EEI: Cybersecurity Law Conference
October 24, 2014

Lisa J. Sotto, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com, www.huntonprivacyblog.com
Paul M. Tiao, Hunton & Williams LLP, (202) 955-1618, ptiao@hunton.com

The Privacy and Cybersecurity Team at Hunton & Williams
• Over 25 privacy professionals in the U.S., EU and Asia
• Our privacy clients have included 6 of the Fortune 10
• Representing clients across multiple industry sectors, including energy, retail, transportation, consumer products, publishing, financial services, technology, advertising, health care and pharmaceutical
• Centre for Information Policy Leadership at Hunton & Williams
• www.HuntonPrivacyBlog.com
• @hunton_privacy

Roadmap
• Introduction
• Cyber Threat Landscape – Setting the Stage
• The Legal and Policy Environment
  – U.S.
  – EU
• Lessons Learned

A Sampling of Recent Global Headlines
1. August 2013 – Another wave of DDOS attacks on financial institutions launched but deemed to have little impact
2. December 2013 / January 2014 – Several U.S. retailers and a UK announce significant credit card breaches
3. April 2014 – Heartbleed bug announced; related breaches uncovered
4. April 2014 – Worst data breach in German history identified; 18+ million email passwords compromised
5. May 2014 – French telco reports 2nd breach in past several months
6. May 2014 – Target CEO resigns; the company's breach response cited as a contributing factor
7. May 2014 – eBay breach; investigations in the US and UK anticipated

The Cyber Threat Landscape
• Threat Actors
• Threat Vectors
• Targeted Information and Systems

A Year In Review
• Recent Compromises
  – Target
  – Neiman Marcus
  – Michaels
  – The UPS Store
  – Goodwill
  – The Home Depot
  – JPMorgan Chase
• Recent Government Activity
  – Congressional inquiries
  – Calls for FTC action
  – PLA indictment

Legislative and Policy Environment
• Congressional attempts to pass cybersecurity legislation
  – Numerous efforts to pass a cybersecurity law
  – Key legislative issues
  – Failure to pass legislation in 2012 provided impetus for the 2013 Executive Order on Improving Critical Infrastructure Cybersecurity

Executive Order on Improving Critical Infrastructure Cybersecurity
• Cybersecurity Framework
  – Voluntary program, including incentives
• Information sharing
• Identification of critical infrastructure for which a cybersecurity attack could have catastrophic effects
• Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies
• Use of the federal procurement process to encourage contractors to enhance information security practices
• Consideration of privacy and civil liberties issues

Cybersecurity Framework
• NIST published final version of Cybersecurity Framework on Feb. 12, 2014
  – Framework Core
  – Implementation Tiers
  – Framework Profile
  – Privacy appendix in preliminary Framework (Oct. 2013) stricken from final
• Extensive public input
  – Five widely-attended workshops
  – Request for Information
  – Many comments on the preliminary version of the Framework
• Likely benchmark in regulatory, enforcement and litigation context
• Future workshops and versions

A Life-Cycle Methodology
[Figure: life-cycle diagram]

Function Categories
6 Functions, 22 Categories, 98 Sub Categories
• Identify – Asset management, business environment, governance, risk assessment, risk management
• Protect – Access control, awareness & training, data security, process & procedures, maintenance, protective technologies
• Detect – Anomalies & events, continuous monitoring, detection processes
• Respond – Response planning, communications, analysis, mitigation, improvement
• Recover – Recovery planning, improvements, communications

Framework Profile
[Figure: roadmap visualization]
* This same roadmap visualization can be applied to the categories and subcategories within each function.

