
David Thaw University of Connecticut School of Law Yale Law School Information Society Project

Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation (a.k.a., “The Efficacy of Cybersecurity Regulation”). David Thaw University of Connecticut School of Law Yale Law School Information Society Project.



Presentation Transcript


  1. Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation (a.k.a., “The Efficacy of Cybersecurity Regulation”) David Thaw, University of Connecticut School of Law; Yale Law School Information Society Project

  2. Information Security Failures
  • 04/17/2011 – Sony PlayStation Network compromised by attackers; 77,000,000 consumer records compromised
    ◦ Sony compromised again… one week later! (24.6 million records)
  • 01/29/2009 – Heartland Payment Systems payment card processing network compromise discovered; 130,000,000 consumer records compromised
    ◦ Actual compromise occurred ~8 months earlier and went undetected!
  • 01/17/2007 – TJX Companies reports information security failure that allowed attackers to compromise 94,000,000 consumer records, including many consumers’ payment card information
    ◦ Banks wrote off tens of millions in fraudulent charges
    ◦ Some consumers forced to obtain new driver’s licenses/ID #’s

  3. Sensitive Personal Information
  [Diagram] Identifier (usually name) + Sensitive Personal Information = SBN “Triggering” Data → Reportable Breach
  • Three Common Types of Sensitive Personal Information:
    ◦ Social Security Number
    ◦ Payment Card/Account Number*
    ◦ Gov’t-Issued ID Number*
  • But: exception for “encrypted” data!
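The triggering rule on this slide (identifier plus sensitive personal information, minus the encryption exception) is the kind of check an incident responder runs while triaging what was exposed. The helper below is an added example, not part of the presentation and not a model of any particular state statute; the field names, the constructed record sets and the treatment of the encryption exception as a simple per-field carve-out are all assumptions for illustration.

```python
"""Breach-notification triage helper following the slide's SBN model:
identifier (usually name) + sensitive personal information (SPI) = reportable
breach, unless the SPI elements were encrypted.  Added illustrative example;
a simplification, not a statement of any specific statute."""
from dataclasses import dataclass, field

# The three common SPI types named on the slide (field names are constructed).
SPI_TYPES = {"ssn", "payment_card_number", "government_id_number"}

# The slide says the identifier is "usually name"; extend this set if a
# particular regime treats other elements as identifiers (assumption).
IDENTIFIER_FIELDS = {"name"}


@dataclass
class ExposedRecordSet:
    """One set of records exposed in an incident (constructed example input)."""
    fields: set                       # data elements present in the exposed records
    encrypted_fields: set = field(default_factory=set)  # elements that were encrypted


def triggering_elements(rs: ExposedRecordSet) -> set:
    """SPI elements that count as 'triggering' data: present in the exposed
    records and not covered by the encryption exception."""
    return (rs.fields & SPI_TYPES) - rs.encrypted_fields


def is_reportable(rs: ExposedRecordSet) -> bool:
    """Identifier + at least one unencrypted SPI element => reportable breach."""
    has_identifier = bool(rs.fields & IDENTIFIER_FIELDS)
    return has_identifier and bool(triggering_elements(rs))


def triage(record_sets: dict) -> dict:
    """Map each named record set to the SPI elements that make it reportable
    (empty set means no notification is triggered under this model)."""
    return {name: triggering_elements(rs) if is_reportable(rs) else set()
            for name, rs in record_sets.items()}


if __name__ == "__main__":
    # Constructed incident: three exposed tables with different protections.
    incident = {
        "customers": ExposedRecordSet({"name", "email", "ssn"}),
        "payments": ExposedRecordSet({"name", "payment_card_number"},
                                     encrypted_fields={"payment_card_number"}),
        "hr_export": ExposedRecordSet({"ssn", "government_id_number"}),  # no identifier
    }
    for table, elements in triage(incident).items():
        print(f"{table}: {'REPORTABLE ' + str(sorted(elements)) if elements else 'not triggered'}")
```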

  4. CISO Quotes: Effects of SBNs SBNs drive encryption policies: “. . . [SBNs] caused us to . . . in a very short period of time, encrypt 40,000 laptops . . .” (CISO of a large healthcare organization) “. . . What we have done is all computers now have to be encrypted.” (CISO of a large telecommunications company)

  5. CISO Quotes: Effects of SBNs SBNs drive encryption policies: “So what’s happened since the Notification Laws have become sort of ubiquitous in the last three years [is] the security investment is moved, essentially to crypto. If it moves, encrypt it. If it stays there, encrypt it. There’s not much reflection on whether or not actually anyone ever uses that data. It’s still a breach.” (CISO of a large healthcare organization)

  6. CISO Quotes: Effects of SBNs “And so what’s been really interesting about the Notification Laws is [they] have come in and [ ] essentially reversed the whole direction security was taking from when I started this job.” (CISO of a large healthcare organization)

  7. CISO Quotes: Effects of SBNs • “[B]asically [encryption] has distracted us from [] what I think is important thing . . . actually address[ing] things like Botnets and really significant network security vulnerabilities . . . [t]his whole crypto business [] has essentially moved resources from that area which we were kind of focusing on to this other area . . . every dollar that I spend on crypto is a dollar I don’t get to spend on something else” (CISO of a large health care organization)
