Preventing and Responding to Data Breaches

Bill Cobb, Stephanie Chandler, Anna Trimble

Speakers

• Bill Cobb, Partner, Litigation Section; former Texas Deputy Attorney General for Civil Litigation
• Anna Trimble, Associate, Data Breach Response SWAT Team
• Stephanie Chandler, Partner, Corporate & Securities Section; Co-Chair of Cybersecurity Practice
The Art of Data Breach Response

“The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”
— Sun Tzu, The Art of War

Bill Cobb
512-236-2326 – [email protected]
“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
— Sun Tzu, The Art of War
Are you at Risk?

High-profile data breaches: FBI, CIA, Sony, Google, LinkedIn, Federal Reserve, NYT, WSJ, Texas Comptroller.

Welcome to the “new normal”: 855 breaches / 174 million records. Large companies are infiltrated with the same ease as small companies.

Do you know the risks?

• Average cost per breach = $4.5 to $7.2 million
• Average cost per record = $138 - $214
• Range of cost per breach = $500,000 - $20 million
• Sony: 100 million records, 50 class actions, $170 million liability

Can you afford to think that “this could never happen where I work”?
Are the risks substantial?

Records compromised:
• Global Payments – 10 million records
• Zappos – 24 million records
• Heartland Payment Systems – 100 million credit cards
• RockYou – 32 million records
• TJX – 94 million records
• CardSystems – 40 million records

Liabilities:
• Heartland Payment Systems / credit card companies – $100 million
• ChoicePoint and shareholders – $10 million
• Netflix and customers – $9 million
• Google and customers – $8.5 million
• BMW and customers – $5 million
• Adaptive Inc. and NY Attorney General – $2 million
“The general who wins a battle makes many calculations in his temple before the battle is fought. The general who loses a battle makes but few calculations beforehand. Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose.”
— Sun Tzu, The Art of War
Step 1: Prepare / Plan

Form SWAT Team
• Upper Management – Business Heads
• Information Technology
• Security (Information & Physical)
• Legal counsel (inside/outside counsel)
• Compliance
• Communications (Public & Investor Relations)
• Designate a crisis manager

FTI Consulting Corporate Board Member Survey: Data Security is the top legal concern in 2012 for both Directors and General Counsel. Only 42 percent of survey participants said their company had a data crisis management plan in place.

Data security should be part of your overall risk management plan.
“When the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization.”
— Sun Tzu, The Art of War
Create Response Checklist
• Breach timeline
• Type of data breach
• How it happened
• How it was contained
• Future remedial actions

Assemble Key Documents
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Privacy policy
• Information security policy
• Ethics policy
• Litigation hold template
• Contact list

Review insurance policies. Review document / data retention policies. Conduct a crisis audit.
“We are not fit to lead an army on the march unless we are familiar with the face of the country — its mountains and forests, its pitfalls and precipices, its marshes and swamps.”
— Sun Tzu, The Art of War
Knowledge (of the law) is Power
• Federal Trade Commission Act § 5
• Health Insurance Portability & Accountability Act
• Health Information Technology for Economic & Clinical Health Act
• Fair Credit Reporting Act
• Fair & Accurate Credit Transactions Act
• Gramm-Leach-Bliley Act
• 46 State Data Breach Notification Laws
“Amid the turmoil and tumult of battle, there may be seeming disorder and yet no real disorder at all; amid confusion and chaos, your array may be without head or tail, yet it will be proof against defeat.”
— Sun Tzu, The Art of War
Step 2: Identify the Problem

Who, what, when, where, why, and how?

How / Who / Where:
• Loss / theft of hardware / software
• Hacking / unauthorized access
• Rogue employee / internal fraud
• Email transfer / wrong address
• FTP file transfer
• Lost paper files
• Loss / theft by third party

What:
• Corporate information
• Personal information
• Financial information

Why: Someone will be blamed.

