This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to SecureWorld Expo Dallas on September 27, 2016. This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies. The main points of this presentation are: (1) Cybersecurity events create a crisis situation and should be treated as such; (2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events; (3) Companies must have a cybersecurity breach response plan in place and tested, in advance; (4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and (5) The odds are that all company will be breached, but preparation and diligence can help minimize the likelihood that such a breach from being a catastrophic event. This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk business have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions. The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents. It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.

1. Speakers: Put your Name and Title here:
---
---
---
xxxSWE2016xxx
Cybersecurity Legal Issues
What You Really Need to Know
#SWDAL16
@shawnetuma
Shawn E. Tuma
Cybersecurity & Data Privacy
Attorney, Scheef & Stone, LLP
General Counsel & Board Member
Cyber Future Foundation

3. TargetHome DepotNeiman MarcusMichael’sSpecsTJ MaxxeBaySally BeautyPF Chang’sUPSDairy QueenJimmy John’sJP Morgan ChaseKmartStaplesSonyAshley Madison / Brazzers?

4. www.solidcounsel.com
“Security and IT protect companies’ data;
Legal protects companies from their
data.” -Shawn E. Tuma

5. KEEP CALM
I’M A
FIRST
RESPONDER

6. Immediate Priorities
• Assess the situation
• Be a counselor
• Instill confidence
• Bring peace
• Facilitate rational
thought & behavior

7. Privilege / Work Product
KEY POINT: Attorney’s may have privilege
“Target has demonstrated . . . that the work of the
Data Breach Task Force was focused not on
remediation of the breach . . . but on informing
Target’s in-house and outside counsel about the
breach so that Target’s attorneys could provide the
company with legal advice and prepare to defend
the company in litigation that was already pending
and was reasonably expected to follow.”
In re Target Corp. Customer Data Breach
Litigation

8. ACC Study (Sept ‘15)
What concerns keep
Chief Legal Officers
awake at night?
#2 = Data Breaches
82% consider as
somewhat, very, or
extremely important

9. Legal Obligations
 International Laws
 Safe Harbor
 Privacy Shield
 Federal Laws & Regs
 HIPAA, GLBA, FERPA
 FTC, FCC, SEC
 State Laws
 47 states (Ala, NM, SD)
 Fla (w/in 30 days)
 OH & VT (45 days)
 Industry Groups
 PCI, FINRA, etc.
 Contracts
 Vendors & Suppliers
 Business Partners
 Data Security Addendum

10. www.solidcounsel.com
Ancient Cybersecurity
Wisdom
“Water shapes its course
according to the nature of the
ground over which it flows; the
soldier works out his victory in
relation to the foe whom he is
facing.”
“In all fighting the direct
method may be used for joining
battle, but indirect methods will
be needed to secure victory.”

11. There is Hope!
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than
stolen
• Phishing used most to install malware

12. www.solidcounsel.com
The Basics
“Some people try
to find things in
this game that
don’t exist but
football is only two
things – blocking
and tackling.”
-Lombardi

13. “An ounce of prevention is cheaper than
the first day of litigation.”

14. Consumer Lawsuits

15. www.solidcounsel.com
Peters v. St. Joseph Services (S.D. Tex. 2015)
Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015)
Whalen v. Michael Stores Inc. (E.D.N.Y. 2015)
In re SuperValu, Inc. (D. Minn. 2016)
Anthem Data Breach Litigation (N.D. Cal. 2016) (Koh)
Data Breach Litigation Battleship
Spokeo v. Robins, 136 S.Ct. 1540 (2016)
Tangible or intangible harm but concrete & particularized
Lewert v. P.F. Chang’s China Bistro Inc. (7th Cir. 2016)
Galaria v. Nationwide Mutual Ins. Co. (6th Cir. 2016)

16. Regulatory & Administrative

17. Regulatory & Administrative - FTC
KEY POINTS: You must have (1) basic IT security and
(2) accurate Privacy Policy
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24,
2015).
• The FTC has authority to regulate cybersecurity under the
unfairness prong of § 45(a) of the Federal Trade Commission Act.
• Companies have fair notice that their specific cybersecurity
practices could fall short of that provision.
• 3 breaches / 619,000 records / $10.6 million in fraud
• Rudimentary practices v. 2007 guidebook
• Website Privacy Policy misrepresentations
• Jurisdiction v. set standard?

18. Regulatory & Administrative – FTC
KEY POINT: You must evaluate business partners’ security
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014).
FTC’s Order requires business to follow 3 steps when contracting with
third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the
appropriate level of data security protections.
3. Verify that the data service providers are complying with
obligations (contracts).

