  • Title: Surviving a Data Breach
  • Event Time: 2013-06-05 08:30:00
  • Admission: Members $10 | Non-members $20
  • Event Link: ../tickets/2013/2013_06_05_Surviving_data_breach__ticket.html
  • Podcast URL: itms://itunes.apple.com/us/podcast/challenges-to-building-stability/id210903888?i=160659048
  • About the Speaker:

From 1997 to 2007, Joseph V. DeMarco was an Assistant United States Attorney for the Southern District of New York, where he founded and headed the Computer Hacking and Intellectual Property (CHIPs) Program, a group of five prosecutors dedicated to investigating and prosecuting violations of federal cybercrime laws and intellectual property offenses. Under his leadership, CHIPs prosecutions grew from a trickle in 1997 to a top priority of the United States Attorney's Office, encompassing all forms of criminal activity affecting e-commerce and critical infrastructures, including computer hacking and sabotage crimes; transmission of Internet worms and viruses; web-based frauds; theft of trade secrets; cyberstalking; and copyright and trademark infringement. As a recognized expert in the field, Mr. DeMarco was frequently asked to counsel prosecutors and law enforcement agents regarding novel investigative techniques and methodologies, and regularly provided advice concerning the Office's most sensitive computer-related investigations. Mr. DeMarco also served as a visiting Trial Attorney at the Department of Justice Computer Crimes and Intellectual Property Section in Washington, D.C., where he focused on technology-related policy matters such as Internet privacy, international cyber-investigations, e-commerce, identity theft, and the electronic theft of intellectual property.

Mr. DeMarco is also a seasoned crisis manager. In the days and weeks following September 11, 2001, he was responsible for coordinating the U.S. Attorney's Office support for the New York Secret Service Electronic Crimes Task Force's investigation into the attacks against the World Trade Center and the Pentagon.

Since 2002 Mr. DeMarco has been an Adjunct Professor at Columbia Law School, where he teaches the Internet and Computer Crimes seminar. He has spoken throughout the United States as well as in Egypt, Italy and the Netherlands on cybercrime, e-commerce and copyright and trademark infringement. He has also lectured at Harvard Law School and in numerous other fora including the Practicing Law Institute, the National Advocacy Center and the FBI Academy in Quantico, Virginia. He has been interviewed on the subject of cybercrime in a number of media outlets including the Journal of the New York State Bar Association (cover story on cybercrime), ABC World News Tonight with Peter Jennings and Fox News America's Newsroom with Bill Hemmer.

Prior to joining the United States Attorney's Office, Mr. DeMarco was a litigation associate at Cravath, Swaine & Moore, where he concentrated on antitrust, securities and intellectual property law for high-technology clients. Mr. DeMarco served as law clerk to the Honorable J. Daniel Mahoney, United States Circuit Judge for the Second Circuit Court of Appeals. Mr. DeMarco speaks conversational Italian. Mr. DeMarco is a Knight of Malta. Mr. DeMarco has received numerous professional awards including the U.S. Department of Justice Director's Award for Superior Performance and the Lawyer of Integrity Award from the Institute for Jewish Humanities. In his spare time, he is involved in various mentoring programs for young professionals and enjoys playing golf and squash and listening to classical piano.
  • Podcast URL: <p dir="ltr" style="text-align: justify;"><span style="color: #000000;"><em><span style="font-size: 12pt;"><strong><span style="color: #000000;">Surviving a Data Breach</span></strong></span></em><span style="color: #000000;"></span></span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">with</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Joseph DeMarco, &nbsp;Partner, DeVore &amp; DeMarco, LLP</span></p> <p style="text-align: justify;"><span style="color: #000000;"><b style="font-weight: normal;"><br /><span style="color: #000000;"></span></b></span></p> <p dir="ltr" style="text-align: justify;"><strong><span style="color: #000000;">JOSEPH DEMARCO:</span></strong></p> <p style="text-align: justify;"><span style="color: #000000;"><b style="font-weight: normal;"></b></span><span style="color: #000000;">Thank you very much, Daniel; and I wish to thank everyone for being here this morning. It's a real pleasure for me to be speaking at The Korea Society. As many of you know, I'm a proud member of The Korea Society and have been so for a number of years. I'm also a member of the International Association of Korean Lawyers. A fair amount of my practice deals with legal issues related to high technology between the United States and the Republic of Korea.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">These are timely issues. They’re at the top of the press's agenda, they're at the top of the government's agenda and they're at the top of law enforcement's agenda. This morning I'd like to spend a little bit of time talking about one piece of the cybersecurity conundrum; using this as a prism through which we can examine the pressing issue of data breaches. Today I will focus specifically on data breaches based on an organization's loss of personal information about its consumers, customers and employees. 
