Round Table: Cyber Security


www.corporatelivewire.com

Ronald I. Raether, Jr., Esq., CIPP, Faruki Ireland & Cox P.L.L.
Gonenc Gurkaynak, ELIG Attorneys-at-Law
John Lyons, International Cyber Security Protection Alliance (ICSPA)
Christian Schroeder, BDO Legal Rechtsanwalts mbh
Rosemary Jay, Hunton & Williams
Christian Laux, LAUX LAWYERS
Russell Schrader, Visa
Keith Moulsdale, Whiteford Taylor & Preston LLP

The Experts

Christian Schroeder - BDO Legal Rechtsanwalts mbh
T: E: christian.schroeder@bdolegal.de
Dr Christian Schroeder is the head of BDO Legal's IP/IT practice group, which closely cooperates in particular with Frank Wißing of BDO AG's IT Advisory Services. Frank Wißing contributed to this round table by providing the IT security related answers. Dr Schroeder has many years of experience advising clients, including US and UK headquartered multinationals, on IP and IT issues with a special focus on data protection matters. He also interned with the German Federal Data Protection Commissioner and the Electronic Privacy Information Center in Washington, D.C. Dr Schroeder's PhD thesis on comparative US-American and German data protection law won a scientific award from the German Institute for Data Protection and Data Security (GDD). He is a Scientific Board Member of Germany's major data protection journal, Zeitschrift für Datenschutz.

Ronald I. Raether, Jr., Esq., CIPP - Faruki Ireland & Cox P.L.L.
T: E: rraether@ficlaw.com
Ron Raether is a partner at Faruki Ireland & Cox P.L.L. in Dayton, Ohio. Ron's experience with technology-related issues has spanned a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes. Ron has been involved in seminal data privacy and security cases, successfully defending over 30 class actions and 175 individual FCRA and privacy related cases. Ron not only works with companies which have experienced unauthorized access to consumer data or have been named defendants in class actions and before agencies, but also has advised companies in developing practices and policies to proactively address these issues.

Rosemary Jay - Hunton & Williams
T: +44 (0) E: rjay@hunton.com
Rosemary Jay is a senior attorney at Hunton & Williams with over 25 years' experience in privacy and data protection law. She is recognized as one of the top lawyers in the area in the UK. Rosemary is author of Sweet & Maxwell's Data Protection Law & Practice, a contributing editor to The White Book on data protection and an editor of the Encyclopedia of Data Protection and Privacy. She has worked with the Council of Europe, the European Commission and the Commonwealth Secretariat in West Africa, and has advised non-EU states on the adoption and drafting of privacy laws. Rosemary speaks frequently and is a regular contributor to journals, conferences and workshops, as well as participating on a number of advisory committees in the area of privacy and data protection.

Keith Moulsdale - Whiteford Taylor & Preston LLP
T: E: kmoulsdale@wtplaw.com
Keith Moulsdale is a partner at the US law firm of Whiteford Taylor & Preston LLP, where he co-chairs the Cyber Security, Information Management & Privacy practice, and is a former co-chair of the Technology and Intellectual Property practice. Most of his career has focused on licensing, intellectual property, data security, privacy and other legal issues related to technology companies, products and issues, both in the U.S. and internationally. Keith regularly counsels organizations in connection with security breach attempts, and has led assessment, containment and response efforts, developed mitigation strategies, and assisted clients in preparing information security policies and assessing and complying with statutory notification requirements both domestically and internationally. Keith is listed in Best Lawyers in America, is active in the Cyber Incubator at the University of Maryland Baltimore County, and teaches cyber security law in the M.B.A. program at Loyola University Maryland.

Gonenc Gurkaynak - ELIG Attorneys-at-Law
T: E: gonenc.gurkaynak@elig.com
Gönenç Gürkaynak holds an L.L.B. degree from Ankara University Law School (1997), and an L.L.M. degree from Harvard Law School (2001). He is a qualified attorney of the Istanbul Bar (1998) and the New York Bar (2002), and he is also a Solicitor of the Law Society of England & Wales (2004). He lectures at three universities in Istanbul and also holds a permanent teaching position at undergraduate and graduate levels at the Bilkent University Law School in Ankara, where he has been teaching since. Gönenç Gürkaynak is one of the founding partners of ELIG, Attorneys-at-Law in Istanbul, and he heads the Regulatory & Compliance Department at ELIG. He has had over 100 international and local articles published in English and in Turkish on various matters of Turkish law, and two books taught at law schools.

John Lyons - International Cyber Security Protection Alliance (ICSPA)
T: E: icspa@arpartners.com
John Lyons is Chief Executive of the International Cyber Security Protection Alliance (ICSPA), a business-led, international, not-for-profit organisation which aims to provide private and public sector funding and support globally to law enforcement agencies and governments engaged in the fight against cyber crime. Lyons' previous public service included 20 years in the Royal Air Force (Security Branch) and subsequently at the UK's National Hi Tech Crime Unit (which in 2006 formed part of the Serious Organised Crime Agency), where he led the Unit's business engagement as the Crime Reduction Coordinator. Whilst at the NHTCU he established the first UK national public/private sector security awareness campaign for Internet users, Get Safe Online. Lyons' work in the private sector included engagements with Unilever, Johnson & Johnson and Unisys. Lyons is a Liveryman of the City of London's 100th Livery Company, the Worshipful Company of Information Technologists, and a keen, but not great, golfer.

Russell Schrader - Visa
E: rschrade@visa.com
Russ has 15+ years of senior executive level experience at Visa Inc., where he is currently Chief Privacy Officer and Associate General Counsel, Global Enterprise Risk. He is responsible for a wide variety of complex privacy and payment systems policies and issues at Visa, as well as being a principal legal liaison for Visa financial institutions' attorneys on worldwide regulatory issues. Russ began building the Global Privacy Office (GPO) in 2009, using a systematic approach over several years to create a comprehensive framework, principles, and knowledge base that were flexible enough to meet the business strategy as it evolved. It required coordinating staff in multiple geographies and across numerous global functions in support of a common objective, using communication and training to simplify a complex subject, and delivering results by influencing others, without creating a large staff or an unwieldy bureaucracy. Developing and running the GPO requires frequently seeking feedback, accepting new ways of doing things, and recruiting staff with non-traditional skill sets to fill in gaps. This allows the GPO to work with product, engineering, government relations, corporate relations, sales, marketing, risk, and compliance to step up and make major contributions to important innovation initiatives and new payment solutions.

Christian Laux - LAUX LAWYERS
T: E: christian.laux@lauxlawyers.ch
Christian Laux is a Zurich based attorney for technology, advertising and e-commerce matters, combining inside and outside counsel experience with a passion for technology. Christian advises clients on all aspects of IT law, namely outsourcing transactions and other tech driven matters. Christian studied in Zurich, Paris and at Stanford University and has worked in large law firms (Zurich; Mountain View/San Francisco) before founding LAUX LAWYERS, an IT boutique firm offering legal services to the IT sector in Switzerland and abroad. Christian holds a PhD (Zurich), is fluent in German, English and French, and speaks Russian.