When:
• Occurrence
• Discovery

Any computer forensics or other network security investigators should be hired by counsel for advisory purposes; the consultants’ reports should then be privileged.
“The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom.”
— Sun Tzu, The Art of War
Step 3: Re-Secure Data
• Isolate (physically) any suspected computer from the network
• Leave the computer in its current state
• Immediately terminate access rights to lost or stolen devices
• Disable public and external access to the website
• Check/install/monitor firewalls
• Check/install/monitor intrusion detection & prevention systems
• Check/install/monitor anti-virus software
• Harden servers & OS software by disabling unneeded features
• Check (install) video surveillance in areas where information is stored

Announcing one data breach is an invitation for another.
“On the field of battle, the spoken word does not carry far enough: hence the institution of gongs and drums. Nor can ordinary objects be seen clearly enough: hence the institution of banners and flags.”
— Sun Tzu, The Art of War
Step 4: Keep a Record
• Response: steps to secure data
• Enhanced security measures
• Communications with the public
• Communications with law enforcement
• Nature of the breach
• Type of information compromised
• Nature of compromise

Speak with one voice.
“The general that hearkens to my counsel and acts upon it, will conquer: let such a one be retained in command! The general that hearkens not to my counsel nor acts upon it, will suffer defeat: let such a one be dismissed!”
— Sun Tzu, The Art of War
Step 5: Contact Legal Counsel

Legal counsel can assist with:
• Notification and communication decisions (scope, content, timing, hiring service specialists)
• Clarifications of duties / second opinions
• Advice regarding the need for (and hiring of) third parties (investigators, network security consultants)
• Keeping and preserving a record and evidence
• Preserving the confidentiality of investigations
• Preparing for potential class action litigation
“The clever combatant looks to the effect of combined energy, and does not require too much from individuals. Hence his ability to pick out the right men and to utilize combined energy.”
— Sun Tzu, The Art of War
Step 6: Notify Law Enforcement

If the breach involves theft, hacking, or potential misuse of personal information, notify appropriate law enforcement:
• FBI, Secret Service, local police
• State Attorneys General / information security departments

Law enforcement may request that you delay public notice to prevent interfering with an investigation.
• Document such requests carefully
“Speed is the essence of war.”
— Sun Tzu, The Art of War
Step 7: Notify Affected Parties

Affected individuals: any person whose personal information may have been compromised.
• Different states have different notice requirements
• Different data has different notice requirements
• Texas law requires notice to individuals in all 50 states
“When in difficult country, do not encamp. In country where high roads intersect, join hands with your allies. Do not linger in dangerously isolated positions.”
— Sun Tzu, The Art of War
Step 8: Notify Third Parties
• Business partners that access data systems (B2B / vendors / payroll / accounting)
• Credit reporting agencies
• Credit card companies
• Security & IT consultants and vendors
Step 9: Remediate
• Notify employees
• (Re)-educate employees on data protection
• Review privacy and security protocols
• Develop a customer compensation program (class action superiority; promotes products / restores confidence)
• Rebuild compromised or damaged networks
• Correct any vulnerabilities
• Review/implement/install:
  – secure transport and storage of backup tapes
  – encryption on mobile devices
  – tracking devices or software on laptops
  – software to prevent sensitive data from email transfer
  – data breach incident logs / automated auditing

Fix it and watch it.

Offer free credit monitoring: it reduces the odds of a lawsuit by six times and doubles the satisfaction rate with the response.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
— Sun Tzu, The Art of War
Data Breach Notification

“He who knows when he can fight and when he cannot, will be victorious.”
— Sun Tzu, The Art of War

Anna B. Trimble
512.236.2381 - [email protected]
Data Security Breach Notification Statutes

Approximately 46 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached.
• While there are many commonalities, there are also many differences.
• The task of applying the laws of 46 states to a breach that is national in scope is time consuming and complicated, and it may cause your company to run afoul of the time limitations of most statutes.
• You will need to look at each state’s law. Best practice is to apply the law of the state in which the consumer resides.
Anatomy of Data Breach Law

Data breach notification laws are generally laid out like this:
• What is personal information?
• What is a breach?
• Who do you have to tell, and how quickly?
• What happens if you don’t notify?
Personal Information

Most laws apply to personal information. But what constitutes “personal information” varies by jurisdiction.

