DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS
1 DEATH, TAXES AND DATA BREACH: THE LEGAL LESSONS
Napa Valley Vintners, August 27, 2015
Chris Passarelli, Senior Counsel, I.P., Dickenson, Peatman & Fogarty
T: LAW.COM

2 AGENDA
Overview
Legal Framework
Notable Cases & Outcomes
Regulatory Liability
Lessons
Conclusion
These materials are made available to you for general informational purposes only. None of the information provided herein should be considered to constitute legal advice.

3 OVERVIEW
Dual Objectives:
1. Educational: Convey an appreciation of the scope of the issue.
2. Practical: Convey useful information, awareness of and access to available resources.

4 RECENT BREACHES
August 19th: Web.com
August 17th: University of VA
August 12th: Nationstar Mortgage LLC
August 7th: Sterling BackCheck, Ubiquiti Networks, Inc., Sabre Corporation
August 6th: WP Technology, Inc. dba Wattpad
August 4th: Mama Mio US
Source: breach

5 OVERVIEW
Data breach lawsuits arise from the loss or disclosure of personal identification information.
Consumer/Industry Class Action Suits
Focus: Increased risk of identity theft following a breach.
Plaintiffs often seek to recover credit monitoring expenses, card cancellation fees, and repayment for unauthorized charges.
Source: 21 Rich. J.L. & Tech. 3

6 OVERVIEW
Theories of Injury:
Increased risk of identity theft after personal information has been compromised in a breach (most common);
Expenses incurred to mitigate risk, e.g., credit monitoring & cancellation of credit cards;
Anxiety and distress upon learning about the loss of personal information (less common); and
Breach of an implied contract to keep information secure.
Source: 21 Rich. J.L. & Tech. 3

7 COST OF BREACH (U.S.)
Year   Avg. Cost Per Breach Event   Avg. Cost Per Record Compromised   % Caused by Malicious Attack
2013   $5.85M                       $201                               44%
2012   $5.4M                        $188                               41%
2011   $5.5M                        $194                               37%
2010   $7.2M                        $214                               31%
2009   $6.8M                        $204                               24%
2008   $6.7M                        $202                               12%
2007   $6.3M                        $197                               Unknown
2006   $4.8M                        $182                               Unknown

8 LEGAL FRAMEWORK
1. Statutes: State and Federal
2. Notable Cases & Outcomes
3. Standards
4. Regulatory Enforcement
9 STATE LEGISLATION CALIFORNIA CIVIL CODE , et seq.
10 STATE LEGISLATION
Personal Information (CA): First name/first initial & last name plus:
SSN; or
DL No./State-issued ID No.; or
Account, credit card or debit card no. plus access code/PIN/password; or
Username or email address plus password or security question and answer.

11 STATE LEGISLATION
Personal Information (CA), cont.
Does not apply to information lawfully made publicly available from federal, state or local government records, or widely distributed media.

12 STATE LEGISLATION
Breach Notification: Cal. Civ. Code
Applies to businesses that own, license or maintain personal information.
Required to disclose any breach of the security of the system following discovery or notification of the breach* in the most expedient time possible and without unreasonable delay.

13 STATE LEGISLATION
AB 1710 Personal Information: Privacy
On Sept. 30, 2014, CA Gov. Brown signed AB 1710, amending CA's existing personal information privacy laws. CIV. CODE now requires that businesses that maintain (not just own or license) personal information about CA residents must:
1. Implement and maintain reasonable security measures to protect residents' personal information; and
2. Offer to provide appropriate identity theft prevention and mitigation services for at least 12 months.

14 STATE LEGISLATION
Breach Notification Requirements
Must be written in plain language and include:
(1) the name and contact information of the person reporting the breach;
(2) the date of the notice;
(3) a list of the types of personal information likely impacted; and
(4) if the breach exposed an SSN, DLN or CA IDN, a toll-free phone no. and addresses for the credit reporting agencies.

15 STATE LEGISLATION
Breach Notification Requirements
The following information must be included if available or if it can be determined prior to notification:
(1) the date range of the breach;
(2) whether notification was delayed as a result of a law enforcement investigation; and
(3) a general description of the breach incident.

16 STATE LEGISLATION
Breach Notification Requirements
For a breach of ONLY a username or email address plus password or security Q&A:
Notification can be electronic.
Must direct the user to change the password or Q&A plus take other appropriate steps to protect the account or other accounts with the same username/password combination.
If an entity maintains but does not own the personal information, it must immediately notify the owner/licensee of the breach.

17 STATE LEGISLATION
Civil Liability
Persons injured by a violation of may recover damages in a civil suit.
Businesses may be enjoined by court order.

18 STATE LEGISLATION
Required Notice to CA Attorney General: Must submit a copy of the notification letter if >500 affected.
Safe Harbors:
1. (CA) Only applies to unencrypted personal info;
2. Exception for disposing of records.

19 STATE LEGISLATION
CA Bus. & Professions Code
BROAD: Prohibits unlawful, unfair or deceptive (fraudulent) trade practices.
Unlawful: allows plaintiffs to borrow violations of other laws and treat them as independently actionable unfair competition.
Plaintiff must personally suffer injury in fact and lose money or property as a result.

20 STATE LEGISLATION
CA Bus. & Professions Code
Economic injury may be shown by:
Paying more or getting less in a transaction than he/she otherwise would;
A present or future property interest diminished;
Being deprived of money or property; or
Being required to enter into an otherwise unnecessary transaction, costing money or property.

21 DO NOT TRACK LEGISLATION
California Online Privacy Protection Act (CalOPPA), CA Bus. & Professions Code
Applies to online operators that collect personal information (i.e., any website or app).
Must explain how they respond to DNT signals in their privacy policy to allow consumers to exercise choice.
Must disclose whether 3rd parties collect personal information on their sites/apps.
Must disclose whether parties may collect info over time and across different websites by using the operator's sites.
Can provide a hyperlink in the operator's privacy policy to an online description of any program the operator follows that offers the consumer that choice.
Enforced by the CA Attorney General: up to $2,500 per violation.

22 FEDERAL LEGISLATION
Gramm-Leach-Bliley Act (GLBA): applies to financial institutions.
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Data Security and Breach Notification Act of 2015 (Blackburn (R-TN) & Welch (D-VT)). Goal: a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.

23 LIABILITY TO WHOM
Consumers
Financial Institutions
Credit Card Issuers
Regulatory Investigation and Enforcement
24 Common Sources of Liability Improperly retained data Failure to secure & segregate (segmentation) Failure to heed warnings Delay in responding to threat*
25 NOTABLE CASES
Issue: Standing to Sue
U.S. Constitution Article III requires:
(1) a concrete injury,
(2) traceable to the challenged conduct (i.e., causation), and
(3) redressable by a favorable judicial decision.

26 SOURCES OF LAW: CASES
Issue: Standing to Sue
Split: Does an increased risk of ID theft give rise to standing?
While initial federal decisions were hostile to the idea that an increased risk of identity theft could constitute injury-in-fact, a shift occurred after the Seventh Circuit endorsed such a theory in Pisciotta v. Old National Bancorp. Despite more success for plaintiffs after Pisciotta, other courts have continued to find that an increased risk of identity theft does not establish injury-in-fact, including the Third Circuit in Reilly v. Ceridian Corp.

27 NOTABLE CASES
Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013)
Issue: Standing and Future Harm
Passage of foreign surveillance law (FISA).
Plaintiffs: Lawyers, journalists, activists.
Second Circuit found an objectively reasonable likelihood of harm via surveillance. Wrong standard.
U.S. Supreme Court found that there was no injury in fact and that plaintiffs had no standing to challenge a foreign surveillance law that may cause them possible future harm.

28 NOTABLE CASES (CA)
In re Adobe Sys. Privacy Litigation, 66 F. Supp. 3d 1197 (CA Northern District)
38 million customers.
Names, login IDs, passwords, credit and debit card numbers, expiration dates, mailing and email addresses, as well as source code for Adobe products.
Theories: Violation of the CA Customer Records Act (CC & ); failure to maintain reasonable security measures and failure to promptly disclose the breach.

29 NOTABLE CASES
In re Adobe Sys. Privacy Litigation, cont.
Plaintiffs alleged:
Increased risk of future harm (fraud);
Cost to mitigate the risk of future harm (credit monitoring);
Loss of value of Adobe products.
Held: Customers have standing to sue based on the actual breach plus the risk of future misuse of data and the costs to mitigate future harm, as well as unfair business practices under CA law.
Confidential settlement agreement filed with the Court under seal on August 13, 2015.

30 CASES
In re: Target Corp. Customer Data Security Breach Litigation (Case No. MD PAM), filed August 1, 2014
Theft of an unprotected vendor's credentials provided access to Target systems.
Plaintiff financial institutions: banks, S&Ls.
110 million customers affected.
Customer names, credit or debit card numbers, expiration dates and CVVs.
Theories: Negligence, negligent omission, Minnesota state data breach law.
Outcome: $67 million settlement reached on August 18, 2015; other plaintiffs still disputing the settlement.

31 Legal Standards
Minnesota's Plastic Card Security Act, Minn. Stat. 325E.64
Imposes liability upon merchants who retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or, in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.
Intended to create an incentive [for retailers] to do the right thing and create consequences to prevent breaches from happening in the first place.

32 BASES FOR LIABILITY
In re: Target Corp. Customer Data Security Breach Litigation, cont.
Failure to adequately secure payment information on its systems. Complaint alleges the breach was easily preventable.
Failure to take adequate, reasonable measures to ensure data systems are protected.
Ignored clear warnings of an intruder breach and failed to take actions to thwart the breach.
Treatment of sensitive personal and financial information entrusted to it by its customers fell woefully short of legal duties and obligations.

33 FAILURES
In re: Target Corp. Customer Data Security Breach Litigation allegations, cont.
Visa warnings allegedly instructed Target to:
review its firewall configuration and ensure only allowed ports, services and IP addresses are communicating with your network;
segregate the payment processing network from other non-payment processing networks;
implement hardware-based point-to-point encryption;
perform periodic scans on systems to identify storage of cardholder data and securely delete the data; and
assign strong passwords to your security solution to prevent application modification.
Target did not implement these measures.
The customer payments and personal data network was not properly segmented from vendor billing, etc.
Target's security software provider spotted the hackers while they were uploading the malware and alerted Target's security team, which could have completely foiled the breach, but Target took no action.

34 NOTABLE CASES
Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS (7th Cir.) (decided July 20, 2015)
350,000 customers affected.
Payment card account information.
Theories of liability: negligence, breach of implied contract, unjust enrichment, unfair & deceptive business practices, invasion of privacy, multiple state data breach laws.
Outcome: Consistent with Adobe, the 7th Cir. allowed the case to move forward on a theory of standing based on imminent future harm, certainly impending. Opening the floodgates.

35 NOTABLE CASES
Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS (N.D. Ill. Sept. 16, 2014)
Alleged Injury:
Lost time and money to resolve fraudulent charges;
Lost time and money to protect against future ID theft;
Financial loss of buying items at NM which plaintiffs would not otherwise have purchased, had they known;
Lost control over the value of personal information.
Holding: injuries associated with resolving fraudulent charges and protecting oneself against future identity theft are sufficient for standing.

36 On the Horizon
Missing Link/eCellar: 70 wineries, 250,000 customers affected. Names, credit and debit card numbers, billing addresses and dates of birth. Social Security numbers, the CVV and PIN numbers were not compromised.
Ashley Madison: 40 million user records exposed. Company's user databases, financial records along with other confidential information. The company has not stated the exact personal information compromised. On August 18, 2015, hackers posted sensitive data online: "A data dump, 9.7 gigabytes in size, appears to include account details and log-ins for some 32 million users; seven years' worth of credit card and other payment transaction details are also part of the dump, going back to
Data includes names, street address, email address and amount paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge."

37 Contractual Liability to Financial Institutions
Card Operating Regulations
Contractual: Enforceable upon the merchant under contract with the acquiring bank.
Prohibit merchants from disclosing cardholder account numbers, personal information, magnetic stripe information, or transaction information to 3rd parties other than the merchant's agent, the acquiring bank, or the acquiring bank's agents.
Required to protect cardholder information from unauthorized disclosure.
Payment Card Industry Data Security Standards ("PCI DSS")
12 information security requirements promulgated by the Payment Card Industry Security Standards Council.
Apply to all organizations and environments where cardholder data is stored, processed, or transmitted.
Require merchants to protect cardholder data, ensure the maintenance of vulnerability management programs, implement strong access control measures, regularly monitor and test networks, and ensure the maintenance of information security policies.
Prohibit merchants from retaining certain customer data.

38 Industry Standards
PCI DSS 2.0 requires merchants to adhere to the following rules:
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

39 Contractual Liability to Financial Institutions
EMV Chip Technology, aka Chip-and-Signature
Global standard for secure credit card payments. Already used in the EU.
Embedded chip protects cardholder info from fraud. Used in place of the magnetic stripe. Creates a unique transaction code with each use.
In October 2015, contractual liability for counterfeit card transactions will move from card issuers to merchants if an EMV card transaction turns out to be fraudulent.
Affects card-present transactions only at this time. E-commerce, online or phone orders are not yet included.
Merchants are not required to switch to EMV yet.
Cost to implement = $ or low monthly rental fee.
Tokenization standard: keep customer data stored in a secured payment vault with your processor, not on your system!

40 Research: Litigation
Empirical Analysis of Data Breach Litigation, Sasha Romanosky, David Hoffman, Alessandro Acquisti*, April 6, 2013
First comprehensive empirical analysis of data breach litigation. Built a database and analyzed court dockets for over 230 federal data breach lawsuits from 2000 to
Two questions:
Q1: Which data breaches are being litigated?
A1: The odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring.
Q2: Which data breach lawsuits are settling?
A2: Defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit.
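The Visa guidance quoted in the Target allegations (periodic scans for stored cardholder data), PCI DSS requirement 3 (protect stored cardholder data) and the Minnesota statute's bar on retaining track data, CVV and PIN data after authorization all reduce to the same control: regularly scan what you store and remove what should not be there. The script below is an added example, not part of the presentation or any card brand's tooling; the regular expressions, field names and sample records are constructed assumptions, and the card numbers are publicly known test PANs.

```python
"""Scan stored records for cardholder data that should not be retained.

Added example, not from the presentation. It performs the kind of periodic scan
called for by the Visa guidance and by PCI DSS "Protect stored cardholder data":
find primary account numbers (PANs) that pass the Luhn check, and flag full
magnetic-stripe track data and CVV/PIN fields, which the Minnesota Plastic Card
Security Act bars from post-authorization retention. Patterns, field names and
sample records are constructed assumptions.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so 20-digit transaction IDs are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 starts %B<PAN>^<NAME>^<YYMM...>; track 2 starts ;<PAN>=<YYMM...>.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Field names (assumed naming) that indicate sensitive authentication data.
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin(?:_block)?)\s*[=:]\s*\d{3,16}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return distinct Luhn-valid PANs found in text, digits only, in order."""
    seen = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in seen:
            seen.append(digits)
    return seen


def mask_pan(pan: str) -> str:
    """Mask for reporting: PCI DSS allows at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> list:
    """Classify one stored record. Returns (finding, detail) tuples."""
    findings = []
    if TRACK1_RE.search(record) or TRACK2_RE.search(record):
        findings.append(("TRACK_DATA", "full magnetic-stripe track data retained"))
    for m in SAD_FIELD_RE.finditer(record):
        findings.append(("SENSITIVE_AUTH_DATA", m.group(1).lower()))
    for pan in find_pans(record):
        findings.append(("PAN", mask_pan(pan)))
    return findings


def scan_records(records) -> dict:
    """Map record index -> findings, omitting records with nothing to report."""
    return {i: f for i, r in enumerate(records) if (f := scan_record(r))}


# Constructed sample records; the card numbers are publicly known test PANs.
SAMPLE_RECORDS = [
    "order=10021 name=J. Doe pan=4111 1111 1111 1111 auth=OK",   # retained PAN
    "swipe=%B5555555555554444^DOE/JANE^25121011000000000000?"     # track 1 + 2
    ";5555555555554444=25121011000000000000?",
    "order=10022 cvv=123 exp=1225 pan=378282246310005",           # CVV stored
    "order=10023 customer_id=1234567890123456 amount=42.00",     # not a card
]

if __name__ == "__main__":
    for idx, findings in scan_records(SAMPLE_RECORDS).items():
        for kind, detail in findings:
            print(f"record {idx}: {kind} {detail}")
```

Run against an export of order tables, log directories or backup files; every PAN or TRACK_DATA hit is a record that either needs tokenizing (the slide's "secured payment vault" point) or secure deletion.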
42 Regulatory Enforcement
Who: FBI; Secret Service; Federal Trade Commission (FTC); CA Office of Privacy Protection; CA Attorney General.
What: Potential fines and penalties.
Imperative to engage counsel in responding to a communication from regulatory authorities!

43 The Consumer
Recent Pew Research Center survey: 91% of adults in the survey agree or strongly agree that consumers have lost control over how personal information is collected and used by companies.
44 Response Plan Jayme Soulati Soulati Media, Inc.
45 The Consumer
Best Practice = Standard Practice
What is reasonable? A constantly evolving, moving target.

46 Countermeasures
Before breach:
Develop a written response plan
Form a response team
Review insurance coverage
Set internal/external communication strategies

47 Countermeasures
During/After breach:
Investigate incidents without delay
Consult with counsel to coordinate: law enforcement, forensic consultant, PR firm
Assess response
48 THANK YOU! QUESTIONS? CHRISTOPHER J. PASSARELLI SR. INTELLECTUAL PROPERTY ATTORNEY DICKENSON, PEATMAN & FOGARTY 1455 FIRST STREET, STE. 301 NAPA, CA TELEPHONE: LAW.COM LAW.COM
More informationPersonal Information Protection Act Breach Reporting Guide
Personal Information Protection Act Breach Reporting Guide If an organization determines that a real risk of significant harm exists to an individual as a result of a breach of personal information, section
More informationMERCHANT MEMBER PACKAGE AGREEMENT & APPLICATION
MERCHANT MEMBER PACKAGE AGREEMENT & APPLICATION Vantage Card Services, Inc. 2230 Towne Lake Parkway Building 400, Suite 110 Woodstock, GA 30189 (800) 397-2380 (770) 928-5688 Fax (770) 928-9328 www.vantagecard.com
More informationREF STANDARD PROVISIONS
This Data Protection Addendum ( Addendum ) is an add- on to the Purchasing Terms and Conditions. It is applicable only in those situations where the Selected Firm/Vendor provides goods or services under
More informationAmerican Express Data Security Operating Policy Thailand
American Express Data Security Operating Policy Thailand As a leader in consumer protection, American Express has a long-standing commitment to protect Cardmember Information, ensuring that it is kept
More informationHIPAA Compliance Guide
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your
More informationPayment Card Industry Data Security Standards (PCI DSS) Initial Training
Payment Card Industry Data Security Standards (PCI DSS) Initial Training PCI DSS Training Content What topics will this training cover? What is PCI DSS? Objectives of PCI DSS Common Terminology Background
More informationCybersecurity Curveballs in Vendor Risk Management Programs
Cybersecurity Curveballs in Vendor Programs 2016 SoCal Cybersecurity, & Data Protection Retreat November 7, 2016 2016 Reed Smith LLP. All rights reserved. The contents of this presentation are for informational
More informationPayment Card Industry Training 2014
Payment Card Industry Training 2014 Phone Line Terminal & Hosted Order Page/Secure Acceptance Redirect Merchants Contact * Carole Fallon * 614-292-7792 * fallon.82@osu.edu Updated May 2014 AGENDA A. Payment
More informationElectronic Payments: The Winds of Change, A Call to Action. Will 2011 Be An Eventful Year in the History of Payment Card Security?
Electronic Payments: The Winds of Change, A Call to Action Will 2011 Be An Eventful Year in the History of Payment Card Security? 1 Presenter W. Stephen Cannon, Chairman, Constantine Cannon LLP Former
More informationCredit Card Data Breaches: Protecting Your Company from the Hidden Surprises
Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises By David Zetoony Partner, Bryan Cave LLP Courtney Stout Counsel, Davis Wright Tremaine LLP With Contributions By Suzanne Gladle,
More informationCASE 0:14-md PAM Document Filed 07/10/15 Page 1 of 14 EXHIBIT 1
CASE 0:14-md-02522-PAM Document 483-1 Filed 07/10/15 Page 1 of 14 EXHIBIT 1 CASE 0:14-md-02522-PAM Document 483-1 Filed 07/10/15 Page 2 of 14 EXHIBIT 1 SUMMARY OF DATA BREACH SETTLEMENTS Monetary Value
More informationMarch 1. HIPAA Privacy Policy
March 1 HIPAA Privacy Policy 2016 1 PRIVACY POLICY STATEMENT Purpose: The following privacy policy is adopted by the Florida College System Risk Management Consortium (FCSRMC) Health Program and its member
More informationEquifax Data Breach: Your Vital Next Steps
Equifax Data Breach: Your Vital Next Steps David A. Reed Partner, Ann Davidson Vice President Risk Consulting/ Bond Division Allied Solutions, LLC Do You Remember When this Was the Biggest Threat to Data
More informationCompliance With the Red Flags Rules
For Audio Participation, Please Call 1.866.281.4322, *1382742* Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321
More informationJOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT
JOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( HIPAA BAA ) is made between JotForm, Inc., ( JotForm ) and {YourCompanyName} ( Covered Entity or Customer ) as an agreement
More informationAppLovin Data Processing Agreement
AppLovin Data Processing Agreement This AppLovin Data Processing Agreement ( DPA ) is incorporated into and is subject to the AppLovin Terms of Use Agreement available at https://www.applovin.com/terms
More informationAGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION
AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION THIS AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION ( PHI ) ( Agreement ) is entered into between The Moses H. Cone Memorial Hospital Operating
More informationSureRent 2020 Private Landlord Tenant Screening Application Package
Page 1 of 9 SureRent 2020 Private Landlord Tenant Screening Application Package Welcome to Alliance 2020. Your membership packet includes several forms that you must complete before service can be started,
More informationCOLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6
1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit
More informationInformation Security and Third-Party Service Provider Agreements
The Iowa State Bar Association s ecommerce & Intellectual Property Law Sections presents 2016 Intellectual Property Law & ecommerce Seminar Information Security and Third-Party Service Provider Agreements
More informationMedical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches. April 3, 2009
Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches April 3, 2009 Jon A. Neiditz Cynthia B. Hutto Ross E. Sallade Eli A. Poliakoff Nelson Mullins Healthcare Information
More informationFive Key Steps to Developing an nformation Security Program
Five Key Steps to Developing an nformation Security Program Driving Business Advantage Five Key Steps to Developing an Information Security Program by Gabriel M. Helmer Foley Hoag ebook Contents Introduction...
More informationPayment Card Acceptance Administrative Policy
Administrative Procedure Approved By: Brandon Gilliland, AVP for Finance and Controller Effective Date: January 15, 2016 History: Approval Date: September 25, 2014 Revisions: December 15, 2015 Type: Administrative
More informationEvaluating Your Company s Data Protection & Recovery Plan
Evaluating Your Company s Data Protection & Recovery Plan CBIA Cybersecurity Webinar Series 11AM 12PM Part V. Presented by: Stewart Tosh Charles Bellingrath Date: December 7, 2017 Today s presenters Stewart
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationSouth Carolina General Assembly 122nd Session,
South Carolina General Assembly 122nd Session, 2017-2018 R184, H4655 STATUS INFORMATION General Bill Sponsors: Reps. Sandifer and Spires Document Path: l:\council\bills\nbd\11202cz18.docx Companion/Similar
More informationCal. Civ. Code : Customer Records
Cal. Civ. Code 1798.80-84: Customer Records Section: 1798.80: Definitions 1798.81: Reasonable Steps for Disposal of Customer Records 1798.81.5: Security Procedures and Practices with Respect to Personal
More informationCyber & Privacy Liability and Technology E&0
Cyber & Privacy Liability and Technology E&0 Risks and Coverage Geoff Kinsella Partner http://map.norsecorp.com http://www.youtube.com/watch?v=f7pyhn9ic9i Presentation Overview 1. The Cyber Evolution 2.
More informationSubject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards
University Policy: Cardholder Data Security Policy Category: Financial Services Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards Office Responsible
More informationPAYMENT CARD INDUSTRY
DATA SECURITY POLICY Page 1 of 1 I. PURPOSE To provide guidelines and procedures to ensure that all money paid to the College in the form of cash, checks or payment cards is properly receipted, accounted
More information3/11/2013. Federal Trade Commission Section 5(a) of the Federal Trade Commission Act
Paul Huck, Partner, Hunton & Williams LLP Robert Clements, Senior Assistant Attorney General Office of Attorney General, State of Florida The Society of Corporate Compliance and Ethics 2013 South Atlantic
More informationThe Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage
The Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage James P. Bobotek james.bobotek@pillsburylaw.com (202) 663-8930 Pillsbury Winthrop Shaw Pittman LLP DOCUMENT
More informationCREDIT CARD PROCESSING AND SECURITY
CREDIT CARD PROCESSING AND SECURITY POLICY NUMBER: RESERVED FOR FUTURE USE RESPONSIBLE OFFICIAL TITLE: SENIOR VICE PRESIDENT FOR ADMINISTRATION AND FINANCE RESPONSIBLE OFFICE: ADMINISTRATION AND FINANCE
More informationHIPAA / HITECH. Ed Massey Affiliated Marketing Group
HIPAA / HITECH Agent Understanding And Compliance Presented By: Ed Massey Affiliated Marketing Group It s The Law On February 17, 2010 the Health Information Technology for Economic and Clinical Health
More information503 SURVIVING A HIPAA BREACH INVESTIGATION
503 SURVIVING A HIPAA BREACH INVESTIGATION Presented by Nicole Hughes Waid, Esq. Mark J. Swearingen, Esq. Celeste H. Davis, Esq. Regional Manager 1 Surviving a HIPAA Breach Investigation: Enforcement Presented
More informationPCI FAQ Q: What is PCI? ALL process, store transmit Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)?
PCI FAQ Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information
More informationCYBER LIABILITY REINSURANCE SOLUTIONS
CYBER LIABILITY REINSURANCE SOLUTIONS CYBER STRONG. CYBER STRONG. State-of-the-Art Protection for Growing Cyber Risks Businesses of all sizes and in every industry are experiencing an increase in cyber
More informationResponding to Privacy Breaches
Key Steps in Responding to Privacy Breaches The purpose of this document is to provide guidance to private sector organizations, health custodians and public sector bodies on how to manage a privacy breach.
More informationSUMMARY: The Federal Trade Commission ( FTC or Commission ) requests public
[Billing Code: 6750-01S] FEDERAL TRADE COMMISSION 16 CFR Part 314 RIN 3084-AB35 Standards for Safeguarding Customer Information AGENCY: Federal Trade Commission. ACTION: Request for public comment. SUMMARY:
More informationLargest Risk for Public Pension Plans (Other Than Funding) Cybersecurity
Largest Risk for Public Pension Plans (Other Than Funding) Cybersecurity 2017 Public Safety Employees Pension & Benefits Conference Ronald A. King (517) 318-3015 rking@ I am convinced that there are only
More informationThe Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure
The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )
More informationMNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota
MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota 1. MNsure Duties A. Application Counselor Duties (a) (b) (c) (d) (e) (f) Develop and administer
More informationRECITALS. WHEREAS, this Amendment incorporates the various amendments, technical and conforming changes to HIPAA implemented by the Final Rule; and
Amendment to Business Associate Agreements and All Other Contracts Containing Embedded Business Associate Provisions as stated in a Health Insurance Portability and Accountability Act Section between Independent
More informationPreparing for a HIPAA Audit & Hot Topics in Health Care Reform
Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,
More informationAnatomy of a Data Breach
Anatomy of a Data Breach May 17, 2017 Lucie F. Huger Officer, Greensfelder, Hemker & Gale, P.C. Mary Ann Wymore Officer, Greensfelder, Hemker & Gale, P.C. Information is the New Oil! Companies are collecting
More informationSubject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards
University Policy: Cardholder Data Security Policy Category: Financial Services Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards Office Responsible
More information