Data Breaches: Considerations & Pitfalls

Author: Christine Waters

Slide 1: Data Breaches: Considerations & Pitfalls
Caroline K. Simons, Fish & Richardson P.C.
March 22, 2017

Slide 2: Overview
- Overview and Recent Developments
- Legal and Regulatory Environment
- Guarding Against Data Breaches
- Responding to Data Breaches

Slide 3: Overview and Recent Developments

Slide 4: What is a Data Breach?
Any unauthorized access, exfiltration, alteration, use, or disclosure of confidential data.

Slide 5: What Are They Looking For?
That’s easy: EVERYTHING OF VALUE
- Intellectual property (especially trade secrets)
  - Software code
  - Proprietary processes, designs and formulas
- High-level executive communications
  - How much are we willing to pay for that company?
  - What’s our litigation/marketing/competitive strategy?
- Financial information and results
- Military or national security information
- Access to third-party information, systems, data
- And, of course, personally identifiable information (PII) and protected health information (PHI)
Pro tip: Don’t focus exclusively on PII/PHI, because the bad guys don’t.

Slide 6: Trends and Motivations
Who are the attackers?
- Nation-states and their proxies
- Organized crime / Hacking as a Service (HaaS)
- Individual hackers
- Competitors
- “Hacktivists”
- Insiders (can be any of the above)
Why do they do it?
- To gain intelligence
- To access or control critical infrastructure
- To disrupt operations
- To steal intellectual property or other business-sensitive information
- To make a point
- To vandalize

Slide 7: Data Breaches in the News
Date Reported   | Victim                                      | Scope
Sept. 2016      | Yahoo!                                      | 500m user records
Dec. 2016       |                                             | 1B user records
Jan. 8, 2017    | E-Sports Entertainment Association League   | 1.5m user records
Feb. 1, 2017    | Xbox 360 ISO and PSP ISO                    | 2.5m user records
Feb. 7, 2017    | InterContinental Hotels Group               | 12 properties affected
Feb. 17, 2017   | Arby’s                                      | Scope unknown
Feb. 27, 2017   | Association of British Travel Agents        | 43k user records
Mar. 7, 2017    | Verifone                                    | Corporate network
Mar. 14, 2017   | Wishbone                                    | 2m+ user accounts
Mar. 15, 2017   | Dun & Bradstreet                            | 33m corporate contacts

Slide 8: Legal and Regulatory Environment

Slide 9: The Legal and Regulatory Environment: Substantive Regimes
- E.O. , “Improving Critical Infrastructure Security”
  - Calls for “Voluntary Cybersecurity Standards” for “Critical Infrastructure”
  - New cybersecurity E.O. on the way
- Federal Trade Commission guidelines and enforcement actions
  - Lax cybersecurity = “unfair” trade practice
  - Jurisdiction over all consumer-facing businesses
- Securities and Exchange Commission
  - Cybersecurity requirements for broker-dealers and investment advisors
- Many other industry-specific rules, regulations, and frameworks
  - NYDFS (New York state financial, insurance, and banking sectors)
  - DoD (defense contractors and subcontractors)
  - FFIEC (banks)
  - HHS (health records): HIPAA Security Rule and Privacy Rule

Slide 10: The Legal and Regulatory Environment: Disclosure-Based Regimes
- SEC’s CF Disclosure Guidance: Topic No. 2 (Oct. 2011)
- State breach notification laws
- HIPAA/HITECH
Market regulatory regimes
- “Trickle-down regulation” and market forces
- Insurance
- Standard of care
…and don’t forget about “private law.”
- Indemnification provisions
- Limitations on liability
- Breach notification provisions

Slide 11: Zooming In: Massachusetts
Data Security Regulations (201 CMR 17.00)
- Covers those who “own, license, store, or maintain” personal information of Mass. residents
  - Covers both employees and customers
- Personal Information = Name + (SSN OR driver’s license/state ID number OR financial account OR payment card information)
- Encryption of electronic PI for storage and transmittal
- Written Information Security Policy (WISP)
Breach Notification (G.L. c. 93H)
- Triggered when the entity knows or has reason to know of:
  - A breach of security, or
  - Personal information of a Mass. resident acquired or used by an unauthorized person or for an unauthorized purpose
- Written notice required as soon as practicable and without unreasonable delay to the AGO, OCABR, and affected Mass. residents

Slide 12: The Securities and Exchange Commission
SEC Staff Guidance: CF Disclosure Guidance: Topic No. 2
- Registrants are expected to:
  - Evaluate cyber risks
  - Take into account all relevant information, including:
    - Prior cyber incidents, their severity and frequency
    - Probability of cyber risks occurring
    - Qualitative and quantitative magnitude of risks, including potential costs and other consequences
  - Make no generic disclosures
- Since the Guidance, SEC staff has demonstrated willingness to:
  - Push for disclosure of all incidents, material or not, for context
  - Independently monitor breaches and test against disclosures (or lack thereof)
  - Probe into pre-disclosure processes
  - Ask about third-party risk

