CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK. By: Andrew Serwin
1 CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK By: Andrew Serwin January 19, 2018
2 Overview
What are companies concerned about?
What information are we concerned about?
Cybersecurity
Who are the threat actors?
Steps to address a breach
Consequences of a breach
Examples of incidents
Steps to prepare and respond
Notice on a global basis
Litigation and enforcement
Morrison & Foerster LLP 1
3 Overview Continued
How concerned are Boards?
What are the relevant legal obligations for the Board?
How should the Board think about cyber?
Where should cyber be addressed at the Board?
What are the threats and challenges?
What should the Board do about cyber?
What should Management do about cyber?
What are emerging SEC issues regarding cyber?
Lessons learned and takeaways
What questions should you ask?
4 Top-Level Concerns
Controller v. processor
Data misuse (generally a first-party issue):
Failure to fully disclose data practices;
Failure to comply with applicable laws;
Marketing mistakes; and
Others.
Attacks (third-party focused). There are two primary types of attacks:
Theft of information (e.g., PI, trade secrets); and
Attacks on the grid (e.g., denial of service, attempts to shut down systems).
5 All Companies Have Information of Value
Companies create and process a significant amount of information:
Financial information;
Information regarding individuals (employees and customers);
Proprietary/confidential information: IP; Undisclosed M&A activity; Business and marketing plans; and Pricing;
Information regarding business processes, including process improvements;
Information regarding business trends;
Social data/user-generated content;
Machine data; and
Many other forms of information.
6 Understanding the Cyber Threat
YESTERDAY
Threat Actors: Isolated Criminals; Script Kiddies
Goals: Identity Theft; Self-promotion; Theft of Content or Services
TODAY
Threat Actors: Organized Criminals; Nation States; Hacktivists; Insiders
Goals: Intellectual Property; Financial Information; Strategic Access/Destruction; Terrorism; Embarrassment
7 Breaches are on the Rise
Security breaches are becoming more common and reported on more frequently.
8 Have You Stopped Buying Based upon a Breach?
[Chart: Yes 78%; No 22%]
9 You've Been Breached: Now What?
Investigate and stop intrusion.
Determine notice obligations and comply with deadlines.
Evaluate whether PR firm is needed.
10 Common Issues
Escalation
Privilege
Who is in charge?
The role of third-party vendors
11 Should You Hire a Vendor?
Vendors can investigate breach and plug infiltration.
You may also need third parties for notice-related issues, PR, and other services.
12 Tips & Suggestions Regarding Privilege in the U.S.
Copying a lawyer on an email does not necessarily make it privileged. To be privileged, the email must be seeking legal advice or contain legal advice.
Limit the distribution of documents containing legal advice to people who have a need to know.
Do not cc: or forward emails containing legal advice to any third party (e.g., government, other companies).
Stamp or add a legend to documents that are privileged to make them easy to identify. But simply stamping everything privileged can hurt more than it helps, so don't overuse the designation.
13 Privilege Quick-Reference Guide
Attorney-Client Privilege:
Only applies to communications with lawyers regarding legal advice
Is usually lost (waived) if shared outside the company
DO:
Consult with attorneys before hiring consultants to decide whether the engagement should be privileged
Ask attorney before forwarding privileged emails
DON'T:
Wait to consult attorney before taking initial steps to stop an incident
Put heat-of-the-moment opinions or speculations in writing that could later embarrass the company
Forward privileged emails to people who do not have a need to know or who are outside the company
14 What are the Consequences of a Breach?
Impact on brand/trust;
Bad PR;
Corporate governance issues;
Significant costs and use of internal resources;
Enforcement by regulators on a global basis; and
Private litigation in the United States.
15 Incident Number 1: IP Theft
A publicly traded U.S. company has spent a significant amount of money creating a chemical compound that is critical to the manufacturing of solar panels, and it is protecting the compound via trade secret protection. A month before the company is getting ready to release the product, the General Counsel receives a call from the FBI informing her that there are indicators that a foreign state has penetrated the company's network and stolen a significant amount of data, including the proprietary formula for the solar panel compound, as well as other intellectual property. What do you do?
