Data Breach and Cyber Risk Update November 17, 2011

Size: px

Start display at page:

Download "Data Breach and Cyber Risk Update November 17, 2011"

Melina Curtis
6 years ago
Views:

1 Data Breach and Cyber Risk Update November 17, 2011 Mark E. Schreiber Chair, Privacy & Data Protection Group Edwards Wildman Palmer LLP 111 Huntington Avenue Boston, MA Tel: Theodore P. Augustinos Co-Chair, Privacy & Data Protection Group Edwards Wildman Palmer LLP 20 Church Street Hartford, CT Tel: Thomas J. Smedinghoff Privacy & Data Protection Group Edwards Wildman Palmer LLP 225 West Wacker Drive, Suite 3000 Chicago, IL Tel: Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP Doc No

2 Agenda I. SEC Data Breach and Security Risk Disclosure Guidance II. Data Breach Legislation and Management III. Data Breach Litigation and Class Actions 2

3 I. SEC Data Breach and Security Risk Disclosure Guidance What Are We Talking About? SEC CF Disclosure Guidance: Topic No. 2 October 13, 2011 Division of Corporation Finance s views regarding disclosure obligations relating to Cybersecurity risks Cyber incidents Applies to public companies Not a rule, regulation, or statement of the SEC, but... 3

4 Consider Two Perspectives How does this SEC Guidance fit into the cybersecurity legal landscape? What does this guidance require public companies to do? 4

5 Impact of Cybersecurity Incidents Impact on stakeholders Employees/customers/prospects re breach of personal data Investors re breach of any corporate data e.g., BofA WikiLeaks incident Unrelated third parties re breach of personal data e.g., merchants, banks, credit card issuers Impact on company -- Costs noted in the SEC Guidance include Remediation costs (incld. Liability for stolen assets) Increased security costs Lost revenues Litigation Reputational damages 5

6 The Legal Response to Cybersecurity Risk Laws and regulations to protect stakeholders by Imposing a legal duty to implement data security State data security laws all sectors Federal data security laws financial and healthcare sectors Imposing a legal duty to warn affected stakeholders Of security breaches State breach notification laws Federal breach notification regulations financial and healthcare sectors, SEC Guidance Of security risks SEC Guidance re disclose security risks Proposed legislation 6

7 The SEC Guidance and Existing SEC Policy SEC regulations have long required that public companies report material events to their shareholders Material events are developments or events which a reasonable investor would consider important to an investment decision The new Guidance seeks to clarify this reporting requirement with respect to cybersecurity Two aspects Disclosure of cybersecurity risks Disclosure of specific cybersecurity incidents 7

8 Determining Whether to Disclose Cybersecurity Risks and Cyber Incidents Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky This requires a risk assessment We expect registrants to evaluate their cybersecurity risks 8

9 Conducting a Risk Assessment Requires a Company to -- Identify all reasonably foreseeable internal and external threats Identify its vulnerabilities Assess likelihood that each threat with the ability to exploit vulnerabilities will actually do so Assess impact of such an event i.e., evaluate the potential damage that will result Consider the adequacy of existing security measures Risk-based cybersecurity is also the Law FTC, GLB, HIPAA, MA regs, OR statute, NJ draft regs, etc. Deploying seemingly strong security isn t enough Security must respond to the risks 9

10 Nature of the Disclosure (1) The cybersecurity risk disclosure -- Must adequately describe the nature of the material risks and specify how each risk affects the registrant. Must be tailored to their particular circumstances. Companies should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure 10

11 Nature of the Disclosure (2) Appropriate disclosures may include: Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks; Description of known or threatened cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences; Risks related to cyber incidents that may remain undetected for an extended period; and Description of relevant insurance coverage. 11

12 Points of Note Disclosures are not limited to PII risks or incidents All corporate data is covered The federal securities laws do not require disclosure that itself would compromise a registrant s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence Failure to address disclosed risks might be a violation of applicable state or federal data security law Decisions not to disclose should be documented and justified on the basis of the risk assessment 12

