2016 Mid-Year Cybersecurity and Data Protection Legal Summit
Wednesday, June 15, 2016
7:30 am - 8:00 am Registration and Continental Breakfast
8:00 am - 10:00 am Ransomware Extortion Hack Simulation Workshop
Jay F. Kramer, Supervisory Special Agent, Federal Bureau of Investigation, Cyber Division, New York Office
Alan M. Winchester, Member, Harris Beach PLLC
Richard A. Shutts, Jr., Chief Information Officer, Harris Beach PLLC

The CEO of Hollywood Presbyterian Medical Center says the hospital decided to pay ransom to hackers who were holding its computer network hostage because that was the "quickest and most efficient way" to regain control of the system.

Do you think he made the right choice?  What would you do when forced to decide between regaining access to your files and taking a stand against criminals? 

Extortion hacks, where hackers threaten to release confidential company/customer data if the victim does not comply, are on the rise. This type of attack is listed among the most serious security threats of 2016 and is estimated to have cost victims more than $5 million annually. “But I back up my data,” you say, “and I don’t care if I can’t access my network.” These are fair points, but do they account for the reality that a major danger of these attacks is the ruin that can accompany public release of sensitive information, ranging from embarrassing emails to trade secrets?

This extended session will present a tabletop exercise walking you through the response to an extortion hack fact pattern. Take an in-depth look at the decision chart you should keep handy to ensure that you can quickly and efficiently regain control of your system, on your own terms. Topics of discussion will include:

  • Creating an organization-wide response plan for an extortion scenario
  • Weighing the legal risks for paying vs. not paying, going public, and more
  • Partnering with law enforcement and computer forensics experts to recover your systems
  • Aligning business continuity planning with this specific and increasingly common cyberrisk
10:00 am - 10:15 am Morning Refreshment Break
10:15 am - 10:25 am Opening Remarks by Chair
Mauricio F. Paez, Partner, Jones Day
10:25 am - 11:25 am The EU-US Privacy Shield: Opportunities and Challenges for Personal Data Transfers From the EU to the US
Mauricio F. Paez, Partner, Jones Day

The EU-US Privacy Shield governing the transfer of personal data from the EU to the US was issued in February 2016. Companies engaged in cross border and transatlantic data exchange have many questions concerning the Privacy Shield, including:
  • The benefits and risks with certifying compliance with the Privacy Shield
  • How and when the Privacy Shield will be implemented
  • The transition approach from the Safe Harbor to the Shield for existing companies that are Safe Harbor certified
  • The major differences in approach between the two mechanisms
  • The enforcement and redress approaches included in the Privacy Shield
  • Jurisdictional enforcement in the E.U. and the U.S.
11:25 am - 11:35 am Intermission - Adjourn to Roundtable Room

11:35 am - 12:35 pm Roundtables - Breakout discussions of 8-14 people led by a table moderator.
11:35 pm - 12:35 pm Roundtable A (Ethics Session) - Lawyer, Heal Thyself! How Should Law Firms Address Cybersecurity Risks?
Devin Chwastyk, Of Counsel, McNees Wallace & Nurick LLC

Data security at law firms suddenly is front page news! The “Panama Papers” scandal arose this year when a law firm was hacked and millions of its clients’ records were exposed. Meanwhile, plaintiff’s lawyers recently threatened class action lawsuits against several of the largest U.S. firms, alleging that their failure to safeguard client data amounts to legal malpractice. With these current events in mind, this roundtable will highlight the unique cyber-security risks faced by law firms, and how attorneys should meet their ethical duty to safeguard confidential information. This discussion is expected to touch upon:
  • How the Rules of Professional Conduct intertwine with data privacy concerns;
  • The standards of care for protection of client information;
  • Best practices for law firm data security, including policies, breach response, notifications, and vendor concerns;
  • The particular challenges of implementing appropriate security measures in a law firm environment.
Roundtable B - Emerging Cybersecurity Threats Stemming from the Deployment of the Internet of Things (IoT)
Todd S. McClelland, Partner, Jones Day

By 2020, 25 billion “smart” devices will be wirelessly connected to, and communicating with, each other, raising serious legal and liability issues. This so-called “Internet of Things” (IoT) is one of the fastest emerging, most transformative, and potentially most disruptive technology developments in years. This roundtable will discuss:
  • How is the use of connected devices by your employees creating potential enterprise risk?
  • Litigation threats for companies deploying IoT devices
  • Best practices for IoT vendors in mitigating risk
11:35 am - 12:35 pm Roundtable C - PR: Using Crises As An Opportunity to Protect and Enhance Your Company’s Reputation
David Lashway, Partner, Baker & McKenzie LLP

