Loading in 2 Seconds...
Loading in 2 Seconds...
Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk Marc J. Zwillinger Sonnenschein Nath & Rosenthal LLP email@example.com
How to avoid unwanted exposure by Janet Jackson
Draft and review information security policies and procedures. Immediate legal response to network attacks, including external penetrations and insider abuse, including California 1789.82 issues Advise clients on laws and regulations governing the storage and exchange of electronic data over computer networks and disclosure of electronic data (Wiretap & ECPA) Conduct Internal Investigations focusing on electronic evidence in connection with ongoing or potential litigation. Information Security Practice 2000-2004
Internet Enforcement Practice 2000-2004 • Piracy Investigations and Litigation • Spam • Anti-Spam Litigation • e-Marketing (CAN-SPAM) counseling • Information Leaks (Internet boards) • Resale of corporate assets or services
Agenda • Existing Information Security Legislation and Regulations – What do they mean? • Future Legislation • FTC Inquiries and Enforcement Actions • Where is it all Going?
Information Security Regulation is Here to Stay • Sources of U.S. Information Security Regulation - Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191, 110 Stat. 1936, “HIPAA”) -Privacy Standards -Security Rule (2005) - Gramm-Leach-Bliley Financial Services Modernization Act of1999 (Pub. L. 106-102, “GLBA”) -Banking Agency Guidance (2001) -SEC Regulation S-P (2001) -FTC Safeguard Rules (2003) - California Civil Code §1789.82 (formerly SB1386) - Sarbanes-Oxley
FTC Safeguards Rule • The Safeguards Rule requires each financial institution to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” See 16 CFR part 314.
FTC Regulations • Designate an employee or employees to coordinate an information security program; • Assess risks in each area of operations; • Design and implement a written information security program to control these risks; • Require service providers (by contract) to implement appropriate safeguards for customer information • Adapt security program in light of material changes to business
California’s Bright IdeaMandatory Disclosure Covered Entities • Require all entities who do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person
Cal. Civ. Code §1798.82(a), a/k/a SB1386 Notice Requirements • Notice shall be made “in the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement . . . or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” • Customers injured by violations of the statute are authorized to bring private lawsuits for damages.
Monitor employee access to higher-risk personal information • Remove access privileges of former employees and contractors immediately • Use intrusion detection technology for systems with higher-risk personal information • Require third-parties, including data custodians, to follow security procedures and notify data owner upon breach • Include electronic print-outs and paper records in your incident response plans and notification procedures • Notify within 10 business days
Establishes requirements for public companies with respect to internal controls over financial reporting Do "internal control" requirements apply to information security policies and procedures? Rules require policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company’s] assets that could have a material effect on the financial statements.” Section 302 – identifies internal fraud as an event that would require disclosure. Controls relating to the prevention, identification and detection of internal fraud are part of necessary controls Sarbanes-Oxley Act of 2002
Infrastructure §§ 806 & 1107 § 301 § 802 Must receive and Investigate complaints/ allegations of fraud Evidence Preservation Duty; Severe Penalties for destruction Protects/Encourages Whistleblowers Internal Investigation Capabilities § 302 • INTERNAL INVESTIGATIONS • and Incident Response • Nearly All Evidence is Digital • Government Investigations will focus on Computer Evidence • Data Must Be Recovered, Analyzed • and Preserved in a Thorough and Rapid Manner CEOs/CFOs must evaluate internal controls and disclose internal fraud § 409 § 404 Timely reporting required Effective internal controls required Exchange Act Release No. 44969 Cooperation with SEC/Law Enforcement = Production and Identification of Evidence Computer Investigations/Incident Response = & &
Federal Trends Congressional Action and Debate: Proposals by Representative Putnam, Chair of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Initial Proposal • Chairman Putnam’s Corporate Information Security Accountability Act of 2003 (Draft) • Would have required that publicly traded companies include a status report with their SEC filings on their corporate information security plans, in the form of a checklist that would have to be certified by an independent third party auditor. • Checklist would include a basic information security plan, including, an up-to-date inventory of critical IT assets; a risk assessment and corresponding risk management/mitigation plan; an incident response plan; and a tested business continuity plan
Corporate Response • Private sector concerned with the prospect of massive government regulation • Chairman Putnam challenged the private sector to identify alternative approach; created Corporate Information Security Working Group (CISWG) composed of industry experts to develop proposal for legislative response to cybersecurity risks
Incentives over Regulation • Positive incentives are a more effective means of implementing cyber security risk management because they would: • Leverage private industry’s ability to innovate the tools necessary for effective cyber-security. • Apply to the global economy through multinational corporations • Respond to changes in technology. • Encourage executive buy- in due to inherent advantages to a “return on investment” approach. • Promote market-based incentive programs that are more applicable to the broad cross-section of entities who use and must protect the cyberspace. • Complement the existing sector specific initiatives.
