Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk

Marc J. Zwillinger
Sonnenschein Nath & Rosenthal LLP
mzwillinger@sonnenschein.com

Page 2

How to avoid unwanted exposure

by Janet Jackson

Page 3

Information Security Practice 2000-2004

Draft and review information security policies and procedures.

Immediate legal response to network attacks, including external penetrations and insider abuse, including California Civil Code §1798.82 issues.

Advise clients on laws and regulations governing the storage and exchange of electronic data over computer networks and the disclosure of electronic data (Wiretap Act & ECPA).

Conduct internal investigations focusing on electronic evidence in connection with ongoing or potential litigation.

Page 4

Internet Enforcement Practice 2000-2004

Piracy Investigations and Litigation

Spam

• Anti-Spam Litigation

• e-Marketing (CAN-SPAM) counseling

Information Leaks (Internet boards)

Resale of corporate assets or services

Page 5

Agenda

Existing Information Security Legislation and Regulations – What do they mean?

Future Legislation

FTC Inquiries and Enforcement Actions

Where is it all Going?

Page 6

Information Security Regulation is Here to Stay

Sources of U.S. Information Security Regulation

- Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191, 110 Stat. 1936, “HIPAA”)
  - Privacy Standards
  - Security Rule (2005)
- Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (Pub. L. 106-102, “GLBA”)
  - Banking Agency Guidance (2001)
  - SEC Regulation S-P (2001)
  - FTC Safeguards Rule (2003)
- California Civil Code §1798.82 (formerly SB1386)
- Sarbanes-Oxley

Page 7

FTC Safeguards Rule

The Safeguards Rule requires each financial institution to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” See 16 CFR part 314.

Page 8

FTC Regulations

- Designate an employee or employees to coordinate an information security program;
- Assess risks in each area of operations;
- Design and implement a written information security program to control these risks;
- Require service providers (by contract) to implement appropriate safeguards for customer information;
- Adapt the security program in light of material changes to the business.

Page 9

California’s Bright Idea: Mandatory Disclosure

Covered Entities

Require all entities who do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person.

Page 10

Notice Requirements

Notice shall be made “in the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement . . . or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

Customers injured by violations of the statute are authorized to bring private lawsuits for damages.

Cal. Civ. Code §1798.82(a), a/k/a SB1386

Page 11

- Monitor employee access to higher-risk personal information
- Remove access privileges of former employees and contractors immediately
- Use intrusion detection technology for systems with higher-risk personal information
- Require third parties, including data custodians, to follow security procedures and notify the data owner upon breach
- Include electronic print-outs and paper records in your incident response plans and notification procedures
- Notify within 10 business days

Page 13

Sarbanes-Oxley Act of 2002

Establishes requirements for public companies with respect to internal controls over financial reporting.

Do "internal control" requirements apply to information security policies and procedures?

Rules require policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company’s] assets that could have a material effect on the financial statements.”

Section 302 – identifies internal fraud as an event that would require disclosure.

Controls relating to the prevention, identification and detection of internal fraud are part of necessary controls

Page 14

- §§ 806 & 1107: Protects/encourages whistleblowers
- § 802: Evidence preservation duty; severe penalties for destruction
- § 301: Must receive and investigate complaints/allegations of fraud
- § 404: Effective internal controls required
- § 409: Timely reporting required
- § 302: CEOs/CFOs must evaluate internal controls and disclose internal fraud
- Exchange Act Release No. 44969: Cooperation with SEC/law enforcement = production and identification of evidence

Computer Investigations/Incident Response Infrastructure & Internal Investigation Capabilities = INTERNAL INVESTIGATIONS and Incident Response

• Nearly all evidence is digital
• Government investigations will focus on computer evidence
• Data must be recovered, analyzed and preserved in a thorough and rapid manner

Page 15

Federal Trends

Congressional Action and Debate: Proposals by Representative Putnam, Chair of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

Page 16

Initial Proposal

Chairman Putnam’s Corporate Information Security Accountability Act of 2003 (Draft)

• Would have required that publicly traded companies include a status report with their SEC filings on their corporate information security plans, in the form of a checklist that would have to be certified by an independent third-party auditor.

• The checklist would include a basic information security plan, including an up-to-date inventory of critical IT assets; a risk assessment and corresponding risk management/mitigation plan; an incident response plan; and a tested business continuity plan.

Page 17

Corporate Response

Private sector concerned with the prospect of massive government regulation.