Electric Utility Issues
• Industrial Control Systems
• Smart Grid
• Information Sharing Groups
  – Electricity Subsector ISAC
  – Downstream Natural Gas ISAC
• Cyber insurance for operational technology

Federal Agency Information-Sharing Programs
• DHS
  – National Cybersecurity and Communications Integration Center (NCCIC)
    • US-CERT
    • ICS-CERT
  – Cybersecurity Information Sharing and Collaboration Program (CISCP)
• FBI
  – Cyber Division & FBI Field Offices
  – National Cyber Investigative Joint Task Force
  – National Cyber and Forensics Training Alliance
  – Domestic Security Alliance Council
  – InfraGard
• DOE
  – Cybersecurity Risk Information Sharing Program (CRISP)

Public-Private Information Sharing Issues
• Standard Agreements
  – DHS Cooperative Research and Development Agreement
  – FBI Memorandum of Agreement and Non-Disclosure Agreements
• Information sharing rules and procedures
• Information handling restrictions
• Protection from disclosure under FOIA
• Implications for regulatory enforcement
• Prosecutorial implications
• Privacy risks

Data Security Rules
• Federal Law
  – FTC Act
  – Gramm-Leach-Bliley
  – HIPAA/HITECH
  – FACTA Disposal Rule
• State Requirements
  – MA, NV, CA and progeny
  – Breach notification laws
• Industry Standards
  – PCI DSS
  – ISO
  – NIST

Utility-Specific Cybersecurity Requirements
• Version 5 Critical Infrastructure Protection Reliability Standards
  – Expanded scope of covered cyber systems
  – Categorization of systems by impact on reliability
  – Enforcement date – April 2016
• NERC Physical Security Standards

Legal Obligations
• Understand your legal obligations arising out of a cyber event
  – Breach notification and other obligations
    • State, federal, international law
    • Industry standards
    • Contractual obligations
    • SEC reporting

State Breach Notification Requirements
• Generally, the duty to notify arises when unencrypted computerized "personal information" was acquired or accessed by an unauthorized person
• "Personal information" generally is an individual's name plus:
  – Social Security number
  – Driver's license / state ID card number, or
  – Account, credit or debit card number, along with password or access code
• Service providers must notify data owners of security breaches, and some states require "cooperation" with the data owner

Variations in State Breach Laws
  – Definition of PI
  – Computerized v. paper data
  – Notification to state agencies
  – Notification to CRAs
  – Timing of individual notification
  – Harm threshold
  – Content of notification letter
  – Preemption
  – New CA requirements

SEC Cybersecurity Guidance
• Companies are not disclosing enough
  – The SEC is cracking down
• Vast majority of companies that did address cyber issues used only boilerplate language
  – Some hacking victims said nothing
• Disclosures often don't give a genuine sense of the risk
  – Cyber attacks are included as one of many potentially catastrophic events

SEC Enforcement Efforts
• SEC is now formally investigating companies' cyber disclosures
  – Focused on whether investors were appropriately informed
  – Probes are not public
  – Target is reported to be facing scrutiny
  – Prospect of enforcement actions

EU Cybersecurity: Regulatory Efforts
• On February 7, 2013, the EC issued a draft directive on cybersecurity
• Once adopted, member states will have 18 months to implement the Directive
• The aim of the Directive is to
  – Achieve European cyber resilience
  – Drastically reduce European cybercrime
  – Develop common European cyber defense policies and resources
  – Establish a coherent European cyberspace policy and promote core EU values
• The Directive would require EU competent authorities to cooperate, share information, and coordinate responses

EU Cybersecurity: Breach Reporting
• The Directive would require companies in "critical" sectors to adopt strict network security standards and report "significant" cybersecurity incidents
• The proposals encompass a broad section of industry sectors, including non-essential services such as YouTube and Spotify
• The proposals do not clearly distinguish between targeted cybersecurity incidents and other types of breaches
• The breach reporting requirements are not harmonized with existing and anticipated breach reporting requirements under the EU ePrivacy Directive and the proposed EU General Data Protection Regulation

Global Breach Notification Requirements
• Breach notification requirements and guidance emerging across the world
  – 30+ countries outside the U.S. now require or strongly recommend notification
    • Federal and provincial standards in Canada
    • Several countries in Europe (including Germany)
    • All major countries in Asia and Oceania (including Australia, Hong Kong, India)

Data Breach Response Timeline
1. Event
2. Mobilize
3. Legal Posture
4. Law Enforcement
5. Stabilize
6. Investigate
7. Legal Analysis
8. Notify
9. Regulatory Response
10. Lawsuits
11. Review & Improve

Contacts
Lisa J. Sotto, Partner, Chair, Privacy and Cybersecurity Practice, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com
Paul M. Tiao, Partner, Hunton & Williams LLP, (202) 955-1618, ptiao@hunton.com