Cyber Risk and Global Security Issues: is your business fully prepared

Thursday 2 October 2014

© Copyright 2014 by K&L Gates LLP. All rights reserved.



Identifying cyber risks and how they impact your business


The Spectrum of Cyber Attacks

- Advanced Persistent Threats (“APT”)
- Cybercriminals, Exploits and Malware
- Denial of Service attacks (“DDoS”)
- Domain name hijacking
- Corporate impersonation and Phishing
- Employee mobility and disgruntled employees
- Lost or stolen laptops and mobile devices
- Inadequate security and systems: third-party vendors


The Practical Risks of Cyber Attacks

- Loss of “crown jewels,” IP and trade secrets
- Compromise of customer information, credit cards and other PII
- Loss of web presence and online business
- Interception of email and data communications
- Loss of customer funds and reimbursement of charges
- Brand tarnishment and reputational harm
- Legal and regulatory complications


Advanced Persistent Threats

- Targeted, persistent, evasive and advanced
- Nation state sponsored
- P.L.A. Unit 61398 “Comment Crew”


Advanced Persistent Threats

The head of United States Cyber Command and director of the National Security Agency, Gen. Keith B. Alexander, has said the attacks have resulted in the “greatest transfer of wealth in history.”

Source: New York Times, June 1, 2013.


Advanced Persistent Threats

The Director-General of MI5 warned that one London business suffered £800 million in losses following an attack*

The UK’s National Security Council has judged that the four highest priority risks are currently those arising from:**

- International terrorism
- Cyber attack
- International military crises
- Major accidents or natural hazards

*Source: Cyber crime a global threat, MI5 head warns (2012) http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/9354373/Cyber-crime-a-global-threat-MI5-head-warns.html

**Source: A Strong Britain in an Age of Uncertainty: The National Security Strategy (October 2010)


Advanced Persistent Threats

A survey by anti-virus specialists Kaspersky found that cyber security measures taken by UK businesses were “woefully inadequate”

Only 25% of IT specialists thought that their company was completely protected from cyber threats - although can there ever be complete protection?

When questioned, 33% of IT managers did not know anything about the common cyber threats that have been targeting corporates

*Source: BCS – The Chartered Institute for IT - http://www.bcs.org/content/conWebDoc/49048


Advanced Persistent Threats

Penetration: 67% of organisations admit that their current security activities are insufficient to stop a targeted attack.*

Duration: average = 356 days**

Discovery: External Alerts; 55 percent are not even aware of intrusions*

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html

**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”


Advanced Persistent Threats: Penetration

- Spear Phishing
- Watering Hole Attack: rely on insecurity of frequently visited websites
- Infected Thumb Drive

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html

**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”


Advanced Persistent Threats

Target Profiles

Industry:

- Government
- Information Technology
- Aerospace
- Telecom/Satellite
- Energy and Infrastructure
- Engineering/Research/Defense
- Chemical/Pharma

Activities:

- Announcements of China deals
- China presence


Cybercriminals, Exploits and Malware


- 60,000 known software vulnerabilities
- 23 new zero-day exploits in 2014

Risk = threat + vulnerability


Ransomware

- CryptoLocker
- UK Law Enforcement


Inadequate security and systems: third-party vendors

- Vendors with client data
- Vendors with password access
- Vendors with direct system integration
- Point-of-sale


Cybercriminals, Exploits and Malware

In the UK, a government report found that the cost of cyber security breaches nearly doubled in 2013*

For large organisations the worst breaches cost between £600,000 and £1.158 million (up from £450-£850k a year ago)

*Source: UK Government press release, 29 April 2014 https://www.gov.uk/government/news/cost-of-business-cyber-security-breaches-almost-double


Cybercriminals, Exploits and Malware

- Cost Per Record: $158
- Notification Costs: $509,000
- Post-Breach Costs: $1.6M
- Business Loss: $3.3M

*Source: Symantec Internet Security Trend Report 2014


Dangers of new and emerging risks


Cloud Computing Risks

- Exporting security function and control
- Geographical uncertainty creates exposure to civil and criminal legal standards
- Risk of collateral damage


