Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

Similar documents
Government Focus on Cybersecurity Elevates Data Breach Legislation. by Experian Government Relations and Experian Data Breach Resolution

When Can We Expect a Federal Data Breach Notification Law?

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

CYBER SECURITY A L E G A L P E R S P E C T I V E

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

No. 33 February 19, The President

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

CRISIS MANAGEMENT AND FIRST AID: WHEN GOVERNMENT CONTRACTORS ARE THE HEADLINERS WELCOME

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor

MEMORANDUM MEMBERS OF THE SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

Recent Data Security Developments for Government Contractors

What The OMB Cybersecurity Proposal Does And Doesn't Do

Data Privacy & Security in the Cloud: Legal Basics and New Developments

Cyber Legislation & Policy Developments 2014

I. U.S. Government Privacy Laws

114 th Congress March, Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS

Department of Defense DIRECTIVE

S. ll IN THE SENATE OF THE UNITED STATES A BILL

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

Changing Legal Landscape in Cybersecurity: Implications for Business

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Billing Code: 3510-EA

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

September 10, Dear Administrator Scott:

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Privacy Issues Airports

Washington Update: The Feds Impact Cybersecurity Without Passing Major New Laws

September 28, MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President

NSA Data Collection and its Impact on Cloud and Outsourcing and Recent Privacy and Security Developments on Capitol Hill

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

What are you trying to secure against Cyber Attack?

Clients Legal Needs in HIPAA Security Compliance

Trends in Data Breach and CybersecurityRegulation, Legislation and Litigation. Part I

DIVISION N CYBERSECURITY ACT OF 2015

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Signed into law on February 17, 2009, the Stimulus Package known

In This Issue: Finance & Legal Edition. Voice. Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry

Preventing And Dealing With Cyber Attacks And Data Breaches. Arnold & Porter LLP Lockheed Martin WMACCA February 12, 2014

February Introduction

Mind Your Business: Privacy, Data Security & Regulatory Compliance Best Practices & Guidance

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

How To Pass Cybersecurity Legislation

ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

Summary of Privacy and Data Security Bills- 112 th Congress. Prepared for September 15, 2011 CT Privacy Forum

Cybersecurity and Information Sharing: Comparison of H.R and H.R. 1731

How to get from laws to technical requirements

Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

DIVISION N CYBERSECURITY ACT OF 2015

CDT ISSUE BRIEF ON FEDERAL DATA BREACH NOTIFICATION LEGISLATION

Data Security. Updated April, CCIM Institute 430 N. Michigan Avenue Chicago, IL (312)

Privacy and Data Security Update for Defense Contractors

Perspectives on Cybersecurity and Its Legal Implications

How To Protect Your Cybersecurity From Cyber Incidents

Briefing Outline. Overview of the CUI Program. CUI and IT Implementation

BBB Wise Giving Alliance & The International Committee of Fundraising Organizations Advancing Trust in the Charitable Sector Federal Trade

Jefferson Glassie, FASAE Whiteford, Taylor & Preston

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

Public Law th Congress An Act

Cyber Risks in the Boardroom

PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION. Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Conducting due diligence and managing cybersecurity in medical technology investments

Summary of Social Security Account Number Privacy Legislation Under Active Consideration in House and Senate (as of Sept. 5, 2007)

Legislative Language

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

Data Breach and Senior Living Communities May 29, 2015

NATIONAL CYBERSECURITY PROTECTION ACT OF 2014

Preservation of longstanding, roles and missions of civilian and intelligence agencies

The Department of Homeland Security The Department of Justice

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

Privacy Law Basics and Best Practices

Department of Defense DIRECTIVE

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

Corporate Perspectives On Cybersecurity: A Survey Of Execs

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

The Legal Pitfalls of Failing to Develop Secure Cloud Services

The National Security Act of A Review

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

S AN ACT. To codify an existing operations center for cybersecurity.