16 Incident Number 2: PII Theft
A Fortune 50 retailer receives a call from a prominent member of the press informing the company that he is aware of a security breach involving the company and over 40,000,000 credit cards. He will be making the breach public in 24 hours and asks for a comment from the company. What do you do?
17 Incident Number 3: A Grid Attack
A global Financial Services company sees an uptick in fraud and subsequently discovers that it has been attacked and 200,000,000 user credentials have been stolen from the company. The company hires a forensic expert who determines how the attackers have accessed the network and then takes steps to block the attackers from having continued access. As soon as the attackers are removed from the system, the company is hit with a sophisticated Distributed Denial of Service (DDoS) attack that causes its entire network to crash. What do you do?
18 Incident Number 4: Public Embarrassment
A Fortune 100 health care company with a significant number of government contracts receives an email from a Hacktivist group demanding a number of concessions from the company, including terminating certain lines of business that the Hacktivists find objectionable, or the group will begin disseminating damaging information regarding the company. The company has 48 hours to respond, and it does not meet the group's demands. The Hacktivists respond by posting numerous emails on a Peer-to-Peer Network that reveal a pattern of inappropriate conduct by the CEO, and seem to indicate that there may be government fraud occurring. The company is given another 48 hours to meet the Hacktivist's demands.
19 What Can Companies Do to Prepare?
Pre-breach considerations include:
Identifying critical systems;
Identifying key legal and notice requirements;
Creating an incident response plan;
Identifying key internal and external stakeholders, including important customers and regulators who may require notice;
Identifying professionals to assist in the event of a breach;
Conducting a tabletop exercise;
Anomaly detection;
Establishing relationships with law enforcement and others in your industry to discuss sharing information; and
Conducting a security review.
20 What Should Companies do to Respond?
When a breach occurs:
Containment and recovery;
Advising on information sharing strategy (e.g., critical partners);
Document preservation, including forensic collection, if appropriate, with consideration of the application of the work-product doctrine;
Making the facts stand still;
Creating a PR plan based upon the nature and scope of the incident;
Assessing notice, disclosure, and other legal obligations;
Advising on engagement strategy with law enforcement; and
Conducting a lessons learned review.
21 Notice of Security Breach Legislation
Common issues:
When notice must be given;
The form of the notice;
Who notice must be given to;
The scope of federal preemption; and
The effect of existing security policies.
22 Data Breach Laws Vary by State in the U.S.
Most states have enacted data breach notification laws requiring businesses and other entities to notify affected individuals when a data breach involving their personally-identifiable information occurs. The requirements of these laws vary and sometimes conflict.
23 There Are Federal Laws as Well
HIPAA is an emerging issue for many technology companies.
24 GDPR
GDPR attempts to harmonize European data protection rules, including implementing a European notice of security breach rule.
25 GDPR: What Is a Breach?
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
26 Notice Requirements
A Controller must notify the Individual of a Personal Data Breach, without undue delay, where that Personal Data Breach is likely to result in a high risk to the rights and freedoms of the Individual, in order to allow him or her to take the necessary precautions.
The Controller also must notify the DPA of a Personal Data Breach, unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of the Individual, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Exceptions.
27 Asia/South Asia: Data Security
Reasonable organizational, technical, and administrative measures to protect data.
More detailed rules in: India; Japan; Korea; Taiwan
28 Examples of Asian Countries with Breach Notification Laws or Voluntary Standards
Japan; Korea; Philippines; Singapore; Taiwan
29 Strategy for Compliance
Review and comply with the breach notification laws for each relevant country or state (i.e., those states where individuals whose personal information is held by the company reside, or where your data controller exists). Time is often of the essence.
Determine whether other entities need to be contacted (state attorney general, office of consumer affairs, FTC, consumer credit reporting agencies).
30 What If I Fail to Notify?
Failure to notify could result in enforcement action, penalties, or lawsuits brought by affected consumers.
