Jennifer Puplava - Grand Rapids Cyber Security Conference.

Cyber Risk Checklist:
Compliance with Legal Obligations
Grand Rapids Cyber Security Conference
April 23, 2014
Presented by:
Jennifer A. Puplava
Mika Meyers Beckett & Jones PLC
©2014, Mika Meyers Beckett & Jones PLC
All Rights Reserved
900 Monroe Avenue NW
Grand Rapids, MI 49503
(616) 632-8000
jpuplava@mmbjlaw.com
www.mmbjlaw.com
New Technologies Bring New Concerns

- Increased use of technology to communicate, operate, and manage information.
- Organizations generally fail to keep pace with escalating cybersecurity risks.
- Many business users use cloud applications without the knowledge or support of IT. (McAfee Labs' 2014 Threats Predictions)
- Security incidents involving loss of data have increased. (PwC, The Global State of Information Security® Survey 2014)
Key Cybersecurity Worries

From McAfee Labs' 2014 Threats Predictions:
- Mobile malware.
- Virtual currencies.
- Cybercrime and cyber warfare.
- Social attacks.
- PC and server attacks.
- Big Data.
- Attacks on the cloud.

Additional concerns:
- Mobility: increased risk due to BYOD, lost/stolen devices, lack of security controls, etc.
- Cloud services: cross-border privacy concerns, unintentional upload of company data to the cloud, etc.
- Uneducated use of technology: use of company devices for both work and personal matters, use of free file-sharing services, etc.
Source of Threats

"Outsiders"
- Hackers (looking for financial gain).
- Hacktivists (on ideological missions).
- Terrorists/organized crime.
- Competitors.
- Government.

"Insiders"
- Current/former employees.
- Current/former service providers, consultants, contractors.
- Suppliers/customers.
- Business partners.
- Information brokers.
- Different motivations:
  - Disgruntled.
  - Careless.
  - Uneducated.
Benefits of a Good Cybersecurity Program

- Protected data.
- Increased efficiency of operations and financial control.
- Minimized risk of damage caused by a cybersecurity breach.
- Minimized risk of third-party/regulatory action relating to a cybersecurity breach.
- Protected reputation.
Range of Harms from a Cybersecurity Breach

Potential harm to business, consumers and the public:
- Loss of integrity.
  - Identity theft.
  - Tainted data.
  - Affected operations.
- Loss of access/availability.
- Loss of confidence.
- Disclosure of confidential information.
  - Compromised customer, user or employee records.
  - Compromised trade secrets or other proprietary information.
Cybersecurity Standards

- Cybersecurity regulations and laws are a moving target.
- Currently there is a patchwork quilt of federal and state laws addressing cybersecurity, but no broad federal cybersecurity legislation.

Examples of industry/business-specific security laws requiring protection of systems and information:
- Financial institutions (Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999; Federal Financial Institutions Examination Council standards).
- Healthcare providers and their business associates (HIPAA, HITECH).
- Federal agencies, or those who provide services on their behalf (Federal Information Security Management Act, Homeland Security Act).
- Educational institutions (Family Educational Rights and Privacy Act (FERPA)).
- Merchants and service providers handling payment card data (Payment Card Industry Data Security Standard (PCI DSS), a contractual standard imposed by the card brands rather than a statute).
- Public companies (SEC reporting requirements).

State law:
- Trade secret protection (e.g. under the Michigan Uniform Trade Secrets Act) depends on reasonable measures having been taken to keep the information secret.
- Social Security Number Privacy Act (in Michigan and other states).
- Data breach notification (e.g. Michigan Identity Theft Protection Act).
- Freedom of Information Act.