13 Where Disclosures May Be Required Management s Discussion and Analysis of Financial Condition and Results of Operations if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition Description of Business If one or more cyber incidents materially affect a registrant s products, services, relationships with customers or suppliers, or competitive conditions Legal Proceedings disclosure If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident Financial Statement disclosures Cybersecurity risks and cyber incidents may have a broad impact on a registrant s financial statements, depending on the nature and severity of the potential or actual incident 13

14 Going Forward, Public Companies Should... Conduct regular and rigorous cybersecurity risk assessments Address the risks that are identified by Developing and implementing a responsive comprehensive data security program Making appropriate disclosures to SEC of material risks Developing an appropriate incident response plan Document and justify any decisions not to disclose risks where appropriate Work with both data security counsel and securities counsel to coordinate foregoing and make decisions regarding SEC disclosure filings 14

15 II. Data Breach Legislation and Management Legislative and Regulatory Developments US Federal data breach bills including White House proposal. Would purportedly standardize breach notification in the U.S. Override the current patchwork of notification requirements Apply to electronic data. Not paper. Define sensitive personally identifiable information differently. Most include but extend beyond most state law definitions. Some require security policies to protect PII. Some would preempt state notice requirements, except State specific contact information Agency notification Some include private rights of action; others do not. 15

16 Legislative and Regulatory Developments (cont.) States 4 remaining states without breach notification requirements, after MS adopted legislation in No action on the horizon among the 4. Only 6 states include data in paper form, and those may not apply depending on numbers affected and other factors. 16

17 Legislative and Regulatory Developments (cont.) Abroad EU requirements are coming. Breach Notification Consultation closed September EU Data Protection Directive Amendment or regulation expected Feb Amendment would take years to implement; regulation would be effective immediately. Currently, notification to individuals and/or government agencies is required in some EU/EEA, but US leads the way in notice to affected individuals. 17

18 Developments in Enforcement Federal FTC 34 enforcement actions since Two cases summer of 2011 imposed, among other actions, 20 years of mandated biennial third party data security audits. OCR Over past 5 years, data security cases were 2d highest category of investigations closed with corrective actions State HIPPA/HITECH enforcement. See, IN AG in Wellpoint. PCI-DSS. Massachusetts application of PCI-DSS as standard under general consumer protection statute. Briar Group. California interpretation of prohibition against collecting addresses under Song-Beverly to include ZIP code alone, with name. EU Expected increase after breach notification requirements. 18

19 Breach Management Developments Discrimination among affected individuals a Coming Attraction? Treating similarly affected individuals differently based on differences in state requirements was almost unthinkable until only a short time ago. Valid sensitivity to over notification has driven legitimate discussion as to whether to differentiate based on legal requirements. Jurisdiction specific differentiation is expensive. Legal and other response costs are higher in a state by state approach. 19

20 Breach Preparedness 2.0 Seasoned Teams assembled Dry-run exercises Heightened awareness, better training and increased budgets Involvement of Insurance Brokers in development of policies specific to cyber risk Development of vendor panels by insurers of cyber risk Increased attention to vendor management Contractual provisions Audits Physical vulnerabilities and exposures Shortened timeframes 20

21 III. Data Breach Litigation and Class Actions U.S. Class Action Litigation Status Most data breach class actions are defeated On motions to dismiss and/or class not certified Go nowhere, but are costly to defend Even more expensive to settle Small amount of individual damages multiplied by millions in large cases Plaintiffs attorneys need financial incentive of class action In order to pursue data breach action Individual losses will generally be too small Not likely to be worth it for plaintiffs to proceed without class 21

22 U.S. Class Action Litigation Status- Article III Standing Required Data breach class actions Tend to be in federal court due to Class Action Fairness Act. 28 U.S.C. 1332(d) If in state court, may be removable Federal lawsuits must satisfy Article III standing requirement Requires a case or controversy Case or controversy requires an injury in fact that is actual or imminent, not conjectural or hypothetical. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, (2000) 22

23 U.S. Class Action Litigation Status- Article III Standing Required (cont.) Numerous lower federal courts Found that increased risk of identity theft as result of data breach not an injury in fact Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2009); Key v. DSW Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006) Two federal appellate courts found Increased risk of identity theft satisfies injury in fact requirement Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) Krottner v. Starbucks Corp., No (9th Cir., Dec. 14, 2010) Sixth Circuit suggested Increased risk of identity theft too conjectural to be injury in fact Did not decide issue Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008) 23