31 The Different Legal Fronts
A high-profile nationwide breach may require the largest coordinated legal effort in a company's history.
Government investigations: State AGs; FTC; SEC; Functional regulators (e.g., FCC, HHS, federal banking agencies); Congress; International regulators (e.g., Canada OPC)
Litigation: Consumer class actions; Shareholder suits; Bank class actions
32 Class Action Risk for Data Breach
Class action bar has targeted companies that are victims of data breaches.
File multiple copycat class actions across the country.
Brought on behalf of nationwide and state classes.
33 Legal Theories
Violation of state consumer protection laws
Negligence
Breach of contract
Invasion of privacy
Violations of state data security regulations (e.g., Mass. Data Security Reg.)
Violations of federal data compliance/security regulations (e.g., FCRA, ECPA, CFAA, etc.)
Civil RICO
34 How Concerned are Boards about Cyber?
According to a 2016 NACD survey, 46% of Boards were concerned about cyber, the fourth highest ranked concern of Boards for
35 Have You Stopped Buying Based upon a Breach?
Research by the Lares Institute.
[Chart: Yes 78%; No 22%]
36 Fiduciary Duties Generally
Fiduciary duties are state law specific. Generally, directors have:
Duty of Care
Duty of Loyalty
Duty of Oversight
The most relevant duties are the Duty of Care and Oversight.
37 Duty of Care
The Board must act on an informed basis after due consideration of relevant materials and proper deliberation.
Adequate procedure drives the court's inquiry. Did the Board:
have access to relevant information?
receive input from management and advisors?
consider alternatives?
follow a reasonable process?
adequately deliberate?
Directors may rely on the reports and advice of appropriate advisors, including officers and employees of the Company, counsel, and other professionals.
38 Business Judgment Rule
Ordinarily, a decision to take action, or a conscious decision not to act, is entitled to the protection of the business judgment rule, and a court will not substitute its judgment for that of the Board.
To be eligible for this protection, the Board's actions must be:
Based on material information available with reasonable diligence and inquiry
Made in good faith
Made in the honest belief that the action taken or not taken is in the best interest of the Company and its stockholders
Made without a conflict of interest
A person challenging the Board's decision has the burden to show the Board failed to satisfy its fiduciary duties.
39 Duty of Oversight
In re Caremark (Del. Ch. 1996), Duty of oversight: A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.
Stone v. Ritter (Del. 2006): To establish a breach of oversight, it must be pleaded and proven that: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.
40 Understanding Cyber
Cyber is an asymmetric threat. This means that the attackers may know more about your vulnerabilities than management does. The Board will inherently know less about the vulnerabilities than management.
Ultimately managing cyber risk is a governance issue; and to appropriately manage this risk, the Board must understand the potential risks to the business.
Information Risk/Value: Information is an asset of the company, and the Board should ensure that it is appropriately protected, valued, and utilized for the benefit of the company.
41 The Costs of Cyber
Costs of not addressing cyber can include:
Financial;
Legal/compliance;
Reputational; and
Operational risks.
But there are costs to consider when addressing cyber:
Costs of remediation;
Customer friction;
Loss of productivity; and
Breaking systems.
Ultimately, management must balance all of these costs and determine what the appropriate risk governance strategy is.
42 What Is Your Cyber Risk Tolerance?
After examining the potential impact of a cyber event, management, with appropriate input from the Board, should determine what the company's risk tolerance is regarding cyber.
Ultimately, the Board needs to understand the earnings impact of the risk tolerance of the Company and ensure that it and management are aligned, and it must ensure, via its oversight responsibility, that Company management appropriately addresses cyber.
43 Where Should Cyber Sit at the Board?
Dodd-Frank requires certain financial institutions to have a Risk Committee at the Board. While it is not required for other companies, some Boards have created Risk Committees.
The Board should determine where cyber fits in any relevant committees of the Board, whether that is through Audit, Risk, or other committees.
