

The Information Security Legal Context

UW CIAC

Information Security and Risk Management in Context

October 5, 2011

John R. Christiansen, J.D.

Christiansen IT Law

Privacy/Security/Compliance

2212 Queen Anne Avenue North #333

Seattle, Washington 98109

206.301.9412

[email protected]



Presenter Bio

John R. Christiansen, J.D. - Christiansen IT Law

Information Technology Law: Privacy, Security, Compliance and Risk Management, IT Development and Licensing

  • Advisor to the U.S. Dep’t of Health and Human Services, Office of the National Coordinator for Health Information Technology and Office for Civil Rights; Special Assistant Attorney General to the Washington State Health Care Authority; IT counsel to technology companies, health care organizations, financial institutions and professional services firms

  • Chair, ABA HITECH Business Associates Task Force, 2009 – pres.; Committees on Healthcare Information Technology (2007 – 2009); Healthcare Privacy, Security and Information Technology (2004 – 06); Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)

  • Adjunct Faculty, University of Washington Information School, and Advisory Board member, Center for Information Assurance and Cybersecurity

  • Publications include Legal Speed Bumps on the Road to Health Information Exchange, Journal of Health and Bioscience Law (2008); Using Safe Harbors to Reduce Legal Barriers to Implementation of Electronic Health Records and Health Information Networks, Shidler Journal of Law, Commerce and Technology (accepted 2007); An Integrated Standard of Care for Healthcare Information Security (2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (2000); etc.

(c) Christiansen IT Law 2011



The Problems

  • Black Swans

  • Moral Panics

  • Reactive Regulators

  • Flighty Finance




The Problems

  • Unexpected negative events (Black Swans) cause

  • Public outrage and outcry (Moral Panics), which cause

  • Retrospective legal action (Reactive Regulators), causing

  • Investors, customers and business partners to flee (Flighty Finance)




What’s Law Got to Do With It?

  • Laws are tripwires:

    • Laws create jurisdiction to investigate and enforce

    • Very few proactive investigatory audits

    • Everyone can be found in violation of something

    • Government wants to do something

    • Enforcement becomes a retrospective investigation and penalty action

    • New legislation and regulations may ensue

    • Prolonged investigation, new laws trigger financial flight




Black Swans

  • “A black swan is a highly improbable event with three principal characteristics: it is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.”

    • Nassim Taleb

  • Black Swans are standard operating procedure (SOP) in complex systems




Black Swans

  • Deepwater Horizon Blowout

  • 9/11

  • The Morris Worm

  • DNS Cache Poisoning (Kaminsky)

  • Providence/Portland New Year’s Media Theft

  • California Comptroller Database Breach

  • Heartland Payment Systems and TJX (TJ Maxx) Hacks




Black Swans

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”

  • Donald Rumsfeld




Moral Panics

“The business of political operatives is horse trading in smoke-filled rooms. . . .This isn’t hypocrisy; this is management. . . .

“Except, that is, for outbursts of the bizarre: scandal and terror. Sometimes everyday politics is disrupted by an advent so wicked and heinous, so beyond the pale, that it calls the whole system into question. . . . This is moral panic.”

  • Bruce Sterling




Moral Panics

“. . . Moral panics are not always based on ‘The Big Lie.’ Instead, moral panics can take an existing problem of little or no consequence and turn it into an existential one to further a political agenda. Moral panics are not irrational acts by those who construct them, but rather are the result of deliberate political opportunism. . . .”

  • William Patry




Moral Panics

  • Satanic Abuse Cases (Wenatchee, McMartin Day Care, etc.)

  • The “Hacker Crackdown”

  • Cyberterrorism, Cyberwar (?)

  • Music Piracy

  • HIPAA Unique Patient Identifier




Reactive Regulators

  • Richard Nixon and the Fair Information Practice Principles

    • Basis for EU Data Protection, HIPAA, GLBA, etc.

  • “Operation Sundevil”

  • SB 1386 (and its many progeny)

  • Defunding of HIPAA patient identifier work

  • Regulatory investigation and penalty actions against Providence (typical)

  • Payment Card Industry (PCI) standards and enforcement regime




Reactive Regulators

  • Presumption: Every major organization can be found in breach of some regulation

    • Almost all standards are risk-based: HIPAA, GLBA; PCI compensating controls; etc.