Generally, personal information means a name or part of a name in conjunction with identifying information that could lead to identity theft or bank fraud, such as a social security number or a credit card number.
• One state includes email addresses.
• Some have additional identifiers such as tribal ID.
Texas Sensitive Personal Information

In Texas, “sensitive personal information” means:
• An individual's first name or first initial and last name in combination with any of the following unencrypted items: (a) SSN; (b) driver’s license number or ID number; or (c) account number or credit or debit card number with any required security code or access code;
OR
• Information that identifies an individual and relates to their (a) physical or mental health; (b) provision of health care; or (c) payment for the provision of health care.
Breach

This description is where you find “outs” to notification.
• Most states require an unauthorized acquisition of personal information and a likelihood of harm.
• There may be no breach if the information was encrypted and the bad guys didn’t get the key, or if the loss is unlikely to result in harm to anyone because, although you lost it, you got the information back from a trusted individual you believe did not share the copy.
• Some states have an out for no likelihood of financial harm.
Texas Breach

No harm threshold in Texas:
• Initially, most state statutes only required notification if it was reasonable to assume that a customer’s sensitive personal information was acquired by an unauthorized person and there was a reasonable likelihood of harm.
• In Texas, the fox is no longer guarding the hen house, and companies may not rely on an internal reasonableness determination. Notification is now required after any unauthorized acquisition that compromises the security of sensitive personal information.
Notification and Timing

All statutes require that notice be given to customers or consumers whose information was breached.
• Some say you have to give your state attorney general or federal regulator notice of the loss.
• Others say you also have to alert the media and credit reporting agencies.
• The notification must be given as quickly as possible.
• However, the notification may be delayed at the request of law enforcement to avoid compromising an investigation.
Texas Notification

The Texas legislature amended Business and Commerce Code Section 521.053 in 2011 to require notification to customers not just in Texas but in any state that does not require notification of the affected customer.
• Among other things, this means that companies operating in Texas must notify residents of the four US states without data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota).
• And companies operating in these states could be in breach of Texas law if those companies do business in Texas in one way or another.
• In fact, the law is worded broadly enough that its effects could be global.
Penalties

Most statutes are explicit about the financial penalty for not providing notice and give a per-person amount, so the larger the loss, the higher the fine.
• Many cap the total fine for an individual breach, but these amounts vary widely.
• Per-violation amounts range from $100 to $25,000, and caps go from $10,000 to $750,000.
Texas Failure to Notify

Section 151.151 of the law provides that the penalty for failing to comply with this notification requirement is a civil penalty of up to $100 per individual per day of delay, not to exceed $250,000 for a single breach.
Sample Notification Letter Components
• What happened and when?
• How was it detected?
• What specific types of personal information are involved, and for whom?
• What steps are being taken? Are you providing insurance?
  – CSIdentity
  – Debix
  – Experian Credit Bureau
• Does the evidence point to misuse of the information?
• What steps should the affected customer take?
• Expression of regret or commitment to security.
• Next steps.
• Contact information.
Federal Law

No immediate prospects for a federal law, although several bills on the issue have been introduced.
Data Security Risk Management

“The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”
— Sun Tzu, The Art of War

Stephanie Chandler
210-978-7704 – [email protected]
The SEC
• Letter to Chairman Schapiro
• Responded in June ’11
• Guidance issued in October ’11
What Should Corporate Boards Do?
• CTO/Chief Security Officer – direct report (or report to Audit or Risk Committees)
• Disclosure Committees
• Risk Oversight – "disclosure about the board's involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company."
What is the Nature of Risk from a Fiduciary Perspective?
• Class actions / consumer litigation
• State law breach of contract claims resulting from privacy policy
• Bank / credit card company breach of contract (i.e. requirements to maintain PCI DSS compliance)
• Governmental authorities (AGs & FTC)
• Chargebacks (credit card data)
• Public relations harm
The SEC: What Should Corporate Boards Do?
• Analyze risk and exercise fiduciary duty to address it
• Insurance policies – hack insurance / cybersecurity insurance
• Security audits
  – Document retention policies
  – SAS 70, now SOC
    • SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (financial reports; SSAE 16)
    • SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy (non-financial reporting; AT 101)
    • SOC 3 – Trust Services Report (non-financial reporting; AT 101)
Risk Factors – SEC Guidance (see Appendix)
• Description of outsourced functions that have material cybersecurity risks;
• Description of cyber incidents experienced by the registrant that are material, including a description of the costs and consequences; and
• Description of relevant insurance coverage for cyber incidents.

