Cyberliability

Introduction and Overview
• Overview
– History
– The Problem: Escalating Risks from Internet Connectivity
– Cyberliability
  • Discrimination
  • Harassment
  • Information Leaks
  • Offensive Content
  • Defamation and Libel
  • Spam
• Overview
– Monitoring Internet Usage: Employer’s Rights and Responsibilities
– Internet Usage Policy Quiz
– Policies, Management Support
– E3 + E3
A quick update…
The Internet is Changing Today’s Business Model
[Diagram: the Internet linking suppliers, branch offices, the LAN/WAN, customers, the intranet and telecommuters]
No More Business as Usual…
New Business Model
New Rules for a New Type of Business...
• Instant access to information
• Speed of execution is critical
• 24 hours per day (7x24)
• Global competition & access
• Provide information without barriers
• End-to-end security
It is Not a Luxury, it’s a Competitive Reality
The Internet is Changing Today’s Business Model
There is one enterprise and it’s global.
There is one network and it’s the Internet.
In the near future…
• By the year 2002, more than 88 million users in the United States will be connected to the Internet at work, using it as a tool for e-commerce, marketing, supply chain management, remote site connectivity and customer support. (Source: Estats, 1999)
• Once connected, these users will have the ability to:
– Disseminate product and company information at a faster rate
– Communicate instantly across geographic boundaries
– Lower the costs of providing information and services
– Share information with partners and vendors
– Leverage the power of e-commerce and multimedia applications
You’re not paranoid, they are out to get you…
Who are We Protecting Ourselves From?
• Hackers/Crackers/Phreakers
• Interior or exterior attack
• Corporate raiders
• Competitive intelligence gatherers
• Legitimate or illegitimate inquiries
• Contractors
• Hacktivists
• Information warfare
More risk…
Sources of Internet & Intranet Risk:
• Web surfing
• Email
• Downloads
• Spam
• Newsgroups
Cyberliability
• Cyberliability: “legal proceedings and related costs due to unmanaged Internet & intranet use, including email, web surfing, ftp, newsgroups and spam.”
For Example…
• Cyberliability:
– Legal liability: case preparation fees
– Legal liability: settlement or damages
– Damaged image or brand
– Lower shareholder value
• Other risk
– Decreased employee productivity
– Productivity slowdown
Remember we are all connected…
• Of all the Internet risks, cyberliability exposes organizations to a new level of cyberdanger.
• E-documents are as binding as those written on company letterhead.
• There is a trail of “e-evidence”.
Bottom Line…
• E-mail or web surfing that contains offensive or company-confidential information can quickly result in:
– Legal fees (including costs to prepare, litigate and settle cases)
– Depressed stock price
– Negative effect on brand, reputation and organization confidence
Internet & Intranet Environment
• Combine the casual atmosphere of Internet communications with this substantial electronic paper trail, and it’s easy to see why the use of “e-evidence” has become the new evidence within the following categories of litigation:
– Discrimination
– Harassment
– Obscenity and pornography
– Defamation and libel
– Information leaks
– Spam
Cyberliability Risks
Cyberliability Risk
– Discrimination
– Harassment
– Information Leaks
– Offensive Content
– Defamation and Libel
– Spam
• A complete listing of cyberliability cases and press coverage could fill several volumes.
• Let’s chat about a few recent examples.
Discrimination
• A Federal court in New York has allowed a class action discrimination suit based on racist e-mails. The defendant is a large Wall Street brokerage firm and the plaintiffs are seeking $60 million in damages. (Owens and Hutton v. Morgan Stanley & Co., Inc., Case No. 96 Civ. 9747)
• Female warehouse employees alleged that a hostile work environment was created in part by inappropriate e-mail. Plaintiffs ask for $60 million in damages; case settles out of court. (Harley v. McCoach, 928 F. Supp. 533, E.D. Pa. 1996)
Harassment
• International Microcomputer Software pays a former employee $105,000 after she received sexually harassing messages on the firm’s electronic bulletin board, even though the company reported the incident to authorities and launched an internal investigation. (Staff Writer, CNET News.com, April 14, 1999)
• Chevron settles sexual harassment lawsuit for $2.2 million over e-mail postings such as: “25 reasons why beer is better than women.” (Jerry Adler, Newsweek, “When E-mail Bites Back,” November 23, 1998)
Information Leaks
• The Justice Department’s anti-trust lawsuit against Microsoft Inc. is based in large part on internal e-mail messages about efforts to insert a bug into Microsoft products to disable competitors’ products. (Wall Street Journal, John R. Wilke, August 27, 1998)
• The defense contractor Raytheon sued 21 “John Doe” employees for posting company confidential information on the Internet. Two workers have since been identified and have elected to resign. (Staff Writer, CNET News.com, April 6, 1999, 1:30 p.m. PT)
• The restaurant chain Shoney’s is demanding that Yahoo reveal the identity of 100 people who posted confidential information concerning restaurant closings and an alleged pending bankruptcy filing on message boards. (Staff Writer, CNET News.com, April 12, 1999, 5:00 a.m. PT)
Offensive Content
• The New York Times dismissed 23 employees at an administrative center for violating the company’s email policy regarding “offensive or disruptive messages, including photographs, graphics and audio materials.” (Staff writer, NYTimes, December 1, 1999)
• The Xerox Corp. fired approximately 40 people for viewing pornographic sites at work, most of them managers, directors, and executive officers. (Richard Mullins, Rochester Democrat and Chronicle, October 7, 1999)
• At least six employees of the US Navy Naval Supply Systems Command (NAVSUP) have been, or are expected to be, suspended for circulating “inappropriate, adult humor material” in e-mails. Another 500 were reported disciplined. (Staff writer, The Sentinel, December 4, 1999)
Defamation and Libel
• Wade Cook Financial sues members of a bulletin board for libelous statements about the company. (Liz Enbysk, ZDNET Anchordesk, March 10, 1999)
• An insurance company is sued for circulating an e-mail that accused an employee of using her corporate credit card to defraud the company. (Meloff v. New York Life Insurance Co., 51 F.3d 372, 2nd Cir. 1992)
Spam
• GTE blamed spam for the shutdown of one of its mail servers. Several individuals also complained over the year that they were personally shut down after spammers used the individuals’ e-mail addresses as forged return addresses. (John C. Dvorak, PC Magazine, March 24, 1998)
Monitoring Internet Usage: Employer Rights and Responsibilities
• Employer’s Right to Monitor
– Most experts agree that an employer has both the right and the responsibility to manage employee Internet use, but…
– There are no laws on the books that can be interpreted as prohibiting an employer from watching what its employees do on the Internet.