While it is not a requirement, Boards should consider whether cyber should factor into other committees, including compensation, nominating and governance, as well as how it should fit into the Board Agenda.
44 All Companies Have Information of Value
Companies create and process a significant amount of information:
Financial information;
Information regarding individuals (employees and customers);
Proprietary/confidential information: IP; Undisclosed M&A activity; Business and marketing plans; and Pricing;
Information regarding business processes, including process improvements;
Information regarding business trends;
Social data/user-generated content;
Machine data; and
Many other forms of information.
45 Understanding the Cyber Threat
Threat Actors: Organized Criminals; Nation States; Hacktivists; Insiders
Goals: Intellectual Property; Financial Information; Strategic Access/Destruction; Terrorism; Embarrassment
46 Challenges
Threat actors have more time and more resources
The threats are constantly changing
Inadequate information sharing
Chief Information Security Officers cite gaps in skill sets on their teams, lack of bandwidth, and inadequate budgets as some of the biggest issues
47 Ramifications
Cyber can impact the Company in a number of ways:
Loss of trust/reputational harm;
Bad PR;
Impact on earnings due to: Loss of customers (including for B-to-B Companies); Increased costs that result from fines, response costs, investigative costs, litigation costs and settlements, remediation costs, as well as many others; and
Significant distraction for employees, management, and the Board.
48 What Should the Board Do?
Understand the cyber risk profile of the Company by discussing this with management, and any appropriate third parties;
As appropriate, engage with management, to help set the risk tolerance for the company;
Make sure that management has appropriate processes and programs to engage in appropriate risk assessment, which include identifying, assessing, and mitigating risk;
Make sure that management appropriately communicates the risk;
Engage in appropriate oversight by: making sure that cyber is appropriately addressed by the Board, including through relevant committees; ensuring that risks are appropriately remediated; and that the cyber risk program is otherwise functioning appropriately; and
Do an appropriate, executive-level table-top exercise.
49 What Should Management Do?
Conduct an appropriate enterprise cyber risk assessment;
Determine what your most critical systems and information are;
Assist the Board with determining the Company's risk tolerance;
Create an appropriate, cross-functional risk governance structure that continually assesses and improves cyber risk. This includes organizational, behavioral, and technical changes;
Keep the Board appropriately informed of the Company's cyber risks;
Align incentives for employees with the risk tolerance of the Company;
Make sure escalation criteria are clear; and
Engage in appropriate business continuity planning.
50 What Should Management Do?
Appropriately manage the company's cyber risks, via an appropriate cyber risk mitigation program, including appropriately remediating known cyber issues;
Have a third party evaluate your company (under privilege);
Test and train employees, as appropriate, on common attack vectors such as phishing;
Make sure escalation criteria are clear;
Appropriately plan for any foreseeable business disruption due to cyber;
Engage in appropriate information sharing;
Develop appropriate relationships with law enforcement; and
Practice responding to a security incident.
51 SEC Issues
Risk Factors need to be reviewed
When to Disclose a Breach
Enforcement (Coordination with DOJ)
Pre-Breach Questions
Post-Breach Questions
52 Lessons Learned from Breaches
Unclear decision making paths
Unclear escalation criteria
Lack of practice on incident response plan
Lack of business continuity planning
53 Board Dos and Don'ts
Ask the right questions
Ask if the right experts have been retained
Engage in appropriate oversight
54 What Should the Board Be Asking?
Is our actual cyber risk consistent with our intended cyber risk?
Have we considered appropriate risk shifting devices, such as insurance?
Is the Board appropriately engaged regarding cyber, and does it have the appropriate organizational structures, including committees, to meet its oversight obligations? This includes assessing how often, and where, cyber is reported on to the Board.
What organizational structures at the management level exist to measure, govern, and assess data and information risk, and how are threat assessments managed and reported?
Does management appropriately report on cyber risk to the Board?
Does management consider cyber risk, as appropriate, when it makes decisions regarding new products or services?
