Data breaches at home and abroad
1. Data Breaches at Home and Abroad:
This Can Mean You Too!
Lessons Learned from the Past, and What’s Coming
Up in the Future for US and Multi-National Entities
Mark E. Schreiber, Chair, Privacy and Data Protection Group
Theodore P. Augustinos, Co-Chair
Laurie A. Kamaiko, Co-Chair
David S. Szabo
Socheth Sor
2. Agenda
Current Breach Landscape
Breach Response Tips
Massachusetts Data Security Requirements: Update
Credit Card Issues
HIPAA and HITECH Developments
Data Breach Litigation
Cyber Risk Insurance
Foreign and International Data Breach Considerations
3. Current Breach Landscape
Company records containing personal information of
individuals
increasingly exposed to malevolent or inadvertent
disclosures
costs going up drastically
96% of breaches avoidable through simple or intermediate security
controls
88% of U.S. companies said to have experienced data
breach in 2010
some multiple times
About 40% of executives in one recent Deloitte survey said
they expected their company to have an electronic security
breach in next 12 months
Roughly ½ said they were not adequately prepared for it
4. Cost of Breaches Increasing
2011 had a troubled beginning
9.5M records exposed (excluding the 100M-plus in the Sony breaches)
Sony
Google
Epsilon
Citibank
Anonymous/LulzSec
Massachusetts Executive Office of Labor and Workforce
Development and other government agencies
Multiple Hospitals and other Healthcare providers
Average total cost per US company: $7.2 M (2010) up from $6.75 M
(2009)
$3.4 M in Germany, $2.5 M in UK and France (2009)
329 organizations reported 86,455 laptops lost (2010)
Avg. cost of $6.4 million per company
222 million records reportedly compromised in US in 2009 (likely an
undercount)
10 million patient records in 272 events (OCR report)
$6B cost annually
Sources: Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach; 2009 Annual Study: Global Cost of a Data Breach.
Verizon, 2011 Data Breach Investigations Report (April 2011).
5. Responsibility for Breaches
According to the Ponemon studies:
Third-party outsourcers – 39% of breaches (slight decline from
2009), but per-breach cost up 39%.
Lost/stolen laptops and other mobile devices – 35% (36% in
2009), but cost up 15%.
Systems failure – 27%, a 9-point decline as companies work
harder on prevention and more technologies become available.
Negligence – 41% (up 1 point); cost up 27%.
Malicious/criminal attacks – 31% (up 7 points, the largest increase).
2010 was the first year in which malicious attacks were not the least
frequent cause. They are the most expensive cause, and are increasingly
stealthy and successful, requiring more resources to address.
6. Breach Response Tips
Assemble the team
Decision-maker level of management
IT
Data Forensics
Legal Counsel
Breach Response Services
Call center
Processing
Mailing
Customer, Public, Media and Governmental Relations
Containment
Find and stop the cause of the breach.
First priority is to stop the loss of data, preferably by
taking steps that also preserve the information needed for
the investigation (e.g., isolate affected systems from the network
rather than wiping or rebuilding them, and capture logs and volatile
data before they are lost)
7. Breach Response Tips (cont.)
Investigation
What happened?
What information was affected?
Where do affected individuals reside?
Analysis – Review results of the investigation under
applicable requirements, and contractual requirements,
including PCI-DSS.
Remediation
Choice of products and services to be offered to affected
individuals, if any
Credit Monitoring
Credit Restoration Services
Credit Insurance
Other
8. Breach Response Tips (cont.)
Communication
Affected Individuals
State Agencies
FTC, HHS, as appropriate.
Card Brands, Merchant Bankers and Card
Processors
Employees
Other Constituents
Reaction to Inquiries
Affected Individuals and other consumers or clients
Media
Governmental Agencies
9. Breach Response Tips (cont.)
Experience at all levels is critical (even the call center)
Benefits of a third-party forensics team
Credible third party assessment
Reliable Chain of Custody
Backups of all pertinent system logs
Attorney-client privilege
Review availability of insurance coverage and effect any
required notification to carriers.
Conduct the Investigation
Legal, Analysis and Decision-Making
Draft and Effect Required Notices
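Preserving pertinent logs in a way that holds up later means recording what was collected, by whom and when, together with a digest of each item, so that any later copy of the evidence set can be checked against the original collection. The block below is an added example, not code from the deck or its presenters: it builds a SHA-256 manifest over constructed copies of two log files and then verifies a later copy of the evidence set against that manifest. The paths, log lines and collector name are made up for illustration.

```python
"""Evidence manifest for preserved logs (added example; all sample data is constructed)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Constructed copies of logs pulled from two hosts at the time of containment.
# Paths and contents are illustrative only.
COLLECTED: dict[str, bytes] = {
    "web01/var/log/nginx/access.log":
        b'10.0.0.7 - - [01/Jun/2011:09:14:02 +0000] "GET /admin HTTP/1.1" 401 12\n',
    "db01/var/log/auth.log":
        b"Jun  1 09:15:44 db01 sshd[2231]: Failed password for root from 10.0.0.7 port 51022\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the manifest digest is reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items: dict[str, bytes], collector: str,
                   collected_at: datetime | None = None) -> dict:
    """Record each preserved item's path, size and SHA-256, plus who collected it and when.

    The manifest body is itself hashed so that later edits to the manifest
    (a changed collector, a dropped entry) are detectable.
    """
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    entries = [
        {"path": path, "size": len(data), "sha256": sha256_hex(data)}
        for path, data in sorted(items.items())
    ]
    body = {"collector": collector, "collected_at": ts, "items": entries}
    body["manifest_sha256"] = sha256_hex(_canonical(body))
    return body


def verify(manifest: dict, items: dict[str, bytes]) -> list[str]:
    """Compare a copy of the evidence set against the manifest.

    Returns a list of problems; an empty list means every recorded item is
    present and unchanged, nothing extra was added, and the manifest itself
    is intact.
    """
    problems: list[str] = []
    recorded = {e["path"]: e for e in manifest["items"]}
    for path in sorted(recorded.keys() - items.keys()):
        problems.append(f"missing: {path}")
    for path in sorted(items.keys() - recorded.keys()):
        problems.append(f"unlisted: {path}")
    for path in sorted(recorded.keys() & items.keys()):
        if sha256_hex(items[path]) != recorded[path]["sha256"]:
            problems.append(f"modified: {path}")
    expected = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(expected)) != manifest.get("manifest_sha256"):
        problems.append("manifest altered")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(COLLECTED, collector="J. Doe (third-party forensics)")
    print(json.dumps(manifest, indent=2))
    print("intact" if not verify(manifest, COLLECTED) else "PROBLEMS")
```

In practice the manifest would be signed or stored out of band (and a copy given to counsel) so that the digests themselves cannot be quietly regenerated; this block only shows the integrity check that such a record makes possible.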
10. Breach Response Tips (cont.)
Top Five Ways to Avoid a Breach
Assemble the Team and Assess the Data
Develop Policies and Procedures
Control Hardware and Software
Mitigate Risk
Train, Test, Update and Monitor. Repeat
11. Breach Response Tips (cont.)
Top Five Ways to Respond to a Breach
Assemble the Response Team
Do the Forensics and Assess the Data
Develop and Effectuate Remediation
Draft and Effect Notices
Review Preventative Measures
12. Massachusetts Data Security
Requirements: Update
State of the Art in Policies and Procedures
Massachusetts requirements for comprehensive written
information security programs are both more broad and
more specific than those of other states
More Broad – Extend to areas not covered by others
Written Policy Requirements
Technology and other security requirements
Vendor Contracts
More Specific – Impose specific requirements for
security
Encryption
Specific requirements for vendor selection,
contracting and management
Different – Unique breach notice requirements and
limitations
13. Massachusetts Data Security Requirements:
Update (cont.)
State of the Art in Enforcement?
Briar Group, LLC
Chain of restaurants and bars allegedly suffered
malware intrusion
Allegedly continued to accept credit cards after
knowledge of attack and prior to effective remediation,
without notifying patrons of risk
Consent order entered by Mass AG included
significant fine
Breach pre-dated MA Data Security Regulation
Enforcement pursued under general consumer
protection statute
Enforcement posture based in part on apparent
position that failure to comply with PCI-DSS =
violations of consumer protection statute
Effectively adopts PCI-DSS as legal standard of
conduct in the Commonwealth?
14. Credit Card Issues
PCI-DSS
Industry Standard imposed by merchant banking
contracts
Incorporated into Nevada law by statute
Imposed by Massachusetts enforcement posture?
Credit Card Breaches
Brand, Merchant Bank and Processor Notifications
Involvement of a QIRA (Qualified Incident Response Assessor) and a QSA (Qualified Security Assessor)
Self-Assessment Questionnaire and Certification
15. HIPAA Enforcement
Cignet Healthcare -- $4.3 million penalty
Partners Health Care System -- $1 million settlement
Interesting Questions
What is an “ongoing violation?”
How should penalties be calculated?
Does the statute authorize daily penalties?
16. Resolution Agreements
Five agreements on OCR website
Settlements range from $35,000 to $2.25 million
Four are fundamentally based on security failures (lost
or stolen information, improper disposal of information).
One is predominantly a privacy case (unauthorized use
of PHI for marketing).
All have a corrective action plan (CAP); four CAPs run for
three years and one for two years.
17. HITECH Rulemaking
Accounting for Disclosures—proposed rule issued May
31, 2011. Includes two rights: right to an accounting of
disclosures, and right to receive an electronic medical
records access report
Period for accounting reduced to three years from
six years.
Disclosures to be accounted for to be explicitly listed
in the final rule. Comment is requested on specific
items to be added or excluded from the list.
18. HITECH Rulemaking (cont.)
Access Reports
OCR proposes a report of every time a person
accesses electronic data in a designated record set,
whether a disclosure is made or not.
OCR takes the position that access logs already are
required by the Security Rule—such that the
regulation only requires access to a document that
should be readily available.
Individuals can request reports reflecting access on
specific dates or by specific individuals.
Reports must be aggregated if data resides on more
than one information system (EMR, billing, etc).
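The proposed access report asks a covered entity to answer, for one individual, "who looked at my records, when, and in which system", drawing on access logs the Security Rule already requires and merging them when the designated record set is spread over several systems. The block below is an added example, not code from the deck or from OCR's rulemaking: it normalizes constructed access-log lines from two systems with different formats (a JSON-lines EMR log and a CSV billing export), merges them, and filters by patient, by date range and by user, the three selections the proposal describes. Field names, identifiers and log contents are made up for illustration.

```python
"""Aggregated access report across two record systems (added example; sample logs are constructed)."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    system: str      # which information system produced the record
    user: str        # workforce member who accessed the record
    patient_id: str  # the individual whose record was accessed
    action: str


# Constructed sample: the EMR writes one JSON object per access (field names are illustrative).
EMR_LOG = """\
{"ts": "2011-06-01T09:14:02", "user": "jdoe", "mrn": "P-1001", "action": "view_chart"}
{"ts": "2011-06-01T09:20:45", "user": "asmith", "mrn": "P-2002", "action": "view_labs"}
{"ts": "2011-06-03T16:02:11", "user": "jdoe", "mrn": "P-1001", "action": "print_summary"}
"""

# Constructed sample: the billing system exports CSV with its own column names.
BILLING_LOG = """\
timestamp,operator,account,event
2011-06-02 11:05:30,bkim,P-1001,view_statement
2011-06-02 11:07:12,bkim,P-3003,view_statement
2011-06-04 08:30:00,jdoe,P-1001,export_claims
"""


def parse_emr(text: str) -> list[AccessEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(AccessEvent(datetime.fromisoformat(rec["ts"]), "emr",
                                  rec["user"], rec["mrn"], rec["action"]))
    return events


def parse_billing(text: str) -> list[AccessEvent]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AccessEvent(datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
                                  "billing", row["operator"], row["account"], row["event"]))
    return events


def _as_date(value: date | str | None) -> date | None:
    # Accept ISO strings as well as date objects for convenience.
    return date.fromisoformat(value) if isinstance(value, str) else value


def access_report(events: list[AccessEvent], patient_id: str,
                  start: date | str | None = None, end: date | str | None = None,
                  user: str | None = None) -> list[AccessEvent]:
    """Select one individual's access events, optionally limited to a date range
    (inclusive) or to a single user, merged across systems in time order."""
    start_d, end_d = _as_date(start), _as_date(end)
    selected = []
    for ev in events:
        if ev.patient_id != patient_id:
            continue
        if start_d is not None and ev.when.date() < start_d:
            continue
        if end_d is not None and ev.when.date() > end_d:
            continue
        if user is not None and ev.user != user:
            continue
        selected.append(ev)
    return sorted(selected, key=lambda e: e.when)


def all_events() -> list[AccessEvent]:
    return parse_emr(EMR_LOG) + parse_billing(BILLING_LOG)


def render(report: list[AccessEvent]) -> str:
    return "\n".join(f"{ev.when:%Y-%m-%d %H:%M:%S}  {ev.system:<8}{ev.user:<10}{ev.action}"
                     for ev in report)


if __name__ == "__main__":
    print(render(access_report(all_events(), "P-1001")))
```

The point of the normalizing step is that each system keeps its own identifiers and formats; the report can only be aggregated if the patient identifier is reconciled across systems (here assumed to be the same value in both logs, which real environments rarely guarantee).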
19. HITECH Rulemaking (cont.)
Still pending: Final rule for a large number of other
HITECH mandated changes, including:
Marketing Authorizations
Business Associate Agreements
Transition Provisions
Sale of PHI
Research Authorizations
Decedents
Immunizations
Minimum Necessary
Fundraising
Notice Requirements
Access Rights for Individuals
20. Data Breach Litigation
Article III Standing Required
Data breach class actions
Tend to be in federal court due to Class Action
Fairness Act. 28 U.S.C. § 1332(d)
If in state court, may be removable
Federal lawsuits must satisfy Article III standing
requirement
Requires a “case or controversy” requiring an
injury in fact that is actual or imminent, not
conjectural or hypothetical.
21. Data Breach Litigation
Article III Standing Required (cont.)
Several lower federal courts have found that an increased risk
of identity theft resulting from a data breach is not an injury
in fact
Two federal appellate courts have found that an increased risk
of identity theft does satisfy the injury-in-fact requirement
The Sixth Circuit suggested that an increased risk of identity
theft is too conjectural to be an injury in fact
22. Data Breach Litigation
Cognizable Injury Also Required
If standing requirements satisfied
Plaintiffs still need to allege injury for which state law
provides remedy
Injuries not cognizable (generally) under state common law:
Increased risk of identity theft
Time and effort spent closing accounts/protecting credit
ratings
Court finds cognizable injury in statutory claim
Doe 1 v. AOL LLC, 719 F.Supp.2d 1102 (N.D. Cal. 2010)
Claim under California Consumers Legal Remedies Act
Statute says consumer suffering “any damage” may
bring a claim
Defendant exposed “highly sensitive” personal information
of plaintiffs
Sufficient allegation of injury under statute
Moral: state law on injury may determine outcome of motion
to dismiss
23. Data Breach Litigation
Class Certification
Plaintiffs’ attorneys need financial incentive of class
action in order to pursue data breach action
Individual losses will generally be too small
Court may not certify class
May not be worth proceeding without class
24. Cyber Risk Insurance
Specialty cyber risk/data protection/tech policies
Personal information breaches
Network security
Cyber extortion
Business Disruption
Often can be sub-limits and other limitations on
coverage
Terms/Scope of coverage vary
25. Other Insurance
Claims often made under more traditional lines
(although frequently exclusions/coverage defenses apply)
Property
Crime/Fidelity
K&R (kidnap and ransom)
CGL (commercial general liability)
Coverage A – property damage / bodily injury (emotional distress)
Coverage B – injury arising out of publication that
violated the data owner's privacy
Professional liability
Lawyers, real estate agents, A&E (architects and engineers), etc.
D&O (directors and officers)
Approval/Lack of security plans
How a breach is handled
What is said about the cause and remediation
26. Other Insurance Issues
Aggregation of risk on policies issued
The cyber hurricane
(simultaneous attack on multiple targets)
Multiple insureds impacted
Multiple lines have claims made under them
Regulatory scrutiny
Includes data security
Insurance departments such as Connecticut's require notice within 5
days of a breach at an insurer
Increasing accumulation of protected information
increases the risk of breaches at insurers
Medical records and PI of claimants/insureds/beneficiaries
Medicare secondary payer reporting requirements
27. Foreign and International Breach
Considerations
Global Transactions, Operations, Data Processing and
Storage
U.S.-style breach notice requirements are being adopted
in the EU and elsewhere
EU Data Protection Directive may change by year end
Article 29 Working Party, April 2011, recommends breach notification
Definition of Personal Information is broader than U.S.
definitions
India
New Data Security Rules issued under Information
Technology Act of 2000 effective April 11, 2011
Requires “reasonable security practices” to protect
“sensitive personal data” and
Imposes restrictions and requirements for
Collection of data
Disclosure of data
Transfer of data
Security practices and procedures
28. Foreign and International Breach
Considerations (cont.)
Notification Considerations
Does the Company have operations there?
Is the Company a data controller or processor in the
country?
Does DPA have jurisdiction?
Would it help mitigate reputational risk to notify affected
individuals?
Would the Company’s posture in enforcement be
improved by notifying government agencies?
Method of Notifying Individuals: Mail or Email:
Translated or English?
Remediation Issues
Limited credit monitoring
Call center operations: Toll free? Foreign language
capabilities?
29. Thank you
Mark E. Schreiber, Partner Theodore P. Augustinos, Partner Laurie A. Kamaiko, Partner
mschreiber@eapdlaw.com taugustinos@eapdlaw.com lkamaiko@eapdlaw.com
617.239.0585 860.541.7710 212.912.2768
David S. Szabo, Partner Socheth Sor, Associate
dszabo@eapdlaw.com ssor@eapdlaw.com
617.239.0414 860.541.7773