Mobile Device Risks

- 52% of mobile users store sensitive files online
- 24% of mobile users store work and personal info in same account
- 21% of mobile users share logins with families
- Mobile malware: apps
- Insufficient mobile platform security


Social Media Risks

Consumer harm and reputational damage


Example – “Peter Pan virus” phishing email (September 2014)

- Email purportedly came from real company BH Live
- Ticketing and entertainment company based in Bournemouth
- Claimed recipients had tickets to see Peter Pan
- Invited people to open attached e-tickets
- Opening attachment may have downloaded viruses
- BH Live inundated with phone calls from worried recipients


Protection and Risk Mitigation


WHY MITIGATE CYBER RISK?

Consequences of a cyber attack could be catastrophic. Consider:

- How long could a business that relies on internet sales survive if no one could access its website?
- What would be the impact on its sales if no one was prepared to enter their credit card details?


LEGAL CONSEQUENCES

The Data Protection Act 1998 (“DPA”) requires the data controller to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, destruction or damage of personal data.

Regulatory penalties may be imposed on the company for breach of the DPA including:

- Fines;
- Enforcement notices; and
- Director disqualification

Personal data owners may claim compensation from the data controller for such breaches under the DPA.


PRACTICAL CONSEQUENCES

Just as important to a company subject to a cyber attack are the practical consequences of such an attack for the business.

Loss of customer information, credit card details and other personal information. Data owners seek compensation from a business under the Data Protection Act, especially if the hacker cannot be identified.

Prevention of sales. Retailers with an online presence that are subject to a Denial of Service attack lose customers to competitors. You may eventually get your site back up, but will the customer be back?

This risk is heightened at times of traditionally high online sales.


PRO-ACTIVE MANAGEMENT AT BOARD LEVEL

Not an IT problem - board level support is required to ensure that the resources both in time and capital are expended.

Ensure that a cybercrime management policy is part of the company’s governance framework and that this is given the same level of attention as financial and other risk management regimes.


PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (2)

How would the board answer the following questions:

- What strategy did you have in place to prevent this cyber attack from happening?
- Who was responsible for the strategy?
- What was done in advance to limit the damage from attacks of this nature?


PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (3)

Basic information risk management will highlight potential cyber attacks, allowing a board to see what constitutes the most potent risks to the company.

Understand:

- what data you hold
- how sensitive the data is
- which systems control the management of key information
- how critical the information is to the management of the business


ENSURING INTERNET SAFETY AND NETWORK SECURITY

Methods to reduce cyber risk include:

- Mobile working - ensure that a mobile working policy is in place to ensure the security of documents away from the office.
- Control access to removable media such as memory sticks and removable hard drives and avoid their use where possible, especially with regards to storage of sensitive data. All removable data should be encrypted.
- Establish a policy on appropriate use and educate staff regarding the appropriate way to use the company’s IT systems.
- Implement an incident response plan to ensure effective response to a cyber attack.


ENSURING INTERNET SAFETY AND NETWORK SECURITY (2)

- Create an incident management team that can carry out this process and provide it with specialist training.
- Control and limit access - only allow employees access to the information they require to carry out their roles.
- Scan all media before incorporating them into IT systems to detect any malware.
- Monitor ICT systems for unusual activity.
- Implement malware protection in all business areas and produce a policy on dealing with any malware issues.
- Install security patches.
- Implement basic security controls on networks.
- Ex-employees should immediately be denied access.


ADEQUATE TRAINING AND INTERNAL PROCEDURES

A cyber attack can take many forms including deliberate attacks, technology issues or simple human error or negligence.

Every company has a cyber defence weak spot in its own employees.

An adequate defence system protecting a company from cyber attacks should not only have the relevant defences and policies in place, but staff must be trained on the relevant policies.


ADEQUATE TRAINING AND INTERNAL PROCEDURES (2)

- Implement staff training and clear mechanisms for staff to report concerns regarding other members of staff’s non-compliance with policies.
- Not knowing what devices are held significantly increases a company's cyber risk profile.
- Every company should draft and implement a home and mobile working policy, and train staff to adhere to it.