Cyber Security

In our Cyber Security round table, eight experts from around the world discuss new regulatory changes and developments in their jurisdictions, offer insight into how to tackle copyright breaches and data protection issues, and outline the best methods to ensure security when outsourcing work.

1. Given the recent shift towards investing in monitoring and response capabilities, to what extent do businesses need to go beyond purely defence?

Schroeder: Due to the increasing threat of cyber attacks, effective monitoring is essential to respond to these threats. However, monitoring is only one side of the equation; the other is the implementation of effective security measures. Measures to be implemented can be drawn from the results of monitoring, but not necessarily. Whether security measures are actually necessary largely depends on the general security strategy pursued by the organisation and its derived security concepts. Similar to the services in cloud computing, the security measures implemented should have a certain amount of scalability. Only in such a case is an organisation able to adapt business needs to the necessary security level.

Raether: We have worked for years with companies in highly regulated sectors which are often the focus of attacks. These companies have employed privacy by design and also recognised that security does not stop at protecting and monitoring the perimeter. The knowledge and experience of these companies are beginning to be recognised by other industries. Being more proactive raises another current trend: hack back or active defence. Such responses range from the extreme measure of using a denial of service attack against the originating servers to less intrusive measures such as trace backs and honeypots. The legal permissibility of such actions is uncertain; however, we are working on policies to navigate these issues. Unfortunately, the sectors most likely to be attacked (healthcare and mobile applications, especially mobile payments) are not always employing these measures. The reasons remain the same: ignorance, or applying limited resources to developing user functionality over baking in security, as evidenced by the recent FTC settlement with a mobile application developer, Path. However, the consequences also are the same, as often others (such as class counsel) may benefit from your ideas and hard work.

Lyons: To be successful at cyber protection, businesses need to consider a multi-layered approach. Equal weight should be given to Board level engagement and awareness and training of all members of staff and contractors. They should undertake a risk-based assessment of the critical elements of their supply chain to ensure that suitable cyber protective measures are employed by their suppliers, especially when the business has outsourced sensitive functions such as the storage and management of customer data.

Laux: Proactive defence is the keyword. Enterprises will need to manage their security concerns, using risk-based approaches in order to determine the appropriate steps. Before you can effectively protect information and other IT assets, one will first need to assess the processes and assets that are core to the business. How would one otherwise be able to apply a risk-based approach? One needs to understand what should be protected. The in-house security team should be able to think like the enemy, an intruder, accepting that not every attack can be blocked at the forefront of the own perimeter. Event detection should rely heavily on data analytics. Incident response should be automated to a high extent; standard remediative action should occur reflex-like. As is very often the case in IT: the right cocktail of measures and procedures is what provides for effective protection.

Schrader: It's not a good idea to rely just on having a strong, or even the strongest, firewall. Attacks are constantly evolving and getting more sophisticated. At Visa we take a multi-layered approach to security and risk management, which is applicable to any business that handles sensitive information. Our approach targets all three points in the fraud cycle. The first is prevent, which involves focusing on minimising fraud in the payment system by building policies, tools, technologies and strategies, such as data minimisation, that help prevent fraud before it happens. The second is protect. This refers to protecting vulnerable card data wherever it is stored, processed or transmitted throughout the payment system. Lastly, there is respond: monitor and manage fraud to ensure we effectively address issues and minimise impact.

2. How do you acquire the perfect balance between the amount of risk you accept before you expose the organisation to real danger, while at the same time ensuring that it is secure without exceeding budget or impeding operations?

Schroeder: Security is a core responsibility of the executive/upper management, which needs to find the right balance. The basis for company security is an approved IT security policy and a company-wide security concept. Both should be approved by executive/upper management. The security concept typically consists of a threat and risk analysis, the derivation of measures, a residual risk analysis and also an economic analysis which shows the costs of security measures. Since many technical measures can be replaced by organisational measures, the balance between the required security and economic requirements can be established. However, it should be noted that organisational measures do not always have the same effect as technical ones. In addition, companies often use alternative (shortened) methods for the creation of IT security concepts. Applying these methods often leads to decreased transparency of the relation between the underlying economics and security.

Raether: Security is risk management. Understand the value of the data assets and develop a measured regime. Have a plan and the right people in place to implement and manage the plan. Companies need to remain vigilant and constantly engaged in security. Security is not an event on a project chart that can be completed and then ignored as the team moves on to the next project. The risks are constantly changing and often unique to each organisation. One common issue is the vulnerabilities created by the weakest link: people. Having the right policies is only a good start. Training and testing are essential, as is accountability and ownership. Technical solutions are being developed, e.g., disabling USB ports, usage auditing to detect misuse and the like. ISSA and SANS provide good resources for identifying common attack vectors and solutions being implemented by others.

Lyons: Carry out an in-depth analysis of all business lines and functions. Categorise each function in terms of its criticality to business operations, reputation, financial dependencies, governance and compliance. Grade the impact on each of these against the likelihood of failure in functionality and you will begin to understand where the risks lie and their criticality, together with the probability of them happening. Remember that less than 10% of systems failure is due to external factors such as cyber attacks. The vast majority of system failures are due to the unforeseen effects of change, incompetence and poor user/technical staff training.

Laux: Information Management is the overall theme to help balance the interests at stake. To get there, preliminary steps are recommended: Information Management starts with reducing complexity. Reducing complexity can mean that one adopts a more balanced view on one's own information assets, namely IP assets, and releases other pieces of information as open source. Core pieces of information, however, should be protected by means of state of the art routines and technology. Data should be organised in a smart way. Namely, data should be segregated so as to reduce the impact of an attack. Segregation should be made through good tools for information management. This is how Information Management becomes an imperative of these days.

Schrader: There is no one-size-fits-all approach to security, and the balance is always shifting. However, any entity that handles payment information should at minimum follow the Payment Card Industry Data Security Standard (PCI-DSS), an important baseline of security. Companies that handle other types of information also should take appropriate precautions based on the sensitivity of that data. What additional tools and strategies an organisation deploys above and beyond that is dependent on each organisation's individual business case. Businesses also need to factor in the costs of a breach, financial and reputational, when setting a budget.

Moulsdale: In a world where even the most sophisticated, financed and protected networks can and do get hacked, it is not possible to bullet-proof an organisation from real danger arising from cyber threats without completely pulling the plug between the organisation and the internet and other networks. So, every organisation must seek its own perfect balance between risk, budget realities and operations. That balance will be different for each organisation, and depends on a number of factors, including the value and level of sensitivity of data stored or controlled by the organisation, whether the organisation operates critical infrastructure, whether a breach could lead to personal injury, the scope of applicable data security preparedness laws and regulations, whether the organisation is publicly traded, and the organisation's duties to customers, partners and shareholders.

