privacy, cyber threats and risk mitigation – mitigating ... · what would cyber litigation look...
TRANSCRIPT
Pillsbury Winthrop Shaw Pittman LLP
Privacy, Cyber Threats and Risk Mitigation –Mitigating Liability Through the SAFETY ActJoe DePaul, Senior Vice PresidentBrian Finch, Partner
April 9, 2015
The Threat From Cyber Attacks
Exposure of corporate secrets, trade secrets, and other proprietary information
Exposure of personally identifiable information (employees and customers), including health information
Disruption/destruction of operations
Attacks are cheap: ($2 for crashing a website; $30 for malware verification; $5,000 for “zero day”)
Malware now tends to be “one time use”
1 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Many Theories of Liability for Cyber Attacks
Shareholder claims/SEC Disclosures
Loss of IP/trade secret claims
Negligent selection, design or contracting
Failure to take “reasonable” security measures for threats that a company knew or “should have known” about
Strict liability
2 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Who Is Attacking?
3 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Post-Terrorist Attack Litigation
Courts have found that terrorist attacks are reasonably foreseeable, and a duty is owed to plaintiffs (victims) The danger of a plane crashing as a result of a hijacking was “the very risk
that Boeing should reasonably have foreseen”
Other 9/11 cases: Negligence/Negligent selection Res Ipsa Loquitor Strict liability Negligent design and/or manufacture
4 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
What Would Cyber Litigation Look Like?
FTC allegations in Wyndham lawsuit – Wyndham failed to: remedy “known security vulnerabilities” such as allowing insecure server/network
connections employ commonly used methods to require user IDs and passwords that are
difficult for hackers to guess adequately inventory computers in order to manage network devices employ reasonable measures to detect and prevent unauthorized access or to
conduct security investigations follow proper incident response procedures, including failing to monitor computer
network for malware used in a previous intrusion adequately restrict 3d party vendor access share threat information/act upon shared information
The key question: how can you make sure you are taking “reasonable” cyber security measures?
5 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Recent Decisions
Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014) A bank customer, a real estate escrow service provider, brought action against its
bank, after $440,000 was stolen from the customer's bank account through fraudulent wire transfer requests. The United States District Court for the Western District of Missouri, John T. Maughmer, United States Magistrate Judge, 2013 WL 1121339, granted summary judgment to the bank. Both parties appealed.
6 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Recent Decisions
Patco Const. Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012) Commercial customer filed action in diversity against bank, alleging negligence,
breach of contract, breach of fiduciary duty, unjust enrichment, conversion, and that bank's security system was not commercially reasonable and that it had not consented to security procedures, after thieves had electronically stolen hundreds of thousands of dollars from its accounts
7 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Cyber Product Developer Loss Scenarios
Scenario 1: The product is represented to have specific capabilities and associated
services (regular updates, upgrades, etc.): Product manufacturer could be liable for losses suffered by its customer, Product manufacturer could be liable for 3d party losses if they are intended
beneficiaries or creates “unreasonable risk of harm”. Gross negligence or intentional misconduct? All bets are off.
Scenario 2: The product is used at a facility storing highly dangerous materials: Could be held liable for a design defect, If the product is specifically designed to protect that type of facility, liability is
more likely.
The big point: Get ready for litigation.
8 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
FTC v. Wyndham
FTC v. Wyndham decided on April 7, 2014 Facts: Federal Trade Commission sues Wyndham Hotels following a series of
cyber attacks/data breaches affecting its customers. Wyndham claimed that it protected customers’ information “by using standard
industry practices.” The FTC, argues otherwise, saying that Wyndham “failed to provide
reasonable and appropriate security” for the information it collected and maintained.
Claim: Wyndham claimed that the FTC had no authority to pursue enforcement actions related to data security
Ruling: Court affirmed that the FTC has the authority to pursue corporate cybersecurity weaknesses under its existing regulatory powers (Section 5 of the FTC Act) to address unfair or deceptive acts or practices affecting commerce.
Significance: Only a Motion to Dismiss – Not a Ruling on Wyndham’s Liability The FTC can act on unreasonable cybersecurity practices under existing laws
without further legislation
9 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Who Is To Blame?