55 What Should the Board Be Asking?
Has management reviewed and de-conflicted these cyber organizational structures with the organizational structures for other risks, i.e., is your cyber risk management consistent in approach with the management of other risks?
Have the company's security processes and systems been reviewed by a third-party assessor? Third-party review of cybersecurity readiness can be a crucial factor in defending the company after a security incident, as well as helping a company to take reasonable steps to prepare for and defend against a cyberattack.
Has internal audit been appropriately engaged?
Does the company have an incident response plan, and are the appropriate business leaders identified in it? Is it cross-functional? Have you tested it through a tabletop?
56 What Should the Board Be Asking?
Has the level of penetration testing (internal and external), software patching, and other similar activities been reviewed by a third party to ensure it is adequate for your company?
Has the company benchmarked its cybersecurity risk posture against those of other similar businesses?
Has management determined what the company's information sharing strategy is?
Has management allocated responsibility for protecting the Company's information assets appropriately?
Has management completed a high-level data inventory of the company's information assets so that it has an understanding of what information the Company has and generally where it is located?
57 What Should the Board Be Asking?
Has management done a thorough review of policies and procedures to ensure that they comply with the relevant data security laws and are consistent with industry best practice?
Has management done appropriate resiliency planning for a cyber attack?
DATA PROTECTION ADDENDUM In the event an agreement ( Underlying Agreement ) entered into by and between (i) either Sunovion Pharmaceuticals Inc. or its subsidiary, Sunovion Pharmaceuticals Europe Ltd.
More informationDATA PROCESSING AGREEMENT/ADDENDUM
DATA PROCESSING AGREEMENT/ADDENDUM This Data Processing Agreement ( DPA ) is made and entered into as of this day of, 2018 forms part of our Terms and Conditions (available at www.storemaven.com/terms-of-service)
More informationEnhanced Cyber Risk Management Standards. Advance Notice of Proposed Rulemaking
Draft 11/29/16 Enhanced Cyber Risk Management Standards Advance Notice of Proposed Rulemaking The left column in the table below sets forth the general concepts that the federal banking agencies are considering
More informationSouth Carolina General Assembly 122nd Session,
South Carolina General Assembly 122nd Session, 2017-2018 R184, H4655 STATUS INFORMATION General Bill Sponsors: Reps. Sandifer and Spires Document Path: l:\council\bills\nbd\11202cz18.docx Companion/Similar
More information2016 Risk Practices Survey
Strong Board. Strong Bank. 2016 Risk Practices Survey MAR 2016 RESEARCH Sponsored by: 2 2016 RISK PRACTICES SURVEY TABLE OF CONTENTS Executive Summary 3 Risk Governance & Oversight 4 Risk Culture & Infrastructure
More informationHOW TO INSURE CYBER RISKS? Oulu Industry Summit
HOW TO INSURE CYBER RISKS? Oulu Industry Summit 2017 6.10.2017 Panu Peltomäki Liability and Financial Lines Practice Leader Marsh Oy Marsh A Leader in Quality, Scope, and Scale GLOBAL RISKS OF CONCERN
More informationAligning Risk Management with CU Business Strategy
Aligning Risk Management with CU Business Strategy Managing your most pressing risks CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited 2016 CUNA Mutual Group, All Rights
More informationWe re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber
We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber Protection Data Creates Duties What data do you access, and
More informationWhistleblower Update MAPI LAW COUNCIL MEETING FALL Miriam Fisher Eric Swibel November 9, 2017
MAPI LAW COUNCIL MEETING FALL 2017 Whistleblower Update Miriam Fisher Eric Swibel November 9, 2017 Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the
More informationBest Practices Trump Regulatory Compliance
Best Practices Trump Regulatory Compliance Brian Hamburger, JD, CRCP President and CEO February 16, 2017 T3 Advisor Conference T3 Advisor Conference Cybersecurity Recruiting Equity Plan Design Succession
More informationThe Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage
The Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage James P. Bobotek james.bobotek@pillsburylaw.com (202) 663-8930 Pillsbury Winthrop Shaw Pittman LLP DOCUMENT