ONGOING MANAGEMENT

Planning and analysis of risk serves no purpose unless a company also properly implements its findings.

As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defences and re-evaluate the threats pertinent to their business.


IMMEDIATE DAMAGE TO REPUTATION

Cyber attacks naturally affect customer confidence, especially when customer information or funds are stolen.

Exacerbated by online communication forums that spread news of such an attack

Crisis management costs include:

- Informing affected customers;
- PR campaigns to restore reputation;
- Management time;
- Retrieving data;
- Suspending customer access to data and websites where relevant;
- Forensic investigation of the attack; and
- Repairing cyber defences.


IMMEDIATE DAMAGE TO REPUTATION (2)

82% of the UK public would stop dealing with an organisation if their online data was breached (Unisys survey, 2011)

Brand damage may also come in the form of intellectual property infringement with fake websites or counterfeit products sold online.

IP theft can result in loss of first-to-market advantage and a consequential loss of competitive advantage.


POSSIBLE LONG TERM IMPACT ON BUSINESS STRATEGY AND FINANCIAL STABILITY

Research and development may be scaled back to preserve current financial stability or because frequent IP theft has made it unprofitable.

Businesses may shy away from exploiting the online market for fear of incurring another costly cyber attack


A GROWING ISSUE

Consumers are becoming increasingly receptive to interacting with businesses online

As customer interaction with online technology grows, so too does their disclosure of sensitive, personal information.

A cyber attack that results in a loss of customer information can cause huge reputational damage

The prominence of social media and the speed at which information can be disseminated can cause reputational damage at an unprecedented speed.


Personal Data Breaches and Notifications – a U.S. Perspective


LEGAL AND REGULATORY FRAMEWORK

Federal Privacy Laws

- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH)
- Fair Credit Reporting Act/The Fair and Accurate Credit Transactions Act
- Federal Trade Commission Act

State Privacy Laws/Consumer Protection Statutes: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

SEC Cybersecurity Guidance

NIST Cybersecurity Framework

Payment Card Industry Data Security Standards (PCI DSS)

FEDERAL PRIVACY LAWS

Gramm-Leach-Bliley Act

U.S. financial services organisations “shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” (15 U.S.C. §6801.)

FEDERAL PRIVACY LAWS

HIPAA

“A covered entity or business associate must, in accordance with §164.306 [“Security standards: General rules”] … [i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart….” (45 C.F.R. §164.316(a).)

HITECH

“A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information … shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.” (42 U.S.C. §17932.)


FEDERAL PRIVACY LAWS

Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act

“It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilisation of such information in accordance with the requirements of this subchapter.” (15 U.S.C. §1681.)

Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft (16 CFR § 681.1.)


FEDERAL PRIVACY LAWS

Federal Trade Commission Act

Section 5 empowers the FTC to “prevent . . . unfair or deceptive acts or practices in or affecting commerce”:

The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. § 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. § 227(b) ], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce. (15 U.S.C.A. § 45(a)(2).)


STATE PRIVACY LAWS/CONSUMER PROTECTION LAWS

Pennsylvania: Breach of Personal Information Notification Act

“(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. … [T]he notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.” (73 P.S. § 2303(a).)

“The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation


SEC CYBERSECURITY GUIDANCE

“[A]ppropriate disclosures may include”:

- “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
- “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
- “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
- “Risks related to cyber incidents that may remain undetected for an extended period”; and
- “Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

NIST CYBERSECURITY FRAMEWORK

NIST Cybersecurity Framework—provides a common taxonomy and mechanism for organisations to:

- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.