We will speak about some of the key legal drivers and decision points that corporate managers need to understand once they have a data spill or a data loss.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">I'm not going to be talking about hackers breaking into or planting logic bombs on a company's computer systems, although it's an interesting topic. I'm not going to be talking about the theft of "crown jewel" intellectual property like codes, algorithms, blueprints, schematics and business plans. Today I'm going to talk about the legal drivers that companies need to be aware of when it comes to the loss of personal information data.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">My objective today is to talk about data breach notification laws and the legal obligations of companies to report when they've had a data loss or a data spill involving personally identifiable information or what is referred to as "PII." I'm going to talk about what it's like to work with law enforcement in this context (they're often the ones informing the company about the data loss or data spill). I'm going to talk about some of the most important decision points that corporate managers have to make and why those decisions need to be made. And I'm going to talk about some real-world issues that come up with these types of events.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Just so that we're all on the same page, let me define personally identifiable information (PII) as it's defined by law and for the purposes of this discussion. PII is someone's name in combination with other data about them. It could be their name plus their bank account information. It could be their name plus their social security number. It could be their name and one of their computer passwords. 
PII is any information which includes both someone's name and some other information that could be used to perpetrate an identity theft crime against someone, defraud someone, take money out of someone's bank account and the like. As you might imagine, many companies have access to or have collected a great deal of this type of PII—not only about their customers but about their employees, as well.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">What happens to a company having to face these legal issues? As I mentioned a few moments ago, it starts with having the issue brought to a company's attention by a law enforcement agency such as the FBI or the Secret Service. Records were found inside of a location. Now, the investigation that law enforcement was undertaking most likely had nothing to do with your company. Nonetheless, when they were executing a search warrant they came across a stack of printed records that contained information about your company.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">That information could have been retrieved by part of a large identity theft ring. It could have been obtained through an outsider hacking into your company. It could have come from a corrupt employee working inside your company and giving information to people engaged in wrongdoing. The FBI or Secret Service wants to interview some of your employees and they ask your permission. They also advise you not to tell anyone else about this, because it is a sensitive law enforcement investigation. They don't want anyone who is involved in the wrongdoing to destroy evidence or possibly flee the jurisdiction. They may not order you to keep this a secret, but might ask you to do so voluntarily.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">That leads to your very first decision point. What do you do? Have you thought about the possibility this could happen before? 
Do you have an incident response plan to deal with this kind of situation? If you're a big company—particularly a large B to C company with information on lots of consumers—presumably you do have an incident response plan. You have some type of go-to document which is going to lay out the road map, at the top level, telling the people tasked with addressing this situation exactly what they should and should not do in this situation.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">A classic example of a large-scale data breach where you would hope a company would have an instant-response plan was what happened a few years back involving Sony and the hack of its PlayStation game portal. That intrusion, as you recall, involved the theft of not only people's names and e-mail addresses, but credit card, debit card and bank account information. Again, a company of that size (or even a smaller company) would presumably have an instant response plan to deal with this type of issue.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Once the breach occurs, who do you call? Who do you have to notify about this event both internally and externally? Do you have to report the event to state law enforcement officials? Now, we're talking about a defined PII that includes things like names, social security numbers and bank account information. The reporting laws of various states actually define whether or not you have to let state officials know if you've had a data breach involving PII.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Until about ten years ago, breach reporting laws didn't really exist. Prior to 2003, if a company lost all of its customer or employee information, it didn't have any legal obligations under the law to tell anyone. 