Logging In: Auditing Cybersecurity in an Unsecure World

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DA&M 01, entitled Civil

Data Breach Response Basic Principles Under U.S. State and Federal Law. ABA Litigation Section Core Knowledge January

Health Insurance Exchange/Marketplace Privacy and Security Issues

Legislative Language. Law Enforcement Provisions Related to Computer Security

SUMMARY: The Defense Health Agency proposes to alter an. existing system of records, EDTMA 02, entitled "Medical/Dental

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

One Hundred Thirteenth Congress of the United States of America

Transcription:

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues Todd Bertoson Daniel Gibb Erin Sheppard Principal Senior Managing Associate Counsel todd.bertoson@dentons.com daniel.gibb@dentons.com erin.sheppard@dentons.com +1 202 408 5395 +1 202 408 3938 +1 202 496 7533

Legislative activity on cybersecurity: Will Congress pass information sharing legislation? Legislation enacted over the past two Congresses has been largely noncontroversial. More than 20 bills have been introduced this Congress to address a number of cybersecurity issues. Information-sharing legislation is seen by industry and many security experts as the most important tool to improve cybersecurity. The House passed information sharing legislation, H.R. 1560 and H.R. 1731, in April 2015. However, the companion legislation in the Senate, S. 754, remains stalled. These bills provide for incentives for companies to share threat information with each other and the federal government. Provisions granting antitrust exemptions and liability protections for companies remain controversial. Privacy protections are not adequate for many civil liberty advocates. 2

Administration activity to enhance cybersecurity practices Cybersecurity Executive Order 13636 (February 12, 2013) Tasked the National Institute of Standards and Technology with developing a voluntary cybersecurity framework for critical infrastructure. Required sector-specific agencies and the Department of Homeland Security (DHS) to identify critical infrastructure. Required regulatory agencies to determine the adequacy of current requirements and their authority to new establish requirements to address the risks. Cybersecurity Executive Order 13691 (February 12, 2015) Calls for establishing new information sharing and analysis organizations to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. Presidential Memorandum - Establishment of the Cyber Threat Intelligence Integration Center (CTIIC) (February 25, 2015) The CTIIC is a national intelligence center focused on connecting the dots regarding malicious foreign cyber threats to the nation and cyber incidents affecting US national interests, and on providing all-source analysis of threats to US policymakers. 3

Legislative activity on data breach: Will Congress pass federal data breach legislation? 4

Will 2015 be the year for a federal data security bill? More than 50 federal data security bills have been introduced since 2005, and not one has made it to the Rose Garden, leaving a patchwork of state laws in effect. On April 15, the House Energy and Commerce Committee passed a comprehensive data security bill the Data Security and Breach Notification Act of 2015 on a party-line vote. Sponsored by Rep. Blackburn (R-TN) and co-sponsored by Reps. Welch (D- VT), Burgess (R-TX) and Loebsack (R-IA) During the mark-up, Rep. Welch ultimately voted against the bill, exposing ongoing party tensions The bill requires entities that collect and maintain personal information of individuals to secure that information and provide notice to the individual should a breach of security occur. Key elements of the bill include: Requires companies to use reasonable security measures to protect an individual s personal information. Defines "personal information" to include: An individual's first and last name, or first initial and last name and a government-issued ID number An individual s first and last name, or first initial and last name and any two of the following: home address or telephone number; mother s maiden name; or date of birth Financial account number or debit card number, a full Social Security number, and another unique account identifiers 5

Will 2015 be the year for a federal data security bill? (cont.) Key elements of the bill include: Requires companies to notify affected individuals within 30 days, unless there is no reasonable risk that breach has resulted in, or will result in, identity theft, economic harm or financial fraud Provides for enforcement by the Federal Trade Commission (FTC) and state attorneys general, and subject to civil penalties Preempts state data security and breach notification laws Main sticking point: Does the bill exempt a company from liability under state common law? Senate Commerce Committee Ranking Member Nelson (D-FL) introduced S.177 in January 2015, which also requires companies to implement security policies for the treatment and protection of personal information and establishes procedures to be followed in the event of a breach. Senate Commerce Committee Chairman Thune (R-SD) is prepping his own draft data breach notification and data security bill but the path forward remains unclear. 6