3. Likewise, with the EU states likely to force changes to soften proposed data protection rules due to the financial risk involved for businesses, how important is it to get the legislative balance correct?

Schroeder: The results of the current legislative process on the EU data protection regulation are, in our view, far from clear. It may well happen that, perhaps in part, data protection laws will be softened to allow for better compliance with the law. The current data protection law is at times considered too burdensome and inflexible and little enforced. For this reason, it is often difficult to convince businesses that compliance with data protection laws is key for running a successful business. New European-wide harmonised laws may hopefully provide better solutions for both the right to privacy and business interests, and may actually be a benefit for European businesses. Striking the right balance would be important to regain and strengthen consumers' trust in businesses while applying somewhat more business friendly laws. In addition, the new regulation will hopefully better bridge some transatlantic differences. However, this is a task for both sides of the Atlantic.

Raether: The need for legislative balance is always critical and not unique to the EU, but probably never more than now given the economic uncertainties. That being said, per my earlier comments on risk management, any legislative requirement needs to be balanced and scalable to the business or sector risk.
You can never undervalue the speed with which misinformation and the resulting emotional responses impact the law-making process. Far too often, the legislative response is to impose administrative requirements that do little to improve security but instead dramatically increase costs, benefiting only the consultants retained to perform check-the-box reviews or audits. Instead, any legislation needs to appreciate the ever evolving nature of security threats and permit companies to dedicate limited resources to implementing sound practices rather than writing documents and addressing check-the-box procedures. A more effective solution involves flexibility and cooperation. This means that regulators must understand the industry and be knowledgeable about security. The effort should be collaborative, rather than just bringing gotcha enforcement actions or illusory legislative requirements.

Jay: I think that this question takes a certain amount of unpicking before we can deal with it. As listeners will be aware, the EU has made a proposal for a data protection regulation which would replace the existing Directive and, if passed, come into force around. The draft Regulation is going through the EU legislative process at the moment, with debates between the European Parliament, the Commission and the Member States. The draft has some new provisions around security but they are not massively different to many of those in force in one or more Member States. One of the items in the draft is that every data controller and processor should have a duty to give notice of any security breaches. The timescales for the notices are very short indeed. One of the pressures from Member States is to make the timescales more realistic and to back off from requiring notices in all cases. I would not categorise these as softening the data protection rules around security. However, I would agree wholeheartedly that it is important to get the legislative balance right. I think that the pressure at the moment is to achieve that balance and move away from some of the more extreme and less realistic EU proposals.

Lyons: As a business you only have two choices to make. You either carry on to your advantage, risk non-compliance, a court case, legal fees, a potential fine and adverse reputational damage, or you comply with the law or demonstrate that you are taking all reasonable measures to do so. Recent cases taken by the authorities against non-compliant businesses, such as in the case of Prudential, might result in a low fine which is less expensive than compliance, but what message does that send to institutional shareholders about the way in which the Board makes its decisions about risk, compliance and governance?

Laux: It is not yet clear whether the new data protection rules in fact will result in a softened framework for personally identifiable information. Regardless, the question is important. Data is an asset, and is the fuel for innovation. Data Protection rules (aiming to protect personally identifiable information) are factors that rather hinder than support innovation.
On the other hand, a democratic society must make sure that my neighbour does not know more about me than myself. Protection for individuals on the data layer is core. Both interests must be taken seriously. Data Protection rules so far have not really added to make the world a better place. Instead, compliance costs increase. Technology can bring some relief, and smart identity management should be made a standard. But on the long run, we will probably need to be prepared that transparency rules spill into our private lives, and make them more public than they are today. Moulsdale: Legislative balance is imperative. While we should strive for perfectly-protected systems, perfection inevitably comes with costs and trade-offs which must be considered, such as privacy, civil liberty, flexibility, cost-effectiveness, operational performance and reduced competition. This is one of the many reasons that both the Cybersecurity Act and the Cyber Intelligence Sharing and Protection Act ( CIS- PA ) failed in the U.S. Congress in It is also why President Obama threatened to veto CISPA when it was re-introduced and passed by the U.S. House of Representatives in April of Have there been any recent regulatory changes or interesting developments in your jurisdiction? Schroeder: The proposed new employee data protection act, which would have required many changes for businesses, is no longer being pursued and it is not expected that a new attempt will be started with the next one to one and a half years. It appears that in the field of data protection, all stakeholders are waiting for the outcome of the negotiations on the new EU data protection regulation. In terms of cyber security, the new proposed EU Directive on Network and Information Security is likely to include new cyber crime prevention measures to be implemented and security incident reporting duties for certain businesses which are considered infrastructure critical. 
However, until now, neither the additional duties nor the affected businesses are clearly defined. Gurkaynak: The cyber security provisions are regulated specifically under Turkish Criminal Code in 2004, along with other provisions in various regulations. Previously, there was no specific provision in this respect. In 2010, Turkey signed the Convention on Cybercrime, but not ratified it yet. Although there are no recent regulatory changes or interesting developments on these provisions, the need for protection in cyber world brought innovation to the correlated legislation. For instance, there is a draft law for data protection under Turkish law that regulates the most significant issues as well as a draft law on e-commerce. The authorised bodies are still working on these regulations and the drafts are expected to be enacted in the near future. Raether: The main issue with data security law compliance remains the same understanding which jurisdictions apply and determining whether those laws apply to the technology or market at issue. A recent example demonstrates the complexity of the analysis. A major airline released a mobile application to assist its customers in booking tickets, online check-in and other travel conveniences. I am certain that the airline consider what laws applied and looked at legal payment requirements, aviation law and laws generally addressed in its market. However, at least according to the California Attorney General, the airline failed to have a privacy policy required by the California Online Privacy Protection Act. The airline was not alone as the California Attorney General sent over 100 letters to companies it felt were not in compliance. Another uncertainty involves the development of the law and anticipating the likely requirements of new legislation an obvious issue when addressing Privacy by Design. For example, the industry is still waiting to see the final modifications to the European Union privacy and data security rules. 
Additionally, it is unclear the effect of President Obama s recent executive order on data sharing will have on private industry. This complexity is compounded by new laws and regulations adopted by emerging market countries. Ultimately, great care must be taken to identify and understand the legal issues. Jay: The topic of cyber security is very high profile at the moment. The European Commission has released a proposed directive on cyber security The timescale for the directive is not yet clear however if and when it is passed and implemented it could have significant effects on business. It would impose legal obligations on market operators to adopt security safeguards applying a risk based approach. Market operators include not just those who provide critical infrastructure but businesses which operate in cyber space including e commerce platforms, social networks, app stores and cloud computing services. This came out in February this year and is part of a wider EU strategy in this area to achieve an open, safe and secure cyber space. In the UK the Government has launched a Cyber Security Information Sharing Partnership (CISP) between government and industry to share intelligence about cyber threats on a voluntary basis. Laux: Nothing particular to report from the side of Swiss case law. Data protection regulations will not be pushed forward at the same speed as abroad. Switzerland remains an interesting market for database providers and internet service providers, and many firms prove they consider settling here. Switzerland s legal framework is quite stable, is far less regulated than other jurisdictions and has comparably little restrictions to principles of free flow of information, all elements that are core for internet service and platform providers. Schrader: We ve seen good progress in the U.S., specifically by the White House, to lay out an approach that sensibly encourages information sharing and the adoption of existing security best practices. 
We were pleased to see private sector feedback reflected in the Executive Order introduced by President Obama a few weeks ago. As I mentioned at a kick-off event at the Department of Commerce last month, to build on this constructive first step, any Congressional action should address important remaining issues such as improving international cooperation to combat cybercrime and liability protection for those who provide and act on shared information. We look forward to working with the Administration and Congress under the new framework to combat cyber security threats. Moulsdale: In February 2013, President Obama issued an Executive Order ( EO ) that directed certain U.S. government agencies to establish processes to rapidly disseminate cyber threat information to targeted U.S. private sector entities, and to share classified reports with certain critical infrastructure entities. The EO also required the National Institute of Standards and Technology to work with private industry to develop and publish a baseline cybersecurity framework to reduce cyber risks to critical infrastructure, and directed the Department of Homeland Security to establish a voluntary program to support adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities. It remains to be seen whether this is the start of a slow march toward legislative action and whether the Cybersecurity Framework will become a de facto minimum cybersecurity standard even for organisations that do not operate or control critical infrastructure. 5. With cyber security becoming an increasing issue in all fields where success depends on both the protection of intellectual property of the product and also the privacy of communications, to what extent does the current legislature safeguard organisations? Gurkaynak: Turkish legislation requires that the organisations take all the necessary protective measures for cyber security. 
There are different regulations to safeguard organisations on protection of intellectual property and privacy of communications under Turkish law. While regulation on data protection in e-communication sector regulates the means and standards to be followed by the operators for the processing, storing and protecting the confidentiality of personal data, the law on intellectual property rights regulates the legal proceedings that the right holder may apply to. Organisations would not be safeguarded unless they prove that they fulfilled all the liabilities imposed on them under the relevant regulations and that they have no negligence. Raether: The harsh reality is the legislature does nothing to safeguard an organisation against the loss of information, as any law is going to be remedial in nature. For intellectual property, the laws provide a means to react to infringement, an often expensive endeavour. For personally identifiable information, the negative consequences of breach can also be a motivator. Cybersecurity requires real-time, persistent protection, the responsibility for which ultimately resides with the organisation. Once the information is gone, it is gone. So, while compliance with the law is always critical, companies need to focus on what they are doing day-to-day to properly safeguard their information from being disclosed in the first place. During the budgeting process, companies need to be honest about the risk, look to the opportunities provided by sound security, and allocate the appropriate resources to data security. Jay: Legislation alone cannot safeguard organisations. It is the organisations themselves that can do that. Legislation can discourage those who seek to breach security or who might do so due to carelessness and it can apply some standards but all the legislation under the sun will be of no avail unless organisations apply it and train their staff to understand the risks of breach. 
So the law does apply some standards, for example standards required of those who process personal data, but of necessity those are expressed in general terms ("adequate security") and have to be applied on the ground by organisations. So legislation can provide a back-up, but its role should not be over-estimated.