That began to change in 2003 when California passed a breach reporting law which made it obligatory and compulsory for companies to report these types of data spills to the State Attorney General. Other states followed suit. Today almost all states require companies to report any data breach involving PII to state law enforcement officials.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">But here's the catch. All of those laws vary. Sometimes they vary a little and sometimes they vary a lot. Because they vary and because there's no one uniform standard; one of the very first decisions a corporate manager faces is whether or not they have to report that a breach occurred based on the laws of that particular state. Most of the states have a breach reporting law if the PII (as they define it) involves one of their residents. Now if you're a company that has consumers or employees in more than one state, you'll most likely be looking at the laws of many different states where your consumers or employees reside to determine whether or not the PII that you lost qualifies as defined PII and triggers a breach reporting obligation under that state's law.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">This is a very important decision point for a manager to deal with right from the start. Who do you need to report this to? Which state officials? If you have employee or consumer information from ten different states, is it considered PII as those ten different states define it? Who do you report to in those states? When is it triggered?</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">The next decision point is whether or not you wait for law enforcement's go-ahead before reporting a data breach to customers. Some states say it's unnecessary to report the breach to the state or to consumers if law enforcement has asked you to keep it quiet. 
Not all states have those laws, however. You will need to quickly get a handle on PII's definition according to the laws of individual states to which you need to report, which state residents have been affected, and whether or not the state in question will allow you to hold off on reporting until the law enforcement officials give you the go-ahead.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">What do you do in these first few hours or first couple of days? Do you inform people outside of your organization? Maybe you have cyber insurance and your policy requires you to notify the insurance company immediately of the event so that coverage can begin. What do you do if the FBI or the Secret Service tells you <span style="color: #000000;">not</span> to notify anyone for one month and your insurance company requires notification within three weeks in order to meet coverage requirements? Do you tell the insurance carrier and thereby get your coverage but maybe compromise the investigation because it could leak out through the insurance company? Or do you try and work with law enforcement and keep things quiet while trying to find the outsider or insider who stole your company records? You then may lose coverage for the event.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">These are very tough decisions, particularly for companies experiencing data breaches for the very first time. The company who is best prepared for a data breach of this type is the company that has already experienced a data breach exactly like this. Based on my experience of over fifteen years, the calls I get tend to be from first-time victims and corporate managers are going to be making these decisions for the very first time. 
They're also going to be making these decisions with imperfect information, because the breach notification laws oftentimes require you to notify law enforcement first, and a cyber event of any magnitude takes a lot of time to do technical analysis, forensic analysis, and employee interviews.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">The corporate manager who's dealing with this situation for the very first time is often going to be dealing with it on a very tight time frame, and he or she is going to have to make decisions about whether to report, who to report to and whether they even have a reportable event without an adequate amount of information. They're going to be essentially making decisions in a fog bank, something that managers don't like to do.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Once this decision is made, it's irrevocable. Whether you choose to report the breach to law enforcement or to your insurance carrier; whether you decide to ignore the Secret Service's advice and go public with the event or abide by law enforcement's request and keep it secret; chances are the decision you make is not going to have a "take it back" switch. That puts the corporate manager between a rock and a hard place—having to make a quick decision with imperfect information that's irrevocable. I can think of a few examples where CEOs, CFOs, COOs and general counsels have had all three difficulties on their plates at the same time. I can tell you that it's not routine for them, and this is a good example of where corporate managers earn their pay.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Let's say that your company has customers in all fifty states as well as overseas and only 15 percent of those customers have financial data stored within their profiles. 
In addition, a list was found during the execution of a search warrant with 10,000 names on it. About 15 percent of the PII data points will trigger reporting. You may be able to whittle it down even further because the clients who have stored financial data may reside in only a few states. That will make your job considerably easier. Also, you should participate in an exercise that identifies just what your reporting obligations are. You may actually come to the conclusion that you don't have a reportable event. I'll give you an example.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">A few years ago we were retained by a large company. As a result of a change management snafu to an upgrade on its software system, permission configurations to their online employee portal were left unsecured. As a result of this snafu, everyone inside the company could, if they logged on and put in someone else's name, see information about that other person for a thirty-eight minute window. Of critical importance was that the salary and bank account information of people was visible during this time. Now, this was not a major security breach (it didn't have major contractual or business implications outside of the company) but you might imagine that from the point of view of morale, it had quite significant implications.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">We were able to figure out doing this analysis that the universe of people who potentially looked at other people's information was whittled down to residents in only one state, and only about twenty employees did so. Of those twenty, about six were members of the legal department who had been alerted and were testing the vulnerability of the system. The remaining fourteen resided in states where there was no breach reporting obligation. This is why it's so important to do an analysis of reporting obligations. It could require a mass notification. 