The Framework is voluntary (for now)

NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

85% of security budgets currently go here

According to Gartner: By 2020, 75% of security budgets will go towards detection and response


PCI DSS

“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”


TRENDS—ARTICLE III STANDING—CLAPPER


TRENDS—ARTICLE III STANDING—GALARIA

Page 59: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—ARTICLE III STANDING—NEIMAN MARCUS

59

Page 60: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—ARTICLE III STANDING—SONY

60

Page 61: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—ARTICLE III STANDING—MICHAELS STORES

61

Page 62: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—ARTICLE III STANDING—ADOBE

62

Page 63: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—SHAREHOLDER LITIGATION—TARGET

63

Page 64: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—SHAREHOLDER LITIGATION—WYNDHAM

64

Page 65: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—FTC REGULATORY ACTION—WYNDHAM

65

Page 66: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—FTC REGULATORY ACTION—WYNDHAM

66

Page 67: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government

TRENDS—SEC—“THE NEW SHERIFF”

67

Page 68

Personal Data Breaches and Notifications – a UK perspective

Page 69

LEGISLATIVE REQUIREMENTS

Directive 95/46/EC transposed into UK law by the Data Protection Act 1998: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. (Part 1(7), Schedule 1 to DPA) – 7th principle.

No prescriptive requirements, unless sector specific regulation. No “one size fits all” but three principles:

1. Risk assessment – what is appropriate given type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from breach.
2. Reliability of employees
3. Vet your data processors – written contracts

Guidance from regulator (UK Information Commissioner’s Office):
- Encryption? Data storage vs. transmission.
- International Standard 27001 / Cyber Essentials Scheme.
- Anonymisation? Data Sharing Code of Practice
- Internal policies – IT Internet use / data retention and destruction / data security / training
- Processes and security protocols – staff vetting and access control
- Disposal (CESG approved?) / decommissioning
- Software Updates (remedy vulnerabilities) / SQL Injections (high risk)
- Authentication / hashing / salted hashing

Page 70

DO WE NEED TO NOTIFY TO UK ICO?

What sector are you in? PECR 2003 - Notifications only compulsory for “publicly available electronic communication services” – same across all of EU – i.e. telecoms / ISPs. 24 hours after breach detection.

Everyone else – no legal requirement, but ICO guidance. Should notify if “serious”. Overriding consideration: potential harm to individuals. Can mitigate fines vs danger of over-notifying.

Notify data subjects? Do they need to take steps to protect themselves?

Contractual obligation to notify? Public sector bodies may have own requirements – health service organisations – IG Toolkit Incident Reporting Tool. Financial institutions – FCA / FMSA. Police / insurers / professional bodies / bank or credit card companies.

Page 71

UK ICO ENFORCEMENT

- Make assessments (re-active or pro-active)
- Serving Information Notices / Special Information Notices
- Enforcement Notices
- Powers of entry, inspection, seizure of documents / equipment
- Fines of up to £500,000 – serious breaches: “contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it”. (s.55(A) DPA).
- Selective enforcement / limited resources
- Individual has a direct right of action and right to compensation
- Criminal offences – failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).

Page 72

ENFORCEMENT TRENDS

Leading video games provider (Jan 2013)
- Network platform subject to several DDoS (“distributed denial of service”) attacks
- Hacker accessed customer details and passwords (no cardholder information)
- 100 million customers thought to be affected.
- Data Controller didn’t keep up to date with technical developments.
- Didn’t deal with system vulnerabilities even though update available
- Didn’t use cryptographic controls for passwords
- History of attacks but still used platform to hold vast amounts of personal data
- Didn’t react quickly enough
- Voluntarily reported (mitigating factor)
- £250,000 fine
- Internal cost to Data Controller thought to be in region of $171 million.

Booking agent for travel services (Dec 2012)
- SQL Injection attack, allowed hacker to access over 1 million card payment details (half of which were active).
- Data Controller ran no penetration tests / vulnerability scans and checks on basis webserver was not external facing (but could still be accessed over internet by individuals with basic technical skills)
- No evidence of actual harm / fraud
- Voluntarily reported (mitigating factor)
- £150,000 fine.

Page 73

APRIL – MARCH 2014

Page 74

APRIL – MARCH 2014

Page 75

FUTURE DEVELOPMENTS

- CESG (information security arm of GCHQ) - 80% of known attacks defeated by basic security practices
- Nov 2011 - Cyber Security Strategy produced. Set agenda for 2015. Set up National Cyber Security Programme (NCSP) with £650 million funding for four years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec 2013. Most recent progress published on 10 Sep 2014.
- September 2012 - BIS issued guidance for companies
- 5 Jun 2014 - New ISO Standard – based on ISO27000. Certification to demonstrate that industry-minimum cyber security measures adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified.
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field – as will be required under upcoming European Cyber-Security Directive.
- No UK specific legislation on horizon – but watch out for European Data Protection Regulation and Network and Information Security Directive.