Lyons: It doesn't! Legislation and regulation will not protect your business from criminal or state-sponsored groups or individuals who wish to target your business online to steal data. Businesses need to deploy suitable measures to protect themselves and their customers from attacks of this nature. They will not be able to rely on government help except in cases where the business is part of a critical national infrastructure and in a country that has put measures in place to provide that type of assistance.

Laux: Making data an asset: this is the top-priority to-do for enterprises. Ownership in information can be accomplished by controlling access and reuse of the information, combining these two with a right to ask for deletion of information. Swiss statutes mostly follow and implement general principles on access and reuse (but not deletion), but some shortcomings remain. For example:

Access control: Accessing information that is not protected by technical measures is not a criminal act; sometimes, the information owner would wish to see this protected by criminal law.

Reuse control: Sometimes, data held by a company cannot be protected by standard IP laws (copyright, patents). Switzerland, unlike the EU, does not have a database protection scheme; protecting real-time data sometimes cannot be achieved by mere legal measures. This calls for organisational, procedural and technical measures. It should be added that the EU database protection scheme is disputed.

To make data an asset, one will further need to analyse whether third parties can impose restrictions on him who holds the data. On that level, Swiss law provides for a quite comprehensive response, it being noted that the market players, sometimes, would wish to see more balanced provisions.

6. Considering technology is an ever-changing facet, how frequently should a business review their security policies?

Schroeder: There is no standard on how frequently security policies should be reviewed. The necessary security in a company not only depends on the technology available, but also on the need for protection of the processed data and the data to be transmitted. To achieve an adequate security level in a company, a security process is required. This security process consists of, inter alia, security creation procedures, approval procedures and security audit procedures. Company security is a continuous life cycle, as the security process begins with the creation of security measures and continues with the approval of management for these measures, security audits, suggestions for company security which have to be approved, and so forth.

Gurkaynak: It is not possible for governments to enact new laws in a way that catches up with technological developments. Therefore the protection provided by the legislation will always follow technological developments far behind. However, under Turkish laws, judges are entitled to fill the legal gaps by using their discretionary power. Therefore, even if the legislation is not side by side with the technology, the technological investments for companies in providing cyber security are a necessity. Considering how fast technology develops, it is recommended that companies closely follow up on the latest status, and update their defence software very often to protect themselves from cyber-attacks and possible third party claims.
Raether: An effective security program is a collective effort that must combine strong technology with sound and tested practices. You are only as strong as your weakest link. In the case of security that is often your employees. Having strong perimeter security (e.g., firewalls) will not protect you from the employee who uses a common password, downloads applications or clicks on unknown hyperlinks that enable malware. We have recently seen employees providing passwords to callers pretending to be affiliated with the company, only to realise the caller is a criminal who uses that password to steal data from the company. Employees must be invested in the importance of good security practices. Likewise, a good program is essential when responding to an incident. Being unprepared, lacking an incident response plan, can have costly and disastrous consequences. To be effective all these pieces need to work in unison. As the business changes so too do these pieces. Thus, at a minimum the policies should be reviewed yearly as well as every time there is a change in the business.

Lyons: Annually, and tactically in response to major new outbreaks of malicious software. Clearly, if a business has experienced a successfully targeted attack or intrusion, it should review its security policies immediately as part of the post-attack remedial action.

Laux: Legal policies (text), if established, may do some good, and can be there probably for quite an extended period. Technical and organisational policies (security routines, sometimes also referred to as policies) must at all times be up to date. There is not a specific threshold one can give as an answer; rather: a company not keeping track of security issues arising is negligent. Monitoring is key.