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationThe Cost of Identity Theft to Business What Business Owners Must Know Now
The Cost of Identity Theft to Business What Business Owners Must Know Now An Introduction to the Fair and Accurate Credit Reporting Act (FACTA): What Business Owners Must Know Now It often seems that there
More informationRIMS Cyber Presentation
RIMS Cyber Presentation Forrest Pace Cyber & Strategic Risk Leader South Zone AIG Property Casualty Forrest.Pace@aig.com 1 Bio Forrest Pace is the Cyber and Strategic Risk Leader for the South Zone, coordinating
More informationCyber Risk & Insurance
Cyber Risk & Insurance Digitalization in Insurance a Threat or an Opportunity Beirut, 3 & 4 May 2017 Alexander Blom - AIG 1 Today s Cyber Presentation Cyber risks insights from an insurance perspective
More information2/13/2013 MANAGING A COMPLIANCE CRISIS: BE PREPARED! THE CASE FOR COMPLIANCE:
SCCE UTILITIES & ENERGY COMPLIANCE & ETHICS CONFERENCE February 26, 2013 Houston, TX MANAGING A COMPLIANCE CRISIS: BE PREPARED! BART SCHWARTZ, GUIDEPOST SOLUTIONS LLC. THE CASE FOR COMPLIANCE: Not all
More informationCyber Security Liability:
www.mcgrathinsurance.com Cyber Security Liability: How to protect your business from a cyber security threat or breach. 01001101011000110100011101110010011000010111010001101000001000000100100101101110011100110111
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More informationFrequently Asked Questions
Frequently Asked Questions How do you protect my identity? We use our proprietary software to proactively monitor various sources. Through PrivacyArmor, you will also have the power to create thresholds
More informationRisk Associated with Meetings
Risk Associated with Meetings Risks Associated with Meetings & Events: No Company is Exempt Meetings and events remain a necessary way for people and organizations to communicate information, build relationships,
More informationMedical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches. April 3, 2009
Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches April 3, 2009 Jon A. Neiditz Cynthia B. Hutto Ross E. Sallade Eli A. Poliakoff Nelson Mullins Healthcare Information
More informationLargest Risk for Public Pension Plans (Other Than Funding) Cybersecurity
Largest Risk for Public Pension Plans (Other Than Funding) Cybersecurity 2017 Public Safety Employees Pension & Benefits Conference Ronald A. King (517) 318-3015 rking@ I am convinced that there are only
More informationTrue or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)
Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent
More informationDATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses)
DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses) This Data Processing Agreement ("DPA") forms part of the Master Services and Subscription Agreement between Customer and
More informationCyber & Privacy Liability and Technology E&0
Cyber & Privacy Liability and Technology E&0 Risks and Coverage Geoff Kinsella Partner http://map.norsecorp.com http://www.youtube.com/watch?v=f7pyhn9ic9i Presentation Overview 1. The Cyber Evolution 2.
More informationDATA PROCESSING ADDENDUM
DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the Master Purchase Agreement, Customer Agreement, Channel Partner Agreement, End User License Agreement or other written agreement
More informationInformation Security and Third-Party Service Provider Agreements
The Iowa State Bar Association s ecommerce & Intellectual Property Law Sections presents 2016 Intellectual Property Law & ecommerce Seminar Information Security and Third-Party Service Provider Agreements
More informationCyber Risk Management
Cyber Risk Management Agenda Asset Inventory and Baselines Vendor Management Incident Response Planning Resilience Insurance Considerations All. Together. Certain. 2 1 Asset Inventory and Baselines All.
More informationThe Risk-based Approach to Data Breach Response Meeting mounting expectations for effective, relevant solutions
The Risk-based Approach to Data Breach Response Meeting mounting expectations for effective, relevant solutions Our Speakers Mark Melodia is Partner and Co-Head of the Global Data Security, Privacy & Management
More informationFIDUCIARY DUTIES OF THE BOARD OF DIRECTORS
FIDUCIARY DUTIES OF THE BOARD OF DIRECTORS Jenifer R. Smith, Partner September 21, 2017 www.dlapiper.com September 2017 0 Introduction Every director owes fiduciary duties to the corporation and its shareholders.