Incentives over Regulation (II) • Duplicative and conflicting international, national, state and local regulations create disincentives to cyber-security
Key Private Sector Incentive Recommendations • Establish generally accepted measurement tools to evaluate corporate and individual cyber security • Develop programs utilizing these measurement tools to establish programs to determine qualification, compliance and/or certification.
Key Private Sector Incentive Recommendations (II) • Take advantage of the cyber-risk management programs and services offered by the cyber-insurance industry as a means of providing for business continuity and financial risk management. • Establish programs that seek to use market forces to motivate organizations to enhance their cyber security programs and practices. Industry leaders should be encouraged to identify and promote such programs among their clients.
Key Government Incentive Recommendations • Publicize the positive efforts that are being made by corporations to improve cyber security beyond their own corporate walls. • Consider legislation providing liability limits and/or safe harbor protections to private sector entities. • Investigate economic incentives that would reward capital investments made by companies that purchase “certified” or information security products and services.
Key Government Incentive Recommendations (II) • Enact procedures whereby in cases of a covered cyber-disaster, FEMA payments would be modified based on the extent to which “Best Practices” were executed. • Encourage appropriate availability and use of cyber-insurance as a means to protect this nation’s critical assets.
Best Practices Recommendations • Create an umbrella organization to establish, promulgate, maintain, and track the use of IS guidance that is systemic, scalable, coherent, and readily usable. • Publish the Fundamental Four and Digital Dozen as sequential components of a “Security Starter Kit” through auditors, accountants, associations, ISP’s, insurance companies and other leverage channels to proliferate use of these practices.
Best Practices Recommendations (II) • Publish the IS Program Elements Framework and encourage enterprises to undertake security improvement projects • Work with industry associations and media to increase awareness of the community aspect of cybersecurity and the imperative to be responsible Internet neighbors.
Enforcement Actions: Past Targets
On June 18, 2003 - Guess, Incorporated agreed to settle charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers. • Personal information was not stored in an unreadable, encrypted format at all times and security measures failed to protect against SQL and other commonly known attacks. • According to the FTC press release, the settlement requires Guess to establish and maintain a comprehensive information security program that must be certified by an independent professional within a year, and every other year thereafter.
What was EXPOSED on VictoriasSecret.com?
Enforcement Questions • Were there reasonable procedures in place to anticipate security problems? • Was the problem foreseeable? • How quickly was the breach caught and did it result in injury? • Was there communication with victims and, if so, were efforts made to make them whole? • What have the consequences been? • Have steps been taken to make sure the problem is not repeated? • Has security been institutionalized in the company? • Is an “incident response system” in place? • Has company demonstrated that they “get it”?
What Does the Future Hold? • Increased likelihood of litigation based on security breaches • More entities subject to a specified duty of care • Erosion of “reciprocity is hell” limiting factor • Application of security standards to non-regulated entities • Outsourcing/contractual relationships • Insurance Prerequisite • New Federal law encouraging/requiring investment in information security resources • Much more scrutiny on incident handling and incident response
Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk Marc J. Zwillinger Partner Sonnenschein Nath and Rosenthal, LLC.