Schrader: Cybercriminals work around the clock to improve their attacks. As a result, the technologies and strategies to combat cyber threats are adapting quickly too.
This has made it ever more important for companies to regularly review their security policies and ensure they keep up to date with the latest security best practices and evolving legal compliance requirements.

Moulsdale: From a business risk perspective, it seems logical that security policy reviews should reasonably track the pace of applicable technology change. And some state-level data security laws (such as in Maryland) support that logic by imposing a general duty to implement and maintain reasonable security procedures and practices that are appropriate to the nature of underlying personally identifiable information, and the nature and size of a business and its operations. But the strictest state laws (such as in Massachusetts) demand, at a minimum, annual policy reviews and regular monitoring of data security. The latter standard is perhaps more consistent with certain sector-specific U.S. federal laws, such as HIPAA, which require that periodic evaluations be performed in response to environmental or operational changes that affect security, and that ongoing evaluations should be performed on a scheduled basis.

7. Given the emphatic rise and heavy reliance upon Cloud Computing, is it really safe?

Schroeder: In many services offered in the cloud, the security level is actually higher than the one realised within some companies, particularly in the SME sector. For small companies, the security level depends on the available budget. In such cases it is possible that the implemented security level is inadequate. In the cloud, service providers must offer a high security level because their products would otherwise not be saleable. Availabilities of 99.99% are the rule rather than the exception. Of course, it is necessary to examine each individual case. In addition, it must be carefully assessed to what extent business-sensitive data should be handed over to a third party.
Gurkaynak: Cloud computing is a very user-friendly system, since it enables users to access their documents and contents anywhere without carrying their computers. The companies providing cloud computing services are among the world's largest technology companies. Therefore, it is highly likely that the hard drives where the user contents are stored are protected with the latest technology. Although there is always a risk in terms of cyber security, from a technological protection point of view, storing the contents on your own computer might not be safer than storing them in the cloud. On the other hand, storing the content in a cloud environment means that you submit this content to the service provider, which we believe may lead to further arguments on safety.

Raether: Cloud computing has dramatically changed the dynamics of data security. It may be possible for companies to merge their resources to provide better security for a shared application or network architecture, although the user access settings and database architectural issues become more critical. President Obama's recent executive order on data sharing might be more effective in the cloud model, as companies may be less concerned about competitive disadvantages or loss of control. Although again, keeping the data of multiple companies at a single point increases vulnerability, as a cloud service may be a more attractive target for hackers. To be certain, a company considering cloud computing needs to carefully vet its service providers and carefully consider the question of what data leaves the safety of its environs.

Jay: We have to distinguish here between technical safety and legal safety. There are real legal challenges in using cloud where there is personal data being processed. The data protection laws require the data owner to know whether the data are inside or outside the EEA and in fact to know where the data are stored. This is very difficult with cloud.
If there is a data loss the owner will remain legally responsible for the data. So cloud poses a legal risk. The level of that risk will depend on the cloud service and the data being dealt with. There is no absolute answer as to whether it is safe. Some cloud is safe for some data, depending on the facts and the arrangements. The message is to analyse what you are buying with a cloud service: where will the data be? What kind of data are you entrusting to the cloud? We are back to informed risk assessment here.

Lyons: No. But what does "really safe" mean? Not many businesses can declare themselves impervious to cyber attacks and intrusions. So it's a matter of getting the balance right between risk mitigation and expenditure on security measures. The Cloud represents additional risk factors. It is for businesses to decide upon their risk appetite versus the cost of operations and to take into account the type of data that they wish to store in the cloud or services they wish to deploy to that external environment.

Laux: Hosting data on a server is probably more secure than if applications and data are still operated on local devices, provided the host operator applies appropriate security measures. This is a question of choosing the right provider. Thus, cloud solutions can be made safe. However, it should be noted that Cloud often results in rich collections of data, which makes them an attractive target to intruders. Tremendous efforts will need to be taken, on a permanent basis, to give attackers a hard time.

Moulsdale: Just as no network is really safe, whether the cloud is a safe option for an organisation is a relative question that depends on the other options that are affordably available to the organisation.
For example, for a small or otherwise cash-strapped entity in a relatively unregulated sector that cannot afford to purchase, implement, maintain, upgrade and monitor its own data security systems, a cloud computing solution offered by a larger, more technologically sophisticated and better-financed organisation may in fact be a safer option. But, for an entity that has specific, high-level requirements due to the nature and sensitivity of the data stored or systems controlled by the entity, a broad-based cloud computing solution may offer less security, or security which is not sufficient for regulatory compliance purposes. In any event, before relying on a cloud service, every organisation should ensure that the cloud vendor has employed data security and procedures which sufficiently meet the organisation's minimum legal requirements. For example, some laws, such as HIPAA and some U.S. state data security laws, impose minimum security standards by contract.

8. How troublesome has the internet proved in the fight against copyright breach in the entertainment and media sector, particularly with regards to the music and film industry?

Gurkaynak: Fighting against the internet is like fighting against windmills. It is neither possible to control each and every item of content that is being broadcast, nor to prevent the spreading of copyrighted content online. Even a single internet user may broadcast a great amount of content by using very simple software. This situation, needless to say, leads to many problems for both the right holders and the service providers in many aspects. As for the film and music industry, peer-to-peer downloading and online watching websites in particular enable users to exchange, watch and listen to copyrighted contents, such as movies and music files. Even initiating legal proceedings against or banning access to these websites does not prevent the infringement, as the same content may pop up under a different URL in a very short period of time.
Raether: The Internet has obviously made the physical act of breaching copyright (and trademark) much easier to accomplish, but has also made it easier to detect violations. However, as is often the case with the balancing of privacy and security, the technology is not the culprit. Rather, it is the policy around the technology or its use that is the issue. First, copyright owners need to develop policies and procedures to protect their work before they ever place the work online. This includes administrative controls (policies, terms of use) and technological controls (preventing downloading or copying). Secondly, in the absence of efficient legislative control (some are currently being considered) the burden is on the copyright owner to proactively educate the user or web site viewer on the copyright holder's rights and the law. There is a huge gap in the average Internet user's understanding of intellectual property rights, as evidenced in the Stop Online Piracy Act (SOPA) debate here in the U.S. Technology also enables copyright holders to monitor the use of their intellectual property. When there has been infringement, the copyright holder needs to be aggressive and protect their works.

Laux: Enforcement on the internet meets significant hurdles, actually resulting in quite some uneasiness on either side: media producers (including authors), and media users. Swiss law provides for some flexible provisions, and copyright law is under review these days. In 2013, stakeholders of the copyright market meet on various occasions in order to find solutions suitable to resolve the most pressing questions.

9. How can you help a business track down and cease a fraudulent action or an active breach of copyright when the offender is operating from a different jurisdiction?