Slide 13: The Federal Trade Commission
- August 2015: 3d Circuit affirmed the FTC’s cybersecurity enforcement authority over consumer-facing companies
  - Poor cybersecurity practices = “unfair” business practice under Section 5 of the FTC Act
  - No actual consumer harm required; harm must be “probable,” not just “possible.”
- FTC enforcement focus:
  - Inadequate cybersecurity measures
  - False statements about cybersecurity measures in a privacy policy
- January 2017: FTC filed a complaint against D-Link alleging violation of the FTC Act based on poor cybersecurity controls for routers and webcams, without concrete allegations of consumer harm
- Read the FTC’s “Start With Security” guide

Slide 14: The EU General Data Protection Regulation (GDPR)
- Enforcement date: May 25, 2018
- Applies to all companies that intend to offer products/services to EU residents, or that monitor EU data subjects
- Applies to all companies processing and holding personal data of EU residents
- Personal data = anything that can be used to directly or indirectly identify a person
- Breach notification provisions
  - Notification to consumers and government (DPA)
  - Different materiality thresholds
  - Within 72 hours of discovery (DPA)
- Hefty fines: €10 million OR 2% of annual revenue
- Private right of action

Slide 15: Guarding Against an Attack

Slide 16: Preparing for the Inevitable
- Ensure board-level attention
  - Agenda item with regular reports from cognizant officers
  - Steady-state security assessments
  - Set “tone at the top”
- Understand and assess the threat and risks
  - What data is valuable to us?
  - How is it safeguarded?
  - What detection systems are in place?
  - If the data is stolen or altered, how can the company recover?
- Understand the regulatory and statutory framework at play
- Pre-crisis planning
  - Develop a preparedness plan, and exercise it. It’s not “set it and forget it.”

Slide 17: Responding to an Attack

Slide 18: In the Heat of Battle: Responding to an Attack
- A breach should be treated as an internal investigation, run by outside counsel
  - Gain the benefit of attorney-client privilege + work product protection
- Engage outside experts
  - Law firm
  - Forensic cyber investigator
  - Crisis PR firm
- Ask and answer the important questions FAST
  - The Big Question: DISCLOSURE. Do we have to? Do we want to?
  - Assess law enforcement involvement
  - Assess litigation and regulatory enforcement risk

Slide 19: Mass. Breach Notification (G.L. c. 93H)
Notice to AGO and OCABR must state:
- Nature of the breach or unauthorized acquisition/use
- Number of Mass. residents affected
- Steps taken in response
Notice to affected Massachusetts residents must include:
- The consumer’s right to obtain a police report
- How to request a security freeze
  - Information the consumer will need to supply
  - Fees charged by consumer reporting agencies
The notice to residents shall not include:
- The nature of the breach or unauthorized acquisition or use; or
- The number of Massachusetts residents affected by the security breach or the unauthorized access or use.

Slide 20: Disclosure Considerations for Public Companies
To 8-K or not to 8-K?
- Cybersecurity incidents are not mandatory disclosure items (Item 8.01)
- Companies need to consider:
  - How much do we know?
  - Is it material?
  - Will there be trading in the company’s stock?
  - Is there a Reg FD issue?
  - Do we have to make concurrent disclosures?
    - Mandatory (e.g., state data breach disclosure laws)
    - Voluntary (e.g., PR, vendors/suppliers)
  - What are the litigation, investigatory, or security consequences of disclosure?
- Key question: Timing

Slide 21: Fish & Richardson’s 8-K “Disclosure Decision Tree” (figure)

Slide 22: Bouncing Back: Weathering Litigation and Investigations
Who sues and what for?
- Affected individuals: negligence
- Securities plaintiffs: 10b-5 action
- Derivative plaintiffs: breach of fiduciary duty
When regulators come knocking…
- FTC investigates supposedly unfair trade practices
- State AGs investigate whether disclosures were timely made
- Sector-specific regulators determine whether regulations were followed
- SEC examines disclosure and trading issues

Slide 23: Bouncing Back: Weathering Litigation and Investigations
What’s the best way to defend?
- Use a standard… (almost) any standard
  - Available guidelines include: NIST, ISO, FIPS, CAG
- Document your efforts
- It is better to act than not act: avail yourself of the business judgment rule
- Know your obligations and follow them

Slide 24: Bouncing Back: Taking the Fight to the Bad Guys
Sue for misappropriation of trade secrets
- New federal cause of action under the Defend Trade Secrets Act
- Defendant employed improper means to appropriate the secret, or knew or should have known that another did so
- Allows action against the hacker and the company using the stolen secrets
- Available remedies:
  - Monetary damages: actual loss, unjust enrichment and/or reasonable royalty
  - Injunctive relief for actual or threatened misappropriation
  - Civil seizure
  - Exemplary damages and attorney’s fees

Slide 25: Bouncing Back: Taking the Fight to the Bad Guys
Bring an International Trade Commission Section 337 complaint
- ITC investigates whether imported goods are the result of unfair competition, including cyberespionage of trade secrets
- Results in an exclusion order = no importation of the items into the U.S.
Sue for violation of the Computer Fraud and Abuse Act
- 18 U.S.C. § 1030(g) provides a private cause of action
- Available against one who accesses a computer without authorization, obtains information, and causes harm
- If a company profiting from the trade secret can be shown to have conspired, there is a cause of action against it as well
- Damages and injunctive or other equitable relief available
Call the Feds

Slide 26: Questions?

Slide 27: Caroline K. Simons, [email protected], 617-956-5907 (Boston)