10 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
The “In-Law” Problem
11 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
The SAFETY Act
“Support Anti-Terrorism by Fostering Effective Technologies Act”
Part of the Homeland Security Act of 2002
Eliminates or minimizes tort liability for sellers of DHS-approved “technologies” should suits arise after an attack (physical or cyber), including: SAFETY Act protections obtained by submitting an application to DHS Applies to services, products, policies
This includes self-deployed programs Protections apply even if the attack originates from abroad so long as US interests
implicated (i.e., economic losses)
Protections apply to cyber attacks unrelated to “terrorism”
12 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
“Act of Terrorism”
What is an “act of terrorism”? (i) is unlawful; (ii) causes harm, including financial harm, to a person, property, or entity, in the
United States, or in the case of a domestic United States air carrier or a United States-flag vessel in or outside the United States; and
(iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.
Definition is read to include events that impact the United States.
13 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Designation vs. Certification
Two levels of protection under the SAFETY Act
Under “Designation”: Claims may only be filed in Federal court Damages are capped at a level set by DHS Bar on punitive damages and prejudgment interest
Under “Certification” sellers also receive a presumption of immediate dismissal
In both circumstances claims against CUSTOMERS are to be immediately dismissed
14 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Any cyber security product, service, and/or policy is eligible for SAFETY Act protections
Cyber attacks are encompassed under this definition
There is NO requirement that the attacker’s identity or motivation be identified/proven: Only mention of “intent” potentially relates to intent to cause injury
or loss, NOT traditional “terrorist” intent
This means that ANY cyber attack could potentially trigger SAFETY Act liability protections
Act of Terrorism = Cyber Attack
15 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
SAFETY Act Evaluation Criteria
What are you seeking coverage for?
How does the product or service work/how is it provided?
How do you know it works?
How will you make sure it continues to work?
Can you show your product/service is repeatable (e.g., documented policies and procedures)?
Is it safe?
Quality control, quality assurance, written policies, and evidence of effectiveness are key data points.
It is not necessary to meet all of the evaluation criteria in order to obtain SAFETY Act protections.
16 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Information Needed
Data and documentation is critical to application process.
Key information required for submission includes: Documented processes and procedures. Evidence of management chain/quality control. Audits/effectiveness reports.. Points of contact with local law enforcement.
DHS requires records demonstrating utility, effectiveness, and quality control.
Gathering and interpreting information is typically the most time consuming part of the process.
17 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Antivirus System
Breach Response
Plan
BYODPolicies
SA
FETY
A
ctS
AFE
TY
Act
SA
FETY
A
ct
SAFETY Act
SAFETY Act
SAFETY Act
SAFETY Act
SAFETY Act
SAFETY Act
SA
FETY
Act
SA
FETY
Act
SA
FETY
Act
Customer suffers
loss/damages
Customer suffers
loss/damages
Firewalls
General Cybersecurity Policies and Procedures
APT Defense Systems Malware
Protection Programs
Forensic Investigation
18 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Breach Response
Plan
Malware Protection Programs
Customer suffers
loss/damages
Customer suffers
loss/damages
Firewalls
APT Defense Systems
General Cybersecurity Policies and Procedures
Forensic Investigation
BYODPolicies
Antivirus System
19 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
The Application Process
20 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Key Questions and How To Use
Any costs for filing a SAFETY Act application? No.
What kind of security products are eligible for SAFETY Act protections? All products, services, and/or policies, including internal policies, whether
physical or cyber.
What is the practical effect of obtaining SAFETY Act protections? A cap on damages or immunity from damages arising out of or related to
cyber attacks or “acts of terrorism”.
21 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Key Questions and How To Use Cont.
Can I realize SAFETY Act benefits just by purchasing and using SAFETY Act approved cyber security solutions? Yes.
Can I require SAFETY Act approval in procurements? Yes.
What kind of claims will this help mitigate/eliminate? Negligence, third party liability, failure to take reasonable mitigation steps,
D&O claims.
22 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
SAFETY Act
Jurisdictional defenses (Exclusive Federal jurisdiction, no punitive damages, no prejudgment interest)
Cap on 3d party damages
Possible immunity
Government “endorsement” of security plans and technologies
Cyber/Terrorism insurance
Reimbursement for damages, but no cap
No jurisdictional defenses
No government “sanction” of security plans and technologies
Less certainty as to coverage
Tying SAFETY Act to cyber insurance can result in reduced premiums
SAFETY Act vs. Cyber/Terrorism Insurance
23 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
25 | Privacy, Cyber Threats and Risk Mitigation – Preparing for and Handling Data Breaches
Joe DePaulSenior Vice PresidentFINEX North American Cyber and E&O TeamWillis Americas Administration, Inc.Phone: [email protected]
Brian E. FinchPartner, Public PolicyPillsbury Winthrop Shaw Pittman LLPPhone: 202.663.8062 [email protected]
Thank You for Participating!