Information Security: Threats, Response, Enforcement

Michael Zweiback, Partner
ALSTON & BIRD, LLP - Los Angeles Office

June 3, 2009
Los Angeles Information Systems Security Association - Summit
Los Angeles, CA
BACKGROUND

Michael Zweiback, Partner, Alston + Bird LLP

Practice areas - Internal Investigations (Theft of Trade Secrets and Corporate Network Intrusions), Privacy & Data Security, Health Care, RICO, Fraud, Foreign Corrupt Practices, & False Claims

Prior experience - 18 years in US Attorney's Office, Los Angeles
  • Chief, Cyber & Intellectual Property Crimes Section
  • Deputy Chief, Terrorism & Organized Crime Section
  • Deputy Chief, Organized Crime Strike Force
Threats In The "Wild"

  • State Sponsored - Russian Business Network
  • Highly Sophisticated Organized Profiteers
      - Botnet operators and malware writers who share work through chat channels;
      - Extortion via hacking - Express Scripts Investigation - threat to publish hacked HIPAA information (including SSNs), detailed in PC World.
  • Disgruntled Employees - Vendors/Contract IT
  • Hacktivists - Bragging Rights - University Hacking - USC
THE "BOT MASTERS"

  • BotNETs are the growing underworld infrastructure for web disruption and criminal activity - Conficker is the largest BotNET.
      - Distributed Denial of Service (DDOS) - generally for purposes of extortion.
      - Spreading infection/malware.
      - E-Mail SPAM - most spam is distributed by BotNET.
What Should I Be Doing About Data Security and Privacy Right Now?

  • Scenario #1: What responsibility do you have for third parties who have access to your systems or data?
  • A mortgage lender in Texas allowed its database to be accessed by a third-party home-seller. The third party was then hacked and the lender's database was compromised, allowing access to credit reports and personal financial information of the lender's customers. FTC imposes comprehensive remedies including 20-year requirements.
What Should I Be Doing About Data Security and Privacy Right Now?

  • Scenario #2: Cloud computing - the wave of the future has a tsunami of data security issues.

    Everyone is singing the praises of "the cloud" to cut costs and enable applications. But is the cloud secure? How do you monitor and control your risks? Who are you dealing with, where is the infrastructure, and who is accountable? How is your data secured? Do you have audit rights?
What Should I Be Doing About Data Security and Privacy Right Now?

  • Scenario #3: No breach ≠ no enforcement

    A London stockbroker had "casual" practices regarding customer personal and financial information: discussed over phone calls, published in unsecured mailings, and stored as unencrypted data at employees' homes. There was no known breach or theft of this data. The FSA (UK Financial Services Authority) enforces a fine and remedies.
What Should I Be Doing About Data Security and Privacy Right Now?

  • Scenario #4: Heartburn at Heartland

    100 million credit card records compromised when a weak point in the company's data flow process is attacked and unencrypted data is accessed. What are the costs of security incidents?

[Chart: Heartland Payment Systems Inc. (HPY) stock price, annotated "1/21/09 Heartland Announces Data Breach"]
Development Of An Information Security Plan

  • Do you know what you have and why you keep it?
  • Have you segregated access so that only those who need sensitive information have access? Where are your Trade Secrets?
  • Have you clearly designated responsibilities in the event of a security breach?
  • If the affected technology platform is outsourced, how do you obtain access? What are your access rights?
Who Is On The Team?

  • Start small and build out;
  • IT Staff are your first responders;
  • Chief Information Privacy Officer - coordination;
  • HR - if the breach is internal, what are the existing privacy policies that impact your ability to obtain information?
Be Prepared To Lead

  • General Counsel's Role - Quarterback
      - Communicate with C-level executives
      - Ensure resources are properly allocated and available
      - Coordinate press response, if necessary
  • Outside Counsel Role
      - Breach notification requirements
      - Timing - safe harbors for law enforcement
      - If multiple jurisdictions are impacted, you need to know the laws of each state as well as international jurisdictions.
      - Are you going to need to self-report the incident to regulators?
The Regulators

Federal Trade Commission Enforcement under Section 5 of the FTC Act
  • Prohibits unfair or deceptive promises in privacy statements, including promises about the security of consumers' personal information.
      - FTC v. GUIDANCE SOFTWARE
  • Unfairness authority to challenge information practices that cause substantial consumer injury.
      - FTC v. TJ MAXX
Penalties

  • Penalties for a violation can include:
      - Establish a comprehensive security program;
      - Audit every two years by a third party;
      - Reporting to the FTC;
      - If the breach demonstrates compliance is seriously lacking, an outside monitor may be required;
      - Under regulatory scrutiny for 10-20 years - similar to an injunction.
Others Are Watching

  • SEC now enforcing the "Safeguards Rule" of federal securities laws for broker-dealers and SEC-registered investment advisors.
  • SEC v. LPL Financial - Sept. 11, 2008 - failure to adopt policies to safeguard customer information - 10,000 customers vulnerable after hacking of online trading platform.
Others Are Also Watching

  • SEC Penalties -
      - Cease and desist from future violations of the Safeguards Rule;
      - $275,000 fine;
      - Must retain an independent expert to review policies and procedures;
      - Implement a policy and set procedures for training employees to safeguard customer data.
You Are Not Done

  • FTC - COPPA - Sony BMG - largest FTC settlement ever
  • Health and Human Services -
      - Providence Health Services - stolen medical records as a result of lost laptops; paid $100,000 fine to DOJ
  • State Attorneys General - Texas and California very active - enforcement of federal regulatory schemes;
  • Increasing class action litigation - erosion of the actual damages requirement
Personal Health Information (PHI): New Privacy and Data Security Rules

  • ARRA Significantly Revises HIPAA Rules
      - American Recovery and Reinvestment Act of 2009 ("ARRA") amends the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA Rules")
          * President Obama signed it into law on February 17, 2009
          * One year for companies to come into compliance with the new rules
  • Four Significant Changes
      - Broader application to Business Associates, vendors of Personal Health Records (PHRs) & other non-HIPAA-covered entities
      - Statutory security breach notification requirements for PHI
      - New patient protections for Electronic Health Records (EHRs)
      - Expanded civil enforcement, including State AG actions
THANK YOU!

Contact Information:
  MICHAEL ZWEIBACK
  Alston & Bird LLP
  333 South Hope Street, 15th Floor
  Los Angeles, CA 90071
  (213) 576-1163
  michael.zweiback@alston.com

Biography:
  http://www.alston.com/michael_zweiback