This presentation was delivered at the Southern Methodist University Law School, Science and Technology Law Review's 2015 Cybersecurity Symposium on October 23, 2015.

1. Data Security and Privacy by Contract
Hacking Us All Into Business Associates
Shawn E. Tuma
Scheef & Stone, LLP
@shawnetuma
Cybersecurity Symposium
October 23, 2015

3. breach impacting 110 million customers
$262 million in expenses for 2013 and
2014
offer “free” identity theft and credit
monitoring to all affected customers
Net earnings down 34.28%
Earnings per share down 44.60%
Non-cash losses up 487.71%
US sales down 6.60%
Lawsuits, possible enforcement actions,
who knows?

4. 4
Have you ever heard of …

5. www.solidcounsel.com
Ancient Cybersecurity
Wisdom
 “In all fighting the direct
method may be used for
joining battle, but indirect
methods will be needed to
secure victory.”
 “You can be sure of
succeeding in your attacks
if you attack places which
are not defended.”

6. Regulatory Response

7. www.solidcounsel.com
Regulatory Response – SEC
January 2014: SEC indicates companies need
P&P for:
1. Prevention, detection, and response to
cyber attacks and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and
vendor due diligence.

8. www.solidcounsel.com
Regulatory Response – SEC
April 15, 2014 – Office of Compliance
Inspections and Examinations (OCIE)
Cybersecurity Initiative
 Examine 50 registered broker-dealers and
registered investment advisors.
 7 page sample cybersecurity doc request.
 Many  3rd parties

9. www.solidcounsel.com
Regulatory Response – SEC
“Firms must adopt written policies to protect their
clients’ private information and they need to
anticipate potential cybersecurity events and have
clear procedures in place rather than waiting to react
once a breach occurs.” S.E.C. v. R.T. Jones Capital Equities
Management, Consent Order (Sept. 22, 2015).
 R.T. Jones violated this “safeguards rule
 100,000 records (no reports of harm)
 $75,000 penalty

10. www.solidcounsel.com
Regulatory Response – FTC
FTC’s Order requires business to follow 3 steps when
contracting with 3rd party service providers. In re
GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug.
14, 2014):
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere
to the appropriate level of data security
protections.
3. Verify that the data service providers are
complying with obligations (contracts).

11. www.solidcounsel.com
Regulatory & Administrative
The FTC has authority to regulate cybersecurity
under the unfairness prong of § 45(a) of the Federal
Trade Commission Act and companies have fair
notice that their specific cybersecurity practices
could fall short of that provision. F.T.C. v. Wyndham
Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

12. The Contract

13. www.solidcounsel.com
Addendum to Business Contracts
 Many names, similar features:
 Defines “Data” being protected in categories.
 Describes acceptable and prohibited uses.
 Describes standards for protecting.
 Describes requirements for returning/deleting.
 Describes obligations if a breach.
 Allocates responsibility if a breach.
 Requires binding third parties to similar
contractual obligations.

14. “Business Associates”?