October 22, 2014
Data Breach Notification and Cybersecurity Developments in 2014
Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US
Mastering Data Privacy, Social Media, & Cyber Law
This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters
State breach notification laws
• 47 states, plus the District of Columbia, Guam, Puerto Rico and Virgin Islands, have breach notification laws (Alabama, New Mexico, and South Dakota do not have these laws)
• These laws require notification of a breach to affected individuals
• These laws cover breaches involving personal information in electronic format
2014 state breach notification law developments
• 18 state laws, plus Puerto Rico law, also require notification of a breach to a state attorney general or regulator in addition to the affected individuals
• 7 state laws cover breaches involving personal information in both electronic and paper formats
• California and Florida laws define personal information as covering online account information
• New Kentucky breach notification law
California breach notification law amendment effective January 1, 2015
Where a person or business was the source of a breach, the person or business providing breach notification must offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to an affected individual for not less than 12 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached if the breach exposed or may have exposed his or her first name or first initial and last name, together with any of the following data elements, where the name or the data elements are not encrypted:
• SSN
• Driver's license number or California identification card number
Breach notification in federal and foreign laws and provisions in contracts and policies
• Federal HIPAA / HITECH Act breach notification for covered entities and business associates regarding protected health information
• Laws in other countries (e.g., Canada)
• Provisions in contracts and policies
Cybersecurity laws and guidance and provisions in contracts and policies
• State security procedures laws: Massachusetts and certain other states (e.g., California)
• Issued in February 2014:
– Federal: National Institute of Standards and Technology critical infrastructure cybersecurity framework
– California cybersecurity guidance
Cyber liability insurance
Main coverages in a traditional cyber liability insurance policy include:
• Security and privacy liability insurance that responds to third party liability
• Event management insurance that responds by paying costs for breach notification, public relations and other services to assist in managing a covered privacy or network security incident
• Cyber extortion insurance that pays to settle network security-related extortion demands made against the insured
• Network business interruption insurance that responds to an insured’s loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security
Enforcement, litigation and other consequences
• Federal Trade Commission
• Department of Health and Human Services
• State attorneys general (e.g., California and Massachusetts)
• Foreign regulators
• Litigation
Some steps companies are taking to prepare
• Preparing, revising and testing incident response plans
Tabletop Exercise (TTX)
A TTX is intended to generate discussion of various issues regarding a hypothetical, simulated emergency. TTXs can be used to enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident. Generally, TTXs are aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions.
Source: Homeland Security Exercise and Evaluation Program (HSEEP) (April 2013)
Some steps companies are taking to prepare (continued)
• Preparing and revising company policies and programs, including training
• Procuring security and data breach services
Resources
Data breach
• California Privacy Laws Change: Identity Theft Prevention and Mitigation Services
http://www.irmi.com/expert/articles/2014/krasnow10-cyber-privacy-risk-insurance.aspx
• Changes in State Breach Notification Laws
http://www.irmi.com/expert/articles/2014/krasnow08-cyber-privacy-risk-insurance.aspx
• California’s Breach Notification Law Expands to Include Online Account Information
http://www.dorsey.com/psm_ca_breach_online_account_info/
• Verizon 2014 Data Breach Investigations Report
http://www.verizonenterprise.com/DBIR/2014/
Cybersecurity
• Cybersecurity White Paper
Resources (continued)
Cybersecurity (continued)
• Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation
http://www.dorsey.com/files/Upload/Written%20Information%20Security%20Programs%20Compliance%20with%20the%20Massachusetts%20%287-523-1520%29.pdf
• Guidance for Managing Cybersecurity Risks
http://www.irmi.com/expert/articles/2014/krasnow05-cyber-privacy-risk-insurance.aspx
• National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• Cybersecurity in the Golden State
https://oag.ca.gov/cybersecurity
• Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus
http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VDvmOa1OXct
Melissa J. Krasnow 612-492-6106
krasnow.melissa@dorsey.com