      • Good: Allows for necessary variation

      • Bad: More stringent additional or alternate safeguards can almost always be identified

      • Risk management is only as good as risk assessment – back to Black Swans and unknown unknowns

      • Risk analysis and management are judged harshly in retrospect: Hindsight is 20/20




Reactive Regulators

  • Presumption: Every major organization can be found in breach of some regulation

    • Many organizations are subject to multiple overlapping regulations – can they be reconciled?

    • Some regulations have competing values – what is the “legally correct” balance between confidentiality and availability?

    • Risk assessment is always and only a snapshot – status at the time of observation

      • Hannaford Brothers (2008): certified PCI compliant one day after being notified of a malware intrusion that had been running for two months




Flighty Finance

  • “Vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement.”

    • Telang & Wattal (2005)




Flighty Finance

  • “The most readily available metric, the share price of Heartland common stock, serves as a ready indicator of how the markets have responded to the incident and the company’s actions since.”

    • Kroger (2010)

      Before announcement: $15.16

      Right after announcement: $8.18

      Next SEC disclosure: $3.43

      After remediation (several months): $10.43




Flighty Finance

  • CardSystems

    • Intrusion compromised tens of millions of card numbers

      • Millions of dollars in fraudulent charges in the wake of the breach

      • Thousands of credit cards canceled and re-issued

    • MasterCard and Visa terminated their contracts

    • CardSystems filed for bankruptcy




A Cautionary Tale

  • Oxford Health Plans (S.D.N.Y.) / Heller v. Oxford Health Plans et al. (D.Conn.)

    • Computer system upgrade initiated 1996

    • Delays in generating billings, lost revenues

    • Processing failures made accurate accounting of revenues, expenses impossible

    • 11/96 – 10/97: Company officers filed SEC documents, made representations admitting but underplaying effects of problems




A Cautionary Tale

  • Oxford Health Plans (S.D.N.Y.) / Heller v. Oxford Health Plans et al. (D.Conn.)

  • Court ruled valid claims stated for:

    • Breach of fiduciary duty (officers)

    • Gross mismanagement (officers)

    • Waste (officers)

    • “Knowing or reckless disregard of lack of internal controls and ineffective computing system” (KPMG)

  • Settlement March 2003: $300 million




A Cautionary Tale

  • In re Caremark International Inc. Derivative Litigation (Del. Ch. 1996)

    • Stockholder suit against Caremark board for breach of fiduciary duty in failing to supervise employees and institute measures to address company violations of antikickback laws

    • The “core element of any corporate law duty of care inquiry [is] whether there [was] a good faith effort to be informed and exercise judgment.”




A Cautionary Tale

  • In re Caremark International Inc. Derivative Litigation (Del. Ch. 1996)

    • “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may . . . render a director liable for losses caused by noncompliance with applicable legal standards.”

    • “[L]iability to the corporation for a loss may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”




So What Do I Do?

  • Assume a security breach will happen to you

    • Help your C-Suite and Board understand this perspective

    • Avoid “minimalist” risk assessment and risk management

    • Be ready to respond – investigation, remediation, legal and public relations




So What Do I Do?

  • R is the risk level required for regulatory compliance.

  • C is the cost of the risk management program necessary to achieve and maintain regulatory compliance.

  • R’ is the more-stringent risk level to be achieved in order to prevent losses the organization is not willing or able to assume.

  • C’ is the greater cost of the risk management program necessary to achieve regulatory compliance as well as to prevent losses the organization is not willing or able to assume.




So What Do I Do?

  • Assume retrospective assessment would find a breach of some applicable law

    • Have legal counsel involved, do due diligence to minimize possible violations

    • Be ready to defend yourself

    • Be ready to find a scapegoat

    • Be ready to negotiate



Defensible Information Security Risk Management

Layered model, built up over four slides: facts and analyses flow up the organization, and risk decisions and policies flow back down.

  • Board, CEO, CFO, General Counsel

    • Receives from below: Reports on Analyses and Recommendations for Risk Strategies

    • Issues to below: Risk Acceptance and Risk Strategy Guidance

  • Senior Management Interaction with or Participation in Board Committees

    • Receives from below: Analyses of Financial, Operational, Legal Risk Implications of Facts

    • Issues to below: Risk Management and Information Security Policies

  • Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)

    • Receives from below: Facts About Processes, Technologies, Outputs, Events

    • Issues to below: Information Security Program Policies, Procedures and Technical Solutions

  • Operational Personnel



Questions? Thanks!
