8:15 – 8:30 Introduction and Welcome Remarks
8:30 – 9:15 am DATA BREACH RESPONSE: BIG ISSUES GOING FORWARD
- Chris Cwalina (Norton Rose Fulbright) – Moderator
- H. “Lars” McCarter (DHS)
- Heather Egan Sussman (Orrick)
- Luke Tenery (Ankura Consulting Group)
Data breach response workflow and coordination require careful navigation because, among other things, the legal, public communications, and compliance ramifications of any failure can be devastating and value-destructive for both public and private companies. This panel of top incident response experts will discuss the hottest and most timely issues of IR. Most importantly, this panel will discuss what to expect in the future, kicking it all off with a roundtable on predictions of the biggest IR issues facing legal and compliance professionals during the next few years, from incident response workflow and the law enforcement/regulatory interface to notification, remediation and cyber-related class actions.
9:20 – 10:05 am COUNSELING BOARDS AND THE C-SUITE BEFORE THE INEVITABLE BREACH
- Phyllis B. Sumner (King & Spalding) – Moderator
- Luke Dembosky (Debevoise & Plimpton)
- Jocelyn J. Hunter (The Home Depot)
- Jason N. Smolanoff (Kroll)
This discussion focuses on the requisite strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks. In the aftermath of a corporate cyber-attack, boards and the C-suite they supervise are subjected to immediate public scrutiny and criticism. This new cyber-reality has essentially removed the distinction between board member and IT executive, with cybersecurity emerging as a key corporate risk area. This panel will also discuss how to approach/improve/manage cybersecurity so that, when the inevitable data security incident occurs, a company’s cyber-hygiene will not only meet, but also impress, the litany of state, federal, and/or sector-based regulators that will suddenly become engaged as well as the many other parties who may seek reparation and/or recompense.
10:10 – 10:55 am RESPONDING TO BUSINESS EMAIL COMPROMISE ATTACKS
- Antony (Tony) Kim (Orrick) – Moderator
- Allison J. Bender (Wilson Sonsini Goodrich & Rosati)
- Michael D’Ambrosio (U.S. Secret Service)
- Nicole Friedlander (Sullivan & Cromwell)
Business email compromise (BEC) attacks can have significant regulatory implications, can involve important legal responsibilities and liabilities, and are growing exponentially both in scope and in breadth. Because BEC issues are critical to the very survival of a company, lawyers typically oversee and direct investigative workflow, command the investigation and remediation for the C-suite, and share with senior management the ultimate responsibility for key decisions. This panel will cover the latest developments in, and the latest legal techniques, practices and countermeasures for, BEC attacks. Most importantly, this panel will address the most effective methods and processes available for BEC recovery.
11:00 – 11:45 am MANAGING THE INSIDER THREAT IN THE WORLD OF CYBER
- Ashden Fein (Covington & Burling) – Moderator
- Yudhijit Bhattacharjee (Author, “The Spy Who Couldn’t Spell”)
- Bret Padres (The Crypsis Group)
- Gary Walker (Omnisystems)
One of the most significant, and too often ignored, cybersecurity risks involves the company insider. Leaks, theft, and sabotage by employees (and former employees) have become a major cybersecurity risk – and pose unique investigatory and response challenges for legal and compliance professionals. This panel discusses how to handle the many challenging issues which can arise when a data security incident involves the negligent or intentional misconduct of a current or former employee. This panel will also include a discussion of one of the more infamous insider threat investigations, the thrilling, true-life account of the FBI’s hunt for the ingenious traitor Brian Regan. Before Edward Snowden’s infamous data breach, the largest theft of government secrets was committed by Regan, whose intricate espionage scheme and complex system of coded messages were made even more baffling by his dyslexia. Regan, who came to be known as The Spy Who Couldn’t Spell, was captured because of the extraordinary efforts of Bret Padres (then Air Force OSI) and Gary Walker (then Air Force OSI) as described in a book by Yudhijit Bhattacharjee – all of whom will be on this panel.
11:50 – 12:35 pm NATIONAL SECURITY AND CYBER-ATTACKS
- Lisa O. Monaco (O’Melveny & Myers) – Moderator
- Ian Brekke (DHS)
- David C. Lashway (Baker & McKenzie)
- Michael Sussmann (Perkins Coie)
This panel will focus on the national security implications of cyber-attacks. For legal and compliance professionals, understanding the national security dynamic of cyber-threats is critical to represent adequately the interest of corporate clients – especially in the context of regulatory compliance; insurance claims; and privacy protections. This panel will include a look at which foreign entities are hacking into American systems, and how they are doing it. Other questions include: What sort of impact does foreign complicity in a data breach have upon a successful strategic incident response? If foreign countries are tampering with elections, should boards be concerned that they’re also tampering with supply chains?
