cybersecurity: risks, responsibilities, corporate governance


Page 1: Cybersecurity: Risks, Responsibilities, Corporate Governance

BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

Cybersecurity: Risks, Responsibilities, Corporate Governance
Ed McNicholas
[email protected]
www.Sidley.com/Infolaw

Page 2

Cybersecurity Outline
• What does cybersecurity cover?
• Recent incidents that could worry companies
• Laws, regulations, policies and US Government expectations on cybersecurity
• Data security and data breach laws regarding personal information
• Enhancing cybersecurity governance and internal controls
• What should GCs do about legal exposure?

Page 3

New York Times: “Universities Face a Rising Barrage of Cyberattacks”
July 16, 2013, by Richard Pérez-Peña

• “America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly. . . .”
• “University officials concede that some of the hacking attempts have succeeded. . .”
• “They acknowledge that they often do not learn of break-ins until much later, if ever, and that even after discovering the breaches they may not be able to tell what was taken. . .”

Page 4

What Does Cybersecurity Cover?

Page 5

Explaining Cybersecurity
• “National security” dimension includes:
– Defense industrial base
– Critical infrastructure (finance, communications, power, food, supply chain transport, etc.)
– Well-ordered functioning of society (government, police, hospitals, commuting transport, schools, etc.)
– Economic strength and competitiveness (business)
• Corporate IP, trade secrets and company data
• Company websites, networks and databases
• “Data security” dimension includes:
– Personal information of consumers, employees, etc.
– Customer account information
– Data breach notifications

Page 6

What’s at Stake?
• Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
• Account information; personal information; access to accounts
• Disruption of business; denial of service; cyber-extortion
• Derailed acquisition when the deal team at a law firm is hacked
• Debilitating impact on critical infrastructure and essential services
• Communication systems
• Supply chain management
• SCADA (supervisory control and data acquisition):
– industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes

Page 7

What Data and Information Need Protecting?
• Students / Consumers
• Employees
• Account holders
• Online advertising and e-commerce data
• Credit cards
• Company IP, secrets and networks
• Transactional, negotiations and corporate records
• Cross-border data
• Corporate reputation

Page 8

Who Could Hurt You?
• Cyber-crooks
• State-sponsored actors and foreign agents
• Social hacktivists
• Faithless insiders and former employees
• Consumer activists
• Careless colleagues not complying with policies
• Colleagues bringing their own devices (BYOD)
• Careless service providers and vendors
• Competitors?

Page 9

Who Wants to Hold You Accountable?
• FTC, State AGs, CFPB, HHS/OCR, Department of Education
• SEC
• White House, DHS, FBI
• NLRB, unions, worker councils
• Congress
• Class action lawyers
• Audit committees
• Shareholders
• Media
• European regulators and data protection authorities (“DPAs”)

Page 10

Some Recent Incidents that Could Worry Companies

Page 11

Cyber-attacks Continue
• March 2013: South Korean banks and broadcasters attacked (North Korea suspected)
• Feb. 2013: Facebook, Apple, Microsoft and Twitter disclose hacks; 250,000 Twitter user names/emails accessed
• Feb. 2013: Federal Reserve Board hacked by Anonymous via a vulnerability in a vendor product
• Feb. 2013: New York Times, Wall Street Journal, Washington Post reveal penetration by China
• Jan. 2013: DDoS attacks against JPMorgan, Bank of America, Citigroup, etc.; Iranian retaliation suspected
• August 2012: 30,000 Saudi Aramco computers wiped clean of all data by the “Shamoon” virus; corporate logo replaced with a burning American flag; Iran suspected
• May 2012: DHS announces ongoing, coordinated cyber attack on control systems of U.S. gas pipelines
• Stuxnet (identified 2010) and Flame (identified 2012) attack Iran (SCADA sabotage and data extraction, respectively)

Page 12

Laws, Regulations, Policies and US Government Expectations on Cybersecurity

Page 13

The President on Cybersecurity
• President Obama, State of the Union (Feb. 2013):
– "We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”
– “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
• The “cyber threat is one of the most serious economic and national security challenges we face as a nation…America's economic prosperity in the 21st century will depend on cybersecurity”

Page 14

US Perspectives on Cybersecurity
• “Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets.”
• “Cyber tools have enhanced the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools is already a larger threat than more traditional espionage methods.”
• “Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries [especially China and Russia].”

Source: Report from the Office of the National Counterintelligence Executive (NCIX), October 2011

Page 15

Cybersecurity Executive Order 13636 and Presidential Policy Directive 21 (Feb. 12, 2013)
• Congressional stalemate led to Executive Order 13636:
– Development of the NIST “Cybersecurity Framework” and programs to encourage voluntary adoption of the framework
– DHS designation of critical infrastructure (CI) companies at greatest risk (with right of reconsideration)
– Creation of regulatory standards by agencies with statutory authority
– Increased threat information sharing with CI operators
• Presidential Policy Directive 21 (PPD-21, Feb. 12, 2013) names 16 critical infrastructure sectors
– CI sectors and their designated Sector-Specific Agencies (SSAs) are: Chemical (DHS); Commercial Facilities (DHS); Communications (DHS); Critical Manufacturing (DHS); Dams (DHS); Defense Industrial Base (DoD); Emergency Services (DHS); Energy (Department of Energy); Financial Services (Treasury); Food and Agriculture (Department of Agriculture (USDA) and Department of Health and Human Services (HHS)); Government Facilities (DHS and General Services Administration); Healthcare and Public Health (HHS); Information Technology (DHS); Nuclear Reactors, Materials, and Waste (DHS); Transportation Systems (DHS and Department of Transportation); and Water and Wastewater Systems (Environmental Protection Agency)

Page 16

Primary (Existing) Enforcement Statutes
• Computer Fraud and Abuse Act of 1984 (CFAA)
– Prohibits certain attacks on computer systems used in interstate and foreign commerce
– Criminal and civil penalties for unauthorized access and wrongful use of computers and networks
• Electronic Communications Privacy Act of 1986 (ECPA)
– Prohibits interception of wire, oral, or electronic communications unless an exception applies
– Establishes rules that law enforcement must follow to access data stored by service providers (electronic communication services (ECS) and remote computing services (RCS)), e.g., search warrants, court orders and subpoenas

Page 17

SEC Cybersecurity Guidance
• Division of Corporation Finance disclosure guidance issued Oct. 13, 2011 (in response to Sen. Rockefeller)
– 4/9/13: New Rockefeller letter seeking formal rules
• Guidance characterizes cyber-attacks as targeting:
– Financial assets, intellectual property, other sensitive information
– Customer or business partner data
– Disruption of business operations
• Disclose cyber-risks if they “are among the most significant factors that make an investment in the company speculative or risky”
– Consider frequency of prior incidents and the probability and potential harm of future incidents
– Avoid generic language

Page 18

SEC Guidance
• Determine cybersecurity risks based on frequency of prior incidents and probability and potential harm of future incidents
• “[A]dequately describe the nature of the material risk and specify how each risk affects the registrant,” avoiding generic language
• At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures

Page 19

SEC Cyber-Comment Letters
• In 2012, following the hack of Amazon’s Zappos servers (involving theft of 24 million customer names and e-mails), the SEC asked Amazon to “expand [cybersecurity] risk factor to disclose that you have experienced cyber-attacks and breaches” and “to describe [risks of] third-party technology and systems”
– SEC had disagreed with Amazon’s view that the hack was not significant enough to be covered by the SEC Cybersecurity Guidance
• Google, AIG, Hartford Financial Services Group, Eastman Chemical, and Quest Diagnostics were also asked by the SEC in 2012 to expand cybersecurity disclosures

Page 20

Federal Financial Institutions Examination Council (FFIEC)
• 2011 Supplement to the Authentication in an Internet Banking Environment guidance, specifically targeting cybersecurity:
– Enhanced risk assessments: banks should update risk assessments at least annually
– Layered security controls: should not rely on static challenge questions to protect customer data. Layered security measures should be implemented based on the dollar amount and complexity of the transaction
– Fraud detection and monitoring: fraud detection measures can be manual or electronic. People, processes or platforms can be used to detect anomalies
– Out-of-band transaction confirmation: an additional layer of security, with the authorization coming from outside the channel where the transaction originated (so a compromised browser session alone cannot approve a transfer)
– Heightened education initiatives: many security breaches can be avoided simply by educating the relevant parties in how to prevent and detect security breaches. Special attention was given to customer education

Page 21

Data Security and Data Breach Laws on Personal Information

Page 22

Data Breach and Data Security Laws
• State data breach notification laws re: personal information
– 46 states, DC, Puerto Rico, the Virgin Islands, and Guam have breach notification requirements
– Some states require prompt reporting to government agencies (e.g. Puerto Rico: 10 days; VT: 14 business days)
– Triggers vary from “risk of harm,” to “compromise,” to mere acquisition of data
• State data security laws re: personal information
– E.g., Massachusetts requires a comprehensive written information security plan with specific, detailed requirements
• Federal requirements regarding safeguarding personal information and responding to data breaches
– Communications Act, GLBA, HIPAA
– Federal data breach legislation possible

Page 23

Enhancing Cybersecurity Governance and Internal Controls

Page 24

Data Security: On the Corporate Radar?
• FTI Consulting/Corporate Board Member Survey:
– Data security is a top legal concern in 2012 for both Directors and General Counsel
• The percentage of Directors and GCs concerned re: data security has doubled since 2008
– The median annualized cost of cyber-crime per company averaged $5.9 million
– But: only 42 percent of survey participants said their company had a data crisis management plan in place

Page 25

Corporate Practices on Cybersecurity: Report Suggests Lack of Board Involvement

Boards of Financial Sector Companies
– 42% rarely or never review annual privacy/security budgets
– 39% rarely or never review roles and responsibilities
– 56% do not actively address computer/information security
– 52% do not review cyber insurance

Source: Governance of Enterprise Security: CyLab 2012 Report

Page 26

Enhance Board/CEO Attention
• Review and refine information governance structure
– Assign distinct board committee responsibility for cybersecurity, data protection and information privacy; establish expectations for management; require ongoing reporting regarding information risks and controls; review top-level policies
– Assign C-level management responsibility, accountability and reporting obligations; provide adequate budget and operational resources; authorize involvement in industry/government information sharing
– Consider appointing a CISO (chief information security officer) and a CPO (chief privacy officer)
– Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness
• Evaluate cyber-insurance coverage

Page 27

Enhance Board/CEO Attention – cont’d
• Develop cybersecurity and data protection risk assessment
– Understand system and network vulnerabilities; plan for possible “persistent” threats
– Understand exposure of essential or valuable information and communication assets
– Understand exposure to third parties and service providers (includes cloud providers and law firms)
– Consider possible counter-measures to disrupt attacks
• Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations
– Address legal compliance and reporting responsibilities
– Consider SEC issues
• Engage IT and audit experts; test systems

Page 28

What Should General Counsels Do About Legal Exposure?

Page 29

Managing Cyber Risks
• Commission and review risk assessments
• Identify legal and business obligations
• Monitor legal and policy developments
• Address participation in industry and private sector initiatives
– DHS’s US-CERT and the CERT Coordination Center (CERT/CC) at Carnegie Mellon’s Software Engineering Institute
– Information Sharing and Analysis Centers (ISACs)
– Current ISACs by sector: communications, financial services, electricity, IT, surface transportation, public transit, water, multi-state
– Goals: risk mitigation, incident response, alert and information-sharing

Page 30

Managing Cyber Risks -- Cont’d
• Develop cooperative relationship with key regulators for optimal information sharing
• Examine incident response and notification procedures
• Prepare for involvement of law enforcement/FBI/DHS
• Inform investors of materiality of cybersecurity risks
• Prepare for technical and legal responses
• Identify resources in advance
• Ensure appropriate insurance
• Report regularly and follow up at Board and CEO level

Page 31

Lawyer To-Do List For Cybersecurity
• Overall legal compliance
• Oversight and readiness for incident response
– Have you vetted and tested your response ability?
• Analyzing and explaining the complex legal environment
• Coordination of relationships with government
• Development of standards and internal policies
– Does your organization learn lessons?
• Managing protections and obligations in contracts, customer and vendor relationships
• Assessing insurance options and protections
• Addressing “Hack Back” options
• Managing legal/reputational issues
– Fourth Amendment: Corporate agents of the government?
– Privilege and selective waivers
– Securities issues

Page 32

Cybersecurity Insurance
• SEC Guidance calls for a “[d]escription of relevant insurance coverage.”
• Most commercial insurance policies do not cover cyber losses.
• Cybersecurity insurance falls into two categories:
– First-party coverage for damages directly associated with intellectual property theft, data loss and destruction, hacking, and denial-of-service attacks, including the immediate technical and forensic expenses
– Third-party coverage for public relations services, legal expenses arising from lawsuits brought by customers or third-party businesses, credit monitoring for affected individuals, and associated penalties and fines
• Insurers require sufficient documentation or audits demonstrating that technology solutions have been implemented.
• Discounts go to those who are better secured.

Page 33

Costs of Intrusion
• Investigation, forensic and audit services
• Notification costs, compliance with regulatory requirements, outside experts and analysis
• Legal response and defense costs
• Lost business and reputation
• Post-breach remediation costs, etc.
• Reputation restoration

Page 34

Responding to an Incident
• Effectuate IT containment and triage
• Assess nature of attack: IP assets; trade secrets; financial; customer data; denial of service; geopolitical; hacktivists
• Determine affected systems and targeted data; gauge possible exfiltration; address persistent threats
• Involve outside counsel and forensic IT consultants?
• Identify and notify stakeholders?
• Consult government; national security; law enforcement; homeland security?
• Assess liabilities, legal compliance, contract obligations, SEC reporting, insurance, etc.
• Evaluate existing control systems, responsibility and accountability; implement lessons learned

Page 35

FBI Visit on APT
• “Advanced Persistent Threat” attack on a defense contractor: not detectable through normal scans
• FBI initiated contact to inform re evidence of penetration and possible exfiltration of data
– Communications to a suspected attacker-controlled server
• State-sponsored intrusion (no nation-state attribution)
• Likely cause: spear-phishing email delivering malware
– Downloads attack tools
– Communicates with malware repository
– Compromises domain controllers; escalates privileges and harvests credentials
– .exe files renamed to other extensions; file headers still show their executable nature
– .rar files used for compression (data staged for exfiltration)
• Forensic measures: DNS server logging; full packet capture; firewall logs
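The two file-level indicators on the slide above (executables renamed to other extensions, and RAR archives used to bundle data) can be checked by file content rather than file name. The script below is an added example written for this page; it is not code from the presentation or from the FBI. It identifies PE executables by the "MZ" stub plus the "PE\0\0" signature at the e_lfanew offset (an "MZ" prefix alone also matches plain DOS programs), identifies RAR archives by their magic bytes, and flags files whose extension disagrees with what the bytes say. The directory layout and file names in the demo are constructed.

```python
"""Flag renamed executables and RAR archives by file signature, not extension.

Added example for this page (not code from the presentation or from the FBI).
The directory layout and file names built in demo() are constructed.
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

MZ_MAGIC = b"MZ"                 # DOS stub that starts every PE image
PE_MAGIC = b"PE\x00\x00"         # PE signature located at offset e_lfanew
RAR_MAGICS = (
    b"Rar!\x1a\x07\x01\x00",     # RAR 5.x
    b"Rar!\x1a\x07\x00",         # RAR 1.5 - 4.x
)
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}
ARCHIVE_EXTS = {".rar"}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "pe" or "rar"
    reason: str


def classify_header(head: bytes) -> Optional[str]:
    """Return "pe", "rar" or None based on the first bytes of a file.

    "MZ" alone is a weak signal, so the PE check follows the e_lfanew pointer
    at offset 0x3C and requires the PE signature at that position.
    """
    for magic in RAR_MAGICS:
        if head.startswith(magic):
            return "rar"
    if head.startswith(MZ_MAGIC) and len(head) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        if head[e_lfanew:e_lfanew + 4] == PE_MAGIC:
            return "pe"
    return None


def inspect_file(path: str, read_size: int = 4096) -> Optional[Finding]:
    """Compare a file's signature with its extension; return a Finding on mismatch."""
    with open(path, "rb") as fh:
        head = fh.read(read_size)
    kind = classify_header(head)
    if kind is None:
        return None
    ext = os.path.splitext(path)[1].lower()
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        return Finding(path, kind, f"PE executable with non-executable extension {ext!r}")
    if kind == "rar":
        note = "" if ext in ARCHIVE_EXTS else f", disguised as {ext!r}"
        return Finding(path, kind, "RAR archive (possible exfiltration staging)" + note)
    return None  # executable with an executable extension: expected


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and collect findings, sorted by path."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def make_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub whose e_lfanew points at the PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)     # exactly 0x40 bytes
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> right after the stub
    return bytes(stub) + PE_MAGIC + b"\x00" * 16


def demo() -> Dict[str, str]:
    """Write a constructed staging directory and return {file name: kind} for hits."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "update.exe": make_fake_pe(),                 # real extension: not flagged
            "invoice.pdf": make_fake_pe(),                # renamed executable
            "backup.tmp": RAR_MAGICS[0] + b"\x00" * 32,   # RAR staged under a bland name
            "readme.txt": b"just text\n",                 # benign
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(f.path): f.kind for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{kind:4} {name}")
```

Point scan_tree at user profiles, temp directories or the web-server document root during triage; the demo flags invoice.pdf (a PE image) and backup.tmp (a RAR archive) and ignores update.exe. The check is deliberately narrow: it will not see payloads that are packed, encrypted, or stored with the first bytes stripped, so it complements rather than replaces the DNS logging, packet capture and firewall log review the slide lists.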

Page 36

Litigation Exposure
• Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty
– Delaware Caremark decision: duty of care to establish information control systems for reporting and oversight of legal compliance and ethics
• Patco Construction Co. v. People’s United Bank (1st Cir. 2012)
– Bank sued after transferring $345,000 to cyber criminals
– Court held that the bank’s security procedures were “commercially unreasonable”; court relied upon FFIEC standards
• Lawsuits faced by: ChoicePoint, Heartland Payment Systems, Hannaford, Amazon/Zappos, Sony, etc.

Page 37

TJX (2007)
• Hackers stole 45 million customer records over 18 months
• Breach reported to cost up to $1.6 billion
• Banks and the Massachusetts Bankers Association (MBA) sued ($41 million settlement)
• State AG settlement (41 states) for $9.75 million
– Agreed to implement a stringent data security program
– MA AG Coakley: settlement “ensures that companies cannot write-off the risk of a data breach as a cost of doing business”
• Consumer action settled by offering $30 cash or a $60 voucher for three years of credit monitoring, plus the cost of replacing a driver’s license

Page 38

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Questions?

Edward McNicholas: 202-736-8010 [email protected]
www.Sidley.com/InfoLaw

This presentation has been prepared by Sidley Austin LLP as of July 30, 2013 for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

Page 39

EDWARD R. MCNICHOLAS, Partner
Washington, DC
+1.202.736.8010
+1.202.736.8711 Fax
[email protected]

PRACTICES: Privacy, Data Security and Information Law; Complex Commercial Litigation; Appellate
EDUCATION: Harvard Law School (J.D., 1996, cum laude, Harvard Law Review Editor); Princeton University (A.B., 1991, summa cum laude, Phi Beta Kappa)
CLERKSHIPS: U.S. Court of Appeals, 4th Circuit, Paul V. Niemeyer

EDWARD R. MCNICHOLAS is a partner in the Washington, D.C., office of the international law firm Sidley Austin LLP and a global coordinator of its Privacy, Data Security, and Information Law practice. His practice focuses on clients facing complex information technology, constitutional and privacy issues in civil and white-collar criminal matters.

Mr. McNicholas has significant experience with a wide range of cutting-edge Internet and information law matters involving privacy and data protection, electronic surveillance, information security, cloud computing, trade secrets, social media, locational privacy, e-commerce, copyright, defamation, online brand protection, e-discovery, and national security. Mr. McNicholas and Sidley’s Privacy and Data Security practice were selected for Chambers USA: America’s Leading Lawyers for Business for 2008-2013 as well as Chambers Global for 2010-2013, the 2011-2012 Legal 500, and The International Who's Who of Internet, e-Commerce & Data Protection Lawyers 2011-2012. Chambers USA (2013) notes that Mr. McNicholas “wins praise for his ‘depth of experience and ability to bring technology issues together to provide information we can act on.’” Super Lawyers (2013) ranks him in Information Technology. He has also been recognized in a Computerworld survey of “Best Privacy Advisers” as one of the “Top 25 Privacy Experts” in the country, and Chambers USA 2010-2011 also separately recognized Mr. McNicholas in nationwide litigation rankings for e-discovery.

Mr. McNicholas previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. He also previously served as a desk officer at the U.S. Office of Government Ethics, where he helped national defense and intelligence agencies establish effective compliance programs.