Practical Lessons Learned: An Overview of Cybersecurity Law & Information Governance

Transcription

1 Baltimore Chapter Practical Lessons Learned: An Overview of Cybersecurity Law & Information Governance presented by Howard R. Feldman S. Keith Moulsdale

2 What we re trying to protect. Privacy Rights PII, Identity, Financial Matters, Healthcare, Children, Online Behaviors, Employee Behaviors, Behaviors in our House/Private Space, etc. Safety - of children, and from violence, stalking and harassment Intellectual Property Trade Secrets: formulae; flow charts; processes; novel ideas; financials Copyrights: music; videos; photos of private people; photos of famous people; software code Trademarks: domain name ownership State Secrets How to build a nuclear bomb; Communications between embassies; Troop numbers and movements; Satellite positioning and capabilities; How to build a drone Networks + Infrastructure Shared: financial systems, phone systems, energy grids Personal: WIFI

3 Cybersecurity is merely an aspect of Information Security + Governance Information Security Cybersecurity (a) technological, social and legal controls (b) implemented by governments, NGOs, private organizations and individuals (c) to secure electronic communications and networks - and other related spaces and things - that store RVA (d) from manipulation, theft and attack (e) by enemies of the state, terrorists, hackers, competitors and others. Cybersecurity Law Information Security Law complying with laws whose purpose or effect is to protect RVA in an electronic and physical world

4 Cybersecurity + Information Governance Pressure Points

5 Data: Big, Inexpensive + Accessible Storage volume - plentiful and inexpensive: o iphone 4S: GB o Basic laptop: 320 GB o Basic desktop computer: 1 TB (1024 GBs) o 4 GB thumb drive: $8.00 o 2 TB external hard drive: $90.00 Capacity of one 4 GB thumb drive ($8) o 400,000 pages (or 160 boxes) of files o 260,000 pages of Word documents Big Data Software is here, too. o Apache Hadoop; NoSQL; FireAMP at SourceFire Cloud Storage = Loss of Direct Control

6 Quantity of Global Digital Data - Exabytes EMC/IDC Digital Universe Study, 2011 (as reported in The Economist The World in 2012)

7 Where is the info. you need to protect? Data lives on computers, but lives in other vulnerable places, too. BUT ALSO on cellulose pulp, derived mainly from wood, and shaped into 8.5 x 11 sheets. And in strange metal structures with sliding doors. AND behind doors, locked and otherwise. And in people s heads and devices. And in off-site storage boxes. And on laptops, CDs, thumb drives and smart phones. Which are easily transportable.

8 Where are the threats coming from? Data security threats are not merely electronic Identity Theft Resource Center 2011 ITRC Breach Report Breaches_2011.shtml

9 Who are the targets? Every Company is at Risk Private Companies Security Companies Defense Contractors & Consultants Government Agencies Financial Institutions Small Businesses Everywhere

10 Size + Impact of Breaches The impact of each breach is growing Average cost of a U.S. data security breach in 2010 (according to Ponemon Institute studies): o $7.2 million per breach (up from $6.8 million) o $214 per record $318 per record for malicious or criminal acts $167 per record for negligence or systems failure Litigation arising from data breaches

11 U.S. o Jumble of IP, Privacy, Security + Retention Laws o Mostly Vertical (Industry Specific) Legal Landscape U.S. States o Also a jumble o Lack of uniformity (e.g., data security breach notice laws) Foreign & Regional Laws o Mostly Horizontal o NGO impact, too

12 With Legislators Like These

13 Business Concerns Operational Needs Safeguard information, assets and goodwill Extract value from growing data Contractual Requirements Business Continuity Institutional Memory and Archives Risk Tolerance Cost

14 Make Cyber Security Part of an Information Security + Governance Plan Security Breach Response Records Management + Retention o Litigation Preparedness Business Continuity Computer Usage Social Media

15 Steps to an Information Security + Governance Plan C-Level Buy-in Due Diligence o Records Inventory o Data Map o Physical Safeguards o Technical Safeguards o Administrative Write the Plan o consider legal and business concerns Implement the Plan o focus group testing o Train employees Periodic Re-Assessment + Enforcement

16 Lessons Learned Need to work in multi-disciplinary teams o Lawyers o C-level Execs o CTO o Consultants who specialize in cybersecurity Internal IT teams sometimes not equipped to handle cybersecurity

17 More Lessons Learned Address information security concerns when negotiating cloud and other vendor contracts: o Conduct careful due diligence and check references o Does vendor have its own info. security + governance plan? o Require prompt notice of a possible breach o Reserve audit and monitoring rights o Indemnification o Where are the servers? o If servers are shared, how can the data be deleted? o Are the support staff proximate to the servers/data? o Encryption levels?

18 Even More Lessons Learned Don t forget to consider info. security in connection with: o M&A transactions o Insurance Policies Control your Disaster recovery does not mean keep everything forever

19 Responding to Possible Security Breaches Rushing to disclose a security breach may cause overreporting and drive up mistakes and costs Law enforcement resources are taxed o be prepared to make your case o Jurisdictional challenges are huge