Gurkaynak: Online content is basically accessible throughout the world, and content broadcast in the United States may violate the rights of a person in Turkey. In this respect, rather than working on company-based remedies, countries shall first recognise common rules to apply. For example, copyright is recognised by a wide range of countries and in practice, to the extent the complainant proves he is the right owner, the infringing content is removed from broadcast. As for criminal proceedings, the procedures under international agreements shall be followed. Therefore, the suffering party may request removal of content, or apply to the legal remedies regulated under the offender's jurisdiction, or apply to international agreements.

Jay: This is another big question. The EU cyber security agenda recognises the threats posed by cyber crime. There are a number of legal initiatives in this area also aimed at making it more difficult for criminals to operate in cyber space, but there are real challenges here. Often the perpetrators are professionals. The first question of tracking down the perpetrator will depend on how far he/she has gone to cover their tracks. This is a question for the investigators rather than the lawyers, but if for example proxy IP addresses have been used this may prove a challenge. It may be difficult to get to the actual location of the perpetrator. Once you find the location and the machine you may be able to use local investigators to pinpoint an identified person or business, but that can be a challenge in some countries. Once you have found that person the question of whether you can enforce will depend on whether you want to use criminal law or take civil action.
In most countries only the state can prosecute for criminal matters, so the question will be in the hands of the authorities where the perpetrator is located. However, some crimes which have an effect in another country can be prosecuted in that country, so you may be able to bring a prosecution in the UK. In order to obtain evidence, agreements on mutual legal assistance may come into play. There are mutual legal assistance agreements in force between many countries. If the offender is in the EU you should be able to get assistance from the other EU country's police, but the timescales can be variable. However, to make a person stand charge you have to extradite them, and that is another challenge. Really, to prosecute an overseas fraudster, you need the resources of the state. Realistically the question of whether there can be a prosecution may well depend on the local jurisdiction from which the person is operating. If it is a civil case you can bring proceedings in the other country, but of course your success may depend on how reliable the legal system is in that country. You may also be able to bring proceedings in your own country, but even if you succeed you may not be able to recover any damages. International cooperation in this area is increasing but challenges remain.

Lyons: It depends upon the jurisdiction and, more practically, on the degree of criminal behaviour. Reporting the crime to your local police agency will not get much traction unless it represents a significant level of financial harm or is part of a wider, major conspiracy. Industry bodies working on behalf of their members have a much better chance of getting law enforcement involved in the relevant jurisdiction, particularly if they have assembled evidence well from a number of member victim businesses.

Laux: Legal enforcement abroad often turns out too costly. It is almost impossible to take the official enforcement route and remain within a reasonable budget.
In many instances, turning to the provider's copyright notice-and-takedown desk, or to the infringed trademark desk, is a more promising approach than lodging a court case. Larger providers are prepared to react accordingly, and have already implemented technology to help rights owners pursue their legitimate interests. Collecting societies will likely need to enhance endeavours on that level, and invest in IT systems, to improve their ability to manage copyright infringements.

Moulsdale: Tracking down and enforcing against sophisticated perpetrators of digital fraud is difficult even under the best of circumstances. When the offender is in a foreign country, that difficulty becomes magnified due to a combination of factors, such as heightened costs, political considerations, conflicting privacy and security rights and laws, overburdened law enforcement and the need for cross-border law enforcement cooperation. As a result, some organisations are pursuing novel and cutting-edge claims in civil court. For example, in a series of cases where apparent non-USA offenders used USA-based command and control servers to spread malware, Microsoft has used federal civil courts to seize those servers. In one such case involving the spread of keystroke-logging malware, Microsoft teamed up with NACHA and FS-ISAC to bring a first-of-its-kind civil racketeering claim in New York against 40 John Doe offenders believed to be in Russia or Eastern Europe (

10. Losing or damaging devices with important data is a frequent occurrence in the business world, but what forms of damage limitation strategies can be put into place?

Schroeder: For data storage, a data protection approach including a contingency plan is essential. The focus must be on the data protection requirements needed in a company, and the security measures implemented should be viewed as a means of achieving and protecting those requirements.
In both of these concepts, all necessary measures for the protection against loss of critical data should be developed. These concepts should be part of a company-wide security policy. In addition, emergency exercises must be set up and practised regularly. To make the results of the emergency exercises comparable and comprehensible, legally compliant documentation is essential.

Raether: Companies can learn from our prior experience in responding to breaches. There are two main lessons. First, we need to address the obvious to avoid incidents. Encrypt sensitive data, including passwords. Have a poison pill or other means to wipe the lost device. The negative effect of numerous incidents involving lost laptops, flash drives and other mobile devices could have been avoided. Likewise, improve employee training; test them, and retain those training records. In one recent incident, a helpdesk employee provided an administrator ID and password to a caller who he thought was the company's CIO; this should never happen. Second, we need to improve our communication strategies following an incident. Each incident requires a unique plan. I have seen clients overreact and create a story and drive attention. I also have seen companies not take the incident seriously and then have to explain the lack of a timely or complete response. Both approaches can have disastrous consequences in the form of harm to goodwill and unnecessary attention from regulators and class counsel.

Laux: The IT sector has come up with technical means (password protections, remote wipes for devices) to limit the risk exposure that comes hand in hand with the increased mobility of personnel. If information is stored on the server side (remote desktops, combined with session timeouts, etc.) help to increase those risks. Thus, cloud computing can contribute to organisational IT security.

11. What procedure should a firm take when outsourcing or contracting work which contains important data and security, be it hosting their website or obtaining passwords to secured information?

Schroeder: In a first step, the company should conduct a thorough analysis of its own business needs before approaching vendors. This rather simple exercise is often overlooked or not properly conducted, and thus businesses often purchase services which do not fit their needs. In a second step, if important data is concerned, the business should run a risk analysis to see how it can handle (i) temporary non-availability or (ii) theft by third parties. In addition, a data protection compliance check should be made in case the processing of personal data is to be outsourced. Depending on the outcome of these assessments, reputable service providers should be asked to submit offers with detailed service descriptions including very clear information on (i) availability warranties and (ii) implemented security concepts. If all information provided is acceptable and if the draft terms and conditions reflect the promises and are fairly balanced, one may enter into negotiations.

Raether: Companies are not giving this area enough attention, often focusing more on the terms of the agreement than actual performance. Security becomes more complicated any time you add more parties and transfer points. For healthcare in the U.S., these issues take on greater importance following the recent final rules on HIPAA. There are more opportunities for things to break. Logistics, accountability and compliance increase in complexity exponentially when you add another company. Initially, the laws and regulations at issue might change. A practice permitted for an internal transfer might be prohibited only because it has been outsourced.
Outsourcing agreements are still important and need to address ownership of the data and responsibilities for data security, limitations on data usage, and roles in the event of an incident. Two key provisions often overlooked are: the requirement of proof of insurance; and the inclusion of security metrics and audit rights for the information provider in service level agreements. One of the more interesting current issues is outsourcing software development or firmware production and the risk of the third party embedding malware in the code or device. The threat of nation-sponsored attacks or corporate espionage may impede cross-border transfers, and outweigh short-term cost savings, as much as the law.