ECPA
• The Electronic Communications Privacy Act (ECPA) generally prevents employers from monitoring personal communications, such as private phone calls, unless there is reason to believe that a crime has occurred or certain other exceptions apply. However, the ECPA does support an employer’s right to monitor stored electronic communications, such as voicemail and e-mail messages, in order to protect its business, rights or property.
What can and cannot be done…
• What’s an employer to do?
• Where do we start?
• What are our rights as employers?
• What does the law say?
• Can I really be charged with any of this?
Policies/Procedures/Practices
• Written Policy
– There is no legislation that requires employers to require a written policy before monitoring email and web usage. However, having each employee read and sign your Internet Usage Policy is an extra step that the courts have found to reinforce the employer’s rights:
  • After being terminated for inappropriate emails, two employees later filed a lawsuit for violation of privacy, which was then dismissed by the California Court of Appeals.
  • The court concluded that the employees have no reasonable expectation of privacy in their email messages. The employees had acknowledged and agreed to the employer’s policies that stated that the use of company computers was for business purposes only. (Bourke v. Nissan Motor Corp., No. YC-003979, Cal. Ct. App., June 1993)
S.A.T.E.
• Security Awareness, Training, and Education
– Learning Continuum
  • Awareness = what
  • Training = how
  • Education = why
– Continuous
– Upgrade & Update
– Test and Measure
Management Support
• Ask for the policies and read them!
• Talk & listen to your InfoSec Officers!
• Participate in meetings/discussions.
• Write memos on InfoSec matters.
• Test & measure all employees.
• Financially support the InfoSec efforts…
• SPA - Security Posture Assessment (see me…)
Oh, think about this…
Things that make you go hmmm…
• While you were here listening to me, one of your employees may be sending an email that could eventually cost your company/organization several million dollars.
• Another may be surfing the Web for personal information, or exploring the latest offerings in cyberpornography.
• Still others are spending valuable time wading through, or following up on, volumes of junk email.
• And while you’re wondering if all of this is going on, who is protecting your corporation’s/organization’s secrets (sensitive material)? In the past year alone, according to the International Computer Security Association (ICSA), employee security breaches increased by 35% and the leak of proprietary information increased by 58%.
E-Commerce, E-Business, EMail, EEEEEEEEE…
Doesn’t sound possible? Think again. The “E” in email originally stood for “electronic.” Now it could mean “expensive.”
Internet Usage Policy Quiz
• Does your Internet Usage Policy give specific guidelines for the following corporate communications: Web surfing, E-mail, FTP, Newsgroups, Chat rooms, Spam?
• Do you periodically generate usage reports to get feedback on compliance? (Weekly, Monthly, Bimonthly, Not at all)
• Have you posted your policy and given each employee a copy? (Yes or No)
• Have you vigorously enforced and promoted your policy? (Yes or No)
• Have you been consistent in your treatment of policy offenders? (Yes or No)
• Have you periodically updated your policy to reflect current technology and business trends? (Annually, Semi-annually, Not at all)
If you answered “no” to any of the questions above, your policy is in need of an update.
And Finally...
E3 + E3
• Establish a good policy & program
• Educate based on the policy
• Enforce the policies
Educate, Enlighten, Empower
Q&A
USC - Center for Information Assurance Studies

The security of networked systems of computers is essential for information security. The USC – Center for Information Assurance Studies is the home to what many security professionals in the computer and network security community consider the “Top Gun” institution for IA, combining research and studies in Information Assurance (IA) and Information Security (InfoSec) since its inception. The USC - Center for Information Assurance Studies encourages an open environment in which students, faculty, staff, and other agencies work together to understand the information assurance requirements of a university setting as well as national infrastructure protection, addressing the challenges presented by those requirements through education and research.