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationCYBER LIABILITY REINSURANCE SOLUTIONS
CYBER LIABILITY REINSURANCE SOLUTIONS CYBER STRONG. CYBER STRONG. State-of-the-Art Protection for Growing Cyber Risks Businesses of all sizes and in every industry are experiencing an increase in cyber
More informationSafeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker
Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements
More informationCyber Liability State of the Insurance Market & Risk Update Sept 8, ISACA North Texas
Cyber Liability State of the Insurance Market & Risk Update Sept 8, 2016 ISACA North Texas Agenda Introduction Cyber Liability Overview State of Insurance Regulatory Update Questions and Discussion 2 Speakers
More informationHow to Cut Down on Security Risks:
How to Cut Down on Security Risks: What You Don t Know About HIPAA Security October 29, 2015 2015 Epstein Becker & Green, P.C. All Rights Reserved. ebglaw.com Presented by Adam Solander Member of the Firm
More information1.5 This policy meets the guidance provided by the ICO on data security breach management.
William Austin Junior School Data Breach Policy Introduction 1.1 The Data Protection Act 2018 (DPA) is based around six principles of good information handling. These give people specific rights in relation
More informationCybersecurity Curveballs in Vendor Risk Management Programs
Cybersecurity Curveballs in Vendor Programs 2016 SoCal Cybersecurity, & Data Protection Retreat November 7, 2016 2016 Reed Smith LLP. All rights reserved. The contents of this presentation are for informational
More informationYour defence toolkit. How to combat the cyber threat
Your defence toolkit How to combat the cyber threat Contents The threat of cyber crime 4 How UK businesses are targeted 6 Case studies 8 Why cyber security is so important to manufacturers now 10 The
More informationSECURITY POLICY 1. Security of Services. 2. Subscriber Security Administration. User Clearance User Authorization User Access Limitations
! SECURITY POLICY This Security Policy ( Policy ) applies to all Services provided by Collective Medical Technologies, Inc. ( CMT ) pursuant to a Master Subscription Agreement ( Underlying Agreement )
More informationCredit Card Data Breaches: Protecting Your Company from the Hidden Surprises
Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises By David Zetoony Partner, Bryan Cave LLP Courtney Stout Counsel, Davis Wright Tremaine LLP With Contributions By Suzanne Gladle,
More informationNew legislation brings changes to how data is handled
New legislation brings changes to how data is handled April 2018 Lockton Companies New European Union (EU) data protection rules may require changes to how businesses handle personal data even if the businesses
More informationHIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel
HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability
More informationDATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY Coverage under this endorsement is subject to the following: PART 1 RESPONSE
More informationMEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT
MEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT IOWA ACTUARIES CLUB 2/25/16 EDUCATION DAY PRESENTED BY KEITH BURKHARDT, V.P. KRAUS-ANDERSON INSURANCE Overview I. Why are cyber security
More informationHIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT
WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile
More informationRISK MANAGEMENT FRAMEWORK OVERVIEW
Perpetual Limited RISK MANAGEMENT FRAMEWORK OVERVIEW September 2017 Classification: Public Page 1 of 6 COMMITMENT TO RISK MANAGEMENT As a publicly listed company and provider of financial products and
More informationHOW TO EXECUTE THIS DPA:
DATA PROCESSING ADDENDUM (GDPR, and EU Standard Contractual Clauses) (Rev. April 20, 2018) This Data Processing Addendum ( DPA ) forms part of the Master Subscription Agreement or other written or electronic
More informationCYBER CLAIMS BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIMS & LEGAL GROUP
www.willis.com July 2015 CYBER CLAIMS BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIMS & LEGAL GROUP INSIDE THIS EDITION... CYBER CLAIMS LANDSCAPE A SAMPLING OF LARGE CYBER SETTLEMENTS LEGAL