12:40 – 1:05 pm Keynote Discussion with Justin Shibayama Herring (Executive Deputy Superintendent, Cybersecurity Division for New York Department of Financial Services)
- Moderated by Ken C. Joseph (Duff & Phelps)
1:10 – 1:35 pm Cybersecurity Regulatory/Law Enforcement Spotlight with Special Government Guest
1:40 – 2:25 pm RESPONDING TO RANSOMWARE ATTACKS
- Sean B. Hoar (Lewis Brisbois) – Moderator
- Leonard Bailey (DOJ)
- Kimberly Kiefer Peretti (Alston & Bird)
- Scott Lindlaw (Sard Verbinnen & Co.)
Ransomware attacks can have significant regulatory implications, can involve important legal responsibilities and liabilities, and are growing exponentially. Because ransomware response is critical to the very survival of a company, lawyers typically oversee and direct investigative workflow, command the investigation and remediation for the C-suite, and share with senior management the ultimate responsibility for key decisions. In the context of ransomware in particular, because most companies end up paying the ransom, effective legal counsel is essential. This panel will discuss some of the more typical ransomware workflows, such as: working with law enforcement; quarterbacking remediation; managing any possible customer and regulatory notification responsibilities; and leading the battle for any insurance claims. This panel will also address some of the unique and complex issues involved, such as the legal risks of negotiating with, and tendering payment to, the ransomware purveyor.
2:30 – 3:20 pm INCIDENT RESPONSE AND THE CALIFORNIA CONSUMER PRIVACY ACT AND GDPR
- Travis LeBlanc (Cooley LLP) – Moderator
- Jennifer A. Beckage (Beckage PLLC)
- James A. Trilling (FTC)
- David A. Hoffman (Intel Corporation)
- Serrin A. Turner (Latham & Watkins)
The CCPA, effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The CCPA now takes its place alongside the European Union’s General Data Protection Regulation (GDPR), which has its own legal framework with different scopes, definitions, and requirements. Both statutes will have a tremendous impact on businesses and will permanently change the way customer data is collected, stored, and used. This panel will focus on the most critical items in both blockbuster statutes, with an emphasis on how to manage these responsibilities in the context of a data security incident.
3:25 – 4:10 pm CYBER-INSURANCE (TRENDS AND HOW TO GET PAID); CLASS ACTIONS (TRENDS AND HOW TO AVOID); AND DAMAGES (TRENDS AND HOW TO CALCULATE)
- Kari M. Rollins (Sheppard Mullin) – Moderator
- Dr. Vildan Altuglu (Cornerstone Research)
- Scott N. Godes (Barnes & Thornburg)
- Paul H. Luehr (Faegre Drinker Biddle & Reath LLP)
Companies have begun taking into account cybersecurity concerns when considering overall enterprise risk management and insurance risk transfer mechanisms, just as they do with other hazards of doing business. Yet there is no standard cyber-insurance policy, and many corporate cyber-insurance policies are bespoke. This discussion focuses on: 1) battleground legal issues concerning cyber-insurance (and other types of insurance), including discussions of how to make sure all parties involved are properly covered and reimbursed; 2) the types of damages, theories and models in data breach class actions and some of the issues underlying these types of calculations and theories; and 3) how the latest class action developments impact the conducting of an incident response.
4:15 – 5:00 pm FINANCIAL REGULATORS, CYBERSECURITY AND DATA BREACHES
- Elizabeth P. Gray (Willkie Farr & Gallagher) – Moderator
- Ali L. Karshan (Citigroup Inc.)
- Kristina Littman (SEC)
- Edward R. McNicholas (Ropes & Gray)
This discussion will focus on the unique regulatory and legal framework surrounding cyber-attacks of financial firms, with a particular focus on managing issues pertaining to the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority, and the litany of other federal and state financial law enforcement/regulatory agencies.
5:00 – 6:00 pm ANNOUNCEMENT OF “INCIDENT RESPONSE 30” FOR 2020 AND Q&A SESSION