The Information Security Legal Context

The Information Security Legal Context
UW CIAC, Information Security and Risk Management in Context, October 5, 2011
John R. Christiansen, J.D., Christiansen IT Law, Privacy/Security/Compliance
2212 Queen Anne Avenue North #333, Seattle, Washington 98109
206.301.9412, [email protected]


Page 1: The Information Security Legal Context

The Information Security Legal Context

UW CIAC
Information Security and Risk Management in Context
October 5, 2011

John R. Christiansen, J.D.
Christiansen IT Law
Privacy/Security/Compliance

2212 Queen Anne Avenue North #333
Seattle, Washington 98109

[email protected]

Page 2: The Information Security Legal Context

(c) Christiansen IT Law 2011 2

Presenter Bio

John R. Christiansen, J.D. - Christiansen IT Law

Information Technology Law: Privacy, Security, Compliance and Risk Management, IT Development and Licensing

• Advisor to U.S. Dep’t of Health and Human Services Offices of National Coordinator for Health Information Technology, and Civil Rights; Special Assistant Attorney General to Washington State Health Care Authority; IT counsel to technology companies, health care organizations, financial institutions and professional services firms

• Chair, ABA HITECH Business Associates Task Force, 2009 – pres.; Committees on Healthcare Information Technology (2007 – 2009); Healthcare Privacy, Security and Information Technology (2004 – 06); Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)

• Adjunct Faculty, University of Washington Information School and Advisory Board member, Center for Information Assurance and Cybersecurity

• Publications include Legal Speed Bumps on the Road to Health Information Exchange, Journal of Health and Bioscience Law (2008); Using Safe Harbors to Reduce Legal Barriers to Implementation of Electronic Health Records and Health Information Networks, Shidler Journal of Law, Commerce and Technology (accepted 2007); An Integrated Standard of Care for Healthcare Information Security (2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (2000); etc.

October 15, 2011

Page 3: The Information Security Legal Context


The Problems

• Black Swans

• Moral Panics

• Reactive Regulators

• Flighty Finance

Page 4: The Information Security Legal Context


The Problems

• Unexpected negative events (Black Swans) cause

• Public outrage and outcry (Moral Panics), which cause

• Retrospective legal action (Reactive Regulators), causing

• Investors, customers and business partners to flee (Flighty Finance)

Page 5: The Information Security Legal Context


What’s Law Got to Do With It?

• Laws are tripwires:

– Laws create jurisdiction to investigate and enforce

– Very few proactive investigatory audits

– Everyone can be found in violation of something

– Government wants to do something

– Enforcement becomes a retrospective investigation and penalty action

– New legislation and regulations may ensue

– Prolonged investigation, new laws trigger financial flight

Page 6: The Information Security Legal Context


Black Swans

• “A black swan is a highly improbable event with three principal characteristics: it is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.”– Nassim Taleb

• Black Swans are SOP in complex systems

Page 7: The Information Security Legal Context


Black Swans

• Deepwater Horizon Blowout

• 9/11

• The Morris Worm

• DNS Cache Poisoning (Kaminsky)

• Providence/Portland New Years Media Theft

• California Comptroller Database Breach

• Heartland Payment Hack (TJ Maxx)

Page 8: The Information Security Legal Context


Black Swans

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”– Donald Rumsfeld

Page 9: The Information Security Legal Context


Moral Panics

• “The business of political operatives is horse trading in smoke-filled rooms. . . . This isn’t hypocrisy; this is management. . . .

“Except, that is, for outbursts of the bizarre: scandal and terror. Sometimes everyday politics is disrupted by an advent so wicked and heinous, so beyond the pale, that it calls the whole system into question. . . . This is moral panic.” – Bruce Sterling

Page 10: The Information Security Legal Context


Moral Panics

• “. . . Moral panics are not always based on ‘The Big Lie.’ Instead, moral panics can take an existing problem of little or no consequence and turn it into an existential one to further a political agenda. Moral panics are not irrational acts by those who construct them, but rather are the result of deliberate political opportunism. . . .” – William Patry

Page 11: The Information Security Legal Context


Moral Panics

• Satanic Abuse Cases (Wenatchee, McMartin Day Care, etc.)

• The “Hacker Crackdown”

• Cyberterrorism, Cyberwar (?)

• Music Piracy

• HIPAA Uniform Patient Identifier

Page 12: The Information Security Legal Context


Reactive Regulators

• Richard Nixon and the Fair Information Protection Principles

– Basis for EU Data Protection, HIPAA, GLBA, etc.

• “Operation Sundevil”

• SB 1386 (and its many progeny)

• Defunding of HIPAA patient identifier work

• Regulatory investigation and penalty actions against Providence (typical)

• Payment Card Industry (PCI) standards and enforcement regime

Page 13: The Information Security Legal Context


Reactive Regulators

• Presumption: Every major organization can be found in breach of some regulation

– Almost all standards are risk-based: HIPAA, GLBA; PCI compensating controls; etc.