More informationThe Impact of Technology on Nonprofit Governance (and its Regulation)
The Impact of Technology on Nonprofit Governance (and its Regulation) Presented to: 2017 NAAG/NASCO Annual Conference October 2, 2017 Washington, D.C. Michael W. Peregrine McDermott Will & Emery LLP MPeregrine@mwe.com
More informationGDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers
Area 1 Security, Inc. 142 Stambaugh Street Redwood City, CA 94063 EU GDPR DPA GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers Who should execute this DPA: If you qualify
More informationGoverning Body Responsibilities for Implementing Effective Compliance and Ethics Programs
Governing Body Responsibilities for Implementing Effective Compliance and Ethics Programs Tim Timmons Corporate Integrity Officer Greater Oregon Behavioral Health, Inc. #NatCon14 What We ll Cover Today
More informationOutside the Courtroom Auditing Under Legal Privilege. Houston IIA Conference
Outside the Courtroom Auditing Under Legal Privilege Houston IIA Conference Some Interesting Statistics Around 25% of frauds are uncovered due to employee tips, while 19% are uncovered through internal
More informationSummary Comparison of Current Senate Data Security and Breach Notification Bills
Data Security reasonable Standards measures Specific Data Security Requirements Personal Information Definition None (a) First name or (b) first initial and last name, in combination with one of the following
More informationCyberinsurance: Necessary, Expensive and Confusing as Hell. Presenters: Sharon Nelson and Judy Selby
Cyberinsurance: Necessary, Expensive and Confusing as Hell Presenters: Sharon Nelson and Judy Selby Setting the stage 2018 report from PwC one-third of US businesses have some form of cyberinsurance PwC
More informationSolving Cyber Risk. Security Metrics and Insurance. Jason Christopher March 2017
Solving Cyber Risk Security Metrics and Insurance Jason Christopher March 2017 How We Try to Address Cyber Risk What is Cyber Risk? Definitions Who should be concerned? Key categories of cyber risk Cyber
More informationHow to mitigate risks, liabilities and costs of data breach of health information by third parties
How to mitigate risks, liabilities and costs of data breach of health information by third parties April 17, 2012 ID Experts Webinar www.idexpertscorp.com Rick Kam President and Co-Founder richard.kam@idexpertscorp.com
More informationSponsored by. Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment
Sponsored by Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment Table of Contents Welcome 3 Executive Summary 4 Introduction and Methodology 6 Preparation and Readiness 8 - Client Awareness
More informationTech and Cyber Claims Services
Tech and Cyber Claims Services Insurance Tech, Cyber Claims and our Breach Response Service The technology industry is a significant area of expertise for the Firm where we advise on contentious and non-contentious
More informationInsuring your online world, even when you re offline. Masterpiece Cyber Protection
Insuring your online world, even when you re offline Masterpiece Cyber Protection Protect your online information from being an open network 97% of Chubb clients who had a claim paid were highly satisfied
More informationLIABILITY INTERRUPTION OF ACTIVITIES CYBER CRIMINALITY OWN DAMAGE AND COSTS OPTION: LEGAL ASSISTANCE
I N S U R A N C E a g a i n s t c y b e r r i s k s After "prevention", risk covering is always the next step. Good insurance policies have the substantial merit allowing people to progress, even choosing
More informationSECURITY SAFEGUARD BREACH GUIDE
SECURITY SAFEGUARD BREACH GUIDE On November 1, 2018, new regulations will come into force that will require all organizations, including insurance brokers, to report breaches of security safeguards that
More informationCyber Security & Insurance Solution Karachi, Pakistan
March 2017 Cyber Security & Insurance Solution Karachi, Pakistan Ram Garg CFA, MBA Financial & Casualty Line J B Boda & Co (Singapore) Pte Ltd Karachi Insurance Institute Agenda Cyber Risk - Background
More information