19. Addendum to Business Contracts
KEY POINT: Know your contractual obligations
• Common names for the Addendum:
• Data Security & Privacy; Data Privacy; Cybersecurity; Privacy;
Information Security.
• Common features
• Defines subject “Data” being protected in categories.
• Describes acceptable and prohibited uses for Data.
• Describes standards for protecting Data.
• Describes requirements for deleting Data.
• Describes obligations if a breach of Data.
• Allocates responsibility if a breach of Data.
• Requires binding third parties to similar provisions.

20. Regulatory & Administrative – SEC
KEY POINT: You must have written (1) Policies &
Procedures and (2) Incident Response Plan
S.E.C. v. R.T. Jones Capital Equities Management, Consent Order
(Sept. 22, 2015).
• “Firms must adopt written policies to protect their clients’
private information”
• “they need to anticipate potential cybersecurity events and
• have clear procedures in place rather than waiting to
react once a breach occurs.”
• violated this “safeguards rule
• 100,000 records (no reports of harm)
• $75,000 penalty

21. Responding: Execute Response Plan
This is only a
checklist – not a
Response Plan
Download at:
www.shawnetuma.com

22. How Fast?
• 45 days (most states)
• 30 days (some states)
• 3 days (fed contracts)
• 2 days (bus expectation)
• Immediately (contracts)

23. Officer & Director Liability

24. Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize,
the importance of cybersecurity oversight responsibility,
do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10,
2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
• Derivative claims premised on the harm to the company from data breach.
• Caremark Claims:
• Premised on lack of oversight = breach of the duty of loyalty and good faith
• Cannot insulate the officers and directors = PERSONAL LIABILITY!
• Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.

25. Officer & Director Liability
KEY POINT: “boards that choose to ignore, or minimize,
the importance of cybersecurity oversight responsibility,
do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10,
2014.
• Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
• Derivative claims premised on the harm to the company from data breach.
• Caremark Claims:
• Premised on lack of oversight = breach of the duty of loyalty and good faith
• Cannot insulate the officers and directors = PERSONAL LIABILITY!
• Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.
$4.8 Billion Deal?

26. Cyber Insurance

27. Cyber Insurance – Key Questions
• Even know if you have it?
• What period does the
policy cover?
• Are Officers & Directors
Covered?
• Cover 3rd Party Caused
Events?
• Social Engineering
coverage?
• Cover insiders intentional
acts (vs. negligent)
• Contractual liability?
• What is the triggering
event?
• What types of data are
covered?
• What kind of incidents are
covered?
• Acts of war?
• Required carrier list for
attorneys & experts?
• Other similar risks?

28. Game Changer?

29. New York Department of Financial Services
Cybersecurity Requirements for
Financial Services Companies + [fill in blank]
• All NY “financial institutions”
• Establish Cybersecurity Program (w/ specifics)
• Adopt Cybersecurity Policies
• Designate qualified CISO to be responsible
• Third-Party Service Providers – examine, obligate, audit
• Written Incident Response Plan
• Board or Senior Officer Certify Compliance

31. Virtually all companies will be
breached. Will they be liable?
It’s not the breach; it’s their diligence
and response that matter most.
Companies have a duty to be
reasonably informed of and take
reasonable measures to protect
against cybersecurity risks.
It takes a TEAM APPROACH.

32. Cyber Risk
Assessment
Strategic
Planning
Deploy
Defense
Assets
Develop,
Implement
&Train on
P&P
Tabletop
Testing
Reassess &
Refine
Cybersecurity Risk
Management Program

33. 3 Must-Haves for Every Organization
1. Basic IT Security
2. Written Policies & Procedures
3. Written Incident Response Plan
***Document3***

34. “You don’t drown by falling in the water;
You drown by staying there.”

35. Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com
This information provided is
for educational purposes only,
does not constitute legal
advice, and no attorney-client
relationship is created by this
presentation.
Shawn Tuma is a business lawyer with an internationally recognized
reputation in cybersecurity, computer fraud and data privacy law. He is a
Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service
commercial law firm in Texas that represents businesses of all sizes
throughout the United States and around the world.
 Board of Directors, University of North Texas Cyber Forensics Lab
 Board of Directors & General Counsel, Cyber Future Foundation
 National Law Journal Cybersecurity Law Trailblazer (2016)
 SuperLawyers – Top 100 Dallas / Fort Worth Super Lawyers
 Texas SuperLawyers 2015-16 (IP Litigation)
 Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
 Council, Computer & Technology Section, State Bar of Texas
 Chair, Civil Litigation & Appellate Section, Collin County Bar Association
 College of the State Bar of Texas
 Privacy and Data Security Committee, Litigation, Intellectual Property
Law, and Business Sections of the State Bar of Texas
 Information Security Committee of the Section on Science & Technology
Committee of the American Bar Association
 North Texas Crime Commission, Cybercrime Committee
 Infragard (FBI)
 International Association of Privacy Professionals (IAPP)
 Information Systems Security Association (ISSA)
 Board of Advisors Office of CISO, Optiv Security
 Editor, Business Cybersecurity Business Law Blog