U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015


Page 1

Integrating the Latest Federal Regulatory Initiatives into Practice through an Examination of Data Security Laws and Regulations

Robert Craig, CISSP. Direct Support to the CISO

Insider Threat Intelligence Agency

February x, 2015

This was intended for a Marcus Evans event to be held in Washington DC in February 2015, which was cancelled. There were a few more SEC slides to be developed.

Page 2

Topics

Reviewing FTC regulation and compliance policies.

Releasing details on an attack in compliance with SEC’s transparency standards.

Predicting the future directions of federal regulations

Page 3

NMCIWG: Daily Computer Threat News

Tuesday, January 06, 2015
• The hidden dangers of third party code in free apps
• PayPal complete account hijacking bug gets fix, no award given
• Morgan Stanley says wealth management employee stole client data
• Three Million MoonPig customer accounts exposed by flaw

Monday, January 05, 2015
• Target hackers hit OneStopParking.com
• Microsoft Goes After More Tech Support Scammers
• 2014 was the year hacking became the norm
• Lizard Squad launches $6 DDoS tool
• Snooki's Instagram Is Hacked
• 5 Small Business Takeaways from Sony’s Hack
• Majority of 4G USB Modems Vulnerable And SIM Cards Exploitable Via SMS
• Sony: PlayStation Network is back online now, really
• Exploit for Android same origin policy flaw is leveraged against Facebook users
• Internet Systems Consortium website has been compromised to serve malware
• FBI Probes If Banks Hacked Back as Firms Explore Cyber Offensive
• Lizard Squad Member Said Group Provided Log-Ins Used In Sony Attack
• Low-risk 'worm' removed at hacked South Korea nuclear operator
• Hackers Compromise Official Bryan Adams Website
• France Passes Online Surveillance Law That Makes It Legal to Spy on Internet Users

Monday, December 29, 2014
• Malware families distributed through malicious campaign targeting WordPress sites
• Rackspace restored after DDOS takes out DNS
• FBI Investigating Hacker Group over Xbox Live and Playstation Network Attacks
• Hackers claim to have exposed Sony, PlayStation personal data
• Bad, bad Internet news: Internet Systems Consortium site hacked
• Hacker Generates Fingerprint of German Defense Minister from Public Photos
• Cyber attack on Angela Merkel aide: Report
• Beware! Hackers are eyeing your car’s safety features to extort money
• South Korea Says Nuclear Reactors Safe After Cyber-attacks
• Thunderstrike Mac Attack Achieves Persistence
• U.S. firm finds malware targeting visitors to Afghan govt websites
• Children’s Hospital pays $40,000 over stolen data
• Meet Anunak - The Hacker Crew That Owned Staples and Earned $18m In 2014

Page 4


Page 5

Federal Trade Commission Legal Authorities (FTC)

“Only federal agency with the authority to enforce such a standard across broad swaths of the U.S. economy.”

• Main legal authority in the data security space is provided by Section 5 of the FTC Act: the ability to stop unfair or deceptive acts or practices.
• Other data security enforcement authorities: Gramm-Leach-Bliley Act and the Safeguards Rule, Fair Credit Reporting Act, the HIPAA/HITECH Act, Children’s Online Privacy Protection Act and its implementing rule.
• FTC Act Section 5, Unfair or Deceptive Acts or Practices: United States Code, Title 15, Chapter 2, Subchapter I, Section 45; Public Law 109-455.

Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity,” September 17, 2014

Page 6

Federal Trade Commission Security ‘Threshold’ (FTC)

Practices: the ‘pillars of reasonable security’, established through settlements (more than 50 data security cases).
• Assessing and addressing security risks must be a continuous process.
• There is no single, right way to do these assessments. What is reasonable depends on the volume and sensitivity of information the company holds, the cost of the tools that are available to address vulnerabilities, and other factors.
• The NIST Framework takes a similar approach by identifying different risk management practices and defining different levels of implementation.

Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity,” September 17, 2014

Page 7

Federal Trade Commission ‘Reasonable Security Practices’ (FTC)

• Companies are accountable for their practices and the representations they make.
• Applying Section 5 to data security, as the FTC applies it to other commercial activities, is considered appropriate and consistent.
• Actions are brought when systemic failures in a company’s data security practices are discovered.
• The FTC’s data security enforcement actions initially focused on deception. The key difference between unfairness and deception is that unfairness may be applicable even in the absence of a representation or omission in information presented to consumers.
• Recent data security cases show that Section 5 is up to the task of protecting consumers in the rapidly changing environment of mobile technology and ‘apps’.

Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity,” September 17, 2014

Page 8

Federal Trade Commission ‘Reasonable Security Practices’ (FTC)

Emphasizes that companies need to implement practices that are appropriate for their businesses:
• Do a risk assessment.
• Minimize personal information about consumers.
• Implement technical and physical safeguards.
• Train employees to handle personal information properly.
• Have a plan in place to respond to any security incidents that occur.

Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity,” September 17, 2014

Page 9

Federal Trade Commission Mobile Technology (FTC)

“Section 5 is up to the task of protecting consumers in the rapidly changing environment of mobile technologies.”

• Mobile devices and ‘apps’ can leave a broad range of sensitive personal information at risk.
• The FTC brought enforcement actions against two popular ‘apps’: Credit Karma and Fandango.
• The ‘apps’ contained flawed implementations of the Secure Sockets Layer (SSL) protocol, a common means for encrypting data in transit.
• They were susceptible to “man in the middle attacks,” in which an impostor could pose as a legitimate data recipient and collect highly sensitive information from consumers, including Social Security numbers in the case of Credit Karma and credit card information in the case of Fandango.
• The FTC alleged the companies had overridden more secure default settings and failed to test adequately.

Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity,” September 17, 2014
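The failure pattern the Credit Karma and Fandango complaints describe, overriding a platform's secure TLS defaults and shipping without a test that would catch it, can be made concrete with a small configuration audit. The following is an added example, not code from the slides or from either company; it uses Python's standard `ssl` module as a stand-in for the mobile SSL stacks involved, and the function names (`insecure_context`, `hardened_context`, `audit_context`) are this example's own. The "insecure" context reproduces the disabled-validation configuration that makes a man-in-the-middle possible; the audit function is the kind of pre-release check the FTC faulted the companies for not having.

```python
import ssl
from typing import List


def insecure_context() -> ssl.SSLContext:
    """Client context in the style the FTC complaints describe: the secure
    defaults are switched off, so any certificate, including one presented
    by a man-in-the-middle, is accepted without complaint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # skips certificate chain validation
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context that keeps the secure defaults: chain validation against
    the system trust store, hostname matching, and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a pre-release test should raise for a client
    context. An empty list means the context still validates the peer."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain validation disabled "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The audit inspects the context object rather than opening a connection, so it runs offline and can be wired into a unit test that fails the build whenever a developer "temporarily" disables validation to get past a test server with a self-signed certificate, which is the override pattern at issue in these cases.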

Page 10

SEC: Releasing Details of a Cyber Incident in Compliance with the SEC’s Transparency Standards

Page 11

Releasing Details of a Cyber Incident: Compliance with the SEC’s Transparency Standards (SEC)

• The SEC issued a set of disclosure guidelines in 2011, calling on companies to disclose any potential cyber risk, the possible effects of that risk, the status of internal controls, and the risk management procedures in place.
• The SEC is revisiting the issue and considering turning the guidelines into standards.
• Desired outcome: companies will have to live up to the level of transparency their investors have come to expect.

Source: The Security Ratings Blog, “How can the SEC become the primary regulator of corporate cyber security?”, posted by Ben Fagan on LinkedIn, August 6, 2014

Page 12

Releasing Details of a Cyber Incident: Compliance with the SEC’s Transparency Standards (SEC)

• A minimum standard for breach transparency would hold companies accountable for their security procedures.
• Desired outcome: to make it more likely that companies would regularly measure security performance.
• Desired outcome: rather than be subject to investigation by the SEC, companies would hopefully opt to improve their standing with the Commission and shareholders by properly reporting security breaches.

Source: The Security Ratings Blog, “How can the SEC become the primary regulator of corporate cyber security?”, posted by Ben Fagan on LinkedIn, August 6, 2014

Page 13

Securities and Exchange Commission, Division of Corporation Finance (SEC)

CF Disclosure Guidance: Topic No. 2, “Cybersecurity,” October 13, 2011

• Laws are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.
• Material information regarding cybersecurity risks and cyber incidents is required to be disclosed in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
• Disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

Page 14

SEC – Disclosure Guidance: Risk Factors (SEC)

Determining if a risk factor disclosure is required: evaluate cybersecurity risks and take into account all available relevant information, including:
• Prior cyber incidents and the severity and frequency of those incidents.
• Probability of cyber incidents occurring.
• Quantitative and qualitative magnitude of those risks.
• Potential costs and other consequences from misappropriation of assets or sensitive information, corruption of data or operational disruption.
• Adequacy of preventative actions taken to reduce cybersecurity risks (in the context of the industry in which they operate).

Cybersecurity risk disclosure must adequately describe the nature of the material risks and specify how each risk affects the registrant. Do not present risks that could apply to any issuer or any offering, and avoid generic risk factor disclosure.

Page 15

SEC – Disclosure Guidance: Description (SEC)

Disclosures may include:
• Discussion of business or operations that give rise to material cybersecurity risks and the potential costs and consequences.
• Extent of outsourcing of functions that have material cybersecurity risks, with a description of those functions and how those risks are addressed.
• Description of cyber incidents that have been experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences.
• Risks related to cyber incidents that may remain undetected for an extended period.
• Description of relevant insurance coverage.

Page 16

SEC – Disclosure Guidance: Description (continued) (SEC)

• Disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.
• Provide disclosure tailored to particular circumstances. Avoid generic “boilerplate” disclosure.
• Provide sufficient disclosure to allow investors to appreciate the nature of the risks faced.
• The SEC reiterates that the federal securities laws do not require disclosure that itself would compromise cybersecurity.

Page 17

Responding to SEC Inquiries Concerning Data Breach and Data Security Policies (SEC)

• Jurisdiction over the policies and practices of the securities industry.
• Ensures the integrity of the securities exchanges and provides investor protection.
• Conducts periodic examinations of industry participants: investment banks, asset managers, hedge funds, and mutual funds.
• Requires regulated entities to perform a risk assessment of various cybersecurity risks and adopt written policies and procedures.

Source: Marc Powers, October 28, 2014, posted in http://www.dataprivacymonitor.com/category/data-breaches/

Page 18

Federal Draft Legislation (2014)