Page 76

Personal Data Breaches and Notifications – a German perspective

Page 77

LEGISLATIVE REQUIREMENTS

Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG)

Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular:

1. Access control: Preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
2. Disclosure control: Ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency about which bodies data will be transferred to.
3. Input control: Ensuring possibility to trace alteration or deletion of data.
4. Job control: Ensuring, in case of commissioned data processing, compliance with the controller’s instructions
5. Availability control: Ensuring personal data is protected against accidental destruction or loss

Page 78

WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT?

General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG):
- Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
- Threatening serious harm to the rights or legitimate interests of data subjects

Information to DPA:
- Without undue delay
- Nature of the disclosure and possible harmful consequences

Information to Data Subject:
- Without undue delay, as soon as data is secured and criminal investigation is not endangered
- Nature of the disclosure; recommendations to minimise possible harm

Page 79

ENFORCEMENT BY THE DPAS IN GERMANY

German DPAs may (Sect. 38 BDSG):
- Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter the property and premises for inspections
- Notify data subjects in case of violation and report to prosecution authorities
- Order measures to remedy violations (e.g. prohibiting data processing)
- Raise fines up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

Page 80

ENFORCEMENT TRENDS

- There still is no common code of practice among DPAs, which leads to varying practices in different German states (“Länder”).
- In the past, German DPAs were not very strict in enforcing data protection laws by raising fines.

Example 1: Google StreetView (2008-2010):
- Google provides panorama pictures for ‘Street View’
- While taking these pictures, surrounding WiFi data were scanned accidentally
- Competent DPA (Hamburg) raised fine of EUR 145,000

Example 2: AOL Server Breakdown (2014):
- Server Breakdown caused a leak of 500,000 user access data sets
- Stolen data was used for spam-mail wave
- Provider did not notify breach to DPA but informed users
- Presumably no action by competent DPA

Page 81

NUMBERS AND TABLES

- No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared
- Statement of Federal Commissioner for Data Protection: March 2011 – October 2013: 501 notifications in total
- TelCom Sector: 2012: 27 notifications; 2013: 66 notifications

Page 82

FUTURE DEVELOPMENTS

- Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector
- Legislative framework: Draft version of a German Regulation for IT-Security; Draft EU Regulation

Page 83

Personal Data Breaches and Notifications – A French perspective

Page 84

LEGISLATIVE REQUIREMENTS

- Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978
- Directive 2009/136/EC “ePrivacy” implementing data breach requirements in August 2010

“Breach of personal data” - The French definition and scope: Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public.

Data breach notifications are only required from telco operators and internet access providers: For any breach of personal data processed “by electronic communication service providers operating electronic communication networks with open public access.”

Page 85

LEGISLATIVE REQUIREMENTS

Two categories of notifications

1. To the French DPA
- Within 24 hours of the effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data. Notify at least the existence of the breach.
- Within 72 hours of the effective knowledge, through an electronic procedure, describing the breach in detail: Categories of data breached, Origin, specificities and duration of the breach, Security measures and patches implemented, Potential impact on the privacy of the “affected parties”, Spontaneous information of the “affected parties”.

Page 86

LEGISLATIVE REQUIREMENTS

Two categories of notifications

2. To the “affected parties”
- If said breach is likely to compromise personal data security or the privacy of a subscriber or any other individual.
- Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individuals and have been applied to the data affected by said breach.
- Failing this, the French DPA may serve the service provider with a formal notice to inform the “affected parties” as well, after investigating the severity of the breach.

Page 87

LEGISLATIVE REQUIREMENTS

Recording of all breaches: Each provider of electronic communication services must keep and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and measures taken as remedies.

Page 88

ANALYSIS PERFORMED BY THE FRENCH DPA

The DPA has up to two months to:
- Consider the potential impacts of the breach on data security and privacy protection;
- Estimate whether security measures implemented before the breach were appropriate;
- Evaluate whether information measures taken towards the "affected parties" were sufficient.