It might require no notification. The key point is that you have to get it right.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">The investigation continues and decisions continue that your managers will need to make. Let's say you decide to allow the Secret Service to interview employees at your office, and you only talk about this with senior management. You conduct your investigation. It's supervised by counsel. You figure out that an outsider was using authentic company credentials belonging to an employee. By looking at the log data, you're able to figure out that the printout is actually a screen shot of information from your system created by an individual who logged into the system remotely.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">This may mean you have insiders working together with outsiders. A good forensic analysis supervised by counsel will really help you at this point, and it should lead to a conclusion. One of your conclusions may be that the outsider has authentic credentials of the suspect; but that it's unlikely that the suspect created the printouts. You still don't know the extent of the breach or whether any fraudulent misuse has been made, and that is also something that has to be done.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Based on this, you decide to hold off notifying your customers in order to conclude your investigation. You get clearance from law enforcement. You still need to know what you're going to do in the future. Let's say the first decision point that you've come to is to not conduct a broad notification and keep things quiet long enough for the government to do their investigation. Maybe you're lucky. Maybe you don't have an insurance policy which triggers instant notification. 
You keep things quiet for a while and see where things go with the government's investigation.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Why is supervision by counsel imperative? Because your in-house legal team and your outside legal team bring to bear not only an understanding of the laws that apply in this situation (they're going to be the ones that tell you whether you have a reportable event or not) but they also bring to bear what your other obligations are. You may have obligations to other companies. You may have contractual obligations to shareholders. You may have obligations to corporate affiliates. Finally, corporate counsel is protected by the attorney-client and work-product privilege, and that's also an extremely important point here.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">When you have a cyber incident of any kind of magnitude or severity, it could be a data breach (a PII) like we're talking about here. It could be an intrusion into the system. It could be a theft of crown-jewel intellectual property. Whatever it is; it's absolutely critical for you to get your in-house lawyers and expert outside counsel involved. Should the CEO simply hire a technology consultant, the communications between that CEO and the technology consultant are rarely privileged or protected.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Why does that matter? Because, as I mentioned, there are breach reporting obligations which require you report certain incidents to state law enforcement officials. Those reports are public. 
Increasingly, what state law enforcement officials are doing in response to these reports (particularly with the loss of consumer information) is they are conducting investigations of the companies in order to determine whether the companies are negligent in how they handled and cared for that information.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">If a company is negligent, the law enforcement officials will start a civil lawsuit against the company with potentially large damages attached to them for violating state consumer protection laws. That has happened in every major data breach: TJMaxx, Sony PlayStation, Hannaford's and the list goes on. Should your communications on the event not be protected by the attorney-client or work-product privilege, those communications will likely be turned over to state law enforcement officials who will request them in their subpoenas or their document demands.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">What that means on a practical level is that all of your conversations, analyses and studies about whatever deficiencies may have lead to the breach or loss will be turned over to the people that are going to be suing you for negligence and breach of fiduciary duty. Now, it doesn't take a law degree to figure out that when you give your potential adversary the play book of your vulnerabilities; you've essentially given them the road map on how to extract a lot of money from your company.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">It gets worse, though, because plaintiffs' lawyers, as a result of these breach notification laws, become aware of the breaches and immediately start soliciting plaintiffs for class action lawsuits against companies [for] breach of fiduciary duty and negligence in the securing of that information. The Sony PlayStation breach spawned several dozen class action lawsuits by plaintiffs. 
