Planning and Response: Surviving a Data Breach

Planning and Response: Surviving a Data Breach
A WEBINAR presented by Womble Carlyle Sandridge & Rice, PLLC
June 16, 2010, 12:00 – 1:00 PM (EDT)
For technical support during the program, please call: 1-866-229-3239.

Introductions

Moderator:
• Ted F. Claypoole - Attorney, Womble Carlyle Sandridge & Rice, PLLC

Panelists:
• Charles Kallenbach - General Counsel and Chief Legal Officer, Heartland Payment Systems, Inc.
• Jennifer M. Kashatus, CIPP - Attorney, Womble Carlyle Sandridge & Rice, PLLC
• Sarah Byer Miller - Attorney, Womble Carlyle Sandridge & Rice, PLLC

Who Wants Your Data?
• Competitors
• Foreign Governments
• Identity Thieves – Target Your Customers
• $ Thieves – Target Your Systems
• Disgruntled Employees/Ex-Employees
• Ego Hackers

How Does Customer Data Disappear?
• Lost or Stolen Laptops
  – 36% of Data Loss Incidents
  – Per victim cost $225
  – Cell Phones/PDAs/Tablets
• Third-Party Errors
  – Who Processes/Holds your data?
• Your Own Errors
  – Process Procedures/Training Systems/Software
• Malicious Attacks
  – 24% of Data Loss Incidents
  – Criminals
  – Enemies

Malicious Attacks
• The incidence of malicious attacks is on the rise – up 12% from 2008 to 2009.
• This type of breach is especially expensive – malicious or criminal acts lead to breaches averaging $215 cost per compromised record, 40% higher than breaches involving a negligent insider ($154 per record), and 30% higher than breaches from system glitches ($166).

Cost of Meeting Obligations
• In 2009, the average cost of a data breach increased from $6.65 million to $6.75 million. The most expensive breach event in 2009 cost the organization nearly $31 million.
• The cost of a data breach has increased drastically in the last four years.
  – In 2005, per-record cost was $138.
  – In 2009, the per-record cost was $204.

Who Will You Communicate With?
• Your Regulators
• Law Enforcement
• State Attorneys General
• Federal Trade Commission
• Payment Card Industry – Banks and Card Companies
• Customers (And Customers of Customers)
• Credit Reporting Agencies
• Others Affected by the Incident
• Press

Heartland Payment Systems
• 5th largest merchant processor in US
• NYSE: HPY
• 3,000 W-2 Employees throughout US
• 250,000 merchant customers
• $1.2 Billion in revenue
• Process $80 Billion in transactions per year

Processing System Intrusion
• 1/20/09 Heartland Announces Intrusion:
  – Criminal breach of payment systems environment
  – Malicious software used to collect in-transit, unencrypted payment card data during transaction authorization process
  – Data not required to be encrypted while in transit under payment card industry guidelines
  – Heartland received PCI-DSS compliance each year
  – Card data that could have been exposed: card numbers, expiration dates, mag stripe data, but not: CVV2, SS, unencrypted PIN
  – Breach contained and did not extend beyond 2008

Inquiries, Claims and Litigation
• Inquiries: SEC/DOJ, FTC, State AGs, FFIEC
• Claims: Visa, MC, Amex, Discover
  – Status: settlements reached with Visa, Amex and signed with MC
• Litigation
  – 40 class actions filed against Heartland
  – Consolidated by JPML to 3 class actions: securities class action, cardholder class action, and financial institution class action
  – Shareholder derivative claims made
  – Status: securities class action dismissed, derivative claims dismissed, cardholder class action settled. MTD before financial institution class action judge.

Costs of Intrusion
• From 2009 to 1Q10, Heartland expensed $139.4 MM
• Includes:
  – Settlement agreements with Visa, American Express and MasterCard
  – Settlement of cardholder class action
  – Legal costs and fees
• Subtract $30MM in insurance proceeds

Heartland Initiatives
• End-to-end encryption (E3)
• Payments Processing Information Sharing Council (PPISC) within FS-ISAC

Preparation is Critical to Surviving a Data Breach – Internal Preparation
• Implement a data breach incident response plan
  – Critical that your company can respond promptly in the event of a data breach
  – Some states provide for fines if notification is not provided or is not provided in a timely manner
• Ensure that the plan will work well for your particular company
• Communicate existence of plan and contact information to all employees

Preparation – Third Party Vendors
• Think before company sends data to a third party
  – Does third party need all of the data being sent?
• Contractually protect company
  – Control data sent to third party
  – Limit use of data
  – Require third party to notify company in event of breach/suspected breach, even if third party still is gathering information

State Data Breach Notification Laws
• 46 states, plus Washington D.C., Puerto Rico, and the U.S. Virgin Islands, have data breach notification laws
  – Entities required to notify (private vs. govt. entity) varies by state
  – Notification requirements may vary based on whether entity is data holder vs. data owner
  – Some states provide businesses with discretion in determining whether notification is required based on risk of harm or potential misuse of compromised data
• Content of Notification Varies by State; Common Elements Include
  – Nature of Breach
  – Number of people affected
  – Contact information of company
  – Type of information obtained

Special Requirements
• Contact information for State Agency
• CRA notification
• State Regulator Notification (varies based on the facts of the breach)

Then there’s Massachusetts…

Massachusetts REQUIRES:
• Right to obtain a police report
• How to request a security freeze
• Fees required to be paid to the CRAs

Massachusetts PROHIBITS:
• Nature of Breach
• Number of people affected

New Legislation
• Mississippi (Eff. Date July 1, 2011)
  – Disclosure required for companies that own, license, OR maintain data
  – No notification required if harm unlikely

Second Wave of Data Breach Bills
• Indiana (2008)
  – Closed laptop loophole in original notification law
• New Hampshire (Eff. Date January 1, 2010)
  – Stricter breach notification law for healthcare providers and business associates
• California (Pending)
  – First state to pass a breach notification law, in 2003
  – Added medical and health insurance info in 2007
  – If enacted, SB 1166 would make existing notification requirements more stringent

Questions?

Contacts:
• Ted F. Claypoole - Attorney, Womble Carlyle Sandridge & Rice, PLLC ([email protected]; 704-331-4910)
• Jennifer M. Kashatus, CIPP - Attorney, Womble Carlyle Sandridge & Rice, PLLC ([email protected]; 202-857-4506)
• Sarah Byer Miller - Attorney, Womble Carlyle Sandridge & Rice, PLLC ([email protected]; 202-857-4448)

This presentation is intended to provide general information and should not be construed as providing legal advice or legal opinions. You should consult an attorney for specific legal questions. To ensure compliance with IRS requirements, we inform you that this presentation is not intended or written to be used, and cannot be used, for the purpose of avoiding penalties under the Internal Revenue Code.