7:00 – 8:20 Breakfast and Check-in
8:20 – 8:30 Welcome Remarks
8:30 – 9:15 Incident Response, Law Enforcement and the New Accountability Paradigm
Data breach response workflow and coordination requires careful navigation because, among other things, the legal, public communications, and compliance ramifications of any failure can be devastating and value destructive for both public and private companies. It can also cost corporate executives their jobs. This panel will explore how, just like any other independent and thorough investigation, the work relating to a cyber-attack involves a team of lawyers with different skill-sets and expertise (e.g., regulatory, ediscovery, data breach response, privacy, litigation, law enforcement liaison, and public communications). The panel will focus especially on the critical coordination role played by the legal function, on the regulatory response aspects of IR, and on the national security implications that lurk in the background of just about every corporate decision.
- David R. Fontaine (Kroll) — Moderator
- David A. Hoffman (Intel Corp.)
- Jordan Rae Kelly (National Security Council)
- Phyllis B. Sumner (King and Spalding)
9:20 – 10:05 Managing Retail Data Breaches
This panel will focus on the unique aspects of handling a data breach involving a retail organization, or any other organization that collects credit card information. When a cyber-attack targets electronically transmitted, collected or stored payment card information, so-called Payment Card Industry Data Security Standards (“PCI-DSS”) compliance is often one of the first aspects investigated. PCI-DSS is a set of requirements created to help protect the security of electronic payment card transactions that include PII of cardholders, and it operates as an industry security standard for organizations utilizing credit card information.
If a cyber-attack against a company involves credit cards or other similar modes of payment and triggers PCI-DSS compliance, the unique investigative and remedial workflow involving the PCI-DSS can be extremely costly, cumbersome and disruptive. This panel will also help clarify the value of personal identifying information (PII); how PII is sold/exploited by criminals; and why protecting PII is so important.
- Hon. Louis J. Freeh (Freeh Group International Solutions) — Moderator
- David N. Fagan (Covington & Burling)
- Maneesha Mithal (Federal Trade Commission)
- Bret Padres (Crypsis)
- Heather Egan Sussman (Ropes & Gray)
10:05 – 10:15 Break
10:15 – 11:00 Financial Regulators, Law Enforcement and Data Breaches
This panel will focus on the unique regulatory and legal framework surrounding cyber-attacks of financial firms, with a particular focus on managing issues pertaining to the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority and various law enforcement agencies.
- John Reed Stark (John Reed Stark Consulting) — Moderator
- Robert A. Cohen (Securities and Exchange Commission)
- Elizabeth P. Gray (Willkie Farr & Gallagher)
- David Kelley (Financial Industry Regulatory Authority)
11:00 – 11:10 Break
11:10 – 12:00 National Security and Cyber-Attacks
This panel will focus on the international threat of cyber-attacks. For legal and compliance professionals, understanding the international dynamic of cyber-threats is critical to adequately represent the interest of corporate clients – especially in the context of regulatory compliance, insurance claims, and privacy protections.
- Luke Dembosky (Debevoise & Plimpton) — Moderator
- Maj. Gen. Charles J. Dunlap, Jr. (Ret.) (Duke Law School)
- Scott Ferber (Department of Justice)
- Jonathan E. Meyer (SheppardMullin)
- Tonya Ugoretz (Office of the Director of National Intelligence)
12:00 – 1:10 Lunch and Afternoon Keynote Q&A with John Lynch, Chief, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice (moderated by Jeff Ward, Duke Law School)
1:10 – 2:00 Managing Data Breaches Across Borders
When a data security incident occurs, the ramifications are rarely confined by physical borders. Cyber concerns for Incident Response teams typically cross borders and are global in nature – mandating additional attention, expertise and oversight. For instance, in addition to the federal and state regulations, many U.S. companies maintain subsidiaries, affiliates or employees in the European Union (E.U.). Such companies, whether public or private, must comply with relevant E.U. Member State data protection laws and guidelines where “personal data” (as defined by the pertinent law) is collected, processed or transferred by local operations.
- Antony Kim (Orrick) — Moderator
- Jennifer Archie (Latham & Watkins)
- Eric L. Goldstein (O’Melveny & Myers)
- James A. Harvey (Alston and Bird)
2:00 – 2:10 Break
2:10 – 3:00 After the Breach: Digital Forensics and Remediation
Cyber attackers have become increasingly innovative in their techniques and execution. This panel covers the latest methods and practices of cyber-attackers, which legal and compliance practitioners need to understand. For instance, during the aftermath of a data breach, an expert forensic team will typically present its findings to the legal team leading the incident response. The legal team will then determine the nature and substance of any contractual, statutory (federal and state) or other requirements triggered by the attack. Without understanding the nature of the latest attacks and threats, a legal or compliance team can stumble (badly) concerning this critical responsibility and cannot effectively carry out one of the most critical aspects of data breach response — remediation.
- Justin L. Root (Dickinson Wright) — Moderator
- Dr. Gary D. King (Air Force Office of Special Investigations)
- Darren Lacey (Johns Hopkins University and Johns Hopkins Medicine)
- Tara McGraw Swaminatha (Squire Patton Boggs)
- Luke Tenery (Ankura Consulting Group)
3:00 – 3:10 Break
3:10 – 4:00 Spotlight: State Regulators
Privacy laws begin not with the federal government but with the states: There is no one unifying privacy-based federal statutory regime. Privacy laws vary by jurisdiction, are interpreted unpredictably and are in a constant state of flux. Some are based broadly, while others cover specific elements of industry sectors, such as medical records, financial transactions, credit cards, debt collectors, insurers or even library records. As the regulatory protections afforded to so-called personally identifying information (PII) continue to expand, so do the risks in acquiring, storing and transmitting such information. What are best practices? When must a company notify customers of a data security incident? What remediation is required?
New York State’s Division of Financial Services has issued a broad ranging new cybersecurity regulation requiring banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry. What is the status/impact of these new cybersecurity regulations?
- Edward R. McNicholas (Sidley Austin) — Moderator
- Erez Liebermann (Prudential Financial)
- Dominic A. Paluzzi (McDonald Hopkins)
- Lydia Parnes (Wilson Sonsini Goodrich & Rosati)
- Gregory A. Tapocsi (Office of Ohio AG)
4:00 – 4:10 Break
4:10 – 5:00 Breach Avoidance/Preparation: Counseling Companies Before the Inevitable Breach (Including Cyber Insurance)
Although data breaches are inevitable, companies should still take important and thoughtful preemptive measures to meet their compliance obligations and to help prepare themselves to respond. This panel focuses on preemptive steps that legal and compliance professionals should implement today, not only to ensure adequate preparation for the latest types of data breaches, but also to assure adequate compliance amid increasing regulatory scrutiny. This panel will also discuss the related area of cyber insurance.
Companies have begun taking into account cybersecurity concerns when considering overall enterprise risk management and insurance risk transfer mechanisms, just as they do with other hazards of doing business. Clearly, cyber insurance will eventually become yet another basic element of a company’s insurance coverage, just like property insurance and health insurance. Many companies might even find their customers demanding that the company carry cyber insurance as a matter of good business practice.
- Jennifer A. Coughlin (Mullen Coughlin) — Moderator
- Timothy A. Gallagher (Federal Bureau of Investigation)
- Scott N. Godes (Barnes & Thornburg)
- John D. Kennedy (Nationwide Insurance)
- Matthew F. Noyes (U.S. Secret Service)
5:00 – 6:00 Cocktail Party and Announcement of “Incident Response 30” Honorees