As any of you know, once a company is hit with a class action lawsuit, the incentives for that company to settle on favorable terms with the plaintiffs and the plaintiffs' attorneys are extremely strong. What company wants to go to trial against a group of plaintiffs who have had their information breached? Therefore, the vast majority of these cases are settled with the companies paying significant amounts of money.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Meanwhile, plaintiffs' lawyers have become very savvy. During litigations such as these, they request copies of studies, plans, analysis reports, e-mails and other communications from the company which describe all the details surrounding the security event. You're essentially turning over your laundry list of deficiencies in all the areas where you failed or could have done better, and giving to your adversaries a road map to winning their lawsuit along with opening arguments for the litigation. On the other hand, if you've done everything you could to secure this information; then at least you have an argument that some of that information can be kept out of the hands of the plaintiffs' lawyers (with the information about the wrongdoers included). It's critical to keep that secure.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">You're also going to be faced with another decision point, and that is who do you notify? Do you notify clients and other customers beyond the ones that had their PIIs stolen? Do you notify everyone in the database? Do you notify just those with financial information? Do you notify individuals only in the affected states? Do you notify state regulators? Do you notify federal regulators? Do you notify credit reporting bureaus? 
They play an important role in this event, as well.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">The key point here is that you may have obligations that go beyond only notifying state regulators. And for companies registered with the SEC that are either tracking personal health information or information on consumers and customers; you might have reporting obligations to federal regulators, as well. Once you've decided what states are in play and where your obligations lie; you're still going to have to decide whether to make that information available to a minimum subset of consumers and customers or as a courtesy to notify everyone.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Let's say you make the decision to notify only those individuals who have financial information in the database (say individuals residing in New York, Massachusetts, New Jersey and California), the appropriate state regulators and the credit bureaus. You're not going to send out notifications to every customer in all fifty states. Depending on the facts, that can be a rational decision for a company to make. Looking at that matrix, that means you would have to send out approximately 20,000 letters, abiding by state reporting laws in terms how you must notify those individuals. You might have to contact them by first-class mail or certified mail. Maybe you can notify them by e-mail.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Most of you have already received these types of letters saying something along the lines of, "We are writing to advise you that your information may have been compromised. We're investigating this matter. We have no reason to believe that you specifically were targeted or that you have been defrauded; but we're notifying you of this. Here's a number you can call for further information and some answers to frequently asked questions." 
According to the latest statistics, approximately two-thirds to three-quarters of all Americans have had their identities stolen at one point or another.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">What other entities are in this ecosystem? There may be key customers you need to notify. You may not have any of their PII but want to notify them ahead of any negative publicity that will most likely result from this type of event. You may want to talk to key business partners to let them know that you're aware of this and have the situation under control. I've been called on a number of occasions by clients concerned that a business partner had a data breach, and they want to know the types of questions they should ask their partner in order to assure themselves that the partner knows what to do and has taken the appropriate steps in terms of computer security. You also have to provide comfort to key customers and suppliers in terms of your reputation.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">You may also have to have communications with corporate affiliates. You could be the US subsidiary of a big chaebol in Korea and question whether you have to notify the home office. At what point? What's the trigger point? If you have a data spill involving 5,000 people's identity; is that something that requires you to pick up the hot phone to Seoul? Is it an event that you think can expose you to millions of dollars in claims and damages?</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Whatever it is, hopefully the steps you need to take are part of your incident response plan. These steps have been thought about ahead of time so that any decision that has to be made is done so with great thought and preparation. In addition, you don't want anything to fall through the cracks. 
The last thing you want are your managers in Seoul reading in the <span style="color: #000000;">Seoul Times</span> about a data breach that happened to one of their subsidiaries in the United States—who reported it to the New York State Attorney General who then turned around and posted it on their data breach website. There may not be legal ramifications for that, but there could be career ramifications to that which may concern you even more.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">The decisions that have to be made will keep coming. As I mentioned a moment ago, you will have to choose a notification vendor to handle notices to consumers. There are many companies that do this. They all vary greatly in terms of what they offer. Do you watch for people who are deceased? Where do you send the letter? Do you de-dup them and how do you do that? Are you going to offer credit monitoring, because you have to pay for that. If so, for how long? Or are you just referring them to public resources that can teach them how to protect their identities? You're going to have to set up a call center. Again, your breach notification vendor will do this. That breach notification vendor will be retained by your counsel so that all the communications between the breach notification vendor and you go through the lawyer to protect the attorney-client privilege.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">You're going to have to make decisions about how long the call center will be active. Whether or not to have a toll-free number. What the call center operators will say. Who pays for the call center? Is the cost of a call center covered by your insurance policy? Is it covered by reserves you've held back? Is it covered by a corporate affiliate? Maybe by the parent? You're going to have to think about all these issues ahead of time. 