• Good: Allows for necessary variation

• Bad: More stringent additional or alternate safeguards can almost always be identified

• Risk management is only as good as risk assessment – back to Black Swans and unknown unknowns

• Risk analysis and management are judged harshly in retrospect: Hindsight is 20/20

Page 14: The Information Security Legal Context


Reactive Regulators

• Presumption: Every major organization can be found in breach of some regulation

– Many organizations are subject to multiple overlapping regulations – can they be reconciled?

– Some regulations have competing values – what is the “legally correct” balance between confidentiality and availability?

– Risk assessment is always and only a snapshot – status at the time of observation

• Hannaford Brothers (2008): Processor certified compliant one day after being notified of two month old malware operations

Page 15: The Information Security Legal Context


Flighty Finance

• “Vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement.” – Telang & Wattal (2005)

Page 16: The Information Security Legal Context


Flighty Finance

• “The most readily available metric, the share price of Heartland common stock, serves as a ready indicator of how the markets have responded to the incident and the company’s actions since.” – Kroger (2010)

Before announcement: $15.16
Right after announcement: $8.18
Next SEC disclosure: $3.43
After remediation (several months): $10.43

Page 17: The Information Security Legal Context


Flighty Finance

• CardSystems

– Intrusion compromised tens of millions of card numbers

• Millions of dollars in fraudulent charges in the wake of the breach

• Thousands of credit cards canceled, re-issued

– Mastercard and Visa terminated their contracts

– CardSystems filed for bankruptcy

Page 18: The Information Security Legal Context


A Cautionary Tale

• Oxford Health Plans (S.D.N.Y.) / Heller v. Oxford Health Plans et al. (D.Conn.)

– Computer system upgrade initiated 1996

– Delays in generating billings, lost revenues

– Processing failures made accurate accounting of revenues, expenses impossible

– 11/96 – 10/97: Company officers filed SEC documents, made representations admitting but underplaying effects of problems


Page 19: The Information Security Legal Context


A Cautionary Tale

• Oxford Health Plans (S.D.N.Y.) / Heller v. Oxford Health Plans et al. (D.Conn.)

• Court ruled valid claims stated for:

– Breach of fiduciary duty (officers)

– Gross mismanagement (officers)

– Waste (officers)

– “Knowing or reckless disregard of lack of internal controls and ineffective computing system” (KPMG)

• Settlement March 2003: $300 million


Page 20: The Information Security Legal Context


A Cautionary Tale

• In re Caremark International, Inc. (Del. 1996)

– Stockholder suit against Caremark board for breach of fiduciary duty in failing to supervise employees and institute measures to address company violations of antikickback laws

– The “core element of any corporate law duty of care inquiry [is] whether there [was] a good faith effort to be informed and exercise judgment.”


Page 21: The Information Security Legal Context


A Cautionary Tale

• In re Caremark International, Inc. (Del. 1996)

– “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may . . . render a director liable for losses caused by noncompliance with applicable legal standards.”

– “[L]iability to the corporation for a loss may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”


Page 22: The Information Security Legal Context


So What Do I Do?

• Assume a security breach will happen to you

– Help your C-Suite and Board understand this perspective

– Avoid “minimalist” risk assessment and risk management

– Be ready to respond – investigation, remediation, legal and public relations

Page 23: The Information Security Legal Context


So What Do I Do?

• R is the risk level required for regulatory compliance.

• C is the cost of the risk management program necessary to achieve and maintain regulatory compliance.

• R’ is the more-stringent risk level to be achieved in order to prevent losses the organization is not willing or able to assume.

• C’ is the greater cost of the risk management program necessary to achieve regulatory compliance as well as to prevent losses the organization is not willing or able to assume.

Page 24: The Information Security Legal Context


So What Do I Do?

• Assume retrospective assessment would find a breach of some applicable law

– Have legal counsel involved, do due diligence to minimize possible violations

– Be ready to defend yourself

– Be ready to find a scapegoat

– Be ready to negotiate

Page 25: The Information Security Legal Context


Defensible Information Security Risk Management

Board, CEO, CFO, General Counsel

Senior Management Interaction with or Participation in Board Committees

Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)

Operational Personnel

Facts About Processes, Technologies, Outputs, Events

Analyses of Financial, Operational, Legal Risk Implications of Facts

Reports on Analyses and Recommendations for Risk Strategies

Page 28: The Information Security Legal Context


Defensible Information Security Risk Management

Board, CEO, CFO, General Counsel

Senior Management Interaction with or Participation in Board Committees

Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)

Operational Personnel

Information Security Program Policies, Procedures and Technical Solutions

Risk Management and Information Security Policies

Risk Acceptance and Risk Strategy Guidance

Page 29: The Information Security Legal Context


Questions? Thanks!

John R. Christiansen, J.D.
Christiansen IT Law
Privacy/Security/Compliance

2212 Queen Anne Avenue North #333
Seattle, Washington 98109

[email protected]