Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?



Similar documents
Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

Preservation of longstanding, roles and missions of civilian and intelligence agencies

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

DIVISION N CYBERSECURITY ACT OF 2015

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

S. ll IN THE SENATE OF THE UNITED STATES A BILL

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

Cyber Risks in the Boardroom

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

Conducting due diligence and managing cybersecurity in medical technology investments

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Cybersecurity and Information Sharing: Comparison of H.R and H.R. 1731

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

Legislative Language

LEGAL ISSUES IN SHARING CYBER THREAT INTELLIGENCE: WHAT ARE THE REAL CONCERNS?

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Network Security & Privacy Landscape

How-To Guide: Cyber Security. Content Provided by

FINAL // FOR OFFICIAL USE ONLY. William Noonan

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

H. R. ll IN THE HOUSE OF REPRESENTATIVES A BILL

S. ll IN THE SENATE OF THE UNITED STATES

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Joe A. Ramirez Catherine Crane

Working with the FBI

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Cybersecurity and Insurance Companies

Cybercrime: risks, penalties and prevention

Cybersecurity Awareness. Part 1

Answering your cybersecurity questions The need for continued action

HOUSE DOCKET, NO FILED ON: 2/28/2014. HOUSE... No The Commonwealth of Massachusetts PRESENTED BY: Paul R. Heroux

Cyber Threats: Exposures and Breach Costs

1st Session NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015

How To Protect Your Cybersecurity From Cyber Incidents

Big Data As a Threat? An Alternative Approach to Cybersecurity

Cybersecurity y Managing g the Risks

When Can We Expect a Federal Data Breach Notification Law?

Summary of Privacy and Data Security Bills- 112 th Congress. Prepared for September 15, 2011 CT Privacy Forum

Cyber Liability. What School Districts Need to Know

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Brief. The BakerHostetler Data Security Incident Response Report 2015

114 th Congress March, Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Data Breach Response Planning: Laying the Right Foundation

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

CYBERSECURITY RISK MANAGEMENT

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

I ve been breached! Now what?

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

New Privacy Laws Impacting the Health Care Work Place

Transcription:

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Bruce Heiman K&L Gates September 10, 2015 Bruce.Heiman@klgates.com (202) 661-3935

Why share information? Prevention Timely exposure of threats & vulnerability USG uniquely able to provide threat information/foreign intelligence Facilitates effective cooperation on best way to prevent, detect, address potential harm Protection USG can distribute information more broadly USG can help mitigate damage Prosecution USG better positioned to investigate, arrest, pursue cybercriminals domestically and internationally

Why not share information? Premature escalation Lose control of investigation/response Invite further attacks Reputational harm Regulatory enforcement (criminal/civil) State Attorneys General actions Civil suits (class actions) by those whose data is compromised Shareholder suits Congressional investigations International enforcement

Sources of legal requirements Federal: FTC SEC GLBA FCRA/FACTA State Data breach/cybersecurity laws (47) UDAP Common Law Negligence Breach of contract International EU (Privacy Regulation) Nation states HIPAA COPPA UCC FAR

Types of allegations Failure to do what you say Deceptive practice Intentional/negligent misrepresentation Failure to say what you should Failure to (timely) disclose material facts Failure to do what you should Failure to take reasonable security measures (unfair) Negligence Breach of fiduciary duty/duty of care Breach of contract Failure to disclose a problem Failure to timely notify of data breach Failure to adequately explain the data breach

So -- How to realize benefits of information sharing and avoid negative consequences? Answer: Provide protection to companies to incentivize the voluntary sharing of information among private parties and with the government.

Current pending legislation House: Protecting Cyber Networks Act [HR 1560] National Cybersecurity Protection Advancement Act [HR 1731] Senate: Cybersecurity Information Sharing Act (CISA) [S. 754]

Five Key Questions Share what kind of information? Need to scrub personal information? With which USG departments (and who will they share it with)? What can the information be used for? What legal liability protection will I have?

Share what kind of information? Cyber threat indicator or defensive measure Malware used by malicious actors to compromise computer networks Measures to defend an entity s own information networks and system (and those of customers if authorized)

Need to scrub personal information? Yes need to: Assess and remove any known personal information identifying a specific person not directly related to a cybersecurity threat or Implement and utilize a technological capability configured to remove such personal information

Share with which USG departments (and who will they share it with)? Idea is to create a central portal DHS and formal process Information then rapidly dispersed Key issue allegedly is whether information is thereafter shared with DoD and NSA A business regulated by a federal agency may share information with that agency and receive protection Companies may share information informally with any agency and receive protection [Senate]

How may the information be used? Cybersecurity purposes! But also: to prevent to respond to the imminent threat of serious national harm, harm to a minor, fraud and identity theft, espionage and trade secrets (Senate House broader) Not to regulate, including by way of enforcement actions, lawful activities Important! Those sharing information with the government may impose restrictions on it to use.

What legal liability protections will I have? No cause of action for monitoring, sharing or receiving cybersecurity threat information (and acting, or in good faith not acting, on it) No waiver of any privilege or protection (including trade secret protection) No antitrust violation from sharing information (but cannot fix prices, monopolize etc.) Exempt from disclosure under federal or state or local FOIA laws Exempt from disclosure under any ex parte requirements No limitation on otherwise applicable statutory defenses But assumes good faith and reasonable actions Does not protect against gross negligence or willful misconduct

Hot topic defensive measures For the first time, pending legislation authorizes defensive measures but does not extend legal protection Intent: measures to defend one s own networks and systems (and those of customers if authorized by them) Not intended to authorize offensive measures such as unauthorized access to, or executing computer code on, another entity s information systems But recognize that actions on one s own system can have effects on another s system Ok unless would substantially harm another entity s system

QUESTIONS? Bruce Heiman K&L Gates Bruce.Heiman@klgates.com (202) 661-3935

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information