Page 89

ENFORCEMENT

The DPA may:
- Require the company (Telcos and ISPs) to inform “affected parties” or the general public.
- Apply any administrative fine up to €150,000, after an adversarial public or closed procedure where the company may be assisted by its counsel.
- Publish a description of the breach: on its website, or on any appropriate medium at the company’s expense.
- Publish whole or part of the ruling against the company on its website, or on any appropriate medium at the company’s expense.

Page 90

ENFORCEMENT

As of now:
- 7 condemnations in 2013
- 16 between January and September 2014
- Fines between €20,000 and €150,000 (max.)
- The French DPA has systematically been publishing its rulings regarding data breaches

Next year: A draft bill will be discussed starting January 2015:
- extending data breach notification requirements to any data controller or processor, in any sector (public or private)
- providing for penalties up to €1,000,000, or 2% of the global annual turnover, whichever is the highest.

Page 91

New Draft EU Data Protection Regulation – Mandatory Data Breach Notification

Page 92

INTRODUCTION

Draft EU Data Protection Regulation COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); draft version published by Commission in 2012, adopted by European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC

What are the goals?
- Protection of individuals with regard to the processing of personal data
- Free movement of personal data
- Protection of the fundamental rights and freedoms of natural persons

Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; co-operation and consistency; remedies, liability and sanctions

Page 93

THE "DATA BREACH" REGULATION 2013/611

- “Electronic communications service providers” must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.
- The notification requirement targets Internet service providers and telco operators. Email service providers are not impacted… yet.
- The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016)
- Non-compliance with the notification requirement is subject to criminal sanctions

Page 94

MANDATORY NOTIFICATION OBLIGATION - DETAILS

Art. 31: Notification
- Who has to notify? All data processors and commissioned data processors
- To whom? Data processors to the competent DPA; commissioned data processors to data processor
- Reason? Personal data breach

Art. 32: Communication
- Who has to communicate? All data processors
- To whom? Data subject
- Reason? Personal data breach is likely to adversely affect the protection of personal data or privacy

Page 95

MANDATORY NOTIFICATION OBLIGATION - DETAILS

Art. 31: Notification
- When has to be notified? Without undue delay and where feasible not later than 24 hours after having become aware of the breach
- What has to be notified? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects

Art. 32: Communication
- What has to be communicated? Nature of the breach and measures to mitigate the possible adverse effects
- When has to be communicated? After notification to DPA, without undue delay

Page 96

ENFORCEMENT

- Competent supervisory authority may sanction administrative offences
- Amount of fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority
- Fine can be fixed up to EUR 100,000,000 or 5 % of annual worldwide turnover, whichever is higher

Page 97

Maximising insurance coverage for cyber risks

Page 98

AGENDA

- What do Cyber Policies Actually Cover? The Types of Risk Covered; What About the Risk Associated With Vendors/Outsourcing? What About Paper Records?
- Can We Not Simply Rely On The Coverage Provided by Existing Policies? Potential Coverage; The Limitations of “Legacy” Policies
- Questions for Any Insured Thinking Of Taking Out Cyber Cover
- What Happens in the Event of a Claim or Investigation Which Impacts the Policy?
- Conclusion And Takeaways

Page 99

What do cyber policies actually cover?

Page 100

Page 101

THE TYPES OF RISK COVERED

- Privacy And Network Security: Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
- Regulatory Liability: Provides coverage to deal with regulators and liability arising out of administrative or regulatory investigations, proceedings, fines and penalties
- Crisis Management: Provides coverage for forensics experts to determine the cause of the breach, notify individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities
- Media Liability: Provides coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking)

Page 102

THE TYPES OF RISK COVERED

- Network Interruption And Extra Expense (and CBI): Coverage for lost business income and extra expense caused by malicious code, DDoS attacks, unauthorised access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken).
- Information Asset Coverage: Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
- Extortion: Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat).
- Emerging Market For First-Party Property Damage
- Emerging Market For Third-Party Bodily Injury and Property Damage Coverage

Page 103

THE TYPES OF RISK COVERED—A TARGET INCIDENT

- Defense And Indemnity For Claims
- Regulatory Defense, Fines And Penalties
- Crisis Management

Page 104

Page 105

Page 106

Can we not simply rely on the coverage provided by existing policies?

