Cyber and Privacy Risks, Deborah Bjes and Jill Zuback

Carlsmith Ball LLP
Cyber Issues For Lawyers
Deborah Bjes
October 22nd, 2015
Why are lawyers targets?
Maintain valuable information
Verizon’s 2015 Data Breach Investigations Report found that the legal department is far more likely to actually open a phishing e-mail than all other departments.
Carlsmith Ball LLP | October 22, 2015 | Deborah Bjes
2
Phishing emails:
Lawyers easy targets?
• 23% of lawyers opened the email
• 11% clicked on the attachment
WHY?
Are lawyers targets?
Lawyers must work efficiently
Lawyers look for new opportunities
Lawyers want to assist
Lawyers are trusting within relationships
Technologically challenged?
Changes in technology = changes in lawyer’s duty:
Lawyers must:
Stay up-to-date with technology.
Secure client & company data.
Avoid mishandling electronic documents.
Maintaining competence
ABA Model Rule 1.1
[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Confidentiality of information
ABA Model Rule 1.6
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
* * *
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
ABA Model Rule 1.6
Acting Competently to Preserve Confidentiality
Comment [18]: … The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
Factors: 1) sensitivity of the information, 2) likelihood of disclosure, 3) the cost, and 4) the difficulty of implementing the safeguards.
Comment [19]: … This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. …
Potential cyber causes of action
Negligence
Breach of contract
Waste and conversion
Invasion of privacy
Breach of fiduciary duty
Direct costs
• Forensic experts to establish extent of stolen data (who/what)
• Notification costs
• Credit monitoring cost
• Business interruption cost
• Network restoration cost
• Public relations firm fees/costs to restore/mitigate reputational damage
• Fines
Indirect costs
Management/executive time
Loss of good will
Cost of reissuing documents or credit cards
Cost of mailings/expedited postage
Declined credit card transactions
Obtain upper management buy-in!
Management must understand the importance of security.
Avoid “it won’t happen to me” thinking.
Allocate resources!
Expense of cyber breach
Factors that decrease the expense:
• Incident response team
• Extensive use of encryption
• Employee training
• Board level involvement
• Engagement of consultants
Factors that increase the expense:
• Third party involvement in breach
• Quick notification
• Lost or stolen device
Breakdown of claims costs
$62.3 million in pay-outs on 85 claims
• 48% on crisis services
  – $1.5 million in forensics
  – $6.15 million in notification costs
  – $2.5 million in legal guidance
  – $135,000 in public relations
• 15% on legal defense
• 10% on legal settlements
• 10% on regulatory defense
• 6% on regulatory fines
• 11% on other fines
State breach notification statutes:
Know them (or know someone who does!)
They require prompt notification of unauthorized access to personal information.
47 states, DC, Puerto Rico and the US Virgin Islands have such statutes.
Common features relate to:
• Notification trigger
• Notification requirements
• Timing of notice
• Remedies
• Enforcement/fines
Notification considerations
Is it required?
• If not, is there a benefit or other need?
Timing of notification
• Avoid a rush to notify vs. will the media beat you to it?
• Law enforcement may delay notification
Who must be notified?
• Affected individuals
• Government or regulatory agencies
• Banks
• Media
Who drafts notification letter?
Credit monitoring: To offer or not?
• Create an educated/proactive work force!
• Focus on the weakest link!
• Create an open door for discussion.
• Avoid finger pointing.
• Do all employees know who to call?
• Are all systems security ready before roll out?
• Are outdated systems retro-fitted?
Cyber security plan
Cyber security plan and protocols
Well defined objectives
Agreed upon management plan
Nuts and bolts details
Insurance can assist
What do I do? I have had a breach!
(Or may have had a breach!)
Create a Response Plan (75% of the work should be done before the incident)
Who is the point person? Spokesperson?
Notify law enforcement. (should be aware of identify b/c incident)
Retain privacy counsel! (already lined up)
Retain forensic consultant. (already lined up)
Determine PR issues/ Retain a PR Firm. (already lined up)
Investigate timely notice requirements!
Public company disclosure requirements.
Notice your carrier/broker!
Activate “dark site”.
Further considerations
• Whether to employ routine cyber risk safety audits?
• Should you employ cyber incident drills?
• Should vendors employ cyber risk safety standards? (weakest link)
• Should business partners employ cyber risk safety standards?
• How to decide whether to compensate clients/customers if there is an incident?
• In addition to notice, consider credit monitoring/gift cards?
• Should you build a “dark website”?
No standard cyber policy
• Compare pricing and policies
• Understand what is covered & what is not
• Understand notice requirements
• Determine what is really needed
• Negotiate your needs
What is cyber insurance?
There is no agreed upon definition.
Generally: a policy covering one or more of the following:
• Damage to digital assets (data, software) not considered tangible property.
• Business interruption triggered either by damage to digital assets or impairment of external services.
• Liabilities arising out of privacy issues, 3rd party infringement of intellectual property, virus transmission, or any other serious trouble.
Cyber insurance
• Crisis management expenses: privacy counsel, public relations or crisis management firm.
• Forensic expenses: services to determine cause and scope.
• Notification expenses: mandatory notification of customers whose sensitive personal information has been breached.
• Credit monitoring expenses: monitoring, credit freezing or fraud alert service expenses for breaches of true identity data.
Cyber insurance
• Cyber extortion insurance: Covers expenses to obtain legal, public relations or crisis management services to protect the company’s reputation.
• Digital asset loss: Will fund costs incurred to replace or recover data which has been corrupted or destroyed as a result of a network security failure.
• Regulatory action coverage: Covers loss (damages, defense costs, civil fines or penalties to the extent insurable by law) resulting from a regulator action.
Cyber risk insurance - examples
(Columns in the original table: Risks | Cyber and Privacy Policies Coverage | Traditional Policy. The Traditional Policy column did not survive extraction and is omitted below.)
Risk: Legal liability to others for privacy breaches
  Coverage: Privacy liability: harm suffered by others due to the disclosure of confidential information
Risk: Legal liability to others for computer security breaches
  Coverage: Network security liability: harm suffered by others from a failure of your network security
Risk: Regulatory actions
  Coverage: Legal defense for regulatory actions
Risk: Identity theft
  Coverage: Expenses resulting from identity theft
Risk: Privacy notification requirements
  Coverage: Cost to comply with privacy breach notification statutes
Risk: Loss or damage to data / information
  Coverage: Property loss: the value of data stolen, destroyed, or corrupted by a computer attack
Risk: Extra expense to recover / respond to a computer attack
  Coverage: Cyber extortion: the cost of investigation and the extortion demand
Risk: Loss of revenue due to a computer attack
  Coverage: Loss of revenue: business income that is interrupted by a computer attack
Risk: Loss or damage to reputation
  Coverage: (none listed)
Thank you!
Disclaimer
• ©2015 Swiss Re Corporate Solutions. All rights reserved. You are not permitted to create any modifications or derivatives of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re Corporate Solutions.
• Although all the information used was taken from reliable sources, Swiss Re Corporate Solutions does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re Corporate Solutions or its Group companies be liable for any financial and/or consequential loss relating to this presentation.