Jay: There are two sides to this again: the legal and the practical. There are legal obligations to put in place contracts where a firm is outsourcing the processing of personal data. But any legal safeguards should reflect the risks to the business, so some contracts need to impose far more stringent provisions on security than others. The security you require has to match the risk. But a contract is not enough - you need a practical approach to choose a provider who can show that their security meets your requirements. You need to make sure that they can deliver to the standards required and you need to retain rights to inspect and to be told if there are any breaches. You need to use these rights so the provider realises that you really do take security seriously.

Lyons: Remember that reputation cannot be outsourced. If a third party loses your data or suffers a breach, it is your business that will suffer both adverse reputational impact and potentially a fine from the relevant regulator(s). So put in place a good contract, conduct an audit of the supplier before signing, obtain references of existing satisfied clients and talk to them about the relationship they have with your prospective supplier.
Finally, get them to agree to no-notice inspections of their facilities, staff and operations. If they will not agree to that, look elsewhere!

Laux: An enterprise wishing to entrust a service provider with the processing of its information remains responsible for what happens with the information it hands over to the service provider. Thus, the enterprise must make sure it knows about the legal qualifications attached to that information. The nature of the data determines the rules that apply: personally identifiable information, entire profiles of persons, anonymised data, confidential data describing a bank customer or the attorney's client, a business secret or just information of a certain value, such as market data; all of them are subject to different sets of regulation. The following steps follow almost naturally: inviting the most suitable providers, performing a due diligence, and then choosing the most appropriate provider, based on effective contractual measures. And: never wait too long to bring your lawyer to the table, a really important recommendation. Otherwise, you risk last-minute changes, or even a deal-breaker shortly before signing the deal.

Schrader: Specialist data contractors should have developed an expertise greater than that of their clients. But even in run-of-the-mill outsourcing, price cannot be your most important contractual term. Data security needs to be an important contractual focus, including in service provider agreements, as well as agreements governing the processing, transmission and storage of information. Over the past several years, companies have gained an even greater appreciation of the importance of maintaining fulsome data security controls, including avoiding the costs of security breach incidents, addressing reputational risk, protecting proprietary information from competitors and avoiding resulting financial exposure, and ensuring that contractors adhere to high security standards should be an important component as well.

12. To what extent are internal risks as dangerous as external risks?

Schroeder: Experience has shown that external risks are given considerably more attention than internal ones. Companies often invest more in external security measures to protect against external threats. Such can be evidenced by the often more reliable technical measures which are implemented against external threats. Internal threats include, inter alia, the employees themselves. Employees enjoy a measure of trust which is, in some cases, not justified. This does not always mean fraud. Unintentional misuse and ignorance may more often be the cause. Regular training and security audits would generally be the approach to take in response to these internal threats.

Raether: I define internal risks to include not only the criminal employee, but also the careless employee. As such, internal risks can far exceed the threat from hacking or brute force attacks, at least in terms of the initial unlawful entry. There is a key difference, however. Criminal employees often are not as sophisticated as external criminals. As a result, the scope of the breach, what the criminal does once behind the wall, may be different. Employees may not take as much data or the most valuable data. Since employees are already behind the firewall, companies must develop other lines of defence. Access management and privilege restrictions are a good start. These practices also help defend against external threats. If an employee compromises a password, then less damage can be done. More needs to be done, however. Training, monitoring and audits of employees that have access to sensitive information are key.

Jay: Your legal obligations are to ensure security against both internal and external threats.
If you look at one of the few places where we see fairly detailed reports of types of security breaches (the Information Commissioner's website, where he publishes the fines he has imposed for breaches of security) you will see most of them are internal and caused by human error/failure. This is interesting because of course businesses are notoriously tight-lipped about security breaches unless they absolutely have to disclose them. The list of the penalty notices served by the Commissioner is one of the few places that security breaches are exposed. Internal risks are often overlooked but may well cause more data loss or breach than external threats.

Lyons: Equally so. The most flagrant breaches of security are often perpetrated by employees who have legitimate, authorised access to your company data. Insiders in the employ of external actors represent a significant threat to all businesses that hold sensitive and customer data. Employees who are disgruntled or feel unhappy because they have been made redundant or passed over for promotion can also represent a threat should they have access to company data. Businesses need to understand the risk that employees present to their business operations and must put suitable measures in place to counter identified threats, one of which might be to monitor unusual access activities on the part of employees.

Laux: To a very important extent. IT security increasingly needs to rely on data analytics to detect security threats from within the organisation.

Schrader: Internal factors can pose a greater risk to a company's information than external factors. Companies must take precautions against both inadvertent and intentional breaches and/or disclosures of information by their own employees, contractors and vendors.
It is important for a company to establish meaningful access controls designed to limit its employee (and service provider) access to the company's information based on the need to know to perform relevant job duties, or to provide the relevant services. In addition to technological protections, a company should consider the use of confidentiality and non-disclosure agreements with employees, as well as employee training.

Moulsdale: While external hacking is currently the single largest source of data security breaches, risks related to internal controls and processes essentially account for the remaining sources of data breach risks. For example, an organisation could employ the world's most secure systems and devices to protect its data, but if it then fails to routinely engage in background checks when hiring employees or subcontractors with access to those systems, it may inadvertently hire a fox to watch the hen house. Likewise, an organisation that fails to provide effective and routine data security training raises its risk and liability profile by making itself more susceptible to such internal risks as employee error and negligence, accidental data exposure and lost media, such as when an employee takes data home on an unencrypted thumb drive and loses the drive. I remember the universe of internal and external data risks by the acronym DASHIE, which stands for Data on the move, Accidental exposure, Subcontractors, Hackers, Insider theft and Employee error/negligence. Those categories are tracked by the Identity Theft Resource Center (