24 Cognizable Injury Also Required If standing requirements satisfied Plaintiffs still need to allege injury for which state law provides remedy Injuries not cognizable (generally) under state common law: Increased risk of identity theft Time and effort spent closing accounts/protecting credit ratings Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy. Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir.2007) 24

25 Cognizable Injury Also Required (cont.) Recent example: Anderson v. Hannaford Bros. Co., (1st Cir. CA, 10/20/11) Mitigation damages cognizable under Maine law in data breach class action if reasonably foreseeable and reasonable are for actual financial losses rather than just time or effort expended in negligence and breach of implied contract claims Includes, under the circumstances: cost of credit monitoring/identity theft insurance fees for replacement of credit and debit cards Excludes: loss of accumulated miles reward points inability to earn reward points emotional distress time and effort spent dealing with the situation 25

26 Cognizable Injury Also Required (cont.) History: 4.2 million credit and debit card numbers hacked/stolen with expiration dates and security codes, but not customer names 1,800 reports of fraudulent credit and debit card activity Maine highest court answered certified questions on time and effort, in the negative, 2010 ME 93 (2010) Foreseeable, on these facts, customers replace cards to mitigate against unauthorized charges/other misuse reasonably purchase insurance to protect against further misuse. Boundary on recovery of costs by claimants if no fraudulent charges monitoring services may be unreasonable and not recoverable 26

27 Cognizable Injury Also Required (cont.) Claims dismissed/dismissal upheld for breach of fiduciary duty, breach of implied warranty, strict liability failure to notify customers of the data breach ME Consumer Protection Statute In re Hannaford Bros., Co., Customer Data Security Breach Litigation, 613 F. Supp.2d 108 (D. ME. 2009) Implications elsewhere? Damages for other state law claims in other class actions? Does forseeability depend on no. of fraudulent changes? Notice letter language? 27

28 Class Certification Doubtful Court may not certify class Stollenwerk v. TriWest Healthcare Alliance, No (D.Ariz., June 10, 2008) Adequacy test - if plaintiffs attorneys locate individual who has suffered identity theft, or other injury, to satisfy standing and cognizable injury requirements That individual may not be appropriate class representative for others who merely suffer increased risks Test of predominance - due to highly individualized proof required for causation of identity theft Common questions of fact and law might not predominate 28

29 Cases That May Survive Motion To Dismiss? New theories of injury: Customers of social media application provider lost value when usernames, passwords stolen Claridge v. RockYou, C PJH (N.D. Ca., April 11, 2011) Court did not dismiss, but skeptical about claim surviving summary judgment Court finds cognizable injury in statutory claim Doe 1 v. AOL LLC, 719 F.Supp.2d 1102 (N.D. Ca. 2010) Claim under California Consumers Legal Remedy Act Statute says consumer suffering any damage may bring a claim 29

30 Cases That May Survive Motion To Dismiss? (cont.) Defendant exposed highly sensitive personal information of plaintiffs Sufficient allegation of injury under statute Behavioral advertising cases Super cookie litigation, Do Not Track Other statutes, i.e., ECPA, CFAA, etc. Are these breaches? Possible UK/EU cookie implications 30

Huntington Avenue Boston, MA 02199 617-239-0585 mschreiber@edwardswildman.com Theodore P.

Church Street Hartford, CT 06103 860-541-7710 taugustinos@edwardswildman.com Thomas J.

31 Contact Information Mark E. Schreiber, Chair, Privacy & Data Protection Group Edwards Wildman Palmer LLP 111 Huntington Avenue Boston, MA Theodore P. Augustinos, Co-Chair, Privacy & Data Protection Group Edwards Wildman Palmer LLP 20 Church Street Hartford, CT Thomas J. Smedinghoff Privacy & Data Protection Group Edwards Wildman Palmer LLP 225 West Wacker Drive, Suite 3000 Chicago, IL

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING 2015 Verizon Data Breach Report 79,790 security incidents 2,122 confirmed data breaches Top industries affected: Public, Information,