collin county bench bar conference: cybersecurity mitigation & compliance strategies
TRANSCRIPT
Cybersecurity: Mission Impossible?
Shawn E. Tuma, Partner, Scheef & Stone, L.L.P.
214.472.2135
@shawnetuma
blog: shawnetuma.com
web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.
Texas SuperLawyers 2015
Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
Chair, Collin County Bar Association Civil Litigation & Appellate Section
College of the State Bar of Texas
Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
Social Media Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals
Information Systems Security Association
Contributor, Norse DarkMatters Security Blog
Editor, Business Cyber Risk Law Blog
#CCBBF @shawnetuma
“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller
97% of companies tested were breached in the prior 6 months.
Odds: Security must be right 100% of the time / the hacker only once.
• Stewardship
• Public Relations
• Legal
Responding: Execute Breach Response Plan
• contact attorney
• assemble your Response Team
• notify Card Processor
• contact forensics
• contact notification vendor
• investigate breach
• remediate responsible vulnerabilities
• reporting & notification
What does “reporting & notification” mean?
• Law Enforcement
• State Attorneys General
• pre-notice = VT (14 days), MD, NJ St. Police
• Federal Agencies
• FTC, SEC, HHS, etc.
• Consumers
• Fla, Ohio, Vermont = 45 days
• Industry Groups
• PCI, FINRA, FFIEC
• Credit Bureaus
• Professional Vendors & Suppliers
www.solidcounsel.com
Sensitive personal information: the data-element combinations that make an incident a "data breach"
• first name or first initial + last name + SSN = data breach
• first name or first initial + last name + DLN or Govt ID = data breach
• first name or first initial + last name + Acct or Card # + Access or Security Code = data breach
• Info that IDs an individual + health care provided, or payment = data breach
Duty to notify when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information …” Tx. Bus. Comm. Code § 521.053
CIVIL PENALTY $100.00 per individual per day for notification delay, not to exceed $250,000 for single breach § 521.151
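A breach-scoping helper that turns the two slides above into something a responder can run over an exposed data extract: it flags which records contain the data-element combinations the slides list, and it computes the notification-delay penalty ceiling using the figures the slide gives ($100 per individual per day, capped at $250,000 per breach). This is an added example, not material from the presentation; the field names, the sample records and the simplifications (the record must carry a name to be "identifying") are constructed assumptions, and the rules encode only the slides' summary, not a full reading of the statute.

```python
"""Breach-scoping helper built around the data-element combinations summarised on
the slides above (name + SSN, name + DLN/Govt ID, name + account or card number +
access/security code, identifying info + health care or payment data) and the
notification-delay penalty figures ($100 per individual per day, capped at
$250,000 per breach). Added example, not part of the presentation; field names,
sample records and simplifications are constructed assumptions."""
from typing import Dict, List

Record = Dict[str, str]


def has_name(rec: Record) -> bool:
    """First name (or first initial) together with last name."""
    return bool(rec.get("last_name")) and bool(rec.get("first_name") or rec.get("first_initial"))


def spi_reasons(rec: Record) -> List[str]:
    """Return the reasons a record counts as sensitive personal information
    under the slide's summary; an empty list means no trigger."""
    reasons: List[str] = []
    named = has_name(rec)
    if named and rec.get("ssn"):
        reasons.append("name + SSN")
    if named and (rec.get("dln") or rec.get("govt_id")):
        reasons.append("name + DLN or government ID")
    # A card or account number alone is not enough on this summary; it needs
    # the access or security code that would permit use of the account.
    if named and (rec.get("account_number") or rec.get("card_number")) \
            and (rec.get("access_code") or rec.get("security_code")):
        reasons.append("name + account/card number + access/security code")
    # Health information is covered when the record identifies the individual
    # (simplified here to: carries a name) and describes care provided or payment.
    if named and (rec.get("health_care") or rec.get("health_payment")):
        reasons.append("identifying info + health care / payment data")
    return reasons


def scope_breach(records: List[Record]) -> Dict[str, List[str]]:
    """Map each affected record id to its SPI reasons; records with none are omitted."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = spi_reasons(rec)
        if reasons:
            flagged[rec["id"]] = reasons
    return flagged


def penalty_ceiling(individuals: int, delay_days: int) -> int:
    """Civil-penalty ceiling for a notification delay, per the slide:
    $100 per individual per day, not to exceed $250,000 for a single breach."""
    return min(100 * individuals * delay_days, 250_000)


# Constructed sample extract (not real data): the kind of table a responder pulls
# from an exposed database to decide whether notification duties are triggered.
SAMPLE_RECORDS: List[Record] = [
    {"id": "r1", "first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0001"},
    {"id": "r2", "first_name": "Bo", "last_name": "Kim", "card_number": "4111000000000002"},
    {"id": "r3", "first_name": "Bo", "last_name": "Kim", "card_number": "4111000000000002",
     "security_code": "123"},
    {"id": "r4", "first_initial": "C", "last_name": "Diaz", "dln": "D0000003"},
    {"id": "r5", "ssn": "000-00-0005"},  # SSN with no name attached: not flagged
    {"id": "r6", "first_name": "Eve", "last_name": "Park", "health_care": "visit 2015-03-01"},
]

if __name__ == "__main__":
    flagged = scope_breach(SAMPLE_RECORDS)
    for rid, why in flagged.items():
        print(rid, "->", "; ".join(why))
    print("penalty ceiling for a 30-day delay:", penalty_ceiling(len(flagged), 30))
```

Records r2 and r5 show the edge cases the slide's combinations imply: a card number without its access or security code, and an SSN with no name attached, do not by themselves meet the summary's definition, so a scoping exercise that counted every row with a card number would overstate the affected population.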
2013 Cost (pre-Target): $188.00 per record; $5.4 million = total average cost paid by organizations
2014 Cost: $201 per record; $5.9 million = total average cost paid by organizations
“The primary reason for the increase is the loss of customers following the data breach due to the additional expenses required to preserve the organization’s brand and reputation.” –Ponemon Institute 2014 Cost of Data Breach Study
Cost of a Data Breach
Blocking & Tackling –Most Common Breaches
Theft
Lost
Passwords
Phishing
Websites
Basic IT
Case Stories
Blocking & Tackling – Must Haves
Approved & Documented Basic IT Security
Basic Physical Security
Policies & Procedures Focused on Data Security:
• Company
• Workforce (Rajaee v. Design Tech Homes, Ltd.)
• Network
• Business Associates (Travelers Casualty v. Ignition Studio, Inc.)
Implementation & Training
Regular Reassessment & Update
Security Culture
Assess, Audit, Gap Analysis
Develop Strategic Plan
Implement & Execute Plan
Manage Response & Conflict
Reassess & Update
Protecting businesses' information
Protecting businesses from their information
Risk Compliance Program
• Login Credentials
• “You don’t drown from falling into the water”
• 25k v. 40m (T) / 56m (HD)
Newspaper Research
Email Scheduling Lunch With Client
Trial Exhibits
Draft of Plaintiff's Original Petition
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Formula for Coke
Let us think …
Protecting / Misusing / Responding
Data
Devices