Come to our session at #PSR18 – Vendor Risk Management: Maintaining Relationships While Limiting Liability

Are you at IAPP – International Association of Privacy Professionals P.S.R.  #PSR18 in Austin? If so, please come to our Thursday 10:30 – 11:30 session on Vendor Risk Management: Maintaining Relationships While Limiting Liability in Lone Star Ballroom A, Level 3. It should be great as I get to be with great panelists Tami Dokken and Melissa Krasnow and we will have Mark Smith as our moderator.

Bloomberg BNA Texas ProfileWhile you’re there pick up your copy of Bloomberg BNA’s  Domestic Privacy Profile: Texas!

If you can’t make it, here is a link to the .pdf (hey, I know people!).

Session Info: https://iapp.org/conference/privacy-security-risk/sessions-psr18/?id=a191a0000028eqTAAQ

Do data breaches have consequences? Will Equifax CIO serve jail time for insider trading?

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Richard R. Best, SEC – Atlanta Division

For years many in the cybersecurity/data breach space have been saying that somebody is going to have to go to jail before corporate decision-makers begin to take cybersecurity as seriously as they should. Many thought the Department of Justice’s focus on individual accountability through the “Yates Memo” may be the vehicle but that has not yet happened.

With the Equifax breach and revelations that three executives had sold stock in the company before the breach was announced publicly, we saw an outcry against what was believed to be insider trading and calls for the executives to face jail time:

Thirty-six U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.

The lawmakers signed a letter asking the U.S. Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission to look into about $1.8 million in stock sales by three executives between July 29 – the day Equifax said it learned that its systems were hacked in mid-May – and when they made it public last week.

“If that happened, somebody needs to go to jail,” Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”

gate-191675_1920As it turned out, however, the sale of stock by those Equifax executives was found to have been properly approved and they did not know of the data breach at the time of the sale, so it was not the problem that many had suspected.

Criminal Charges Filed Against Former CIO of Equifax Unit

For one former Equifax executive, however, his actions were not quite so innocent and may now give rise to the closest chance yet of someone actually getting jail time as a consequence of a data breach:

If these allegations are true, this certainly sounds like insider trading. As stated by Richard R. Best, Regional Director of the Atlanta Regional Office of the SEC, “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”

Best’s sentiments were echoed by David J. LeValley, Special Agent in Charge of FBI Atlanta: “By prosecuting cases like this, the FBI and the U.S. Securities and Exchange Commission are sending a strong message to company insiders that they must follow the same rules that govern regular investors. Otherwise, they face the severe consequences for failing to do so.”

Severe consequences can mean many things. What everyone is really wanting to know is whether Ying actually serve any jail time. If he does, this case will be a game-changer that moves the needle of data breach consequences significantly upward. We will not know the answer to that question until he is convicted (or enters a plea agreement) and sentenced. Some articles state that Ying is facing up to 25 years in jail on the charges. Neither the SEC nor DOJ press releases state how long of a sentence is being sought.

As far as real-life insider trading cases where people have actually been sentenced to jail go, a Wall Street Journal post from 2014 discussing the longest insider trading sentences has the top 5 longest sentences ranging from 12 years down to 7 years. Comparing the amount of money involved in those cases to the $117,000 in losses that Ying avoided makes this cases relatively small. I doubt we will see anything approaching those sentences.

If the question, however, is not how much jail time will Ying get but whether he will get any jail time, I think both the SEC and DOJ have been looking for the right poster child to make an example out of and Ying may have drawn the short straw. Let’s see …

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Do data breaches have consequences? Law firm closes due to irreparable damages to its reputation

The once prestigious 40-year law firm Mossack Fonseca, infamously known for its data breach that revealed the Panama Papers, is closing at the end of the month. The reason, in its words:

“The reputational deterioration, the media campaign, the financial siege and the irregular actions of some Panamanian authorities have caused irreparable damage, whose obligatory consequence is the total cessation of operations to the public.”

What led to all of that? Its data breach, of course.

Full article: Mossack Fonseca to close doors at end of month

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Marine corp data breach lesson: human error is often the cause and is preventable

There has been a data breach emanating from the U.S. Marine Corps Forces Reserve that impacted 21,426 individuals. The breach exposed their sensitive personal information such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information.

Calm down and press the pause button on the hysteria hype machine — it was not the Russians behind it! It was something far more treacherous when it comes to the real world of data breaches: it was human error.

In this case, it happened when an individual sent an email to the wrong email distribution list and the email was unencrypted and included an attachment that contained the personal information described above. You can read more about the breach here: Major data breach at Marine Forces Reserve impacts thousands

THE TAKEAWAY:  The important lesson to take away is that scenarios such as this are far more common than all of the super-sophisticated “hacking” type over-politicised stuff that we usually hear about through the media. This is the real world of data breach that most companies face far more often than they face state-sponsored espionage. In fact, research into actual data breaches reveals that 90% of all claims made on cyber insurance stemmed from some type of human error and, as reported by the highly reputable Online Trust Alliance, “in 2017, 93 percent of all breaches could have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.” The good news is this type of problem is preventable with some effort.

Below is a checklist of good cyber hygiene that, in reality, all companies should be doing these days. How do you make sure you’re doing it? You develop and implement a cyber risk management program that is tailor-made for your company and is continuously maturing to address the risks your company face — such as my CyberGard™ program.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What is “reasonable cybersecurity” and how do courts view it? (SecureWorld interviews)

What is “reasonable cybersecurity” and how do courts view “reasonable cybersecurity”?

See KnowB4’s discussion of these interviews

These are two excellent questions that I was asked and I answered, as succinctly as I could, in two short interviews with SecureWorld. Tell me what you think about my answers.

What Is Reasonable Cybersecurity? – SecureWorld article

How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018 – SecureWorld article

Here are the videos.

 

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.