Current Definition of Cybersecurity Due Care
© 2015 ROBINS KAPLAN LLP
CURRENT AND EMERGING STANDARDS
OF CYBERSECURITY DUE CARE
RICHARD M. MARTINEZ
PARTNER, CHAIR DATA PRIVACY AND CYBERSECURITY GROUP
BRINGING THE PARTIES TOGETHER
Role of IT
Role of Legal
Changing Threat Landscape
What’s at Stake
Source of Standards
SOURCE OF STANDARDS
Federal Trade Commission
Legislation
Litigation
Industry and Standards Groups
Private-Public Partnerships
Others
LESSONS LEARNED FROM THE FTC
Role of the Federal Trade Commission
Lessons Learned from 50 FTC Cases
Guiding principles gleaned from the FTC’s leading enforcement actions
– 10 principles
– Various Case Illustrations
FTC JURISDICTION AFFIRMED
FTC v. Wyndham Worldwide Corporation (3rd Cir. opinion)
The FTC sued the hospitality company and three subsidiaries, alleging that
data security failures led to three data breaches at Wyndham hotels in less
than two years.
According to the complaint, those failures resulted in millions of dollars of
fraudulent charges on consumers’ credit and debit cards – and the transfer of
hundreds of thousands of consumers’ account information to a website
registered in Russia.
RECENT DECISION BY FTC CHIEF ALJ
Impact of dismissal of FTC’s LabMD case
FTC alleged that LabMD failed to provide reasonable and appropriate security for the personal information it maintained on its network, constituting an unfair act or practice under Section 5 of the FTC Act causing injury on two occasions.
ALJ found the FTC had not demonstrated that LabMD’s activities caused or were likely to cause substantial injury to consumers, and thus had not established unfairness under Section 5.
The Federal Trade Commission has filed a Notice of Appeal
FTC JURISDICTION AFFIRMED
Third Circuit upheld the District Court’s ruling that the FTC could use
the prohibition on unfair practices in section 5 of the FTC Act to
challenge the alleged data security lapses outlined in the complaint.
The Court also rejected Wyndham’s fair notice argument.
“For good reason, Wyndham does not argue that the cybersecurity
intrusions were unforeseeable. That would be particularly implausible
as to the second and third attacks.”
FTC NEWS FLASH
Global Privacy Enforcement Network (“GPEN”)
Look for expanded, multi-jurisdictional investigations
Cross-border data transfers
GLOBAL PRIVACY ENFORCEMENT NETWORK (“GPEN”)
The FTC and enforcement agencies from seven other countries on Oct. 25,
2015, signed a new information-sharing system to coordinate international
efforts in protecting consumer privacy.
Australia, Canada, Ireland, Netherlands, New Zealand, Norway, United
Kingdom, U.S.
“Today, data is increasingly crossing borders, and our privacy investigations
and enforcement must do the same.” Chairwoman Ramirez
50 FTC LAWSUITS DISTILLED
Webinar: “Managing Risk in the Era of Cyber Insecurity”
Risks
Lapses
Lessons learned
Emerging standards: details from 50+ FTC Enforcement
Actions
RISK MANAGEMENT PRINCIPLES
1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.
CONTROL ACCESS TO DATA SENSIBLY
Restrict access to sensitive data.
– Goal Financial (company failed to restrict employee access to personal
information stored in paper files and on its network)
Limit administrative access.
– Twitter (granted almost all of its employees administrative control over
Twitter’s system)
REQUIRE SECURE PASSWORDS AND AUTHENTICATION.
Insist on complex and unique passwords.
– Twitter (common dictionary)
Store passwords securely.
– Reed Elsevier (credentials in cookies)
– Twitter (admin passwords in plain text / email )
REQUIRE SECURE PASSWORDS AND AUTHENTICATION.
Guard against brute force attacks.
– Lookout Services, Twitter, and Reed Elsevier (limit on unsuccessful logins)
Protect against authentication bypass.
– Lookout Services (known security flaws)
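The two practices on these password slides, salted hashing of stored credentials and a limit on unsuccessful logins, as an added example (not code from the presentation or from any of the FTC matters cited); the work factor, lockout threshold and lockout window are assumed values:

```python
import hashlib
import hmac
import os
import time

# Constructed example: assumed parameters, tune for the deployment.
PBKDF2_ITERATIONS = 200_000   # work factor for stored password hashes
MAX_FAILURES = 5              # unsuccessful logins allowed before lockout
LOCKOUT_SECONDS = 900         # how long an account stays locked


def hash_password(password: str) -> str:
    """Store a salted PBKDF2 hash, never the password itself (cf. plain-text
    admin passwords and credentials in cookies on the slide)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """Counts failed attempts per account and refuses logins while locked out."""

    def __init__(self, users: dict, now=time.time):
        self.users = users      # username -> stored hash string
        self.failures = {}      # username -> (failure count, time of last failure)
        self.now = now          # injectable clock so the lockout window is testable

    def is_locked(self, user: str) -> bool:
        count, last = self.failures.get(user, (0, 0.0))
        return count >= MAX_FAILURES and self.now() - last < LOCKOUT_SECONDS

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user):
            return "locked"          # do not even check the password while locked
        stored = self.users.get(user)
        if stored is not None and verify_password(password, stored):
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        count, _ = self.failures.get(user, (0, 0.0))
        self.failures[user] = (count + 1, self.now())
        return "denied"
```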
SEGMENT YOUR NETWORK AND MONITOR WHO’S TRYING TO GET IN AND OUT.
Segment your network.
– Protect particularly sensitive data by housing it in a separate secure place
on your network
– DSW (company didn’t sufficiently limit computers from one in-store
network from connecting to computers on other in-store and corporate
networks )
Monitor activity on your network.
– Dave & Buster’s (no intrusion detection; no system log monitoring)
– CardSystems Solutions (no detection of unauthorized access to network;
hackers installed programs that collected stored sensitive data and sent it
outside the network every four days)
SECURE REMOTE ACCESS TO YOUR NETWORK.
Ensure endpoint security.
– Premier Capital Lending (activated a remote login account for a business client
to obtain consumer reports, without first assessing the business’s security)
– Settlement One (allowed clients that didn’t have basic security measures, like
firewalls and updated antivirus software, to access consumer reports through
its online portal)
– LifeLock (no antivirus)
Put sensible access limits in place.
– Dave & Buster’s
SET PROCEDURES TO KEEP SECURITY CURRENT AND ADDRESS VULNERABILITIES.
Update and patch third-party software.
– TJX Companies (update anti-virus software)
Heed credible security warnings and move quickly to fix them.
– HTC America (process for receiving and addressing reports about security
vulnerabilities)
– Fandango (company relied on its general customer service system to
respond to warnings about security risks)
WIRE TRANSFER FRAUD
Wire Transfer Phishing
Business Email Compromise
FBI Warning
WIRE TRANSFER FRAUD
Standard: UCC Article 4A
“Commercially Reasonable” Security Procedures
UCC Article 4A-202(b):
– (b) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
STANDARDS FOR THE
INTERNET OF THINGS
24 billion Internet-connected devices before the end of the
decade (> 3/person)
Standards are being proposed
MEDICAL DEVICES AND HEALTH APPS
FDA: MEDICAL DEVICES
Led on-going industry / stakeholder Public Workshops on
advancing medical device cybersecurity
Issued “non-binding guidance”
Issued Warnings
Health Care Mobile Apps
NH-ISAC
National Health Information Sharing and Analysis Center
HOSPIRA SYMBIQ INFUSION SYSTEM:
FDA SAFETY COMMUNICATION
FDA told hospitals to stop using Hospira's Infusion Pump
If accessed hacker could “control the device and change
the dosage the pump delivers, which could lead to over- or
under-infusion of critical patient therapies”
FDA “GUIDANCE FOR INDUSTRY”
Example: FDA's “Cybersecurity for Networked Medical
Devices Containing Off-The-Shelf (OTS) Software”
“Nonbinding Recommendations”
Challenges inherent in devices that will be operated in
networked environments beyond the manufacturer's control
LEGISLATION
California Civil Code sections 1798.29 and 1798.82
Under California’s current law, if personal information is “encrypted,” the notification requirements do not apply
Until now, the law had not defined when personal information would be considered to be “encrypted”
“Encrypted” is now defined as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”
FTC EXAMPLES
Keep sensitive information secure throughout its lifecycle.
– Superior Mortgage Corporation (emailed in clear)
Use industry-tested and accepted methods.
– ValueClick (non-standard, proprietary form of encryption)
Ensure proper configuration.
– Fandango and Credit Karma (SSL encryption used in mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures)
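The "validation turned off" configuration faulted in the Fandango and Credit Karma matters beside its corrected form, as an added example (not code from the presentation or from either company); the audit function and the TLS 1.2 floor are this example's own assumptions:

```python
import ssl
from typing import List, Optional

# Constructed example: the disabled-validation pattern beside a correct client
# context, plus an audit helper (this example's own, not an FTC or vendor tool).


def insecure_client_context() -> ssl.SSLContext:
    """The misconfiguration on the slide: traffic is encrypted, but the client
    accepts any certificate, so an interposed server is indistinguishable from
    the real one and the encryption protects nothing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False     # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against trusted CAs (the system store, or a pinned
    bundle passed as ca_bundle) and require the hostname to match."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumed floor for this example
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a code review or pre-release check would raise;
    an empty list means the context validates the server properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings
```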
NIST: NATIONAL INSTITUTE OF
STANDARDS AND TECHNOLOGY
Cybersecurity Framework
Computer Security Resource Center (CSRC)
US-CERT
Dept. of Homeland Security, US Computer Emergency
Readiness Team
Security Bulletins
INFRAGARD
InfraGard is a partnership between the FBI and the private
sector
Confidential, timely alerts for the private sector
16 Critical Infrastructures covered
Ignorance is not bliss
Examples
– Social Engineering, Smart Farming, Increase in Point of Sale
Malware Intrusions Possible During Holiday Season, Compromised
and stolen sensitive military information
ACTIONS AGAINST THIRD PARTIES
Liability of technology companies for data breaches
Next Wave of Litigation