Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava Mika Meyers Beckett & Jones PLC 900 Monroe Avenue NW Grand Rapids, MI 49503 (616) 632-8000 jpuplava@mmbjlaw.com www.mmbjlaw.com
New Technologies Bring New Concerns Increased use of technology to communicate, operate, and manage information. Organizations generally fail to keep pace with escalating cybersecurity risks. Many business users use cloud applications without the knowledge or support of IT. (McAfee Labs 2014 Threats Predictions) Security incidents involving loss of data have increased. (PwC, The Global State of Information Security Survey 2014)
Key Cybersecurity Worries Mobile malware. Virtual currencies. Cybercrime and cyber warfare. Social attacks. PC and server attacks. Big Data. Attacks on the cloud. McAfee Labs 2014 Threats Predictions.
Key Cybersecurity Worries Mobility: increased risk due to BYOD, lost/stolen devices, lack of security controls, etc. Cloud Services: cross-border privacy concerns, unintentional upload of company data to cloud, etc. Uneducated use of technology: use of company devices for work and personal matters, use of free file-sharing services, etc.
Source of Threats Outsiders Hackers (looking for financial gain). Hacktivits (on ideological missions). Terrorists/organized crime. Competitors. Government.
Source of Threats Insiders Current/former employees. Current/former service providers, consultants, contractors. Suppliers/customers. Business partners. Information brokers. Different motivations: Disgruntled. Careless. Uneducated.
Benefits of Good Cybersecurity Program Protected data. Increased efficiency of operations and financial control. Minimize risk of damage caused by cybersecurity breach. Minimize risk of third party/regulatory action relating to cybersecurity breach. Protected reputation.
Range of Harms from Cybersecurity Breach Potential harm to business, consumers and the public. Loss of Integrity. Identity theft. Tainted data. Affected operations. Loss of Access/Availability. Loss of Confidence. Disclosure of Confidential Information. Compromised customer, user or employee records. Compromised trade secrets or other proprietary information.
Cybersecurity Standards Cybersecurity regulations and laws are a moving target. Currently there is a patchwork quilt of federal and state laws addressing cybersecurity, but no broad federal cybersecurity legislation.
Cybersecurity Standards Examples of Industry/Business-Specific Security Laws requiring protection of systems and information. Financial institutions (Financial Services Modernization Act of 1999, Gramm-Leach Bliley Act, Federal Financial Institutions Examination Council standards). Healthcare providers (HIPAA, HITECH). Federal agencies, or those who provide services on their behalf (Federal Information Security Management Act, Homeland Security Act). Family Educational Rights and Privacy Act (FERPA). Payment Card Industry Data Security Standards (PCI-DSS). SEC reporting requirements.
Cybersecurity Standards State Law. Trade secrets (e.g. Michigan Uniform Trade Secret Act) require reasonable security measures be taken. Social Security Number Privacy Act (in Michigan and other states). Data Breach Notification (e.g. Michigan Identity Theft Protection Act). Freedom of Information Act. International Laws. European Union Data Protection Regulation. Legislative development in several countries.
Other Cybersecurity Standards and Resources Contractual requirements. Information security management system standards published by International Organization for Standardization and International Electrotechnical Commissions (e.g. ISO/IEC 27001-2005 regarding Information security management systems). Information Security Forum Standards of Good Practice. Now available for sale to the general public. Comprehensive list of best practices for information security. Atlantic Council (cybersecurity resources focusing on international and state issues). SANS Institute computer security training programs.
Examples of the Alphabet Soup of Privacy Regulations Electronic Communications Privacy Act (ECPA). Critical Infrastructure Information Act (CIIA). Fair Credit Reporting Act (FCRA). Fair Debt Collection Practices Act (FDCPA). Children s Online Privacy Protection Act (COPPA). Computer Fraud and Abuse Act (CFAA). Telephone Consumer Protection Act (TCPA). The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).
Best Guidance To Date: NIST Framework NIST Framework for Improving Critical Infrastructure Cybersecurity. Voluntary set of standards. Good starting point for developing best practices. Aimed at reducing and better managing cybersecurity risks. Could be used as a standard for evaluating reasonableness of an organizations cybersecurity program.
Potential Liability for Security Breaches Examples of Some Private Rights of Action. Negligence. Breach of contract. Breach of fiduciary duty. Invasion of privacy. Conversion. Unjust enrichment. Class actions. Waste of corporate assets. Abuse of control. Shareholder derivative suits.
Potential Liability for Security Breaches Examples of Regulatory Action. FTC enforcement actions due to inadequate data privacy and security measures. HHS enforcement actions against entities covered by HIPAA who fail to comply with privacy and security rules. Security and Exchange Commission can take action for failure to fully or timely disclose a material data breach. State enforcement actions can overlap with federal enforcement actions relating to the same security breach.
Potential Remedies for Cyberattacks Breach of contract. Federal Computer Fraud & Abuse Act. Trespass. Misappropriation. Copyright Infringement. Digital Millennium Copyright Act (if the defendant circumvented measures to block activity).
General Rules for Cybersecurity Be proactive rather than just reactive. Maintain reasonable procedures to protect sensitive information and comply with applicable law. Do not misrepresent your practices.
Best Practices in a Creating Cybersecurity Program The process of creating a cybersecurity program will be different for each organization no one-size-fits-all approach. Involve all levels of authority in creating a cybersecurity program. IT staff cannot be alone in this effort. Consider using NIST Cybersecurity Framework.
Best Practices in a Creating Cybersecurity Program Identify and prioritize corporate information assets. Inventory: Where data resides; The type of data collected; Type and location of equipment and devices used; Who can access the data; How and what sensitive information is transmitted to third parties; What information is retained and for how long.
Best Practices in a Creating Cybersecurity Program Assess legal requirements regarding ability to: Collect and retain information from employees, customers, and third parties. Use and share collected information. Secure collected information. Dispose of collected information. Evaluate risk of data loss. NIST Guide for Conducting Risk Assessments. FTC requires reasonable risk assessment. Assess cybersecurity risk of outsourced functions.
Best Practices in a Creating Cybersecurity Program Develop appropriate safeguards. Draft a security policy/plan. Address cybersecurity in vendor agreements. Consider cyber-insurance coverage. Accurately describe information sharing in customer Terms of Service and Privacy Policies. Implement technical, administrative, and physical controls using cost/benefit analysis. Train employees, and develop procedures for newly hired and exiting employees.
Best Practices in a Creating Cybersecurity Program Monitor and be prepared to respond to breaches. Develop procedures to stop the breach and remediate damaged functionality. Identify legal requirements relating reporting/notification in the event of a security breach. Draft a written computer incident response/data breach policy, and be prepared to mitigate an incident. Regularly evaluate the above.
Questions? Jennifer Puplava jpuplava@mmbjlaw.com (616) 632-8050 Disclaimer: This presentation is to assist in a general understanding of some of the legal issues involved, and is not intended as legal advice. Persons with particular questions should seek the advice of counsel.