Again, these are the very kind of issues that will be in your incident response plan, for the few of you out there who don't yet have one.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">So, the investigation continues. After about three weeks, law enforcement comes to the conclusion that it was, in fact, one of your employees working with an outside identity theft ring. The insider gave the outsiders his login credentials, and the outsiders remotely logged in to gain access to the databases from which the printouts were then downloaded. Some members of the ring have been arrested and the Secret Service now advises you to begin notifying the affected individuals.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">You're now prepared. You have your breach notification vendor ready to go. Once the call comes in from the Secret Service, you tell the breach notification vendor to put the letters in the mail and to set up the call center. You're off to the races and waiting for this to hit.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Before you get to after-incident remediation, you're going to prepare a set of FAQs (frequently asked questions) for the call center operators to answer. These responses will be drafted by your lawyers, because you don't want to be saying anything that's going to get you into legal trouble. You will also have a statement to issue to the press, as "no comment" is no longer considered a good press strategy. Of course, you're going to be extremely careful to say only what you absolutely must say in order to make consumers, regulators and business partners comfortable that you are on top of this situation. You've hired the right people. The data breach is your primary focus. At the same time, you're not saying too much. 
And above all, don't say anything inaccurate.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">One of the reasons why Sony was subjected to so much criticism following their data breach a couple of years ago is because they made statements to the press which they then had to retract when those statements turned out to be less than 100 percent accurate. You're not aiming for 99 percent accuracy. You're aiming for 100 percent accuracy. Saying less is more important than saying more. The key point is to make sure what you do say doesn't expose you to any further legal liability. Don't say too much, don't say too little, and above all, make sure what you say is completely correct.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">In some cases, you may decide that you are required to answer questions live or to have a press conference. We generally don't advise that, but in certain cases it's necessary. And if you have the right corporate manager you can trust in front of a microphone to take live questions, then it's something that you may want to do. Obviously that person will need to be trained on what they can say and what they can't say, as well as on the law. You do, however, need to have a press relations strategy, a shareholder relations strategy and an internal employee relations strategy in effect so you can deal with these events in an effective way.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Let me tell you what happened in a recent case that we handled and give you some practical tips. We sent out letters notifying the appropriate people about a data breach. It was a large data breach involving a lot of personally identifiable information from people from a number of states. It just so happened that the government gave us clearance to send out these notification letters right before a major three-day holiday weekend. 
We called the breach notification vendor at two o'clock on Friday afternoon, told them we had clearance from the Secret Service and to let the letters go. It took one day to print the letters and they were dropped in Saturday's mail. Monday was a federal holiday. Believe it or not, some consumers received their letters on Tuesday morning. We set up the call center to be live on Tuesday morning, and at 9:00 a.m. on Tuesday we were ready to go. The hours the call center was available were included in the letter.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">We also notified the state regulator on that Friday. This particular regulator liked to receive information online using a form asking for very basic information about what happened with the intrusion, when the company became aware of it, how many individuals were affected, the nature of the information, and whether it was an insider or outsider who was responsible. I think it was around two or three o'clock on Friday afternoon that we hit the Send button. At eight o'clock that night, I received an e-mail back from the state regulator asking why it took us so long to report this to consumers. We had only been sitting on this information for about three weeks at the request of law enforcement.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Now, I have been a regulator myself. I often worked after-hours, but I was really impressed that someone in the state attorney general's office, in that particular state, took their role and responsibilities so seriously that at eight o'clock in the evening (on a long, warm summer holiday weekend) they e-mailed me to ask me one simple question. 