Other disclosure areas:
• MD&A – cost
• Business – if there has been an incident
• Legal Proceedings
• Financial Statements
• Effect on Internal Controls (SOX)
Identify who is responsible for meeting data security standards:
• You?
• SAAS provider?
• SAAS provider’s vendor?
• Outside consultant?
Outsourcing Guidelines
• Hold vendors to the same security standards as your own in-house security policies and practices.
• The vendor is legally obligated to fix data problems should a breach occur; this includes notification.
• Require background checks for vendor employees who have access to confidential information.
• Make sure the vendor has appropriate security and controls procedures in place to monitor potential threats.
PCI Data Security Standards requirements:
• Install and maintain a firewall configuration to protect data
• Do not use default passwords and security parameters
• Protect stored data
• Encrypt transmission of data
• Use and update antivirus software
• Develop & maintain secure systems & applications
• Restrict internal access to the data
• Assign a unique ID to each person with access
• Restrict physical access to data
• Track & monitor all access to network resources & data
• Regularly test security systems & processes
• Maintain a policy to address information security
Questions

Bill Cobb – [email protected] – 512-236-2326
Anna Trimble – [email protected] – 512-236-2381
Stephanie Chandler – [email protected] – 210-978-7704
Appendix

Sample Risk Factor

Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer.

[In the ordinary course of our business, we/We] [collect and] store sensitive data, including intellectual property, our proprietary business information and that of our customers, [suppliers and business partners,] and personally identifiable information of our [customers and] employees, in our data centers and on our networks. The secure [processing,] maintenance [and transmission] of this information is critical to our operations [and business strategy]. Despite our security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance or other disruptions. Any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in legal claims or proceedings, [liability under laws that protect the privacy of personal information,] [and regulatory penalties,] [disrupt our operations [and the services we provide to customers],] [and] damage our reputation, [and cause a loss of confidence in our products and services], which could adversely affect our [business/operating margins, revenues and competitive position].

Source: PLC Securities
Examples of Risk Factors
• Google Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
• Citigroup Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
• Lockheed Martin Corporation Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
• EMC Corporation Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
• The Coca-Cola Company Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
• Electronic Arts Inc. Quarterly Report on Form 10-Q for the period ended December 31, 2011.
• ATA Inc. Annual Report on Form 20-F for the fiscal year ended March 31, 2011.
• CoreLogic, Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
• Alliance Data Systems Corporation Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
Sample Risk Factor

[ADDITIONAL RISK FACTOR DISCLOSURE FOR COMPANIES THAT HAVE EXPERIENCED A SECURITY BREACH]

[In [DATE] [[our computer network/our website] suffered [cyber attacks/unauthorized intrusions] in which [customer data/proprietary business information] was accessed [and stolen]/[DESCRIBE SPECIFICS OF CYBER ATTACK OR OTHER BREACH]]. Following the[se] attack[s], we have taken [additional] steps designed to improve the security of our networks and computer systems. Despite these defensive measures, there can be no assurance that we have adequately protected our information or that we will not experience future violations.]

Source: PLC Securities
Examples of Risk Factors

Examples of descriptions of previous attacks or breaches:
• Sony Corporation Annual Report on Form 20-F for the fiscal year ended March 30, 2011.
• The TJX Companies, Inc. Annual Report on Form 10-K for the fiscal year ended January 29, 2011.
• The NASDAQ OMX Group, Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011.
Examples of Risk Factors

Consider describing your preventative actions. Examples:
• Microsoft Corporation's Quarterly Report on Form 10-Q for the period ended December 31, 2011.
• Adobe Systems Incorporated Annual Report on Form 10-K for the fiscal year ended December 2, 2011.