Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk
Marc J. Zwillinger, Sonnenschein Nath & Rosenthal LLP, [email protected] (sonnenschein.com)
How to avoid unwanted exposure, by Janet Jackson
Information Security Practice 2000-2004
• Draft and review information security policies and procedures.
• Immediate legal response to network attacks, including external penetrations and insider abuse, including California §1798.82 issues.
• Advise clients on laws and regulations governing the storage and exchange of electronic data over computer networks and the disclosure of electronic data (Wiretap & ECPA).
• Conduct internal investigations focusing on electronic evidence in connection with ongoing or potential litigation.
Internet Enforcement Practice 2000-2004
• Piracy investigations and litigation
• Spam
  • Anti-spam litigation
  • e-Marketing (CAN-SPAM) counseling
• Information leaks (Internet boards)
• Resale of corporate assets or services
Agenda
• Existing Information Security Legislation and Regulations – What do they mean?
• Future Legislation
• FTC Inquiries and Enforcement Actions
• Where is it all Going?
Information Security Regulation is Here to Stay
Sources of U.S. Information Security Regulation
- Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191, 110 Stat. 1936, “HIPAA”)
  - Privacy Standards
  - Security Rule (2005)
- Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (Pub. L. 106-102, “GLBA”)
  - Banking Agency Guidance (2001)
  - SEC Regulation S-P (2001)
  - FTC Safeguards Rule (2003)
- California Civil Code §1798.82 (formerly SB1386)
- Sarbanes-Oxley
FTC Safeguards Rule
The Safeguards Rule requires each financial institution to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” See 16 CFR part 314.
FTC Regulations
• Designate an employee or employees to coordinate an information security program;
• Assess risks in each area of operations;
• Design and implement a written information security program to control these risks;
• Require service providers (by contract) to implement appropriate safeguards for customer information;
• Adapt the security program in light of material changes to the business.
California’s Bright Idea: Mandatory Disclosure
Covered Entities
Require all entities who do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person.
Notice Requirements
Notice shall be made “in the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement . . . or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Customers injured by violations of the statute are authorized to bring private lawsuits for damages.
Cal. Civ. Code §1798.82(a), a/k/a SB1386
• Monitor employee access to higher-risk personal information
• Remove access privileges of former employees and contractors immediately
• Use intrusion detection technology for systems with higher-risk personal information
• Require third parties, including data custodians, to follow security procedures and notify the data owner upon breach
• Include electronic print-outs and paper records in your incident response plans and notification procedures
• Notify within 10 business days
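Two items on the list above lend themselves to a mechanical check: revoking departed users' access and the 10-business-day notice clock. The Python below is an added example, not part of the presentation or of any statute text. It reconciles a constructed HR separation feed against a constructed directory export, flags enabled accounts that belong to departed people (those still in a higher-risk group first), and computes the notification deadline in business days. The record layout, the group name `pii-readers` and the caller-supplied holiday list are assumptions.

```python
"""Added example (not from the slides): two checks drawn from the SB1386
practices list, run against constructed sample data.

1. Stale-access check: any account whose owner appears in the HR
   separation feed but is still enabled in the directory export.
2. Notification deadline: the date 10 business days after a breach is
   discovered (weekends skipped; holidays supplied by the caller).
"""
from datetime import date, timedelta

# Constructed sample data: an HR separations feed and a directory export.
SEPARATIONS = [
    {"user": "jdoe", "separated": date(2004, 3, 1), "type": "employee"},
    {"user": "acme-contractor-7", "separated": date(2004, 3, 3), "type": "contractor"},
    {"user": "mlee", "separated": date(2004, 2, 20), "type": "employee"},
]
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "groups": ["staff", "pii-readers"]},
    {"user": "acme-contractor-7", "enabled": True, "groups": ["vendors"]},
    {"user": "mlee", "enabled": False, "groups": ["staff"]},
    {"user": "rkim", "enabled": True, "groups": ["staff", "pii-readers"]},
]


def stale_accounts(separations, accounts, as_of):
    """Return (user, days_since_separation, groups) for every separated
    person whose account is still enabled on `as_of`."""
    separated = {s["user"]: s["separated"] for s in separations}
    findings = []
    for acct in accounts:
        when = separated.get(acct["user"])
        if when is not None and acct["enabled"]:
            findings.append((acct["user"], (as_of - when).days, acct["groups"]))
    return findings


def high_risk_stale(findings, high_risk_group="pii-readers"):
    """Subset of stale accounts that still hold higher-risk data access
    (group name is an assumption); these go first in the remediation queue."""
    return [f for f in findings if high_risk_group in f[2]]


def add_business_days(start, n, holidays=()):
    """Date n business days after `start` (Mon-Fri, skipping `holidays`)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def notification_deadline(discovered, holidays=()):
    """Latest notice date under the 10-business-day rule on the slide."""
    return add_business_days(discovered, 10, holidays)


if __name__ == "__main__":
    as_of = date(2004, 3, 5)  # constructed review date (a Friday)
    found = stale_accounts(SEPARATIONS, ACCOUNTS, as_of)
    for user, days, groups in found:
        print(f"STALE {user}: separated {days} days ago, groups={groups}")
    print("high-risk first:", [f[0] for f in high_risk_stale(found)])
    print("notify by:", notification_deadline(as_of))
```

Run daily against the real feeds, the first check turns "remove access immediately" into a measurable number (days an account outlived its owner's employment), and the deadline helper gives incident handlers a fixed date rather than a rule to interpret under pressure.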
Sarbanes-Oxley Act of 2002
Establishes requirements for public companies with respect to internal controls over financial reporting.
Do "internal control" requirements apply to information security policies and procedures?
• Rules require policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company’s] assets that could have a material effect on the financial statements.”
• Section 302 identifies internal fraud as an event that would require disclosure.
• Controls relating to the prevention, identification and detection of internal fraud are part of the necessary controls.
§§ 806 & 1107 – Protects/encourages whistleblowers
§ 802 – Evidence preservation duty; severe penalties for destruction
§ 301 – Must receive and investigate complaints/allegations of fraud
§ 404 – Effective internal controls required
§ 409 – Timely reporting required
Computer Investigations/Incident Response Infrastructure & Internal Investigation Capabilities = Internal Investigations and Incident Response
• Nearly all evidence is digital
• Government investigations will focus on computer evidence
• Data must be recovered, analyzed and preserved in a thorough and rapid manner
§ 302 – CEOs/CFOs must evaluate internal controls and disclose internal fraud
Cooperation with SEC/Law Enforcement = Production and Identification of Evidence (Exchange Act Release No. 44969)
Federal Trends
Congressional Action and Debate: Proposals by Representative Putnam, Chair of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Initial Proposal
Chairman Putnam’s Corporate Information Security Accountability Act of 2003 (Draft)
• Would have required that publicly traded companies include a status report with their SEC filings on their corporate information security plans, in the form of a checklist that would have to be certified by an independent third-party auditor.
• The checklist would include a basic information security plan, including an up-to-date inventory of critical IT assets; a risk assessment and corresponding risk management/mitigation plan; an incident response plan; and a tested business continuity plan.
Corporate Response
Private sector concerned with the prospect of massive government regulation.
Chairman Putnam challenged the private sector to identify an alternative approach; created the Corporate Information Security Working Group (CISWG), composed of industry experts, to develop a proposal for a legislative response to cybersecurity risks.
CISWG Proposals
Incentives over Regulation
Positive incentives are a more effective means of implementing cyber security risk management because they would:
• Leverage private industry’s ability to innovate the tools necessary for effective cyber-security.
• Apply to the global economy through multinational corporations
• Respond to changes in technology.
• Encourage executive buy-in due to inherent advantages of a “return on investment” approach.
• Promote market-based incentive programs that are more applicable to the broad cross-section of entities who use and must protect the cyberspace.
• Complement the existing sector specific initiatives.
Incentives over Regulation (II)
Duplicative and conflicting international, national, state and local regulations create disincentives to cyber-security.
Key Private Sector Incentive Recommendations
Establish generally accepted measurement tools to evaluate corporate and individual cyber security
Develop programs utilizing these measurement tools to establish programs to determine qualification, compliance and/or certification.
Key Private Sector Incentive Recommendations (II)
Take advantage of the cyber-risk management programs and services offered by the cyber-insurance industry as a means of providing for business continuity and financial risk management.
Establish programs that seek to use market forces to motivate organizations to enhance their cyber security programs and practices. Industry leaders should be encouraged to identify and promote such programs among their clients.
Key Government Incentive Recommendations
Publicize the positive efforts that are being made by corporations to improve cyber security beyond their own corporate walls.
Consider legislation providing liability limits and/or safe harbor protections to private sector entities.
Investigate economic incentives that would reward capital investments made by companies that purchase “certified” or information security products and services.
Key Government Incentive Recommendations (II)
Enact procedures whereby, in cases of a covered cyber-disaster, FEMA payments would be modified based on the extent to which “Best Practices” were executed.
Encourage appropriate availability and use of cyber-insurance as a means to protect this nation’s critical assets.
Best Practices Recommendations
Create an umbrella organization to establish, promulgate, maintain, and track the use of IS guidance that is systemic, scalable, coherent, and readily usable.
Publish the Fundamental Four and Digital Dozen as sequential components of a “Security Starter Kit” through auditors, accountants, associations, ISP’s, insurance companies and other leverage channels to proliferate use of these practices.
Best Practices Recommendations (II)
Publish the IS Program Elements Framework and encourage enterprises to undertake security improvement projects
Work with industry associations and media to increase awareness of the community aspect of cybersecurity and the imperative to be responsible Internet neighbors.
Enforcement Actions: Past Targets
On June 18, 2003, Guess, Incorporated agreed to settle charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers.
Personal information was not stored in an unreadable, encrypted format at all times, and security measures failed to protect against SQL and other commonly known attacks.
According to the FTC press release, the settlement requires Guess to establish and maintain a comprehensive information security program that must be certified by an independent professional within a year, and every other year thereafter.
On January 14, 2003, the New York AG’s settlement agreement with the ACLU resulted from an incident in which ACLU customers' personal information -- including name, address, phone number, e-mail address and a record of purchases -- was accessible through the search mechanism on the organization's website.
ACLU’s conduct breached specific representations in the organization's privacy policy.
ACLU required to “establish and maintain an information security program that includes appropriate administrative, technical and physical safeguards” and undergo annual, independent compliance reviews over the next five years.
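The Guess matter turns on a defect class the FTC named directly: SQL attacks. As an added example (not from the slides and not from the FTC record of that case), the Python below builds a constructed SQLite table of obviously fake customer rows and puts the query that splices user input into SQL text beside the parameterized query that closes the hole, so the difference in behaviour on a crafted input can be seen directly. The table, column names and the input string are assumptions.

```python
"""Added example (not from the slides or the FTC matter): the defect class
named in the Guess settlement, shown on a constructed SQLite table beside
the parameterized query that removes it.
"""
import sqlite3


def build_db():
    """In-memory store holding constructed, obviously fake customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.test", "1111"),
        (2, "bob@example.test", "2222"),
        (3, "carol@example.test", "3333"),
    ])
    return conn


def lookup_unsafe(conn, email):
    """Defective pattern: the caller's string is pasted into the SQL text.
    A quote character in the input ends the string literal, and whatever
    follows is parsed as SQL rather than compared as data."""
    sql = f"SELECT id, email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: the driver binds the value at execution time, so
    the input is only ever compared as data, quotes included."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed test input: a value no customer has, carrying a quote and a
# tautology that the unsafe query will treat as part of its WHERE clause.
CRAFTED = "nobody@example.test' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("unsafe, crafted input:", lookup_unsafe(conn, CRAFTED))  # every row leaks
    print("safe, crafted input:  ", lookup_safe(conn, CRAFTED))    # no match
    print("safe, normal input:   ", lookup_safe(conn, "bob@example.test"))
```

The two functions are identical except for where the value enters the query, which is why this class of defect is cheap to audit for: any site that builds SQL with string formatting or concatenation is a finding, regardless of what input validation sits in front of it.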
Sample Presentation
Enforcement Questions
• Were there reasonable procedures in place to anticipate security problems?
• Was the problem foreseeable?
• How quickly was the breach caught and did it result in injury?
• Was there communication with victims and, if so, were efforts made to make them whole?
• What have the consequences been?
• Have steps been taken to make sure the problem is not repeated?
• Has security been institutionalized in the company?
• Is an “incident response system” in place?
• Has company demonstrated that they “get it”?
What Does the Future Hold?
Increased likelihood of litigation based on security breaches
• More entities subject to a specified duty of care
• Erosion of “reciprocity is hell” limiting factor
Application of security standards to non-regulated entities
• Outsourcing/contractual relationships
• Insurance Prerequisite
New Federal law encouraging/requiring investment in information security resources
Much more scrutiny on incident handling and incident response
Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk
Marc J. Zwillinger, Partner, Sonnenschein Nath and Rosenthal, LLC.