Chairman Putnam challenged the private sector to identify an alternative approach; created the Corporate Information Security Working Group (CISWG), composed of industry experts, to develop a proposal for a legislative response to cybersecurity risks.

Page 18

CISWG Proposals

Page 19

Incentives over Regulation

Positive incentives are a more effective means of implementing cyber security risk management because they would:

• Leverage private industry’s ability to innovate the tools necessary for effective cyber-security.

• Apply to the global economy through multinational corporations

• Respond to changes in technology.

• Encourage executive buy-in due to inherent advantages of a “return on investment” approach.

• Promote market-based incentive programs that are more applicable to the broad cross-section of entities who use and must protect the cyberspace.

• Complement the existing sector specific initiatives.

Page 20

Incentives over Regulation (II)

Duplicative and conflicting international, national, state and local regulations create disincentives to cyber-security.

Page 21

Key Private Sector Incentive Recommendations

Establish generally accepted measurement tools to evaluate corporate and individual cyber security

Develop programs utilizing these measurement tools to establish programs to determine qualification, compliance and/or certification.

Page 22

Key Private Sector Incentive Recommendations (II)

Take advantage of the cyber-risk management programs and services offered by the cyber-insurance industry as a means of providing for business continuity and financial risk management.

Establish programs that seek to use market forces to motivate organizations to enhance their cyber security programs and practices. Industry leaders should be encouraged to identify and promote such programs among their clients.

Page 23

Key Government Incentive Recommendations

Publicize the positive efforts that are being made by corporations to improve cyber security beyond their own corporate walls.

Consider legislation providing liability limits and/or safe harbor protections to private sector entities.

Investigate economic incentives that would reward capital investments made by companies that purchase “certified” or information security products and services.

Page 24

Key Government Incentive Recommendations (II)

Enact procedures whereby, in cases of a covered cyber-disaster, FEMA payments would be modified based on the extent to which “Best Practices” were executed.

Encourage appropriate availability and use of cyber-insurance as a means to protect this nation’s critical assets.

Page 25

Best Practices Recommendations

Create an umbrella organization to establish, promulgate, maintain, and track the use of IS guidance that is systemic, scalable, coherent, and readily usable.

Publish the Fundamental Four and Digital Dozen as sequential components of a “Security Starter Kit” through auditors, accountants, associations, ISP’s, insurance companies and other leverage channels to proliferate use of these practices.

Page 26

Best Practices Recommendations (II)

Publish the IS Program Elements Framework and encourage enterprises to undertake security improvement projects

Work with industry associations and media to increase awareness of the community aspect of cybersecurity and the imperative to be responsible Internet neighbors.

Page 27

Enforcement Actions: Past Targets

Page 28

On June 18, 2003, Guess, Incorporated agreed to settle charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers.

Personal information was not stored in an unreadable, encrypted format at all times, and security measures failed to protect against SQL and other commonly known attacks.

According to the FTC press release, the settlement requires Guess to establish and maintain a comprehensive information security program that must be certified by an independent professional within a year, and every other year thereafter.

Page 29

On January 14, 2003, the New York AG reached a settlement agreement with the ACLU resulting from an incident in which ACLU customers' personal information -- including name, address, phone number, e-mail address and a record of purchases -- was accessible through the search mechanism on the organization's website.

The ACLU’s conduct breached specific representations in the organization's privacy policy.

The ACLU was required to “establish and maintain an information security program that includes appropriate administrative, technical and physical safeguards” and undergo annual, independent compliance reviews over the next five years.

Page 31

Sample Presentation

Page 34

Enforcement Questions

• Were there reasonable procedures in place to anticipate security problems?

• Was the problem foreseeable?

• How quickly was the breach caught and did it result in injury?

• Was there communication with victims and, if so, were efforts made to make them whole?

• What have the consequences been?

• Have steps been taken to make sure the problem is not repeated?

• Has security been institutionalized in the company?

• Is an “incident response system” in place?

• Has the company demonstrated that it “gets it”?

Page 35

What Does the Future Hold?

Increased likelihood of litigation based on security breaches

• More entities subject to a specified duty of care

• Erosion of “reciprocity is hell” limiting factor

Application of security standards to non-regulated entities

• Outsourcing/contractual relationships

• Insurance Prerequisite

New Federal law encouraging/requiring investment in information security resources

Much more scrutiny on incident handling and incident response

Page 37

Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk

Marc J. Zwillinger, Partner, Sonnenschein Nath and Rosenthal, LLC.