Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Strategies

Post on 06-Aug-2015

Category: Law

TRANSCRIPT

Cybersecurity: Mission Impossible?

Shawn E. Tuma, Scheef & Stone, LLP (@shawnetuma)

Shawn Tuma, Partner, Scheef & Stone, L.L.P.

214.472.2135

shawn.tuma@solidcounsel.com

@shawnetuma

blog: shawnetuma.com

web: solidcounsel.com

This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.

Texas SuperLawyers 2015

Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)

Chair, Collin County Bar Association Civil Litigation & Appellate Section

College of the State Bar of Texas

Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas

Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

Social Media Committee of the American Bar Association

North Texas Crime Commission, Cybercrime Committee

Infragard (FBI)

International Association of Privacy Professionals

Information Systems Security Association

Contributor, Norse DarkMatters Security Blog

Editor, Business Cyber Risk Law Blog

#CCBBF @shawnetuma

“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller

97% of companies tested had been breached in the prior 6 months.

Odds: security has to be right 100% of the time; the hacker only has to be right once.

•Stewardship

•Public Relations

•Legal

Responding: Execute Breach Response Plan

• contact attorney

• assemble your Response Team

• notify Card Processor

• contact forensics

• contact notification vendor

• investigate breach

• remediate responsible vulnerabilities

• reporting & notification

What does “reporting & notification” mean?

• Law Enforcement

• State Attorneys General

• pre-notice required: VT (14 days), MD, NJ State Police

• Federal Agencies

• FTC, SEC, HHS, etc.

• Consumers

• Florida, Ohio, Vermont = 45 days

• Industry Groups

• PCI, FINRA, FFIEC

• Credit Bureaus

• Professional Vendors & Suppliers

www.solidcounsel.com

What counts as "sensitive personal information" (any one row = data breach):

first name or first initial + last name + SSN, or DLN or Govt ID  =  data breach

first name or first initial + last name + Acct or Card # + Access or Security Code  =  data breach

Info that IDs Individual + Health care provided, or paid for  =  data breach

Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053

CIVIL PENALTY $100.00 per individual per day for notification delay, not to exceed $250,000 for single breach § 521.151
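To make the table and the penalty line concrete, here is an added triage script (not code from the presentation) that, given a dump of records from a lost device or database, flags the ones whose field combination matches a row of the slide's table and estimates the § 521.151 exposure for each day notice is late. The rule combinations and dollar figures are taken from the slide; the field names ("ssn", "card_number", "patient_id", and so on) and the sample records are constructed for the example.

```python
"""Triage which lost records meet the slide's 'sensitive personal information'
test and estimate the civil-penalty exposure for late notification.

Added example for this page, not the presenter's code. Element combinations
follow the slide's table; penalty figures ($100 per individual per day, capped
at $250,000 per breach) follow the slide's reading of Tex. Bus. & Com. Code
§ 521.151. Raw field names below are assumptions about the data dump's schema.
"""
from typing import Dict, Iterable, List, Set

# Each rule: (label, set of elements that must ALL be present).
# 'name' means a last name plus either a first name or a first initial.
RULES = [
    ("name+SSN",            {"name", "ssn"}),
    ("name+DLN/Govt ID",    {"name", "govt_id"}),
    ("name+account+access", {"name", "account_number", "access_code"}),
    ("identifying+health",  {"identifier", "health_info"}),
]

PENALTY_PER_INDIVIDUAL_PER_DAY = 100.00
PENALTY_CAP_PER_BREACH = 250_000.00


def present_elements(record: Dict[str, str]) -> Set[str]:
    """Map the raw fields of one record onto the elements used by RULES."""
    def have(key: str) -> bool:
        return bool(record.get(key))

    elems: Set[str] = set()
    if have("last_name") and (have("first_name") or have("first_initial")):
        elems.add("name")
    if have("ssn"):
        elems.add("ssn")
    if have("driver_license") or have("govt_id"):
        elems.add("govt_id")
    if have("account_number") or have("card_number"):
        elems.add("account_number")
    if have("access_code") or have("security_code"):
        elems.add("access_code")
    # Anything that identifies the individual counts for the health-care row.
    if "name" in elems or have("ssn") or have("govt_id") or have("patient_id"):
        elems.add("identifier")
    if have("diagnosis") or have("treatment") or have("health_payment"):
        elems.add("health_info")
    return elems


def triggered_rules(record: Dict[str, str]) -> List[str]:
    """Labels of every table row this record satisfies (empty = no trigger)."""
    elems = present_elements(record)
    return [label for label, needed in RULES if needed <= elems]


def records_requiring_notice(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose element combination triggers the duty to notify."""
    return [r for r in records if triggered_rules(r)]


def penalty_exposure(individuals: int, days_late: int) -> float:
    """Statutory exposure for delayed notice, with the per-breach cap applied."""
    raw = PENALTY_PER_INDIVIDUAL_PER_DAY * individuals * days_late
    return min(raw, PENALTY_CAP_PER_BREACH)


# Constructed sample dump: a name alone, or a card number without its
# security code, does NOT trigger; the other combinations do.
SAMPLE_RECORDS = [
    {"first_initial": "J", "last_name": "Doe", "ssn": "000-00-0000"},
    {"first_name": "Ann", "last_name": "Lee"},
    {"first_name": "Bo", "last_name": "Kim", "card_number": "4111111111111111",
     "security_code": "123"},
    {"first_name": "Bo", "last_name": "Kim", "card_number": "4111111111111111"},
    {"patient_id": "P-77", "diagnosis": "example condition"},
]

if __name__ == "__main__":
    hits = records_requiring_notice(SAMPLE_RECORDS)
    for r in hits:
        print(triggered_rules(r), r)
    print("exposure if 10 days late:", penalty_exposure(len(hits), 10))
```

Running it on the sample dump flags three of the five records; the plain name and the card number without its access code fall outside every row of the table. The cap in `penalty_exposure` is what makes a large breach's exposure level off at $250,000 regardless of record count.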

2013 Cost (pre-Target): $188.00 per record; $5.4 million = total average cost paid by organizations

2014 Cost: $201 per record; $5.9 million = total average cost paid by organizations

“The primary reason for the increase is the loss of customers following the data breach due to the additional expenses required to preserve the organization’s brand and reputation.” –Ponemon Institute 2014 Cost of Data Breach Study

Cost of a Data Breach

Blocking & Tackling – Most Common Breaches

Theft

Lost

Passwords

Phishing

Websites

Basic IT

Case Stories

Blocking & Tackling – Must Haves

Approved & Documented Basic IT Security

Basic Physical Security

Policies & Procedures Focused on Data Security: Company; Workforce (Rajaee v. Design Tech Homes, Ltd.); Network; Business Associates (Travelers Casualty v. Ignition Studio, Inc.)

Implementation & Training

Regular Reassessment & Update

www.solidcounsel.com

Security Culture

Assess, Audit, Gap Analysis

Develop Strategic Plan

Implement & Execute Plan

Manage Response & Conflict

Reassess & Update

Risk Compliance Program: protecting businesses' information; protecting businesses from their information


• Login Credentials

• “You don’t drown from falling into the water”

• 25k v. 40m (Target) / 56m (Home Depot)


Let us think …

• Newspaper Research

• Email Scheduling Lunch With Client

• Trial Exhibits

• Draft of Plaintiff's Original Petition

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

• Formula for Coke


protecting, misusing, responding: data, devices