Now, answering that question was not that simple, because now you're dealing with a regulator who has raised a question about whether or not you've acted properly and whether or not you sat on the information too long.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Fortunately we had a good answer for the regulator. The Secret Service had asked us to voluntarily not disclose that information. Nonetheless, we spent a good part of that weekend crafting our exact response. I know first-hand from being a regulator that the very first encounter with a regulator is extremely important. You want to demonstrate good faith to that regulator and your genuine interest in doing what's right for the state, for the consuming public and for the public at large. We actually spent the entire weekend going back and forth with the corporate CEO and general counsel crafting a short response, which we then sent to the regulator at nine o'clock Tuesday morning, demonstrating that we were on top of the situation.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Here are a couple of other practical but important points. Make sure that your call center operators are sufficiently well trained. Ours still had a few gaps in their knowledge base about the overall nature of the company. A lot of people who received our letters were older people simply calling to find out more information. Older people generally contact call centers more often than younger people. If you're dealing with a good breach notification vendor, they will give you a breakdown of cohort response rates. That allows them to skew their answer in a direction related to the demographic that contacts the call center the most.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">For example, let's say you have a large pool of Korean customers. You might consider sending out a breach notification letter in both English and Korean. 
If you have a large cohort of people that spend time in both Korea and the United States, maybe you want to keep your call center open longer, as some people go to Korea for a month at a time.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">You want to make sure that the most important information on that letter is on the front page. You'd be surprised how many people do not turn over a two-page letter. The ideal situation is to talk to a breach notification vendor through your counsel before you even have a breach so you understand how the flow of information works and you are aware of the basic decisions that have to be made.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Now your breach is over. You got a request from the state attorney general. You answered their question[s]. Happily, nothing has happened. The state attorney general seems satisfied. You think all is over and then two months later you receive notice that a plaintiffs' class action law firm has set up a blog looking for representative plaintiffs to serve as class plaintiffs in a lawsuit against you.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">What do you do then? Well, there's frankly not much you can do about that. You can monitor the blog. You can put in place a litigation strategy. You can reserve funds for damages. You may have an obligation to notify your insurance carrier. In the case I was referring to, nothing ever happened. We were never sued. But as most of you know, the statute of limitations on these types of claims is often several years.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Lastly I want to talk about after-incident remediation and analysis. You should never let a good crisis go to waste. There's a lot to be learned. You could be the victim of one of these types of incidents. 
You could also be a manager of a company going through a data breach for the first time. You want to do a good after-incident remediation so that you can improve your company as long as you stay there. In addition, should you go to another company, you can tell that company that you've managed a data breach. All those lessons will be a great help to your next employer, as you will be in a much better position to protect that company as well as yourself.</span></p> <p dir="ltr" style="text-align: justify;"><span style="color: #000000;">Now you do an analysis after the fact. It is again supervised by counsel for the reasons I described. You want to assess how to prevent this type of incident from happening in the future. You're going to obviously look for improved technical security and logging. You might change access permission controls to the database or your most critical portions of the database. You'll most likely change some of your data collection and storage practices. I've seen companies that have lost people's names and social security numbers in combination and therefore have a reportable event. In those cases, I suggest that the company create a unique customer identification number (unless a social security number is necessary) in order to prevent that number from being breached. Indeed, some states prevent you from doing that.</span></p> <p style="text-align: justify;"><span style="color: #000000;"><b id="docs-internal-guid-35d26a05-34e2-584b-8ac7-50ed672dfcea" style="font-weight: normal;">When it comes to a data breach, there's obviously a lot you can do after the fact. It's going to depend, naturally, on the nature of your breach. I think I've left you with an understanding of the most key and salient features. Thank you very much. [Applause]</b></span></p>
  • Custom HTML field content: About the Speaker
  • Third Tab: http://traffic.libsyn.com/koreasociety/2013-06-05_Surviving_A_Data_Breach.mp3

Recent headlines about high-profile cyber attacks on American and Korean corporations should prompt all companies to examine their procedures for recovering from a data breach. Expert Joseph V. DeMarco, Esq., provides an overview of the key laws and regulations that affect businesses and addresses the practical considerations for fulfilling those obligations.

Wednesday, June 5, 2013

8:00 AM | Registration
8:30 AM | Discussion

 

with

Joseph V. DeMarco, Partner, DeVore & DeMarco, LLP