13. How effective is an intelligence-based sharing strategy such as the RSA Juniper model?

Laux: Probably, the question should be framed so as to ask for intelligence-based strategies. Intelligence-based strategies are very much in the focus. Data analytics help understand current threats. Pooling information generally is never a bad thing for those controlling the information.
However, information pools obviously can affect the market, opening up a variety of new issues. Further, providers controlling such information may themselves become targets for attack, as the example of the Spamhaus Project (headquartered in Geneva, Switzerland) evidences. In fact, that is the central role of the various Information Sharing and Analysis Centers or ISACs that represent their respective U.S. sectors. For example, the ISAC for the U.S. financial services sector ( FS-ISAC ) has established a system that enables member financial institutions to share critical physical and cyber threat information on a timely, but anonymous, basis. While shared data is anonymised to protect the financial institution contributor and any underlying personally identifiable information, some question whether anonymisation reduces the effectiveness of shared data and argue in favour of legislation that better enables the sharing of cyber threat data that includes personal information, provided that such personal information is protected from unauthorised use outside of that context. 14. What trends are you seeing in security breaches within specific sectors? Raether: Financial information will always be a prime target. We are seeing a recycling of attacks and the ingenuity of the criminals in the space to further enhance these attacks and develop new schemes. For example, the recent Barnes & Noble breach that involved the manipulation of the Pin Pad reader at the point-of-sale. We saw this attack 4-5 years earlier and are seeing it again but in new ways. Then the criminal would leave behind a piece of firmware and later return to collect the payment information. Now, criminals are finding a software vulnerability in a single device at a single store and then replicating that across the organisation. This technique is a much easier way to steal a great deal of data. Similarly, the theft of passwords at Yahoo and LinkedIn reveal another trend. 
Criminals are willing to build a scheme based on taking several steps. At Yahoo and LinkedIn clear text passwords were stolen. Knowing that most consumers use the same password across platforms, the criminals could use these passwords to attempt access to online bank accounts. Laux: Severe security breaches more and more tend to come from within the organisation. If an attack is coming from the outside, the intensity and size of the attack is reaching new spheres. Organisations sometimes need to turn to dedicated providers to help them channel severe and massive attacks, like distributed denial of service attacks (DDoS). 15. In an ideal world what would you like to see implemented or changed in the coming year? Gurkaynak: Common understanding that internet is not a different version of newspaper; a legislation that answers the needs more efficiently; countries agreeing on a common way of taking action at least in terms of the infringements that stand for the same meaning in all countries, such as copyright infringements; conscious internet users who are aware that a crime in real life is also a crime on the internet would be a big step for an ideal world. Raether: I would like boards and management teams to realise the importance of data security in the broadest terms. Data security is seen as a cost centre. As a result, many boards have not made security a priority until compelled to do so. This pressure often comes from an incident, regulators, or a knowledgeable board member. On this last point, it our responsibility to educate the board on the importance of security and the financial implications of an incident. Avoiding the costs of an incident can be as important to the bottom line as improving revenue. Additionally, it is important for us to educate the board on how strong security and regulatory compliance can improve revenue by being a market differentiator. Jay: It would be very helpful to see continuing international cooperation in tackling fraud. 
It would be good to see companies carrying out more checks to stop fraudsters before they can take advantage. Organisations like CIFAS do great work there but there can be a tradeoff between maximising sales and accepting some level of fraud as inevitable. I d like to see a zero tolerance of any kind of fraud marker. Not to refuse to trade with the person but to really make sure that they are who they claim to be before entering into an agreement. And finally I d like to see the Government accept Lord Leveson s recommendation and finally bring in that custodial penalty for breach of section 55 of the Data Protection Act. Laux: On a regulatory level: Nothing, actually. Regulations should not be made except if there is a clear indication the free market is not able to find adequate solutions to a problem. The upcoming years will bring a massive load of innovation. The market will make increased use of the opportunities that are offered by the cloud. Datasets will be made public on a more routine level, opening the route for innovative solutions for dedicated needs. Linked data will be a key topic of the next years, paving the grounds for an internet of things. I am very much looking forward to that. Schrader: Cybersecurity is a complex issue that will not be solved with singular, simple measures. However, there are incremental steps we can take that will move us forward. One of them is bringing cyber threat intelligence out from behind closed curtains, working with lawmakers to create a responsible, workable framework where government and corporations can freely share what they know, while preserving protections for consumer privacy. Dialogue between the private and public sector has been taking place on this issue. Collaboration and partnership must continue if we are to be successful in staying ahead of cyber threats. Moulsdale: In a truly ideal world, I d like to see everyone follow the Golden Rule. 
But, in a merely ideal political world, I d like to see legislatures put more responsibility on ISPs and others who control the internet backbone to better monitor and stop fraudulent and intentionally hurtful behaviours, such as the use of domain names in malware campaigns and DDOS attacks, before their perpetrators have a chance to defraud innocent people and organisations. At the same time, I d like to see those legislatures build in safeguards that protect civil liberties. Moulsdale: Formalised sharing in at-risk sectors is proving to be an important component of a broad information security program.


PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial

More information

Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au

Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au Cyber threat intelligence and the lessons from law enforcement kpmg.com.au Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many organisations

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

Understanding the Legal Risks of Cloud Computing. Navigating the Network Security and Data Privacy Issues Associated with Cloud Services

Understanding the Legal Risks of Cloud Computing. Navigating the Network Security and Data Privacy Issues Associated with Cloud Services Understanding the Legal Risks of Cloud Computing Navigating the Network Security and Data Privacy Issues Associated with Cloud Services 2012 Thomson Reuters/Aspatore All rights reserved. Printed in the

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

The UK cyber security strategy: Landscape review. Cross-government

The UK cyber security strategy: Landscape review. Cross-government REPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 890 SESSION 2012-13 12 FEBRUARY 2013 Cross-government The UK cyber security strategy: Landscape review 4 Key facts The UK cyber security strategy: Landscape

More information

Keynote. Professor Russ Davis Chairperson IC4MF & Work Shop Coordinator for Coordinator for Technology, Innovation and Exploitation.

Keynote. Professor Russ Davis Chairperson IC4MF & Work Shop Coordinator for Coordinator for Technology, Innovation and Exploitation. Keynote Professor Russ Davis Chairperson IC4MF & Work Shop Coordinator for Coordinator for Technology, Innovation and Exploitation 6 & 7 Nov 2013 So many of us now don t just work online but live part

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Cyber Risks in Italian market

Cyber Risks in Italian market Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends

More information

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for

More information

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015 Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated

More information

Mark Corcoran interviews Timothy Pilgrim Australian Privacy Commissioner.

Mark Corcoran interviews Timothy Pilgrim Australian Privacy Commissioner. 1 Foreign Correspondent. Mark Corcoran interviews Timothy Pilgrim Australian Privacy Commissioner. Q What s your perspective on the significance of this emerging technology, UAV or drone technology, as

More information

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts CYBER SECURITY ADVISORY SERVICES Governance Risk & Compliance Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts The Financial Services Industry at Crossroads: Where to From Here? WELCOME What

More information

PCI White Paper Series. Compliance driven security

PCI White Paper Series. Compliance driven security PCI White Paper Series Compliance driven security Table of contents Compliance driven security... 3 The threat... 3 The solution... 3 Why comply?... 3 The threat... 3 Benefits... 3 Efficiencies... 4 Meeting

More information

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28),

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28), Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28), General appreciation of the issues of information security Information

More information

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Surviving the Era of Hack Attacks Cyber Security on a Global Scale

Surviving the Era of Hack Attacks Cyber Security on a Global Scale Surviving the Era of Hack Attacks Cyber Security on a Global Scale Dr. Adriana Sanford ASU Lincoln Professor of Global Corporate Compliance and Ethics Clinical Associate Professor of Law and Ethics This

More information