
PROTECTING YOUR COMPANY FROM A DATA PRIVACY OR CYBERSECURITY BREACH


Presentation Transcript


  1. PROTECTING YOUR COMPANY FROM A DATA PRIVACY OR CYBERSECURITY BREACH Robert P. Thavis and Stephen J. Cosentino

  2. Cybersecurity and Privacy
     • How will the Cybersecurity Framework affect consumer privacy?
     • Consumer privacy law continues to focus on disclosure
     • Those working in privacy compliance will need to determine whether the disclosure focus should extend to cooperative exchanges of data within the Cybersecurity Framework

  3. Cybersecurity and Privacy
     • California Privacy Law Changes for 2014
       • Operators must disclose how they respond to web browser Do Not Track signals
       • Operators must disclose whether third parties collect PII about consumer online activities over time and across networks
       • Intended to target tracking in ad networks like Facebook FBX and Google AdSense
       • The focus is on disclosure and awareness

  4. Cybersecurity and Privacy
     • Children’s Online Privacy Protection Act Changes for 2013
       • Similar focus on information sharing with third parties
       • Close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent

  5. Cybersecurity and Privacy
     • Financial industry privacy requirements focus on disclosure and choice
     • Emphasis on distinguishing between the company and third parties
     • Uniformity of the GLB Policy is very important
     • Cybersecurity Framework-related disclosures don’t fit well

  6. Cybersecurity and Privacy
     • Cybersecurity-related disclosures continue to be broad and vague
     • GLB Model Policy
       • “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law”
     • Typical website disclosures
       • We work to protect your information in transmission using secure socket layers
       • We strive to keep your information safe and secure
       • Obligatory disclaimer

  7. Cybersecurity and Privacy
     • COPPA Amendments do address data security
       • Covered website operators and online service providers must take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
       • Continues to lack any detail

  8. HIPAA Data Breach Requirement
     • Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act
     • Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information

  9. HIPAA Data Breach Requirement
     • Definition of Breach
       • Impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual
     • Breach Notification Requirements for CEs (covered entities)
       • If the CE has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute individual notice by either posting the notice on the home page of its website or providing notice in major print or broadcast media where the affected individuals likely reside

  10. HIPAA Data Breach Requirement
     • Breach Notification Requirements for CEs
       • If the CE has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
       • The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

  11. Iowa Data Breach Requirement
     • Scope of Iowa Law (Iowa Code 715C)
       • First name/initial and last name with unencrypted:
         • SSN/DL#
         • Financial account, credit card number, debit card number + security code that would allow access
         • Unique electronic identifier or routing code + security or access code
         • Unique biometric data (fingerprint, retina image, etc.)

  12. Iowa Data Breach Requirement
     • Scope of Iowa Law
       • Breach of Security is unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality or integrity of information
       • Exception for good faith acquisition by a person who is not a threat

  13. Iowa Data Breach Requirement
     • Consumer Notice
       • Made in the most expeditious manner possible without unreasonable delay
       • Consistent with measures necessary to determine the contact info of consumers, scope of breach, and restore integrity, security and confidentiality
       • Does contain exception for law enforcement investigation
     • Some discretion. Notice not required . . .
       • If the entity, after an appropriate investigation or consultation with law enforcement, determines that there is no reasonable likelihood of financial harm to consumers.
       • However, the entity must maintain documentation supporting this determination for five years.

  14. Iowa Data Breach Requirement
     • Notice
       • Methods for Notice.
         • Written notice, or electronic notice if the person’s customary method of communication is electronic or as consistent with ESIGN Act.
         • Substitute notice if cost would exceed $250,000 or the class is more than 350,000 people or insufficient contact information
           • email, posting on the entity's website, or notice to major statewide media.
       • If breach impacts more than 500 Iowa residents at one time, notice must be provided to the State AG office within 5 days of notice.
       • Violations are an unlawful practice under Iowa’s Consumer Fraud Statute subject to a fine of up to $40,000 per violation.

  15. COVERAGE FOR CYBER RISKS
     • Cyber-related risks are perhaps both the most likely, and the most significant, risks to develop over the past 25 years
     • One of the most difficult risks to manage:
       • Difficult to anticipate what insurer will agree is covered
       • Every case sets a precedent
       • Good rule of thumb — big losses not covered
     • Difficult to anticipate what will be found covered under existing policies
       • Not much case law
       • Early case law muddled

  16. FIRST-PARTY Cyber coverage
     • Property/Casualty Coverage
       • Physical injury to tangible property
       • Compromised equipment (heat, water exposure, warranty)?
       • Hacking/attacks covered?
         • Strangers only, or are disgruntled employees’ acts covered?
         • Definition of insured/insured v. insured exclusion
       • Military action/EMP exclusion?
     • Business Interruption
       • Is it covered?
       • Source of shutdown covered? Power, water
       • Slow-down versus shut-down/working from home?
       • Limits and proof of loss

  17. FIRST-PARTY Cyber coverage
     • Valuable Papers/Data Restoration
       • Do you have it/limits
       • Backup required?
     • Crime
       • One from Column A not enough
       • Remote access excluded or required?
       • Theft by employees versus outsiders?
     • Ultimately, Need Express Cyber Language

  18. Cyber LIABILITY coverage
     • General Liability Coverage
       • Physical damage to tangible property
         • DoS, data loss, exclusivity of data lost, data corrupted — perhaps not covered
       • Loss of use of tangible property not physically damaged
         • Impact on computers and computer-run equipment/operations
         • Slow-down versus shut-down
       • Personal injury
         • Defamation
         • Loss of privacy

  19. Cyber coverage
     • Errors & Omissions Coverage
       • Tailoring required — “professional services” definition is heart of coverage
       • Nothing is certain — Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (2010)
       • “Arising out of” contract
       • Intended act versus intended injury
       • Every case sets a precedent

  20. Cyber coverage
     • Directors & Officers (and Entity) Coverage
       • Any significant company event, including breach, can give rise to shareholder class suits, derivative suits, consumer class suits, competitor suits and regulatory actions
       • Disclosure obligations
         • SEC’s Division of Corporate Finance Disclosure Guidelines (October 13, 2011)
         • Disclosures from private companies?
       • Entity coverage and Side A protections

  21. Cyber LIABILITY coverage
     • Regulatory Aftermath
       • Historically most data breaches in financial and healthcare industries
       • Data breaches trigger enforcement actions under FCRA, HIPAA, numerous other consumer protection statutes
       • Regulatory actions can, but may not, be covered
         • Violation of statutes
         • Claim for “damages”

  22. Cyber coverage
     • Specialty Cyber Policies
       • Different Historical Antecedents and Approaches
         • Replacements for advertising injury coverage
         • Specialized E&O coverage
         • Utilities approach
         • Crime/fraud approach
         • Terrorism/extortion coverage
       • Reason for piecemeal approach is no insurer willing to provide blanket coverage
         • Can’t gauge risks today
         • Cyber risks have short half-life; certainly can’t predict risks tomorrow
       • Caveat Emptor/do your homework — No standardization until market matures

  23. THANK YOU Robert P. Thavis Stephen J. Cosentino