Living with the actuality that all companies will experience a breach (if they haven't already) exposes the need for a strong communication structure to preserve a company's reputation.  This roundtable will delve into the importance of:
  • Understanding the latest issues and trends impacting the PR/legal dynamic in a crisis
  • Strategies for balancing an executive charter to advise the company about its legal and ethical obligations and to uncover and defend against charges of company misconduct
  • Using a crisis as an opportunity to protect and enhance the company's reputation by promoting the public interest and transparency
  • Understanding the litigation risk of statements made during a crisis
Roundtable D - Negotiating and Understanding Cyber Liability Insurance
Maria C. Anderson, Associate University Counsel, Office of the President, Montclair State University

Attendees will be provided with a sample commercial agreement and partner with their fellow roundtable members for a hands-on approach to learning about how to:
  • Spot red flags and hidden landmines in contract terms related to cyberrisk and compliance
  • Structure terms that deal with reporting, auditing, subcontractors, and conflicts of law
  • Best practices for vendor management and cyberrisk oversight
11:35 am - 12:35 pm Roundtable E - Cybersecurity & The Employment Lifecycle
Martin L. Schmelkin, Partner, Jones Day
Corporations today have to ensure social media policies and HR policies do not run afoul of any employment laws including the National Labor Relations Act, as well as advising on discipline for employees who violate cybersecurity policies. In this session, we will discuss the best practices and guidelines for HR policies and employment law guidance that will help mitigate cybersecurity issues of a firm’s employees during the three stages of the employment lifecycle.
12:35 pm - 1:35 pm Networking Lunch
1:35 pm - 1:45 pm Intermission – Adjourn to General Session Room
1:45 pm - 2:45 pm Transforming Your Compliance Considerations from “Good on Paper” to Implementable Strategies
Shahryar Shaghaghi, National Leader, Technology Advisory Services, BDO USA, LLP
David Hale, Chief Privacy Officer and Senior Counsel, TD Ameritrade Holding Corporation

As data privacy laws continue to evolve globally, the balance between checking the box for every jurisdiction where a transaction processes personal information to meet local requirements and effectively performing the transaction can be precarious. The good news is that this compliance challenge can be a transformative opportunity for your entire organization to pull together, and for in-house counsel to act as an agent of change. How?

Join this fireside chat session to delve into the case study of how one organization took its codified legal standards and worked with its IT and operations teams in over 150 countries through the establishment of four regional hubs.

2:45 pm - 3:00 pm Afternoon Refreshment Break
3:00 pm - 4:00 pm Cyberinsurance: Recent Trends in Covered and Uncovered Losses
Richard (Rich) DeNatale, Partner, Jones Day
Zachary Scheublein, CIPP/US, Vice President, Aon
Laura Burke, Executive Underwriter - Cyber, Tech, Media & Specialty PI, Allianz - AGCS

As cyber losses mount, policyholders turn to insurance as a method for mitigating both first-party and third-party risk. The market for cyber insurance is growing, but policies are complicated and standard forms have not yet developed. Even sophisticated policyholders may not fully understand what coverages they have – or don’t have. For companies looking to augment their coverage, the underwriting process has become more challenging. The days of the one-page application are over, and companies must demonstrate their breach preparedness and provide detailed information about their controls.

This session will review emerging trends in cyber coverage and the policy provisions that matter most in the event of a breach. We will explore the “Dating Game” between underwriters and prospective policyholders to uncover what insurers look for before they write coverage. We will discuss options available for companies – including those with prior breach history or weak data protection regimes – to make themselves more attractive in the market.

Other issues covered will include:

  • What underwriters expect in the application process
  • Most common reasons insurers walk away from underwriting risk
  • The critical features you should look for in policies
  • Strategies for strengthening and tailoring coverages based on your company's needs
  • Emergence of new exclusions
  • The risk of rescission and how to avoid it
  • Managing breach claims and recovery efforts

4:00 pm - 5:00 pm How Ongoing Data Privacy Litigation Should Be Factored Into Your Data Processing and Breach Response Protocols
Douglas Meal, Partner, Ropes & Gray
Sloane Menkes, Principal, PricewaterhouseCoopers
Jonathan Wilan, Partner, Baker & McKenzie LLP
Moderator: David Lashway, Partner, Baker & McKenzie LLP

It’s not just about data breach class actions anymore.  Update your cybersecurity program with the latest insights from the judicial treatment of data breach injury in fact, privacy implications from the collection and sharing of customer information, and board responsibility for information security.  Topics of discussion will include:

  • When and how data breach injury is determined based on key issues for cases surviving standing challenges in 2015
  • Takeaways from In re Target Corporation Customer Data Security Breach Litigation, Corona v. Sony Pictures Entertainment, Inc., and more
  • No good deed goes unpunished: what to keep in mind for your data breach response plan when it comes to how remediation measures by a company (credit monitoring, etc.) may be open to interpretation as evidence of harm
  • Consequences of Spokeo, Inc. v. Robins (decision expected Spring 2016)
  • How treatment of "personally identifiable information" has been impacted by Video Privacy Protection Act litigation
  • Factors to consider when sharing your customer data with a third party
  • The rise of shareholder derivative litigation

5:00 pm - 6:00 pm Networking Cocktail Reception