Administrative action on data breach: FTC on the beat 7

FTC on the beat Since 2001, the FTC has taken enforcement action in more than 50 data security cases. Section 5 prohibition against "unfair or deceptive practices" may apply where a business has made false or misleading claims about its data security procedures, or failed to employ reasonable security measures and, as a result, causes or is likely to cause substantial consumer injury. Other federal statutes include the FTC's Safeguards Rule, the Fair Credit Reporting Act and the Children's Online Privacy Protection Act. FTC v. Wyndham Worldwide Corp. et al. 8

Cybersecurity requirements applicable to federal contractors Absent comprehensive cybersecurity legislation, there remains a patchwork of obligations applicable to government contractors. Federal Information Security Management Act (FISMA) (44 U.S.C. 3551-58) HIPAA (42 U.S.C. 1320d-2(d)) Privacy Act (5 U.S.C. 552a) Agency-specific security laws (e.g., NDAA 941) Individual agencies have also enacted their own cybersecurity and/or information security regulatory requirements. DOD, GSA, DHS, NASA Each vary in terms of what standards they reference and what requirements they impose (e.g., NIST vs. internal policy; security controls; audits; incident response plans; training requirements) 9

Cybersecurity requirements applicable to federal contractors Cybersecurity Executive Order 13636 (Feb. 19, 2013) Required GSA and DOD to craft a report on feasibility, benefits and merits of incorporating security standards into acquisitions. Report was to address steps for harmonization and consistency in cybersecurity procurement requirements. So far in 2015 we have seen a trend toward greater uniformity in required controls and reporting obligations across procuring agencies, yet there has been no government wide rule-making. NIST SP 800-171 OMB guidance 10

Cybersecurity requirements applicable to federal contractors Defense Federal Acquisition Supplement Interim Rule: Network Penetration Reporting and Contracting for Cloud Services, issued August 26, 2015, dramatically expands the scope of covered information. Previous rule was limited to unclassified controlled technical information Now covers a much broader scope of information: Controlled technical information, critical operations security information, export control information, and Any information marked or otherwise identified in the contract that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information) Requires covered contractors to implement SP 800-171 protections Requires rapid reporting of any incident that affects a covered contractor information system or the covered defense information residing therein. Applies to all DOD contractors and subcontractors, regardless of tier and regardless of contract type 11

Introduction to state attorney general data breach investigations 12

Introduction to state attorney general data breach investigations Overview of the AG investigative process Data breach notification responsibility AG inquiry letter AG press releases Ensuring confidentiality of document productions Tolling agreement Resolution 13

State attorney general data breach investigations Consumer breach notification analysis Varied definitions of personal information Notification timeframe Risk of harm analysis Unfair and deceptive trade practices jurisdiction "Reasonable" security practices Deceptive policies and privacy statements State legislative initiatives California: Personal information expanded to include a username or email address, in combination with a password or security question and answer that would permit access to an online account (2013) Florida: Requires production of forensics reports (2014) New York: Legislation allowing safe harbor for companies adopting heightened data security standards (2015) Illinois: Expanded definition of PII (2015) Preemption: How will federal legislation impact state AG enforcement? 14

State Attorney General Data Breach Investigations Important factors in regulator analysis Potential for consumer injury (identity theft, credit cards, etc.) Consumer notification timeline Reasonableness of security practices Facts surrounding breach detection (self-detected, response time, etc.) Cooperation with law enforcement Ongoing process of assessing security enhancements Case examples: Choicepoint, TJX, TD Bank 15

Contacts Todd Bertoson Principal Washington, DC D +1 202 408 5395 todd.bertoson@dentons.com Erin Sheppard Counsel Washington, DC D +1 202 496 7533 erin.sheppard@dentons.com Daniel Gibb Senior Managing Associate Washington, DC D +1 202 408 3938 daniel.gibb@dentons.com 16

Thank you Dentons US LLP 1301 K Street, NW Suite 600, East Tower Washington, DC 20005-3364 United States 2015 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information