to
employee benefits, HIPAA and other health care issues.
Robert W. Dibert | Member | bdibert@fbtlaw.com | 502.568.0379
Bob works with businesses in the educational, financial, health care, manufacturing, professional services, and
consumer retail sectors on data privacy and security matters, beginning with the proactive incorporation of
privacy/security-related records and procedures into retention and compliance programs, and breach notifications.
Incidents have included commercial espionage, employee theft, lost or stolen devices, misuse of
facilities by outsiders, and so-called “phishing” for personal information.
Milton C. Sutton | Senior Associate | msutton@fbtlaw.com | 614.559.7271
Milton practices in FBT’s intellectual property and government services practice groups. His practice focuses
on complex information technology matters including computer systems, telecommunications, data, software
development, web hosting, licensing, cloud computing, cybersecurity and privacy. He is a Certified Information
Privacy Professional for the U.S. private-sector (CIPP/US). He assists entities on general privacy issues, GDPR
compliance, cybersecurity preparation as well as responding to large data breach incidents.
Frost Brown Todd Data Breach Attorneys
THE FIRM at a glance
Frost Brown Todd (FBT) is a full-service law firm with offices in Indiana, Kentucky, Ohio, Pennsylvania, Tennessee, Texas, Virginia and West Virginia. With more than 500 lawyers across our eight-state footprint, FBT offers a deep, talented roster of legal professionals. Our services extend beyond our footprint, as we have attorneys licensed to practice law in 25 states and the District of Columbia. Our attorneys serve a diverse client base, from global multinationals to small, entrepreneurial companies. We integrate a powerful network of legal talent and business experience to provide our clients with innovative and comprehensive services.
INDIANA
Indianapolis
KENTUCKY
Florence
Lexington
Louisville
OHIO
Cincinnati
Columbus
West Chester
PENNSYLVANIA
Pittsburgh
TENNESSEE
Nashville
TEXAS
Dallas
VIRGINIA
Ashland (Richmond Area)
WEST VIRGINIA
Charleston
Focused Legal Services
Our attorneys advise and protect you in business
transactions and litigation in industries including automotive,
construction, energy, financial services, food and beverage,
health care, technology, insurance, manufacturing, real
estate and transportation. We deliver sound legal counsel,
responsive service, concise communications and efficient
representation.
Diversity & Inclusion
Our program is constantly evolving to build a more vibrant
and creative law firm for our employees, clients and
communities. Our focus on inclusion extends beyond the
firm. It includes partnering with our clients on unique
programs to help them achieve their diversity and inclusion
goals. It includes leading the way on numerous pipeline
programs as well as investing in regional and national
initiatives in our communities and beyond.
CORE PRACTICES & SERVICE AREAS
Business
Advertising & Media Law
Bankruptcy & Restructuring
Capital Transactions & Governance
Employee Benefits
Entrepreneurial Business Services
Estates, Trusts & Wills
Franchise & Distribution
Health Law
Intellectual Property
International Services
Lending & Commercial Services
Mergers & Acquisitions
Public Finance
Real Estate
Regulated Business
Tax
Litigation
Appellate
Business Litigation
Construction
Environmental
Government Services
Insurance & Tort Defense
Labor & Employment
Product Liability & Mass Tort
frostbrowntodd.com
Indiana | Kentucky | Ohio | Pennsylvania | Tennessee | Texas | Virginia | West Virginia.
THIS IS AN ADVERTISEMENT. ©2018 Frost Brown Todd LLC All rights reserved.

Legal Issues in Data Privacy and Security: Response Readiness Before the Breach

  • 1. Legal Issues In Data Privacy & Security: Anticipating, Then Responding To The Breach Robert W. Dibert Connie Wilkinson-Tobbe Lindsay P. Graves Alison P. Howard June 14, 2018 1 Views expressed in these materials are those of the authors individually, and do not constitute legal or any other formal advice. Presentation for the Technology Assoc. of Louisville Kentucky, Cybersecurity Summit
  • 2. 2  “the relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” FTC v. Wyndham Worldwide Corp., No. 14-3514, Slip Op. at 39-40 (3rd Cir. 8/24/2015)  Defendant “has made a supplemental production of the approximately 15,000 additional documents inadvertently omitted from its prior production. However, at least 500 pages have been inadvertently omitted from that production as well. No later than August 23, 2010, defendant … will produce the omitted pages. Defense counsel will personally supervise the preparation of this production and will assure the completeness of the production.” Chubb Custom Ins. Co. v. Grange Mut. Cas. Co., No. 2:07-cv-1285 (S.D. Ohio 8/19/10).  “The defendants are to provide [one defendant]’s wife[‘s] computer image to the plaintiffs. Mr. Dibert will communicate with the defendants’ IT personnel for the information”). PPG Indus. v. Payne, No. 3:10-cv-73 (E.D. Tenn. 5/21/10).  In re Seroquel Products Liab. Lit., No. 06-md-1769, Slip Op. at 26 (M.D. Fla. 8/21/07) (“a party is responsible for the errors of its vendors”). Why Are Lawyers Here?!?!?
  • 3. 3 Why? (2) Defendants, must … establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about U.S. consumers … Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendants’ size and complexity, the nature and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers, including: A. the designation of an employee or employees to coordinate and be responsible for the information security program; B. the identification of internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. … C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures; D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Defendants, and requiring service providers, by contract, to implement and maintain appropriate safeguards; and E. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by sub-Section C, … or any other circumstances that Defendants know or have reason to know may have an impact on the effectiveness of the information security program. FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1-9 at 4-5 (D.D.C. 12/14/2016) (“Ashley Madison”)
  • 6. 6 Will Read The Fine Print ...? <Vendor> AND <Vendor>’S LICENSORS, RESELLERS AND/OR DISTRIBUTORS MAKE NO OTHER WARRANTY OR CONDITION, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, REGARDING THE SERVICES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT ERROR FREE OPERATION OR NON- INTRUSION DUE TO HACKING OR OTHER SIMILAR MEANS OF UNAUTHORIZED ACCESS. FURTHER <Vendor> DOES NOT GUARANTY THAT ... THE SERVICES WILL MEET YOUR REQUIREMENTS, SPECIFICATIONS OR EXPECTATIONS. ... NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING BUT NOT LIMITED TO STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR PERFORMANCE OF ANY SERVICES ... WHICH IS NOT CONTAINED IN THIS AGREEMENT, WILL BE DEEMED TO BE A WARRANTY BY <Vendor> FOR ANY PURPOSE OR GIVE RISE TO ANY LIABILITY OF <Vendor> WHATSOEVER. YOU ACKNOWLEDGE THAT IT IS IMPOSSIBLE UNDER ANY AVAILABLE TECHNOLOGY FOR ANY APPLICATION TO IDENTIFY AND ELIMINATE ALL MALWARE.
  • 7. 7 I. Three-dimensional Data (And, Therefore, Threats) … A. What Is The Environment/What Are The Odds? B. What Is The Environment/What Are The Costs? II. Anticipating Threats A. Legal Duties B. The NIST Framework C. Cyber Insurance D. GDPR E. Data Mapping III. Incident Response A. Applying Laws & Frameworks B. Time For Compliance 1. Notice requirements 2. Courts accelerate compliance 3. Examples of cyber-evidence Today’s Agenda
  • 8. 8 I. Three-D Data And, Therefore, Threats ...
“In 2015, 43 percent of all attacks were directed at small businesses. … 42 percent of small businesses surveyed by the National Small Business Association (NSBA) reported being a victim of a cyber-attack, with cyber-attacks cost an average $32,021 for companies whose business banking accounts were hacked, and $7,115 on average for small businesses overall.” R. Luft (on behalf of NSBA), “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option” at 2,3; Hearing before the House Small Business Committee (7/26/2017).
  • 9. 9 What is the Environment/What are the Odds? The Global Risks Landscape 2018, World Economic Forum, Global Risks Report 2018 (1/17/2018)
  • 10. 10 Environment/Odds (2) Ponemon Institute, 2017 Cost of Data Breach Study at 14 (6/6/2017).
  • 11. 11 Environment/Odds (3) Verizon 2018 Data Breach Investigations Report at 5 (4/2018).
  • 12. 12 What Are The Costs?
 “Almost half of organizations represented in this research (47 percent) identified the root cause of the data breach as a malicious or criminal attack and the average cost was approximately $156 [per compromised record]. In contrast system glitches and human error or negligence averaged approximately $128 and $126, respectively.” Ponemon, supra at 4 (6/6/2017).
 “Third party involvement in a breach and extensive cloud migration at the time of the breach increases the cost.” Id., at 6.
 Small to medium-sized businesses may face cyber incident losses ranging in the tens of thousands of dollars per incident. See The Hiscox Cyber Readiness Report 2017, at 5 (Forrester Research survey found an average cost per incident of $35,967 for businesses with fewer than 99 employees).
 Example cyber insurance annual premiums may range from hundreds (for $1-2 million coverage on a small business) to more than $40,000 (for $5-10 million coverage on a medium-sized business).
 The average cyber insurance claim may average $250,000.
 “Expenses/fines related to breach of customer/personal information is the primary driver for purchasing a cyber insurance policy. Conversely, just 10 percent of respondents identified business interruption as the primary reason for purchasing the cover.” Information Security And Cyber Risk Management Survey 4 (Advisen/Zurich North America Oct. 2017)
  • 13. 13 II. Anticipating Threats
A. General Legal Duties: Beyond Sectors
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
  • 14. 14 General Legal Duties: Beyond Sectors
 Common law fiduciary duties to protect non-public information: Attorney-client; employer-employee … see also, Savidge v. Pharm-Save, Inc., 2017 WL 5986972 (W.D. Ky. 12/1/2017) (“the Court can draw the reasonable inference that, because [the employee] Plaintiffs' information was released to unauthorized individuals, Defendants breached their duties to safeguard that information ... Defendants' motion to dismiss will be denied with respect to Plaintiffs' negligence claim.”); id. (“these facts [of employees providing ‘personal information for tax purposes and to receive employment and benefits’] are sufficient for the Court to draw the reasonable inference that Defendants impliedly assented to protect Plaintiffs' information ... Plaintiffs have adequately pled the existence of an implied contract”).
 General statutory duty to protect confidentiality of non-public citizen data: “At least 13 states now have general information security laws that require reasonable measures to protect defined categories of personal information (including Arkansas, California, Connecticut, Illinois, Maryland, Massachusetts, Nevada, New Jersey, New York, Oregon, Rhode Island, Texas, and Utah). ... ‘personal information’ is usually defined to include general or specific facts about an identifiable individual.” I. Hemmans & D. Ries, Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World, at 25 (ABA Law Prac. Div. 4/27/2016).
 Mandatory, secure disposal of records containing “personal information” when their legal or business retention has expired. KRS 365.725.
 Duty to notify individuals of a data security breach: “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” Nat’l Conf. of State Legislatures (NCSL), Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (3/29/2018) (last visited 4/17/2018).
  • 15. 15 The NIST Framework
“This voluntary framework provides a much needed roadmap for improving the cybersecurity of our most critical infrastructure… Companies now have a common, but flexible path forward to better secure their systems, and also a meaningful way to measure their progress. We must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security.” - Senator Tom Carper (D-DE), Chairman of the Committee on Homeland Security and Governmental Affairs
“The release of the Cybersecurity Framework is a helpful step forward in providing guidance and best practices to help companies, particularly small and medium sized companies, grappling with today's cyber threats.” - Michael Chertoff, Secretary of Homeland Security under President George W. Bush and Chairman of the Chertoff Group
Image Credit: https://www.nist.gov/cyberframework/new-framework
  • 18. 18 The NIST Framework: 5 Core Functions
Nat’l Inst. for Standards & Technology (“NIST”), Framework for Improving Critical Infrastructure Cybersecurity, at 23, App. A/Table 1 (ver. 1.1; 4/16/2018).
  • 21. 21 The NIST Framework: Core Implementation
  • 22. 22 Cyber Insurance
• Compliance = Policies & procedures.
• Risk = Loss, theft, or damage to irreplaceable data (ex. customer lists), sensitive customer information (ex. social security numbers, credit information), intellectual property (ex. the secret recipe….yours, or the customer’s).
• Loss = liability to others and/or business losses.
• Insurance = Part of Compliance and Mitigating Risk of Loss.
• Consider Insurance in Policies & Response Protocol.
This presentation provides a brief overview of insurance considerations based on our legal experience and observations. Please consult with a licensed agent to determine your specific coverage needs and available options.
  • 23. 23 Application: First Considerations
• Require service providers to demonstrate adequate security policies and procedures?
• Require 3rd party indemnification?
• Restrict employee access to personally identifiable information on a business need-to-know basis?
• Implement an identity theft program (aka FTC “Red Flags”)?
• Have a written Intellectual Property clearance procedure?
• Were such policies reviewed by a qualified attorney?
• Have a designated Chief Security Officer? Chief Privacy Officer?
• Have a disaster recovery plan? Business continuity plan?
• Have an incident response plan for network intrusions and virus incidents?
• How often are such plans tested?
• Conduct training for every employee user regarding security events and procedures?
• Encrypt data stored on laptop computers, back-up tapes?
Image credits: photos by Unknown Author, licensed under CC BY-NC and CC BY-NC-SA.
  • 24. 24 Application: Some Coverage Options
 Do existing E&O, CGL, Crime, etc. coverages … have: _____?
 Review a sample copy of any Policy you consider purchasing: The Writing controls the coverage!
• Theft and Fraud – Destruction or loss of policyholder’s data
• Forensic Investigation
• Business Continuity – Cyber events and data loss = investigation, reporting, lost income and costs
• Extortion (Ransomware) – Pay the ransom?
• Computer data loss and restoration
• 3rd party claims (privacy injury, identity theft, etc.)
• Network damage (damage due to viruses)
• Loss or theft of data, including proprietary information
• Costs to comply with “duty to notify” laws
• Crisis Management/Public Relations
• Regulatory expenses, fines and penalties
• Legal counsel – yours? Or panel counsel?
• Custom coverage – livestock, golf course, etc.
  • 25. Mapping Your Cyber Insurance Needs 25
  • 26. 26 When – Not “If” – A Cyber Incident Occurs: STOP … THINK ... what insurance could apply? E&O? Crime? Cyber?
 Know your Duties: (1) Policy (or Policies); and (2) Written Incident Response Plan
 Policy Duties -- Follow written procedures to preserve coverage. Triggers for incident response? Definition of “claim”? Concerned about premium effects? Any “pre-notice” or “pre-claim” provisions? Notification/reporting requirements? Term? Business changes/insurance revisions?
 Incident Response Plan Duties -- Is Insurance Addressed? There may be coverage for immediate steps following a cyber incident, i.e. forensic investigator, legal counsel, compliance with notification laws, etc.
 Seek Legal Help -- Consult counsel or a designated incident response officer BEFORE notifying anyone else.
  • 27. 27 What is the GDPR?
  • 28. 28 The GDPR – Bigger Than Beyoncé Image Credit: Jason Karaian
  • 29. 29 GDPR Impact Image Credit: Marcel Freinbichler
  • 30. 30 U.S. /EU, Pre-GDPR Web Performance Image Credit: Marcel Freinbichler
  • 31. 31 GDPR: EU Performance Impact Image Credit: Marcel Freinbichler
  • 32. 32 The GDPR Requires That “Personal Data” Shall Be:
  • 33. 33 Does The GDPR Apply To My Business?
  • 34. 34 Benefits Of Complying With The GDPR
1. Reduce Reputational Risks
2. Reduce Financial Risks
3. Organize Your Data
4. Build Trust
5. Reduce Chaos
6. Peace of Mind
  • 35. 35 Steps To Compliance – IT
  • 36. 36 Anticipating Threats: Data Mapping
 “Knowing the type of data collected, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a ‘data map’ or a ‘data inventory.’” D. Zetoony, Data Privacy and Security: A Practical Guide for In-House Counsel 1 (Wash. Legal Foundation, May 2016).
 How is a data map compiled?
   System inventories
   Organization charts
   Classification systems?
 How frequently is a map updated?
  • 41. 41 Cybersecurity: Summary Retention & Compliance Issues
 How and Where are your records for customer & employee financial & health data created, communicated & stored?
 Who are the custodians responsible for the security of that data?
 Where are the records to define the reasonable administrative, physical & technical safeguards that protect Critical Cyber Assets, as well as employee & customer financial & health data?
 Are the records identifiable within the general categories of administrative, physical & technical safeguards?
 Are the classifications of technical records (such as system security logs) NIST-consistent, and do they include logs of internet access & use of connected facilities?
 Does your RIM taxonomy account for specific jurisdictional requirements (e.g., Massachusetts encryption and WISP requirements for personal data)?
 Who are the custodians responsible for maintaining and updating those records?
 How frequently are systems mapped, or otherwise tested, to validate the continuing accuracy of the records classifications?
  • 42. 42 III. Incident Response
A. Applying Laws & Frameworks
B. Time For Compliance
  1. Notice Requirements
  2. Courts accelerate compliance
  3. Examples of cyber-evidence
  • 43. 43 (Choice of) Laws & Frameworks
 Whose Law Controls? “Kentucky has adopted the ‘most significant relationship’ test to resolve choice of law issues relating to contract disputes. … ‘[t]he rights and duties of the parties with respect to an issue in contract are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties …’ Kentucky will override the outcome of the ‘most significant relationship’ test and apply its own laws if ‘a clear and certain statement of strong public policy in controlling laws or judicial precedent’ would be violated in applying another state's laws.” Henry v. Travelers Personal Security Insurance Co., 2016-CA-001939-MR (Ky. App. 2/2/2018) (unpublished) (citations omitted). “Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. … extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation.” GDPR, at Recital (115).
 Is There a Race to an Agency or Courthouse?
 What are the Facts Supporting One Choice Over Another?
 Does the Framework Provide Early Answers?
  • 44. 44 Compliance: Notice Requirements
 Nature of the Incident?
  • Which sector?
  • Are specific contracts or other duties implicated?
 Time to Notify?
  • State data breach notification laws may provide for notice within anywhere from 14-90 days after discovery of the incident.
  • GDPR compresses the notice timeframe to 72 hours (Art. 33:1)
 Manner of Notice?
 Does the Framework Provide Early Answers?
  • 45. 45 Courts Accelerate Compliance
 Courts expect parties to have document & data retention practices in order: See Rules 16(b)(2); 26(f)(1) (requiring pre-discovery conference & scheduling order within 90-120 days of the beginning of an action); In re Direct Southwest, Inc. FLSA Litigation, 2009 U.S. Dist. LEXIS 69142 (E.D. La.) (requiring execution of supplemental search terms, production of documents & production of privilege log within 10 days).
 [Defendant] “was ordered to ‘provide a data-map of the ESI involved in this litigation for in-camera review ... If no data-map exists, then …[defendant] [was to] to explain why no ESI data-map exist[ed] and how Counsel ... educated themselves about [defendant’s] information and record keeping systems.’” Small v. Univ. Med. Center of Southern Nevada, 2:13-cv-00298 (D. Nev. 8/18/2014). Id., at n. 15 (Court-appointed Special Master “was forced to create his own data map ... from scratch, by synthesizing testimony from IT personnel and other employees”).
 “[T]he parties have fifteen (15) business days from the date of this order to exchange information regarding the location and existence of electronic data sources that may contain discoverable ESI (the "Data Map"), including information regarding the parties' policies and/or procedures regarding data retention; their computer servers and back-up and archival sources that store ESI; all computers, phones, tablets, and other storage devices issued to the Custodians or used by the Custodians for business purposes; all email accounts and cloud-storage/file-sharing service accounts used by the Custodians for business purposes; and any data source that the party identifies as not reasonably accessible pursuant to Fed. R. Civ. P. 26(b)(2).” Hydrochem LLC v. Duplessis, Civil No. 14-264 (M.D. La. 5/28/2015).
  • 46. 46 Examples Of Cyber Evidence
 Logs of internet URL/domain access. Microsoft Corp. v. John Does 1-5, No. 15-cv-6565 (E.D.N.Y. 11/23/2015)
 Server login records. Tyan v. Garcia, No. 15-cv-05443 (C.D. Cal. 5/2/2017)
 “more than 42,000 files on appellant’s computer were intentionally overwritten on February 6, 2011, using [XXXXXX], a program designed to permanently delete and overwrite files. [Defendants’ expert] was unable to restore or retrieve the content of the overwritten files. In addition, certain files one would expect to find (such as “Recent Folder Activity, Link Files, Recycle Bin Info Files, Temp Folders, and Internet Cache Folders”) were missing and could not be restored or retrieved. [The expert] found remnants of other files …” Braun v. Toyota Motor Sales, U.S.A., Inc., No. B234212 (Cal. App. 2d Dist. 2/13/2013) (unpublished)
 “Defendants have … failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information.” FTC v. Ruby Corp., No. 1:16-cv-02438, Dkt. 1 at 9, ¶31 (D.D.C. 12/14/2016) (“Ashley Madison”). Cf. Board of Trustees of Ibew Local 43 Electrical Contractors Health v. D'Arcangelo & Co., LLP, 1 N.Y.S. 3d 659, 124 A.D.3d 1358 (4th Dept. 1/2/2015) (motion to dismiss denied where negligence claim was based on alleged failure to obtain an audit report)
  • 48. 48 Evidence (3) Excerpt from https://www.minerva.kgi.edu/cookies/ (last visited 6/12/2018)
  • 49. 49 (Today’s) Conclusions
 Cyber privacy & security must balance economic, human and technology resources. Balance is essential to preserve, identify, collect & produce material information in an appropriate form, that is reasonably necessary to resolve a privacy/security incident or any other matter.
 Educated, empowered and accountable employees are a company’s ultimate defense against threats to data integrity and security.
 An integrated privacy & security program must establish reasonable standards, verify their implementation, and validate their effectiveness on a regular basis.
 Attorneys will be held responsible for assessing and defending “reasonable” privacy and security standards in particular matters.
  • 50. 50 Presenters
Lindsay Graves: Lindsay is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policies and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Lindsay represented individuals and businesses in commercial litigation, including real estate developers and brokers, title insurers and financial institutions. She helped those clients obtain successful outcomes in judicial/appellate, regulatory and mediation/arbitration proceedings throughout the Commonwealth of Kentucky.
Alison Howard: Alison is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes research, analysis and drafting for privacy policies and practices applicable to financial, insurance, land title and retail consumer businesses. Apart from her work with the Group, Alison has been an experienced litigator, a licensed insurance and real estate agent, and a licensed property and casualty adjuster. She also served as compliance counsel for a national real estate title company, and a conflicts counsel for Frost Brown Todd. Alison has authored and presented multiple official continuing education courses for real estate licensees and government regulators concerning liability insurance and claims experiences.
  • 51. 51 Presenters (too)
Connie Wilkinson-Tobbe: Connie is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policy and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Connie was a trial and compliance attorney for both individual and business clients. She helped those clients obtain successful outcomes in bench and jury trials, regulatory and grand jury proceedings, and mediation/arbitration proceedings in Kentucky state and federal courts.
Robert Dibert: Bob is a Member of the Business Litigation and Electronic Data Discovery (“EDD”) groups at Frost Brown Todd, LLC. He has more than 30 years’ experience litigating commercial disputes, including cases based upon alleged fraud and racketeering violations. His data privacy/security experience began with HIPAA compliance issues in litigation, and has expanded over the last 10 years to include both counseling for breach preparedness and representation for incident response.
  • 52. Views expressed in these materials are those of the authors individually, and do not constitute legal or any other formal advice.
I. Identifying Threats
  A. Do we maintain an annual profile of predominant threats to our business sector?
  B. Do we maintain an annual profile of costs in our sector?
    1. Costs/potential financial impact of predominant threats
    2. Costs of safeguards to prevent or mitigate threats
    3. Costs of insurance to offset impacts of threats
II. Preparing For Threats
  A. Have we established a Framework to anticipate and respond to threats?
    1. Does that Framework reasonably reflect the scope of our business & legal environment?
    2. Do we verify our use and maintenance of that Framework?
    3. Do we validate the scope and effectiveness of that Framework?
  B. Does our records retention & compliance program include categories for the profiles, Framework, and types of information likely to be necessary for incident response?
III. Incident Response
  A. Have we identified a team for first response?
  B. Do we maintain a scope and choice of law analysis for how, and how quickly, responses must be made?
  C. Do we have data maps to help identify and contain the compromised area(s)?
  D. Do we have tools or providers necessary to preserve potentially relevant information from the compromised area(s)?
Robert W. Dibert, Connie Wilkinson-Tobbe, Lindsay P. Graves, Alison P. Howard. June 14, 2018
  • 53. Defending Your Company from a Data Breach
The privacy and security landscape is changing more rapidly than ever before, and the threats to businesses’ confidential information, trade secrets, and other assets are only increasing. Each year, data breaches continue to escalate in scale and sophistication, and the methods used for infiltration of businesses’ systems continue to evolve. Regulators have responded to the threats with an extensive array of requirements and de facto standards. Now, more than ever, businesses must confront this risk head on and address the need to protect and defend their data, whether it is consumer or employee data, intellectual property, or product information. Concrete and practical steps must be taken to address not only the legal risks, but reputational risks as well.
Frost Brown Todd’s (FBT) experienced team serves clients ranging from the Fortune 500 to small startups, including health care systems, financial institutions, schools and universities, emerging technology companies, and state and municipal entities. We provide seamless legal counsel on a wide variety of legal issues triggered by data protection and security obligations, and stand ready to assist clients when confronted with a data security incident. Our team has significant experience guiding clients through a data breach response by retaining third-party investigative resources, working with insurance representatives and regulators, and advising on and developing a notification plan. We also assist clients with addressing current and emerging data privacy and security issues, including cybersecurity preparedness via information security and privacy programs, incident response plans, disputes and litigation, regulatory investigations, and cyber insurance evaluation and claims. We advise clients on the implications of data security compliance obligations in mergers and acquisitions, such as corporate governance and risk management, vendor due diligence, and cross-border data transfers.
frostbrowntodd.com Indiana | Kentucky | Ohio | Pennsylvania | Tennessee | Texas | Virginia | West Virginia. THIS IS AN ADVERTISEMENT. ©2018 Frost Brown Todd LLC All rights reserved.
  • 54. Case Study: Compliance Following a HIPAA Privacy Breach
Snooping is one of the most common causes of a HIPAA breach. This can occur in a HIPAA-covered entity if an employee looks at PHI beyond what is necessary to perform their responsibilities for the employer.
This incident is a cautionary tale for HIPAA-covered entities (health care providers, insurers or group health plans sponsored by an employer) which may have access to HIPAA-protected information in their files.
Incident: As part of her job responsibilities for a medical practice, “Employee A” reviews medical records for purposes of determining the proper charge for the services provided by the medical practice. One day, she realizes that the medical record she is reviewing is for a fellow employee, “Employee B,” who has received services by the medical practice. Instead of limiting her current review to the specific medical record for the recent office visit of “Employee B,” “Employee A,” apparently out of curiosity, looked at a number of other “Employee B” medical records. In a routine audit, the medical practice’s information technology staff determined that “Employee A” looked at numerous medical records on one specific date. Because “Employee A” has no legitimate reason to review the prior test information to perform her duties, this unauthorized use of protected health information (PHI) was a HIPAA breach required to be reported to the patient and to Health and Human Services in year-end breach reporting.
Result: The medical practice had a robust HIPAA policy and practice, which lessens the risk of governmental penalties, but the employee involved was disciplined, as required by HIPAA. Routine review of records accessed is a best practice that should be used by all businesses that hold HIPAA-protected data. If a HIPAA-covered entity believes there has been an unauthorized use or disclosure of PHI as there was in the example above, the covered entity is required to investigate the matter and report a HIPAA breach.
Representative Experience
»» Assisted a national restaurant chain from start to finish with a credit card data breach in dozens of states with over one million card exposures. Responsibilities included emergency response coaching, breach evaluation, breach notification, breach vendor management, liability assessments, negotiations with processors, acquiring banks, issuing banks and card brands, and litigation support.
»» Assisted a large multinational corporation with its evaluation of and response to a ransomware attack that crippled all corporate servers including human resources and payroll.
»» Assisted a company with response and notification arising from infiltration of the company’s system that altered payroll files processed by a third-party payroll processor. Responsibilities included working with a forensics investigation firm, coordination of notification to employees, and negotiation with the cyber liability insurance provider.
»» Consulted proactively with a national manufacturing business regarding appropriate privacy and security provisions for maintenance of employee personal information, both internally and for purposes of data sharing and transfer agreements.
»» Advised a national restaurant chain regarding incident response for potential misuse of Wi-Fi services. Scope of the matter included working with the client’s information technology department to identify potential access and use of facilities in question, and response to information requests from law enforcement and private litigants.
»» Consulted with an international manufacturing business regarding a "phishing" incident directed at employees' personal data. Scope of the matter included identification of the scope of attempted intrusion, analysis of potentially applicable law of multiple jurisdictions, and assessment of technological safeguards in place to prevent an actual breach of the security of information systems in question.
»» Advised a mid-sized consumer retail services business on response to employee theft of personal information from company systems. The scope of the matter included working with the client’s information technology department to identify access and attempted misappropriation of information, and coordination with law enforcement for potential prosecution and assessment of any breach notification.
Frost Brown Todd | Defending Your Company from a Data Breach
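The "routine audit" in the HIPAA case study above, written out as an added example (not code from the firm or any real practice management system): it reads a constructed PHI access log and a constructed billing worklist, groups record opens per user and day, and flags opens that were not on the coder's assigned work, noting when the patient is also an employee. The log format, worklist, employee roster and user ids are all assumptions made up for the example.

```python
"""Routine PHI access-log review for 'snooping' (added example, constructed data).

A medical practice keeps an access log of which user opened which patient
record, and a billing worklist of the records each coder is assigned to
charge-review. Access to records on the worklist is expected; anything else
is flagged for the privacy officer, grouped per user, day and patient.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed access log: timestamp, user, patient id, record id, action.
# empA is the coder; P2077 is a fellow employee's patient id; R6001 is the
# record for the recent visit that empA was legitimately assigned to review.
ACCESS_LOG = """\
2018-05-14T09:02:11,empA,P1001,R5001,view
2018-05-14T09:15:40,empA,P1002,R5002,view
2018-05-14T09:31:05,empA,P2077,R6001,view
2018-05-14T09:32:50,empA,P2077,R6002,view
2018-05-14T09:33:12,empA,P2077,R6003,view
2018-05-14T09:34:01,empA,P2077,R6004,view
2018-05-14T10:10:00,empA,P1003,R5003,view
2018-05-14T11:00:00,empC,P1004,R5004,view
2018-05-15T08:45:00,empA,P1005,R5005,view
"""

# Constructed billing worklist: records each coder is assigned to review.
WORKLIST: Dict[str, Set[str]] = {
    "empA": {"R5001", "R5002", "R6001", "R5003", "R5005"},
    "empC": {"R5004"},
}

# Constructed roster mapping patient ids that belong to practice employees.
EMPLOYEE_PATIENT_IDS: Dict[str, str] = {"P2077": "empB"}


@dataclass
class Finding:
    user: str
    date: str
    patient_id: str
    unassigned_records: List[str] = field(default_factory=list)
    patient_is_employee: Optional[str] = None  # employee id if patient is staff


def parse_log(text: str) -> List[dict]:
    """Parse CSV access-log lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, record, action = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "patient": patient, "record": record, "action": action})
    return rows


def records_per_user_day(rows: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count record opens per (user, date): the 'numerous records on one date' view."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in rows:
        counts[(r["user"], r["ts"].date().isoformat())] += 1
    return dict(counts)


def audit_access(rows: List[dict], worklist: Dict[str, Set[str]],
                 employee_patients: Dict[str, str]) -> List[Finding]:
    """Flag record opens outside the user's worklist, grouped per user/day/patient."""
    grouped: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for r in rows:
        if r["record"] in worklist.get(r["user"], set()):
            continue  # legitimate: the coder was assigned this record
        key = (r["user"], r["ts"].date().isoformat(), r["patient"])
        grouped[key].append(r["record"])
    findings = []
    for (user, date, patient), records in sorted(grouped.items()):
        findings.append(Finding(user=user, date=date, patient_id=patient,
                                unassigned_records=sorted(records),
                                patient_is_employee=employee_patients.get(patient)))
    return findings


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for key, n in sorted(records_per_user_day(rows).items()):
        print(f"{key[0]} opened {n} record(s) on {key[1]}")
    for f in audit_access(rows, WORKLIST, EMPLOYEE_PATIENT_IDS):
        who = f" (patient is employee {f.patient_is_employee})" if f.patient_is_employee else ""
        print(f"REVIEW: {f.user} on {f.date} opened {f.unassigned_records} "
              f"for patient {f.patient_id} outside worklist{who}")
```

Only the three extra Employee B records are flagged; the assigned visit record and the rest of the day's billing work pass, which is the distinction the practice's audit had to draw.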
  • 55. Frost Brown Todd Data Breach Attorneys
Jane Hils Shea | Member | jshea@fbtlaw.com | 513.651.6961
Jane leads FBT’s privacy and information security practice. She has significant experience in the law governing data privacy and information security, assisting clients with the development of written information security programs, the European Union’s General Data Protection Regulation (GDPR) compliance, appropriate internal policies and procedures, as well as incident response measures and data breach notification. Jane is a member of the International Association of Privacy Professionals and is a Certified Information Privacy Professional for the U.S. private-sector (CIPP/US).
Michael T. Bindner | Member | mbindner@fbtlaw.com | 317.237.3863
Michael assists clients with various HIPAA privacy matters, including privacy training, investigating and reporting HIPAA privacy breaches, and with breaches of personal information. He speaks frequently on topics related to employee benefits, HIPAA and other health care issues.
Robert W. Dibert | Member | bdibert@fbtlaw.com | 502.568.0379
Bob works with businesses in the educational, financial, health care, manufacturing, professional services, and consumer retail sectors on data privacy and security matters, beginning with the proactive incorporation of privacy/security-related records and procedures into retention and compliance programs, and extending to breach notifications. The nature of incidents includes commercial espionage, employee theft, lost or stolen devices, misuse of facilities by outsiders, and so-called “phishing” for personal information.
Milton C. Sutton | Senior Associate | msutton@fbtlaw.com | 614.559.7271
Milton practices in FBT’s intellectual property and government services practice groups. His practice focuses on complex information technology matters including computer systems, telecommunications, data, software development, web hosting, licensing, cloud computing, cybersecurity and privacy. He is a Certified Information Privacy Professional for the U.S. private-sector (CIPP/US). He assists entities on general privacy issues, GDPR compliance, cybersecurity preparation as well as responding to large data breach incidents.
  • 56. THE FIRM at a glance
Frost Brown Todd (FBT) is a full-service law firm with offices in Indiana, Kentucky, Ohio, Pennsylvania, Tennessee, Texas, Virginia and West Virginia. With more than 500 lawyers across our eight-state footprint, FBT offers a deep, talented roster of legal professionals. Our services extend beyond our footprint, as we have attorneys licensed to practice law in 25 states and the District of Columbia. Our attorneys serve a diverse client base, from global multinationals to small, entrepreneurial companies. We integrate a powerful network of legal talent and business experience to provide our clients with innovative and comprehensive services.
Offices: INDIANA: Indianapolis. KENTUCKY: Florence, Lexington, Louisville. OHIO: Cincinnati, Columbus, West Chester. PENNSYLVANIA: Pittsburgh. TENNESSEE: Nashville. TEXAS: Dallas. VIRGINIA: Ashland (Richmond Area). WEST VIRGINIA: Charleston.
Focused Legal Services: Our attorneys advise and protect you in business transactions and litigation in industries including automotive, construction, energy, financial services, food and beverage, health care, technology, insurance, manufacturing, real estate and transportation. We deliver sound legal counsel, responsive service, concise communications and efficient representation.
Diversity & Inclusion: Our program is constantly evolving to build a more vibrant and creative law firm for our employees, clients and communities. Our focus on inclusion extends beyond the firm. It includes partnering with our clients on unique programs to help them achieve their diversity and inclusion goals. It includes leading the way on numerous pipeline programs as well as investing in regional and national initiatives in our communities and beyond.
CORE PRACTICES / SERVICE AREAS
Business: Advertising & Media Law; Bankruptcy & Restructuring; Capital Transactions & Governance; Employee Benefits; Entrepreneurial Business Services; Estates, Trusts & Wills; Franchise & Distribution; Health Law; Intellectual Property; International Services; Lending & Commercial Services; Mergers & Acquisitions; Public Finance; Real Estate; Regulated Business; Tax.
Litigation: Appellate; Business Litigation; Construction; Environmental; Government Services; Insurance & Tort Defense; Labor & Employment; Product Liability & Mass Tort.