Page 107

POTENTIAL COVERAGE

- Directors’ and Officers’ (D&O)
- Errors and Omissions (E&O)/Professional Liability
- Employment Practices Liability (EPL)
- Fiduciary Liability
- Crime: Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
- Property?
- Commercial General Liability (CGL)?

Page 108

POTENTIAL COVERAGE

Coverage B provides coverage for damages because of “personal and advertising injury”

“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
- What is a “Person’s Right of Privacy”?
- What is a “Publication”?

Page 109

LIMITATIONS OF “LEGACY” POLICIES

Page 110

LIMITATIONS OF “LEGACY” POLICIES

Page 111

LIMITATIONS OF “LEGACY” POLICIES—SONY

Page 112

STATE OF THE UK CYBER INSURANCE MARKET

Page 113

THE CHANGING "TRADITIONAL CYBER" MARKET

- Recognition of need for a specialist market
- First Cyber policy AIG 1997
- Emergence of Lloyd’s Syndicates in 2000s
- 2008 Growth - 36 Insurers writing US domiciled business
- 18 Insurers/MGA writing UK domiciled business
- More joining, but question on capability
- Move from a policy to a service proposition – but why? Attritional loss concern

Page 114

WHAT UK COMPANIES ARE CURRENTLY PURCHASING?

- Data owners – retail, financial institutions
- Network dependent – hospitality, retail
- Those able to financially quantify a loss
- Toe in the water v Catastrophic
- Confusion about what to buy – security/privacy, breach, cyber business interruption

Page 115

QUESTIONS FROM INSUREDS THINKING OF TAKING OUT CYBER COVER

Page 116

COMMON QUESTIONS

- What disclosures are required in terms of IT and Network security?
- As such a new market, you cannot have had any claims?
- Do the policies vary much in terms of coverage?
- To what extent can we amend the policy wordings?
- How much limit is available? / What limit should we purchase?

Page 117

What happens in the event of a claim or investigation which impacts the policy?


THE IMPORTANCE OF PROMPT NOTICE

Notification to insurers may seem a "low agenda" item in the event of a data breach or cyber attack, BUT most cyber policies impose time restrictions regarding notification of claims or events to insurers
These can vary from a specified time limit to "immediately" or "as soon as practicable"
Compliance with notice provisions is essential to avoid potential denials of cover


THE IMPORTANCE OF PROMPT NOTICE (continued)

Many cyber policies provide for notification of potential claims or circumstances
This can prove beneficial to the insured, as it operates as an extension of cover
It also avoids potential gaps in cover at renewal
Crystal ball gazing: a real risk of a claim or loss (not remote or fanciful)
Particular issues in the cyber context: discovery, awareness and communication


CLAIMS CO-OPERATION

Cyber policies typically impose an express obligation on the insured not (without the prior consent of the insurer) to:
incur defence costs
settle any claim
make any admissions of liability
Another reason prompt notification is essential
Many policies also impose an express duty to mitigate
Reinforces the need for a pro-active approach to cyber risk


CONDUCT AND DEFENCE OF CLAIMS

Cyber policies typically provide for the insured to conduct, and to co-operate with the insurer in, the defence and management of any claim, investigation or event
BUT many policies are silent as to choice of law firm, or provide for the insurer's own panel firms
Consider reserving the right to appoint your own choice of firm, or agreeing suitable firms up front
Selection of lawyers is an important issue in the cyber context: most claims require specialist legal counsel with particular experience in this area

TAKE-AWAYS

More traditional policies are unlikely to provide sufficient cover for cyber risks
Consider the need for specific cyber insurance
Adopt a pro-active approach both to mitigating risk and to assessing adequacy of cover
Identify suitable legal counsel at an early stage
Avoid delays in notification which can jeopardise insurance cover


ANY QUESTIONS?