International laws:
- Proposed European Union General Data Protection Regulation.
- Legislative development in several countries.
Other Cybersecurity Standards and Resources

- Contractual requirements.
- Information security management system standards published by the International Organization for Standardization and the International Electrotechnical Commission (e.g. ISO/IEC 27001:2005 on information security management systems, since superseded by ISO/IEC 27001:2013).
- Information Security Forum Standard of Good Practice.
  - Now available for sale to the general public.
  - Comprehensive list of best practices for information security.
- Atlantic Council (cybersecurity resources focusing on international and state issues).
- SANS Institute computer security training programs.
Examples of the Alphabet Soup of Privacy Regulations

- Electronic Communications Privacy Act (ECPA).
- Critical Infrastructure Information Act (CIIA).
- Fair Credit Reporting Act (FCRA).
- Fair Debt Collection Practices Act (FDCPA).
- Children's Online Privacy Protection Act (COPPA).
- Computer Fraud and Abuse Act (CFAA).
- Telephone Consumer Protection Act (TCPA).
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).
Best Guidance To Date: NIST Framework

NIST Framework for Improving Critical Infrastructure Cybersecurity (version 1.0, released February 2014).
- Voluntary framework built on existing standards, guidelines and practices.
- Organized around five core functions: Identify, Protect, Detect, Respond, Recover.
- Good starting point for developing best practices.
- Aimed at reducing and better managing cybersecurity risks.
- Could be used as a standard for evaluating the reasonableness of an organization's cybersecurity program.
Potential Liability for Security Breaches

Examples of some private rights of action:
- Negligence.
- Breach of contract.
- Breach of fiduciary duty.
- Invasion of privacy.
- Conversion.
- Unjust enrichment.
- Class actions.
- Waste of corporate assets.
- Abuse of control.
- Shareholder derivative suits.

Examples of regulatory action:
- FTC enforcement actions due to inadequate data privacy and security measures.
- HHS enforcement actions against entities covered by HIPAA that fail to comply with the privacy and security rules.
- The Securities and Exchange Commission can take action for failure to fully or timely disclose a material data breach.
- State enforcement actions can overlap with federal enforcement actions relating to the same security breach.
Potential Remedies for Cyberattacks

- Breach of contract.
- Federal Computer Fraud and Abuse Act.
- Trespass.
- Misappropriation.
- Copyright infringement.
- Digital Millennium Copyright Act (if the defendant circumvented technological measures put in place to block the activity).
General Rules for Cybersecurity

- Be proactive rather than just reactive.
- Maintain reasonable procedures to protect sensitive information and comply with applicable law.
- Do not misrepresent your practices.
Best Practices in Creating a Cybersecurity Program

- The process of creating a cybersecurity program will be different for each organization; there is no "one-size-fits-all" approach.
- Involve all levels of authority in creating a cybersecurity program.
  - IT staff cannot be alone in this effort.
- Consider using the NIST Cybersecurity Framework.

Identify and prioritize corporate information assets. Inventory:
- Where data resides;
- The type of data collected;
- Type and location of equipment and devices used;
- Who can access the data;
- How and what sensitive information is transmitted to third parties;
- What information is retained and for how long.

Assess legal requirements regarding the ability to:
- Collect and retain information from employees, customers, and third parties.
- Use and share collected information.
- Secure collected information.
- Dispose of collected information.

Evaluate risk of data loss.
- NIST Guide for Conducting Risk Assessments (Special Publication 800-30).
- The FTC expects a "reasonable" risk assessment.
- Assess cybersecurity risk of outsourced functions.

Develop appropriate safeguards.
- Draft a security policy/plan.
- Address cybersecurity in vendor agreements.
- Consider cyber-insurance coverage.
- Accurately describe information sharing in customer Terms of Service and Privacy Policies.
- Implement technical, administrative, and physical controls using cost/benefit analysis.
- Train employees, and develop procedures for newly hired and exiting employees.

Monitor and be prepared to respond to breaches.
- Develop procedures to stop the breach and remediate damaged functionality.
- Identify legal requirements relating to reporting/notification in the event of a security breach.
- Draft a written computer incident response/data breach policy, and be prepared to mitigate an incident.

Regularly evaluate the above.
Questions?
Jennifer Puplava
jpuplava@mmbjlaw.com
(616) 632-8050
Disclaimer: This presentation is to assist in a general understanding of some of the
legal issues involved, and is not intended as legal advice. Persons with particular
questions should seek the advice of counsel.